kr328 / clash-premium-installer
Simple clash premium core installer for Linux.
I have been using the premium core, but the author never documented how to use TUN mode. I found this install script, but I don't want it to clash with the location and name of the clash I'm currently using. How should I modify the script so it can install for a clash at a custom path? Thanks
should it be "iptables"?
Ubuntu 20.04: after `service clash restart`, clash starts normally with no errors, but there are no connection logs at all, as if it were receiving no requests. After manually restarting the service a few more times, it works normally again.
Also, I don't know cgroups well: after clash.service runs setup-cgroup, doesn't the cgroup need to be removed with a command once the service is stopped?
A question: I see this line in the script: `ip protocol != { tcp, udp } accept`. Does it mean only non-TCP and non-UDP packets are accepted?? I don't quite understand.
I want clash for magisk to run in TUN mode; what steps are needed?
At first I thought the udev rule was not taking effect and opened issue #1. After adding a debug script inside the script, I found that the udev rule does take effect and the corresponding script (setup-tun.sh) does run, but the script fails to modify iptables.
System: Fedora 32
udev(7): https://man7.org/linux/man-pages/man7/udev.7.html
Hello, my computer runs Ubuntu 18.04, with clash installed by clash-premium-installer.
I want to use the computer running clash as a gateway, but after configuring the phone it has no network at all. The phone's router has been set to the computer's IP,
and its DNS to the dns-hijack address 8.8.8.8.
Where is the problem that leaves the phone without network?
Below is the head of the config file:
redir-port: 7892
tproxy-port: 7893
mixed-port: 7890
allow-lan: true
bind-address: '*'
mode: rule
log-level: info
ipv6: false
external-controller: 127.0.0.1:9111
hosts:
  'mtalk.google.com': 108.177.125.188
  't.cn': 203.107.55.116
dns:
  enable: false
  listen: 0.0.0.0:53
  default-nameserver:
    - 114.114.114.114
    - 8.8.8.8
  enhanced-mode: redir-host # or fake-ip
  fake-ip-range: 198.18.0.1/16 # Fake IP addresses pool CIDR
  fake-ip-filter:
    - '*.lan'
    - localhost.ptlogin2.qq.com
    - '+.srv.nintendo.net'
    - '+.stun.playstation.net'
    - '+.msftconnecttest.com'
    - '+.msftncsi.com'
    - '+.xboxlive.com'
    - 'msftconnecttest.com'
    - 'xbox.*.microsoft.com'
  nameserver:
    - 114.114.114.114 # default value
    - 8.8.8.8 # default value
    - tls://dns.rubyfish.cn:853 # DNS over TLS
    - https://1.1.1.1/dns-query # DNS over HTTPS
  fallback-filter:
    geoip: true
    ipcidr:
tun:
  enable: true
  stack: system # or gvisor
  dns-listen: 0.0.0.0:53
  dns-hijack:
    - 8.8.8.8:53
    - tcp://8.8.8.8:53
After reading several docs, I found this repo to be the culmination of the official docs and everything they reference. Thanks.
There are a few issues, though.
I don't understand why the folder /srv/clash/
is 644
installer.sh:
44:- assert install -d -m 0644 /srv/clash/
44:+ assert install -d -m 0755 /srv/clash/
88:- rm -rf /usr/bin/bypass-proxy-uid
88:+ rm -rf /usr/bin/bypass-proxy-pid
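Review bot: the `0644` to `0755` change at line 44 is right: `install -d -m 0644` creates a directory without the execute (search) bit, so no process, clash started with `-d /srv/clash` included, can open anything inside it. For the `rm -rf /usr/bin/bypass-proxy-uid` to `bypass-proxy-pid` change at line 88, the uninstall target has to match whatever the install step actually copies into /usr/bin; the unit file elsewhere on this page only references `/usr/bin/bypass-proxy`, so check the install step's file name before settling on uid or pid rather than guessing.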
$ uname -a
Linux raspberrypi 5.10.17-v8+ #1403 SMP PREEMPT Mon Feb 22 11:37:54 GMT 2021 aarch64 GNU/Linux
$ ./clash -v
Clash 2021.03.10 linux arm64 Wed Mar 10 13:32:16 UTC 2021
# Port of HTTP(S) proxy server on the local end
# port: 7890

# Port of SOCKS5 proxy server on the local end
socks-port: 7891

# Transparent proxy server port for Linux and macOS (Redirect TCP and TProxy UDP)
redir-port: 7892

# Transparent proxy server port for Linux (TProxy TCP and TProxy UDP)
tproxy-port: 7893

# HTTP(S) and SOCKS5 server on the same port
mixed-port: 7890

# authentication of local SOCKS5/HTTP(S) server
# authentication:
#  - "user1:pass1"
#  - "user2:pass2"

# Set to true to allow connections to the local-end server from
# other LAN IP addresses
allow-lan: true

# This is only applicable when `allow-lan` is `true`
# '*': bind all IP addresses
# 192.168.122.11: bind a single IPv4 address
# "[aaaa::a8aa:ff:fe09:57d8]": bind a single IPv6 address
bind-address: '*'

# Clash router working mode
# rule: rule-based packet routing
# global: all packets will be forwarded to a single endpoint
# direct: directly forward the packets to the Internet
mode: rule

# Clash by default prints logs to STDOUT
# info / warning / error / debug / silent
log-level: info

# When set to false, resolver won't translate hostnames to IPv6 addresses
ipv6: true

# RESTful web API listening address
external-controller: 0.0.0.0:9090

# A relative path to the configuration directory or an absolute path to a
# directory in which you put some static web resource. Clash core will then
# serve it at `http://{{external-controller}}/ui`.
external-ui: yacd-gh-pages

# Secret for the RESTful API (optional)
# Authenticate by specifying HTTP header `Authorization: Bearer ${secret}`
# ALWAYS set a secret if RESTful API is listening on 0.0.0.0
secret: ""

# Outbound interface name
interface-name: eth0

# Static hosts for DNS server and connection establishment (like /etc/hosts)
#
# Wildcard hostnames are supported (e.g. *.clash.dev, *.foo.*.example.com)
# Non-wildcard domain names have a higher priority than wildcard domain names
# e.g. foo.example.com > *.example.com > .example.com
# P.S. +.foo.com equals to .foo.com and foo.com
hosts:
  # '*.clash.dev': 127.0.0.1
  # '.dev': 127.0.0.1
  # 'alpha.clash.dev': '::1'

# DNS server settings
# This section is optional. When not present, the DNS server will be disabled.
dns:
  enable: true
  listen: 0.0.0.0:50053
  ipv6: true # when false, response to AAAA questions will be empty

  # These nameservers are used to resolve the DNS nameserver hostnames below.
  # Specify IP addresses only
  default-nameserver:
    - 114.114.114.114
    - 8.8.8.8
  enhanced-mode: redir-host # or fake-ip
  # fake-ip-range: 198.18.0.1/16 # Fake IP addresses pool CIDR
  # use-hosts: true # lookup hosts and return IP record

  # Hostnames in this list will not be resolved with fake IPs
  # i.e. questions to these domain names will always be answered with their
  # real IP addresses
  # fake-ip-filter:
  #   - '*.lan'
  #   - localhost.ptlogin2.qq.com

  # Supports UDP, TCP, DoT, DoH. You can specify the port to connect to.
  # All DNS questions are sent directly to the nameserver, without proxies
  # involved. Clash answers the DNS question with the first result gathered.
  nameserver:
    - 114.114.114.114
    - 223.5.5.5
    - 119.29.29.29
    - tls://dns.rubyfish.cn:853 # DNS over TLS
    - https://1.1.1.1/dns-query # DNS over HTTPS

  # When `fallback` is present, the DNS server will send concurrent requests
  # to the servers in this section along with servers in `nameservers`.
  # The answers from fallback servers are used when the GEOIP country
  # is not `CN`.
  fallback:
    - tcp://1.1.1.1

  # If IP addresses resolved with servers in `nameservers` are in the specified
  # subnets below, they are considered invalid and results from `fallback`
  # servers are used instead.
  #
  # IP address resolved with servers in `nameserver` is used when
  # `fallback-filter.geoip` is true and when GEOIP of the IP address is `CN`.
  #
  # If `fallback-filter.geoip` is false, results from `nameserver` nameservers
  # are always used if they do not match `fallback-filter.ipcidr`.
  #
  # This is a countermeasure against DNS pollution attacks.
  fallback-filter:
    geoip: true
    # ips in these subnets will be considered polluted
    ipcidr:
      - 240.0.0.0/4
    # domain:
    #   - '+.google.com'
    #   - '+.facebook.com'
    #   - '+.youtube.com'

tun:
  enable: true
  stack: gvisor # or system
  macOS-auto-route: true
  macOS-auto-detect-interface: true
  dns-hijack:
    - tcp://8.8.8.8:53
    - 8.8.8.8:1053
...
...
diff --git a/scripts/clash-default b/scripts/clash-default
@@ -9,7 +9,7 @@ NETFILTER_MARK=114514
# iproute2 rule table id
IPROUTE2_TABLE_ID=114
-# dns redirect
-FORWARD_DNS_REDIRECT=1.0.0.1:53
+# dns redirect, match dns listen in clash config
+FORWARD_DNS_REDIRECT=0.0.0.1:50053
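Review bot: `0.0.0.1` in the new `FORWARD_DNS_REDIRECT=0.0.0.1:50053` is not an address any interface can hold, so the `dnat to` rules built from this value send port-53 traffic to a destination nothing answers; the new comment "match dns listen in clash config" also does not hold for a `listen: 0.0.0.0:50053` value, because 0.0.0.0 is a wildcard bind, not a destination. The redirect target has to be an address clash actually receives the query on: the removed stock value `1.0.0.1:53` is the same address other configs on this page list under `tun.dns-hijack`, so either keep that and add `1.0.0.1:53` to `dns-hijack`, or point the redirect at a concrete local address and the port clash's DNS server listens on.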
diff --git a/scripts/clash.service b/scripts/clash.service
@@ -4,8 +4,14 @@ After=network-online.target nftables.service iptabels.service
[Service]
Type=simple
-ExecStartPre=+/usr/lib/clash/setup-cgroup.sh
-ExecStart=/usr/bin/bypass-proxy /usr/bin/clash -d /srv/clash
+StandardError=journal
+User=pi
+Group=pi
+ExecStartPre=+/home/pi/lib/clash/setup-cgroup.sh
+ExecStart=/home/pi/bin/bypass-proxy /home/pi/bin/clash -f /home/pi/.config/clash/config.yaml
+Restart=on-failure
[Install]
WantedBy=multi-user.target
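Review bot: `User=pi` drops the privileges the listeners need: the redir UDP and TProxy sockets use IP_TRANSPARENT, which requires CAP_NET_ADMIN, and the output below shows exactly that as "operation not permitted" for both. Either keep the service running as root like the original unit, or add `AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE` under `[Service]` so the unprivileged user can still open those sockets (and bind port 53 should `dns.listen` ever move there). Separately, the unchanged `After=` context line spells `iptabels.service`; systemd silently ignores ordering against a unit name that does not exist, so the typo turns that dependency into a no-op.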
Output:
...
INFO[0000] Start initial compatible provider 🎞StreamingSE
INFO[0000] RESTful API listening at: 0.0.0.0:9090
INFO[0000] SOCKS proxy listening at: :7891
WARN[0000] Failed to start Redir UDP Listener: operation not permitted
ERRO[0000] Start TProxy server error: operation not permitted
INFO[0000] Redir proxy listening at: :7892
INFO[0000] Mixed(http+socks5) proxy listening at: :7890
INFO[0000] DNS server listening at: 0.0.0.0:50053
...
/Home/pi/
, so checking whether a package is installed by path name gives an error, e.g. if [ ! -d "/usr/lib/udev/rules.d" ];then
. Not sure about doing it as follows:
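An added example, not code from clash-premium-installer or its author, serving both the gateway post earlier on this page (dns-hijack on 8.8.8.8 with the DNS section disabled) and the `FORWARD_DNS_REDIRECT` change in the diff above: a small sh checker that reads the redirect target from scripts/clash-default and verifies that clash will actually receive queries sent there, either because the address is listed under `tun.dns-hijack` or because it is served by an enabled `dns.listen`. The function names are assumptions, not installer interfaces, and the sample config and clash-default files are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of clash-premium-installer): verify that the
# FORWARD_DNS_REDIRECT target in scripts/clash-default is an address clash
# answers on. The nat rules dnat every port-53 packet to that target, so a
# target nobody listens on silently breaks DNS for every LAN client.

# Print the value of <key> inside the top-level <block> of a clash config
# (flat "key: value" lines only, trailing comments stripped).
clash_block_value() {
    awk -v block="$2:" -v key="$3:" '
        /^[^ \t#]/ && $1 == block   { in_block = 1; next }
        /^[^ \t#]/                  { in_block = 0 }
        in_block && $1 == key       { sub(/#.*/, ""); print $2; exit }
    ' "$1"
}

# Print every tun.dns-hijack entry, one per line, without quotes or a
# tcp:// / udp:// prefix (block-style YAML lists only).
clash_dns_hijack() {
    awk '
        /^[^ \t#]/ && $1 == "tun:"      { in_tun = 1; next }
        /^[^ \t#]/                      { in_tun = 0; in_list = 0 }
        in_tun && $1 == "dns-hijack:"   { in_list = 1; next }
        in_list && $1 == "-"            { sub(/#.*/, ""); v = $2; gsub(/['"'"'"]/, "", v)
                                          sub(/^(tcp|udp):\/\//, "", v); print v; next }
        in_list                         { in_list = 0 }
    ' "$1"
}

# Print FORWARD_DNS_REDIRECT from scripts/clash-default (sh syntax; last assignment wins).
clash_default_dns_redirect() {
    sed -n 's/^FORWARD_DNS_REDIRECT=//p' "$1" | tr -d "\"'" | tail -n 1
}

# Usage: check_dns_redirect <config.yaml> <clash-default>
# Prints a verdict; exit status 0 only when clash can receive the redirected queries.
check_dns_redirect() {
    target=$(clash_default_dns_redirect "$2")
    case "${target%:*}" in
        ""|0.0.0.0|0.0.0.1)
            echo "invalid redirect target '$target': dnat needs a real address"
            return 1 ;;
    esac
    for hijacked in $(clash_dns_hijack "$1"); do
        if [ "$hijacked" = "$target" ]; then
            echo "ok: $target is hijacked by tun"
            return 0
        fi
    done
    # dns.listen only has a server behind it when dns.enable is true.
    # 0.0.0.0 listens on every local address; whether a forwarded packet
    # dnat'ed to a loopback target is actually delivered is a routing
    # question this check does not settle.
    listen=$(clash_block_value "$1" dns listen)
    if [ "$(clash_block_value "$1" dns enable)" = "true" ] &&
       [ "${listen##*:}" = "${target##*:}" ] &&
       { [ "${listen%:*}" = "${target%:*}" ] || [ "${listen%:*}" = "0.0.0.0" ]; }; then
        echo "ok: $target is served by dns.listen $listen"
        return 0
    fi
    echo "unreachable: $target is neither in tun.dns-hijack nor served by an enabled dns.listen"
    return 1
}

# Constructed sample inputs, modelled on the configs in this thread.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/config.yaml" <<'EOF'
mixed-port: 7890
dns: # DNS server settings
  enable: true
  listen: 0.0.0.0:50053
  nameserver:
    - 114.114.114.114
tun:
  enable: true
  dns-hijack:
    - 'tcp://1.0.0.1:53'
    - 1.0.0.1:53
EOF
echo 'FORWARD_DNS_REDIRECT=1.0.0.1:53'         > "$SAMPLE_DIR/clash-default-stock"
echo 'FORWARD_DNS_REDIRECT="0.0.0.1:50053"'    > "$SAMPLE_DIR/clash-default-patched"
echo 'FORWARD_DNS_REDIRECT=192.168.1.2:50053'  > "$SAMPLE_DIR/clash-default-local"
echo 'FORWARD_DNS_REDIRECT=8.8.8.8:53'         > "$SAMPLE_DIR/clash-default-other"

for variant in stock patched local other; do
    check_dns_redirect "$SAMPLE_DIR/config.yaml" "$SAMPLE_DIR/clash-default-$variant" || true
done
```

Run it against the real files with `check_dns_redirect /srv/clash/config.yaml /etc/default/clash` (or wherever the installed clash-default lives) before restarting the service; the parser is deliberately flat, so a config that keeps `dns-hijack` as an inline `[a, b]` list needs the awk adjusted.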
sudo ./installer.sh install
reported "cgroup not support net_cls",
so I ran mkdir -p /sys/fs/cgroup/net_cls
and the installation then completed.
On startup it reported errors:
/sys/fs/cgroup/net_cls/bypass_proxy/net_cls.classid permission denied
/sys/fs/cgroup/net_cls/bypass_proxy/tasks no such file or directory
So, referring to net_cls, I edited setup-cgroup.sh as follows:
#!/bin/sh
# net_cls is a cgroup v1 controller: the hierarchy has to be mounted before
# the bypass_proxy cgroup can be created inside it.
if [ ! -d /sys/fs/cgroup/net_cls ]; then
    mkdir -p /sys/fs/cgroup/net_cls
fi
if ! mountpoint -q /sys/fs/cgroup/net_cls; then
    mount -t cgroup -o net_cls net_cls /sys/fs/cgroup/net_cls
fi
mkdir -p /sys/fs/cgroup/net_cls/bypass_proxy
echo "$PROXY_BYPASS_CGROUP" > /sys/fs/cgroup/net_cls/bypass_proxy/net_cls.classid
# World-writable tasks lets any local user move processes into the bypass
# cgroup, i.e. around the proxy.
chmod 666 /sys/fs/cgroup/net_cls/bypass_proxy/tasks
It now runs on my machine without errors and TUN can be enabled.
Note: my machine runs Debian bullseye; I'm an ordinary user with little knowledge of editing code, so please forgive any mistakes.
Finally, thanks to the author for providing this script that lets ordinary users enable TUN mode with one click; will a one-click tproxy mode be written later?
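An added example, not the installer's own setup-cgroup.sh, for the net_cls procedure in the post above: it mounts the v1 hierarchy with explicit checks, creates the bypass cgroup, and shows how the decimal NETFILTER_MARK 114514 from scripts/clash-default is the same value as the `ct mark 0x0001bf52` and `cgroup 114514` seen in the nft listings on this page. Paths and the cgroup name bypass_proxy follow the thread; the environment variable CLASH_BYPASS_CGROUP and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of clash-premium-installer): set up the net_cls
# bypass cgroup and relate its classid to the packet mark the nft rules use.

NET_CLS_ROOT=/sys/fs/cgroup/net_cls
BYPASS_CGROUP=${CLASH_BYPASS_CGROUP:-114514}   # assumed variable; 114514 is the thread's value

# net_cls.classid is a 32-bit 0xAAAABBBB (major:minor) value. 114514 in
# decimal is 0x0001bf52, which is exactly the "ct mark 0x0001bf52" the
# nft listing on this page shows; the kernel accepts either spelling.
classid_hex() {
    printf '0x%08x\n' "$1"
}

# True when the running kernel has the net_cls controller at all; the
# installer's "cgroup not support net_cls" message is about this.
net_cls_supported() {
    grep -q '^net_cls' /proc/cgroups 2>/dev/null
}

# Mount the v1 net_cls hierarchy (idempotent) and create the bypass cgroup.
# Must run as root. The cgroup stays root-only on purpose: a chmod 666 on
# tasks would let any local user move processes outside the proxy.
setup_bypass_cgroup() {
    net_cls_supported || { echo "kernel has no net_cls controller" >&2; return 1; }
    mkdir -p "$NET_CLS_ROOT"
    if ! mountpoint -q "$NET_CLS_ROOT"; then
        mount -t cgroup -o net_cls net_cls "$NET_CLS_ROOT"
    fi
    mkdir -p "$NET_CLS_ROOT/bypass_proxy"
    classid_hex "$BYPASS_CGROUP" > "$NET_CLS_ROOT/bypass_proxy/net_cls.classid"
}

# Remove the cgroup again on shutdown (only works once nothing is inside it).
teardown_bypass_cgroup() {
    rmdir "$NET_CLS_ROOT/bypass_proxy" 2>/dev/null || true
}

# Run a command inside the bypass cgroup, which is what the bypass-proxy
# wrapper does for clash: cgroup.procs moves the whole process, whereas
# tasks moves a single thread.
bypass_run() {
    echo $$ > "$NET_CLS_ROOT/bypass_proxy/cgroup.procs"
    exec "$@"
}
```

Typical use is `setup_bypass_cgroup` from ExecStartPre and `bypass_run /usr/bin/clash -d /srv/clash` as the service command; `teardown_bypass_cgroup` answers the earlier question about cleaning up the cgroup when the service stops.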
~/clash-premium-installer# ./installer.sh install
-ash: ./installer.sh: Permission denied
I happened to raise a similar question over at https://github.com/Dreamacro/clash: https://github.com/Dreamacro/clash/discussions/1251 .
Clash premium in TUN mode takes over port 53, and domain-name requests are handled correctly by clash, but some apps such as Telegram and Netflix on Android TV request resources by IP address directly, and those requests do not seem to be routed into utun.
I turned off the firewall and tried the iptables rules below, which solved the problem, but clash-premium-installer seems to use nftables.
#!/bin/bash
# https://comzyh.gitbook.io/clash/real-ip-tun-example
# Create the clash chain
iptables -t mangle -N clash
# Let LAN-internal traffic through untouched
iptables -t mangle -A clash -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A clash -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A clash -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A clash -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A clash -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A clash -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A clash -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A clash -d 240.0.0.0/4 -j RETURN
# Mark everything else
iptables -t mangle -A clash -j MARK --set-xmark 100
# Apply the fwmark to forwarded traffic
iptables -t mangle -A PREROUTING -j clash
# Let root's traffic through to avoid loops
# iptables -t mangle -A OUTPUT -m owner --uid-owner 0 -j RETURN
# Add a policy routing table for utun
ip route add default dev utun table 100
# Packets marked 100 are handled by policy routing table 100
ip rule add fwmark 100 lookup 100
# Hand over to the command given on the command line (entrypoint style)
exec "$@"
So, with the firewall on, how should inbound traffic to IP-address destinations be handled? And should the "let root's traffic through to avoid loops" rule be added?
Thanks
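An added example, not code from clash-premium-installer or its author, for the post above and for the earlier question about `ip protocol != { tcp, udp } accept`: the iptables script rewritten as an nftables ruleset plus the policy-routing half. It only hooks prerouting, i.e. traffic forwarded for LAN clients; locally generated packets never pass prerouting, so no root or cgroup loop-avoidance rule belongs here (the installer's own `clash` table covers the output hook with its cgroup match). Table name clash_lan, mark 100, routing table 100 and the device utun are taken from the post; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of clash-premium-installer): nft equivalent of the
# iptables mangle script above, rendered as text so it can be inspected (and
# tested) without nft installed, plus the apply/remove steps.

# Print an nft script: a bypass set of local ranges and a prerouting chain
# that fwmarks everything else so policy routing sends it into the tun.
render_lan_ruleset() {
    mark=${1:-100}
    cat <<EOF
table ip clash_lan {
    set bypass {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
                     172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 }
    }
    chain prerouting {
        type filter hook prerouting priority -150; policy accept;
        # "return" means "stop processing this packet in this chain", the
        # same role the installer's "ip protocol != { tcp, udp } accept"
        # line plays: non-TCP/UDP packets are left unmarked, not dropped
        meta l4proto != { tcp, udp } return
        ip daddr @bypass return
        meta mark set $mark
    }
}
EOF
}

# Load the ruleset from a temporary file: nft versions that cannot read a
# script from stdin (the Ubuntu 18 error on this page, Could not open file "-")
# still accept a plain file.
apply_lan_ruleset() {
    mark=${1:-100} table=${2:-100} dev=${3:-utun}
    tmp=$(mktemp)
    render_lan_ruleset "$mark" > "$tmp"
    nft delete table ip clash_lan 2>/dev/null || true   # replace, never append
    nft -f "$tmp"
    rm -f "$tmp"
    ip route replace default dev "$dev" table "$table"
    ip rule del fwmark "$mark" lookup "$table" 2>/dev/null || true
    ip rule add fwmark "$mark" lookup "$table"
}

# Undo apply_lan_ruleset on shutdown.
remove_lan_ruleset() {
    mark=${1:-100} table=${2:-100}
    nft delete table ip clash_lan 2>/dev/null || true
    ip rule del fwmark "$mark" lookup "$table" 2>/dev/null || true
    ip route flush table "$table" 2>/dev/null || true
}
```

`render_lan_ruleset | nft -c -f /dev/stdin` is a dry-run syntax check on a modern nft; on the old Ubuntu 18 binary write the output to a file first. Mark 100 and table 100 must not collide with the installer's NETFILTER_MARK / IPROUTE2_TABLE_ID (114514 / 114) on the same host, and if the installer's `forward` chain already marks the same packets the two rulesets overlap, so keep only one of them active.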
The udev rule set up by the install script (99-clash.rules) does not take effect; sudo /usr/lib/clash/setup-tun.sh has to be run manually
to configure tun.
Ubuntu 18: the setup-tun.sh script reports this error:
internal:0:0-0: Error: Could not open file "-": No such file or directory
1. clash was installed via this script.
2. The clash host is a Xiaomi Notebook Air 12.5 running deepin 20.4.
3. The laptop itself can access the internet normally through TUN.
4. My home China Mobile broadband is 300M.
Problem description:
1. With the Android phone's Wi-Fi set to the host's IP as gateway and DNS, a speed test gives 9 MB/s.
2. Same Android phone, on DHCP, with the Wi-Fi proxy set to the host IP and port 7890: 47-48 MB/s.
3. A Win11 desktop set up both ways gets the same speeds as above.
As in the title.
Installation succeeded with no errors reported. Proxying through SOCKS5 works normally, but through TUN, i.e. setting the client machine's gateway and DNS to clash's IP, it cannot proxy at all.
Moreover, even when a domain resolves to the same IP address, with the gateway set to clash it cannot be pinged, while with the gateway set to the main router it can, so this has nothing to do with DNS. With the gateway set to clash, the SOCKS5 proxy still works, so clash itself is running; it just cannot forward via redir. The clash config is as follows:
mixed-port: 7890
redir-port: 7892
#tproxy-port: 7893
allow-lan: true
mode: rule
log-level: warning # info / warning / error / debug / silent
ipv6: false
external-controller: 0.0.0.0:9090
# external-ui: /ui
#interface-name: ens18
tun:
  enable: true
  stack: system # or `gvisor'
  # dns-listen: 0.0.0.0:53
  dns-hijack:
    - 1.0.0.1:53
  # auto-route: true
dns: # DNS server settings
  enable: true
  # listen: 0.0.0.0:53
  ipv6: false
  default-nameserver:
    - 119.29.29.29
  enhanced-mode: redir-host # or fake-ip redir-host
  fake-ip-range: 198.18.0.1/16 # Fake IP addresses pool CIDR
  # use-hosts: true # lookup hosts and return IP record
  fake-ip-filter:
    - '*.lan'
    - localhost.ptlogin2.qq.com
    - '+.srv.nintendo.net'
    - '+.stun.playstation.net'
    - '+.msftconnecttest.com'
    - '+.msftncsi.com'
    - '+.xboxlive.com'
    - 'msftconnecttest.com'
    - 'xbox.*.microsoft.com'
    - '*.battlenet.com.cn'
    - '*.battlenet.com'
    - '*.blzstatic.cn'
    - '*.battle.net'
  nameserver: # domestic domains are resolved via nameserver
    - https://doh.pub/dns-query # Tencent DNS
    - https://dns.alidns.com/dns-query # Alibaba DNS
    # - 119.29.29.29
  fallback: # foreign domains are resolved via fallback (unpolluted DNS)
    - https://cloudflare-dns.com/dns-query # Cloudflare DNS
    - https://doh.dns.sb/dns-query # DNS.SB
  fallback-filter: # filter for fallback requests
    geoip: true
    ipcidr:
      - 240.0.0.0/4
    domain:
      - '+.google.com'
      - '+.youtube.com'
Checking with ifconfig, the tun device was also created successfully:
utun: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 9000
        inet 198.18.0.1  netmask 255.255.0.0  destination 198.18.0.1
        inet6 fe80::5a70:e37f:3785:97e8  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 1040  bytes 115856 (113.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1042  bytes 115952 (113.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Checking with nft list table clash -s, the clash firewall rules are present too:
table ip clash {
    chain local {
        type route hook output priority 0; policy accept;
        ip protocol != { tcp, udp } accept
        cgroup 114514 accept
        ip daddr { 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4 } accept
        ct state new ct mark set 0x0001bf52
        ct mark 0x0001bf52 mark set 0x0001bf52
    }
    chain forward {
        type filter hook prerouting priority 0; policy accept;
        ip protocol != { tcp, udp } accept
        iif "utun" accept
        ip daddr { 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4 } accept
        mark set 0x0001bf52
    }
    chain local-dns-redirect {
        type nat hook output priority 0; policy accept;
        ip protocol != { tcp, udp } accept
        cgroup 114514 accept
        ip daddr 127.0.0.0/8 accept
        udp dport domain dnat to 1.0.0.1:domain
        tcp dport domain dnat to 1.0.0.1:domain
    }
    chain forward-dns-redirect {
        type nat hook prerouting priority 0; policy accept;
        ip protocol != { tcp, udp } accept
        udp dport domain dnat to 1.0.0.1:domain
        tcp dport domain dnat to 1.0.0.1:domain
    }
}
I am just curious about why set the home dir to srv/clash? Are there any additional benefits for doing this?
From the clash wiki, he recommends /etc/clash. For myself, I prefer to put configs in ~/.config/clash.