Over the past couple of days I had planned to upgrade my OpenWRT system, but after upgrading to the new version I ran into some problems (which later turned out to be caused by AdGuardHome). On top of that, while tuning the Clash configuration I found OpenWRT very unfriendly in that it would not let me modify the configuration file the way I wanted, i.e. changes made in the web UI did not take effect, so I decided to set things up on a RHEL-like system instead (AlmaLinux is used in this article).
1. Clash configuration
1.1. First download the executable from the Clash homepage and place it in the executables directory (the service unit below expects it at /usr/local/bin/clash)
1.2. Configure the startup service
Create the unit file with vi /etc/systemd/system/clash.service and give it the following contents:
[Unit]
Description=Clash daemon, A rule-based proxy in Go.
After=network.target
[Service]
Type=simple
Restart=always
StartLimitInterval=5
StartLimitBurst=10
# The file: log targets below do not create their directory, so make sure it exists first
ExecStartPre=/bin/mkdir -p /var/log/clash
ExecStart=/usr/local/bin/clash -d /etc/clash
StandardOutput=file:/var/log/clash/clash.out
StandardError=file:/var/log/clash/clash.err
[Install]
WantedBy=multi-user.target
1.3. Put the Clash configuration file in the /etc/clash directory
1.4. Configure the firewall
sudo firewall-cmd --permanent --direct --add-chain ipv4 nat clash
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat clash 1 -d 0.0.0.0/8 -j RETURN
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat clash 1 -d 10.0.0.0/8 -j RETURN
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat clash 1 -d 127.0.0.0/8 -j RETURN
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat clash 1 -d 169.254.0.0/16 -j RETURN
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat clash 1 -d 172.16.0.0/12 -j RETURN
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat clash 1 -d 192.168.0.0/16 -j RETURN
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat clash 1 -d 224.0.0.0/4 -j RETURN
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat clash 1 -d 240.0.0.0/4 -j RETURN
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat clash 2 -p tcp -j REDIRECT --to-ports "7892"
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p tcp -j clash
# Only needed when Clash DNS is moved to a port other than 53; this article uses AdGuard Home as the DNS service, so the following rules are not required
sudo firewall-cmd --permanent --direct --add-chain ipv4 nat CLASH_DNS
sudo firewall-cmd --permanent --direct --remove-rules ipv4 nat CLASH_DNS
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat CLASH_DNS 1 -p udp -j REDIRECT --to-port 1053
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p udp --dport 53 -j CLASH_DNS
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat CLASH_DNS 1 -p tcp -j REDIRECT --to-port 1053
sudo firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p tcp --dport 53 -j CLASH_DNS
sudo firewall-cmd --reload
The resulting firewalld configuration file (/etc/firewalld/direct.xml) looks like this:
<?xml version="1.0" encoding="utf-8"?>
<direct>
<chain ipv="ipv4" table="nat" chain="clash"/>
<chain ipv="ipv4" table="nat" chain="CLASH_DNS"/>
<rule ipv="ipv4" table="nat" chain="clash" priority="1">-d 0.0.0.0/8 -j RETURN</rule>
<rule ipv="ipv4" table="nat" chain="clash" priority="1">-d 10.0.0.0/8 -j RETURN</rule>
<rule ipv="ipv4" table="nat" chain="clash" priority="1">-d 127.0.0.0/8 -j RETURN</rule>
<rule ipv="ipv4" table="nat" chain="clash" priority="1">-d 169.254.0.0/16 -j RETURN</rule>
<rule ipv="ipv4" table="nat" chain="clash" priority="1">-d 172.16.0.0/12 -j RETURN</rule>
<rule ipv="ipv4" table="nat" chain="clash" priority="1">-d 192.168.0.0/16 -j RETURN</rule>
<rule ipv="ipv4" table="nat" chain="clash" priority="1">-d 224.0.0.0/4 -j RETURN</rule>
<rule ipv="ipv4" table="nat" chain="clash" priority="1">-d 240.0.0.0/4 -j RETURN</rule>
<rule ipv="ipv4" table="nat" chain="clash" priority="2">-p tcp -j REDIRECT --to-ports 7892</rule>
<rule ipv="ipv4" table="nat" chain="PREROUTING" priority="0">-p tcp -j clash</rule>
<rule ipv="ipv4" table="nat" chain="CLASH_DNS" priority="1">-p udp -j REDIRECT --to-port 1053</rule>
<rule ipv="ipv4" table="nat" chain="CLASH_DNS" priority="1">-p tcp -j REDIRECT --to-port 1053</rule>
<rule ipv="ipv4" table="nat" chain="OUTPUT" priority="0">-p udp --dport 53 -j CLASH_DNS</rule>
<rule ipv="ipv4" table="nat" chain="OUTPUT" priority="0">-p tcp --dport 53 -j CLASH_DNS</rule>
</direct>
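As an added check that is not part of the original post: the script below parses the direct.xml shown above (embedded inline as a constructed sample, minus the CLASH_DNS rules, which hang off OUTPUT and never affect PREROUTING) and walks the nat PREROUTING and clash chains the way netfilter would, so you can confirm which destinations end up redirected to 7892 and that the RETURN rules at priority 1 really run before the REDIRECT at priority 2.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed copy of the direct.xml from section 1.4 (CLASH_DNS rules omitted: they live on
# OUTPUT and play no part in the PREROUTING redirect evaluated here).
DIRECT_XML = """<direct>
<chain ipv="ipv4" table="nat" chain="clash"/>
<rule ipv="ipv4" table="nat" chain="clash" priority="1">-d 0.0.0.0/8 -j RETURN</rule>
<rule ipv="ipv4" table="nat" chain="clash" priority="1">-d 10.0.0.0/8 -j RETURN</rule>
<rule ipv="ipv4" table="nat" chain="clash" priority="1">-d 127.0.0.0/8 -j RETURN</rule>
<rule ipv="ipv4" table="nat" chain="clash" priority="1">-d 169.254.0.0/16 -j RETURN</rule>
<rule ipv="ipv4" table="nat" chain="clash" priority="1">-d 172.16.0.0/12 -j RETURN</rule>
<rule ipv="ipv4" table="nat" chain="clash" priority="1">-d 192.168.0.0/16 -j RETURN</rule>
<rule ipv="ipv4" table="nat" chain="clash" priority="1">-d 224.0.0.0/4 -j RETURN</rule>
<rule ipv="ipv4" table="nat" chain="clash" priority="1">-d 240.0.0.0/4 -j RETURN</rule>
<rule ipv="ipv4" table="nat" chain="clash" priority="2">-p tcp -j REDIRECT --to-ports 7892</rule>
<rule ipv="ipv4" table="nat" chain="PREROUTING" priority="0">-p tcp -j clash</rule>
</direct>"""

def parse_rule(text):
    """Turn one iptables-style rule string into the matches and target it uses."""
    tok = text.split()
    def arg(flag):  # value following a flag, or None when the flag is absent
        return tok[tok.index(flag) + 1] if flag in tok else None
    dst = arg("-d")
    port = arg("--to-ports") or arg("--to-port")
    return {"dst": ipaddress.ip_network(dst) if dst else None, "proto": arg("-p"),
            "target": arg("-j"), "to_port": int(port) if port else None}

def load_chains(xml_text):
    """Group nat-table rules by chain, ordered by firewalld priority (lower numbers run first)."""
    chains = {}
    for el in ET.fromstring(xml_text).iter("rule"):
        if el.get("table") == "nat":
            chains.setdefault(el.get("chain"), []).append((int(el.get("priority")), parse_rule(el.text)))
    # sorted() is stable, so rules sharing a priority keep their insertion order
    return {c: [r for _, r in sorted(rs, key=lambda x: x[0])] for c, rs in chains.items()}

def redirect_port(chains, dst, proto, chain="PREROUTING"):
    """Walk the nat chain like the kernel would; return the REDIRECT port or None if untouched."""
    ip = ipaddress.ip_address(dst)
    for r in chains.get(chain, []):
        if (r["dst"] and ip not in r["dst"]) or (r["proto"] and r["proto"] != proto):
            continue
        if r["target"] == "RETURN":
            return None  # back to the calling chain, which continues after the jump
        if r["target"] == "REDIRECT":
            return r["to_port"]
        port = redirect_port(chains, dst, proto, r["target"])  # jump into a user chain
        if port is not None:
            return port
    return None
```

Note that the PREROUTING hook carries no interface match, so every TCP packet entering the host on any interface with a non-bypassed destination is redirected to 7892; lowering the REDIRECT rule's priority number below 1 would also pull LAN and loopback destinations into Clash.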
2. AdGuard Home configuration
Attached: the AdGuard Home service file /etc/systemd/system/AdGuardHome.service:
[Unit]
Description=AdGuard Home: Network-level blocker
ConditionFileIsExecutable=/opt/AdGuardHome/AdGuardHome
After=syslog.target network-online.target
[Service]
StartLimitInterval=5
StartLimitBurst=10
# Create the log directory used by the StandardOutput/StandardError paths below
ExecStartPre=/bin/mkdir -p /var/log/AdGuardHome
# ExecStart=/opt/AdGuardHome/AdGuardHome "-s" "run"
ExecStart=/opt/AdGuardHome/AdGuardHome -c /etc/AdGuardHome/AdGuardHome.yaml
WorkingDirectory=/opt/AdGuardHome
StandardOutput=file:/var/log/AdGuardHome/AdGuardHome.out
StandardError=file:/var/log/AdGuardHome/AdGuardHome.err
Restart=always
RestartSec=10
EnvironmentFile=-/etc/sysconfig/AdGuardHome
[Install]
WantedBy=multi-user.target
Firewall configuration:
sudo firewall-cmd --zone=public --add-port=53/udp --permanent
sudo firewall-cmd --zone=public --add-port=53/tcp --permanent
3. v2ray configuration
Attached: the v2ray service file (/etc/systemd/system/v2ray.service):
[Unit]
Description=V2Ray Service
Documentation=https://www.v2fly.org/
After=network.target nss-lookup.target
StartLimitIntervalSec=500
StartLimitBurst=5
[Service]
User=nobody
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ExecStart=/opt/v2ray/v2ray -config /etc/v2ray/config.json
Restart=on-failure
RestartSec=5s
RestartPreventExitStatus=23
[Install]
WantedBy=multi-user.target
The DNS chain used in this article is as follows:
Client -> AdGuard Home -> Clash -> Other DNS
That is, the only DNS upstream configured in AdGuard Home is Clash's address.
Some of the content above is drawn from sources on the web.