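####################################################################################
#
# Works on Linux as a transparent proxy gateway; just replace the Subscription-1 URL.
#
# Point each LAN client's default gateway and DNS at this Linux machine's IP.
# A client that already uses a public DNS server does not need to point its DNS at
# the gateway (port-53 traffic is intercepted by the tun dns-hijack entries below).
#
####################################################################################

#mixed-port: 7890
#mitm-port: 7891

allow-lan: true

bind-address: '*'

# rule / script / global / direct (default value is rule)
mode: rule

# set log level to stdout (default value is info)
# debug / info / warning / error
log-level: warning

ipv6: false

sniffing: false

# keep enabled: proxy server certificates are verified even for nodes that set skip-cert-verify
force-cert-verify: true

profile:
  store-selected: true
  store-fake-ip: true
  tracing: false # default value is true

experimental:
  # udp-fallback-policy: 'proxy' # a proxy that supports UDP

# A RESTful API for clash.
# 0.0.0.0 exposes the API on every interface, including the one the LAN clients use;
# set `secret` below so that LAN hosts cannot read or change the running configuration
# without a token.
external-controller: 0.0.0.0:9090

# Secret for RESTful API (Optional, but strongly recommended when the API is reachable from the LAN)
#secret: xxxx

external-ui: ./dashboard

# outbound interface name
interface-name: eth0

ebpf:
  redirect-to-tun:
    - eth0 # gateway interface name (the NIC the clients' traffic arrives on)
    # - wlan0

tun:
  enable: true
  stack: system # system or gvisor
  device: tun://utun
  dns-hijack:
    - any:53
    - tcp://any:53
  auto-route: false # auto set global route, conflict with redirect-to-tun
  # auto-detect-interface: true # conflict with interface-name

hosts:
  'localhost': '127.0.0.1'

dns:
  enable: true
  use-hosts: true
  ipv6: false
  remote-dns-resolve: true # default value is true
  enhanced-mode: fake-ip
  fake-ip-range: 198.18.0.1/16
  # answers any host that can reach the gateway; do not expose this on a WAN-facing interface
  listen: 0.0.0.0:53
  # nameserver-policy:
  #   '+.example.com': 192.168.1.254
  default-nameserver:
    - 119.29.29.29
    - 223.6.6.6
  proxy-server-nameserver:
    - https://1.12.12.12/dns-query
    - https://223.5.5.5/dns-query
  nameserver:
    - https://120.53.53.53/dns-query
    - tls://223.6.6.6:853
  remote-nameserver:
    - https://8.8.8.8/dns-query
    - tls://1.1.1.1:853
  fallback:
    - tcp://8.8.8.8:53#DNS-Proxy # if set `remote-dns-resolve` to false, then enable it.
  fake-ip-filter:
    - '*.lan'
    # - '+.example.com'
  fallback-filter:
    geoip: false
    geosite:
      - gfw
    # domain:
    #   - '+.example.com'
    ipcidr:
      - 0.0.0.0/32

#mitm:
#  hosts:
#    - '+.google.cn'
#  rules:
#    - ^https?://(.*)google\.cn(.*) url 307 https://$1google.com$2

proxy-groups:
  - name: Auto
    type: url-test
    interval: 1200
    tolerance: 150
    url: http://www.gstatic.com/generate_204
    use: &Use
      - Subscription-1

  - name: Geo-HK
    type: url-test
    interval: 600
    tolerance: 100
    url: http://www.gstatic.com/generate_204
    filter: "HongKong|HK|香港"
    use: *Use

  - name: Geo-TW
    type: url-test
    interval: 600
    tolerance: 100
    url: http://www.gstatic.com/generate_204
    filter: "Taiwan|TW|台湾"
    use: *Use

  - name: Geo-SG
    type: url-test
    interval: 600
    tolerance: 100
    url: http://www.gstatic.com/generate_204
    filter: "Singapore|SG|新加坡"
    use: *Use

  - name: Geo-JP
    type: url-test
    interval: 600
    tolerance: 100
    url: http://www.gstatic.com/generate_204
    filter: "Japan|JP|日本"
    use: *Use

  - name: Geo-US
    type: url-test
    interval: 600
    tolerance: 100
    url: http://www.gstatic.com/generate_204
    filter: "America|United States|US|美国"
    use: *Use

  - name: Geo-UK
    type: url-test
    interval: 600
    tolerance: 100
    url: http://www.gstatic.com/generate_204
    filter: "Britain|England|UK|英国"
    use: *Use

  - name: Geo-DE
    type: url-test
    interval: 600
    tolerance: 100
    url: http://www.gstatic.com/generate_204
    filter: "Germany|Deutsch|DE|德国"
    use: *Use

  - name: Geo-CN
    type: select
    disable-dns: true
    filter: "China|CN|中国"
    use: *Use
    proxies:
      - DIRECT

  - name: Block
    type: select
    use: *Use
    proxies:
      - REJECT
      - DIRECT
      - Geo-HK
      - Geo-TW
      - Geo-SG
      - Geo-JP
      - Geo-US
      - Geo-UK
      - Geo-DE
      - Geo-CN

  - name: Proxy
    type: select
    use: *Use
    proxies:
      - Auto
      - Geo-HK
      - Geo-TW
      - Geo-SG
      - Geo-JP
      - Geo-US
      - Geo-UK
      - Geo-DE
      - Geo-CN
      - DIRECT
      - Block

  - name: DNS-Proxy
    type: select
    use: *Use
    proxies: &Proxy
      - Proxy
      - Auto
      - Geo-HK
      - Geo-TW
      - Geo-SG
      - Geo-JP
      - Geo-US
      - Geo-UK
      - Geo-DE
      - Geo-CN
      - DIRECT
      - Block

  - name: Netflix
    type: select
    use: *Use
    proxies: *Proxy

  - name: Apple
    type: select
    use: *Use
    proxies: *Proxy

  - name: iCloud
    type: select
    use: *Use
    proxies: *Proxy

  - name: MicrosoftCN
    type: select
    use: *Use
    proxies: *Proxy

  - name: PayPal
    type: select
    use: *Use
    proxies: *Proxy

  - name: Steam
    type: select
    use: *Use
    proxies: *Proxy

  - name: Game
    type: select
    use: *Use
    proxies: *Proxy

  - name: Facebook
    type: select
    use: *Use
    proxies: *Proxy

  - name: Twitter
    type: select
    use: *Use
    proxies: *Proxy

  - name: Telegram
    type: select
    use: *Use
    proxies: *Proxy

  - name: GlobalTV
    type: select
    use: *Use
    proxies: *Proxy

  - name: YouTube
    type: select
    use: *Use
    proxies: *Proxy

  - name: Spotify
    type: select
    use: *Use
    proxies: *Proxy

  - name: SpeedTest
    type: select
    use: *Use
    proxies: *Proxy

  - name: Download
    type: select
    use: *Use
    proxies: *Proxy

  - name: CN
    type: select
    disable-dns: true
    use: *Use
    proxies: *Proxy

  - name: Mismatch
    type: select
    use: *Use
    proxies: *Proxy

proxy-providers:
  Subscription-1:
    type: http
    url: "URL" # replace this URL with your provider's subscription link
    path: ./providers/Subscription-1.yaml
    interval: 6h
    # prefix-name: "S-"
    # url-proxy: true
    # udp: true
    header:
      User-Agent:
        - "Clash/v1.11.8"
    health-check:
      enable: false
      interval: 0
      url: http://www.gstatic.com/generate_204
      # lazy: false # default value is true

script:
  # path: ./script.star
  # `code` is used in script mode; the `shortcuts` below are what the SCRIPT rules in
  # rule mode evaluate. Keep the two keyword lists in sync.
  code: |
    # keep in sync with the Privacy shortcut below
    blockHosts = ['analytics', 'adservice', 'firebase', 'bugly', 'safebrowsing', 'doubleclick', 'bugsnag']
    directHosts = ['push.apple.com', 'iosapps.itunes.apple.com', 'jetbrains.com', 'msftconnecttest.com']

    def main(ctx, metadata):
        # Returns the policy name for one connection; the order mirrors the `rules` list.
        network = metadata["network"]
        dst_port = int(metadata["dst_port"])
        # QUIC (UDP/443) is rejected so browsers fall back to TCP, which the proxies handle
        if network == 'udp' and dst_port == 443:
            return "REJECT"

        # NTP and NetBIOS UDP traffic stays local
        if network == "udp" and (dst_port == 123 or (dst_port >= 136 and dst_port <=139)):
            return "DIRECT"

        host = metadata["host"]
        for kw in blockHosts:
            if kw in host:
                return "REJECT"

        if ctx.rule_providers['category-ads-all'].match(metadata):
            return "Block"

        for kw in directHosts:
            if kw in host:
                return "DIRECT"

        if ctx.rule_providers['icloud'].match(metadata):
            return "iCloud"

        if ctx.rule_providers['apple'].match(metadata):
            return "Apple"

        if ctx.rule_providers['microsoft@cn'].match(metadata):
            return "MicrosoftCN"

        if ctx.rule_providers['paypal@cn'].match(metadata):
            return "CN"

        if ctx.rule_providers['paypal'].match(metadata):
            return "PayPal"

        if ctx.rule_providers['twitter'].match(metadata):
            return "Twitter"

        if ctx.rule_providers['facebook'].match(metadata):
            return "Facebook"

        if ctx.rule_providers['youtube'].match(metadata):
            return "YouTube"

        if ctx.rule_providers['geolocation-!cn'].match(metadata):
            return "Proxy"

        if ctx.rule_providers['geolocation-cn'].match(metadata):
            return "CN"

        # GeoIP decision: use the destination IP when present, otherwise resolve the host
        code = ""
        ip = metadata["dst_ip"]
        if ip != "":
            code = ctx.geoip(ip)
            if code == "PRIVATE" or code == "LAN":
                return "DIRECT"
            if code == "TELEGRAM":
                return "Telegram"
        else:
            ip = ctx.resolve_ip(host)

        if ip == "":
            return "Mismatch"

        code = ctx.geoip(ip) if code == "" else code
        if code == "CN":
            return "CN"

        return "Mismatch" # default policy for requests which are not matched by any other script

  engine: expr # or starlark (10x to 20x slower)
  shortcuts:
    QUIC: |
      network == "udp" and dst_port == 443
    Privacy: |
      any(["analytics", "adservice", "firebase", "safebrowsing", "doubleclick", "bugly", "bugsnag"], host contains #)
    BilibiliUdp: |
      network == "udp" and match_provider("bilibili")
    DirectUdp: |
      network == "udp" and (dst_port == 123 or (dst_port >= 136 and dst_port <=139))

rules:
  - GEOIP,private,DIRECT,no-resolve
  - GEOIP,telegram,Telegram,no-resolve

  - SCRIPT,QUIC,REJECT # Disable QUIC
  - SCRIPT,Privacy,REJECT
  - SCRIPT,BilibiliUdp,REJECT
  - SCRIPT,DirectUdp,DIRECT

  - DOMAIN-SUFFIX,push.apple.com,DIRECT

  - GEOSITE,category-ads-all,Block

  - DOMAIN-SUFFIX,jetbrains.com,DIRECT
  - DOMAIN-SUFFIX,msftconnecttest.com,DIRECT
  - DOMAIN,iosapps.itunes.apple.com,DIRECT

  - GEOSITE,icloud,iCloud
  - GEOSITE,apple,Apple
  - GEOSITE,microsoft@cn,MicrosoftCN
  - GEOSITE,paypal@cn,CN
  - GEOSITE,paypal,PayPal
  - GEOSITE,twitter,Twitter
  - GEOSITE,facebook,Facebook
  - GEOSITE,youtube,YouTube
  - GEOSITE,geolocation-!cn,Proxy
  - GEOSITE,geolocation-cn,CN

  - GEOIP,cn,CN

  - MATCH,Mismatch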