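  • fake-ip: used to keep an internal mapping between domain names and IPs, so that traffic can be routed by domain name.
  • nameserver-policy: used to assign specific DNS servers to specific domains, so that internal-network domain names do not fail to resolve (this requires adding routing rules for the internal domains).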

Best practices for getting online through Clash

Clash-Verge-Rev best practices

A brief look at DNS leaks

OpenClash setup guide

  • Link State Change Event
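    • In the end, all traffic passes through port 7897.
    • Main differences:
      • System proxy: applications connect to port 7897 voluntarily.
      • TUN mode: the system forces traffic to sing-box, and sing-box forwards it to port 7897.
    • If there are internal-network servers, a DNS server must be configured so that the correct internal address is returned and the traffic is routed accordingly.
    • LAN proxying currently has a problem: access over Git does not work, only over HTTP.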

Some of the proxy configuration is shown below
[wsl2]
networkingMode=mirrored
autoProxy=false
dnsTunneling=false
dnsProxy=false
firewall=false
Allow it through the Windows firewall

curl -fsSL https://sing-box.app/install.sh | sh

/etc/sing-box/config.json

{
  "log": {
    "level": "info",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "google-doh",
        "type": "https",
        "server": "8.8.8.8",
        "detour": "proxy"
      },
      {
        "tag": "company-dns",
        "type": "udp",
        "server": "192.168.13.1"
      },
      {
        "tag": "local-dns",
        "type": "local"
      }
    ],
    "rules": [
      {
        "domain_suffix": [
          "gitlab.fzcsxl.com"
        ],
        "server": "company-dns"
      }
    ],
    "final": "google-doh",
    "strategy": "ipv4_only"
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "interface_name": "tun0",
      "address": [
        "172.19.0.1/30"
      ],
      "auto_route": true,
      "strict_route": true,
      "stack": "gvisor",
      "mtu": 9000,
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "socks",
      "tag": "proxy",
      "server": "127.0.0.1",
      "server_port": 7897,
      "version": "5"
    },
    {
      "type": "direct",
      "tag": "direct"
    }
  ],
  "route": {
    "rules": [
      {
        "port": [123],
        "outbound": "direct"
      },
      {
        "protocol": "dns",
        "action": "hijack-dns"
      },
      {
        "ip_is_private": true,
        "outbound": "direct"
      },
      {
        "protocol": "quic",
        "outbound": "direct"
      }
    ],
    "auto_detect_interface": true,
    "default_domain_resolver": "google-doh",
    "final": "proxy"
  }
}


sudo systemctl enable --now sing-box
sudo systemctl start sing-box
sudo systemctl status sing-box
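
An added example, not part of the original page or of sing-box: a small Python check that reads the "dns" section of the config above, reports which resolver answers a given name, and flags names that would be looked up outside the proxy. The function names are hypothetical, wiki.fzcsxl.com is a constructed hostname, and label-aligned suffix matching is an assumption about how domain_suffix behaves.

```python
import json

# "dns" section as it appears in the page's /etc/sing-box/config.json
DNS = json.loads("""{
  "servers": [
    {"tag": "google-doh", "type": "https", "server": "8.8.8.8", "detour": "proxy"},
    {"tag": "company-dns", "type": "udp", "server": "192.168.13.1"},
    {"tag": "local-dns", "type": "local"}
  ],
  "rules": [
    {"domain_suffix": ["gitlab.fzcsxl.com"], "server": "company-dns"}
  ],
  "final": "google-doh"
}""")

def suffix_match(domain, suffix):
    # Assumption: label-aligned matching ("x.a.com" matches "a.com", "xa.com" does not).
    d, s = domain.lower().rstrip("."), suffix.lower().strip(".")
    return d == s or d.endswith("." + s)

def pick_server(dns, domain):
    """Return the server entry that answers `domain`: first matching rule, else `final`."""
    servers = {s["tag"]: s for s in dns["servers"]}
    for rule in dns.get("rules", []):
        if any(suffix_match(domain, s) for s in rule.get("domain_suffix", [])):
            return servers[rule["server"]]
    # sing-box falls back to the first server when "final" is empty
    return servers.get(dns.get("final")) or dns["servers"][0]

def dns_leaks(dns, internal_suffixes, domains):
    """Return (name, server tag) for non-internal names resolved outside the proxy.

    A lookup counts as protected only when its server has a "detour",
    meaning the query itself is carried by the proxy outbound.
    """
    leaks = []
    for name in domains:
        server = pick_server(dns, name)
        internal = any(suffix_match(name, s) for s in internal_suffixes)
        if not internal and "detour" not in server:
            leaks.append((name, server["tag"]))
    return leaks

if __name__ == "__main__":
    # wiki.fzcsxl.com is a constructed name that no DNS rule covers
    for name in ("gitlab.fzcsxl.com", "wiki.fzcsxl.com", "example.org"):
        print(name, "->", pick_server(DNS, name)["tag"])
    print("leaks:", dns_leaks(DNS, ["gitlab.fzcsxl.com"], ["gitlab.fzcsxl.com", "example.org"]))
```

A name under the internal domain that no rule covers, such as the constructed wiki.fzcsxl.com, falls through to google-doh, which is why internal domains need their own rule.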