科学上网存在法律风险,以下配置好的上网工具建议仅个人使用。
购买境外服务器
考虑到存在法律风险,建议使用国外服务器商提供的云服务器,如hosthatch、AWS、Azure、Google Cloud等。
服务器配置建议先低配即可,系统可以用Debian或centos。
注意:购买成功后,先ping下服务器IP,看下是否能ping的通,如果不通,可能是IP被墙了,建议联系服务商更换IP或删除服务器重新购买。
安装V2ray服务端
将V2ray安装到刚才购买的服务器上,关于V2Ray介绍可以自行百度,是一个可以实现网络代理的软件,开源且功能强大。
通过SSH客户端登录服务器
SSH客户端有很多,如 Termius,下载地址 https://www.termius.com/windows
具体使用方法,自己研究下。
安装V2Ray
在SSH客户端,输入以下命令安装:
bash <(curl -s -L https://git.io/v2ray.sh)然后选择安装,输入1回车,后面的步骤没有特殊需要,一直回车即可。
完成安装后出现以下界面:
这些信息是后面配置需要的。后面如果忘记,可以输入
v2ray 命令查看。
安装Clash客户端
Clash客户端的作用是用来连接V2ray服务端,帮助本地网络实现网络代理。
配置文件
编写clash客户端的配置文件,其作用主要是定义连接代理的服务器节点(可以配置多个节点),定义代理规则(比如哪些网址需要通过代理访问,哪些是可以直接访问的)。
此处提供一个我在使用的一个配置模板,在文末处。
可以用记事本或notepad等编辑器,将以上内容复制进去,需要修改的部分是:
找到 proxies 处,其中的VMess信息修改为自己服务器信息(其中“[]”的那几项)
proxies:
# 支持的协议及加密算法示例请查阅 Clash 项目 README 以使用最新格式:https://github.com/Dreamacro/clash/blob/master/README.md
# VMess
- name: "hh_tokyo"
type: vmess
server: [服务器IP地址]
port: [服务器v2ray端口]
uuid: [用户ID]
alterId: [额外ID]
cipher: auto
network: tcp对应上面服务器里的信息,编辑好以后保存文件为config.yaml
下载clash客户端
windows、mac客户端
下载地址:https://github.com/Fndroid/clash_for_windows_pkg/releases
.dmg后缀是mac客户端,.exe是Windows客户端
安卓客户端
下载地址:https://github.com/Kr328/ClashForAndroid/releases
IOS客户端
暂未找到免费开源的,可以使用 Shadowrocket(未实测),在App Store购买Shadowrocket并下载使用(需要使用美国apple id登录)。
安装clash客户端
以windows为例,下载上面的客户端,在本地完成安装。
导入配置文件
点击 Import 导入刚才的配置文件,然后点下刚导入后的配置,启用即可。
测试
下图中可以选择 Rule,则仅在访问外网被墙网站才翻墙,同时可以测速检查是否配置成功。
同时,打开浏览器访问谷歌、twitter等网站测试真实访问情况。
配置模板
# Port of HTTP(S) proxy server on the local end
# port: 7890
# Port of SOCKS5 proxy server on the local end
# socks-port: 7891
# Transparent proxy server port for Linux and macOS
# redir-port: 7892
# HTTP(S) and SOCKS5 server on the same port
mixed-port: 7890
# authentication of local SOCKS5/HTTP(S) server
# authentication:
# - "user1:pass1"
# - "user2:pass2"
# Set to true to allow connections to local-end server from
# other LAN IP addresses
allow-lan: true
# This is only applicable when `allow-lan` is `true`
# '*': bind all IP addresses
# 192.168.122.11: bind a single IPv4 address
# "[aaaa::a8aa:ff:fe09:57d8]": bind a single IPv6 address
bind-address: '*'
# Clash router working mode
# rule: rule-based packet routing
# global: all packets will be forwarded to a single endpoint
# direct: directly forward the packets to the Internet
mode: rule
# Clash by default prints logs to STDOUT
# info / warning / error / debug / silent
log-level: info
# When set to false, resolver won't translate hostnames to IPv6 addresses
ipv6: false
# RESTful web API listening address
external-controller: 0.0.0.0:9090
# A relative path to the configuration directory or an absolute path to a
# directory in which you put some static web resource. Clash core will then
# serve it at `${API}/ui`.
# external-ui: folder
# Secret for the RESTful API (optional)
# Authenticate by spedifying HTTP header `Authorization: Bearer ${secret}`
# ALWAYS set a secret if RESTful API is listening on 0.0.0.0
# secret: ""
# Outbound interface name
#interface-name: en0
# Static hosts for DNS server and connection establishment, only works
# when `dns.enhanced-mode` is `redir-host`.
#
# Wildcard hostnames are supported (e.g. *.clash.dev, *.foo.*.example.com)
# Non-wildcard domain names has a higher priority than wildcard domain names
# e.g. foo.example.com > *.example.com > .example.com
# P.S. +.foo.com equals to .foo.com and foo.com
hosts:
'mtalk.google.com': 108.177.125.188
# '*.clash.dev': 127.0.0.1
# '.dev': 127.0.0.1
# 'alpha.clash.dev': '::1'
# DNS server settings
# This section is optional. When not present, DNS server will be disabled.
dns:
enable: false
listen: 0.0.0.0:53
# ipv6: false # when false, response to AAAA questions will be empty
# These nameservers are used to resolve the DNS nameserver hostnames below.
# Specify IP addresses only
default-nameserver:
- 114.114.114.114
- 8.8.8.8
enhanced-mode: redir-host # or fake-ip
fake-ip-range: 198.18.0.1/16 # Fake IP addresses pool CIDR
# Hostnames in this list will not be resolved with fake IPs
# i.e. questions to these domain names will always be answered with their
# real IP addresses
# fake-ip-filter:
# - '*.lan'
# - localhost.ptlogin2.qq.com
# Supports UDP, TCP, DoT, DoH. You can specify the port to connect to.
# All DNS questions are sent directly to the nameserver, without proxies
# involved. Clash answers the DNS question with the first result gathered.
nameserver:
- 114.114.114.114 # default value
- 8.8.8.8 # default value
- tls://dns.rubyfish.cn:853 # DNS over TLS
- https://1.1.1.1/dns-query # DNS over HTTPS
# When `fallback` is present, the DNS server will send concurrent requests
# to the servers in this section along with servers in `nameservers`.
# The answers from fallback servers are used when the GEOIP country
# is not `CN`.
# fallback:
# - tcp://1.1.1.1
# If IP addresses resolved with servers in `nameservers` are in the specified
# subnets below, they are considered invalid and results from `fallback`
# servers are used instead.
#
# IP address resolved with servers in `nameserver` is used when
# `fallback-filter.geoip` is true and when GEOIP of the IP address is `CN`.
#
# If `fallback-filter.geoip` is false, results from `fallback` nameservers
# are always used, and answers from `nameservers` are discarded.
#
# This is a countermeasure against DNS pollution attacks.
fallback-filter:
geoip: true
ipcidr:
# - 240.0.0.0/4
proxies:
# 支持的协议及加密算法示例请查阅 Clash 项目 README 以使用最新格式:https://github.com/Dreamacro/clash/blob/master/README.md
# VMess
- name: "hh_tokyo"
type: vmess
server: 103.100.120.220
port: 123456
uuid: dddd-191d-4cd6-9f51-eeee
alterId: 0
cipher: auto
network: tcp
# 服务器节点订阅
proxy-providers:
# name: # Provider 名称
# type: http # http 或 file
# path: # 文件路径
# url: # 只有当类型为 HTTP 时才可用,您不需要在本地空间中创建新文件。
# interval: # 自动更新间隔,仅在类型为 HTTP 时可用
# health-check: # 健康检查选项从此处开始
# enable:
# url:
# interval:
#
# 「url」参数填写订阅链接
#
# 订阅链接可以使用 API 进行转换,如:https://sub.dler.io/
#
# 1.模式选择「进阶模式」 2.填写订阅链接 3.勾选「输出为 Node List」 4.「生成订阅链接」
#
# DuckDuckGo-Sub: # 冲鸭机场订阅链接
# type: http
# url: "https://duckduckgo.security/user/sub.php?token=DivineEngine"
# interval: 3600
# path: ./Proxy/ProxyList.yaml # 不同机场不同命名
# health-check:
# enable: true
# interval: 600
# url: http://www.gstatic.com/generate_204
proxy-groups:
# 策略组示例请查阅 Clash 项目 README 以使用最新格式:https://github.com/Dreamacro/clash/blob/master/README.md
#
# 策略组说明
#
# 「MATCH」类似 Surge 的「Final」,此处用于选择白名单模式(PROXY 策略)和黑名单模式(DIRECT 策略)
#
# 「Streaming」和「StreamingSE」比较好理解,有专用于流媒体的节点就设置到其中,如果没有「StreamingSE」的需求可以连带 Rule 部分一起删掉,「Streaming」需至少保留 Rule,用「PROXY」即可。
#
# 「PROXY」是代理规则策略,它可以指定为某个节点或嵌套一个其他策略组,如:「自动测试」、「Fallback」或「负载均衡」的策略组,关于这 3 个策略组的具体示例可以看官方示例:https://github.com/Dreamacro/clash
#
# Fallback 比较实用的策略组类型,用于测试服务器节点的可用性,当第一个节点不可用时切换到第二个,以此类推。
- name: "Fallback"
type: fallback
proxies:
- "hh_tokyo"
url: 'http://www.gstatic.com/generate_204'
interval: 30
# 代理节点选择
- name: "PROXY"
type: select
proxies:
- "Fallback"
- "hh_tokyo"
# 白名单模式 PROXY, 黑名单模式 DIRECT, 不知道别动
- name: "MATCH"
type: select
proxies:
- PROXY
- DIRECT
# 国际流媒体服务
- name: "Streaming"
type: select
proxies:
- "PROXY"
- "hh_tokyo"
# 中国流媒体服务(面向海外版本)
- name: "StreamingSE"
type: select
proxies:
- DIRECT
# 手动选择节点订阅
# - name: "DuckDuckGo"
# type: select # 亦可使用 fallback 或 load-balance
# use:
# - DuckDuckGo-Sub
# 关于 Rule Provider 请查阅:https://lancellc.gitbook.io/clash/clash-config-file/rule-provider
rule-providers:
reject:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
path: ./ruleset/reject.yaml
interval: 86400
icloud:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/icloud.txt"
path: ./ruleset/icloud.yaml
interval: 86400
apple:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/apple.txt"
path: ./ruleset/apple.yaml
interval: 86400
google:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/google.txt"
path: ./ruleset/google.yaml
interval: 86400
proxy:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt"
path: ./ruleset/proxy.yaml
interval: 86400
direct:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt"
path: ./ruleset/direct.yaml
interval: 86400
private:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt"
path: ./ruleset/private.yaml
interval: 86400
gfw:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/gfw.txt"
path: ./ruleset/gfw.yaml
interval: 86400
greatfire:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/greatfire.txt"
path: ./ruleset/greatfire.yaml
interval: 86400
tld-not-cn:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/tld-not-cn.txt"
path: ./ruleset/tld-not-cn.yaml
interval: 86400
telegramcidr:
type: http
behavior: ipcidr
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/telegramcidr.txt"
path: ./ruleset/telegramcidr.yaml
interval: 86400
cncidr:
type: http
behavior: ipcidr
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt"
path: ./ruleset/cncidr.yaml
interval: 86400
lancidr:
type: http
behavior: ipcidr
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/lancidr.txt"
path: ./ruleset/lancidr.yaml
interval: 86400
applications:
type: http
behavior: classical
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/applications.txt"
path: ./ruleset/applications.yaml
interval: 86400
# 白名单模式,未命中规则走代理
rules:
- RULE-SET,applications,DIRECT
- DOMAIN,clash.razord.top,DIRECT
- DOMAIN,yacd.haishan.me,DIRECT
- DOMAIN-SUFFIX,googleapis.cn,DIRECT
- DOMAIN-SUFFIX,xn--ngstr-lra8j.com,DIRECT
- DOMAIN-SUFFIX,jd.com,DIRECT
- RULE-SET,private,DIRECT
- RULE-SET,reject,REJECT
- RULE-SET,icloud,DIRECT
- RULE-SET,apple,DIRECT
- RULE-SET,google,DIRECT
- RULE-SET,proxy,PROXY
- RULE-SET,direct,DIRECT
- RULE-SET,lancidr,DIRECT
- RULE-SET,cncidr,DIRECT
- RULE-SET,telegramcidr,PROXY
- GEOIP,LAN,DIRECT
- GEOIP,CN,DIRECT
- MATCH,PROXY
