Prerequisites

This article assumes the reader already has the following:

  • A VPS located outside mainland China; BWG is recommended
  • A domain name, with no ICP filing required. First set up DNS so the domain resolves to the VPS's IP.
  • A certificate for the domain, which can be obtained for free from Let's Encrypt; see "Caddy installation and configuration"

V2Ray server

Calibrating the time

VMess authentication is time-based: the server and client system clocks must be within 90 seconds of each other.

Here we set the time zone to Shanghai:

> timedatectl list-timezones | grep Shanghai
Asia/Shanghai

> timedatectl set-timezone Asia/Shanghai
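The time zone only changes how the time is displayed; VMess compares UTC timestamps, so what actually matters is that the underlying clock is accurate (NTP keeps it so). The script below is an added example, not code from the original post or from V2Ray: it measures the skew between a local timestamp and the Date header an HTTPS server returns (for instance Caddy in front of V2Ray) and flags anything outside the 90 second window. The host name your_domain and the sample Date value are placeholders constructed for the example.

```python
"""Clock-skew check for a VMess deployment (added example, not from the post).

VMess embeds a timestamp in its handshake, so the two clocks must agree to
within 90 seconds. Comparing the local clock against the HTTP Date header of
the TLS front end is a cheap client-side way to spot drift.
"""
from email.utils import parsedate_to_datetime
import http.client
import time

MAX_SKEW_SECONDS = 90  # tolerance stated in the post

# Constructed sample: an HTTP Date header and its Unix time (2021-06-27 10:00:00 UTC).
SAMPLE_DATE = "Sun, 27 Jun 2021 10:00:00 GMT"
SAMPLE_EPOCH = 1624788000


def skew_seconds(local_epoch: float, http_date: str) -> float:
    """Local clock minus remote clock, in seconds (positive means local is ahead)."""
    remote = parsedate_to_datetime(http_date)  # RFC 7231 date -> aware datetime
    return local_epoch - remote.timestamp()


def within_tolerance(skew: float, limit: int = MAX_SKEW_SECONDS) -> bool:
    """True when the absolute skew is inside the VMess window."""
    return abs(skew) <= limit


def fetch_server_date(host: str, timeout: float = 5.0) -> str:
    """HEAD request over TLS; returns the server's Date header (network call)."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        date = conn.getresponse().getheader("Date")
        if date is None:
            raise RuntimeError("server sent no Date header")
        return date
    finally:
        conn.close()


def check_live(host: str) -> bool:
    """Compare this machine's clock with the given host right now."""
    return within_tolerance(skew_seconds(time.time(), fetch_server_date(host)))


if __name__ == "__main__":
    # Offline demonstration: local clock two minutes ahead of the sample header.
    skew = skew_seconds(SAMPLE_EPOCH + 120, SAMPLE_DATE)
    print(f"skew = {skew:+.0f}s, within tolerance = {within_tolerance(skew)}")
    # Live check against your own domain (placeholder): check_live("your_domain")
```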

Server installation

bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)

# /etc/systemd/system/v2ray.service
[Unit]
Description=V2Ray Service
Documentation=https://www.v2fly.org/
After=network.target nss-lookup.target

[Service]
User=nobody
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ExecStart=/usr/local/bin/v2ray run -config /usr/local/etc/v2ray/config.json
Restart=on-failure
RestartPreventExitStatus=23

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/v2ray.service.d/10-donot_touch_single_conf.conf
# In case you have a good reason to do so, duplicate this file in the same directory and make your customizes there.
# Or all changes you made will be lost!  # Refer: https://www.freedesktop.org/software/systemd/man/systemd.unit.html
[Service]
ExecStart=
ExecStart=/usr/local/bin/v2ray run -config /usr/local/etc/v2ray/config.json

Starting V2Ray

sudo systemctl enable v2ray
sudo systemctl start v2ray

Afterwards, use sudo systemctl start|stop|status|reload|restart|reload-or-restart v2ray to control V2Ray.

Server configuration

Replace the server's /usr/local/etc/v2ray/config.json with the content below. Keep it as simple as possible; complicated configurations are always hard to maintain. After editing, run systemctl restart v2ray so the new configuration takes effect.

Once started, V2Ray listens on port 8888 using VMess over WebSocket.

{
    "inbounds": [
        {
            "port": 8888,
            "listen": "127.0.0.1",
            "protocol": "vmess",
            "settings": {
                "clients": [
                    {
                        "id": "26f616e6-d668-11eb-baaf-acde48001122",
                        "level": 0
                    }
                ]
            },
            "streamSettings": {
                "network": "ws",
                "wsSettings": {
                    "path": "/ray"
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "settings": {}
        }
    ]
}

Notes:

  • ws: WebSocket transport
  • 8888: the port the server listens on
  • 127.0.0.1 is the local host; listening only on 127.0.0.1 stops machines other than this one from discovering that port 8888 is open. The TLS reverse proxy from the prerequisites (Caddy) is what faces the network and forwards to it.
  • id must be in UUID format; generate it with a tool rather than making one up by hand, otherwise you will most likely produce a malformed value.
  • freedom: the primary outbound protocol; here it simply forwards all traffic directly

Generating a UUID

cat /proc/sys/kernel/random/uuid

Client configuration

Replace the client's config.json with the content below and restart the client V2Ray for the change to take effect. (Text after # is annotation and must not appear in the JSON file.)

{
  "inbounds": [
    {
      "port": 1080, # local listening port
      "protocol": "socks", # inbound protocol is SOCKS 5
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      },
      "settings": {
        "auth": "noauth"  # SOCKS authentication; noauth means none, which is acceptable because the SOCKS inbound is normally used only on the client machine
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "vmess", # outbound protocol
      "settings": {
        "vnext": [
          {
            "address": "your_domain", # the domain that resolves to your server and that the certificate was issued for
            "port": 443,  # the TLS port served by the reverse proxy, which forwards to V2Ray on 127.0.0.1:8888
            "users": [
              {
                "id": "26f616e6-d668-11eb-baaf-acde48001122",  # user ID, must match the server configuration
                "alterId": 0 # must also match the server
              }
            ]
          }
        ]
      },
      "streamSettings": {  # transport settings belong beside "settings", not inside it
        "network": "ws",
        "security": "tls",
        "wsSettings": {
          "path": "/ray"  # must match the server; note that "/ray" and "ray" are different paths
        }
      }
    }
  ]
}

  • On Windows and macOS the configuration file is usually config.json in the same directory as V2Ray; just run v2ray or v2ray.exe.
  • On Linux the configuration file is usually /etc/v2ray/config.json. Run v2ray --config=/etc/v2ray/config.json, or use a tool such as systemd to run V2Ray as a background service.
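Before restarting either side it is worth checking that the two files actually agree. The script below is an added example, not code from the original post or from the V2Ray project; it covers the points from the server notes (listen on 127.0.0.1 only, a well-formed UUID id) and the client configuration (same id and alterId on both sides, identical WebSocket path including the leading slash, streamSettings at the outbound level rather than nested inside settings). The two embedded configurations are constructed samples that mirror the ones shown above; the file paths in the usage comment are the ones the post uses.

```python
"""Consistency check for a V2Ray server/client config.json pair.

Added example; not code from the original post or from the V2Ray project.
Both sample configurations below are constructed to mirror the post's files.
"""
import json
import uuid
from typing import Optional

# Sample id taken from the post's configuration; generate your own with
# `cat /proc/sys/kernel/random/uuid` for a real deployment.
SAMPLE_ID = "26f616e6-d668-11eb-baaf-acde48001122"

SERVER_CFG = {  # constructed, mirrors /usr/local/etc/v2ray/config.json above
    "inbounds": [{
        "port": 8888, "listen": "127.0.0.1", "protocol": "vmess",
        "settings": {"clients": [{"id": SAMPLE_ID, "level": 0}]},
        "streamSettings": {"network": "ws", "wsSettings": {"path": "/ray"}},
    }],
    "outbounds": [{"protocol": "freedom", "settings": {}}],
}

CLIENT_CFG = {  # constructed, mirrors the client config.json above
    "outbounds": [{
        "protocol": "vmess",
        "settings": {"vnext": [{"address": "your_domain", "port": 443,
                                "users": [{"id": SAMPLE_ID, "alterId": 0}]}]},
        "streamSettings": {"network": "ws", "security": "tls",
                           "wsSettings": {"path": "/ray"}},
    }],
}


def is_uuid(value) -> bool:
    """True only for the canonical dashed 8-4-4-4-12 form V2Ray expects."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def ws_path(stream: dict) -> Optional[str]:
    """WebSocket path of a streamSettings block, or None if the transport is not ws."""
    if stream.get("network") != "ws":
        return None
    return stream.get("wsSettings", {}).get("path")


def first(items, protocol):
    """First inbound/outbound entry using the given protocol, or None."""
    return next((x for x in items if x.get("protocol") == protocol), None)


def check_pair(server: dict, client: dict) -> list:
    """Return the list of mismatches; an empty list means the pair is consistent."""
    problems = []
    inbound = first(server.get("inbounds", []), "vmess")
    if inbound is None:
        return ["server: no vmess inbound"]
    if inbound.get("listen") != "127.0.0.1":
        problems.append("server: vmess inbound should listen on 127.0.0.1 only; "
                        "the TLS reverse proxy is what faces the network")
    server_ids = {c.get("id") for c in inbound.get("settings", {}).get("clients", [])}
    problems += [f"server: client id {i!r} is not a valid UUID" for i in server_ids if not is_uuid(i)]

    outbound = first(client.get("outbounds", []), "vmess")
    if outbound is None:
        return problems + ["client: no vmess outbound"]
    for vnext in outbound.get("settings", {}).get("vnext", []):
        for user in vnext.get("users", []):
            if user.get("id") not in server_ids:
                problems.append(f"client: id {user.get('id')!r} is not configured on the server")
            if user.get("alterId", 0) != 0:
                problems.append("client: alterId must be 0, as on the server")
    if "streamSettings" in outbound.get("settings", {}):
        problems.append("client: streamSettings is nested inside settings and will be ignored")
    if ws_path(inbound.get("streamSettings", {})) != ws_path(outbound.get("streamSettings", {})):
        problems.append("ws path differs between server and client (a leading '/' matters)")
    return problems


def check_files(server_path: str, client_path: str) -> list:
    """Same check against files on disk."""
    with open(server_path) as s, open(client_path) as c:
        return check_pair(json.load(s), json.load(c))


if __name__ == "__main__":
    print(check_pair(SERVER_CFG, CLIENT_CFG) or ["ok"])
    # On the server host: check_files("/usr/local/etc/v2ray/config.json", "client-config.json")
```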

Running the Clash client

The Clash configuration uses the rule sets from https://github.com/Loyalsoldier/clash-rules.

proxies:
  # vmess
  # cipher support auto/aes-128-gcm/chacha20-poly1305/none
  - name: "vmess1"
    type: vmess
    server: your_domain  # the domain the certificate was issued for; with skip-cert-verify false, a bare IP here would fail verification
    port: 443
    uuid: 26f616e6-d668-11eb-baaf-acde48001122  # user ID, must match the server configuration
    alterId: 0
    cipher: auto
    # udp: true
    tls: true
    skip-cert-verify: false
    # servername: example.com # priority over wss host
    network: ws
    ws-opts:
      path: /ray  # must match the server; note that "/ray" and "ray" are different paths
      headers:
        Host: your_domain
    #   max-early-data: 2048
    #   early-data-header-name: Sec-WebSocket-Protocol


proxy-groups:
  - name: PROXY
    type: select
    # disable-udp: true
    proxies:
      - vmess1


rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
    path: ./ruleset/reject.yaml
    interval: 86400

  icloud:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/icloud.txt"
    path: ./ruleset/icloud.yaml
    interval: 86400

  apple:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/apple.txt"
    path: ./ruleset/apple.yaml
    interval: 86400

  google:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/google.txt"
    path: ./ruleset/google.yaml
    interval: 86400

  proxy:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt"
    path: ./ruleset/proxy.yaml
    interval: 86400

  direct:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt"
    path: ./ruleset/direct.yaml
    interval: 86400

  private:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt"
    path: ./ruleset/private.yaml
    interval: 86400

  gfw:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/gfw.txt"
    path: ./ruleset/gfw.yaml
    interval: 86400

  greatfire:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/greatfire.txt"
    path: ./ruleset/greatfire.yaml
    interval: 86400

  tld-not-cn:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/tld-not-cn.txt"
    path: ./ruleset/tld-not-cn.yaml
    interval: 86400

  telegramcidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/telegramcidr.txt"
    path: ./ruleset/telegramcidr.yaml
    interval: 86400

  cncidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt"
    path: ./ruleset/cncidr.yaml
    interval: 86400

  lancidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/lancidr.txt"
    path: ./ruleset/lancidr.yaml
    interval: 86400

  applications:
    type: http
    behavior: classical
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/applications.txt"
    path: ./ruleset/applications.yaml
    interval: 86400



rules:
  - RULE-SET,applications,DIRECT
  - DOMAIN,clash.razord.top,DIRECT
  - DOMAIN,yacd.haishan.me,DIRECT
  - RULE-SET,private,DIRECT
  - RULE-SET,reject,REJECT
  - RULE-SET,icloud,DIRECT
  - RULE-SET,apple,DIRECT
  - RULE-SET,google,DIRECT
  - RULE-SET,proxy,PROXY
  - RULE-SET,direct,DIRECT
  - RULE-SET,lancidr,DIRECT
  - RULE-SET,cncidr,DIRECT
  - RULE-SET,telegramcidr,PROXY
  - GEOIP,LAN,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,PROXY
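Clash applies the first matching rule and stops, so the ordering of the list above is the policy: private and reject are consulted before proxy, the CIDR and GEOIP rules only see destinations no domain rule claimed, and MATCH,PROXY catches the remainder. The script below is an added example, not Clash's own code: it implements that first-match walk over a shortened copy of the rule list, with constructed stand-ins for the downloaded rule sets and a constructed two-entry GEOIP table, and omits the classical (process-name) applications set.

```python
"""First-match evaluation of a Clash rule list (added example; not Clash code).

Domain entries follow Clash's `domain` behaviour: "+.example.com" matches the
domain and every subdomain, a bare name matches exactly. The rule sets and the
GEOIP table are constructed stand-ins, not the real Loyalsoldier lists or MMDB.
"""
import ipaddress

DOMAIN_SETS = {  # constructed
    "reject":  {"+.ads.example"},
    "private": {"localhost", "+.local"},
    "proxy":   {"+.google.com"},
    "direct":  {"+.baidu.com"},
}
IPCIDR_SETS = {  # constructed
    "lancidr":      ["10.0.0.0/8", "192.168.0.0/16"],
    "telegramcidr": ["149.154.160.0/20"],
}
GEOIP_TABLE = {"LAN": ["10.0.0.0/8", "192.168.0.0/16"], "CN": ["1.2.0.0/16"]}  # constructed

RULES = [  # shortened copy of the post's list, same order
    "RULE-SET,private,DIRECT",
    "RULE-SET,reject,REJECT",
    "DOMAIN,clash.razord.top,DIRECT",
    "RULE-SET,proxy,PROXY",
    "RULE-SET,direct,DIRECT",
    "RULE-SET,lancidr,DIRECT",
    "RULE-SET,telegramcidr,PROXY",
    "GEOIP,LAN,DIRECT",
    "GEOIP,CN,DIRECT",
    "MATCH,PROXY",
]


def domain_matches(entries, host):
    """Clash `domain` behaviour: "+.suffix" covers suffix and subdomains, else exact."""
    for entry in entries:
        if entry.startswith("+."):
            suffix = entry[2:]
            if host == suffix or host.endswith("." + suffix):
                return True
        elif host == entry:
            return True
    return False


def cidr_matches(cidrs, ip):
    """True when ip (a string) falls inside any of the CIDR ranges."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def route(host=None, ip=None, rules=RULES):
    """Return (policy, rule) for the first rule matching the destination."""
    for rule in rules:
        kind, *args = rule.split(",")
        if kind == "MATCH":
            return args[0], rule
        if kind == "DOMAIN" and host == args[0]:
            return args[1], rule
        if kind == "RULE-SET":
            name, policy = args
            if name in DOMAIN_SETS and host and domain_matches(DOMAIN_SETS[name], host):
                return policy, rule
            if name in IPCIDR_SETS and cidr_matches(IPCIDR_SETS[name], ip):
                return policy, rule
        if kind == "GEOIP" and cidr_matches(GEOIP_TABLE.get(args[0], []), ip):
            return args[1], rule
    return "DIRECT", None  # unreachable while the list ends with a MATCH rule


if __name__ == "__main__":
    for dest in [("www.google.com", None), ("tracker.ads.example", None),
                 (None, "192.168.1.5"), (None, "1.2.3.4"), ("unknown.example", "8.8.8.8")]:
        print(dest, "->", route(*dest))
```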

Debugging

# Check the service status
systemctl status v2ray
# Inspect the log output
journalctl -u v2ray --no-pager | less +G