backup/cgproxy
1
0
Fork 0
mirror of https://github.com/springzfx/cgproxy.git synced 2026-02-09 21:14:57 +08:00
Code Issues 1 Projects Releases Wiki Activity

Compare commits

base: backup:v0.05
Branches Tags
backup:master backup:dev backup:v0.0x
backup:v0.20 backup:v0.19 backup:v0.18 backup:v0.17 backup:v0.16 backup:v0.15 backup:v0.14 backup:v0.13 backup:v0.11 backup:v0.12 backup:v0.10 backup:v0.08 backup:v0.07 backup:v0.06 backup:v0.05 backup:v0.04 backup:v0.03 backup:v0.02 backup:v0.01
...
compare: backup:v0.06
Branches Tags
backup:master backup:dev backup:v0.0x
backup:v0.20 backup:v0.19 backup:v0.18 backup:v0.17 backup:v0.16 backup:v0.15 backup:v0.14 backup:v0.13 backup:v0.11 backup:v0.12 backup:v0.10 backup:v0.08 backup:v0.07 backup:v0.06 backup:v0.05 backup:v0.04 backup:v0.03 backup:v0.02 backup:v0.01

12 Commits
v0.05 ... v0.06

Author SHA1 Message Date
fancy
7f0ebe9d35 remove mark_noproxy, and other small change 2020-05-04 20:41:50 +08:00
fancy
236c08172b example: update readme 2020-05-03 18:29:08 +08:00
fancy
c07ae13030 example: add aliyun doh 2020-05-03 17:00:34 +08:00
fancy
d5ea832b4f change timeout, and dns no need to proxy 2020-05-03 15:05:56 +08:00
fancy
aa5ca6f204 update example, limit to localhost 2020-05-02 08:01:19 +08:00
fancy
a80187f947 optimize function get_cgroup2_mount_point 2020-05-02 04:15:54 +08:00
fancy
dca895c7cc readme update 2020-05-02 03:45:36 +08:00
fancy
08097a54d7 readme update 2020-05-02 03:42:22 +08:00
fancy
bce568d802 readme update 2020-05-02 03:40:32 +08:00
fancy
98c07a31af readme update 2020-05-02 03:37:58 +08:00
fancy
916c11d280 update config example 2020-05-01 17:51:53 +08:00
fancy
72579bc84a typo fix 2020-05-01 13:55:06 +08:00
12 changed files with 151 additions and 105 deletions
Expand all files Collapse all files

4
CMakeLists.txt
View File

@@ -1,6 +1,6 @@
cmake_minimum_required(VERSION 3.10) cmake_minimum_required(VERSION 3.10)
project(cgproxy VERSION 3.5) project(cgproxy VERSION 3.6)
add_executable(cgattach cgattach.cpp) add_executable(cgattach cgattach.cpp)
install(TARGETS cgattach DESTINATION /usr/bin install(TARGETS cgattach DESTINATION /usr/bin
@@ -48,4 +48,4 @@ set(CONTROL_DIR ${CMAKE_SOURCE_DIR}/control)
set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CONTROL_DIR}/postinst") set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CONTROL_DIR}/postinst")
set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CONTROL_DIR}/prerm") set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CONTROL_DIR}/prerm")
include(CPack) include(CPack)

10
cgattach.cpp
View File

@@ -32,10 +32,14 @@ bool validate(string pid, string cgroup) {
} }
string get_cgroup2_mount_point(){ string get_cgroup2_mount_point(){
char cgroup2_mount_point[100]; char cgroup2_mount_point[100]="";
FILE* fp = popen("findmnt -t cgroup2 -n |cut -d' ' -f 1", "r"); FILE* fp = popen("findmnt -t cgroup2 -n -o TARGET", "r");
fscanf(fp,"%s",&cgroup2_mount_point); int count=fscanf(fp,"%s",&cgroup2_mount_point);
fclose(fp); fclose(fp);
if (count=0){
fprintf(stderr, "cgroup2 not supported\n");
exit(EXIT_FAILURE);
}
return cgroup2_mount_point; return cgroup2_mount_point;
} }

7
cgproxy.conf
View File

@@ -7,8 +7,8 @@
## cgroup must start with slash '/' ## cgroup must start with slash '/'
# cgroup_proxy="/" # cgroup_proxy="/"
cgroup_proxy="/proxy.slice" cgroup_proxy="/proxy.slice"
# cgroup_noproxy="/system.slice/v2ray.service"
cgroup_noproxy="/noproxy.slice" cgroup_noproxy="/noproxy.slice"
# cgroup_noproxy="/system.slice/v2ray.service"
######################################################################## ########################################################################
## allow as gateway for local network ## allow as gateway for local network
@@ -20,15 +20,14 @@ port=12345
######################################################################## ########################################################################
## if you set to false, it's traffic won't go through proxy, but still can go direct to internet ## if you set to false, it's traffic won't go through proxy, but still can go direct to internet
enable_dns=true
enable_tcp=true enable_tcp=true
enable_udp=true enable_udp=true
enable_ipv4=true enable_ipv4=true
enable_ipv6=true enable_ipv6=true
enable_dns=true
######################################################################## ########################################################################
## do not modify this if you don't known what you are doing ## do not modify this if you don't known what you are doing
table=100 table=100
fwmark=0x01 fwmark=0x01
mark_noproxy=0xff mark_newin=0x02
mark_newin=0x02

71
cgroup-tproxy.sh
View File

@@ -39,16 +39,17 @@ enable_gateway=false
## some variables ## some variables
port=12345 port=12345
## some options
enable_dns=true
enable_tcp=true enable_tcp=true
enable_udp=true enable_udp=true
enable_ipv4=true enable_ipv4=true
enable_ipv6=true enable_ipv6=true
enable_dns=true
## do not modify this if you don't known what you are doing ## do not modify this if you don't known what you are doing
table=100 table=100
fwmark=0x01 fwmark=0x01
mark_noproxy=0xff
make_newin=0x02 make_newin=0x02
## cgroup things ## cgroup things
@@ -109,8 +110,8 @@ test -d $cgroup_mount_point$cgroup_noproxy || mkdir $cgroup_mount_point$cgroup_
ip rule add fwmark $fwmark table $table ip rule add fwmark $fwmark table $table
ip route add local default dev lo table $table ip route add local default dev lo table $table
iptables -t mangle -N TPROXY_ENT iptables -t mangle -N TPROXY_ENT
iptables -t mangle -A TPROXY_ENT -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port $port --tproxy-mark $fwmark iptables -t mangle -A TPROXY_ENT -p tcp -j TPROXY --on-ip localhost --on-port $port --tproxy-mark $fwmark
iptables -t mangle -A TPROXY_ENT -p udp -j TPROXY --on-ip 127.0.0.1 --on-port $port --tproxy-mark $fwmark iptables -t mangle -A TPROXY_ENT -p udp -j TPROXY --on-ip localhost --on-port $port --tproxy-mark $fwmark
iptables -t mangle -N TPROXY_PRE iptables -t mangle -N TPROXY_PRE
iptables -t mangle -A TPROXY_PRE -m socket --transparent -j MARK --set-mark $fwmark iptables -t mangle -A TPROXY_PRE -m socket --transparent -j MARK --set-mark $fwmark
@@ -119,18 +120,15 @@ iptables -t mangle -A TPROXY_PRE -p icmp -j RETURN
iptables -t mangle -A TPROXY_PRE -p udp --dport 53 -j TPROXY_ENT iptables -t mangle -A TPROXY_PRE -p udp --dport 53 -j TPROXY_ENT
iptables -t mangle -A TPROXY_PRE -p tcp --dport 53 -j TPROXY_ENT iptables -t mangle -A TPROXY_PRE -p tcp --dport 53 -j TPROXY_ENT
iptables -t mangle -A TPROXY_PRE -m addrtype --dst-type LOCAL -j RETURN iptables -t mangle -A TPROXY_PRE -m addrtype --dst-type LOCAL -j RETURN
iptables -t mangle -A TPROXY_PRE -m pkttype --pkt-type broadcast -j RETURN iptables -t mangle -A TPROXY_PRE -m addrtype ! --dst-type UNICAST -j RETURN
iptables -t mangle -A TPROXY_PRE -m pkttype --pkt-type multicast -j RETURN
iptables -t mangle -A TPROXY_PRE -j TPROXY_ENT iptables -t mangle -A TPROXY_PRE -j TPROXY_ENT
iptables -t mangle -A PREROUTING -j TPROXY_PRE iptables -t mangle -A PREROUTING -j TPROXY_PRE
iptables -t mangle -N TPROXY_OUT iptables -t mangle -N TPROXY_OUT
iptables -t mangle -A TPROXY_OUT -o lo -j RETURN
iptables -t mangle -A TPROXY_OUT -p icmp -j RETURN iptables -t mangle -A TPROXY_OUT -p icmp -j RETURN
iptables -t mangle -A TPROXY_OUT -m connmark --mark $make_newin -j RETURN iptables -t mangle -A TPROXY_OUT -m connmark --mark $make_newin -j RETURN
iptables -t mangle -A TPROXY_OUT -m pkttype --pkt-type broadcast -j RETURN iptables -t mangle -A TPROXY_PRE -m addrtype --dst-type LOCAL -j RETURN
iptables -t mangle -A TPROXY_OUT -m pkttype --pkt-type multicast -j RETURN iptables -t mangle -A TPROXY_PRE -m addrtype ! --dst-type UNICAST -j RETURN
iptables -t mangle -A TPROXY_OUT -m mark --mark $mark_noproxy -j RETURN
iptables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_noproxy -j RETURN iptables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_noproxy -j RETURN
iptables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_proxy -j MARK --set-mark $fwmark iptables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_proxy -j MARK --set-mark $fwmark
iptables -t mangle -A OUTPUT -j TPROXY_OUT iptables -t mangle -A OUTPUT -j TPROXY_OUT
@@ -139,56 +137,53 @@ iptables -t mangle -A OUTPUT -j TPROXY_OUT
ip -6 rule add fwmark $fwmark table $table ip -6 rule add fwmark $fwmark table $table
ip -6 route add local default dev lo table $table ip -6 route add local default dev lo table $table
ip6tables -t mangle -N TPROXY_ENT ip6tables -t mangle -N TPROXY_ENT
ip6tables -t mangle -A TPROXY_ENT -p tcp -j TPROXY --on-ip ::1 --on-port $port --tproxy-mark $fwmark ip6tables -t mangle -A TPROXY_ENT -p tcp -j TPROXY --on-ip localhost --on-port $port --tproxy-mark $fwmark
ip6tables -t mangle -A TPROXY_ENT -p udp -j TPROXY --on-ip ::1 --on-port $port --tproxy-mark $fwmark ip6tables -t mangle -A TPROXY_ENT -p udp -j TPROXY --on-ip localhost --on-port $port --tproxy-mark $fwmark
ip6tables -t mangle -N TPROXY_PRE ip6tables -t mangle -N TPROXY_PRE
ip6tables -t mangle -A TPROXY_PRE -m socket --transparent -j MARK --set-mark $fwmark ip6tables -t mangle -A TPROXY_PRE -m socket --transparent -j MARK --set-mark $fwmark
ip6tables -t mangle -A TPROXY_PRE -m socket --transparent -j RETURN ip6tables -t mangle -A TPROXY_PRE -m socket --transparent -j RETURN
ip6tables -t mangle -A TPROXY_PRE -p icmp -j RETURN ip6tables -t mangle -A TPROXY_PRE -p icmpv6 -j RETURN
ip6tables -t mangle -A TPROXY_PRE -p udp --dport 53 -j TPROXY_ENT ip6tables -t mangle -A TPROXY_PRE -p udp --dport 53 -j TPROXY_ENT
ip6tables -t mangle -A TPROXY_PRE -p tcp --dport 53 -j TPROXY_ENT ip6tables -t mangle -A TPROXY_PRE -p tcp --dport 53 -j TPROXY_ENT
ip6tables -t mangle -A TPROXY_PRE -m addrtype --dst-type LOCAL -j RETURN ip6tables -t mangle -A TPROXY_PRE -m addrtype --dst-type LOCAL -j RETURN
ip6tables -t mangle -A TPROXY_PRE -m pkttype --pkt-type broadcast -j RETURN ip6tables -t mangle -A TPROXY_PRE -m addrtype ! --dst-type UNICAST -j RETURN
ip6tables -t mangle -A TPROXY_PRE -m pkttype --pkt-type multicast -j RETURN
ip6tables -t mangle -A TPROXY_PRE -j TPROXY_ENT ip6tables -t mangle -A TPROXY_PRE -j TPROXY_ENT
ip6tables -t mangle -A PREROUTING -j TPROXY_PRE ip6tables -t mangle -A PREROUTING -j TPROXY_PRE
ip6tables -t mangle -N TPROXY_OUT ip6tables -t mangle -N TPROXY_OUT
ip6tables -t mangle -A TPROXY_OUT -o lo -j RETURN ip6tables -t mangle -A TPROXY_OUT -p icmpv6 -j RETURN
ip6tables -t mangle -A TPROXY_OUT -p icmp -j RETURN
ip6tables -t mangle -A TPROXY_OUT -m pkttype --pkt-type broadcast -j RETURN
ip6tables -t mangle -A TPROXY_OUT -m pkttype --pkt-type multicast -j RETURN
ip6tables -t mangle -A TPROXY_OUT -m connmark --mark $make_newin -j RETURN ip6tables -t mangle -A TPROXY_OUT -m connmark --mark $make_newin -j RETURN
ip6tables -t mangle -A TPROXY_OUT -m mark --mark $mark_noproxy -j RETURN ip6tables -t mangle -A TPROXY_PRE -m addrtype --dst-type LOCAL -j RETURN
ip6tables -t mangle -A TPROXY_PRE -m addrtype ! --dst-type UNICAST -j RETURN
ip6tables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_noproxy -j RETURN ip6tables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_noproxy -j RETURN
ip6tables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_proxy -j MARK --set-mark $fwmark ip6tables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_proxy -j MARK --set-mark $fwmark
ip6tables -t mangle -A OUTPUT -j TPROXY_OUT ip6tables -t mangle -A OUTPUT -j TPROXY_OUT
## allow to disable, order is important ## allow to disable, order is important
$enable_dns || iptables -t mangle -I TPROXY_OUT -p udp --dport 53 -j RETURN $enable_dns || iptables -t mangle -I TPROXY_OUT -p udp --dport 53 -j RETURN
$enable_dns || ip6tables -t mangle -I TPROXY_OUT -p udp --dport 53 -j RETURN $enable_dns || ip6tables -t mangle -I TPROXY_OUT -p udp --dport 53 -j RETURN
$enable_udp || iptables -t mangle -I TPROXY_OUT -p udp -j RETURN $enable_udp || iptables -t mangle -I TPROXY_OUT -p udp -j RETURN
$enable_udp || ip6tables -t mangle -I TPROXY_OUT -p udp -j RETURN $enable_udp || ip6tables -t mangle -I TPROXY_OUT -p udp -j RETURN
$enable_tcp || iptables -t mangle -I TPROXY_OUT -p tcp -j RETURN $enable_tcp || iptables -t mangle -I TPROXY_OUT -p tcp -j RETURN
$enable_tcp || ip6tables -t mangle -I TPROXY_OUT -p tcp -j RETURN $enable_tcp || ip6tables -t mangle -I TPROXY_OUT -p tcp -j RETURN
$enable_ipv4 || iptables -t mangle -I TPROXY_OUT -j RETURN $enable_ipv4 || iptables -t mangle -I TPROXY_OUT -j RETURN
$enable_ipv6 || ip6tables -t mangle -I TPROXY_OUT -j RETURN $enable_ipv6 || ip6tables -t mangle -I TPROXY_OUT -j RETURN
if $enable_gateway; then if $enable_gateway; then
$enable_dns || iptables -t mangle -I TPROXY_PRE -p udp --dport 53 -j RETURN $enable_dns || iptables -t mangle -I TPROXY_PRE -p udp --dport 53 -j RETURN
$enable_dns || ip6tables -t mangle -I TPROXY_PRE -p udp --dport 53 -j RETURN $enable_dns || ip6tables -t mangle -I TPROXY_PRE -p udp --dport 53 -j RETURN
$enable_udp || iptables -t mangle -I TPROXY_PRE -p udp -j RETURN $enable_udp || iptables -t mangle -I TPROXY_PRE -p udp -j RETURN
$enable_udp || ip6tables -t mangle -I TPROXY_PRE -p udp -j RETURN $enable_udp || ip6tables -t mangle -I TPROXY_PRE -p udp -j RETURN
$enable_tcp || iptables -t mangle -I TPROXY_PRE -p tcp -j RETURN $enable_tcp || iptables -t mangle -I TPROXY_PRE -p tcp -j RETURN
$enable_tcp || ip6tables -t mangle -I TPROXY_PRE -p tcp -j RETURN $enable_tcp || ip6tables -t mangle -I TPROXY_PRE -p tcp -j RETURN
$enable_ipv4 || iptables -t mangle -I TPROXY_PRE -j RETURN $enable_ipv4 || iptables -t mangle -I TPROXY_PRE -j RETURN
$enable_ipv6 || ip6tables -t mangle -I TPROXY_PRE -j RETURN $enable_ipv6 || ip6tables -t mangle -I TPROXY_PRE -j RETURN
fi fi
## do not handle local device connection through tproxy if gateway is not enabled ## do not handle local device connection through tproxy if gateway is not enabled
$enable_gateway || iptables -t mangle -I TPROXY_PRE -m addrtype ! --src-type LOCAL -m addrtype ! --dst-type LOCAL -j RETURN $enable_gateway || iptables -t mangle -I TPROXY_PRE -m addrtype ! --src-type LOCAL -j RETURN
$enable_gateway || ip6tables -t mangle -I TPROXY_PRE -m addrtype ! --src-type LOCAL -m addrtype ! --dst-type LOCAL -j RETURN $enable_gateway || ip6tables -t mangle -I TPROXY_PRE -m addrtype ! --src-type LOCAL -j RETURN
## make sure following rules are the first in chain TPROXY_PRE to mark new incoming connection or gateway proxy connection ## make sure following rules are the first in chain TPROXY_PRE to mark new incoming connection or gateway proxy connection
## so must put at last to insert first ## so must put at last to insert first

60
readme.md
View File

@@ -1,3 +1,5 @@
# Transparent Proxy with cgroup v2 # Transparent Proxy with cgroup v2
@@ -36,12 +38,12 @@ It aslo supports global transparent proxy and gateway proxy. See [Global transpa
- TPROXY - TPROXY
A process listening on port (e.g. 12345) to accept iptables TPROXY, for example v2ray's dokodemo-door in tproxy mode. A process listening on port (e.g. 12345) to accept iptables TPROXY, for example v2ray's dokodemo-door in tproxy mode.
## How to install ## How to install
```bash ```bash
mkdir build && cd build && cmake .. && make && make install mkdir build && cd build && cmake .. && make && sudo make install
``` ```
- It is alreay in [archlinux AUR](https://aur.archlinux.org/packages/cgproxy/). - It is alreay in [archlinux AUR](https://aur.archlinux.org/packages/cgproxy/).
@@ -50,13 +52,12 @@ mkdir build && cd build && cmake .. && make && make install
## How to use ## How to use
- First enable service - First enable and start service
```bash ```bash
sudo systemctl enable --now cgproxy.service sudo systemctl enable --now cgproxy.service
sudo systemctl status cgproxy.service
``` ```
- Then prefix with cgproxy with your command, just like proxychains - Then prefix with cgproxy with your command, just like proxychains
``` ```
@@ -69,8 +70,13 @@ mkdir build && cd build && cmake .. && make && make install
cgproxy curl -vIs https://www.google.com cgproxy curl -vIs https://www.google.com
``` ```
- To completely stop
```
sudo systemctl disable --now cgproxy.service
```
----
<details> <details>
<summary>More config in `/etc/cgproxy.conf` (click to expand)</summary> <summary>More config in <i>/etc/cgproxy.conf</i> (click to expand)</summary>
```bash ```bash
######################################################################## ########################################################################
@@ -78,6 +84,7 @@ mkdir build && cd build && cmake .. && make && make install
## any process in cgroup_proxy will be proxied, and cgroup_noproxy the opposite ## any process in cgroup_proxy will be proxied, and cgroup_noproxy the opposite
## cgroup must start with slash '/' ## cgroup must start with slash '/'
# cgroup_proxy="/" # cgroup_proxy="/"
# cgroup_noproxy="/system.slice/v2ray.service"
cgroup_proxy="/proxy.slice" cgroup_proxy="/proxy.slice"
cgroup_noproxy="/noproxy.slice" cgroup_noproxy="/noproxy.slice"
@@ -91,17 +98,16 @@ port=12345
######################################################################## ########################################################################
## if you set to false, it's traffic won't go through proxy, but still can go direct to internet ## if you set to false, it's traffic won't go through proxy, but still can go direct to internet
enable_dns=true
enable_tcp=true enable_tcp=true
enable_udp=true enable_udp=true
enable_ipv4=true enable_ipv4=true
enable_ipv6=true enable_ipv6=true
enable_dns=true
######################################################################## ########################################################################
## do not modify this if you don't known what you are doing ## do not modify this if you don't known what you are doing
table=100 table=100
fwmark=0x01 fwmark=0x01
mark_noproxy=0xff
mark_newin=0x02 mark_newin=0x02
``` ```
</details> </details>
@@ -113,24 +119,27 @@ sudo systemctl restart cgproxy.service
## Global transparent proxy ## Global transparent proxy
- First, set **cgroup_proxy="/"** in `/etc/cgproxy.conf`, this will proxy all connection - Set `cgroup_proxy="/"` in */etc/cgproxy.conf*, this will proxy all connection
- Then, run your proxy software in cgroup_noproxy to allow direct to internet - And allow your proxy program (v2ray) direct to internet, two ways:
- active way
```bash run `cgnoproxy <PROXY PROGRAM>`
cgnoproxy <PROXY PROGRAM>
# qv2ray as example example: `cgnoproxy sudo v2ray -config config_file`
cgnoproxy qv2ray
# v2ray as example - passive way
cgnoproxy sudo v2ray --config config_file
``` set `cgroup_noproxy="<PROXY PROGRAM's CGROUP>"`
- Finally, restart service `sudo systemctl restart cgproxy.service`, that's all example: `cgroup_noproxy="/system.slice/v2ray.service"`
- Finally, restart cgproxy service, that's all
## Gateway proxy ## Gateway proxy
- Set **enable_gateway=true** in `/etc/cgproxy.conf` and restart service - Set `enable_gateway=true` in */etc/cgproxy.conf*
- Run your proxy software in cgroup_noproxy to allow direct to internet as above. This is necessary when you use global transparent proxy the same time. - And allow your proxy software (v2ray) direct to internet, described above
- Other device set this host as gateway, and set public dns if necessary - Other device set this host as gateway, and set public dns if necessary
## Other useful tools provided in this project ## Other useful tools provided in this project
@@ -159,7 +168,7 @@ sudo systemctl restart cgproxy.service
## NOTES ## NOTES
- `cgattach` attach pid to specific cgroup, and has *suid* bit set by default, be careful to use on multi-user server for securiry. To avoid this situation, you can remove the *suid* bit , then it will fallback to use *sudo*, with *visudo* you can restrict permission or set NOPASSWD for youself. - `cgattach` has *suid* bit set by default, be careful to use on multi-user server for securiry. To avoid this situation, you can remove the *suid* bit , then it will fallback to use *sudo*, with *sudoer* you can restrict permission or set NOPASSWD for youself.
- v2ray TPROXY need root or special permission - v2ray TPROXY need root or special permission
@@ -167,13 +176,14 @@ sudo systemctl restart cgproxy.service
sudo setcap "cap_net_admin,cap_net_bind_service=ep" /usr/lib/v2ray/v2ray sudo setcap "cap_net_admin,cap_net_bind_service=ep" /usr/lib/v2ray/v2ray
``` ```
- Why not outbound mark solution, because in v2ray [when `"localhost"` is used, out-going DNS traffic is not controlled by V2Ray](https://www.v2fly.org/en/configuration/dns.html), so no mark at all, that's pitty. - Why not outbound mark solution, because in v2ray [when `"localhost"` is used, out-going DNS traffic is not controlled by V2Ray](https://www.v2fly.org/en/configuration/dns.html), so no mark at all, that's pity.
## TIPS ## TIPS
- `systemd-cgls` to see the cgroup hierarchical tree. - `systemd-cgls` to see the cgroup hierarchical tree.
- v2ray full config exmaple in [v2ray_buid](https://github.com/springzfx/cgproxy/tree/master/v2ray_buid), more to see [v2ray multi-file config](https://www.v2fly.org/chapter_02/multiple_config.html) - Check cgroup2 support `findmnt -t cgroup2`
- Qv2ray config example - Offer you v2ray service and full config exmaple in [v2ray_config](https://github.com/springzfx/cgproxy/tree/master/v2ray_config)
- Offer you qv2ray config example
![Qv2ray config example](https://i.loli.net/2020/04/28/bdQBzUD37FOgfvt.png) ![Qv2ray config example](https://i.loli.net/2020/04/28/bdQBzUD37FOgfvt.png)

2
v2ray_config/00_log.json
View File

@@ -1,5 +1,5 @@
{ {
"log": { "log": {
"loglevel": "debug" "loglevel": "error"
} }
} }

6
v2ray_config/02_dns.json
View File

@@ -1,6 +1,8 @@
{ {
"dns": { "dns": {
"servers": [ "servers": [
"https://223.5.5.5/dns-query",
"https://1.1.1.1/dns-query",
{ {
"address": "localhost", "address": "localhost",
"port": 53, "port": 53,
@@ -10,9 +12,7 @@
"expectIPs": [ "expectIPs": [
"geoip:cn" "geoip:cn"
] ]
}, }
"https+local://1.1.1.1/dns-query",
"223.6.6.6"
], ],
"tag": "dns_inbound" "tag": "dns_inbound"
} }

49
v2ray_config/03_routing.json
View File

@@ -2,11 +2,32 @@
"routing": { "routing": {
"domainStrategy": "IPIfNonMatch", "domainStrategy": "IPIfNonMatch",
"rules": [ "rules": [
{
"domain": [
"geosite:category-ads-all"
],
"outboundTag": "outBound_BLACKHOLE",
"type": "field"
},
{
"inboundTag": [
"inbound_API"
],
"outboundTag": "API",
"type": "field"
},
{ {
"outboundTag": "dns-out", "outboundTag": "dns-out",
"port": "53", "port": "53",
"type": "field" "type": "field"
}, },
{
"inboundTag": [
"dns_inbound"
],
"outboundTag": "outBound_DIRECT",
"type": "field"
},
{ {
"domain": [ "domain": [
"geosite:google", "geosite:google",
@@ -20,27 +41,6 @@
"outboundTag": "outBound_PROXY", "outboundTag": "outBound_PROXY",
"type": "field" "type": "field"
}, },
{
"ip": [
"geoip:private"
],
"outboundTag": "outBound_DIRECT",
"type": "field"
},
{
"domain": [
"geosite:category-ads-all"
],
"outboundTag": "outBound_BLACKHOLE",
"type": "field"
},
{
"ip": [
"geoip:cn"
],
"outboundTag": "outBound_DIRECT",
"type": "field"
},
{ {
"domain": [ "domain": [
"geosite:cn" "geosite:cn"
@@ -49,10 +49,11 @@
"type": "field" "type": "field"
}, },
{ {
"inboundTag": [ "ip": [
"inbound_API" "geoip:cn",
"geoip:private"
], ],
"outboundTag": "API", "outboundTag": "outBound_DIRECT",
"type": "field" "type": "field"
} }
] ]

30
v2ray_config/05_inbounds_tproxy_ipv4lo.json Normal file
View File

@@ -0,0 +1,30 @@
{
"inbounds": [
{
"listen": "127.0.0.1",
"port": 12345,
"protocol": "dokodemo-door",
"settings": {
"address": "",
"followRedirect": true,
"network": "tcp,udp",
"port": 0,
"timeout": 300,
"userLevel": 0
},
"sniffing": {
"destOverride": [
"http",
"tls"
],
"enabled": true
},
"streamSettings": {
"sockopt": {
"tproxy": "tproxy"
}
},
"tag": "tproxy_IN_ipv4lo"
}
]
}

6
v2ray_config/05_inbounds_tproxy.json → v2ray_config/05_inbounds_tproxy_ipv6lo.json
View File

@@ -1,7 +1,7 @@
{ {
"inbounds": [ "inbounds": [
{ {
"listen": "0.0.0.0", "listen": "::1",
"port": 12345, "port": 12345,
"protocol": "dokodemo-door", "protocol": "dokodemo-door",
"settings": { "settings": {
@@ -9,7 +9,7 @@
"followRedirect": true, "followRedirect": true,
"network": "tcp,udp", "network": "tcp,udp",
"port": 0, "port": 0,
"timeout": 0, "timeout": 300,
"userLevel": 0 "userLevel": 0
}, },
"sniffing": { "sniffing": {
@@ -24,7 +24,7 @@
"tproxy": "tproxy" "tproxy": "tproxy"
} }
}, },
"tag": "tproxy_IN" "tag": "tproxy_IN_ipv6lo"
} }
] ]
} }

2
v2ray_config/06_outbounds_myproxy.json
View File

@@ -1 +1 @@
{} {}

9
v2ray_config/readme.md
View File

@@ -1 +1,8 @@
Fill `06_outbounds_myproxy.json` with your vmess proxy config with tag `outBound_PROXY`. ## Usage
- Fill `06_outbounds_myproxy.json` with your vmess proxy config with tag `outBound_PROXY`.
- Start with `sudo v2ray -confdir .`
## Reference
- [v2ray multi-file config](https://www.v2fly.org/chapter_02/multiple_config.html)