MetaCubeX / mihomo

A simple Python Pydantic model for Honkai: Star Rail parsed data from the Mihomo API.
https://wiki.metacubex.one
MIT License
15.78k stars 2.58k forks

[Feature] A socks5 port to bypass traffic like DIRECT mode? #816

Closed Azadzadeh closed 11 months ago

Azadzadeh commented 11 months ago

Verify steps

Description

Assuming we are using TUN mode + hijacked DNS. In this mode, all traffic is controlled by Clash.Meta. We can bypass traffic to a domain or IP by setting a rule and using DIRECT.

My question: how to expose a certain port so all traffic going through it is bypassed like DIRECT? So I mean, in this TUN mode, all traffic is handled by Rule. I want a socks5 port that always behaves like DIRECT.

Possible Solution

No response

xishang0128 commented 11 months ago

https://github.com/MetaCubeX/Clash.Meta/blob/79626189f33631dc6bcd7d6503e2b2a5ff509453/docs/config.yaml#L889 proxy: DIRECT

Azadzadeh commented 11 months ago

@xishang0128 yeah, that solves it! thanks

listeners:
  - name: 'socks5-always-direct'
    type: socks
    port: 8085
    proxy: DIRECT

However, somehow I missed this inbound feature! Am I correct to assume that with this feature, Clash.Meta can act in server-side as a proxy server? For example with this commit, we don't need an independent hysteria2 binary at server-side, right?

xishang0128 commented 11 months ago

@Azadzadeh Yes, clash meta can act as a proxy server for some protocols

You can refer to https://wiki.metacubex.one/config/inbound/ and https://wiki.metacubex.one/config/inbound/hysteria2, which are still being improved and are not available in English.

Azadzadeh commented 11 months ago

@xishang0128 and upstream Clash doesn't support this "acting as proxy server in server-side"? https://dreamacro.github.io/clash/configuration/inbound.html#inbound

Also, there is an ambiguity about inbound TUN and general top-level TUN. What does setting them both, mean in practice?

xishang0128 commented 11 months ago

> Also, there is an ambiguity about inbound TUN and general top-level TUN. What does setting them both, mean in practice?

They are equivalent, just set one of them

xishang0128 commented 11 months ago

> @xishang0128 and upstream Clash doesn't support this "acting as proxy server in server-side"? https://dreamacro.github.io/clash/configuration/inbound.html#inbound

The upstream only supports socks/http and does not support the encrypted proxy protocol. socks/http is not safe on public networks.
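
A check that follows from the point above about socks/http not being safe on public networks, added here as an example (not code from this thread or from Clash.Meta): it flags plaintext listeners that are not bound to loopback. The `listen` key and its all-interfaces default are assumptions, as are the constructed `socks5-local` and `hy2-in` sample entries.

```python
import ipaddress

# Listener types that carry traffic (and any credentials) unencrypted.
PLAINTEXT_TYPES = {"socks", "http", "mixed"}
# Assumption: a listener with no `listen` key binds every interface.
DEFAULT_LISTEN = "0.0.0.0"


def is_loopback(addr: str) -> bool:
    """True only for literal loopback addresses or 'localhost'."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return False  # unknown hostname: treat as exposed


def audit_listeners(config: dict) -> list[str]:
    """Return one finding per plaintext listener reachable off-host."""
    findings = []
    for lst in config.get("listeners") or []:
        ltype = str(lst.get("type", "")).lower()
        addr = str(lst.get("listen", DEFAULT_LISTEN))
        if ltype in PLAINTEXT_TYPES and not is_loopback(addr):
            findings.append(
                f"{lst.get('name', '?')}: {ltype} on {addr}:{lst.get('port')} "
                f"-> {lst.get('proxy', 'rules')} is reachable beyond loopback"
            )
    return findings


# Constructed sample: the listener from the thread, a loopback-bound copy,
# and an encrypted inbound, in the shape yaml.safe_load() would return.
SAMPLE = {
    "listeners": [
        {"name": "socks5-always-direct", "type": "socks", "port": 8085, "proxy": "DIRECT"},
        {"name": "socks5-local", "type": "socks", "port": 8086,
         "listen": "127.0.0.1", "proxy": "DIRECT"},
        {"name": "hy2-in", "type": "hysteria2", "port": 443},
    ]
}

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE):
        print(finding)
```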

Azadzadeh commented 11 months ago

@xishang0128 about acting as inbound proxy at server-side, I think, in general, it's better to rely on each protocol's upstream binary since security updates are first applied there and take a while to propagate to Clash.Meta. What is your view on this matter?

xishang0128 commented 11 months ago

@Azadzadeh No need to worry about this. If security issues arise, clash.meta will promptly update the protocol. If it's a minor issue, clash.meta may not be updated soon, or it may not be updated at all (clash.meta may not be affected by minor issues that occur upstream)

For example tuic, clash.meta has some implementations of their own.

stevejohnson7 commented 11 months ago

Solved. So close it