kuoruan / luci-app-v2ray

LuCI support for V2Ray

Is there a way to set up IPv6 routing? #83

Open csquya opened 4 years ago

csquya commented 4 years ago

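I ran into a problem when accessing Netflix: even though I set a routing rule to send it through V2Ray, the connection still went direct. I have not noticed this with other sites so far.

I searched Google and Baidu; other people have the same issue, but the solutions look somewhat complicated, so I took the crude approach of disabling IPv6 DHCP assignment on the router.

Considering that IPv6 does have benefits, such as reaching internal hosts directly without NAT, and that some sites require IPv6, is there a better solution? Thanks for your attention.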

kuoruan commented 4 years ago

Can you post your configuration?

RoninYuan-WY commented 4 years ago

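Add a proxy outbound and give it a tag. In the routing configuration, add a rule with domains, put netflix.com and nflxvideo.net in its domain list, and set the rule's outbound tag to the tag you just created.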

csquya commented 4 years ago

> Can you post your configuration?

On another question: BitTorrent is set to direct on the client and to blackhole on the server, but one day I still received a warning and the VPS was suspended; I don't know what went wrong. I then downloaded a script that uses iptables to filter BT keywords, but apart from working on Debian it has more or less some problems on other systems. I'm a novice and don't know how to deal with it. I remember someone once proposed a setting to block ports above 10000; that seems like a good proposal, and I look forward to having it configurable in the LuCI interface.

```json
{
  "dns": {
    "hosts": { "example.com": "127.0.0.1" },
    "servers": [
      { "address": "1.1.1.1", "port": 53, "domains": [ "geosite:geolocation-!cn" ] },
      { "address": "8.8.8.8", "port": 53 },
      { "address": "114.114.114.114", "port": 53, "domains": [ "geosite:cn" ] }
    ]
  },
  "routing": {
    "domainStrategy": "IPOnDemand",
    "rules": [
      { "type": "field", "protocol": [ "bittorrent" ], "outboundTag": "direct" },
      { "type": "field", "domain": [ "geosite:category-ads-all" ], "outboundTag": "block" },
      { "type": "field", "domain": [ "geosite:netflix", "geosite:youtube", "fast.com", "coinmarketcap.com" ], "outboundTag": "q2" },
      { "type": "field", "domain": [ "geosite:geolocation-!cn" ], "outboundTag": "a" },
      { "type": "field", "ip": [ "geoip:private", "geoip:cn", "61.160.204.241\/24" ], "outboundTag": "direct" },
      { "type": "field", "domain": [ "geosite:cn", "microsoft.com", "myzaker.com", "geosite:bilibili", "rr.tv" ], "outboundTag": "direct" },
      { "type": "field", "port": "53", "network": "udp", "inboundTag": [ "transparent_proxy" ], "outboundTag": "dns_out" }
    ]
  },
  "policy": {
    "levels": {
      "0": { "handshake": 4, "connIdle": 300, "uplinkOnly": 2, "downlinkOnly": 5, "statsUserUplink": false, "statsUserDownlink": false, "bufferSize": 4 }
    },
    "system": { "statsInboundUplink": false, "statsInboundDownlink": false }
  },
  "inbounds": [
    {
      "listen": "0.0.0.0", "port": 1688, "protocol": "socks",
      "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] },
      "settings": { "udp": true, "auth": "noauth", "ip": "127.0.0.1" }
    },
    {
      "listen": "0.0.0.0", "port": 1081, "protocol": "dokodemo-door", "tag": "transparent_proxy",
      "sniffing": { "enabled": true, "destOverride": [ "http", "tls" ] },
      "settings": { "network": "tcp,udp", "timeout": 300, "followRedirect": true }
    }
  ],
  "outbounds": [
    {
      "sendThrough": "0.0.0.0", "protocol": "vmess", "tag": "a2",
      "settings": { "vnext": [ { "address": "a2.mydomain.com", "port": 443, "users": [ { "id": "myid" } ] } ] },
      "streamSettings": { "network": "ws", "security": "tls", "wsSettings": { "path": "\/mypath" }, "sockopt": { "mark": 255 } }
    },
    {
      "sendThrough": "0.0.0.0", "protocol": "vmess", "tag": "a",
      "settings": { "vnext": [ { "address": "a.mydomain.com", "port": 443, "users": [ { "id": "myid" } ] } ] },
      "streamSettings": { "network": "ws", "security": "tls", "wsSettings": { "path": "\/mypath" }, "sockopt": { "mark": 255 } }
    },
    {
      "sendThrough": "0.0.0.0", "protocol": "freedom", "tag": "direct",
      "streamSettings": { "sockopt": { "mark": 255 } }
    },
    {
      "sendThrough": "0.0.0.0", "protocol": "dns", "tag": "dns_out",
      "streamSettings": { "sockopt": { "mark": 255 } }
    },
    {
      "sendThrough": "0.0.0.0", "protocol": "vmess", "tag": "p2",
      "settings": { "vnext": [ { "address": "p2.mydomain.com", "port": 443, "users": [ { "id": "myid" } ] } ] },
      "streamSettings": { "network": "ws", "security": "tls", "wsSettings": { "path": "\/mypath" }, "sockopt": { "mark": 255 } }
    },
    {
      "sendThrough": "0.0.0.0", "protocol": "blackhole", "tag": "block",
      "streamSettings": { "sockopt": { "mark": 255 } }
    },
    {
      "sendThrough": "0.0.0.0", "protocol": "vmess", "tag": "q2",
      "settings": { "vnext": [ { "address": "q2.mydomain.com", "port": 443, "users": [ { "id": "myid" } ] } ] },
      "streamSettings": { "network": "ws", "security": "tls", "wsSettings": { "path": "\/mypath" }, "sockopt": { "mark": 255 } }
    }
  ]
}
```

csquya commented 4 years ago

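> Add a proxy outbound and give it a tag. In the routing configuration, add a rule with domains, put netflix.com and nflxvideo.net in its domain list, and set the rule's outbound tag to the tag you just created.

That is exactly how I set it up; please see the configuration above.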

kuoruan commented 4 years ago

The new version added an option to proxy ports below 1024, and also a setting to send BT traffic direct.

RoninYuan-WY commented 4 years ago

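> > Add a proxy outbound and give it a tag. In the routing configuration, add a rule with domains, put netflix.com and nflxvideo.net in its domain list, and set the rule's outbound tag to the tag you just created.
>
> That is exactly how I set it up; please see the configuration above.

Change

`"domain": [ "geosite:netflix", "geosite:youtube", "fast.com", "coinmarketcap.com" ],`

to

`"domain": [ "netflix.com", "nflxvideo.net", "geosite:youtube", "fast.com", "coinmarketcap.com" ],`

and it should work.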

csquya commented 4 years ago

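> > > Add a proxy outbound and give it a tag. In the routing configuration, add a rule with domains, put netflix.com and nflxvideo.net in its domain list, and set the rule's outbound tag to the tag you just created.
> >
> > That is exactly how I set it up; please see the configuration above.
>
> Change `"domain": [ "geosite:netflix", "geosite:youtube", "fast.com", "coinmarketcap.com" ],` to `"domain": [ "netflix.com", "nflxvideo.net", "geosite:youtube", "fast.com", "coinmarketcap.com" ],` and it should work.

What you describe is not the key point. Over IPv4 my configuration routes exactly as I intend; it is only over IPv6 that it does not. Besides, geosite:netflix (see https://github.com/v2ray/domain-list-community/blob/master/data/netflix ) includes not only netflix.com and nflxvideo.net

but also btstatic.com netflix.net nflxext.com nflximg.com nflximg.net nflxsearch.net nflxso.net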

csquya commented 4 years ago

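> The new version added an option to proxy ports below 1024, and also a setting to send BT traffic direct.

I think my problem is one of IPv6 and transparent proxying: once there is an IPv6 address, the iptables settings for the transparent proxy no longer take effect. See https://github.com/hq450/fancyss/issues/173. After reading it I also feel there is no good solution; I don't know how to do it.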

RoninYuan-WY commented 4 years ago

What you describe is a problem I have been trying to solve as well; the following may be useful as a reference: https://gist.github.com/jamesmacwhite/6a642cb6bad00c5cefa91ec3d742e2a6

csquya commented 4 years ago

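> What you describe is a problem I have been trying to solve as well; the following may be useful as a reference: https://gist.github.com/jamesmacwhite/6a642cb6bad00c5cefa91ec3d742e2a6

It is not quite the same thing. That article says Netflix is unfriendly to IPv6 and treats it as a proxy; in fact that is no longer the case. Not only that, some people whose IPv4 address has been blacklisted by Netflix actually use IPv6 to connect to Netflix instead. My problem is that Netflix preferred IPv6, and the IPv6 traffic did not go through the V2Ray routing, so Netflix recognized my IPv6 address as being inside China and refused service. The approach in that article of using ip6tables to block IPv6 traffic does work for both of the cases above, but it is not a good approach. Besides, I already knew about it, and as I said, I'm a novice and can't manage it. Even if I could, I don't like this approach.

Ideally, when an IPv6 address is used, traffic would follow the routing through V2Ray to the VPS and then reach Netflix via the VPS's IPv6 address. Next best would be reaching Netflix via the VPS's IPv4 address. After that comes having V2Ray itself block IPv6 Netflix traffic, then the ip6tables blocking that can be found online, and last my approach of turning off IPv6 DHCP assignment on the router.

My current approach is the simplest but also the crudest, and I don't like it either; I only use it because I have no choice.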

RoninYuan-WY commented 4 years ago

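The method in the article above does block IPv6 Netflix traffic. I roughly understand that you want IPv6 to be the preferred connection. Leaving the implementation aside, the goal is to watch Netflix properly, and whether that happens over IPv4 or IPv6 should not matter. I have tried Netflix over IPv6 and it does not give a good experience: when NF detects your IPv6 fallback it shows a page asking you to reload, and you have to refresh again. So connecting to NF over IPv4 is the best solution, and in your dual-stack case blocking NF over IPv6 directly gives the best result. As for the setup, just add the following lines to the end of /etc/dnsmasq.conf:

```
# Null AAAA response on these domains
server=/netflix.com/#
address=/netflix.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/::
server=/nflximg.net/#
address=/nflximg.net/::
server=/nflxvideo.net/#
address=/nflxvideo.net/::
server=/nflxso.net/#
address=/nflxso.net/::
```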

csquya commented 4 years ago

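> The method in the article above does block IPv6 Netflix traffic. I roughly understand that you want IPv6 to be the preferred connection. Leaving the implementation aside, the goal is to watch Netflix properly, and whether that happens over IPv4 or IPv6 should not matter. I have tried Netflix over IPv6 and it does not give a good experience: when NF detects your IPv6 fallback it shows a page asking you to reload, and you have to refresh again. So connecting to NF over IPv4 is the best solution, and in your dual-stack case blocking NF over IPv6 directly gives the best result. As for the setup, just add the following lines to the end of /etc/dnsmasq.conf:
>
> # Null AAAA response on these domains
> server=/netflix.com/#
> address=/netflix.com/::
> server=/netflix.net/#
> address=/netflix.net/::
> server=/nflxext.com/#
> address=/nflxext.com/::
> server=/nflximg.net/#
> address=/nflximg.net/::
> server=/nflxvideo.net/#
> address=/nflxvideo.net/::
> server=/nflxso.net/#
> address=/nflxso.net/::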

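Thanks, brother. I tested it, and this method is fairly simple and effective. Before the change, when I tested the fast.com site, IPv4 and IPv6 addresses appeared alternately; after also adding fast.com, the addresses seen in testing so far have all been IPv4. (Update: an IPv6 address just showed up once, so it seems it is still not perfect.)

Below is the list after adding all the Netflix sites and the speed-test site fast.com. After editing, run `service dnsmasq restart` to restart dnsmasq so the change takes effect.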

```
# Null AAAA response on these domains (local IPv6 lookups for the sites below return empty)
server=/netflix.com/#
address=/netflix.com/::
server=/nflxvideo.net/#
address=/nflxvideo.net/::
server=/btstatic.com/#
address=/btstatic.com/::
server=/netflix.net/#
address=/netflix.net/::
server=/nflxext.com/#
address=/nflxext.com/::
server=/nflximg.com/#
address=/nflximg.com/::
server=/nflximg.net/#
address=/nflximg.net/::
server=/nflxsearch.net/#
address=/nflxsearch.net/::
server=/nflxso.net/#
address=/nflxso.net/::
server=/fast.com/#
address=/fast.com/::
```
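The audit below is an added example, not part of the thread or of the project's code. It checks a dnsmasq config for the `server=/…/#` and `address=/…/::` pair for every domain named in the thread (the geosite:netflix entries plus fast.com); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a dnsmasq config for per-domain AAAA suppression.
# Function names and the sample file are constructed for illustration.

# Domains named in the thread: geosite:netflix entries plus fast.com.
DOMAINS="netflix.com nflxvideo.net btstatic.com netflix.net nflxext.com \
nflximg.com nflximg.net nflxsearch.net nflxso.net fast.com"

# emit_rules DOMAIN...: print the two-line stanza used in the thread.
emit_rules() {
    for d in "$@"; do
        printf 'server=/%s/#\naddress=/%s/::\n' "$d" "$d"
    done
}

# missing_domains CONF DOMAIN...: print, space separated, every domain
# that lacks either of its two lines in CONF (exact whole-line match).
missing_domains() {
    _conf=$1
    shift
    _out=""
    for d in "$@"; do
        if grep -qxF "server=/$d/#" "$_conf" &&
           grep -qxF "address=/$d/::" "$_conf"; then
            continue
        fi
        _out="$_out${_out:+ }$d"
    done
    printf '%s\n' "$_out"
}

# Constructed sample: the six-domain stanza first suggested in the thread.
sample=$(mktemp)
emit_rules netflix.com netflix.net nflxext.com nflximg.net \
    nflxvideo.net nflxso.net > "$sample"
echo "not covered: $(missing_domains "$sample" $DOMAINS)"
rm -f "$sample"
```

These dnsmasq entries only affect clients that resolve names through this dnsmasq instance; a client using another resolver still receives AAAA records.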