- WireGuard Install (Debian10)
# Refresh the package lists and bring the base system up to date.
apt update
apt upgrade
# Add the buster-backports repository before installing wireguard.
printf '%s\n' 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list
apt update
apt install wireguard resolvconf
# Work in /etc/wireguard with umask 077 so the key files and wg0.conf are
# created readable by their owner only.
cd /etc/wireguard/
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
# The heredoc delimiter is unquoted, so $(cat privatekey) is expanded now and
# the private key itself is written into wg0.conf.
# NOTE(review): the MASQUERADE rule only covers NAT; forwarding peer traffic
# also depends on net.ipv4.ip_forward, which this page never sets. Confirm.
cat > wg0.conf << WG0_CONF
[Interface]
Address = 192.168.40.1/24
ListenPort = 51194
PrivateKey = $(cat privatekey)
PostUp = iptables -t nat -A POSTROUTING -s 192.168.40.0/24 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 192.168.40.0/24 -j MASQUERADE
[Peer]
PersistentKeepalive = 25
PublicKey = avm9Z/O4CqE0XK6BXB4/7z0/rNL0TT2KBC7cmaMNxwk=
AllowedIPs = 192.168.40.10/32
WG0_CONF
# RouterOS syntax (presumably entered on the MikroTik peer, not on the Debian host).
# Clamps the MSS of forwarded TCP SYN packets to the path MTU.
/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
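# Download the wgcf 2.2.11 release binary.
wget https://github.com/ViRb3/wgcf/releases/download/v2.2.11/wgcf_2.2.11_linux_amd64
# Print the SHA-256 and compare it with a digest from a source you trust before
# executing the file. HTTPS only shows the file came from GitHub, not that it
# is the build you expect.
sha256sum wgcf_2.2.11_linux_amd64
chmod +x wgcf_2.2.11_linux_amd64
# register creates the WARP account; generate writes wgcf-profile.conf.
# NOTE(review): register also leaves account credentials in the working
# directory (wgcf-account.toml in current wgcf releases; confirm). Keep that
# file private as well.
./wgcf_2.2.11_linux_amd64 register
./wgcf_2.2.11_linux_amd64 generate
# The profile contains the interface private key, so install it owner-only
# instead of relying on whatever umask the current shell has.
install -m 600 wgcf-profile.conf /etc/wireguard/wgcf.conf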
# /etc/wireguard/wgcf.conf, fwmark variant: IPv4 packets carrying firewall mark
# 51820 are routed through table 51820, whose default route is the wgcf device.
[Interface]
# Redacted on this page. The real value is a secret; keep the file owner-readable only.
PrivateKey = --------------------------------------------
Address = 172.16.0.2/32
Address = fd01:5ca1:ab1e:87ec:61dd:e557:bee:252d/128
DNS = 1.1.1.1
MTU = 1280
# Table = off stops wg-quick from adding routes for AllowedIPs; the PostUP
# commands below build the policy routing by hand.
Table = off
# IPv4: only marked packets look up table 51820.
PostUP = ip -4 rule add fwmark 51820 lookup 51820
PostUP = ip -4 route add default dev wgcf table 51820
# suppress_prefixlength 0: consult the main table but ignore its default route.
PostUP = ip -4 rule add table main suppress_prefixlength 0
# IPv6: both marked and unmarked packets are pointed at table 51820.
PostUP = ip -6 rule add fwmark 51820 lookup 51820
PostUP = ip -6 rule add not fwmark 51820 table 51820
PostUP = ip -6 route add ::/0 dev wgcf table 51820
PostUP = ip -6 rule add table main suppress_prefixlength 0
# PostDown removes the rules only; the table 51820 routes are not deleted here
# (presumably they go away with the interface; confirm).
PostDown = ip -4 rule delete fwmark 51820 lookup 51820
PostDown = ip -4 rule delete table main suppress_prefixlength 0
PostDown = ip -6 rule delete fwmark 51820 lookup 51820
PostDown = ip -6 rule delete not fwmark 51820 table 51820
PostDown = ip -6 rule delete table main suppress_prefixlength 0
[Peer]
# Redacted on this page; take the peer key from the generated wgcf-profile.conf.
PublicKey = --------------------------------------------
PersistentKeepalive = 25
AllowedIPs = ::/0
Endpoint = engage.cloudflareclient.com:2408
# The IPv4 list below leaves out 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and
# 224.0.0.0/3, so those destinations are never accepted from or sent to this peer.
AllowedIPs = 0.0.0.0/5
AllowedIPs = 8.0.0.0/7
AllowedIPs = 11.0.0.0/8
AllowedIPs = 12.0.0.0/6
AllowedIPs = 16.0.0.0/4
AllowedIPs = 32.0.0.0/3
AllowedIPs = 64.0.0.0/2
AllowedIPs = 128.0.0.0/3
AllowedIPs = 160.0.0.0/5
AllowedIPs = 168.0.0.0/6
AllowedIPs = 172.0.0.0/12
AllowedIPs = 172.32.0.0/11
AllowedIPs = 172.64.0.0/10
AllowedIPs = 172.128.0.0/9
AllowedIPs = 173.0.0.0/8
AllowedIPs = 174.0.0.0/7
AllowedIPs = 176.0.0.0/4
AllowedIPs = 192.0.0.0/9
AllowedIPs = 192.128.0.0/11
AllowedIPs = 192.160.0.0/13
AllowedIPs = 192.169.0.0/16
AllowedIPs = 192.170.0.0/15
AllowedIPs = 192.172.0.0/14
AllowedIPs = 192.176.0.0/12
AllowedIPs = 192.192.0.0/10
AllowedIPs = 193.0.0.0/8
AllowedIPs = 194.0.0.0/7
AllowedIPs = 196.0.0.0/6
AllowedIPs = 200.0.0.0/5
AllowedIPs = 208.0.0.0/4
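# /etc/wireguard/wgcf.conf, source-address ("table") variant: IPv4 packets sent
# from 172.16.0.2 are routed through table 51820, whose default route is the
# wgcf device. No firewall mark is needed for IPv4.
# The [Interface] header was missing from this listing; without it the keys
# below do not belong to any section.
[Interface]
# Redacted on this page. The real value is a secret; keep the file owner-readable only.
PrivateKey = --------------------------------------------
Address = 172.16.0.2/32
Address = fd01:5ca1:ab1e:87ec:61dd:e557:bee:252d/128
DNS = 1.1.1.1
MTU = 1280
# Table = off stops wg-quick from adding routes for AllowedIPs; the PostUP
# commands below build the policy routing by hand.
Table = off
# IPv4: select table 51820 by source address instead of by mark.
PostUP = ip -4 rule add from 172.16.0.2/32 lookup 51820
PostUP = ip -4 route add default dev wgcf table 51820
# suppress_prefixlength 0: consult the main table but ignore its default route.
PostUP = ip -4 rule add table main suppress_prefixlength 0
# IPv6: every packet without mark 51820 is pointed at table 51820.
PostUP = ip -6 rule add not fwmark 51820 table 51820
PostUP = ip -6 route add ::/0 dev wgcf table 51820
PostUP = ip -6 rule add table main suppress_prefixlength 0
# PostDown removes the rules only; the table 51820 routes are not deleted here
# (presumably they go away with the interface; confirm).
PostDown = ip -4 rule delete from 172.16.0.2/32 lookup 51820
PostDown = ip -4 rule delete table main suppress_prefixlength 0
PostDown = ip -6 rule delete not fwmark 51820 table 51820
PostDown = ip -6 rule delete table main suppress_prefixlength 0
[Peer]
# Redacted on this page; take the peer key from the generated wgcf-profile.conf.
PublicKey = --------------------------------------------
PersistentKeepalive = 25
AllowedIPs = ::/0
Endpoint = engage.cloudflareclient.com:2408
# The IPv4 list below leaves out 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and
# 224.0.0.0/3, so those destinations are never accepted from or sent to this peer.
AllowedIPs = 0.0.0.0/5
AllowedIPs = 8.0.0.0/7
AllowedIPs = 11.0.0.0/8
AllowedIPs = 12.0.0.0/6
AllowedIPs = 16.0.0.0/4
AllowedIPs = 32.0.0.0/3
AllowedIPs = 64.0.0.0/2
AllowedIPs = 128.0.0.0/3
AllowedIPs = 160.0.0.0/5
AllowedIPs = 168.0.0.0/6
AllowedIPs = 172.0.0.0/12
AllowedIPs = 172.32.0.0/11
AllowedIPs = 172.64.0.0/10
AllowedIPs = 172.128.0.0/9
AllowedIPs = 173.0.0.0/8
AllowedIPs = 174.0.0.0/7
AllowedIPs = 176.0.0.0/4
AllowedIPs = 192.0.0.0/9
AllowedIPs = 192.128.0.0/11
AllowedIPs = 192.160.0.0/13
AllowedIPs = 192.169.0.0/16
AllowedIPs = 192.170.0.0/15
AllowedIPs = 192.172.0.0/14
AllowedIPs = 192.176.0.0/12
AllowedIPs = 192.192.0.0/10
AllowedIPs = 193.0.0.0/8
AllowedIPs = 194.0.0.0/7
AllowedIPs = 196.0.0.0/6
AllowedIPs = 200.0.0.0/5
AllowedIPs = 208.0.0.0/4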
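# The unit name on these two lines was replaced by "[email protected]" by the
# page's e-mail obfuscation. wg-quick@<name> is the wg-quick template unit for
# /etc/wireguard/<name>.conf. wgcf is assumed here because the commands follow
# wgcf.conf; repeat both lines with wg0 for the wg0.conf tunnel.
systemctl enable wg-quick@wgcf
systemctl start wg-quick@wgcf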
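# Install Xray with the XTLS/Xray-install script. Save it to a file first so it
# can be read before it runs as root. -f makes curl fail on an HTTP error
# instead of handing an error page to bash, and && skips the run in that case.
# NOTE(review): the URL follows the main branch, so the script can differ
# between runs; pin it to a commit you have reviewed (<REVIEWED_COMMIT>) if
# reproducibility matters.
curl -fL -o install-release.sh https://github.com/XTLS/Xray-install/raw/main/install-release.sh &&
  bash install-release.sh install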
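- /usr/local/etc/xray/config.json (fwmark): the freedom outbound sets socket mark 51820, which the fwmark rules in wgcf.conf match. "password" is a sample value; replace it before exposing port 5555.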
{
"dns": {
"tag": "dns_in",
"hosts": {
"static.doubleclick.net": "127.0.0.1"
},
"servers": [
{ "address": "8.8.8.8", "port": 53, "domains": [ "geosite:geolocation-!cn" ] },
{ "address": "114.114.114.114", "port": 53, "domains": [ "geosite:cn" ], "expectIPs": ["geoip:cn"] }
]
},
"inbounds": [
{
"port": 5555,
"protocol": "shadowsocks",
"settings": {
"clients": [
{
"password": "password",
"method": "chacha20-poly1305"
}
],
"network": "tcp,udp"
}
}
],
"outbounds": [
{
"protocol": "freedom",
"streamSettings": {
"sockopt": {
"mark": 51820,
"domainStrategy": "UseIP"
}
}
},
{
"tag": "block",
"protocol": "blackhole"
}
],
"routing": {
"domainStrategy": "AsIs",
"rules": [
{
"type": "field",
"domain": ["geosite:category-ads-all"],
"outboundTag": "block"
}
]
}
}
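- /usr/local/etc/xray/config.json (table): the outbounds bind to a source address with sendThrough, which the "from 172.16.0.2/32" rule in wgcf.conf matches. The passwords and the key shown in the listings below are samples; generate your own.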
{
"dns": {
"tag": "dns_in",
"hosts": {
"static.doubleclick.net": "127.0.0.1"
},
"servers": [
{ "address": "8.8.8.8", "port": 53, "domains": [ "geosite:geolocation-!cn" ] },
{ "address": "114.114.114.114", "port": 53, "domains": [ "geosite:cn" ], "expectIPs": ["geoip:cn"] }
]
},
"inbounds": [
{
"port": 5555,
"protocol": "shadowsocks",
"settings": {
"clients": [
{
"password": "password",
"method": "chacha20-poly1305"
}
],
"network": "tcp,udp"
}
}
],
"outbounds": [
{
"protocol": "freedom",
"sendThrough": "::",
"settings": {
"domainStrategy": "UseIPv6"
},
"tag": "ipv6"
},
{
"protocol": "freedom",
"sendThrough": "172.16.0.2",
"settings": {
"domainStrategy": "UseIPv4"
},
"tag": "ipv4"
},
{
"tag": "block",
"protocol": "blackhole"
}
],
"routing": {
"domainStrategy": "IPIfNonMatch",
"rules": [
{
"type": "field",
"domain": ["geosite:category-ads-all"],
"outboundTag": "block"
},
{
"type": "field",
"ip": ["0.0.0.0/0"],
"outboundTag": "ipv4"
}
]
}
}
{
"dns": {
"tag": "dns_in",
"hosts": {
"static.doubleclick.net": "127.0.0.1"
},
"servers": [
{ "address": "8.8.8.8", "port": 53, "domains": [ "geosite:geolocation-!cn" ] },
{ "address": "114.114.114.114", "port": 53, "domains": [ "geosite:cn" ], "expectIPs": ["geoip:cn"] }
]
},
"inbounds": [
{
"port": 5555,
"protocol": "shadowsocks",
"settings": {
"password": "cmxXxxk9vQEKorCbBTGMc5z6olc0YIkXWBgfr+k61Sw=",
"method": "2022-blake3-chacha20-poly1305",
"network": "tcp,udp",
"level": 0
}
}
],
"outbounds": [
{
"protocol": "freedom",
"sendThrough": "::",
"settings": {
"domainStrategy": "UseIPv6"
},
"tag": "ipv6"
},
{
"protocol": "freedom",
"sendThrough": "172.16.0.2",
"settings": {
"domainStrategy": "UseIPv4"
},
"tag": "ipv4"
},
{
"tag": "block",
"protocol": "blackhole"
}
],
"routing": {
"domainStrategy": "IPIfNonMatch",
"rules": [
{
"type": "field",
"domain": ["geosite:category-ads-all"],
"outboundTag": "block"
},
{
"type": "field",
"ip": ["0.0.0.0/0"],
"outboundTag": "ipv4"
}
]
}
}