
ubnt-clash

English | Chinese | Chinese Wiki

Clash config for Ubnt EdgeRouters

Only configuration from a URL is supported (see config-url below).

Quick Start

Download deb package from https://github.com/sskaje/ubnt-clash/releases

# root required
sudo su

# Download deb package, copy URL from above
curl -OL https://github.com/sskaje/ubnt-clash/releases/download/x.y.z/ubnt-clash_x.y.z_all.deb
dpkg -i  ubnt-clash_x.y.z_all.deb

# Set config URL
configure
set interfaces clash utun config-url https://........
commit
save

# Install binary, GeoIP db, UI
clashctl.sh install
# Start Clash
clashctl.sh start

Configuration

EdgeOS Config

Tested on Ubnt ER-X, ERLite and ER4 with the latest firmware (Debian stretch based).

For USG devices, make sure the config.gateway.json on your controller is configured properly:

{
  "interface": {
    "clash": {
      "utun": {
        "config-url": "https://...."
      }
    }
  }
}

Configure Syntax

configure

# Your configuration commands here

commit
save
root@ER3# set interfaces clash utun 
Possible completions:
  check-interval
  		Connection check interval, used in cron
  config-url	URL containing the Clash config (e.g., https://xxxx)
  description	Description for the interface
  disable	Interface to be disabled
  executable	Clash executable
  outbound-interface
  		Outbound interface, not used for now
  update-interval
  		Config update interval, used in cron
      

Create Interface

The file is fetched with cURL. file:/// URLs are supported by cURL but have not been tested here.

set interfaces clash utun config-url https://........

ubnt-clash downloads Dreamacro/clash by default. To use MetaCubeX/Clash.Meta instead, set:

set interfaces clash utun executable meta

Auto Update Clash Configuration

Update the configuration from the subscription URL every 4 hours (14400 seconds):

set interfaces clash utun update-interval 14400

Auto Check Connection

Check the connection every 5 minutes:

set interfaces clash utun check-interval 300

The check is driven by the once-a-minute cron job (see Cron below). If you want to check your connection every minute, set check-interval to 30 seconds rather than 60.
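Why 30 rather than 60 matters is easiest to see in a small model. The following is an added illustration, not the project's clash-cron script (whose gating logic is not shown on this page): a cron job that fires roughly once a minute runs the check only when at least check-interval seconds have passed since the previous check. The tick times are constructed, with a second or two of start-time jitter such as a busy router produces.

```python
# Constructed timeline: the task scheduler fires "once a minute", but the
# actual start times drift by a second or two (seconds since the first tick).
CRON_TICKS_S = [0, 61, 119, 180, 242, 299, 360]


def is_due(last_run, now, interval):
    """True if at least `interval` seconds have passed since the last check."""
    return last_run is None or now - last_run >= interval


def simulate_checks(ticks, interval):
    """Return the tick times at which a check actually runs for this interval."""
    runs, last_run = [], None
    for now in ticks:
        if is_due(last_run, now, interval):
            runs.append(now)
            last_run = now
    return runs


def skipped_ticks(ticks, interval):
    """How many cron runs ended without a check for this interval."""
    return len(ticks) - len(simulate_checks(ticks, interval))


if __name__ == "__main__":
    for interval in (60, 30):
        print(f"check-interval {interval}: ran at {simulate_checks(CRON_TICKS_S, interval)}, "
              f"skipped {skipped_ticks(CRON_TICKS_S, interval)} of {len(CRON_TICKS_S)} ticks")
```

With check-interval 60 a tick that lands 58 seconds after the previous check is skipped, so a check happens on only five of the seven minutes; with 30 every tick runs a check, which is the most a once-a-minute cron can deliver.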

PBR

Router local IP 192.168.2.1, LAN interface eth1

# route table
set protocols static table 10 interface-route 0.0.0.0/0 next-hop-interface utun

# pbr rules
set firewall group address-group SRC_CLASH address 192.168.2.10-192.168.2.250
set firewall modify MCLASH rule 101 action modify
set firewall modify MCLASH rule 101 modify table 10
set firewall modify MCLASH rule 101 source group address-group SRC_CLASH

# apply pbr rules to eth1
set interfaces ethernet eth1 firewall in modify MCLASH

# Fake-IP destination match, only if you need it; NOT recommended
set firewall group network-group DST_CLASH_FAKEIP network 198.18.0.0/16
set firewall modify MCLASH rule 101 destination group network-group DST_CLASH_FAKEIP

Note that without a destination match rule 101 catches every packet from SRC_CLASH, and table 10 holds only a default route through utun, so traffic from those hosts to other local subnets (including their replies to connections arriving on another LAN port) is sent into the tunnel as well. If hosts in SRC_CLASH must reach other local networks, exclude those destinations ahead of rule 101, for example with a lower-numbered MCLASH rule that matches a network-group of your local subnets and uses modify table main.

DNS Hijack

Router local IP 192.168.2.1, LAN interface eth1

set service nat rule 4050 destination group address-group ADDRv4_eth1
set service nat rule 4050 destination port 53
set service nat rule 4050 inbound-interface eth1
set service nat rule 4050 inside-address address 192.168.2.1
set service nat rule 4050 inside-address port 7874
set service nat rule 4050 protocol udp
set service nat rule 4050 source group address-group SRC_CLASH
set service nat rule 4050 type destination

This rule only redirects UDP port 53 queries from SRC_CLASH that are addressed to the router's own eth1 address (ADDRv4_eth1), sending them to port 7874 where the Clash DNS listener is expected. Queries over TCP, queries sent directly to an outside resolver, and DoT/DoH are not touched by it, so clients that bypass the router's resolver are not hijacked.

Config Files

Files are stored under /config/clash

  • /config/clash/templates: template config files
  • /config/clash/templates/rulesets: example ruleset files
  • /config/clash/utun: config files for utun

YAML files under templates are copied to utun unless a file with the same name already exists there; files under templates/rulesets are NOT copied.

YAML File Loading Order

  1. utun/*.yaml
  2. utun/rulesets/*.yaml
  3. the file downloaded from the server
  4. utun/*.yaml.overwrite, applied last to overwrite settings; do not try to overwrite an array

This loading order was chosen because appending an element to an array is easier in yq than replacing one.

Custom Entry

A few non-standard keys in these files are interpreted by the yq scripts rather than by Clash.

Create A New Proxy Group

Example templates/rulesets/tiktok.yaml

proxy-groups:
  - name: "TIKTOK"
    type: select
    proxies: []

create-proxy-group:
  TIKTOK: "日本|韩国"

A new proxy-group named "TIKTOK" is created ahead of all downloaded proxy-groups, and its proxies list is filled with the names of the downloaded proxies matching the regex, equivalent to:

yq '[.proxies[] | select( .name | test("日本|韩国") ) | .name]' download.yaml

3rd Party Rule Providers

Examples templates/rulesets/adblock.yaml

rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://p.rst.im/q/raw.githubusercontent.com/Loyalsoldier/clash-rules/release/reject.txt"
    path: ./reject.yaml
    interval: 86400

rules:
  - RULE-SET,reject,REJECT

The rule provider is added to the Clash config and the rule is inserted before the downloaded rules.

Using the p.rst.im relay in url, as above, is recommended.
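The three sections above describe one pipeline. As an added example, not the project's yq scripts, the following Python models that layering with plain dicts standing in for the parsed YAML files: local files are merged first, so the arrays they contribute (the TIKTOK group, the RULE-SET rule) land ahead of the downloaded ones; create-proxy-group fills a group from the downloaded proxy names using the same regex match as the yq test() expression; and *.yaml.overwrite is applied last and refuses arrays. The proxy names and servers are constructed, the rule-provider URL is the one from the adblock example, and the scalar precedence (a later file wins until the overwrite step) and the dropping of the create-proxy-group key are assumptions made for illustration.

```python
import copy
import re

# Constructed stand-ins for the parsed YAML files (not the project's files).
UTUN_MISC = {"mode": "rule", "allow-lan": False}                     # utun/misc.yaml
RULESET_TIKTOK = {                                                    # utun/rulesets/tiktok.yaml
    "proxy-groups": [{"name": "TIKTOK", "type": "select", "proxies": []}],
    "create-proxy-group": {"TIKTOK": "日本|韩国"},
}
RULESET_ADBLOCK = {                                                   # utun/rulesets/adblock.yaml
    "rule-providers": {"reject": {
        "type": "http", "behavior": "domain",
        "url": "https://p.rst.im/q/raw.githubusercontent.com/Loyalsoldier/clash-rules/release/reject.txt",
        "path": "./reject.yaml", "interval": 86400}},
    "rules": ["RULE-SET,reject,REJECT"],
}
DOWNLOADED = {                                                        # file fetched from config-url
    "mode": "global",
    "proxies": [  # constructed sample proxies
        {"name": "日本 01", "type": "ss", "server": "jp1.example.invalid", "port": 443},
        {"name": "韩国 01", "type": "ss", "server": "kr1.example.invalid", "port": 443},
        {"name": "香港 01", "type": "ss", "server": "hk1.example.invalid", "port": 443},
    ],
    "proxy-groups": [{"name": "PROXY", "type": "select",
                      "proxies": ["日本 01", "韩国 01", "香港 01"]}],
    "rules": ["DOMAIN-SUFFIX,example.invalid,PROXY", "MATCH,PROXY"],
}
OVERWRITE_MISC = {"mode": "rule", "allow-lan": True}                 # utun/misc.yaml.overwrite


def filter_proxy_names(proxies, pattern):
    """Python equivalent of: yq '[.proxies[] | select(.name | test(PATTERN)) | .name]'."""
    rx = re.compile(pattern)
    return [p["name"] for p in proxies if rx.search(p["name"])]


def merge_layer(base, layer):
    """Merge one loaded file into the accumulated config.

    Arrays are appended (a ruleset loaded before the download therefore lands
    ahead of the downloaded entries), maps are merged recursively, and for
    scalars the later layer wins (assumed precedence).
    """
    out = copy.deepcopy(base)
    for key, value in layer.items():
        if isinstance(value, list) and isinstance(out.get(key), list):
            out[key] = out[key] + copy.deepcopy(value)
        elif isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge_layer(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def apply_overwrite(cfg, overwrite):
    """Apply a *.yaml.overwrite: scalars and maps replace, arrays are refused."""
    out = copy.deepcopy(cfg)
    for key, value in overwrite.items():
        if isinstance(value, list):
            raise ValueError(f"{key}: arrays cannot be overwritten; append via a ruleset instead")
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = apply_overwrite(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def apply_create_proxy_group(cfg):
    """Fill each named group with the proxies whose names match its regex, then drop the custom key."""
    out = copy.deepcopy(cfg)
    specs = out.pop("create-proxy-group", {})  # assumed: custom key is not passed on to Clash
    for group in out.get("proxy-groups", []):
        if group["name"] in specs:
            group["proxies"] = filter_proxy_names(out.get("proxies", []), specs[group["name"]])
    return out


def build_config(local_files, ruleset_files, downloaded, overwrites):
    """Loading order: utun/*.yaml, utun/rulesets/*.yaml, downloaded file, then *.yaml.overwrite."""
    cfg = {}
    for layer in list(local_files) + list(ruleset_files) + [downloaded]:
        cfg = merge_layer(cfg, layer)
    cfg = apply_create_proxy_group(cfg)
    for ow in overwrites:
        cfg = apply_overwrite(cfg, ow)
    return cfg


def build_sample():
    return build_config([UTUN_MISC], [RULESET_TIKTOK, RULESET_ADBLOCK], DOWNLOADED, [OVERWRITE_MISC])


if __name__ == "__main__":
    import json
    print(json.dumps(build_sample(), ensure_ascii=False, indent=2))
```

The downloaded file's mode: global overrides the template's mode: rule during the merge and is put back by the overwrite; that is the job the overwrite step exists for, and it is also why an array such as rules cannot be fixed there: the model raises instead of silently replacing the list, which is the behaviour "don't try to overwrite an array" warns about.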

Other Files

The GeoIP database file will be downloaded to /config/clash and symlinked into /run/clash/utun/.

Dashboard files will be downloaded to /config/clash/dashboard

Commands

Install

Installs the Clash Premium binary, yq and the GeoIP database.

Downloads can be relayed through p.rst.im (see About Proxy below).

clashctl.sh install

# proxied download
USE_PROXY=1 clashctl.sh install

Update

Update Clash Binary

clashctl.sh update

# proxied download
USE_PROXY=1 clashctl.sh update

Update Clash DashBoard UI

clashctl.sh update_ui

# proxied download
USE_PROXY=1 clashctl.sh update_ui

Update GeoIP Database

clashctl.sh update_db

# proxied download
USE_PROXY=1 clashctl.sh update_db

Update YQ

clashctl.sh update_yq

# proxied download
USE_PROXY=1 clashctl.sh update_yq

Show Clash Binary Version

clashctl.sh show_version

Start/Stop/Restart Client

clashctl.sh start
clashctl.sh stop
clashctl.sh restart

Update Config And Restart

clashctl.sh rehash

More

clashctl.sh help

About Proxy

Downloads can be relayed through https://p.rst.im/, a third-party mirror.

You can either set the variable per command:

USE_PROXY=1 clashctl.sh ...

or create a flag file:

touch /config/clash/USE_PROXY
clashctl.sh ...

Flags

USE_PROXY

/config/clash/USE_PROXY

See About Proxy above

NO_MONITOR

/config/clash/NO_MONITOR

Create this file to disable the monitor's automatic proxy switching.

Cron

Via system/task-scheduler

# task scheduler, monitor, cron, etc.
set system task-scheduler task clash-cron crontab-spec "*/1 * * * *"
set system task-scheduler task clash-cron executable path "/config/scripts/clash-cron"

Up/Down Scripts

Put pre-up.sh, post-up.sh, pre-down.sh and post-down.sh under /config/clash/utun/scripts/ and make them executable.

Misc

OpenClash Enhanced Mode

Add allow-lan: true to misc.yaml.overwrite. With allow-lan enabled Clash listens on all addresses rather than only on loopback, so restrict who can reach its ports with the router firewall; the ipset match in the rules below only decides whose traffic is redirected, not who may connect to the port directly.

Then run:

# redirect all TCP from SRC_CLASH to 7892
iptables -t nat -A PREROUTING -i wg1 -p tcp -m set --match-set SRC_CLASH src  -j REDIRECT --to-ports 7892

# redirect all TCP from SRC_CLASH and not to DST_NOCLASH to 7892
iptables -t nat -A PREROUTING -i wg1 -p tcp -m set --match-set SRC_CLASH src -m set ! --match-set DST_NOCLASH dst  -j REDIRECT --to-ports 7892

# redirect all TCP from SRC_CLASH and not to DST_NOCLASH and not to CHINA_IP to 7892
iptables -t nat -A PREROUTING -i wg1 -p tcp -m set --match-set SRC_CLASH src -m set ! --match-set DST_NOCLASH dst -m set ! --match-set CHINA_IP dst -j REDIRECT --to-ports 7892

-i wg1 is the inbound interface of this example; use the interface your clients arrive on. These rules cover TCP only: Clash's redir port accepts TCP, and transparent UDP proxying would need TPROXY and Clash's tproxy-port, which these rules do not set up.

No 'best practice' yet; you can try this from the up/down scripts.

Test

Clash utun

Run this on your router to verify that the clash tun interface is up and working:

curl https://rst.im/ip --interface utun -v

Run it as root: --interface relies on SO_BINDTODEVICE, which requires CAP_NET_RAW. As an unprivileged user curl reports "SO_BINDTODEVICE utun failed with errno 1: Operation not permitted; will do regular bind", and the request then leaves through the default route, so the address returned is your normal WAN address rather than the proxy's.

Contributors

sskaje


Issues

Does it support UDP forwarding?

This is mainly for a Quest 2; every other device can install a proxy itself. The plan is for only the Quest 2 to go through the proxy, so UDP traffic needs to be forwarded. If UDP forwarding is not possible I won't bother. Thanks for sharing, tutorials like this are rare!

Config file format compatibility problem

If the proxies entries in the config file are written in array (inline) form, like:
{name: 🇭🇰 Hong Kong 06, server: api.1.ss03.net, port: 22356, type: ss, cipher: chacha20-ietf-poly1305, password: 52XXX, udp: true}
the program doesn't seem to handle it; it has to be in the regular format, like:
name: 🇭🇰 Hong Kong 09
type: ss
server: api.1.ss03.net
port: 22359
password: 52XXX
cipher: chacha20-ietf-poly1305
udp: true

Also, is an update to version 0.4.4 planned?

Traffic is not going through utun

I deployed the service following the tutorial and can see it running on the router, but when I test from a client device it still cannot get past the firewall. The clashctl.sh service was started without sudo; when I run the IP test, the IP returned without sudo is still the ISP's public IP, and only with sudo does it go through the proxy. When testing without sudo the following error is printed:

* SO_BINDTODEVICE utun failed with errno 1: Operation not permitted; will do regular bind

Is there something I haven't configured correctly that is preventing traffic from really going through the proxy?

ubnt@ubnt:/run$ curl https://rst.im/ip --interface utun
60.163.249.61
ubnt@ubnt:/run$ sudo curl https://rst.im/ip --interface utun
45.117.100.51
ubnt@ubnt:/run$ curl https://rst.im/ip --interface utun -v
*   Trying 104.21.14.234...
* TCP_NODELAY set
* Local Interface utun is ip 198.18.0.1 using address family 2
* SO_BINDTODEVICE utun failed with errno 1: Operation not permitted; will do regular bind
* Local port: 0
* Connected to rst.im (104.21.14.234) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@strength
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Jun 6 00:00:00 2022 GMT
*  expire date: Jun 5 23:59:59 2023 GMT
*  subjectAltName: host "rst.im" matched cert's "rst.im"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55689ed8)
> GET /ip HTTP/1.1
> Host: rst.im
> User-Agent: curl/7.52.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< date: Sat, 11 Feb 2023 05:57:31 GMT
< content-type: text/html; charset=UTF-8
< cf-cache-status: DYNAMIC
< report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v3?s=Y5GqV4Mf4XuzDvB%2FKn0y%2Br6x0HRCBydynTpYeuuw7Xv6rTRGA%2Bbq1t%2BAWpTwnF%2FneZ2mBBHY6YPbaLDL%2FhfCczWj%2Fevn%2B%2BmJM6hJeJ0rOlQyletW%2FAmD3rw%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 797ad8f23bef9e5c-SJC
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
<
60.163.249.61
* Curl_http_done: called premature == 0
* Connection #0 to host rst.im left intact


After applying the PBR rules the machine cannot be reached over SSH

Environment:
EdgeRouter Lite 3
eth0: WAN 192.168.1.1
eth1: server PC 192.168.2.2
eth2: client PC 192.168.3.3

After installing clash, I tested with curl https://rst.im/ip --interface utun -v and clash works normally.

After doing the following, the client can no longer ssh to the server. What is the problem?

# create route table
set protocols static table 10 interface-route 0.0.0.0/0 next-hop-interface utun

# pbr rules
set firewall group address-group SRC_CLASH address 192.168.2.2
set firewall modify MCLASH rule 101 action modify
set firewall modify MCLASH rule 101 modify table 10
set firewall modify MCLASH rule 101 source group address-group SRC_CLASH

# apply pbr rules on eth1
set interfaces ethernet eth1 firewall in modify MCLASH

Can VyOS be supported?

Could you make a branch for VyOS 1.3/1.4?
I tested on VyOS 1.3 and it errors out; it cannot be used.

root@vyos# dpkg -i ubnt-clash_0.5.0_all.deb
(Reading database ... 63871 files and directories currently installed.)
Preparing to unpack ubnt-clash_0.5.0_all.deb ...
Unpacking ubnt-clash (0.5.0) over (0.5.0) ...
dpkg: dependency problems prevent configuration of ubnt-clash:
 ubnt-clash depends on jq; however:
  Package jq is not configured yet.

dpkg: error processing package ubnt-clash (--install):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 ubnt-clash

Installation fails on EdgeRouter-X

Using the one-click install:

root@EdgeRouter-X-5-Port:~# curl https://p.rst.im/q/raw.githubusercontent.com/sskaje/ubnt-clash/master/one.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   350    0   350    0     0    935      0 --:--:-- --:--:-- --:--:--   938
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100 11312  100 11312    0     0  13255      0 --:--:-- --:--:-- --:--:--     0
(Reading database ... 37164 files and directories currently installed.)
Preparing to unpack /tmp/tmp.QB09Vg.deb ...
Unpacking ubnt-clash (0.5.0) over (0.5.0) ...
Setting up ubnt-clash (0.5.0) ...
cat: can't open '/config/clash/CURLOPT': No such file or directory
Installing yq...
/usr/bin/clashctl.sh: line 160: & 1: syntax error: operand expected (error token is "& 1")
/usr/bin/clashctl.sh: line 122: & 1: syntax error: operand expected (error token is "& 1")
YQ not installed

CPU utilization?

Many thanks for making it possible to deploy clash on an EdgeRouter. This is something I have long wanted, since it reduces the need for a side-router setup.

I'd like to know: for normal home use on an ER4, with the added encryption/decryption load from clash, what are the peak and average CPU utilization?

yq Segmentation fault on start

root@ubnt:/home/clash# clashctl.sh restart
/usr/bin/clashctl.sh: line 322: 17544 Segmentation fault yq eval-all --from-file /usr/share/ubnt-clash/one.yq ${config_files[@]} > $CLASH_RUN_ROOT/$DEV/config.yaml

start failed

clashctl.sh start
Error: open /config/clash/utun/*.yaml.overwrite: no such file or directory

Router Version: v2.0.9-hotfix.4
