Tip

The world is big, and any part of it is reachable for a fee.

Why

Great Firewall

On 20 September 1987 at 20:55, China's first email was sent to Germany. It read:

Across the Great Wall we can reach every corner of the world.

It reads like a callback to the nationwide firewall built later, because the current name of that firewall is: the Great Firewall.

Some call it China's Berlin Wall; some tried to beat on it, but the voices gradually died away (https://www.zhihu.com/question/25150310/answer/30229095). It is sunny here; whether you stand inside or outside the airtight wall, nothing happens.

My awareness of the "Wall" began with Google's withdrawal from China:

https://www.google.com/press/new-approach-to-china/update.html

The reasons Google Search cannot operate in China are disputed and we cannot know them, but I like using Google Search; it is more efficient than Baidu Search, nothing more. The latter stops at nothing in the name of commercialization, and I believe every Chinese person with a conscience hopes it goes under soon.

The wall is one part of censorship. Every country has censorship and its own "political correctness"; China is simply censorship in its final form, stricter than anywhere else.

Block services

Since it censors everything novel, and we know nothing about the censorship list, there is no doubt that the service we want to reach sometimes sits behind a 404 message.

Interestingly, the censorship files (logs) leaked from Xiaohongshu, https://chinadigitaltimes.net/space/%E5%B0%8F%E7%BA%A2%E4%B9%A6%E5%AE%A1%E6%9F%A5%E7%99%BE%E7%A7%91, give a glimpse of what is going on.

Let us see which services we can reach through a proxy:

  • Social Media
    • Twitter / X
    • Facebook / Instagram
    • Tiktok
    • Mastodon / Bluesky
    • Youtube
    • Telegram
    • Discord
    • LINE
  • Streaming Media
    • Bahamut
    • Netflix
    • Hulu
    • Disney
    • Spotify
    • Youtube Music
  • Forum
    • V2EX
    • 一亩三分地
    • Reddit
    • Stack Overflow
  • Research
    • Google research
  • Github
  • Any new trending technology
    • OpenAI
  • Porn

How

VPN

VPNs were originally invented for remote login to a private network so that staff could work from another location, and that very behaviour is a way of bypassing the GFW. The specific mechanisms are introduced below, so they are not repeated here.

Value your nodes / circuits

Leased line (does not pass through the wall)

wikipedia: https://en.wikipedia.org/wiki/Leased_line

  • IPLC / International Private Leased Circuit
    • A private international circuit leased from a carrier
  • IEPL / International Ethernet Private Line
    • A private international Ethernet line

Public Internet Access (public network egress)

  • ChinaNet / 163 backbone / AS4134
    • Backbone network: built early, large bandwidth, cheap, carries ordinary-quality Internet traffic.
    • Peers with international Tier 1/2 carriers and mainstream OTT providers
  • Chinatelecom Next Carrier Network / CNCN / CN2 / AS4809
    • Newer backbone: stable, fast, suited to latency-sensitive traffic
    • Connects directly to international networks; the international egress has its own lines
    • CN2 GT / Global Transit
      • Transit for global Internet resources
    • CN2 GIA / Global Internet Access
      • Dedicated Internet access toward China for enterprises.
      • GIA has its own return line into China: high priority, high quality
      • Enters CN2 and exits over CN2 end to end, but egress bandwidth is small and there is jitter.
      • One-way CN2
        • Out via CN2, back via ChinaNet
          • Benchmarks well, but no perceptible difference in practice.
        • Out via ChinaNet, back via CN2
          • The best trade-off between DDoS resistance, speed and price.
      • Two-way CN2
  • Telecom Global Internet Services / GIS
    • Global Transit (GT)
    • Global Internet Access (GIA)
    • ChinaNet Paid-Peer
    • China Access
  • more via: 浅谈中国电信出口网络的链路情况 (A brief look at China Telecom's egress network links)

BGP / Border Gateway Protocol

  • Border Gateway Protocol: interconnection between Internet ASes
  • A BGP multi-line data centre is better than a dual-IP dual-line data centre

Relay

  • Entry point inside China, exit abroad; crossing the wall uses a tunnelling protocol (load balanced, to avoid being blocked)

Command line

#         ____
#  __   _|___ \ _ __  _ __ _____  ___   _
#  \ \ / / __) | '_ \| '__/ _ \ \/ / | | |
#   \ V / / __/| |_) | | | (_) >  <| |_| |
#  (_)_/ |_____| .__/|_|  \___/_/\_\\__, |
#              |_|                  |___/
# +---------------+---------------------------------------+
# | author        | bGZo                                  |
# | test command  | curl www.google.com                   |
# | software      | clashMeta / proxifier                 |
# +---------------+---------------------------------------+
 
 
# +-----------------+-------------------------------------------------+
# | system          | *nix / wsl1 / wsl2 with mirrored networkingMode |
# | check command   | env | grep -i proxy                             |
# +-----------------+-------------------------------------------------+
export http_proxy=http://127.0.0.1:7890
export https_proxy=http://127.0.0.1:7890
export all_proxy=http://127.0.0.1:7890
 
 
# +---------+-----------------------------+
# | system  | wsl2 with dynamic IP        |
# | mark    | must be set again each time |
# +---------+-----------------------------+
host_ip=$(awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf)  # WSL2 host address
export http_proxy="http://$host_ip:7890"
export https_proxy="http://$host_ip:7890"
export all_proxy="http://$host_ip:7890"
 
 
# +---------+------------------------------------------------+
# | distro  | debian                                         |
# | mark    | some cases using sudo will ignore the exported |
# |         | variable. like pacman should with `-E` to      |
# |         | preserve. Under debian use it temporarily.     |
# +---------+------------------------------------------------+
sudo apt -o Acquire::http::proxy="http://127.0.0.1:7890/" update
 
 
# +---------+-----------------------------+
# | system  | windows cmd                 |
# | mark    | `set http_proxy=` to cancel |
# +---------+-----------------------------+
set http_proxy=http://127.0.0.1:7890
set https_proxy=http://127.0.0.1:7890
set all_proxy=http://127.0.0.1:7890
 
 
# +---------+---------------------+
# | system  | windows powershell  |
# +---------+---------------------+
$env:http_proxy="http://127.0.0.1:7890"
$env:https_proxy="http://127.0.0.1:7890"
$env:all_proxy="http://127.0.0.1:7890"
# Other ways could be like
  # $ sudo netsh winhttp set proxy 127.0.0.1:7890
  # $ netsh winhttp show proxy
  # $ sudo netsh winhttp reset proxy
  # More use case via: https://gist.github.com/famousgarkin/c5138b1e13ac41920d22
 
 
# +--------+------------------------------------+
# | tool   | winget                             |
# | cancel | winget settings reset DefaultProxy |
# +--------+------------------------------------+
sudo winget settings --enable ProxyCommandLineOptions
winget --proxy http://127.0.0.1:7890 install 
 
 
# +------+-------+
# | tool | scoop |
# +------+-------+
scoop config proxy 127.0.0.1:7890
 
 
# +------+-------+
# | tool | pip3  |
# +------+-------+
pip3 install --trusted-host pypi.tuna.tsinghua.edu.cn -i https://pypi.tuna.tsinghua.edu.cn/simple
 
 
# +-------+-----------------+
# | tool  | npm/yarn        |
# | check | npm config list |
# +-------+-----------------+
# temporarily
npm install --registry=http://registry.npm.taobao.org
 
# permanently
npm config set proxy http://127.0.0.1:7890
npm config set https-proxy http://127.0.0.1:7890
 
# delete
npm config delete proxy
 
 
# +---------------+--------------------------------------------+
# | tool          | git                                        |
# | reference     | https://git-scm.com/docs/git-config        |
# |               | https://stackoverflow.com/questions/783811 |
# | only download | https://ghproxy.com, https://ghp.ci        |
# +---------------+--------------------------------------------+
git config --global http.proxy http://127.0.0.1:7890
git config --global --unset http.proxy
git config --global --get http.proxy
 
 
# +-------------+--------------------------------------------------+
# | tool        | electron                                         |
# | reference   | https://code.visualstudio.com/docs/setup/network |
# +-------------+--------------------------------------------------+
code --proxy-server=http://127.0.0.1:7890  # or --no-proxy-server
 

Update GeoIP

MaxMind changed access to the database on 2019-12-30; see: Significant Changes to Accessing and Using GeoLite2 Databases

Starting December 30, 2019, we will be requiring users of our GeoLite2 databases to register for a MaxMind account and obtain a license key in order to download GeoLite2 databases. We will continue to offer the GeoLite2 databases without charge, and with the ability to redistribute with proper attribution and in compliance with privacy regulations. In addition, we are introducing a new end-user license agreement to govern your use of the GeoLite2 databases. Previously, GeoLite2 databases were accessible for download to the public on our developer website and were licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.

So here are some repos hosted on GitHub:

Convert Subscription

First of all, we should know that the most important backend, tindy2013/subconverter, is the only service we need to self-host.

Then, let us see what a full URL looks like:

https://api.bianyuan.xyz/sub?target=clash&udp=true&config=https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/config/ACL4SSR_Online_Full_AdblockPlus.ini&emoji=true&filename=Paoluz_Cat4SSR&new_name=true&url=

In short, the solution has two parts: the subconverter configuration and the conversion link. The latter is, in most cases, something like an RSS link. So our target is to work out the former configuration.

The full (shortened) configuration follows; you can refer to the official Chinese documentation:

Call parameters explained
target: the type of configuration to generate
url: the subscription link provided by the airport (provider), or the share link of proxy nodes
[group]: sets the group name for this subscription; mostly used for SSD/SSR
[upload_path]: the file name used when the generated subscription is uploaded to a Gist
[include]: keep only the nodes that match
[exclude]: exclude the nodes that match
[config]: the address of an external configuration (containing the group and rule sections); see details
[dev_id]: sets the remote device ID for QuantumultX, to enable remote scripts on some versions
[filename]: the file name of the generated subscription
[interval]: the update interval (seconds) of the managed configuration
[rename]: custom renaming
[filter_script]: custom JS code for filtering nodes
[strict]: if true, Surge will demand a forced update after the interval above
[upload]: upload the generated subscription to a Gist; requires gistconf.ini (default: no upload)
[emoji]: whether node names include Emoji
[add_emoji]: prepend an Emoji to node names
[remove_emoji]: whether to remove Emoji already present in node names
[append_type]: insert the node type before the node name, e.g. [SS], [SSR]
[tfo]: enable TCP Fast Open for this subscription
[udp]: enable UDP for this subscription
[list]: output a SurgeNodeList, a ClashProxyProvider, a Quantumult(X) node subscription, or decoded SIP002
[sort]: re-sort the output nodes or policy groups by node name
[sort_script]: custom JS code for sorting
[script]: generate a ClashScript
[insert]: whether to insert the insert_url from the configuration file
[scv]: disable certificate verification for TLS nodes
[fdn]: filter out nodes whose type the target does not support
[expand]: process or convert Surge, QuantumultX and Clash rule lists on the API side
[append_info]: output nodes carrying traffic or expiry information
[prepend]: when inserting insert_url, whether to insert it before all nodes
[classic]: whether to generate a Clash classical rule-provider
[tls13]: whether to add the tls1.3 enable parameter to nodes
[new_name]: if true, use Clash's new group names (proxies, proxy-groups, rules)

The parameter target can be:

Type                             As Source   As Target   Target Name
Clash                            yes         yes         clash
ClashR                           yes         yes         clashr
Quantumult                       yes         yes         quan
Quantumult X                     yes         yes         quanx
Loon                             yes         yes         loon
SS (SIP002)                      yes         yes         ss
SS Android                       yes         yes         sssub
SSD                              yes         yes         ssd
SSR                              yes         yes         ssr
Surfboard                        yes         yes         surfboard
Surge 2                          yes         yes         surge&ver=2
Surge 3                          yes         yes         surge&ver=3
Surge 4                          yes         yes         surge&ver=4
V2Ray                            yes         yes         v2ray
Telegram-like HTTP/SOCKS5 links  yes         no (×)      only as source

The most important thing is to point to a configuration address that matches our URL. You can find that .acl file in ACL4SSR/ACL4SSR; by the way, the author of this repo also hosts a website that converts subscriptions.
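As an added example (not from the page, nor code from subconverter), the following Python takes a subconverter request URL apart and flags the parameters from the list above whose value weakens the result (scv, upload, config and the script parameters) as well as an empty or plain-http url parameter. PAGE_URL is the URL quoted earlier; the second URL in the test and the list of sensitive parameters are this example's own choices.

```python
# Added example (not from the original page or subconverter): audit a subconverter
# request URL before handing it to a third-party conversion service.
from urllib.parse import urlsplit, parse_qs

# The full URL quoted on the page (url= left empty, as the page shows it).
PAGE_URL = ("https://api.bianyuan.xyz/sub?target=clash&udp=true&config=https://raw."
            "githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/config/"
            "ACL4SSR_Online_Full_AdblockPlus.ini&emoji=true&filename=Paoluz_Cat4SSR"
            "&new_name=true&url=")

# Parameters from the list above whose value changes the security of the output.
SECURITY_SENSITIVE = {
    "scv": "disables TLS certificate verification for TLS nodes",
    "upload": "uploads the generated subscription to a Gist",
    "config": "external config fetched by the converter; it dictates groups and rules",
    "filter_script": "custom JS executed by the converter",
    "sort_script": "custom JS executed by the converter",
}
TRUE_VALUES = {"true", "1", "yes"}

def audit_subconverter_url(full_url: str) -> dict:
    """Return what the converter receives and which settings deserve a second look."""
    parts = urlsplit(full_url)
    params = parse_qs(parts.query, keep_blank_values=True)
    flat = {k: v[-1] for k, v in params.items()}   # last occurrence wins
    findings = []
    for key, why in SECURITY_SENSITIVE.items():
        val = flat.get(key)
        if val is None:
            continue
        if key in ("scv", "upload") and val.lower() not in TRUE_VALUES:
            continue                                  # explicitly off: nothing to flag
        findings.append(f"{key}={val or '<empty>'}: {why}")
    # url= is the provider subscription itself: whoever runs the converter sees
    # every node address and credential that it resolves to.
    sub = flat.get("url", "")
    if not sub:
        findings.append("url is empty: the subscription must be appended before use")
    elif not sub.startswith("https://"):
        findings.append("url is not https: the subscription travels in clear text")
    return {"converter_host": parts.netloc, "target": flat.get("target"),
            "config": flat.get("config"), "findings": findings}
```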

Another is CareyWang/sub-web

Note

Check out the repo's master branch, which is not the default branch.

The most interesting thing is that the Chinese documentation of subconverter is really useful and inspiring, for example: ✨

Before going further, you are strongly advised to read the following. Related to the call address: What is a URL? Related to configuration files: an introduction to INI syntax, YAML syntax and TOML syntax. Related to Clash configuration: YAML syntax and the official documentation. Related to template configuration: INJA syntax. Frequently needed: an introduction to regular expressions. When you hit a problem and need to file an ISSUE: How To Ask Questions The Smart Way. When you attempt advanced operations you are assumed to have the relevant skills; this program only guarantees normal operation under the default configuration file.

Tools you might use:

Warning

We notice that the backend has a function to upload the subscription to a Gist, and there may be other invisible actions that we simply do not know about. So this is a risk worth noting when using a free conversion service: everything passed through the url parameter, including every node's address and credentials, ends up in the operator's hands.

Finally, you should have a dashboard to configure it, because Clash only supports configuration through its API, and there are two projects for that.[1]

  1. Dreamacro/clash-dashboard: web port of clash
  2. haishanh/yacd: Yet Another Clash Dashboard

The former is better at closing connections; the latter is better at selecting nodes.

What

DNS

GeoIP database

Another useful file is the GeoIP database, provided by MaxMind, which determines an Internet visitor's country from their IP address. This file is often referenced in your config.yaml; check your configuration.

The rule GEOIP,CN,policy routes any request to a China IP address to policy. See Configuration in the Dreamacro/clash wiki.
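To make the first-match behaviour of such rules concrete, here is an added example (not from the page and not Clash's own code) that evaluates a short rule list of the kinds a config.yaml holds, including the GEOIP,CN rule above; the GeoIP table is a constructed stand-in for MaxMind's database, and the fallback when no MATCH rule exists is this example's assumption.

```python
# Added example (not from the page or from Clash): first-match evaluation of the
# Clash rule types mentioned here, with a constructed table in place of GeoIP.
import ipaddress
from typing import Optional, Tuple

# Constructed lookup table; a real deployment reads MaxMind's Country.mmdb instead.
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",   # TEST-NET-3, labelled CN for this demo
    ipaddress.ip_network("198.51.100.0/24"): "US",  # TEST-NET-2, labelled US for this demo
}

# Clash stops at the first matching rule, so order decides the outcome.
RULES = [
    ("DOMAIN-SUFFIX", "google.com", "Proxy"),
    ("DOMAIN-SUFFIX", "cn", "DIRECT"),
    ("IP-CIDR", "192.168.0.0/16", "DIRECT"),
    ("GEOIP", "CN", "DIRECT"),        # the page's GEOIP,CN,policy rule
    ("MATCH", None, "Proxy"),
]

def geoip_country(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP_TABLE.items():
        if addr in net:
            return country
    return None

def route(host: str, resolved_ip: Optional[str], rules=RULES) -> Tuple[str, str]:
    """Return (policy, rule that fired). resolved_ip is the destination address once
    DNS has answered; IP-based rules cannot match while it is still None."""
    for kind, value, policy in rules:
        if kind == "DOMAIN-SUFFIX":
            if host == value or host.endswith("." + value):
                return policy, f"{kind},{value}"
        elif kind == "IP-CIDR":
            if resolved_ip and ipaddress.ip_address(resolved_ip) in ipaddress.ip_network(value):
                return policy, f"{kind},{value}"
        elif kind == "GEOIP":
            if resolved_ip and geoip_country(resolved_ip) == value:
                return policy, f"{kind},{value}"
        elif kind == "MATCH":
            return policy, kind
    return "DIRECT", "no rule matched"   # assumed fallback when the list has no MATCH
```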

Socks5

Encrypted network data transport based on the SOCKS5 proxy method.

Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded.

SOCKS operates at Layer 5 of the OSI model (the session layer, an intermediate layer between the presentation layer and the transport layer).

It was approved by the IETF in 1996 as RFC 1928.

Since SOCKS is very detectable, a common approach is to present a SOCKS interface for more sophisticated protocols:

Protocols

Shadowsocks / SS

Shadowsocks has a server side and a client side. Before use, the server program must be deployed on a server; the client then connects to it and establishes a local proxy. Based on SOCKS5.[2]

When an SS/SSR client connects to the SS/SSR server, it also opens SOCKS5 and HTTP listeners on the local machine so that local software and other devices on the same LAN can connect through it; the SS/SSR information section must therefore match the SS/SSR server's settings.

The larger airports (subscription providers) are:

SSR / ShadowsocksR

v2rayN

Others not public

  • OpenVPN
  • IKEv2/IPsec
  • WireGuard
  • SSTP
  • L2TP/IPSec
  • PPTP

Select your client

iOS (downloadable in every region, including the Chinese one)

iOS (removed from the Chinese store only; downloadable in other regions)

macOS

Windows

Android

Linux

Router

TV

V2Ray

Trojan

Problems

Heavy battery drain

This is a peculiarity of mobile operating systems: once enabled, Surge, Quantumult, Shadowrocket and every other SS client takes over (almost) all communication on the device, so all network-related power consumption is attributed to the SS client. In practice you will not notice the SS client having any significant effect on battery life. The battery usage shown under "Settings - Battery" is almost entirely the power consumed by networking, not by the SS client itself; the SS client just takes the blame.

SS clients on iOS also show the VPN icon because they use the iOS VPN Network Extension interface (together with the NEPacketTunnelProvider and NWUDPSession components), which was only opened up in iOS 9. These new interfaces make it possible to build VPN products with private protocols, which Apple officially calls Enterprise VPN. It is precisely because this interface and these components were opened up in iOS 9 that all the various SS clients on iOS exist today.

Official documentation: https://developer.apple.com/documentation/networkextension

Footnotes

  1. How to use Clash elegantly on Linux? · Zs's Blog; node.js: What is the difference between npm install and npm run build? · Stack Overflow

  2. https://zh.wikipedia.org/wiki/Shadowsocks