config.yaml 40 KB

  # Inbound listener settings of the reference config. Lines of the form
  # "# key: value" are disabled options kept as documentation.
  # port: 7890 # HTTP(S) proxy server port
  # socks-port: 7891 # SOCKS5 proxy port
  mixed-port: 10801 # mixed HTTP(S) and SOCKS proxy port
  # redir-port: 7892 # transparent proxy port, for Linux and macOS
  # Transparent proxy server port for Linux (TProxy TCP and TProxy UDP)
  # tproxy-port: 7893
  # NOTE(review): allow-lan: true with bind-address "*" and the 0.0.0.0/0 + ::/0
  # allow-list below accepts proxy clients from every network the host is attached
  # to. On a host with a public address that is an Internet-reachable proxy guarded
  # only by the credentials in `authentication`. Narrow lan-allowed-ips to the LAN
  # prefixes that need access, or bind to a single internal address.
  allow-lan: true # allow connections from the LAN
  bind-address: "*" # IP address to bind; only applies when allow-lan is true, '*' means all addresses
  # NOTE(review): "username:password" is a placeholder credential; replace it
  # before the listener is reachable by anything other than this host.
  authentication: # username and password checked on the http and socks inbounds
  - "username:password"
  skip-auth-prefixes: # IP ranges that skip authentication
  - 127.0.0.1/8
  - ::1/128
  lan-allowed-ips: # IP ranges allowed to connect; only applies when allow-lan is true; defaults are 0.0.0.0/0 and ::/0
  - 0.0.0.0/0
  - ::/0
  lan-disallowed-ips: # IP ranges denied from connecting; the deny list takes priority over the allow list; empty by default
  - 192.168.0.3/32
  # find-process-mode has 3 values: always, strict, off
  # - always: on, force process matching for everything
  # - strict: default, mihomo decides whether to enable it
  # - off: no process matching; recommended on routers
  find-process-mode: strict
  mode: rule
  # Geodata sources, logging level and the global IPv6 switch.
  # Custom geodata URLs
  # NOTE(review): all three URLs point at the moving `@release` ref on a CDN and the
  # page shows no checksum or signature setting, so whatever is served at fetch
  # time is what gets loaded. Consider pinning a tag/commit or mirroring the files.
  geox-url:
    geoip: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat"
    geosite: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat"
    mmdb: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.metadb"
  geo-auto-update: false # whether to update geodata automatically
  geo-update-interval: 24 # update interval, in hours
  # Matcher implementation used by GeoSite, available implementations:
  # - succinct (default, same as rule-set)
  # - mph (from V2Ray, also `hybrid` in Xray)
  # geosite-matcher: succinct
  # NOTE(review): debug is the most verbose level listed; presumably it records
  # per-connection detail. Prefer info or warning outside troubleshooting and
  # treat the resulting logs as sensitive.
  log-level: debug # log level: silent/error/warning/info/debug
  ipv6: true # master switch for IPv6; when off, all IPv6 connections are blocked and DNS AAAA requests are suppressed
  # TLS material for the HTTPS listener plus extra trusted certificates.
  # NOTE(review): if the private key is pasted inline as PEM, this whole file becomes
  # a secret; prefer a path to a key file with restrictive permissions.
  # NOTE(review): the key below is spelled `custom-certifactes` on the page; confirm
  # the spelling the parser expects before "correcting" it.
  tls:
    certificate: string # certificate in PEM format, or the path to the certificate
    private-key: string # private key matching the certificate, in PEM format, or the path to the key
    custom-certifactes:
    - |
      -----BEGIN CERTIFICATE-----
      format/pem...
      -----END CERTIFICATE-----
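  # RESTful control API, Web UI and DoH endpoint.
  # The TCP listeners are bound to loopback and a bearer secret is set: the
  # original sample listened on 0.0.0.0 with `secret` commented out, which leaves
  # the control API open to every host that can reach the port. To manage the
  # instance remotely, keep the secret and put the listener behind a tunnel or a
  # firewall rule rather than binding to all interfaces.
  external-controller: 127.0.0.1:9093 # RESTful API listen address
  external-controller-tls: 127.0.0.1:9443 # RESTful API HTTPS listen address; requires the tls section of this file
  # Placeholder value: generate a long random secret per deployment.
  secret: "REPLACE_WITH_LONG_RANDOM_SECRET" # `Authorization:Bearer ${secret}`
  # RESTful API Unix socket listen address (also usable on Windows builds newer than 17063, i.e. version 1803/RS4 or later)
  # !!! Warning: API access through the Unix socket does NOT check the secret; if you enable it, securing it is up to you !!!
  # NOTE(review): with no secret check, the socket file's location and permissions
  # are presumably the only access control; keep it in a directory other local
  # users cannot enter, or remove this key if the socket is not needed.
  # Test with: curl -v --unix-socket "mihomo.sock" http://localhost/
  external-controller-unix: mihomo.sock
  # tcp-concurrent: true # connect to all IPs concurrently over TCP and use the one that completes the handshake first
  # Web UI directory, served at http://{{external-controller}}/ui
  external-ui: /path/to/ui/folder/
  external-ui-name: xd
  # NOTE(review): this archive is the head of a branch, so its content changes over
  # time and is served through the control API's origin; pin a release archive or
  # vendor a reviewed copy if that matters for the deployment.
  external-ui-url: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip"
  # Enable a DoH server on the RESTful API port
  # !!! This URL does NOT check the secret; if you enable it, securing it is up to you !!!
  external-doh-server: /dns-query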
  # Outbound interface, global TLS client fingerprint, keep-alive and experimental switches.
  # interface-name: en0 # outbound network interface
  # Global TLS fingerprint; lower priority than client-fingerprint set inside a proxy
  # Options: "chrome","firefox","safari","ios","random","none"
  # uTLS currently supports TLS transport in TCP/grpc/WS/HTTP for VLESS/Vmess and trojan.
  global-client-fingerprint: chrome
  # TCP keep alive interval
  keep-alive-interval: 15
  # routing-mark:6666 # set fwmark, Linux only
  experimental:
    # Disable quic-go GSO support. This may result in reduced performance on Linux.
    # This is not recommended for most users.
    # Only users encountering issues with quic-go's internal implementation should enable this,
    # and they should disable it as soon as the issue is resolved.
    # This field will be removed when quic-go fixes all their issues in GSO.
    # This is equivalent to the environment variable QUIC_GO_DISABLE_GSO=1.
    #quic-go-disable-gso: true
  # Static host mappings and persisted runtime state.
  # Similar to /etc/hosts; only a single IP can be configured
  hosts:
    # '*.mihomo.dev': 127.0.0.1
    # '.dev': 127.0.0.1
    # 'alpha.mihomo.dev': '::1'
    # test.com: [1.1.1.1, 2.2.2.2]
    # home.lan: lan # lan is a special value: the addresses of all local interfaces are added
    # baidu.com: google.com # only one alias may be configured
  profile: # stores the choices made in select groups
    store-selected: false
    # persist fake-ip mappings
    store-fake-ip: true
  # Tun configuration (virtual interface inbound); disabled in this sample.
  tun:
    enable: false
    stack: system # gvisor/mixed
    dns-hijack:
    - 0.0.0.0:53 # DNS endpoint to hijack
    # auto-detect-interface: true # detect the outbound interface automatically
    # auto-route: true # configure the routing table
    # mtu: 9000 # maximum transmission unit
    # gso: false # enable generic segmentation offload, Linux only
    # gso-max-size: 65536 # maximum size of a GSO packet
    auto-redirect: false # automatically configure iptables to redirect TCP connections. Linux only. auto-route with auto-redirect now works as expected on routers without intervention.
    # strict-route: true # route all connections through tun to prevent leaks, but other devices will no longer be able to reach this device
    route-address-set: # add the destination IP CIDR rules of the named rule sets to the firewall; traffic that does not match bypasses routing. Linux only; requires nftables with `auto-route` and `auto-redirect` enabled.
    - ruleset-1
    - ruleset-2
    route-exclude-address-set: # add the destination IP CIDR rules of the named rule sets to the firewall; traffic that matches bypasses routing. Linux only; requires nftables with `auto-route` and `auto-redirect` enabled.
    - ruleset-3
    - ruleset-4
    route-address: # use custom routes instead of the default route when auto-route is enabled
    - 0.0.0.0/1
    - 128.0.0.0/1
    - "::/1"
    - "8000::/1"
    # inet4-route-address: # use custom routes instead of the default route when auto-route is enabled (legacy spelling)
    # - 0.0.0.0/1
    # - 128.0.0.0/1
    # inet6-route-address: # use custom routes instead of the default route when auto-route is enabled (legacy spelling)
    # - "::/1"
    # - "8000::/1"
    # endpoint-independent-nat: false # enable endpoint-independent NAT
    # include-interface: # restrict which interfaces are routed. Unrestricted by default; conflicts with `exclude-interface`
    # - "lan0"
    # exclude-interface: # interfaces excluded from routing; conflicts with `include-interface`
    # - "lan1"
    # include-uid: # UID rules are supported on Linux only and require auto-route
    # - 0
    # include-uid-range: # restrict the range of users that are routed
    # - 1000:9999
    # exclude-uid: # users excluded from routing
    #- 1000
    # exclude-uid-range: # range of users excluded from routing
    # - 1000:9999
    # Android user and app rules are supported on Android only
    # and require auto-route
    # include-android-user: # restrict the Android users that are routed
    # - 0
    # - 10
    # include-package: # restrict the Android app package names that are routed
    # - com.android.chrome
    # exclude-package: # Android app package names excluded from routing
    # - com.android.captiveportallogin
  # eBPF configuration: interfaces whose traffic is redirected.
  ebpf:
    auto-redir: # redirect mode, TCP only
    - eth0
    redirect-to-tun: # UDP+TCP; do not enable auto-route when using this
    - eth0
  # Domain sniffing (optional); disabled in this sample.
  # NOTE(review): nesting below is reconstructed from the key names because the
  # page lost its indentation; confirm against the project's reference file.
  sniffer:
    enable: false
    ## Force sniffing for traffic identified as redir-host
    ## e.g. Tun, Redir and TProxy with DNS in redir-host mode all qualify
    # force-dns-mapping: false
    ## Force sniffing for all traffic for which no domain was obtained
    # parse-pure-ip: false
    # Whether to use the sniffed result as the actual destination, default true
    # Global setting; lower priority than the per-protocol setting under sniffer.sniff
    override-destination: false
    sniff: # TLS and QUIC sniff port 443 by default when ports is not configured
      QUIC:
      # ports: [ 443 ]
      TLS:
      # ports: [443, 8443]
      # sniffs port 80 by default
      HTTP: # ports to sniff
        ports: [80, 8080-8880]
        # can override sniffer.override-destination
        override-destination: true
    force-domain:
    - +.v2ex.com
    ## Skip the sniffing result for these
    # skip-domain:
    # - Mijia Cloud
    # Protocols to sniff
    # Deprecated; ignored when sniffer.sniff is configured
    sniffing:
    - tls
    - http
    # Force sniffing for this domain
    # Only sniff ports in the whitelist, default 443,80
    # Deprecated; ignored when sniffer.sniff is configured
    port-whitelist:
    - "80"
    - "443"
    # - 8000-9999
  # Static port forwards: a local listen address mapped to a target through a named proxy.
  # All sample listeners bind to 127.0.0.1, so they are reachable from this host only.
  tunnels: # one line config
  - tcp/udp,127.0.0.1:6553,114.114.114.114:53,proxy
  - tcp,127.0.0.1:6666,rds.mysql.com:3306,vpn
  # full yaml config
  - network: [tcp, udp]
    address: 127.0.0.1:7777
    target: target.com
    proxy: proxy
  # DNS configuration: built-in resolver, upstream servers and per-domain policy.
  dns:
    cache-algorithm: arc
    enable: false # when off, the system DNS is used
    prefer-h3: false # whether DoH should also try HTTP/3; both are attempted concurrently
    # NOTE(review): 0.0.0.0:53 listens on every interface once `enable` is true; on a
    # host reachable from untrusted networks that is an open resolver. Bind to
    # loopback or a LAN address unless other hosts must query it.
    listen: 0.0.0.0:53 # DNS server listen address
    # ipv6: false # false returns an empty result for AAAA
    # ipv6-timeout: 300 # in ms; during internal dual-stack concurrency, how long to wait for the AAAA answer from upstream, default 100ms
    # DNS servers used to resolve the hostnames of the DNS servers in nameserver, fallback and other DNS settings
    # Only plain IP addresses are allowed; encrypted DNS may be used
    # NOTE(review): the first two entries are plain (unencrypted) DNS, so those
    # queries can be observed or altered on the network path.
    default-nameserver:
    - 114.114.114.114
    - 8.8.8.8
    - tls://1.12.12.12:853
    - tls://223.5.5.5:853
    - system # append DNS server from system configuration. If not found, it would print an error log and skip.
    enhanced-mode: fake-ip # or redir-host
    fake-ip-range: 198.18.0.1/16 # fake-ip pool
    # use-hosts: true # look up hosts
    # Whether connections to the DNS servers in nameserver, fallback and nameserver-policy below follow the rules
    # If false (default), these DNS servers are reached directly unless specified otherwise
    # If true, the connection method (proxy or direct) is chosen by the rules; an explicit setting still takes precedence
    # Can only be enabled when proxy-server-nameserver is non-empty; strongly discouraged together with prefer-h3
    # Also, domain names among these DNS servers are resolved through default-nameserver, so make sure default-nameserver is configured correctly
    respect-rules: false
    # Domains that should not use fake-ip
    # fake-ip-filter:
    # - '*.lan'
    # - localhost.ptlogin2.qq.com
    # Main DNS servers
    # Supports UDP, TCP, DoT, DoH, DoQ
    # This is the main DNS configuration and affects all direct connections; make sure to use DNS that resolves accurately for mainland China
    nameserver:
    - 114.114.114.114 # default value
    - 8.8.8.8 # default value
    - tls://223.5.5.5:853 # DNS over TLS
    - https://doh.pub/dns-query # DNS over HTTPS
    - https://dns.alidns.com/dns-query#h3=true # force HTTP/3, independent of prefer-h3; forces HTTP/3 for this DoH server, which becomes unusable if HTTP/3 is not supported
    - https://mozilla.cloudflare-dns.com/dns-query#DNS&h3=true # use a named policy group and HTTP/3
    - dhcp://en0 # dns from dhcp
    - quic://dns.adguard.com:784 # DNS over QUIC
    # - '8.8.8.8#RULES' # same effect as respect-rules, but only for this server
    # - '8.8.8.8#en0' # compatibility: set the outbound interface for this DNS server
    # When fallback is configured, the IP returned by nameserver is checked for being CN; optional setting
    # If it is not CN, the result from the fallback DNS is used
    # Make sure the fallback servers can actually be queried when configuring them
    # fallback:
    # - tcp://1.1.1.1
    # - 'tcp://1.1.1.1#ProxyGroupName' # send the DNS query through a proxy; ProxyGroupName is a policy group or node name; the proxy setting takes priority over the outbound interface; if no group or node with that name exists it is treated as an outbound interface
    # DNS servers dedicated to resolving node hostnames; optional
    # proxy-server-nameserver:
    # - https://dns.google/dns-query
    # - tls://one.one.one.one
    # Conditions for using fallback
    # fallback-filter:
    #   geoip: true # whether to use geoip
    #   geoip-code: CN # when the geoip lookup of the IP returned by nameserver is CN, the fallback DNS result is not used
    #   Force fallback; takes priority over the IP check; see the geosite database for the categories
    #   geosite:
    #   - gfw
    #   If ipcidr does not match, the result from nameservers is used
    #   ipcidr:
    #   - 240.0.0.0/4
    #   domain:
    #   - '+.google.com'
    #   - '+.facebook.com'
    #   - '+.youtube.com'
    # DNS servers to use for specific query domains
    nameserver-policy:
      # 'www.baidu.com': '114.114.114.114'
      # '+.internal.crop.com': '10.0.0.1'
      "geosite:cn,private,apple":
      - https://doh.pub/dns-query
      - https://dns.alidns.com/dns-query
      "geosite:category-ads-all": rcode://success
      "www.baidu.com,+.google.cn": [223.5.5.5, https://dns.alidns.com/dns-query]
      ## global,dns are the rule subscriptions named global and dns in rule-providers,
      ## and behavior must be domain/classical; with classical only the domain rules take effect
      # "rule-set:global,dns": 8.8.8.8
  # Outbound proxy definitions; this part covers the socks5 and http types.
  # NOTE(review): with `tls` left disabled, usernames and passwords for these two
  # types presumably travel in clear text to the server. `skip-cert-verify: true`
  # turns certificate validation off; the page's own `fingerprint` option is the
  # safer way to accept a self-signed certificate.
  proxies: # socks5
  - name: "socks"
    type: socks5
    server: server
    port: 443
    # username: username
    # password: password
    # tls: true
    # fingerprint: xxxx
    # skip-cert-verify: true
    # udp: true
    # ip-version: ipv6
  # http
  - name: "http"
    type: http
    server: server
    port: 443
    # username: username
    # password: password
    # tls: true # https
    # skip-cert-verify: true
    # sni: custom.com
    # fingerprint: xxxx # same as experimental.fingerprints: a sha256 fingerprint; a per-protocol fingerprint makes experimental.fingerprints be ignored
    # ip-version: dual
  # Snell
  # Beware that there's currently no UDP support yet
  # `psk` is a shared secret; "yourpsk" is a placeholder.
  - name: "snell"
    type: snell
    server: server
    port: 44046
    psk: yourpsk
    # version: 2
    # obfs-opts:
    #   mode: http # or tls
    #   host: bing.com
  # Shadowsocks
  # Supported ciphers:
  # aes-128-gcm aes-192-gcm aes-256-gcm
  # aes-128-cfb aes-192-cfb aes-256-cfb
  # aes-128-ctr aes-192-ctr aes-256-ctr
  # rc4-md5 chacha20-ietf xchacha20
  # chacha20-ietf-poly1305 xchacha20-ietf-poly1305
  # 2022-blake3-aes-128-gcm 2022-blake3-aes-256-gcm 2022-blake3-chacha20-poly1305
  # NOTE(review): the cfb, ctr, rc4-md5, chacha20-ietf and xchacha20 entries are
  # stream ciphers without message authentication; prefer the gcm / poly1305 /
  # 2022-blake3 entries for new deployments. Every "password" below is a placeholder.
  - name: "ss1"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    # udp: true
    # udp-over-tcp: false
    # ip-version: ipv4 # IP version used by the node; options: dual, ipv4, ipv6, ipv4-prefer, ipv6-prefer. Default is dual
    # ipv4: IPv4 only; ipv6: IPv6 only
    # ipv4-prefer: prefer IPv4; for TCP, resolves dual-stack and connects concurrently but prefers the IPv4 connection,
    # for UDP, resolves dual-stack and takes the first IPv4 result
    # ipv6-prefer: same as ipv4-prefer
    # All existing protocols support this parameter; the TCP behaviour only applies when tcp-concurrent is enabled
    smux:
      enabled: false
      protocol: smux # smux/yamux/h2mux
      # max-connections: 4 # Maximum connections. Conflict with max-streams.
      # min-streams: 4 # Minimum multiplexed streams in a connection before opening a new connection. Conflict with max-streams.
      # max-streams: 0 # Maximum multiplexed streams in a connection before opening a new connection. Conflict with max-connections and min-streams.
      # padding: false # Enable padding. Requires sing-box server version 1.3-beta9 or later.
      # statistic: false # whether to show the underlying connection in the dashboard, so it can be interrupted there
      # only-tcp: false # if true, the smux settings do not apply to udp; udp connections use the underlying protocol directly
  - name: "ss2"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    plugin: obfs
    plugin-opts:
      mode: tls # or http
      # host: bing.com
  - name: "ss3"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    plugin: v2ray-plugin
    plugin-opts:
      mode: websocket # no QUIC now
      # tls: true # wss
      # Obtain the value with: openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem
      # Setting a fingerprint gives the effect of SSL pinning
      # fingerprint: xxxx
      # skip-cert-verify: true
      # host: bing.com
      # path: "/"
      # mux: true
      # headers:
      #   custom: value
      # v2ray-http-upgrade: false
      # v2ray-http-upgrade-fast-open: false
  - name: "ss4-shadow-tls"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    plugin: shadow-tls
    client-fingerprint: chrome
    plugin-opts:
      host: "cloud.tencent.com"
      password: "shadow_tls_password"
      version: 2 # support 1/2/3
  # Shadowsocks with the restls plugin, one entry per TLS version hint.
  # NOTE(review): the bracketed placeholders ([YOUR_SERVER_IP], [YOUR_SS_PASSWORD],
  # [YOUR_RESTLS_PASSWORD]) are unquoted, so YAML reads them as one-element lists;
  # replace the whole token, brackets included, with a quoted string.
  - name: "ss-restls-tls13"
    type: ss
    server: [YOUR_SERVER_IP]
    port: 443
    cipher: chacha20-ietf-poly1305
    password: [YOUR_SS_PASSWORD]
    client-fingerprint:
      chrome # One of: chrome, ios, firefox or safari
    plugin: restls
    plugin-opts:
      host:
        "www.microsoft.com" # Must be a TLS 1.3 server
      password: [YOUR_RESTLS_PASSWORD]
      version-hint: "tls13"
      # Control your post-handshake traffic through restls-script
      # Hide proxy behaviors like "tls in tls".
      # see https://github.com/3andne/restls/blob/main/Restls-Script:%20Hide%20Your%20Proxy%20Traffic%20Behavior.md
      # Chinese version of the same document:
      # https://github.com/3andne/restls/blob/main/Restls-Script:%20%E9%9A%90%E8%97%8F%E4%BD%A0%E7%9A%84%E4%BB%A3%E7%90%86%E8%A1%8C%E4%B8%BA.md
      restls-script: "300?100<1,400~100,350~100,600~100,300~200,300~100"
  - name: "ss-restls-tls12"
    type: ss
    server: [YOUR_SERVER_IP]
    port: 443
    cipher: chacha20-ietf-poly1305
    password: [YOUR_SS_PASSWORD]
    client-fingerprint:
      chrome # One of: chrome, ios, firefox or safari
    plugin: restls
    plugin-opts:
      host:
        "vscode.dev" # Must be a TLS 1.2 server
      password: [YOUR_RESTLS_PASSWORD]
      version-hint: "tls12"
      restls-script: "1000?100<1,500~100,350~100,600~100,400~200"
  # vmess
  # cipher supports auto/aes-128-gcm/chacha20-poly1305/none
  # NOTE(review): every entry sets alterId: 32. Upstream V2Ray deprecated non-zero
  # alterId (legacy header authentication) in favour of AEAD, selected with
  # alterId: 0; presumably the same applies here, so confirm against the server
  # before copying 32. `cipher: none` disables payload encryption and is only
  # reasonable when the transport itself is TLS.
  - name: "vmess"
    type: vmess
    server: server
    port: 443
    uuid: uuid
    alterId: 32
    cipher: auto
    # udp: true
    # tls: true
    # fingerprint: xxxx
    # client-fingerprint: chrome # Available: "chrome","firefox","safari","ios","random", currently only support TLS transport in TCP/GRPC/WS/HTTP for VLESS/Vmess and trojan.
    # skip-cert-verify: true
    # servername: example.com # priority over wss host
    # network: ws
    # ws-opts:
    #   path: /path
    #   headers:
    #     Host: v2ray.com
    #   max-early-data: 2048
    #   early-data-header-name: Sec-WebSocket-Protocol
    #   v2ray-http-upgrade: false
    #   v2ray-http-upgrade-fast-open: false
  - name: "vmess-h2"
    type: vmess
    server: server
    port: 443
    uuid: uuid
    alterId: 32
    cipher: auto
    network: h2
    tls: true
    # fingerprint: xxxx
    h2-opts:
      host:
      - http.example.com
      - http-alt.example.com
      path: /
  - name: "vmess-http"
    type: vmess
    server: server
    port: 443
    uuid: uuid
    alterId: 32
    cipher: auto
    # udp: true
    # network: http
    # http-opts:
    #   method: "GET"
    #   path:
    #   - '/'
    #   - '/video'
    #   headers:
    #     Connection:
    #     - keep-alive
    # ip-version: ipv4 # IP type preference; options: ipv4, ipv6, dual; default: dual
  - name: vmess-grpc
    server: server
    port: 443
    type: vmess
    uuid: uuid
    alterId: 32
    cipher: auto
    network: grpc
    tls: true
    # fingerprint: xxxx
    servername: example.com
    # skip-cert-verify: true
    grpc-opts:
      grpc-service-name: "example"
    # ip-version: ipv4
  # vless
  # NOTE(review): "vless-tcp" sets no `tls: true`, unlike the other vless entries on
  # the page; whether that sample is meant to run without TLS cannot be told from
  # here. Confirm before copying it.
  - name: "vless-tcp"
    type: vless
    server: server
    port: 443
    uuid: uuid
    network: tcp
    servername: example.com # AKA SNI
    # flow: xtls-rprx-direct # xtls-rprx-origin # enable XTLS
    # skip-cert-verify: true
    # fingerprint: xxxx
    # client-fingerprint: random # Available: "chrome","firefox","safari","random","none"
  - name: "vless-vision"
    type: vless
    server: server
    port: 443
    uuid: uuid
    network: tcp
    tls: true
    udp: true
    flow: xtls-rprx-vision
    client-fingerprint: chrome
    # fingerprint: xxxx
    # skip-cert-verify: true
  - name: "vless-reality-vision"
    type: vless
    server: server
    port: 443
    uuid: uuid
    network: tcp
    tls: true
    udp: true
    flow: xtls-rprx-vision
    servername: www.microsoft.com # REALITY servername
    reality-opts:
      public-key: xxx
      short-id: xxx # optional
    client-fingerprint: chrome # cannot be empty
  - name: "vless-reality-grpc"
    type: vless
    server: server
    port: 443
    uuid: uuid
    network: grpc
    tls: true
    udp: true
    # `flow:` is left without a value on the page, which YAML parses as null.
    flow:
    # skip-cert-verify: true
    client-fingerprint: chrome
    servername: testingcf.jsdelivr.net
    grpc-opts:
      grpc-service-name: "grpc"
    reality-opts:
      public-key: CrrQSjAG_YkHLwvM2M-7XkKJilgL5upBKCp0od0tLhE
      short-id: 10f897e26c4b9478
  - name: "vless-ws"
    type: vless
    server: server
    port: 443
    uuid: uuid
    udp: true
    tls: true
    network: ws
    # client-fingerprint: random # Available: "chrome","firefox","safari","random","none"
    servername: example.com # priority over wss host
    # skip-cert-verify: true
    # fingerprint: xxxx
    ws-opts:
      path: "/"
      headers:
        Host: example.com
      # v2ray-http-upgrade: false
      # v2ray-http-upgrade-fast-open: false
  # Trojan
  # The `password` values are placeholders. `skip-cert-verify: true` (disabled
  # below) would turn off server certificate validation for that entry.
  - name: "trojan"
    type: trojan
    server: server
    port: 443
    password: yourpsk
    # client-fingerprint: random # Available: "chrome","firefox","safari","random","none"
    # fingerprint: xxxx
    # udp: true
    # sni: example.com # aka server name
    # alpn:
    # - h2
    # - http/1.1
    # skip-cert-verify: true
    # ss-opts: # like trojan-go's `shadowsocks` config
    #   enabled: false
    #   method: aes-128-gcm # aes-128-gcm/aes-256-gcm/chacha20-ietf-poly1305
    #   password: "example"
  - name: trojan-grpc
    server: server
    port: 443
    type: trojan
    password: "example"
    network: grpc
    sni: example.com
    # skip-cert-verify: true
    # fingerprint: xxxx
    udp: true
    grpc-opts:
      grpc-service-name: "example"
  - name: trojan-ws
    server: server
    port: 443
    type: trojan
    password: "example"
    network: ws
    sni: example.com
    # skip-cert-verify: true
    # fingerprint: xxxx
    udp: true
    # ws-opts:
    #   path: /path
    #   headers:
    #     Host: example.com
    #   v2ray-http-upgrade: false
    #   v2ray-http-upgrade-fast-open: false
  - name: "trojan-xtls"
    type: trojan
    server: server
    port: 443
    password: yourpsk
    flow: "xtls-rprx-direct" # xtls-rprx-origin xtls-rprx-direct
    flow-show: true
    # udp: true
    # sni: example.com # aka server name
    # skip-cert-verify: true
    # fingerprint: xxxx
  # hysteria
  # `auth-str` / `password` are placeholders; `ca` / `ca-str` let a private CA be
  # trusted without turning verification off via skip-cert-verify.
  - name: "hysteria"
    type: hysteria
    server: server.com
    port: 443
    # ports: 1000,2000-3000,5000 # port must not be omitted
    auth-str: yourpassword
    # obfs: obfs_str
    # alpn:
    # - h3
    protocol: udp # supports udp/wechat-video/faketcp
    up: "30 Mbps" # Mbps is assumed when no unit is given
    down: "200 Mbps" # Mbps is assumed when no unit is given
    # sni: server.com
    # skip-cert-verify: false
    # recv-window-conn: 12582912
    # recv-window: 52428800
    # ca: "./my.ca"
    # ca-str: "xyz"
    # disable-mtu-discovery: false
    # fingerprint: xxxx
    # fast-open: true # TCP fast open support, default false
  # hysteria2
  - name: "hysteria2"
    type: hysteria2
    server: server.com
    port: 443
    # ports: 1000,2000-3000,5000 # port must not be omitted
    # hop-interval: 15
    # when up and down are both omitted or 0, BBR congestion control is used
    # up: "30 Mbps" # Mbps is assumed when no unit is given
    # down: "200 Mbps" # Mbps is assumed when no unit is given
    password: yourpassword
    # obfs: salamander # empty by default; setting it enables obfs; only salamander is supported at present
    # obfs-password: yourpassword
    # sni: server.com
    # skip-cert-verify: false
    # fingerprint: xxxx
    # alpn:
    # - h3
    # ca: "./my.ca"
    # ca-str: "xyz"
  # wireguard
  # NOTE(review): `private-key` (and the disabled `pre-shared-key`) are long-term
  # secrets. The values printed here are published sample material and must never
  # be reused; a real key makes this file a secret that should not be committed
  # or shared.
  - name: "wg"
    type: wireguard
    server: 162.159.192.1
    port: 2480
    ip: 172.16.0.2
    ipv6: fd01:5ca1:ab1e:80fa:ab85:6eea:213f:f4a5
    public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
    # pre-shared-key: 31aIhAPwktDGpH4JDhA8GNvjFXEf/a6+UaQRyOAiyfM=
    private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU=
    udp: true
    reserved: "U4An"
    # the array form is also valid
    # reserved: [209,98,59]
    # Identifier of an outbound proxy. When non-empty, connections are made through the named proxy
    # dialer-proxy: "ss1"
    # remote-dns-resolve: true # force remote DNS resolution, default false
    # dns: [ 1.1.1.1, 8.8.8.8 ] # only effective when remote-dns-resolve is true
    # refresh-server-ip-interval: 60 # interval for re-resolving the server IP, in seconds; the default 0 resolves the server domain only on the first connection; enable only when the IP behind the server domain changes (e.g. residential DDNS)
    # If peers is non-empty, allowed-ips inside it must not be empty; server, port, public-key and pre-shared-key from the section above are ignored, but private-key is kept and can only be set at the top level
    # peers:
    # - server: 162.159.192.1
    #   port: 2480
    #   public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
    #   # pre-shared-key: 31aIhAPwktDGpH4JDhA8GNvjFXEf/a6+UaQRyOAiyfM=
    #   allowed-ips: ['0.0.0.0/0']
    #   reserved: [209,98,59]
  # tuic
  # NOTE(review): the sample sets `token` and `uuid`/`password` at the same time,
  # although its own comments say the two forms must not be combined; keep only
  # the form that matches the server's protocol version.
  - name: tuic
    server: www.example.com
    port: 10443
    type: tuic
    # tuic V4 requires token (uuid and password must not be set together with it)
    token: TOKEN
    # tuic V5 requires uuid and password (token must not be set together with them)
    uuid: 00000000-0000-0000-0000-000000000001
    password: PASSWORD_1
    # ip: 127.0.0.1 # for overwriting the DNS lookup result of the server address set in option 'server'
    # heartbeat-interval: 10000
    # alpn: [h3]
    disable-sni: true
    reduce-rtt: true
    request-timeout: 8000
    udp-relay-mode: native # Available: "native", "quic". Default: "native"
    # congestion-controller: bbr # Available: "cubic", "new_reno", "bbr". Default: "cubic"
    # cwnd: 10 # default: 32
    # max-udp-relay-packet-size: 1500
    # fast-open: true
    # skip-cert-verify: true
    # max-open-streams: 20 # default 100, too many open streams may hurt performance
    # sni: example.com
    #
    # Private extension of meta and sing-box: uses ss-uot for UDP relay; when enabled, udp-relay-mode has no effect
    # Warning: incompatible with the original tuic!!!
    # udp-over-stream: false
    # udp-over-stream-version: 1
  # ShadowsocksR
  # The supported ciphers (encryption methods): all stream ciphers in ss
  # The supported obfses:
  # plain http_simple http_post
  # random_head tls1.2_ticket_auth tls1.2_ticket_fastauth
  # The supported protocols:
  # origin auth_sha1_v4 auth_aes128_md5
  # auth_aes128_sha1 auth_chain_a auth_chain_b
  # NOTE(review): only stream ciphers are listed as supported for this type, i.e.
  # no authenticated (AEAD) cipher is available; "password" is a placeholder.
  - name: "ssr"
    type: ssr
    server: server
    port: 443
    cipher: chacha20-ietf
    password: "password"
    obfs: tls1.2_ticket_auth
    protocol: auth_sha1_v4
    # obfs-param: domain.tld
    # protocol-param: "#"
    # udp: true
  # SSH outbound and the internal DNS outbound.
  # NOTE(review): the sample logs in as root with a password stored in this file and
  # also names a private key; prefer an unprivileged account with key
  # authentication, and keep the file's permissions tight if credentials stay here.
  - name: "ssh-out"
    type: ssh
    server: 127.0.0.1
    port: 22
    username: root
    password: password
    privateKey: path
  # The dns outbound hijacks requests into the internal dns module; all requests are handled internally
  - name: "dns-out"
    type: dns
  # Policy groups that combine the proxies defined in this file.
  # NOTE(review): several groups list `vmess1`, which is not among the proxy names
  # defined in the part of the file shown here; presumably a placeholder, so
  # check it resolves.
  proxy-groups:
  # Proxy chain; within relay, UDP is currently supported only by vmess/vless/trojan/ss/ssr/tuic
  # wireguard currently cannot be used in relay; use the dialer-proxy option of the proxy instead
  # Traffic: mihomo <-> http <-> vmess <-> ss1 <-> ss2 <-> Internet
  - name: "relay"
    type: relay
    proxies:
    - http
    - vmess
    - ss1
    - ss2
  # url-test uses the node with the lowest latency according to the url test results
  - name: "auto"
    type: url-test
    proxies:
    - ss1
    - ss2
    - vmess1
    # tolerance: 150
    # lazy: true
    # expected-status: 204 # when the health check returns a status code other than the expected one, the node is considered unavailable
    url: "https://cp.cloudflare.com/generate_204"
    interval: 300
  # fallback selects by node order according to the url test results
  - name: "fallback-auto"
    type: fallback
    proxies:
    - ss1
    - ss2
    - vmess1
    url: "https://cp.cloudflare.com/generate_204"
    interval: 300
  # load-balance picks a node at random according to the algorithm
  - name: "load-balance"
    type: load-balance
    proxies:
    - ss1
    - ss2
    - vmess1
    url: "https://cp.cloudflare.com/generate_204"
    interval: 300
    # strategy: consistent-hashing # other options: round-robin and sticky-sessions
  # select: the user picks the node
  - name: Proxy
    type: select
    # disable-udp: true
    proxies:
    - ss1
    - ss2
    - vmess1
    - auto
  # DIRECT with a specific interface-name and fwmark
  - name: en1
    type: select
    interface-name: en1
    routing-mark: 6667
    proxies:
    - DIRECT
  - name: UseProvider
    type: select
    filter: "HK|TW" # regular expression; keeps the nodes of provider1 whose names contain HK or TW
    use:
    - provider1
    proxies:
    - Proxy
    - DIRECT
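  # Nodes in Mihomo format, or in a share format supported by *ray
  # A provider supplies node definitions from outside this file, so the remote
  # source (or the local file) is trusted to choose where traffic goes. Fetch it
  # over https only.
  proxy-providers:
    provider1:
      type: http # for http, path may be omitted; the default location is the proxies folder in homedir, with the md5 of the url as file name
      url: "url"
      interval: 3600
      # SKIP_SAFE_PATH_CHECK=1 removes the restriction that keeps provider files
      # inside the Home Dir; leave it unset unless there is a concrete need.
      path: ./provider1.yaml # by default only paths inside mihomo's Home Dir are allowed; to store anywhere, add the environment variable SKIP_SAFE_PATH_CHECK=1
      proxy: DIRECT
      header:
        User-Agent:
        - "Clash/v1.18.0"
        - "mihomo/1.18.3"
        # Accept:
        # - 'application/vnd.github.v3.raw'
        # Authorization:
        # - 'token 1231231'
      health-check:
        enable: true
        interval: 600
        # lazy: true
        url: https://cp.cloudflare.com/generate_204
        # expected-status: 204 # when the health check returns a status code other than the expected one, the node is considered unavailable
      override: # overrides some settings of every node as it is loaded
        # Was `true` in the sample: as an override it would switch TLS certificate
        # verification off for every node this provider delivers, whatever the
        # node's own setting. Kept explicit and off.
        skip-cert-verify: false
        udp: true
        # down: "50 Mbps"
        # up: "10 Mbps"
        # dialer-proxy: proxy
        # interface-name: tailscale0
        # routing-mark: 233
        # ip-version: ipv4-prefer
        # additional-prefix: "[provider1]"
        # additional-suffix: "test"
    test:
      type: file
      path: /test.yaml
      health-check:
        enable: true
        interval: 36000
        url: https://cp.cloudflare.com/generate_204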
  # Rule sets loaded from a URL (type http) or from a local file (type file)
  rule-providers:
    rule1:
      # For type http the path may be left empty; the default location is the
      # rules folder under the home dir, with the md5 of the url as file name.
      type: http
      behavior: classical  # other values: domain, ipcidr
      # Placeholder. Rule sets steer where traffic goes, so use an https://
      # source you trust.
      url: 'url'
      # By default files may only be stored inside mihomo's Home Dir. Setting
      # the environment variable SKIP_SAFE_PATH_CHECK=1 allows any location;
      # leaving the check on keeps downloaded rule files confined to the home dir.
      # NOTE(review): rule1 and rule2 share this placeholder path; give each
      # provider its own file.
      path: /path/to/save/file.yaml
      interval: 259200
      proxy: DIRECT
    rule2:
      type: file
      behavior: classical
      path: /path/to/save/file.yaml
      interval: 259200
    rule3:
      # mrs rule sets currently support only domain and ipcidr (classical is
      # not supported).
      #
      # For behavior=domain:
      # - format=yaml converts to mrs with "mihomo convert-ruleset domain yaml XXX.yaml XXX.mrs"
      # - format=text converts to mrs with "mihomo convert-ruleset domain text XXX.text XXX.mrs"
      # - XXX.mrs converts back to text with "mihomo convert-ruleset domain mrs XXX.mrs XXX.text"
      #   (converting back to yaml is not supported yet)
      #
      # For behavior=ipcidr:
      # - format=yaml converts to mrs with "mihomo convert-ruleset ipcidr yaml XXX.yaml XXX.mrs"
      # - format=text converts to mrs with "mihomo convert-ruleset ipcidr text XXX.text XXX.mrs"
      # - XXX.mrs converts back to text with "mihomo convert-ruleset ipcidr mrs XXX.mrs XXX.text"
      #   (converting back to yaml is not supported yet)
      #
      type: http
      behavior: domain
      format: mrs
      url: 'url'
      path: /path/to/save/file.mrs
  # Routing rules, one "TYPE,argument,target" entry per line.
  # NOTE(review): no catch-all MATCH entry is visible in this list; add an
  # explicit final one if unmatched traffic must not fall back to the core's
  # default handling.
  rules:
  - 'RULE-SET,rule1,REJECT'
  # NOTE(review): the select group defined in this file is spelled `Proxy`;
  # confirm that a target named `PROXY` exists.
  - 'IP-ASN,1,PROXY'
  - 'DOMAIN-REGEX,^abc,DIRECT'
  - 'DOMAIN-SUFFIX,baidu.com,DIRECT'
  - 'DOMAIN-KEYWORD,google,ss1'
  - 'IP-CIDR,1.1.1.1/32,ss1'
  - 'IP-CIDR6,2409::/64,DIRECT'
  # When the traffic is TCP or UDP, use the sub-rule set named sub-rule-name1
  - 'SUB-RULE,(OR,((NETWORK,TCP),(NETWORK,UDP))),sub-rule-name1'
  - 'SUB-RULE,(AND,((NETWORK,UDP))),sub-rule-name2'
  # Defines several sub-rule sets. Matching branches into them; they are
  # entered through SUB-RULE entries.
  #
  #                                         google.com (no match) --> baidu.com (match)
  #                                        /                              |
  #                                       /                               |
  # https://baidu.com --> rule1 --> rule2 --> sub-rule-name1 (match tcp)  use DIRECT
  #
  #
  #                                   google.com (no match) --> baidu.com (no match)
  #                                  /                              |
  #                                 /                               |
  # dns 1.1.1.1 --> rule1 --> rule2 --> sub-rule-name1 (match udp)  sub-rule-name2 (match udp)
  #                                                                 |
  #                                                                 |
  #                                   use REJECT <-- 1.1.1.1/32 (match)
  #
  sub-rules:
    sub-rule-name1:
    - 'DOMAIN,google.com,ss1'
    - 'DOMAIN,baidu.com,DIRECT'
    sub-rule-name2:
    - 'IP-CIDR,1.1.1.1/32,REJECT'
    - 'IP-CIDR,8.8.8.8/32,ss1'
    - 'DOMAIN,dns.alidns.com,REJECT'
  # Inbound traffic
  #
  # Two options recur, commented out, on the entries below:
  #   rule:  sub-rule set to apply; rules is the default and is also used when
  #          the named sub-rule is not found
  #   proxy: when non-empty, inbound traffic is handed straight to that proxy;
  #          the name must be valid, otherwise an error is raised
  #
  # NOTE(review): every entry that sets listen uses 0.0.0.0 (all interfaces),
  # and socks5-in-1 falls back to the same default. The socks, http and mixed
  # entries define no credentials here, so unless authentication is configured
  # elsewhere in the file any host that can reach the port can use them. Bind
  # to 127.0.0.1, or limit the ports with a firewall, when the listener is not
  # meant to be shared.
  listeners:
  - name: socks5-in-1
    type: socks
    port: 10808
    # listen: 0.0.0.0  # listens on 0.0.0.0 by default
    # rule: sub-rule-name1
    # proxy: proxy
    # udp: false  # defaults to true

  - name: http-in-1
    type: http
    port: 10809
    listen: '0.0.0.0'
    # rule: sub-rule-name1
    # proxy: proxy

  - name: mixed-in-1
    type: mixed  # HTTP(S) and SOCKS proxy on one port
    port: 10810
    listen: '0.0.0.0'
    # rule: sub-rule-name1
    # proxy: proxy
    # udp: false  # defaults to true

  - name: reidr-in-1
    type: redir
    port: 10811
    listen: '0.0.0.0'
    # rule: sub-rule-name1
    # proxy: proxy

  - name: tproxy-in-1
    type: tproxy
    port: 10812
    listen: '0.0.0.0'
    # rule: sub-rule-name1
    # proxy: proxy
    # udp: false  # defaults to true

  - name: shadowsocks-in-1
    type: shadowsocks
    port: 10813
    listen: '0.0.0.0'
    # rule: sub-rule-name1
    # proxy: proxy
    # NOTE(review): this key is the sample value printed with the example, so
    # it is not a secret; generate your own before exposing the listener.
    password: vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg=
    cipher: 2022-blake3-aes-256-gcm

  - name: vmess-in-1
    type: vmess
    port: 10814
    listen: '0.0.0.0'
    # rule: sub-rule-name1
    # proxy: proxy
    users:
    # NOTE(review): sample uuid from the example; replace it with a freshly
    # generated one. A non-zero alterId presumably selects VMess's older,
    # non-AEAD authentication; confirm whether 0 works for your clients.
    - username: 1
      uuid: 9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68
      alterId: 1
    # ws-path: "/"  # when non-empty, enables the websocket transport
    # Filling in the two items below enables tls (both are required)
    # certificate: ./server.crt
    # private-key: ./server.key

  - name: tuic-in-1
    type: tuic
    port: 10815
    listen: '0.0.0.0'
    # rule: sub-rule-name1
    # proxy: proxy
    # As written, token, users, certificate and private-key are all commented out.
    # token:  # for tuicV4 (users may be set as well)
    # - TOKEN
    # users:  # for tuicV5 (token may be set as well)
    #   00000000-0000-0000-0000-000000000000: PASSWORD_0
    #   00000000-0000-0000-0000-000000000001: PASSWORD_1
    # certificate: ./server.crt
    # private-key: ./server.key
    # congestion-controller: bbr
    # max-idle-time: 15000
    # authentication-timeout: 1000
    # alpn:
    # - h3
    # max-udp-relay-packet-size: 1500

  - name: tunnel-in-1
    type: tunnel
    port: 10816
    listen: '0.0.0.0'
    # rule: sub-rule-name1
    # proxy: proxy
    network:
    - tcp
    - udp
    target: target.com

  - name: tun-in-1
    type: tun
    # rule: sub-rule-name1
    # proxy: proxy
    stack: system  # other values: gvisor, mixed
    dns-hijack:
    - '0.0.0.0:53'  # DNS traffic to hijack
    # auto-detect-interface: false  # detect the outbound interface automatically
    # auto-route: false  # set up the routing table
    # mtu: 9000  # maximum transmission unit
    inet4-address:  # the ipv4 range must be set by hand
    - 198.19.0.1/30
    inet6-address:  # the ipv6 range must be set by hand
    - 'fdfe:dcba:9877::1/126'
    # Routes every connection into tun to prevent leaks, at the cost that
    # other devices can no longer reach this one.
    # strict-route: true
    # inet4-route-address:  # with auto-route on, use these routes instead of the default route
    # - 0.0.0.0/1
    # - 128.0.0.0/1
    # inet6-route-address:  # with auto-route on, use these routes instead of the default route
    # - "::/1"
    # - "8000::/1"
    # endpoint-independent-nat: false  # enable endpoint-independent NAT
    # include-uid:  # UID rules are supported on Linux only and require auto-route
    # - 0
    # include-uid-range:  # limit routing to this range of users
    # - 1000:99999
    # exclude-uid:  # users excluded from routing
    # - 1000
    # exclude-uid-range:  # range of users excluded from routing
    # - 1000:99999
    # Android user and app rules are supported on Android only
    # and require auto-route
    # include-android-user:  # limit routing to these Android users
    # - 0
    # - 10
    # include-package:  # limit routing to these Android app package names
    # - com.android.chrome
    # exclude-package:  # Android app package names excluded from routing
    # - com.android.captiveportallogin
  # These inbound settings are equivalent to a Listener: incoming traffic is matched
  # in the way set by mode, exactly as on the socks, mixed and other inbounds.
  # shadowsocks / vmess inbound settings (incoming traffic is matched in the way
  # set by mode, exactly as on the socks, mixed and other inbounds)
  # The key and uuid below are the sample values of this example; replace them
  # with your own before enabling either line.
  # ss-config: ss://2022-blake3-aes-256-gcm:vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg=@:23456
  # vmess-config: vmess://1:9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68@:12345
  # tuic server inbound (incoming traffic is matched in the way set by mode,
  # exactly as on the socks, mixed and other inbounds)
  # tuic-server:
  #   enable: true
  #   listen: 127.0.0.1:10443
  #   token:  # for tuicV4 (users may be set as well)
  #   - TOKEN
  #   users:  # for tuicV5 (token may be set as well)
  #     00000000-0000-0000-0000-000000000000: PASSWORD_0
  #     00000000-0000-0000-0000-000000000001: PASSWORD_1
  #   certificate: ./server.crt
  #   private-key: ./server.key
  #   congestion-controller: bbr
  #   max-idle-time: 15000
  #   authentication-timeout: 1000
  #   alpn:
  #   - h3
  #   max-udp-relay-packet-size: 1500