Setting up a proxy server with sing-box

I have been using sing-box as the household circumvention tool for a while now, and its performance and compact configuration have been very satisfying. Until now it only ran as a client, with the actual servers coming from a subscription provider ("airport"), but those servers have become increasingly unstable. To keep the home network usable even when the provider goes down, I decided to set up my own server as a fallback. I won't recommend a specific VPS here: since it is only a fallback, the requirements are low and any host with normal connectivity will do. The protocol used here is Hysteria2; the VPS runs Debian 12.

Installing sing-box

The official Debian install script installs the sing-box package together with its systemd unit; the service reads its configuration from /etc/sing-box/config.json. Piping a remote script straight into bash is convenient, but on a server you should at least fetch it to a file and read it before running it:

bash <(curl -fsSL https://sing-box.app/deb-install.sh)

Generating a certificate

The certificate is issued with acme.sh; see the acme.sh documentation for installation and usage. The dns_cf mode used below needs a Cloudflare API token exported in the environment (CF_Token and CF_Account_ID, or the legacy CF_Key and CF_Email) so that acme.sh can create the _acme-challenge TXT record; a token with only Zone:Read and DNS:Edit on that zone is enough. Combining --issue with the --cert-file/--key-file/--fullchain-file/--reloadcmd options copies the files into the sing-box directory and re-runs the restart command on every automatic renewal, so the service keeps a valid certificate without manual work. If you are not using a domain name there is no point in acme.sh: a self-signed certificate is enough, and the client then has to either trust that specific certificate explicitly or disable verification.

mkdir -p /etc/sing-box/ssl/xxx.xxx.com # create the certificate directory; xxx.xxx.com must match your domain
./acme.sh --issue --dns dns_cf -d xxx.xxx.com --cert-file /etc/sing-box/ssl/xxx.xxx.com/cert.pem --key-file /etc/sing-box/ssl/xxx.xxx.com/key.pem --fullchain-file /etc/sing-box/ssl/xxx.xxx.com/fullchain.pem --reloadcmd "systemctl restart sing-box"

Configuring sing-box

The server side, written to /etc/sing-box/config.json. Replace the placeholders: the obfs password (the Salamander obfuscation keyed by it is what stops the UDP traffic from looking like QUIC), the user password (what actually authenticates clients), and the certificate paths. Use long random strings for both passwords, not the literal "password". certificate_path should point at fullchain.pem rather than cert.pem: cert.pem holds only the leaf certificate, and a Go-based client such as sing-box does not fetch missing intermediates, so serving the leaf alone fails certificate verification on the client and is the usual reason people end up turning verification off there.

{
  "log": {
    "disabled": false,
    "level": "info",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "cloudflare",
        "address": "https://1.1.1.1/dns-query",
        "strategy": "ipv4_only",
        "detour": "direct"
      },
      {
        "tag": "block",
        "address": "rcode://success"
      }
    ],
    "rules": [
      {
        "geosite": [
          "category-ads-all"
        ],
        "server": "block",
        "disable_cache": true
      }
    ],
    "final": "cloudflare",
    "strategy": "",
    "disable_cache": false,
    "disable_expire": false
  },
  "inbounds": [
    {
      "type": "hysteria2",
      "tag": "hy2-in",
      "listen": "::",
      "listen_port": 443,
      "tcp_fast_open": true,
      "tcp_multi_path": false,
      "udp_fragment": true,
      "udp_timeout": 300,
      "sniff": true,
      "sniff_override_destination": false,
      "sniff_timeout": "300ms",
      "domain_strategy": "prefer_ipv4",
      "up_mbps": 500,
      "down_mbps": 500,
      "obfs": {
        "type": "salamander",
        "password": "password"
      },
      "users": [
        {
          "name": "name",
          "password": "password"
        }
      ],
      "ignore_client_bandwidth": false,
      "tls": {
        "enabled": true,
        "certificate_path": "/etc/sing-box/ssl/xxx.xxx.com/fullchain.pem",
        "key_path": "/etc/sing-box/ssl/xxx.xxx.com/key.pem",
        "alpn": [
          "h3"
        ]
      },
      "masquerade": "https://github.com",
      "brutal_debug": false
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    }
  ],
  "route": {
    "final": "direct"
  },
  "experimental": {}
}

Save this as /etc/sing-box/config.json, check it with sing-box check -c /etc/sing-box/config.json, and start it with systemctl enable --now sing-box. Hysteria2 runs over QUIC, so the VPS firewall or the provider's security group has to allow UDP on port 443; nothing listens on TCP 443, and the tcp_fast_open and tcp_multi_path fields have no effect on this inbound. Two more things worth knowing about this config: the geosite DNS rule uses the legacy GeoSite database, which sing-box deprecated in 1.8 in favour of rule sets and removed in 1.12, so on a current release that rule has to be rewritten as a rule_set; and masquerade is what an unauthenticated HTTP/3 request to UDP 443 gets back (here github.com, reverse-proxied), which is the intended cover and also means the box will serve that site to anyone who asks.

Client-side sing-box configuration

This is one entry in the client's outbounds array (hence the trailing comma). password is the password of one of the users in the server's users list and obfs.password must equal the server's obfs password; fill both in with the real values.

{
  "type": "hysteria2",
  "tag": "bwg",
  "server": "xxx.xxx.com",
  "server_port": 443,
  "up_mbps": 30,
  "down_mbps": 300,
  "password": "password",
  "obfs": {
    "type": "salamander",
    "password": "password"
  },
  "tls": {
    "enabled": true,
    "server_name": "xxx.xxx.com",
    "insecure": false,
    "alpn": [
      "h3"
    ]
  },
  "brutal_debug": false
},
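The certificate section says acme.sh is unnecessary when there is no domain name, and the client outbound above has an insecure switch. The following script is an added example (my own, not code from the original post or from the sing-box project) that covers both cases: it generates the two secrets the configs need, creates a self-signed certificate for the domain-less setup, and prints the client tls object that pins that certificate through the outbound certificate_path field instead of setting insecure to true. SSL_DIR, the name hy2.example and the temporary-directory demo at the bottom are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of sing-box itself.
# Covers the "no domain name" case from the certificate section and the client
# "insecure" setting: generate fresh secrets and a self-signed certificate for
# the server, and emit a client TLS block that pins that certificate instead of
# disabling verification. SSL_DIR and the name "hy2.example" are assumptions.
set -eu

SSL_DIR="${SSL_DIR:-/etc/sing-box/ssl/selfsigned}"   # assumed path on the VPS
SERVER_NAME="${SERVER_NAME:-hy2.example}"              # assumed name; there is no real domain

# 32 alphanumeric characters from /dev/urandom, for the obfs password and the user password.
gen_secret() {
  head -c 48 /dev/urandom | base64 | tr -d '\n=/+' | head -c 32
}

# Self-signed P-256 certificate for the given name, valid ten years; the private
# key is made readable only by its owner.
make_selfsigned() {
  dir="$1"; name="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -days 3650 \
    -subj "/CN=$name" -addext "subjectAltName=DNS:$name" >/dev/null 2>&1
  chmod 600 "$dir/key.pem"
}

# SHA-256 fingerprint of a certificate; compare the value on the client with the
# value on the server after copying cert.pem over.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Client-side "tls" object for the hysteria2 outbound: verification stays on and
# exactly this certificate is trusted (sing-box outbound TLS "certificate_path").
client_tls_json() {
  printf '{\n  "enabled": true,\n  "server_name": "%s",\n  "insecure": false,\n  "certificate_path": "%s",\n  "alpn": ["h3"]\n}\n' "$1" "$2"
}

# Returns 0 when a config file disables server certificate verification.
has_insecure_tls() {
  grep -Eq '"insecure"[[:space:]]*:[[:space:]]*true' "$1"
}

# What a pinning client does: verify the certificate with itself as the only
# trust anchor. Prints OK on success.
verify_pinned() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 && echo OK
}

if command -v openssl >/dev/null 2>&1; then
  work="$(mktemp -d)"                       # demo output goes to a temp dir, not SSL_DIR
  make_selfsigned "$work" "$SERVER_NAME"
  echo "obfs password: $(gen_secret)"
  echo "user password: $(gen_secret)"
  echo "cert sha256:   $(cert_fingerprint "$work/cert.pem")"
  echo "self-verify:   $(verify_pinned "$work/cert.pem")"
  echo "client tls block (copy cert.pem to the client and point certificate_path at it):"
  client_tls_json "$SERVER_NAME" "$SSL_DIR/cert.pem"
  rm -rf "$work"
else
  echo "openssl not found; secrets only: $(gen_secret)"
fi
```

On the server, run make_selfsigned against SSL_DIR and point the inbound's certificate_path and key_path at the files it writes; on the client, copy only cert.pem over, check the fingerprint matches, and drop the printed tls object into the hysteria2 outbound. The connection then fails loudly if anyone substitutes a different certificate, which insecure: true would silently accept.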

insecure should be false here: with a CA-issued certificate for xxx.xxx.com and the server handing out fullchain.pem there is nothing to skip, and insecure: true makes the client accept any certificate at all, so anyone who can redirect the UDP path could impersonate the server and read the traffic. The only situation that justifies it is a self-signed certificate without a domain, and even then pinning the server's certificate via certificate_path in the outbound tls block keeps verification on. up_mbps and down_mbps on the client are the real upload and download capacity of the home line; Hysteria2's congestion control relies on them, so set them honestly rather than copying the server's values.

Other notes

  • When connecting from ShadowRocket on iOS, no username is required
  • The certificate cannot be a wildcard certificate