400 lines
10 KiB
Markdown
400 lines
10 KiB
Markdown
<h1 align="center">
|
|
<img src="https://github.com/Dreamacro/clash/raw/master/docs/logo.png" alt="Clash" width="200">
|
|
<br>Clash<br>
|
|
</h1>
|
|
|
|
<h4 align="center">A rule-based tunnel in Go.</h4>
|
|
|
|
<p align="center">
|
|
<a href="https://github.com/Dreamacro/clash/actions">
|
|
<img src="https://img.shields.io/github/workflow/status/Dreamacro/clash/Go?style=flat-square" alt="Github Actions">
|
|
</a>
|
|
<a href="https://goreportcard.com/report/github.com/Dreamacro/clash">
|
|
<img src="https://goreportcard.com/badge/github.com/Dreamacro/clash?style=flat-square">
|
|
</a>
|
|
<a href="https://github.com/Dreamacro/clash/releases">
|
|
<img src="https://img.shields.io/github/release/Dreamacro/clash/all.svg?style=flat-square">
|
|
</a>
|
|
</p>
|
|
|
|
## Features
|
|
|
|
- Local HTTP/HTTPS/SOCKS server with/without authentication
|
|
- VMess, Shadowsocks, Trojan (experimental), Snell protocol support for remote connections. UDP is supported.
|
|
- Built-in DNS server that aims to minimize DNS pollution attacks, supports DoH/DoT upstream. Fake IP is also supported.
|
|
- Rules based off domains, GEOIP, IP CIDR or ports to forward packets to different nodes
|
|
- Remote groups allow users to implement powerful rules. Supports automatic fallback, load balancing or auto select node based off latency
|
|
- Remote providers, allowing users to get node lists remotely instead of hardcoding in config
|
|
- Netfilter TCP redirecting. You can deploy Clash on your Internet gateway with `iptables`.
|
|
- Comprehensive HTTP API controller
|
|
|
|
## Install
|
|
|
|
Clash requires Go >= 1.13. You can build it from source:
|
|
|
|
```sh
|
|
$ go get -u -v github.com/Dreamacro/clash
|
|
```
|
|
|
|
Pre-built binaries are available here: [release](https://github.com/Dreamacro/clash/releases)
|
|
Pre-built Premium binaries are available here: [Premium release](https://github.com/Dreamacro/clash/releases/tag/premium). Source is not currently available.
|
|
|
|
Check Clash version with:
|
|
|
|
```sh
|
|
$ clash -v
|
|
```
|
|
|
|
## Daemonize Clash
|
|
|
|
Unfortunately, there is no native or elegant way to implement daemons on Golang. We recommend using third-party daemon management tools like PM2, Supervisor or the like to keep Clash running as a service.
|
|
|
|
In the case of [pm2](https://github.com/Unitech/pm2), start the daemon this way:
|
|
|
|
```sh
|
|
$ pm2 start clash
|
|
```
|
|
|
|
If you have Docker installed, it's recommended to deploy Clash directly using `docker-compose`: [run Clash in Docker](https://github.com/Dreamacro/clash/wiki/Run-clash-in-docker)
|
|
|
|
## Config
|
|
|
|
The default configuration directory is `$HOME/.config/clash`.
|
|
|
|
The name of the configuration file is `config.yaml`.
|
|
|
|
If you want to use another directory, use `-d` to control the configuration directory.
|
|
|
|
For example, you can use the current directory as the configuration directory:
|
|
|
|
```sh
|
|
$ clash -d .
|
|
```
|
|
|
|
<details>
|
|
<summary>This is an example configuration file (click to expand)</summary>
|
|
|
|
```yml
|
|
# port of HTTP
|
|
port: 7890
|
|
|
|
# port of SOCKS5
|
|
socks-port: 7891
|
|
|
|
# (HTTP and SOCKS5 in one port)
|
|
# mixed-port: 7890
|
|
|
|
# redir port for Linux and macOS
|
|
# redir-port: 7892
|
|
|
|
allow-lan: false
|
|
|
|
# Only applicable when setting allow-lan to true
|
|
# "*": bind all IP addresses
|
|
# 192.168.122.11: bind a single IPv4 address
|
|
# "[aaaa::a8aa:ff:fe09:57d8]": bind a single IPv6 address
|
|
# bind-address: "*"
|
|
|
|
# rule / global / direct (default is rule)
|
|
mode: rule
|
|
|
|
# set log level to stdout (default is info)
|
|
# info / warning / error / debug / silent
|
|
log-level: info
|
|
|
|
# RESTful API for clash
|
|
external-controller: 127.0.0.1:9090
|
|
|
|
# you can put the static web resource (such as clash-dashboard) to a directory, and clash would serve in `${API}/ui`
|
|
# input is a relative path to the configuration directory or an absolute path
|
|
# external-ui: folder
|
|
|
|
# Secret for RESTful API (Optional)
|
|
# secret: ""
|
|
|
|
# experimental feature
|
|
experimental:
|
|
ignore-resolve-fail: true # ignore dns resolve fail, default value is true
|
|
# interface-name: en0 # outbound interface name
|
|
|
|
# authentication of local SOCKS5/HTTP(S) server
|
|
# authentication:
|
|
# - "user1:pass1"
|
|
# - "user2:pass2"
|
|
|
|
# # hosts, support wildcard (e.g. *.clash.dev Even *.foo.*.example.com)
|
|
# # static domain has a higher priority than wildcard domain (foo.example.com > *.example.com > .example.com)
|
|
# # +.foo.com equal .foo.com and foo.com
|
|
# hosts:
|
|
# '*.clash.dev': 127.0.0.1
|
|
# '.dev': 127.0.0.1
|
|
# 'alpha.clash.dev': '::1'
|
|
# '+.foo.dev': 127.0.0.1
|
|
|
|
# dns:
|
|
# enable: true # set true to enable dns (default is false)
|
|
# ipv6: false # default is false
|
|
# listen: 0.0.0.0:53
|
|
# # default-nameserver: # resolve dns nameserver host, should fill pure IP
|
|
# # - 114.114.114.114
|
|
# # - 8.8.8.8
|
|
# enhanced-mode: redir-host # or fake-ip
|
|
# # fake-ip-range: 198.18.0.1/16 # if you don't know what it is, don't change it
|
|
# fake-ip-filter: # fake ip white domain list
|
|
# - '*.lan'
|
|
# - localhost.ptlogin2.qq.com
|
|
# nameserver:
|
|
# - 114.114.114.114
|
|
# - tls://dns.rubyfish.cn:853 # dns over tls
|
|
# - https://1.1.1.1/dns-query # dns over https
|
|
# fallback: # concurrent request with nameserver, fallback used when GEOIP country isn't CN
|
|
# - tcp://1.1.1.1
|
|
# fallback-filter:
|
|
# geoip: true # default
|
|
# ipcidr: # ips in these subnets will be considered polluted
|
|
# - 240.0.0.0/4
|
|
|
|
proxies:
|
|
# shadowsocks
|
|
# The supported ciphers(encrypt methods):
|
|
# aes-128-gcm aes-192-gcm aes-256-gcm
|
|
# aes-128-cfb aes-192-cfb aes-256-cfb
|
|
# aes-128-ctr aes-192-ctr aes-256-ctr
|
|
# rc4-md5 chacha20-ietf xchacha20
|
|
# chacha20-ietf-poly1305 xchacha20-ietf-poly1305
|
|
- name: "ss1"
|
|
type: ss
|
|
server: server
|
|
port: 443
|
|
cipher: chacha20-ietf-poly1305
|
|
password: "password"
|
|
# udp: true
|
|
|
|
# old obfs configuration format remove after prerelease
|
|
- name: "ss2"
|
|
type: ss
|
|
server: server
|
|
port: 443
|
|
cipher: chacha20-ietf-poly1305
|
|
password: "password"
|
|
plugin: obfs
|
|
plugin-opts:
|
|
mode: tls # or http
|
|
# host: bing.com
|
|
|
|
- name: "ss3"
|
|
type: ss
|
|
server: server
|
|
port: 443
|
|
cipher: chacha20-ietf-poly1305
|
|
password: "password"
|
|
plugin: v2ray-plugin
|
|
plugin-opts:
|
|
mode: websocket # no QUIC now
|
|
# tls: true # wss
|
|
# skip-cert-verify: true
|
|
# host: bing.com
|
|
# path: "/"
|
|
# mux: true
|
|
# headers:
|
|
# custom: value
|
|
|
|
# vmess
|
|
# cipher support auto/aes-128-gcm/chacha20-poly1305/none
|
|
- name: "vmess"
|
|
type: vmess
|
|
server: server
|
|
port: 443
|
|
uuid: uuid
|
|
alterId: 32
|
|
cipher: auto
|
|
# udp: true
|
|
# tls: true
|
|
# skip-cert-verify: true
|
|
# servername: example.com # priority over wss host
|
|
# network: ws
|
|
# ws-path: /path
|
|
# ws-headers:
|
|
# Host: v2ray.com
|
|
|
|
- name: "vmess-http"
|
|
type: vmess
|
|
server: server
|
|
port: 443
|
|
uuid: uuid
|
|
alterId: 32
|
|
cipher: auto
|
|
# udp: true
|
|
# network: http
|
|
# http-opts:
|
|
# # method: "GET"
|
|
# # path:
|
|
# # - '/'
|
|
# # - '/video'
|
|
# # headers:
|
|
# # Connection:
|
|
# # - keep-alive
|
|
|
|
# socks5
|
|
- name: "socks"
|
|
type: socks5
|
|
server: server
|
|
port: 443
|
|
# username: username
|
|
# password: password
|
|
# tls: true
|
|
# skip-cert-verify: true
|
|
# udp: true
|
|
|
|
# http
|
|
- name: "http"
|
|
type: http
|
|
server: server
|
|
port: 443
|
|
# username: username
|
|
# password: password
|
|
# tls: true # https
|
|
# skip-cert-verify: true
|
|
|
|
# snell
|
|
- name: "snell"
|
|
type: snell
|
|
server: server
|
|
port: 44046
|
|
psk: yourpsk
|
|
# obfs-opts:
|
|
# mode: http # or tls
|
|
# host: bing.com
|
|
|
|
# trojan
|
|
- name: "trojan"
|
|
type: trojan
|
|
server: server
|
|
port: 443
|
|
password: yourpsk
|
|
# udp: true
|
|
# sni: example.com # aka server name
|
|
# alpn:
|
|
# - h2
|
|
# - http/1.1
|
|
# skip-cert-verify: true
|
|
|
|
proxy-groups:
|
|
# relay chains the proxies. proxies shall not contain a relay. No UDP support.
|
|
# Traffic: clash <-> http <-> vmess <-> ss1 <-> ss2 <-> Internet
|
|
- name: "relay"
|
|
type: relay
|
|
proxies:
|
|
- http
|
|
- vmess
|
|
- ss1
|
|
- ss2
|
|
|
|
# url-test select which proxy will be used by benchmarking speed to a URL.
|
|
- name: "auto"
|
|
type: url-test
|
|
proxies:
|
|
- ss1
|
|
- ss2
|
|
- vmess1
|
|
# tolerance: 150
|
|
url: 'http://www.gstatic.com/generate_204'
|
|
interval: 300
|
|
|
|
# fallback select an available policy by priority. The availability is tested by accessing an URL, just like an auto url-test group.
|
|
- name: "fallback-auto"
|
|
type: fallback
|
|
proxies:
|
|
- ss1
|
|
- ss2
|
|
- vmess1
|
|
url: 'http://www.gstatic.com/generate_204'
|
|
interval: 300
|
|
|
|
# load-balance: The request of the same eTLD will be dial on the same proxy.
|
|
- name: "load-balance"
|
|
type: load-balance
|
|
proxies:
|
|
- ss1
|
|
- ss2
|
|
- vmess1
|
|
url: 'http://www.gstatic.com/generate_204'
|
|
interval: 300
|
|
|
|
# select is used for selecting proxy or proxy group
|
|
# you can use RESTful API to switch proxy, is recommended for use in GUI.
|
|
- name: Proxy
|
|
type: select
|
|
proxies:
|
|
- ss1
|
|
- ss2
|
|
- vmess1
|
|
- auto
|
|
|
|
- name: UseProvider
|
|
type: select
|
|
use:
|
|
- provider1
|
|
proxies:
|
|
- Proxy
|
|
- DIRECT
|
|
|
|
proxy-providers:
|
|
provider1:
|
|
type: http
|
|
url: "url"
|
|
interval: 3600
|
|
path: ./hk.yaml
|
|
health-check:
|
|
enable: true
|
|
interval: 600
|
|
url: http://www.gstatic.com/generate_204
|
|
test:
|
|
type: file
|
|
path: /test.yaml
|
|
health-check:
|
|
enable: true
|
|
interval: 36000
|
|
url: http://www.gstatic.com/generate_204
|
|
|
|
rules:
|
|
- DOMAIN-SUFFIX,google.com,auto
|
|
- DOMAIN-KEYWORD,google,auto
|
|
- DOMAIN,google.com,auto
|
|
- DOMAIN-SUFFIX,ad.com,REJECT
|
|
# rename SOURCE-IP-CIDR and would remove after prerelease
|
|
- SRC-IP-CIDR,192.168.1.201/32,DIRECT
|
|
# optional param "no-resolve" for IP rules (GEOIP IP-CIDR)
|
|
- IP-CIDR,127.0.0.0/8,DIRECT
|
|
- GEOIP,CN,DIRECT
|
|
- DST-PORT,80,DIRECT
|
|
- SRC-PORT,7777,DIRECT
|
|
# FINAL would remove after prerelease
|
|
# you also can use `FINAL,Proxy` or `FINAL,,Proxy` now
|
|
- MATCH,auto
|
|
```
|
|
</details>
|
|
|
|
## Advanced
|
|
[Provider](https://github.com/Dreamacro/clash/wiki/Provider)
|
|
|
|
## Documentations
|
|
https://clash.gitbook.io/
|
|
|
|
## Credits
|
|
|
|
[riobard/go-shadowsocks2](https://github.com/riobard/go-shadowsocks2)
|
|
|
|
[v2ray/v2ray-core](https://github.com/v2ray/v2ray-core)
|
|
|
|
## License
|
|
|
|
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2FDreamacro%2Fclash.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2FDreamacro%2Fclash?ref=badge_large)
|
|
|
|
## TODO
|
|
|
|
- [x] Complementing the necessary rule operators
|
|
- [x] Redir proxy
|
|
- [x] UDP support
|
|
- [x] Connection manager
|
|
- ~~[ ] Event API~~
|