Using dae as proxy tool

Introduction

A while ago I set up a private shadowsocks VPN server for myself. It ran peacefully for two months, until I got too brazen and used it to download The Elder Scrolls Online, pulling close to 200 GB of traffic in a single day. Within two days it had been taken down. Fortunately, vultr lets you add a spare IP at any time.

This time I am making a comeback, and along the way I learned a bit about the patterns the GFW uses to block IPs. It first probes suspicious traffic in various ways, including but not limited to replay attacks and fingerprint detection, and if it suspects VPN traffic it blocks it outright. A stream-cipher protocol like shadowsocks returns nothing but ciphertext, which raises its suspicion, so it is easily dealt with. This time I decided to tackle the problem from two angles:

  • Strengthen the disguise: use VLESS+REALITY to make the proxy traffic look like traffic to some legitimate website. See my one-click deployment script: 9vvert/Oneshot-VPN-deployment

  • Reduce the traffic going to the private VPN server, using dae to control it. That is, keep an ordinary subscription proxy, force only specific sites with strict IP-reputation requirements (claude, for example) through the private VPS node, and send all other traffic preferentially through the ordinary proxy.

I have actually been using dae for almost a year now, and I really like its convenient configuration and simple service management. I am taking this opportunity to write down how it is configured.

config overview

```
global {
  # Bind to LAN and/or WAN as you want. Replace the interface name to your own.
  # lan_interface: docker0
  wan_interface: auto

  log_level: debug
  allow_insecure: false
  auto_config_kernel_parameter: true

  dial_mode: domain

  tls_implementation: utls
  utls_imitate: chrome_auto
}

subscription {
  # Fill in your subscription links here.
  tapfog: '<订阅地址>'

}

node {
  my_vps: '<VPS节点链接>'
}


# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
dns {
  upstream {
    googledns: 'tcp+udp://dns.google:53'
    alidns: 'udp://dns.alidns.com:53'
  }
  routing {
    request {
      qname(geosite:cn) -> alidns
      # Everything else falls back to googledns (recommended, rather than alidns)
      fallback: googledns
    }
  }
}
group {
    # Subscription nodes only
    common_proxy {
        filter: subtag(tapfog) && !name(keyword: 'ExpireAt:')
        policy: min_moving_avg
    }

    # My own node only
    vps_proxy {
        filter: name(my_vps)
        policy: fixed(0)
    }

    # Default group: subscription first, my own node as the fallback
    mix_proxy {
        filter: subtag(tapfog) && !name(keyword: 'ExpireAt:')
        filter: name(my_vps) [add_latency: 9999ms]
        policy: min_moving_avg
    }
}

# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
routing {
  pname(NetworkManager) -> direct
  dip(224.0.0.0/3, 'ff00::/8') -> direct

  dscp(4) -> direct

  ### Write your rules below.

  # OpenAI
  domain(geosite:openai) -> vps_proxy

  # google
  domain(geosite:google) -> vps_proxy
  domain(geosite:google-deepmind) -> vps_proxy
  domain(geosite:google-gemini) -> vps_proxy

  # github
  domain(geosite:github) -> mix_proxy

  # Docker
  domain(geosite:docker) -> vps_proxy

  domain(geosite:anthropic) -> vps_proxy

  #
  dip(geoip:cn) -> direct
  domain(geosite:china-list) -> direct
  domain(geosite:cn) -> direct

  # Disable h3 because it usually consumes too much cpu/mem resources.
  l4proto(udp) && dport(443) -> block
  domain(geosite:cn) -> direct

  fallback: mix_proxy
}
```

node

We define two nodes, whose contents are the corresponding links.

```
subscription {
  # Fill in your subscription links here.
  tapfog: '<订阅地址>'
}

node {
  my_vps: '<VPS节点链接>'
}
```

dae supports links in many protocols. For example, once my VPS node is deployed it produces a URL beginning with vless://, which is imported here.

group

```
group {
    # Subscription nodes only
    common_proxy {
        filter: subtag(tapfog) && !name(keyword: 'ExpireAt:')
        policy: min_moving_avg
    }

    # My own node only
    vps_proxy {
        filter: name(my_vps)
        policy: fixed(0)
    }

    # Default group: subscription first, my own node as the fallback
    mix_proxy {
        filter: subtag(tapfog) && !name(keyword: 'ExpireAt:')
        filter: name(my_vps) [add_latency: 9999ms]
        policy: min_moving_avg
    }
}
```

We form three groups: the ordinary subscription proxy, the personal VPS, and a mix of the two. Note that subtag can be used to filter nodes by their subscription.

fixed(0) is the first node in the current group; min_moving_avg picks the node with the lowest latency. Worth noting: in mix_proxy we manually add 9999ms of latency to the VPS node's weight, which means our backup node is only used when every node of the ordinary proxy is unreachable. This guarantees that a proxy is still available when the ordinary proxy is unstable, while in normal use traffic such as large downloads is handed to the ordinary proxy first, reducing the risk of the personal VPS node being taken down by the GFW.
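To make the add_latency trick concrete, here is an added example (my own simplified model, not dae's implementation) of how a min_moving_avg group with a 9999ms handicap on my_vps behaves. Node names such as tapfog-hk and the probe latencies are constructed; the point is that the VPS is chosen only when every subscription node is unreachable, even if its raw latency is the best.

```python
from dataclasses import dataclass, field
from statistics import fmean
from typing import Optional

# Constructed model of dae's min_moving_avg policy with an add_latency penalty.
# This is a simplified illustration, not dae's own implementation.
UNREACHABLE = float("inf")

@dataclass
class Node:
    name: str
    subtag: str
    add_latency_ms: float = 0.0                   # from `[add_latency: ...]`
    samples: list = field(default_factory=list)   # recent probe results in ms

    def record(self, latency_ms: float, window: int = 5) -> None:
        """Append one probe result, keeping only the last `window` samples."""
        self.samples = (self.samples + [latency_ms])[-window:]

    def moving_avg(self) -> float:
        """Average of recent probes; unreachable if any probe in the window failed."""
        if not self.samples or UNREACHABLE in self.samples:
            return UNREACHABLE
        return fmean(self.samples)

    def score(self) -> float:
        return self.moving_avg() + self.add_latency_ms

def select_min_moving_avg(nodes: list) -> Optional[Node]:
    """Pick the node with the lowest penalised moving average; None if all are down."""
    reachable = [n for n in nodes if n.moving_avg() != UNREACHABLE]
    return min(reachable, key=Node.score) if reachable else None

def choose_for_mix_proxy(probes: dict) -> Optional[str]:
    """Build the post's mix_proxy group (constructed node names) and pick a node.
    `probes` maps node name -> latency samples in ms (UNREACHABLE for a failed probe)."""
    group = {
        "tapfog-hk": Node("tapfog-hk", "tapfog"),
        "tapfog-jp": Node("tapfog-jp", "tapfog"),
        "my_vps": Node("my_vps", "my_vps", add_latency_ms=9999),  # the 9999ms handicap
    }
    for name, samples in probes.items():
        for ms in samples:
            group[name].record(ms)
    chosen = select_min_moving_avg(list(group.values()))
    return chosen.name if chosen else None
```

With healthy subscription nodes the VPS stays idle even at 42ms against 125ms; once both subscription nodes return a failed probe, my_vps is selected.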

rule

```
routing {
  pname(NetworkManager) -> direct
  dip(224.0.0.0/3, 'ff00::/8') -> direct

  dscp(4) -> direct

  ### Write your rules below.

  # OpenAI
  domain(geosite:openai) -> vps_proxy

  # google
  domain(geosite:google) -> vps_proxy
  domain(geosite:google-deepmind) -> vps_proxy
  domain(geosite:google-gemini) -> vps_proxy

  # github
  domain(geosite:github) -> mix_proxy

  # Docker
  domain(geosite:docker) -> vps_proxy

  domain(geosite:anthropic) -> vps_proxy

  #
  dip(geoip:cn) -> direct
  domain(geosite:china-list) -> direct
  domain(geosite:cn) -> direct

  # Disable h3 because it usually consumes too much cpu/mem resources.
  l4proto(udp) && dport(443) -> block
  domain(geosite:cn) -> direct

  fallback: mix_proxy
}
```

Finally, the routing rules. Apart from a few IP-sensitive sites that are forced through vps_proxy, all other sites fall back to mix_proxy.

This post is licensed under CC BY 4.0 by the author.