dante+stunnel+clash 科学上网 - 技术分享 - 生活 | ☆∵∴Hito∴∵★ = 涛声依旧 = 天下事有难易乎？为之，则难者亦易矣

# 前言

上次介绍了使用 squid+stunnel 的方案进行科学上网。但是那个方案只适合在浏览器上使用，并不能让其它 app 也可以科学上网。此次介绍使用 dante+stunnel+clash 的方式来代理其它 app 科学上网。

# 准备

一台可以访问外网的服务器，如香港的云主机并安装 Ubuntu 系统。

# dante 部分

1、安装

1	apt-get install -y dante-server

2、配置

修改 dante 配置
1、修改 /etc/danted.conf 文件，在末尾加入下面的配置
2、如果不需要用户密码认证，则把 socksmethod 改为 none
3、可以为认证单独添加一个用户
sudo useradd -r -s /bin/false proxy
sudo passwd proxy
4、重启服务
systemctl restart danted
5、查看状态
systemctl status danted

logoutput: syslog
internal: 0.0.0.0 port = 1080
external: eth0

socksmethod: username
clientmethod: none

user.privileged: root
user.notprivileged: nobody

client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
}

socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
}

# stunnel 服务端部分

1、安装（和 danted 装在一起）

1	apt-get install -y stunnel

2、生成 TLS/SSL 证书

1	openssl req -new -x509 -days 3650 -nodes -out stunnel.pem -keyout stunnel.pem

3、将证书 stunnel.pem 放到 /etc/stunnel/ 目录下
4、修改 stunnel 配置 (/etc/stunnle/stunnle.conf)

; 设置stunnel的pid文件路径
pid = /etc/stunnel/stunnel.pid
; 设置stunnel工作的用户（组）
setuid = root
setgid = root

; 开启日志等级：emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7)
debug = 7
; 日志文件路径
output = /etc/stunnel/stunnel.log

; 证书文件
cert = /etc/stunnel/stunnel.pem
; 私钥文件
key = /etc/stunnel/stunnel.pem

; 自定义服务名danted
[danted]
; 服务监听的端口，client要连接这个端口与server通信
accept = 1081
; 服务要连接的端口，连接到danted的1080端口，将数据发给danted
connect = 1080

5、重启服务
systemctl restart stunnel4
6、查看状态
systemctl status stunnel4

# stunnel 客户端部分

可以安装在要代理的机器上，在需要代理的情况下再开启（代理地址填 127.0.0.1 加客户端监听端口）。也可以安装在国内的服务器上一直保持连接（代理信息填国内服务器 ip 加客户端监听端口）。本示例客户端为 ubuntu 系统

1、安装（和 danted 装在一起）

1	apt-get install -y stunnel

2、修改配置（/etc/stunnel/stunnel.conf）

[danted]
; 监听端口，用户的代理设置就是 stunnel-client-ip:1080
accept = 1080
; 要连接到的stunnel server的ip与端口
connect = stunnel服务端ip:1081
client = yes
; 需要验证对方发过来的证书
;verify = 2
; 用来进行证书验证的文件
;CAfile = /etc/stunnel/stunnel-server.pem

# Clash 部分

1、下载
Clash 客户端
2、配置

新建订阅

编辑文件并写入以下配置

# Profile Template for clash verge

proxies:
  - name: "PROXY"
    type: socks5  # 节点类型
    server: ""  # SOCKS5 服务器地址
    port: 1080  # 服务器端口
    username: "proxy"  # 可选，用户名
    password: ""  # 可选，密码

rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
    path: ./ruleset/reject.yaml
    interval: 86400

  icloud:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/icloud.txt"
    path: ./ruleset/icloud.yaml
    interval: 86400

  apple:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/apple.txt"
    path: ./ruleset/apple.yaml
    interval: 86400

  google:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/google.txt"
    path: ./ruleset/google.yaml
    interval: 86400

  proxy:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt"
    path: ./ruleset/proxy.yaml
    interval: 86400

  direct:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt"
    path: ./ruleset/direct.yaml
    interval: 86400

  private:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt"
    path: ./ruleset/private.yaml
    interval: 86400

  gfw:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/gfw.txt"
    path: ./ruleset/gfw.yaml
    interval: 86400

  tld-not-cn:
    type: http
    behavior: domain
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/tld-not-cn.txt"
    path: ./ruleset/tld-not-cn.yaml
    interval: 86400

  telegramcidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/telegramcidr.txt"
    path: ./ruleset/telegramcidr.yaml
    interval: 86400

  cncidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt"
    path: ./ruleset/cncidr.yaml
    interval: 86400

  lancidr:
    type: http
    behavior: ipcidr
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/lancidr.txt"
    path: ./ruleset/lancidr.yaml
    interval: 86400

  applications:
    type: http
    behavior: classical
    url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/applications.txt"
    path: ./ruleset/applications.yaml
    interval: 86400

rules:
  - RULE-SET,applications,DIRECT
  - DOMAIN,clash.razord.top,DIRECT
  - DOMAIN,yacd.haishan.me,DIRECT
  - RULE-SET,private,DIRECT
  - RULE-SET,reject,REJECT
  - RULE-SET,icloud,DIRECT
  - RULE-SET,apple,DIRECT
  - RULE-SET,google,PROXY
  - RULE-SET,proxy,PROXY
  - RULE-SET,direct,DIRECT
  - RULE-SET,lancidr,DIRECT
  - RULE-SET,cncidr,DIRECT
  - RULE-SET,telegramcidr,PROXY
  - GEOIP,LAN,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,PROXY

开启代理和自启动

至次运行 clash 的电脑就可以愉快的科学上网了，并且还可以代理同局域网的其它电脑科学上网。