自建独享落地节点
适用于对 IP 质量要求较高的用户,需要一定的理解与动手能力
基于 L4 转发,理论上支持任何协议,以下仅为示例
系统建议:Linux Debian 10 及以上
运行环境:Docker
运行软件:Shadowsocks rust
安装步骤(示例命令中的 "Password" 仅为占位符,部署前务必替换为面板/Telegram Bot 给出的密码或随机生成的强密码;镜像默认拉取可变的 latest 标签,生产环境建议固定到具体版本标签或摘要)
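# Install Docker from Debian's repository and start shadowsocks-rust
# (ssserver) in a container. Every command here needs root.
# NOTE(review): the image is pulled by the mutable :latest tag; pin a
# release tag or an @sha256: digest for a reproducible, auditable deploy.
apt update && apt install docker.io -y
# Pre-shared key. Never deploy with the literal placeholder "Password":
# export SS_KEY with the key from the panel/Telegram bot, or generate one,
# e.g.  export SS_KEY="$(openssl rand -base64 16)"
# The `:?` check aborts the chained commands below if SS_KEY is unset.
# -k puts the key on the container's command line, where `ps` and
# `docker inspect` on the host can read it; ssserver also accepts a
# config file (-c) if that matters in your environment.
# --net=host shares the host network namespace, so "[::]:10000" listens
# on every host interface (IPv4 and IPv6) and -U additionally opens the
# UDP relay on the same port. Firewall 10000 to the relay node's address
# when that is the only legitimate client.
: "${SS_KEY:?set SS_KEY to the Shadowsocks password first}" && \
docker pull ghcr.io/shadowsocks/ssserver-rust && \
docker run --entrypoint ssserver \
-d --name=shadowsocks \
--net=host \
--restart=always \
--log-driver json-file \
--log-opt max-size=10m \
--log-opt max-file=3 \
ghcr.io/shadowsocks/ssserver-rust \
-s "[::]:10000" -m "aes-128-gcm" -k "$SS_KEY" -U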
or (DNS)
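# Variant: ssserver resolves remote hostnames via the listed resolvers
# (1.1.1.1 / 1.0.0.1) instead of the host's. Per the --dns
# "[(tcp|udp)://]host[:port]" form these are plain UDP/TCP queries, i.e.
# the landing node's lookups are visible to the path.
# Never deploy with the literal placeholder "Password": export SS_KEY
# with the key from the panel/Telegram bot or a generated one, e.g.
#   export SS_KEY="$(openssl rand -base64 16)"
# -k exposes the key to `ps`/`docker inspect` on the host; --net=host
# plus "[::]:10000" listens on every host interface, and -U also opens
# the UDP relay there.
# NOTE(review): the image is pulled by the mutable :latest tag; pin a
# release tag or @sha256: digest.
: "${SS_KEY:?set SS_KEY to the Shadowsocks password first}" && \
docker pull ghcr.io/shadowsocks/ssserver-rust && \
docker run --entrypoint ssserver \
-d --name=shadowsocks \
--net=host \
--restart=always \
--log-driver json-file \
--log-opt max-size=10m \
--log-opt max-file=3 \
ghcr.io/shadowsocks/ssserver-rust \
-s "[::]:10000" -m "aes-128-gcm" -k "$SS_KEY" -U --dns "1.1.1.1,1.0.0.1"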
or (IPv6 first)
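# Variant: -6 makes ssserver prefer IPv6 addresses when a remote hostname
# resolves to both families.
# Never deploy with the literal placeholder "Password": export SS_KEY
# with the key from the panel/Telegram bot or a generated one, e.g.
#   export SS_KEY="$(openssl rand -base64 16)"
# -k exposes the key to `ps`/`docker inspect` on the host; --net=host
# plus "[::]:10000" listens on every host interface, and -U also opens
# the UDP relay there.
# NOTE(review): the image is pulled by the mutable :latest tag; pin a
# release tag or @sha256: digest.
: "${SS_KEY:?set SS_KEY to the Shadowsocks password first}" && \
docker pull ghcr.io/shadowsocks/ssserver-rust && \
docker run --entrypoint ssserver \
-d --name=shadowsocks \
--net=host \
--restart=always \
--log-driver json-file \
--log-opt max-size=10m \
--log-opt max-file=3 \
ghcr.io/shadowsocks/ssserver-rust \
-s "[::]:10000" -m "aes-128-gcm" -k "$SS_KEY" -U -6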
对 Telegram Bot 发送指令 "/ssserver" 或 "/ssserver_v6" 即可获取与本站个人端口加密/协议一致的部署命令
添加流量转发规则
选择起源节点
填入目标服务器地址
填入目标端口
勾选[目标节点与本站个人端口加密/协议一致](如果没有采用 Telegram Bot 命令部署请跳过此步骤)
一分钟内自动生效,正常情况下在代理客户端选择起源节点即可
口碑较好的商家(排名不分先后)
配合流量转发,仅需购买国际宽带网络(Routing Profile: Standard)VPS/VDS
商业:静态 IP (static IP)
香港
台湾
日本
美国
新加坡
全球
流媒体:动态IP (dynamic IP or Random IPv6)
香港
台湾
日本
美国
新加坡
韩国
英国
以上部分链接包含AFF
优化(需以 root 身份执行。以下脚本会整体覆盖 /etc/sysctl.conf 与 /etc/security/limits.conf,并开启 IPv4/IPv6 转发、关闭 rp_filter、为所有用户放开 core dump 与 nproc 上限;请先阅读并按需修改,再复制粘贴到 Shell 执行)
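#!/bin/bash
# Host tuning for a Shadowsocks landing node. Every step needs root. The
# page says to paste this into a shell, so no `exit` is used anywhere
# (an `exit` pasted into an interactive shell would end the session).
#
# Install the one-shot time-sync tools only if they are missing; run
# `apt-get update` once first so the install does not fail on a fresh
# image whose package lists are stale or absent.
# NOTE(review): on newer Debian the ntpdate package is a transitional
# wrapper around ntpsec; confirm it still provides /usr/bin/ntpdate.
missing_pkgs=()
for pkg in ntpdate htpdate; do
  command -v "$pkg" >/dev/null 2>&1 || missing_pkgs+=("$pkg")
done
if (( ${#missing_pkgs[@]} )); then
  apt-get update -q && apt-get install -y "${missing_pkgs[@]}"
fi
timedatectl set-timezone Asia/Shanghai
# One-shot clock sync: NTP first, HTTP Date header (htpdate -s) as the
# fallback. Neither path is authenticated, so an on-path attacker can
# skew the clock; correct time matters for TLS certificate validation
# and, if you use the 2022-* Shadowsocks ciphers, for their timestamp
# replay checks. Prefer a persistent authenticated source (e.g. chrony
# with NTS) on long-lived hosts.
timeout 5 ntpdate time1.google.com || timeout 5 htpdate -s www.baidu.com
# Persist the synced time to the RTC; this may fail on VMs without one.
hwclock -w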
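# Install and start haveged only when the kernel entropy pool looks
# starved and the daemon is not already active.
# NOTE(review): on kernels >= 5.6 the CRNG is seeded from jitter entropy
# and entropy_avail is capped at 256, so this test is always true there
# and haveged (which its upstream describes as unnecessary on those
# kernels) gets installed every run; consider dropping this step on
# Debian 12+ — confirm against your kernel version.
entropy=$(< /proc/sys/kernel/random/entropy_avail)
# ${entropy:-0} keeps the test well-formed if the proc file was unreadable.
if (( ${entropy:-0} < 1000 )) && ! systemctl is-active --quiet haveged; then
  apt-get install -y haveged
  systemctl enable haveged
  systemctl restart haveged
fi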
echo "1048576" > /proc/sys/fs/file-max
ulimit -n 1048576
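# Replace /etc/sysctl.conf wholesale. `chattr -i` clears an immutable
# flag a previous run may have set; the current file is backed up first
# so the distribution defaults and any earlier local tuning stay
# recoverable.
chattr -i /etc/sysctl.conf
[[ -f /etc/sysctl.conf ]] && cp -a /etc/sysctl.conf "/etc/sysctl.conf.bak.$(date +%Y%m%d%H%M%S)"
# Security notes on the profile below. It is a router-style profile
# (MPLS/VRF/ECMP/GRE sections), while the landing node itself only runs
# a userspace ssserver:
#  * net.ipv4.ip_forward / net.ipv6.conf.*.forwarding = 1 turn the host
#    into a router, and rp_filter = 0 / accept_local = 1 disable the
#    reverse-path and local-source sanity checks. ssserver needs none of
#    these; on an Internet-facing box they let the host forward traffic
#    for spoofed sources. Set them to 0 unless something on the host
#    really routes packets (VPN, GRE, VRF).
#  * tcp_fastopen = 3 also enables server-side TFO; if your clients do
#    not use it, 1 (client side only) is the smaller surface.
#  * icmp_echo_ignore_all = 1 makes the host ignore ping, including from
#    your own monitoring.
#  * ip_local_reserved_ports = 10000 keeps the ssserver port out of the
#    ephemeral range that starts at 1024.
# The here-doc delimiter is quoted so nothing inside is shell-expanded.
cat > /etc/sysctl.conf << 'EOF'
# Memory usage
# https://blog.cloudflare.com/the-story-of-one-latency-spike/
# https://cloud.google.com/architecture/tcp-optimization-for-network-performance-in-gcp-and-hybrid/
# https://zhensheng.im/2021/01/31/linux-wmem-and-rmem-adjustments.meow
# https://github.com/redhat-performance/tuned/blob/master/profiles/network-throughput/tuned.conf
# ReceiveBuffer: X - (X / (2 ^ tcp_adv_win_scale)) = RTT * Bandwidth / 8
# SendBuffer: RTT * Bandwidth / 8 * 0.7
net.core.netdev_max_backlog = 262144
net.ipv4.tcp_max_syn_backlog = 8192
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.ipv4.tcp_rmem = 16384 131072 67108864
net.ipv4.tcp_wmem = 4096 16384 33554432
net.ipv4.udp_rmem_min = 131072
net.ipv4.udp_wmem_min = 131072
# Layer 2
# No Proxy ARP, obviously
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.proxy_arp = 0
# Do not reply ARP requests if the target IP address is not configured on the incoming interface
net.ipv4.conf.default.arp_ignore = 1
net.ipv4.conf.all.arp_ignore = 1
# When sending ARP requests, use the best IP address configured on the outgoing interface
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
# Enable gratuitous arp requests
net.ipv4.conf.default.arp_notify = 1
net.ipv4.conf.all.arp_notify = 1
# IPv4 routing
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# Enable when there are 1-2K hosts
net.ipv4.neigh.default.gc_thresh1 = 2048
net.ipv4.neigh.default.gc_thresh2 = 4096
net.ipv4.neigh.default.gc_thresh3 = 8192
# IPv6 routing
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
# Enable when there are 1-2K hosts
net.ipv6.neigh.default.gc_thresh1 = 4096
net.ipv6.neigh.default.gc_thresh2 = 8192
net.ipv6.neigh.default.gc_thresh3 = 16384
# PMTUD
# https://blog.cloudflare.com/path-mtu-discovery-in-practice/
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_base_mss = 1024
# MPLS & L3VPN support
# https://web.archive.org/web/20210301222346/https://cumulusnetworks.com/blog/vrf-for-linux/
# net.mpls.ip_ttl_propagate = 1
# net.mpls.default_ttl = 255
# net.mpls.platform_labels = 1048575
net.ipv4.tcp_l3mdev_accept = 0
net.ipv4.udp_l3mdev_accept = 0
net.ipv4.raw_l3mdev_accept = 0
# net.mpls.conf.lo.input = 1
# ICMP
# net.ipv4.icmp_errors_use_inbound_ifaddr = 1
# net.ipv4.icmp_ratelimit = 0
# net.ipv6.icmp.ratelimit = 0
net.ipv4.icmp_echo_ignore_all = 1
# net.ipv6.icmp_echo_ignore_all = 1
# TCP connection accepting
# https://serverfault.com/questions/518862/will-increasing-net-core-somaxconn-make-a-difference
net.core.somaxconn = 8192
net.ipv4.tcp_abort_on_overflow = 0
# TCP connection recycling
# https://dropbox.tech/infrastructure/optimizing-web-servers-for-high-throughput-and-low-latency
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_max_tw_buckets = 4096
# TCP congestion control
# https://blog.cloudflare.com/http-2-prioritization-with-nginx/
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_notsent_lowat = 16384
net.ipv4.tcp_window_scaling = 1
# TCP keepalive
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 3
# TCP auxiliary
# https://dropbox.tech/infrastructure/optimizing-web-servers-for-high-throughput-and-low-latency
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_adv_win_scale = 1
# ECN
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_ecn_fallback = 1
# ECMP hashing
# https://web.archive.org/web/20210204031636/https://cumulusnetworks.com/blog/celebrating-ecmp-part-two/
net.ipv4.fib_multipath_hash_policy = 1
net.ipv4.fib_multipath_use_neigh = 1
# GRE keepalive
# https://blog.artech.se/2016/01/10/4/
net.ipv4.conf.default.accept_local = 1
net.ipv4.conf.all.accept_local = 1
# IGMP
# https://phabricator.vyos.net/T863
net.ipv4.igmp_max_memberships = 512
# IPv6 route table size bug fix
# https://web.archive.org/web/20200516030405/https://lists.nat.moe/pipermail/transit-service/2020-May/000000.html
net.ipv6.route.max_size = 2147483647
# Prefer different parity for ip_local_port_range start and end value
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.ip_local_reserved_ports = 10000
# Maximum number of open files
fs.file-max = 1048576
# Avoid the use of swap spaces where possible
vm.swappiness = 1
EOF
# Apply the new file now (`sysctl -p` reads /etc/sysctl.conf). Keys the
# running kernel does not expose (e.g. the *_l3mdev_accept ones on a
# kernel built without VRF support) are reported as errors and skipped;
# the remaining keys are still applied.
sysctl -p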
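# Replace /etc/security/limits.conf wholesale; the current file is backed
# up first. pam_limits applies these values to PAM login sessions; systemd
# services (and the ssserver container started by dockerd) are not
# governed by this file — use LimitNOFILE= / `docker run --ulimit` there.
# Hardening regressions to weigh before pasting:
#  * core 1048576 for root and * permits core dumps of any process; a
#    dump of ssserver contains the pre-shared key in clear. Use `core 0`
#    unless you are actively debugging.
#  * nproc 1048576 for * effectively removes the fork-bomb ceiling for
#    every account on the host.
#  * memlock unlimited for * lets any user pin unlimited RAM.
# The here-doc delimiter is quoted so nothing inside is shell-expanded.
[[ -f /etc/security/limits.conf ]] && cp -a /etc/security/limits.conf "/etc/security/limits.conf.bak.$(date +%Y%m%d%H%M%S)"
cat > /etc/security/limits.conf << 'EOF'
root hard nofile 1048576
root soft nproc 1048576
root hard nproc 1048576
root soft core 1048576
root hard core 1048576
root hard memlock unlimited
root soft memlock unlimited
* soft nofile 1048576
* hard nofile 1048576
* soft nproc 1048576
* hard nproc 1048576
* soft core 1048576
* hard core 1048576
* hard memlock unlimited
* soft memlock unlimited
EOF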