使用 sing-box 搭建 Netflix 节点的小思路

本文最后更新于 2026 年 4 月 23 日


背景

由于本身不需要科学上网,所以平时没有给自己搭建代理的需求。不过在 Proton 的订阅中已包含了 Proton VPN,而可利用该服务实现 Netflix 换区解锁,因此偶尔也有挂 VPN 的场景。

但考虑到一直挂着 VPN 也会导致访问其他网站的 IP 地址变更,因此希望能选择性地只针对 Netflix 走代理。

另外,虽然我自己不用科学上网,但我也搭建了节点给朋友使用,因此也希望其中某个节点能起到 Netflix 解锁的作用。

偶然想到 Proton VPN 实际上提供 WireGuard 节点配置,所以可以利用 sing-box 的出入站规则搭建一个专门用于 Netflix 解锁的节点。

服务端配置

服务器有限,因此除了该服务器原本用于科学上网的 shadowsocks 服务外,又新增了一个用于解锁 Netflix 的 shadowsocks 服务,该 ss 入站对应一个 Proton VPN 的 WireGuard 端点。

为什么非要用服务器中转一下 Proton VPN?因为在需要科学上网的地区,Proton VPN 的节点有可能在黑名单内,无法正常连接,时不时会被阻断。

于是该服务器的 sing-box 配置文件如下。其中的中文占位符(端口、密码、私钥、节点公钥等)需替换为实际值后才是合法的 JSON;两个入站的密码和 WireGuard 私钥属于机密,应各自独立生成,不要随配置文件一起公开:

{
"log": {
"level": "warn",
"timestamp": true
},
"dns": {
"servers": [
{
"type": "https",
"tag": "local",
"server": "1.1.1.1"
},
{
"type": "https",
"tag": "dns-netflix",
"server": "1.1.1.1",
"detour": "wg-netflix"
}
],
"rules": [
{
"inbound": "ss-normal",
"server": "local"
},
{
"inbound": "ss-netflix",
"server": "dns-netflix"
}
],
"strategy": "prefer_ipv4"
},
"inbounds": [
{
"type": "shadowsocks",
"tag": "ss-normal",
"listen": "::",
"listen_port": 端口一,
"network": "tcp",
"method": "2022-blake3-aes-256-gcm",
"password": "使用 sing-box generate rand --base64 32 命令生成的密码",
"multiplex": {
"enabled": true
}
},
{
"type": "shadowsocks",
"tag": "ss-netflix",
"listen": "::",
"listen_port": 端口二,
"network": "tcp",
"method": "2022-blake3-aes-256-gcm",
"password": "使用 sing-box generate rand --base64 32 命令生成的密码",
"multiplex": {
"enabled": true
}
}
],
"outbounds": [
{
"type": "direct",
"tag": "direct"
}
],
"endpoints": [
{
"type": "wireguard",
"tag": "wg-netflix",
"system": false,
"address": [
"10.2.0.2/32",
"2a07:b944::2:2/128"
],
"private_key": "私钥",
"peers": [
{
"address": "Wireguard 服务器 IP 地址",
"port": 服务端口,
"public_key": "节点公钥",
"allowed_ips": [
"0.0.0.0/0",
"::/0"
]
}
]
}
],
"route": {
"default_domain_resolver": "local",
"rules": [
{
"inbound": "ss-normal",
"outbound": "direct"
},
{
"inbound": "ss-netflix",
"outbound": "wg-netflix"
}
],
"final": "direct"
}
}

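路由规则和 DNS 规则都按入站 tag 区分:从 ss-normal 入站的科学上网流量在代理服务器上直连,并使用 local 解析;从 ss-netflix 入站的 Netflix 解锁流量才会经 wg-netflix 端点再走一遍 WireGuard,其 DNS 查询也通过 dns-netflix 经同一端点发出。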

客户端配置

对应的客户端配置文件如下。文件省略了很多内容,只为大致解释结构;其中的规则集均从 GitHub 仓库的分支远程下载,哪些流量走代理、哪些直连取决于这些文件的内容,使用前应确认来源可信:

{
"log": {
"disabled": false,
"level": "warn",
"timestamp": true
},
"dns": {
"servers": [
{
"tag": "cloudflare",
"type": "https",
"server": "1.1.1.1",
"detour": "✨ 自动选择节点"
},
{
"tag": "netflix",
"type": "https",
"server": "1.1.1.1",
"detour": "🍿 网飞视频"
},
{
"tag": "local",
"type": "udp",
"server": "223.5.5.5"
}
],
"rules": [
{
"clash_mode": "Direct",
"server": "local"
},
{
"clash_mode": "Global",
"server": "cloudflare"
},
{
"rule_set": "geosite-netflix",
"server": "netflix"
},
{
"rule_set": [
"geosite-private",
"geosite-geolocation-cn",
"geosite-cn",
"geosite-apple@cn",
"geosite-category-games@cn",
"ruleset-chinamax"
],
"server": "local"
},
{
"rule_set": "geosite-geolocation-!cn",
"server": "cloudflare"
}
],
"final": "local",
"strategy": "prefer_ipv4"
},
"inbounds": [
{
"type": "tun",
"tag": "tun-in",
"address": [
"172.19.0.1/30",
"fdfe:dcba:9876::1/126"
],
"auto_route": true,
"strict_route": true
}
],
"outbounds": [
{
"type": "direct",
"tag": "❎ 直连"
},
{
"省略了": "其他节点信息"
},
{
"type": "urltest",
"tag": "✨ 自动选择节点",
"outbounds": [
"众多的",
"节点 tag"
],
"url": "http://www.gstatic.com/generate_204",
"interval": "5m"
},
{
"type": "selector",
"tag": "🍿 网飞视频",
"outbounds": [
"某节点 tag"
]
}
],
"route": {
"default_domain_resolver": "local",
"rules": [
{
"inbound": "tun-in",
"action": "sniff"
},
{
"protocol": "dns",
"action": "hijack-dns"
},
{
"ip_is_private": true,
"outbound": "❎ 直连"
},
{
"protocol": "bittorrent",
"outbound": "❎ 直连"
},
{
"clash_mode": "Direct",
"outbound": "❎ 直连"
},
{
"clash_mode": "Global",
"outbound": "✨ 自动选择节点"
},
{
"rule_set": "geosite-netflix",
"outbound": "🍿 网飞视频"
},
{
"rule_set": "geosite-gfw",
"outbound": "✨ 自动选择节点"
},
{
"rule_set": [
"geosite-private",
"geosite-geolocation-cn",
"geoip-cn",
"geosite-cn",
"geosite-apple@cn",
"geosite-category-games@cn",
"ruleset-chinamax"
],
"outbound": "❎ 直连"
},
{
"rule_set": "geosite-geolocation-!cn",
"outbound": "✨ 自动选择节点"
},
{
"rule_set": "geoip-cn",
"invert": true,
"outbound": "✨ 自动选择节点"
}
],
"rule_set": [
{
"type": "remote",
"tag": "geosite-netflix",
"format": "binary",
"url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-netflix.srs",
"download_detour": "✨ 自动选择节点"
},
{
"type": "remote",
"tag": "geosite-gfw",
"format": "binary",
"url": "https://raw.githubusercontent.com/Toperlock/sing-box-geosite/main/rule/gfw.srs",
"download_detour": "✨ 自动选择节点"
},
{
"type": "remote",
"tag": "geosite-private",
"format": "binary",
"url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-private.srs",
"download_detour": "✨ 自动选择节点"
},
{
"type": "remote",
"tag": "geosite-geolocation-cn",
"format": "binary",
"url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs",
"download_detour": "✨ 自动选择节点"
},
{
"type": "remote",
"tag": "geoip-cn",
"format": "binary",
"url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs",
"download_detour": "✨ 自动选择节点"
},
{
"type": "remote",
"tag": "geosite-cn",
"format": "binary",
"url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-cn.srs",
"download_detour": "✨ 自动选择节点"
},
{
"type": "remote",
"tag": "geosite-apple@cn",
"format": "binary",
"url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-apple@cn.srs",
"download_detour": "✨ 自动选择节点"
},
{
"type": "remote",
"tag": "geosite-category-games@cn",
"format": "binary",
"url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-category-games@cn.srs",
"download_detour": "✨ 自动选择节点"
},
{
"type": "remote",
"tag": "ruleset-chinamax",
"format": "binary",
"url": "https://raw.githubusercontent.com/shangguanhongxin/for-sing-box-and-surge/master/sing-box/ChinaMax/ChinaMax_All.srs",
"download_detour": "✨ 自动选择节点"
},
{
"type": "remote",
"tag": "geosite-geolocation-!cn",
"format": "binary",
"url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-!cn.srs",
"download_detour": "✨ 自动选择节点"
}
],
"auto_detect_interface": true,
"final": "❎ 直连"
},
"experimental": {
"cache_file": {
"enabled": true
}
}
}

注意

实际上,如果只考虑我个人使用,就完全不用修改服务端配置,只要在我自己的客户端上配置 Netflix 流量走一个 WireGuard 的 endpoint 即可。但我嫌麻烦,也不在乎延迟,所以用了和给朋友的一样的客户端配置文件。
