A Small Idea for Building a Netflix Node with sing-box

Background

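I don't need to circumvent internet censorship myself, so I normally have no reason to run a proxy of my own. My Proton subscription includes Proton VPN, though, and that service can be used to switch Netflix regions, so I do occasionally connect to a VPN.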

But keeping the VPN on all the time also changes the IP address I use for every other website, so I wanted to send only Netflix traffic through the proxy.

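On top of that, although I don't need censorship circumvention myself, I run nodes for friends to use, and I wanted one of those nodes to unlock Netflix as well.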

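It occurred to me that sing-box has inbound and outbound rules, and that Proton VPN actually provides WireGuard node configurations, so building a node dedicated to unlocking Netflix is feasible.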

Server configuration

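I only have a limited number of servers, so in addition to the shadowsocks service this server already ran for censorship circumvention, I added a second shadowsocks service for unlocking Netflix. That ss inbound is paired with a Proton VPN WireGuard outbound.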

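Why relay Proton VPN through a server at all? Because in regions where circumvention is needed, Proton VPN's nodes are on a blocklist: connections to them are blocked and cannot be established.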

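So the sing-box configuration file on that server looks like this. The Chinese values are placeholders to fill in: 端口一 and 端口二 are the two listen ports, the password placeholder stands for a password generated with the command sing-box generate rand --base64 32, and the WireGuard fields take the WireGuard server IP address, the service port, the private key and the node's public key.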

{
  "log": {
    "level": "info"
  },
  "dns": {
    "servers": [
      {
        "tag": "local",
        "address": "tls://1.1.1.1"
      },
      {
        "tag": "remote",
        "address": "tls://1.1.1.1",
        "detour": "wg-out"
      }
    ],
    "rules": [
      {
        "outbound": "any",
        "server": "local"
      },
      {
        "inbound": "ss-normal",
        "server": "local"
      },
      {
        "inbound": "ss-netflix",
        "server": "remote"
      }
    ]
  },
  "inbounds": [
    {
      "type": "shadowsocks",
      "tag": "ss-normal",
      "listen": "::",
      "listen_port": 端口一,
      "sniff": true,
      "network": "tcp",
      "method": "2022-blake3-aes-256-gcm",
      "password": "使用 sing-box generate rand --base64 32 命令生成的密码",
      "multiplex": {
        "enabled": true
      }
    },
    {
      "type": "shadowsocks",
      "tag": "ss-netflix",
      "listen": "::",
      "listen_port": 端口二,
      "sniff": true,
      "network": "tcp",
      "method": "2022-blake3-aes-256-gcm",
      "password": "使用 sing-box generate rand --base64 32 命令生成的密码",
      "multiplex": {
        "enabled": true
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    },
    {
      "type": "wireguard",
      "tag": "wg-out",
      "server": "Wireguard 服务器 IP 地址",
      "server_port": 服务端口,
      "local_address": ["10.2.0.2/32"],
      "private_key": "私钥",
      "peer_public_key": "节点公钥"
    }
  ],
  "route": {
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns-out"
      },
      {
        "inbound": "ss-normal",
        "outbound": "direct"
      },
      {
        "inbound": "ss-netflix",
        "outbound": "wg-out"
      }
    ]
  }
}

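On the proxy server, the service used for censorship circumvention goes out directly; only the service used for unlocking Netflix takes the extra hop through WireGuard.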
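
An added example, not part of the original post: a small Python check that a config of this shape has no rule or detour pointing at an undefined tag, and that each inbound's DNS lookups leave through the same outbound as its traffic, as the ss-netflix pairing above does. The audit and sample functions and the simplified matching (only rules with an "inbound" field are read) are assumptions of this example, and sample() returns a constructed config.

```python
def _as_list(v):
    return v if isinstance(v, list) else [v]

def _first(rules, inbound, key):
    """Value of `key` in the first rule whose "inbound" matches, else None."""
    for r in rules:
        if inbound in _as_list(r.get("inbound", [])):
            return r.get(key)

def audit(cfg):
    """Return a sorted list of problems in a sing-box-style config dict."""
    outs = [o["tag"] for o in cfg.get("outbounds", [])]
    ins = [i["tag"] for i in cfg.get("inbounds", [])]
    dns, route = cfg.get("dns", {}), cfg.get("route", {})
    servers = {s["tag"]: s for s in dns.get("servers", [])}
    # With no route.final, the first outbound is the default one.
    default_out = route.get("final") or (outs[0] if outs else None)
    problems = set()
    # 1. Dangling references: every tag a rule or detour names must exist.
    for r in route.get("rules", []):
        if "outbound" in r and r["outbound"] not in outs:
            problems.add(f"route rule -> undefined outbound {r['outbound']!r}")
        for i in _as_list(r.get("inbound", [])):
            if i not in ins:
                problems.add(f"route rule -> undefined inbound {i!r}")
    for s in servers.values():
        if "detour" in s and s["detour"] not in outs:
            problems.add(f"dns server {s['tag']!r} -> undefined detour {s['detour']!r}")
    # 2. Path consistency: an inbound's DNS lookups should leave through the
    #    same outbound as its traffic (simplified: only "inbound" rules are read).
    for i in ins:
        traffic = _first(route.get("rules", []), i, "outbound") or default_out
        srv = servers.get(_first(dns.get("rules", []), i, "server"))
        srv = srv or next(iter(servers.values()), {})  # default: first server
        dns_path = srv.get("detour", default_out)
        if traffic != dns_path:
            problems.add(f"inbound {i!r}: traffic via {traffic!r}, DNS via {dns_path!r}")
    return sorted(problems)

def sample(netflix_dns="remote"):
    """Constructed config shaped like the server config above (secrets omitted)."""
    return {
        "dns": {"servers": [{"tag": "local", "address": "tls://1.1.1.1"},
                            {"tag": "remote", "address": "tls://1.1.1.1", "detour": "wg-out"}],
                "rules": [{"inbound": "ss-normal", "server": "local"},
                          {"inbound": "ss-netflix", "server": netflix_dns}]},
        "inbounds": [{"tag": "ss-normal"}, {"tag": "ss-netflix"}],
        "outbounds": [{"tag": "direct"}, {"tag": "dns-out"}, {"tag": "wg-out"}],
        "route": {"rules": [{"inbound": "ss-normal", "outbound": "direct"},
                            {"inbound": "ss-netflix", "outbound": "wg-out"}]}}
```

audit(sample()) returns an empty list; audit(sample("local")) reports that ss-netflix traffic leaves via wg-out while its DNS lookups leave via direct.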

Client configuration

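The corresponding client configuration file is below. Much of it is omitted; it is only meant to show the overall structure. The outbound tags are kept as written: "✨ 自动选择节点" is the auto-select group, "❎ 直连" is the direct outbound, "🍿 网飞视频" is the Netflix selector and "📡 默认代理" is the default proxy. The entry "省略了": "其他节点信息" marks omitted node definitions, and "某节点 tag", "众多的" and "节点 tag" stand for node tags.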

{
  "dns": {
    "servers": [
      {
        "tag": "cloudflare",
        "address": "tls://1.1.1.1",
        "detour": "✨ 自动选择节点"
      },
      { "tag": "local", "address": "223.5.5.5", "detour": "❎ 直连" },
      { "tag": "netflix", "address": "tls://1.1.1.1", "detour": "🍿 网飞视频" }
    ],
    "rules": [
      { "outbound": "any", "server": "local" },
      { "clash_mode": "Direct", "server": "local" },
      { "clash_mode": "Global", "server": "cloudflare" },
      { "rule_set": "geosite-netflix", "server": "netflix" },
      {
        "rule_set": [
          "geosite-geolocation-cn",
          "geosite-cn",
          "geosite-apple@cn",
          "geosite-category-games@cn",
          "geoip-cn",
          "geosite-private",
          "ruleset-chinamax"
        ],
        "server": "local"
      },
      { "rule_set": "geosite-geolocation-!cn", "server": "cloudflare" }
    ],
    "strategy": "ipv4_only"
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "inet4_address": "172.19.0.1/30",
      "auto_route": true,
      "strict_route": true,
      "stack": "mixed",
      "sniff": true
    }
  ],
  "outbounds": [
    { "type": "dns", "tag": "dns-out" },
    { "type": "direct", "tag": "❎ 直连" },
    {
      "省略了": "其他节点信息"
    },
    {
      "type": "selector",
      "tag": "🍿 网飞视频",
      "outbounds": ["某节点 tag"]
    },
    {
      "type": "urltest",
      "tag": "✨ 自动选择节点",
      "outbounds": [
        "众多的",
        "节点 tag"
      ],
      "url": "http://www.gstatic.com/generate_204",
      "interval": "5m"
    }
  ],
  "route": {
    "rules": [
      { "protocol": "dns", "outbound": "dns-out" },
      { "geoip": ["private"], "outbound": "❎ 直连" },
      { "clash_mode": "Direct", "outbound": "❎ 直连" },
      { "clash_mode": "Global", "outbound": "📡 默认代理" },
      { "rule_set": "geosite-netflix", "outbound": "🍿 网飞视频" },
      {
        "rule_set": [
          "geosite-geolocation-cn",
          "geoip-cn",
          "geosite-cn",
          "geosite-apple@cn",
          "geosite-category-games@cn",
          "ruleset-chinamax",
          "geosite-private"
        ],
        "outbound": "❎ 直连"
      },
      { "rule_set": "geosite-geolocation-!cn", "outbound": "✨ 自动选择节点" },
      {
        "process_name": [
          "aria2c.exe",
          "fdm.exe",
          "folx.exe",
          "nettransport.exe",
          "thunder.exe",
          "transmission.exe",
          "utorrent.exe",
          "webtorrent.exe",
          "webtorrent helper.exe",
          "qbittorrent.exe",
          "downloadservice.exe",
          "weiyun.exe",
          "baidunetdisk.exe"
        ],
        "domain_suffix": ["smtp"],
        "domain_keyword": ["aria2"],
        "outbound": "❎ 直连"
      }
    ],
    "rule_set": [
      {
        "type": "remote",
        "tag": "geosite-geolocation-cn",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs"
      },
      {
        "type": "remote",
        "tag": "geoip-cn",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs"
      },
      {
        "type": "remote",
        "tag": "geosite-cn",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-cn.srs"
      },
      {
        "type": "remote",
        "tag": "geosite-apple@cn",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-apple@cn.srs"
      },
      {
        "type": "remote",
        "tag": "geosite-category-games@cn",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-category-games@cn.srs"
      },
      {
        "type": "remote",
        "tag": "ruleset-chinamax",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/shangguanhongxin/for-sing-box-and-surge/master/sing-box/ChinaMax/ChinaMax_All.srs"
      },
      {
        "type": "remote",
        "tag": "geosite-private",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-private.srs"
      },
      {
        "type": "remote",
        "tag": "geosite-geolocation-!cn",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/CHIZI-0618/v2ray-rules-dat/release/singbox_rule_set/geosite-geolocation-!cn.srs"
      },
      {
        "type": "remote",
        "tag": "geosite-netflix",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-netflix.srs"
      }
    ],
    "auto_detect_interface": true,
    "final": "✨ 自动选择节点"
  },
  "experimental": {}
}

Note

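In fact, if I only cared about my own use, I would not need to touch the server configuration at all: routing Netflix traffic to a WireGuard outbound in my own client configuration would be enough. But I didn't want the hassle and I don't care about latency, so I use the same client configuration file that I give my friends.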
