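In modern network environments, many devices (IoT devices in particular) do not support manual proxy configuration. The Fake-IP transparent proxy scheme emerged to let these devices use a proxy as well, while keeping client configuration simple. Combined with VyOS's powerful routing capabilities and a sing-box container, it can form an efficient, stable, network-wide transparent proxy system that clients never notice.
What is Fake-IP traffic splitting?
Fake-IP is a clever transparent proxy technique. Unlike the traditional TProxy / Redirect approaches, its core idea is to intervene at the DNS resolution stage rather than forcibly rewriting the destination address at the forwarding stage.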
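How it works:
- DNS hijacking and spoofing: when a LAN device queries a proxied domain (such as google.com), VyOS hijacks the DNS request and sends it to the sing-box container.
- Returning a "fake IP": sing-box does not return the real IP of google.com. Instead it returns an internally preset, private "fake IP" (usually an address in the 198.18.0.0/16 range). At the same time, sing-box maintains an internal mapping table: fake IP <=> real domain.
- Traffic interception and redirection: once the LAN device has the fake IP, it tries to connect to it. Because the fake IP is not on the local network, the traffic passes through the VyOS router. There, VyOS's Policy-Based Routing (PBR) matches all traffic destined for 198.18.0.0/16 and redirects it to the TUN interface inside the sing-box container.
- Proxy handling and forwarding: when sing-box receives this "fake IP" traffic, it looks up its internal mapping table to find the corresponding real domain. It then forwards the traffic to the real destination server like an ordinary proxy, applying encryption, obfuscation and so on.
- Returning the real data: the response from the destination server is processed by sing-box and returned to the LAN device, which is entirely unaware of the process.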
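The mapping table described above, as an added example that is not part of the original article and is not sing-box's own allocation code. `FakeIPPool`, `resolve`, `lookup` and the `capacity` parameter are hypothetical names; the model shows why a recycled fake address is a hazard for clients that cache DNS answers, which is what a short TTL on fake answers guards against.

```python
import ipaddress
from collections import OrderedDict


class FakeIPPool:
    """Toy model of a Fake-IP DNS server: domain <-> fake address mapping."""

    def __init__(self, cidr="198.18.0.0/16", capacity=None):
        self.network = ipaddress.ip_network(cidr)
        # Skip the network and broadcast addresses of the pool.
        self.first = int(self.network.network_address) + 1
        self.size = self.network.num_addresses - 2
        if capacity is not None:
            self.size = min(self.size, capacity)  # shrunk pool for demonstration
        self.cursor = 0
        self.by_domain = OrderedDict()  # domain -> fake IP, oldest first
        self.by_ip = {}                 # fake IP -> domain

    def resolve(self, domain):
        """DNS side: return the fake A record for a proxied domain."""
        domain = domain.rstrip(".").lower()
        if domain in self.by_domain:
            self.by_domain.move_to_end(domain)
            return self.by_domain[domain]
        if len(self.by_domain) >= self.size:
            # Pool exhausted: recycle the least recently resolved entry.
            # A client still caching this address now reaches another domain.
            _, ip = self.by_domain.popitem(last=False)
            del self.by_ip[ip]
        else:
            ip = ipaddress.ip_address(self.first + self.cursor)
            self.cursor += 1
        self.by_domain[domain] = ip
        self.by_ip[ip] = domain
        return ip

    def lookup(self, dst):
        """TUN side: map a connection's destination back to its domain."""
        ip = ipaddress.ip_address(dst)
        if ip not in self.network:
            return None  # a real address, nothing to translate
        return self.by_ip.get(ip)  # None: stale or never-issued fake IP


if __name__ == "__main__":
    pool = FakeIPPool(capacity=2)  # constructed two-entry pool
    for name in ("google.com", "youtube.com", "github.com"):
        print(name, "->", pool.resolve(name))
    print("198.18.0.1 now maps to", pool.lookup("198.18.0.1"))
```
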
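1. Preparation
Before you start configuring, make sure that:
- The sing-box configuration file has been placed at /config/sing-box/config.json (VyOS's /config directory is preserved across system upgrades).
- In config.json, the inbounds section is configured to use tun mode, with the interface name usually set to tun0.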
"inbounds": [
  {
    "tag": "tun-in",
    "type": "tun",
    "address": [
      "172.19.0.1/30",
      "fdfe:dcba:9876::1/126"
    ],
    "mtu": 9000,
    "auto_route": false, # automatic routing must be disabled
    "auto_redirect": false,
    "strict_route": false
  },
  {
    "type": "direct",
    "tag": "dns-in",
    "listen": "::",
    "listen_port": 5353 # used during initial testing; switch to 53 once everything is configured
  }
]
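2. VyOS container configuration steps
# You can test-pull the image first; later image upgrades are done the same way. (Without a proxy this may fail.)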
vyos@vyos:~$ add container image 'ghcr.io/sagernet/sing-box:latest'
Trying to pull ghcr.io/sagernet/sing-box:latest...
Getting image source signatures
Copying blob sha256:1c116ca82953a8d28c25ac42d976e6ba742508f020503f1f44bdcf7e4857883f
Copying blob sha256:1074353eec0db2c1d81d5af2671e56e00cf5738486f5762609ea33d606f88612
Copying blob sha256:0d53acfd02e5690a149f7a49a6b96b59f195d7a7639b7e6ee0db852a46737333
Copying config sha256:a15113fcda852dde401be0aed78270a1915bac63ede970b02f1b81728bcc6eaf
Writing manifest to image destination
a15113fcda852dde401be0aed78270a1915bac63ede970b02f1b81728bcc6eaf
Enter configuration mode and run the following commands:
# 1. Define the sing-box container
set container name sing-box image 'ghcr.io/sagernet/sing-box:latest'
# 2. Grant the network administration capability (required, otherwise the TUN device cannot be operated)
set container name sing-box capability 'net-admin'
# 3. Map the host's TUN device into the container
set container name sing-box device tun destination '/dev/net/tun'
set container name sing-box device tun source '/dev/net/tun'
# 4. Use the host network stack (makes it easy to take over routing directly)
set container name sing-box allow-host-networks
# 5. Mount the configuration file path
set container name sing-box volume config destination '/etc/sing-box'
set container name sing-box volume config source '/config/sing-box'
# 6. Set the start-up arguments: the run command and the configuration file path
set container name sing-box arguments 'run -c /etc/sing-box/config.json'
# 7. Set the restart policy
set container name sing-box restart 'always'
# Commit and save
commit
save
3. In-depth look at the key configuration items
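TUN device mapping (device tun)
This is the most essential part. /dev/net/tun is the character device the Linux kernel exposes to user space for creating virtual network interfaces.
- Source: the physical path on the host.
- Destination: the path visible inside the container.
- Only through this mapping can sing-box call the kernel interface at container start-up to create the tun0 interface.
Network capability declaration (capability net-admin)
By default, container privileges are restricted. net-admin grants the container "administrator-level" network privileges such as modifying the routing table, configuring interfaces and setting firewall rules. Combined with the host network mode below, these privileges apply to the VyOS host's own network stack.
Network mode (allow-host-networks)
Host network mode (Host Mode) is used to simplify the routing and traffic-splitting logic.
- The tun0 created by sing-box appears directly in VyOS's interface list (visible via ip addr).
- This avoids the extra NAT overhead of a container bridge and lets PBR (policy-based routing) point directly at tun0.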
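4. Verification and debugging
After configuration, you can check the running state with the following commands:
- Check whether the container is running: in operational mode, run show container to see the container status.
- View the sing-box log: in operational mode, run show container log sing-box; if there is an error, copy the log out and ask an AI.
- Confirm that the tun0 interface has appeared on the host: in operational mode, run show interfaces or ip addr show tun0.
If you have configured the dashboard, you can open it to check whether sing-box is running normally.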
ip addr show tun0
23: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 172.19.0.1/30 brd 172.19.0.3 scope global tun0
valid_lft forever preferred_lft forever
inet6 fdfe:dcba:9876::1/126 scope global
valid_lft forever preferred_lft forever
Here is my sing-box configuration file for your reference.
{
"dns": {
"servers": [
{
"tag": "local",
"type": "udp",
"server": "119.29.29.29"
},
{
"tag": "public",
"type": "https",
"server": "dns.alidns.com",
"domain_resolver": "local"
},
{
"tag": "foreign",
"type": "https",
"server": "dns.google",
"domain_resolver": "local"
},
{
"tag": "fakeip",
"type": "fakeip",
"inet4_range": "198.18.0.0/15",
"inet6_range": "fc00::/18"
}
],
"rules": [
{
"clash_mode": "direct",
"server": "local"
},
{
"clash_mode": "global",
"server": "fakeip"
},
{
"query_type": "HTTPS",
"action": "reject"
},
{
"rule_set": [
"geosite-cn",
"geosite-steamcn",
"geosite-apple"
],
"server": "local"
},
{
"query_type": [
"A",
"AAAA"
],
"server": "fakeip",
"rewrite_ttl": 1
}
],
"final": "foreign",
"strategy": "prefer_ipv6",
"independent_cache": true
},
"outbounds": [
{
"tag": "🚀 默认代理",
"type": "selector",
"outbounds": [
"🐸 手动选择",
"♻️ 自动选择"
]
},
{
"tag": "🧠 AI",
"type": "selector",
"outbounds": [
"🚀 默认代理",
"🐸 手动选择",
"♻️ 自动选择"
]
},
{
"tag": "📹 YouTube",
"type": "selector",
"outbounds": [
"🚀 默认代理",
"🐸 手动选择",
"♻️ 自动选择"
]
},
{
"tag": "🍀 Google",
"type": "selector",
"outbounds": [
"🚀 默认代理",
"🐸 手动选择",
"♻️ 自动选择"
]
},
{
"tag": "👨💻 Github",
"type": "selector",
"outbounds": [
"🚀 默认代理",
"🐸 手动选择",
"♻️ 自动选择"
]
},
{
"tag": "📲 Telegram",
"type": "selector",
"outbounds": [
"🚀 默认代理",
"🐸 手动选择",
"♻️ 自动选择"
]
},
{
"tag": "🎵 TikTok",
"type": "selector",
"outbounds": [
"🚀 默认代理",
"🐸 手动选择",
"♻️ 自动选择"
]
},
{
"tag": "🎥 Netflix",
"type": "selector",
"outbounds": [
"🚀 默认代理",
"🐸 手动选择",
"♻️ 自动选择"
]
},
{
"tag": "💶 PayPal",
"type": "selector",
"outbounds": [
"🚀 默认代理",
"🐸 手动选择",
"♻️ 自动选择"
]
},
{
"tag": "🎮 Steam",
"type": "selector",
"outbounds": [
"🚀 默认代理",
"🐸 手动选择",
"♻️ 自动选择"
]
},
{
"tag": "🪟 Microsoft",
"type": "selector",
"outbounds": [
"🚀 默认代理",
"🐸 手动选择",
"♻️ 自动选择"
]
},
{
"tag": "🐬 OneDrive",
"type": "selector",
"outbounds": [
"🚀 默认代理",
"🐸 手动选择",
"♻️ 自动选择"
]
},
{
"tag": "🍏 Apple",
"type": "selector",
"outbounds": [
"🎯 全球直连",
"🚀 默认代理",
"🐸 手动选择",
"♻️ 自动选择"
]
},
{
"tag": "🐠 漏网之鱼",
"type": "selector",
"outbounds": [
"🚀 默认代理",
"🎯 全球直连"
]
},
{
"tag": "🐸 手动选择",
"type": "selector",
"outbounds": [
"节点1",
"节点2",
"节点3"
]
},
{
"tag": "♻️ 自动选择",
"type": "urltest",
"outbounds": [
"节点1",
"节点2",
"节点3"
],
"interval": "10m",
"tolerance": 100
},
{
"tag": "🍃 延迟辅助",
"type": "urltest",
"outbounds": [
"🚀 默认代理",
"🎯 全球直连"
]
},
{
"tag": "GLOBAL",
"type": "selector",
"outbounds": [
"🚀 默认代理",
"🧠 AI",
"📹 YouTube",
"🍀 Google",
"👨💻 Github",
"📲 Telegram",
"🎵 TikTok",
"🎥 Netflix",
"💶 PayPal",
"🎮 Steam",
"🪟 Microsoft",
"🐬 OneDrive",
"🍏 Apple",
"🐠 漏网之鱼",
"🐸 手动选择",
"♻️ 自动选择",
"🍃 延迟辅助",
"🎯 全球直连"
]
},
{
"tag": "🎯 全球直连",
"type": "direct"
},
(node details are not shown here)
],
"route": {
"rules": [
{
"action": "sniff",
"sniffer": [
"http",
"tls",
"quic",
"dns"
]
},
{
"type": "logical",
"mode": "or",
"rules": [
{
"port": 53
},
{
"protocol": "dns"
}
],
"action": "hijack-dns"
},
{
"ip_is_private": true,
"outbound": "🎯 全球直连"
},
{
"clash_mode": "direct",
"outbound": "🎯 全球直连"
},
{
"clash_mode": "global",
"outbound": "GLOBAL"
},
{
"rule_set": "geosite-adobe",
"action": "reject"
},
{
"rule_set": "geosite-ai",
"outbound": "🧠 AI"
},
{
"rule_set": "geosite-youtube",
"outbound": "📹 YouTube"
},
{
"rule_set": "geosite-google",
"outbound": "🍀 Google"
},
{
"rule_set": "geosite-github",
"outbound": "👨💻 Github"
},
{
"rule_set": "geosite-onedrive",
"outbound": "🐬 OneDrive"
},
{
"rule_set": "geosite-microsoft",
"outbound": "🪟 Microsoft"
},
{
"rule_set": "geosite-apple",
"outbound": "🍏 Apple"
},
{
"rule_set": "geosite-telegram",
"outbound": "📲 Telegram"
},
{
"rule_set": "geosite-tiktok",
"outbound": "🎵 TikTok"
},
{
"rule_set": "geosite-netflix",
"outbound": "🎥 Netflix"
},
{
"rule_set": "geosite-paypal",
"outbound": "💶 PayPal"
},
{
"rule_set": "geosite-steamcn",
"outbound": "🎯 全球直连"
},
{
"rule_set": "geosite-steam",
"outbound": "🎮 Steam"
},
{
"rule_set": "geosite-!cn",
"outbound": "🚀 默认代理"
},
{
"rule_set": "geosite-cn",
"outbound": "🎯 全球直连"
},
{
"rule_set": "geoip-google",
"outbound": "🍀 Google"
},
{
"rule_set": "geoip-apple",
"outbound": "🍏 Apple"
},
{
"rule_set": "geoip-telegram",
"outbound": "📲 Telegram"
},
{
"rule_set": "geoip-netflix",
"outbound": "🎥 Netflix"
},
{
"rule_set": "geoip-cn",
"outbound": "🎯 全球直连"
}
],
"rule_set": [
{
"tag": "geosite-adobe",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://github.com/qljsyph/ruleset-icon/raw/refs/heads/main/sing-box/geosite/adobe.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geosite-ai",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/category-ai-!cn.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geosite-youtube",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/youtube.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geosite-google",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/google.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geosite-github",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/github.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geosite-onedrive",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/onedrive.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geosite-microsoft",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/microsoft.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geosite-apple",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/apple.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geosite-telegram",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/telegram.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geosite-tiktok",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/tiktok.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geosite-netflix",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/netflix.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geosite-paypal",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/paypal.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geosite-steamcn",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/steam@cn.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geosite-steam",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/steam.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geosite-!cn",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/geolocation-!cn.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geosite-cn",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geosite/cn.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geoip-google",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geoip/google.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geoip-apple",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo-lite/geoip/apple.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geoip-telegram",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geoip/telegram.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geoip-netflix",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geoip/netflix.srs",
"download_detour": "🎯 全球直连"
},
{
"tag": "geoip-cn",
"type": "remote",
"format": "binary",
"url": "https://gh-proxy.com/https://github.com/qljsyph/ruleset-icon/raw/refs/heads/main/sing-box/geoip/China-ASN-combined-ip.srs",
"download_detour": "🎯 全球直连"
}
],
"final": "🐠 漏网之鱼",
"auto_detect_interface": true,
"default_domain_resolver": {
"server": "public"
}
},
"inbounds": [
{
"tag": "tun-in",
"type": "tun",
"address": [
"172.19.0.1/30",
"fdfe:dcba:9876::1/126"
],
"mtu": 9000,
"auto_route": false,
"auto_redirect": false,
"strict_route": false
},
{
"type": "direct",
"tag": "dns-in",
"listen": "::",
"listen_port": 53
}
],
"experimental": {
"cache_file": {
"enabled": true,
"path": "/etc/sing-box/cache.db",
"store_fakeip": true
},
"clash_api": {
"external_controller": "0.0.0.0:9090",
"external_ui": "/etc/sing-box/ui",
"external_ui_download_url": "https://gh-proxy.com/https://github.com/Zephyruso/zashboard/archive/refs/heads/gh-pages.zip",
"external_ui_download_detour": "🎯 全球直连",
"secret": "",
"default_mode": "rule"
}
},
"log": {
"disabled": false,
"level": "info",
"timestamp": true
}
}
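A check a router operator may want to run against a configuration like the one above, as an added example that is not part of the original article or of sing-box. The function name `audit`, its `routed_prefix` argument (the destination prefix the router's PBR sends to tun0) and the `SAMPLE` excerpt are assumptions made for illustration. With host networking, any listener bound to a wildcard address is reachable on every router interface unless the firewall restricts it.

```python
import ipaddress

WILDCARDS = ("", "::", "[::]", "0.0.0.0")

# Constructed excerpt carrying only the relevant values from the config above.
SAMPLE = {
    "dns": {"servers": [
        {"tag": "fakeip", "type": "fakeip", "inet4_range": "198.18.0.0/15"}]},
    "inbounds": [
        {"tag": "tun-in", "type": "tun",
         "auto_route": False, "auto_redirect": False},
        {"tag": "dns-in", "type": "direct", "listen": "::", "listen_port": 53},
    ],
    "experimental": {"clash_api": {
        "external_controller": "0.0.0.0:9090", "secret": ""}},
}


def audit(cfg, routed_prefix):
    """Return a list of findings for a parsed sing-box config (a dict)."""
    findings = []
    api = cfg.get("experimental", {}).get("clash_api", {})
    ctrl = api.get("external_controller", "")
    if ctrl and ctrl.rsplit(":", 1)[0] in WILDCARDS and not api.get("secret"):
        findings.append("clash_api: listens on all interfaces with an empty secret")
    for ib in cfg.get("inbounds", []):
        tag = ib.get("tag", "?")
        if ib.get("type") == "tun" and (ib.get("auto_route") or ib.get("auto_redirect")):
            findings.append(f"{tag}: auto_route/auto_redirect is on, but the router does the PBR")
        if "listen_port" in ib and ib.get("listen") in WILDCARDS:
            findings.append(f"{tag}: port {ib['listen_port']} listens on all interfaces")
    routed = ipaddress.ip_network(routed_prefix)
    for srv in cfg.get("dns", {}).get("servers", []):
        if srv.get("type") == "fakeip" and "inet4_range" in srv:
            pool = ipaddress.ip_network(srv["inet4_range"])
            # Fake addresses outside the routed prefix never reach tun0.
            if not pool.subnet_of(routed):
                findings.append(f"fakeip pool {pool} is not fully covered by routed prefix {routed}")
    return findings


if __name__ == "__main__":
    # 198.18.0.0/16 is the prefix named in the article's description of PBR.
    for line in audit(SAMPLE, "198.18.0.0/16"):
        print("-", line)
```

To check a real file, load it with `json.load` and pass the resulting dict together with the prefix your policy route actually matches.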