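I have always disliked V2Ray's configuration file (and I still do): it feels messy and unclear, with the different inbounds and outbounds mixed together so that you cannot cleanly separate one service from another. That said, this is also a reflection of V2Ray's flexibility.
Put simply, V2Ray has no distinction between server and client; or rather, the client and the server live in the same program. inbounds act as the server side: they accept requests from clients and correspond to the client's outbounds. outbounds act as the client side: they send requests to a server and correspond to the server's inbounds. Within one V2Ray instance, inbounds and outbounds are connected by routing, which defines which of the outbounds traffic should be sent to once one of my inbounds has received it. So V2Ray can do this: an inbound receives traffic, routing is consulted, and the traffic is forwarded to the specified outbound according to the routing settings.
The transparent proxy configuration comes from the plain-language V2Ray tutorial: https://toutyrater.github.io/app/tproxy.html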
{
  "inbounds": [
    {
      "tag": "home",
      "port": YOUR PORT,
      "protocol": "vmess",
      "settings": {
        "clients": [{ "id": YOUR ID }]
      }
    },
    {
      "tag": "transparent",
      "port": 12345,
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy"
        }
      }
    },
    {
      "port": 1080,
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      },
      "settings": {
        "auth": "noauth"
      }
    }
  ],
  "outbounds": [
    {
      "tag": "proxy",
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "xx.xx.xx.xx",
            "port": 1231,
            "users": [{ "id": "YOUR VPS ID" }]
          }
        ]
      },
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      },
      "mux": {
        "enabled": true
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "UseIP"
      },
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      }
    },
    {
      "tag": "block",
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      }
    },
    {
      "tag": "dns-out",
      "protocol": "dns",
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      }
    }
  ],
  "dns": {
    "servers": [
      "8.8.8.8",
      "1.1.1.1",
      "114.114.114.114",
      {
        "address": "223.5.5.5",
        "port": 53,
        "domains": [
          "geosite:cn",
          "ntp.org",
          "144.202.94.28"
        ]
      }
    ]
  },
  "routing": {
    "domainStrategy": "IPOnDemand",
    "rules": [
      {
        "type": "field",
        "inboundTag": ["home"],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "inboundTag": [
          "transparent"
        ],
        "port": 53,
        "network": "udp",
        "outboundTag": "dns-out"
      },
      {
        "type": "field",
        "inboundTag": [
          "transparent"
        ],
        "port": 123,
        "network": "udp",
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "ip": [
          "223.5.5.5",
          "114.114.114.114"
        ],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "ip": [
          "8.8.8.8",
          "1.1.1.1"
        ],
        "outboundTag": "proxy"
      },
      {
        "type": "field",
        "domain": [
          "geosite:category-ads-all"
        ],
        "outboundTag": "block"
      },
      {
        "type": "field",
        "protocol": ["bittorrent"],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "ip": [
          "geoip:private"
        ],
        "outboundTag": "direct"
      }
    ]
  }
}
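To make the inbound, routing, outbound flow described above concrete, here is an added example (not part of the original post and not V2Ray's own code) that models how the rules in this config pick an outbound: rules are checked top to bottom, all fields in a rule must match, and unmatched traffic goes to the first outbound. Assumptions: the function names are hypothetical, the domain and protocol rules are omitted because they depend on sniffed data, and `geoip:private` is approximated with Python's `is_private`.

```python
import ipaddress

# Subset of the routing rules from the config above, in the same order.
# The domain and protocol rules are left out of this model (assumption).
RULES = [
    {"inboundTag": ["home"], "outboundTag": "direct"},
    {"inboundTag": ["transparent"], "port": 53, "network": "udp", "outboundTag": "dns-out"},
    {"inboundTag": ["transparent"], "port": 123, "network": "udp", "outboundTag": "direct"},
    {"ip": ["223.5.5.5", "114.114.114.114"], "outboundTag": "direct"},
    {"ip": ["8.8.8.8", "1.1.1.1"], "outboundTag": "proxy"},
    {"ip": ["geoip:private"], "outboundTag": "direct"},
]
DEFAULT_OUTBOUND = "proxy"  # first entry in "outbounds"; used when no rule matches


def ip_matches(patterns, dest_ip):
    """True if dest_ip matches any pattern (geoip:private ~ is_private, an approximation)."""
    addr = ipaddress.ip_address(dest_ip)
    return any(addr.is_private if p == "geoip:private"
               else addr in ipaddress.ip_network(p) for p in patterns)


def rule_matches(rule, inbound, network, ip, port):
    """Every field present in the rule must match (logical AND)."""
    if "inboundTag" in rule and inbound not in rule["inboundTag"]:
        return False
    if "port" in rule and port != rule["port"]:
        return False
    if "network" in rule and network not in rule["network"].split(","):
        return False
    if "ip" in rule and not ip_matches(rule["ip"], ip):
        return False
    return True


def route(inbound, network, ip, port, rules=RULES):
    """Return the outboundTag of the first matching rule, else the default outbound."""
    for rule in rules:
        if rule_matches(rule, inbound, network, ip, port):
            return rule["outboundTag"]
    return DEFAULT_OUTBOUND


if __name__ == "__main__":
    # Constructed sample flows: (inbound tag, network, destination IP, destination port)
    for f in [("home", "tcp", "192.168.1.10", 22),
              ("transparent", "udp", "8.8.8.8", 53),
              ("transparent", "tcp", "8.8.8.8", 853),
              ("transparent", "tcp", "93.184.216.34", 443)]:
        print(f, "->", route(*f))
```

Two things stand out when the rules are evaluated this way: everything arriving on the `home` VMess inbound exits via `direct`, including LAN addresses, and rule order decides that UDP port 53 to 8.8.8.8 from the transparent inbound is handled by `dns-out` rather than `proxy`.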
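For the case where the CPU may become fully loaded, see: "v2ray tproxy transparent proxy causes 100% CPU usage".
Next, the iptables rules need to be configured; see the link: "Configuring transparent proxy rules". (When setting up the iptables rules, if you apply the part that proxies the gateway machine itself, connections across NAT will fail; that is, after the router sets up port forwarding, the side router cannot be reached from the outside network. See: "When v2ray acts as the intranet gateway, accessing LAN servers from the public Internet fails". That being the case, just don't proxy the gateway machine itself.)
As for using V2Ray as a VPN: to be honest, V2Ray does not qualify, because it only supports TCP/UDP. I use it as a complement to WireGuard, as a precaution against UDP interference, though for now this is only preparation.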