特别鸣谢: O大佬的天书和一对一地指导;XBB 大佬 亲自规划 亲自手打;PH 大佬 折腾无极限;Mike大佬 看看帮助下 的全力支持

安装过程中如果出错,运行此命令查看
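# Follow the sing-box journal while installing. The option is two ASCII hyphens ("--output");
# the en dash "–output" that copy/paste often produces is rejected by journalctl.
sudo journalctl -u sing-box --output cat -f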

下面正式开始:
全新ubuntu23.10

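# Base system refresh and the packages the rest of the guide uses (curl, git, a C toolchain); run as root.
apt update
apt upgrade -y
dpkg-reconfigure tzdata   # interactive: pick this host's time zone (the note must not be on the command line itself)
apt -y install curl git build-essential libssl-dev libevent-dev zlib1g-dev gcc-mingw-w64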

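# Fetch the Go toolchain. "-f" makes curl fail on an HTTP error instead of saving an error page
# that tar would then choke on; "-L" follows go.dev's download redirect.
curl -fL https://go.dev/dl/go1.21.4.linux-amd64.tar.gz -o go1.21.4.linux-amd64.tar.gz
# Compare this digest with the SHA256 published for go1.21.4.linux-amd64.tar.gz on https://go.dev/dl/
# before extracting: everything built below trusts this toolchain.
sha256sum go1.21.4.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.21.4.linux-amd64.tar.gz
# Put Go on PATH for future logins, then for this shell.
echo 'export PATH=$PATH:/usr/local/go/bin' > /etc/profile.d/golang.sh
source /etc/profile.d/golang.sh
# Build sing-box from source with the listed feature tags. "@latest" resolves to whatever the newest
# release is at build time; pin a version (as the test-version variant below does) for a reproducible build.
go install -v -tags with_quic,with_grpc,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_clash_api,with_gvisor,with_v2ray_api,with_lwip,with_acme github.com/sagernet/sing-box/cmd/sing-box@latest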

测试版本与上面正式版本二选一:
# Pre-release build pinned to v1.8.0-alpha.12 (note: it omits the with_acme tag used above).
# Run this OR the @latest command above, not both; the last one run overwrites $(go env GOPATH)/bin/sing-box.
go install -v -tags with_quic,with_grpc,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_clash_api,with_gvisor,with_v2ray_api,with_lwip github.com/sagernet/sing-box/cmd/sing-box@v1.8.0-alpha.12

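# Install the freshly built binary and create its config directory.
cp -- "$(go env GOPATH)/bin/sing-box" /usr/local/bin/   # quoted: GOPATH may contain spaces
mkdir -p /usr/local/etc/sing-box
# config.json (pasted below) holds the outbound uuid and the Reality public_key/short_id, and the
# log file is written here too — keep the directory readable by root only.
chmod 700 /usr/local/etc/sing-box

nano /etc/systemd/system/sing-box.service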

下面是sing-box.service文件内容:

[Unit]
Description=sing-box service
Documentation=https://sing-box.sagernet.org
After=network.target nss-lookup.target

[Service]
# No User= is set, so the process runs as root; the bounding set still trims root to the two
# capabilities the config needs: CAP_NET_ADMIN (tproxy inbound, socket marks) and
# CAP_NET_BIND_SERVICE (the "dns-in" inbound on port 53).
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
# No WorkingDirectory= is set, so systemd's default of / is what makes the relative paths in
# config.json ("usr/local/etc/sing-box/sing-box.log", "root/geoip.db", "root/geosite.db") resolve.
# Running the same command by hand from another directory will not find them — prefer absolute paths.
ExecStart=/usr/local/bin/sing-box run -c /usr/local/etc/sing-box/config.json
Restart=on-failure
# 1800s = 30 minutes between a crash and the restart. This process is also the LAN's DNS ("dns-in")
# and the tproxy target, so clients have no connectivity for that whole window; a few seconds is more usual.
RestartSec=1800s
LimitNOFILE=infinity

[Install]
WantedBy=multi-user.target
nano /usr/local/etc/sing-box/config.json     (这里复制黏贴下面的json文件内容)
  {
"log": {
"disabled": false,
"level": "info",
"output": "usr/local/etc/sing-box/sing-box.log",
"timestamp": true
},
"dns": {
"servers": [
{
"tag": "mosdns",
"address": "udp://192.168.66.10:53",
"strategy": "ipv4_only",
"detour": "direct"
},
{
"tag": "block",
"address": "rcode://success"
}
],
"strategy": "prefer_ipv4",
"disable_cache": false,
"disable_expire": false
},
"inbounds": [
{
"type": "mixed",
"listen": "::",
"listen_port": 10000
},
{
"type": "direct",
"tag": "dns-in",
"network": "udp",
"listen": "::",
"listen_port": 53
},
{
"type": "tproxy",
"tag": "tproxy-in",
"listen": "::",
"listen_port": 7896,
"tcp_fast_open": true,
"udp_fragment": true,
"sniff": true,
"sniff_override_destination": true,
"domain_strategy": "ipv4_only",
"sniff_timeout": "300ms",
"udp_timeout": 300
}
],
"outbounds": [
{
"type": "vless",
"tag": "proxy",
"server": "142.171.157.46",
"server_port": 19573,
"uuid": "1c8776e2-901f-4a0c-b298-3e3cc738f8b2",
"flow": "xtls-rprx-vision",
"tls": {
"enabled": true,
"server_name": "www.lovelive-anime.jp",
"utls": {
"enabled": true,
"fingerprint": "chrome"
},
"reality": {
"enabled": true,
"public_key": "4comh-7Jm_wZXJQ5QiLSCbVGQIbMUzHUIBdb0aFtLzM",
"short_id": "609f93a8"
}
},
"packet_encoding": "xudp"
},
{
"type": "direct",
"tag": "direct"
},
{
"type": "block",
"tag": "block"
},
{
"type": "dns",
"tag": "mosdns"
}
],
"route": {
"geoip": {
"path": "root/geoip.db",
"download_url": "https://github.com/SagerNet/sing-geoip/releases/latest/download/geoip.db",
"download_detour": "proxy"
},
"geosite": {
"path": "root/geosite.db",
"download_url": "https://github.com/SagerNet/sing-geosite/releases/latest/download/geosite.db",
"download_detour": "proxy"
},
"rules": [
{
"inbound": "dns-in",
"outbound": "mosdns"
},
{
"protocol": "dns",
"outbound": "mosdns"
},
{
"network": "udp",
"port": 443,
"outbound": "block"
},
{
"geosite": "cn",
"geoip": [
"private",
"cn"
],
"outbound": "direct"
},
{
"geosite": "category-ads-all",
"outbound": "block"
}
],
"final": "proxy",
"auto_detect_interface": true,
"default_mark": 1
},
"experimental": {
"clash_api": {
"external_controller": "0.0.0.0:9090",
"store_selected": true
}
}
}
sudo nano /etc/sysctl.conf( 优先改动下面这个)
# Line to add to /etc/sysctl.conf: let this host forward packets (needed for the WireGuard clients that
# /etc/nftables.conf below masquerades out of ens18). Note that the nftables ruleset on this page has
# no forward filter chain, so nothing on this host restricts what gets forwarded once this is on.
net.ipv4.ip_forward=1
# Re-read every sysctl file so the setting takes effect without a reboot.
sysctl --system

ubuntu open port 53

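# Free port 53 for sing-box's "dns-in" inbound: show who owns it now, then disable the
# systemd-resolved stub listener (which normally occupies 127.0.0.53:53) and restart resolved.
sudo lsof -i :53
sudo nano /etc/systemd/resolved.conf
#   in resolved.conf set:
#   DNSStubListener=no
sudo systemctl reload-or-restart systemd-resolved
# "dns-in" listens on "::" (every address, v4 and v6). On a host that also has a public interface
# that is an open resolver — restrict it with a firewall rule or bind it to the LAN address.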

# Self-signed P-256 key and ~100-year certificate (CN=bing.com) under /root/hysteria.
# Nothing in the config.json on this page references these files, so this step only matters
# if a hysteria inbound is added later.
mkdir -p /root/hysteria \
  && openssl ecparam -genkey -name prime256v1 -out /root/hysteria/private.key \
  && openssl req -new -x509 -days 36500 \
       -key /root/hysteria/private.key \
       -out /root/hysteria/cert.pem \
       -subj "/CN=bing.com"
# Enable at boot and start now, then confirm it is running; on failure use the journalctl
# command from the top of the page.
systemctl enable --now sing-box
systemctl status sing-box

tproxy nftables :

# Unit that installs the policy-routing rules tproxy needs (touch is optional: nano creates the file on save).
sudo touch /etc/systemd/system/singbox-route.service
sudo nano /etc/systemd/system/singbox-route.service

粘贴下面内容

[Unit]
Description=sing-box TProxy Rules
After=network.target
Wants=network.target

[Service]
# Redundant (root is the default for system services) but harmless.
User=root
Type=oneshot
# Keeps the unit "active" after ExecStart finishes so `systemctl stop` runs ExecStop and removes the rules.
RemainAfterExit=yes
# Policy routing for tproxy: packets carrying fwmark 1 (set by the nftables chains in
# /etc/nftables.conf and by sing-box's own "default_mark": 1) are looked up in tables 100/101,
# whose only route delivers them to the local stack via lo, where the prerouting tproxy rule picks them up.
# systemd only treats " ; " (a semicolon surrounded by spaces) as a command separator, so the spaces are required.
# The separator does not stop on error: if one command fails (e.g. the rule already exists) the rest still run.
ExecStart=/sbin/ip rule add fwmark 1 table 100 ; /sbin/ip route add local default dev lo table 100 ; /sbin/ip -6 rule add fwmark 1 table 101 ; /sbin/ip -6 route add local ::/0 dev lo table 101
ExecStop=/sbin/ip rule del fwmark 1 table 100 ; /sbin/ip route del local default dev lo table 100 ; /sbin/ip -6 rule del fwmark 1 table 101 ; /sbin/ip -6 route del local ::/0 dev lo table 101

[Install]
WantedBy=multi-user.target
systemctl enable --now singbox-route


# Now the nftables ruleset that marks traffic and redirects it into sing-box's tproxy inbound.
nano /etc/nftables.conf

粘贴下面内容:

    # Transparent-proxy ruleset for sing-box. It only marks and redirects; there is no input or forward
    # filter chain, so nothing here limits who can reach the "mixed" inbound (:10000), the "dns-in"
    # inbound (:53) or the Clash API ("external_controller": "0.0.0.0:9090", no "secret" set in config.json)
    # from any attached interface, nor what is forwarded once net.ipv4.ip_forward=1. Add a filter table
    # or bind those services to the LAN address.
    table inet singbox {
# Destinations that must never be sent to the proxy: private (RFC 1918), loopback, link-local and
# reserved ranges. "flags interval" lets the set hold CIDR prefixes.
set local_ipv4 {
type ipv4_addr
flags interval
elements = {
10.0.0.0/8,
127.0.0.0/8,
169.254.0.0/16,
172.16.0.0/12,
192.168.0.0/16,
240.0.0.0/4
}
}

# Same idea for IPv6: mapped/translated, documentation, ULA and link-local space stays local.
set local_ipv6 {
type ipv6_addr
flags interval
elements = {
::ffff:0.0.0.0/96,
64:ff9b::/96,
100::/64,
2001::/32,
2001:10::/28,
2001:20::/28,
2001:db8::/32,
2002::/16,
fc00::/7,
fe80::/10
}
}

# Forwarded/looped-back traffic: skip anything addressed to this host or to the local ranges above
# and NTP (udp/123), otherwise mark it and hand it to sing-box's "tproxy-in" inbound (listen_port 7896).
# Mark 1 is the fwmark the policy rules in singbox-route.service route through lo.
chain singbox-tproxy {
fib daddr type { unspec, local, anycast, multicast } return
ip daddr @local_ipv4 return
ip6 daddr @local_ipv6 return
udp dport { 123 } return
meta l4proto { tcp, udp } meta mark set 1 tproxy to :7896 accept
}

# Locally generated traffic only gets the mark; the fwmark-1 policy route then loops it back through
# lo, where mangle-prerouting sends it to singbox-tproxy.
chain singbox-mark {
fib daddr type { unspec, local, anycast, multicast } return
ip daddr @local_ipv4 return
ip6 daddr @local_ipv6 return
udp dport { 123 } return
meta mark set 1
}

# "skgid != 1": sockets owned by gid 1 are exempt from proxying. sing-box.service above sets no
# User=/Group=, so sing-box itself runs as root (gid 0) and is NOT exempted by this clause; its own
# outbound traffic presumably escapes the loop through "default_mark": 1 and "auto_detect_interface": true
# in config.json instead — TODO(review): confirm there is no loop before relying on it.
# "ct direction original": only the initiating direction of a connection is considered.
chain mangle-output {
type route hook output priority mangle; policy accept;
meta l4proto { tcp, udp } skgid != 1 ct direction original goto singbox-mark
}

# Traffic entering from loopback, the WireGuard tunnel and the LAN NIC is eligible for tproxy.
# Replace wg0/ens18 with this host's interface names.
chain mangle-prerouting {
type filter hook prerouting priority mangle; policy accept;
iifname { wg0, lo, ens18 } meta l4proto { tcp, udp } ct direction original goto singbox-tproxy
}
}
# NAT for WireGuard clients. PREROUTING/INPUT/OUTPUT are empty placeholders; only POSTROUTING has a rule.
table ip wg2nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
}

chain INPUT {
type nat hook input priority 100; policy accept;
}

chain OUTPUT {
type nat hook output priority -100; policy accept;
}

# Masquerade the WireGuard subnet (10.7.0.0/24, adjust to yours) when it leaves through ens18.
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname "ens18" ip saddr 10.7.0.0/24 masquerade comment "wireguard-nat-rule"
}
}
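# Parse the file first: a syntax error discovered only after the flush would leave the host with
# no ruleset at all.
nft -c -f /etc/nftables.conf
# "flush ruleset" removes every table, including any created by other tools (e.g. the WireGuard
# installer further down this page); "-f" then loads only what is in the file.
nft flush ruleset
nft -f /etc/nftables.conf
nft list ruleset
# Load /etc/nftables.conf at boot from now on.
systemctl enable --now nftables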

修改后:

# After editing /etc/nftables.conf: reload the ruleset, then reboot to verify everything comes up on its own.
systemctl restart nftables
reboot

WG 的安装:

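# Without a scheme wget fetches over plain http; use https so the installer cannot be swapped in transit.
wget https://git.io/wireguard -O wireguard-install.sh
# Read the downloaded script before running it: it executes as root and changes firewall and routing.
bash wireguard-install.sh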

下面10.7.0.0 是WG 网段, 要替换自己的, 下面的10.0.0.218 是我的SINGBOX VM IP , 还有51820 端口,都要替换自己的

# Unit that adds the WireGuard NAT/forwarding rules (touch is optional: nano creates the file on save).
sudo touch /etc/systemd/system/wg-route.service
sudo nano /etc/systemd/system/wg-route.service
[Unit]
# Ordered before the network comes up. nft itself does not need the network, but the "ip nat" and
# "ip filter" tables these rules are added to are not defined in /etc/nftables.conf above (it creates
# "inet singbox" and "ip wg2nat") — presumably the WireGuard installer creates them. If they do not
# exist when this unit runs, the first ExecStart fails and the remaining ones are skipped. TODO(review): confirm.
Before=network.target
[Service]
Type=oneshot
# Replace 10.7.0.0/24, 10.0.0.218 and 51820 with this host's WireGuard subnet, LAN address and port.
# NOTE(review): wg2nat in /etc/nftables.conf already masquerades 10.7.0.0/24 out of ens18, so this
# SNAT rule source-NATs the same traffic a second time in another table — keep one of the two.
ExecStart=/usr/sbin/nft add rule ip nat POSTROUTING ip saddr 10.7.0.0/24 oifname != lo snat 10.0.0.218
ExecStart=/usr/sbin/nft add rule ip filter INPUT udp dport 51820 counter accept
ExecStart=/usr/sbin/nft add rule ip filter FORWARD ip saddr 10.7.0.0/24 counter accept
ExecStart=/usr/sbin/nft add rule ip filter FORWARD ct state related,established counter accept
# `nft delete rule` identifies a rule by `handle <n>`, not by repeating its expression, so these
# ExecStop lines are unlikely to remove anything and will report an error; look the handles up with
# `nft -a list ruleset` or flush the affected chains instead. TODO(review): confirm against the installed nft.
ExecStop=/usr/sbin/nft delete rule ip nat POSTROUTING ip saddr 10.7.0.0/24 oifname != lo snat 10.0.0.218
ExecStop=/usr/sbin/nft delete rule ip filter INPUT udp dport 51820 counter accept
ExecStop=/usr/sbin/nft delete rule ip filter FORWARD ip saddr 10.7.0.0/24 counter accept
ExecStop=/usr/sbin/nft delete rule ip filter FORWARD ct state related,established counter accept
# Keeps the unit "active" after ExecStart so `systemctl stop` runs ExecStop.
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
# Enable the WireGuard rule unit at boot and start it now, then reboot to confirm the whole chain
# (sing-box, singbox-route, nftables, wg-route) comes up unattended.
systemctl enable --now wg-route
reboot