Docker's Macvlan mode attaches a container to the host's physical NIC through an L2 virtual bridge, so the container gets its own IP address on the LAN. Combined with Clash's Tun mode, this gives an easy transparent-proxy gateway for the whole network.
The result is much like a Docker-hosted OpenWrt transparent proxy and works on the same principle: Docker OpenWrt also relies on Macvlan.
Below we build a transparent proxy gateway on Debian 12 based on Docker + mihomo, providing transparent proxying for LAN devices (domestic/overseas split routing + Fake-IP mode).
The following assumes Docker and Docker Compose are already installed and that you are comfortable with basic Docker commands.
First, create a working directory:

```bash
mkdir mihomo && cd mihomo
```
Next, create a `compose.yaml` file with the following content:
```yaml
services:
  mihomo:
    image: debian:stable
    container_name: mihomo
    privileged: false  # privileged mode is not needed
    restart: unless-stopped
    dns:
      - 127.0.0.1  # with fake-ip enabled this must be the container's own DNS, so Docker's embedded DNS does not interfere
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - ./app:/app
    command: ["/app/mihomo-linux-amd64-v1.19.10", "-d", "/app/config"]
    networks:
      macvlan_net:
        ipv4_address: 192.168.1.2  # replace with your static IP
    sysctls:
      net.ipv4.ip_forward: 1

networks:
  macvlan_net:
    driver: macvlan
    driver_opts:
      parent: enp1s0  # replace with the name of your physical NIC
    ipam:
      config:
        - subnet: 192.168.1.0/24  # replace with your subnet
          gateway: 192.168.1.1  # replace with your gateway
```
Save the above as `compose.yaml`, then create an `app` directory alongside it and place the `mihomo-linux-amd64-v1.19.10` executable inside:

```bash
mkdir app && cd app
wget https://github.com/MetaCubeX/mihomo/releases/download/v1.19.10/mihomo-linux-amd64-v1.19.10.gz
gzip -d mihomo-linux-amd64-v1.19.10.gz
chmod +x mihomo-linux-amd64-v1.19.10
```
Start the container once with docker compose first:

```bash
docker compose up -d
```
The directory tree now looks like this:

```text
# tree -L 2
.
├── app
│   ├── config
│   ├── example.yaml
│   └── mihomo-linux-amd64-v1.19.10
└── compose.yaml
```
Edit the `config/config.yaml` file and configure Clash Tun mode; a reference configuration follows:
```yaml
log-level: info
secret: "password"  # API / Web UI secret; replace with your own value
# Web UI
external-controller: 0.0.0.0:9090
external-ui: ui
external-ui-url: https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip
# custom geodata URLs
geox-url:
  geoip: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat"
  geosite: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat"
  mmdb: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.metadb"
# Tun
tun:
  enable: true
  stack: system  # gvisor/mixed
  dns-hijack:
    - 0.0.0.0:53  # DNS traffic to hijack
  auto-detect-interface: true  # detect the egress interface automatically
  auto-route: true  # set up the routing table
dns:
  enable: true
  ipv6: false  # disable IPv6 DNS queries
  listen: 0.0.0.0:53
  nameserver: [8.8.8.8, 1.1.1.1]
  fallback: [223.5.5.5, 223.6.6.6]
  fake-ip-range: 198.18.0.1/16  # virtual address range handed out in fake-ip mode
  enhanced-mode: fake-ip  # fake-ip mode: resists DNS poisoning and enables transparent proxying
  # split DNS queries by domain
  nameserver-policy:
    # domains hit by these rule sets are resolved by the domestic DNS
    RULE-SET:direct,apple,icloud,applications: [192.168.1.1]  # replace with your DNS server IP
  fake-ip-filter:
    - +.msftconnecttest.com
    - +.msftncsi.com
    - rule-set:direct
# subscription nodes
proxy-providers:
  your-subscribe:
    type: http
    url: https://example.com/your-subscribe-url
    interval: 3600
    path: ./subscribes/your-subscribe.yaml
# proxy groups
proxy-groups:
  - name: default
    type: select
    url: https://www.gstatic.com/generate_204
    interval: 300
    use:
      - your-subscribe
# rule providers
# https://github.com/Loyalsoldier/clash-rules
rule-providers:
  # direct-connect domain list
  direct:
    type: http
    behavior: domain
    url: https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/direct.txt
    path: ./ruleset/direct.yaml
    interval: 86400
  # proxied domain list
  proxy:
    type: http
    behavior: domain
    url: https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/proxy.txt
    path: ./ruleset/proxy.yaml
    interval: 86400
  # ad domain list
  reject:
    type: http
    behavior: domain
    url: https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/reject.txt
    path: ./ruleset/reject.yaml
    interval: 86400
  # Apple domain list
  apple:
    type: http
    behavior: domain
    url: https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/apple.txt
    path: ./ruleset/apple.yaml
    interval: 86400
  # iCloud domain list
  icloud:
    type: http
    behavior: domain
    url: https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/icloud.txt
    path: ./ruleset/icloud.yaml
    interval: 86400
  # GFW domain list
  gfw:
    type: http
    behavior: domain
    url: https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/gfw.txt
    path: ./ruleset/gfw.yaml
    interval: 86400
  # top-level domains not used in mainland China
  tld-not-cn:
    type: http
    behavior: domain
    url: https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/tld-not-cn.txt
    path: ./ruleset/tld-not-cn.yaml
    interval: 86400
  # IP ranges used by Telegram
  telegramcidr:
    type: http
    behavior: ipcidr
    url: https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/telegramcidr.txt
    path: ./ruleset/telegramcidr.yaml
    interval: 86400
  # LAN IP ranges
  lancidr:
    type: http
    behavior: ipcidr
    url: https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/lancidr.txt
    path: ./ruleset/lancidr.yaml
    interval: 86400
  # mainland China IP ranges
  cncidr:
    type: http
    behavior: ipcidr
    url: https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/cncidr.txt
    path: ./ruleset/cncidr.yaml
    interval: 86400
  # common software that should connect directly
  applications:
    type: http
    behavior: domain
    url: https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/applications.txt
    path: ./ruleset/applications.yaml
    interval: 86400
# rule order; adjust the priority as needed
rules:
  - RULE-SET,cncidr,DIRECT
  - RULE-SET,direct,DIRECT
  - RULE-SET,icloud,DIRECT
  - RULE-SET,lancidr,DIRECT
  - RULE-SET,applications,DIRECT
  - RULE-SET,apple,default
  - RULE-SET,gfw,default
  - RULE-SET,proxy,default
  - RULE-SET,telegramcidr,default
  - RULE-SET,tld-not-cn,default
  - RULE-SET,reject,REJECT
  - MATCH,DIRECT
```
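To see how the first-match order of that `rules` list decides where a connection goes, here is an added Python model (not code from this page or from the mihomo project). The rule sets are tiny constructed stand-ins for the Loyalsoldier lists, matching is simplified to `+.suffix` domain entries and CIDR entries, and each connection is described by the hostname recovered from the fake-ip mapping plus, when known, its real destination IP. It shows that because `proxy` sits above `reject`, an ad domain present in both sets is proxied rather than rejected.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the Loyalsoldier rule sets used on this page.
# The real lists are far larger; these entries only exist to exercise the ordering.
RULE_SETS = {
    "cncidr":       ("ipcidr", ["223.5.5.0/24"]),
    "direct":       ("domain", ["+.example-cn.test"]),
    "icloud":       ("domain", ["+.icloud.com"]),
    "lancidr":      ("ipcidr", ["192.168.0.0/16", "10.0.0.0/8"]),
    "applications": ("domain", ["+.steamcontent.com"]),
    "apple":        ("domain", ["+.apple.com"]),
    "gfw":          ("domain", ["+.google.com"]),
    "proxy":        ("domain", ["+.doubleclick.net", "+.github.com"]),
    "telegramcidr": ("ipcidr", ["149.154.160.0/20"]),
    "tld-not-cn":   ("domain", ["+.io"]),
    "reject":       ("domain", ["+.doubleclick.net", "+.ads.example.test"]),
}

# The page's `rules:` list in the same order. The first rule that matches wins,
# so `reject` only sees domains that none of the ten rules above it claimed.
RULES = [
    ("RULE-SET", "cncidr", "DIRECT"), ("RULE-SET", "direct", "DIRECT"),
    ("RULE-SET", "icloud", "DIRECT"), ("RULE-SET", "lancidr", "DIRECT"),
    ("RULE-SET", "applications", "DIRECT"), ("RULE-SET", "apple", "default"),
    ("RULE-SET", "gfw", "default"), ("RULE-SET", "proxy", "default"),
    ("RULE-SET", "telegramcidr", "default"), ("RULE-SET", "tld-not-cn", "default"),
    ("RULE-SET", "reject", "REJECT"), ("MATCH", None, "DIRECT"),
]

def domain_matches(pattern, host):
    # `+.suffix` matches the suffix itself and every subdomain; anything else is exact.
    if pattern.startswith("+."):
        suffix = pattern[2:]
        return host == suffix or host.endswith("." + suffix)
    return host == pattern

def rule_set_hits(name, host, ip):
    behavior, entries = RULE_SETS[name]
    if behavior == "domain":
        return host is not None and any(domain_matches(p, host) for p in entries)
    if ip is None:  # ipcidr sets need the real destination address, not the fake-ip
        return False
    return any(ip_address(ip) in ip_network(cidr) for cidr in entries)

def decide(host=None, ip=None):
    # Walk the rules top to bottom; return (policy, matching rule set or "MATCH").
    for kind, name, policy in RULES:
        if kind == "MATCH":
            return policy, "MATCH"
        if rule_set_hits(name, host, ip):
            return policy, name
    raise ValueError("rules list has no MATCH fallback")
```

Calling `decide(host="ad.doubleclick.net")` returns `("default", "proxy")`: to have such domains blocked, the `reject` rule has to move above `proxy` and `gfw`.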
Open 192.168.1.2:9090/ui to reach Clash's Web UI; after editing the configuration, it can be reloaded dynamically from there without restarting the container.
Set the default gateway and DNS server of the other devices on the LAN to the container's IP, then test the split routing.