@w1ndy
Last active February 5, 2024 13:17
Autostart clash in tun mode on AX3600

Prerequisite

  1. Download the clash premium core, verify its checksum or signature before installing it, and place it at /etc/clash/clash (the launcher below executes it from that path, as root)
  2. Create /etc/clash/config.yaml from config.yaml.example (clash is started with `-d /etc/clash`, so it reads its config from that directory)

Installation Guide

Run the following commands as root from the directory that holds clashtun and start_clash.sh:

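#!/bin/sh
# Installs the procd init script and the launcher, then enables and starts
# the service. Run as root from the directory holding clashtun and
# start_clash.sh, after the clash core and config.yaml are in /etc/clash.
set -eu   # abort on the first failure instead of enabling a half-installed service

# The launcher runs /etc/clash/clash -d /etc/clash, so both must exist first.
[ -f /etc/clash/clash ] || { echo "clash core not found at /etc/clash/clash" >&2; exit 1; }
[ -f /etc/clash/config.yaml ] || { echo "missing /etc/clash/config.yaml" >&2; exit 1; }

mv clashtun /etc/init.d/clashtun
mv start_clash.sh /etc/clash/start_clash.sh

chmod +x /etc/clash/clash /etc/init.d/clashtun /etc/clash/start_clash.sh

/etc/init.d/clashtun enable
/etc/init.d/clashtun start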
#!/bin/sh /etc/rc.common
# procd init script for clash in TUN mode. The actual start-up work
# (running the core, iptables/ipset/policy-routing setup) lives in
# /etc/clash/start_clash.sh; this file only supervises it and tears it down.
USE_PROCD=1
START=99   # start last, after the other init scripts (network, firewall) have run
# Supervise the launcher as a single procd instance: its stdout/stderr go to
# the system log and procd restarts it if it exits (the launcher waits on clash,
# so a dead clash process means a respawn).
start_service() {
	local launcher=/etc/clash/start_clash.sh
	procd_open_instance
	procd_set_param command "$launcher"
	procd_set_param stdout 1
	procd_set_param stderr 1
	procd_set_param respawn
	procd_close_instance
}
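# Stop clash and undo everything start_clash.sh installed. The original only
# removed the DNS redirects and flushed mangle PREROUTING: the fwmark rule,
# the table-129 route, the FORWARD accepts and the chnroutes4 ipset were left
# behind, so each restart stacked duplicates / made `ipset create` fail.
stop_service() {
	killall clash
	# iptables -D / ip rule del remove one instance per call, so loop until
	# nothing matches in case a rule was inserted more than once.
	while ip rule del fwmark 129 lookup 129 2>/dev/null; do :; done
	ip route del default dev utun table 129 2>/dev/null
	for dir in -i -o; do
		while iptables -D FORWARD "$dir" utun -j ACCEPT 2>/dev/null; do :; done
	done
	for ipt in iptables ip6tables; do
		for proto in tcp udp; do
			while "$ipt" -t nat -D PREROUTING -p "$proto" --dport 53 -j REDIRECT --to 1053 2>/dev/null; do :; done
		done
	done
	# Unhook the marking chain by deleting only our own PREROUTING rules;
	# flushing the whole chain would also drop rules other packages keep there.
	while iptables -t mangle -D PREROUTING -j CLASH 2>/dev/null; do :; done
	for proto in udp tcp; do
		while iptables -t mangle -D PREROUTING -p "$proto" -m "$proto" --dport 8192:65535 -j RETURN 2>/dev/null; do :; done
	done
	iptables -t mangle -F CLASH
	iptables -t mangle -X CLASH
	# The set can only be destroyed once the CLASH chain referencing it is gone.
	ipset destroy chnroutes4 2>/dev/null
}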
# config.yaml.example -- minimal clash premium configuration matched to
# /etc/clash/start_clash.sh. Values marked "start_clash.sh" are relied on there.
mixed-port: 7890            # HTTP/SOCKS listener; start_clash.sh fetches the CN route list through it
ipv6: true
interface-name: pppoe-wan   # WAN interface outbound connections are bound to
tun:
  enable: true
  stack: system             # start_clash.sh expects the TUN device to be named utun (routing table 129)
  dns-hijack:               # queries to these resolvers entering the TUN are answered by clash's own DNS
    - 119.29.29.29:53
    - 119.28.28.28:53
    - 223.5.5.5:53
    - 223.6.6.6:53
    - 1.2.4.8:53
    - 182.254.116.116:53
dns:
  enable: true
  listen: 0.0.0.0:1053      # start_clash.sh REDIRECTs all inbound port-53 traffic (every interface) to this port
  enhanced-mode: redir-host
  nameserver:               # DNS-over-HTTPS upstreams
    - https://223.5.5.5/dns-query
    - https://doh.pub/dns-query
  fallback:                 # DNS-over-TLS upstreams used when fallback-filter matches
    - tls://1.0.0.1:853
    - tls://8.8.4.4:853
  fallback-filter:
    geoip: true             # see the clash docs for the exact fallback semantics
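#!/bin/sh
# Launcher run by procd (see /etc/init.d/clashtun). Starts the clash core,
# then installs the ipset, packet-marking, DNS-redirect, firewall and
# policy-routing rules that push non-CN traffic through the TUN device
# clash creates. Runs as root; every rule added here is idempotent so a
# respawn or restart does not stack duplicates.
#
# Changes from the original: waits for the TUN device before routing to it
# and before downloading through clash; fetches the CN route list over TLS
# and warns when it cannot (previously a failed plaintext fetch silently
# left the set empty, tunnelling everything); loads the set with one
# `ipset restore` instead of one `ipset add` process per prefix; removes
# only its own old rules instead of flushing mangle PREROUTING.

CLASH_DIR=/etc/clash
TUN_IF=utun            # TUN device name; must match what clash creates
FWMARK=129             # packet mark and routing-table id for proxied traffic
PROXY=127.0.0.1:7890   # clash mixed-port, used to fetch the route list
CHN_SET=chnroutes4     # ipset of CN IPv4 prefixes that bypass the tunnel

"$CLASH_DIR/clash" -d "$CLASH_DIR" >/dev/null &
clash_pid=$!

# clash brings the TUN device up asynchronously: the route below needs it to
# exist and the download below goes through clash itself. Bounded wait, then
# carry on (as the original did) so a misconfigured TUN still surfaces as a
# logged failure rather than a tight respawn loop.
n=0
while ! ip link show "$TUN_IF" >/dev/null 2>&1; do
	n=$((n + 1))
	if [ "$n" -ge 30 ] || ! kill -0 "$clash_pid" 2>/dev/null; then
		echo "start_clash: $TUN_IF did not appear, is clash running with tun enabled?" >&2
		break
	fi
	sleep 1
done

# IPv4 ipset of CN prefixes. -exist keeps a restart from failing when the set
# survived the previous run; flush drops stale entries before reloading.
ipset -exist create "$CHN_SET" hash:net
ipset flush "$CHN_SET"
# This list decides which destinations bypass the tunnel, so fetch it over TLS
# (needs the CA bundle installed on the router) through clash's own proxy,
# and warn instead of silently running with an empty set.
tmp=$(mktemp) || tmp=
if [ -n "$tmp" ] && https_proxy="http://$PROXY" http_proxy="http://$PROXY" \
	curl -fsSL --retry 5 --retry-delay 2 -o "$tmp" \
	'https://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'; then
	# Record format: registry|cc|type|start|value|date|status; value is the
	# address count, a power of two. Round before truncating to an int.
	awk -F '|' -v set="$CHN_SET" \
		'$2 == "CN" && $3 == "ipv4" { printf("add %s %s/%d\n", set, $4, int(32 - log($5) / log(2) + 0.5)) }' \
		"$tmp" | ipset -exist restore
else
	echo "start_clash: failed to load CN routes into $CHN_SET; all non-private traffic will be tunnelled" >&2
fi
[ -n "$tmp" ] && rm -f -- "$tmp"

# Marking chain: everything except private/link-local/multicast/reserved
# ranges and CN prefixes gets FWMARK. -N fails harmlessly if the chain
# survived the last run; -F then starts it empty.
iptables -t mangle -N CLASH 2>/dev/null
iptables -t mangle -F CLASH
for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
	iptables -t mangle -A CLASH -d "$net" -j RETURN
done
iptables -t mangle -A CLASH -m set --match-set "$CHN_SET" dst -j RETURN
iptables -t mangle -A CLASH -j MARK --set-xmark "$FWMARK"

# Hook the chain into PREROUTING for destination ports below 8192 only.
# Delete our own rules from a previous run rather than flushing the chain,
# so rules other packages keep in mangle PREROUTING survive.
while iptables -t mangle -D PREROUTING -j CLASH 2>/dev/null; do :; done
for proto in udp tcp; do
	while iptables -t mangle -D PREROUTING -p "$proto" -m "$proto" --dport 8192:65535 -j RETURN 2>/dev/null; do :; done
	iptables -t mangle -A PREROUTING -p "$proto" -m "$proto" --dport 8192:65535 -j RETURN
done
iptables -t mangle -A PREROUTING -j CLASH

# Redirect all inbound port-53 traffic to clash's DNS listener (1053).
# NOTE(review): this matches every interface, pppoe-wan included; whether the
# router answers WAN queries then depends on the INPUT policy for port 1053.
# The match is kept interface-agnostic so the deletes in stop_service match.
for ipt in iptables ip6tables; do
	for proto in tcp udp; do
		while "$ipt" -t nat -D PREROUTING -p "$proto" --dport 53 -j REDIRECT --to 1053 2>/dev/null; do :; done
		"$ipt" -t nat -I PREROUTING -p "$proto" --dport 53 -j REDIRECT --to 1053
	done
done

# Let forwarded traffic flow into and out of the TUN device. Deleting first
# keeps repeated starts from stacking duplicate ACCEPTs at the head of FORWARD.
# NOTE(review): `-i utun -j ACCEPT` admits any flow arriving from the tunnel
# ahead of the zone rules; RELATED,ESTABLISHED may be sufficient -- verify.
for dir in -o -i; do
	while iptables -D FORWARD "$dir" "$TUN_IF" -j ACCEPT 2>/dev/null; do :; done
	iptables -I FORWARD "$dir" "$TUN_IF" -j ACCEPT
done

# Policy routing: marked packets consult table FWMARK, whose only route is
# the TUN device. replace / del-then-add keep this idempotent across restarts.
ip route replace default dev "$TUN_IF" table "$FWMARK"
while ip rule del fwmark "$FWMARK" lookup "$FWMARK" 2>/dev/null; do :; done
ip rule add fwmark "$FWMARK" lookup "$FWMARK"

# Stay alive as long as clash does; when it exits, so does this script and
# procd respawns the instance.
wait "$clash_pid"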