---
tags:
  - openclash
  - vless-reality
  - clash-config
  - router
  - dns
  - homelab
---

# OpenClash Configuration Backup

> Router: `192.168.68.63` (iStoreOS, EasePi Pro)
> Last updated: 2026-03-19
> Purpose: only mainland-China video/music traffic goes through the proxy back into China; everything else connects directly

---

## 1. Source Configuration

Path: `/etc/openclash/config/vless-reality.yaml`

> The DNS section contains only a minimal declaration; the rest is generated by LuCI overrides.

```yaml
# ============================================================
# VLESS + XTLS-Vision + REALITY (proxy back into mainland China - side router)
# Purpose: only mainland-China video/music goes through the proxy, everything else connects directly
# Updated: 2026-03-19 trimmed rules + security hardening + sniffer cleanup
# ============================================================

mixed-port: 7890
redir-port: 7892
tproxy-port: 7895
allow-lan: true
bind-address: "*"
mode: rule
log-level: warning
unified-delay: true
external-controller: 192.168.68.63:9090

dns:
  enable: true
  listen: 0.0.0.0:7874

proxies:
  - name: "CN-Proxy"
    type: vless
    server: 8.138.1.192
    port: 443
    uuid: 04a7cfe3-10f6-4e38-8319-22a604e24018
    network: tcp
    udp: true
    tls: true
    flow: xtls-rprx-vision
    servername: www.microsoft.com
    reality-opts:
      public-key: RTO_UOk5ncr3DAAYR08g08L0fo5ax9pmGFj8c8lXWgk
      short-id: ""
    client-fingerprint: chrome

proxy-groups:
  - name: "Proxy"
    type: select
    proxies:
      - CN-Proxy
      - DIRECT

rules:
  # K8s nodes connect directly (bypass OpenClash)
  - SRC-IP-CIDR,192.168.68.11/32,DIRECT
  - SRC-IP-CIDR,192.168.68.21/32,DIRECT
  - SRC-IP-CIDR,192.168.68.22/32,DIRECT

  # The proxy server itself must connect directly (prevents routing loops)
  - IP-CIDR,8.138.1.192/32,DIRECT

  # Ad blocking
  - GEOSITE,category-ads-all,REJECT

  # Private networks connect directly
  - IP-CIDR,127.0.0.0/8,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT
  - IP-CIDR,172.16.0.0/12,DIRECT
  - IP-CIDR,192.168.0.0/16,DIRECT

  # === Mainland-China video/streaming (via proxy back into China) ===
  # Bilibili
  - DOMAIN-SUFFIX,bilibili.com,Proxy
  - DOMAIN-SUFFIX,bilivideo.com,Proxy
  - DOMAIN-SUFFIX,bilivideo.cn,Proxy
  - DOMAIN-SUFFIX,biliapi.net,Proxy
  - DOMAIN-SUFFIX,hdslb.com,Proxy
  - DOMAIN-SUFFIX,acgvideo.com,Proxy
  # iQIYI
  - DOMAIN-SUFFIX,iqiyi.com,Proxy
  - DOMAIN-SUFFIX,iqiyipic.com,Proxy
  # Youku
  - DOMAIN-SUFFIX,youku.com,Proxy
  # Mango TV
  - DOMAIN-SUFFIX,mgtv.com,Proxy
  # Sohu Video
  - DOMAIN-SUFFIX,sohu.com,Proxy
  # Tencent Video
  - DOMAIN-SUFFIX,v.qq.com,Proxy
  - DOMAIN-SUFFIX,video.qq.com,Proxy
  - DOMAIN-SUFFIX,livep.l.qq.com,Proxy
  - DOMAIN-SUFFIX,vd.l.qq.com,Proxy
  # Douyin / Xigua / ByteDance
  - DOMAIN-SUFFIX,douyin.com,Proxy
  - DOMAIN-SUFFIX,douyinpic.com,Proxy
  - DOMAIN-SUFFIX,douyincdn.com,Proxy
  - DOMAIN-SUFFIX,douyinstatic.com,Proxy
  - DOMAIN-SUFFIX,snssdk.com,Proxy
  - DOMAIN-SUFFIX,amemv.com,Proxy
  - DOMAIN-SUFFIX,ixigua.com,Proxy
  - DOMAIN-SUFFIX,pstatp.com,Proxy
  - DOMAIN-SUFFIX,bytedance.com,Proxy
  - DOMAIN-SUFFIX,byteimg.com,Proxy
  # Xiaohongshu
  - DOMAIN-SUFFIX,xiaohongshu.com,Proxy
  - DOMAIN-SUFFIX,xhscdn.com,Proxy
  - DOMAIN-SUFFIX,xhslink.com,Proxy

  # === Mainland-China music (via proxy back into China) ===
  # NetEase Cloud Music
  - DOMAIN-SUFFIX,music.163.com,Proxy
  - DOMAIN-SUFFIX,163yun.com,Proxy
  - DOMAIN-SUFFIX,126.net,Proxy
  - DOMAIN-SUFFIX,netease.com,Proxy
  # Kugou
  - DOMAIN-SUFFIX,kugou.com,Proxy
  # Kuwo
  - DOMAIN-SUFFIX,kuwo.cn,Proxy
  # QQ Music
  - DOMAIN-SUFFIX,y.qq.com,Proxy
  - DOMAIN-SUFFIX,c.y.qq.com,Proxy
  - DOMAIN-SUFFIX,streamoc.music.tc.qq.com,Proxy

  # === Everything else connects directly ===
  - MATCH,DIRECT

hosts:
  "nas.colacoder.com": 192.168.68.70
  "pve.colacoder.com": 192.168.68.70
  "npm.colacoder.com": 192.168.68.70
  "router.colacoder.com": 192.168.68.63
  "adguard.colacoder.com": 192.168.68.63
  "claw.colacoder.com": 192.168.68.70
  "openvas.colacoder.com": 192.168.68.70
  "invest-api.k8s.home": 192.168.68.240
  "argocd.k8s.home": 192.168.68.240
  "drone.k8s.home": 192.168.68.240
```

---

## 2. Custom Files

### 2.1 Fake-IP Exclusion List

Path: `/etc/openclash/custom/openclash_custom_fake_filter.list`

```
+.colacoder.com
+.k8s.home
*.lan
*.local
*.localdomain
*.home.arpa
+.quay.io
+.ghcr.io
+.docker.io
+.docker.com
+.gcr.io
+.k8s.io
+.registry.k8s.io
+.ecr.aws
+.billo.life
+.finance.yahoo.com
```

### 2.2 Custom Hosts

Path: `/etc/openclash/custom/openclash_custom_hosts.list`

```yaml
nas.colacoder.com: 192.168.68.70
pve.colacoder.com: 192.168.68.70
npm.colacoder.com: 192.168.68.70
router.colacoder.com: 192.168.68.63
adguard.colacoder.com: 192.168.68.63
claw.colacoder.com: 192.168.68.70
openvas.colacoder.com: 192.168.68.70
invest-api.k8s.home: 192.168.68.240
argocd.k8s.home: 192.168.68.240
drone.k8s.home: 192.168.68.240
```

### 2.3 Custom Sniffer

Path: `/etc/openclash/custom/openclash_custom_sniffer.yaml`

```yaml
sniffer:
  force-dns-mapping: true
  parse-pure-ip: true
  override-destination: true
  sniff:
    QUIC:
      ports: [443]
    TLS:
      ports: [443, 8443]
    HTTP:
      ports: [80, 8080-8880]
      override-destination: true
  force-domain: []
  skip-domain:
    - Mijia Cloud
    - dlg.io.mi.com
    - +.oray.com
    - +.sunlogin.net
    - +.push.apple.com
```

---

## 3. LuCI Override Settings

The following settings are configured through the LuCI admin interface and override the corresponding fields in the source configuration:

| Setting | Value |
|------|-----|
| Operating mode | Fake-IP (TUN) |
| Proxy mode | Rule (policy-based proxy) |
| Region bypass | Disabled |
| Domain sniffing | Enabled |
| Default-NameServer | `8.8.8.8`, `1.1.1.1` |
| NameServer | `8.8.8.8`, `1.1.1.1` |
| Fallback | `dns.google`, `cloudflare-dns.com` (DoH) |
| store-fake-ip | Enabled |
| respect-rules | Enabled |
| custom-fakeip-filter | Enabled (blacklist mode) |
| custom-host | Enabled |
| custom-fallback-filter | Enabled |
| china_ip_route | Enabled |
| tcp-concurrent | Enabled |
| IPv6 | Off |
| QUIC | Disabled |

---

## Related Documents

- [[VLESS-REALITY-Router-iStoreOS]] -- main gateway configuration document
- [[OpenClash-Config-Review-2026-03-19]] -- configuration audit report
- [[家庭网络基础设施|Home Network Infrastructure]] -- network topology overview
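
Clash evaluates `rules` top-down and the first match wins, which is why the `SRC-IP-CIDR` entries and the proxy server's own `IP-CIDR` entry in section 1 sit above the `DOMAIN-SUFFIX` entries. The Python below is an added example (not part of the backed-up configuration or of OpenClash) that replays a constructed excerpt of that list and reports suffix rules already covered by an earlier one. Assumptions: the function names are hypothetical, `GEOSITE` is omitted because it needs the geosite database, and IP rules are checked only when a destination IP is passed in (no DNS resolution is modelled).

```python
import ipaddress

# Constructed excerpt of the `rules` list from section 1, original order kept.
RULES = """
SRC-IP-CIDR,192.168.68.11/32,DIRECT
IP-CIDR,8.138.1.192/32,DIRECT
IP-CIDR,192.168.0.0/16,DIRECT
DOMAIN-SUFFIX,bilibili.com,Proxy
DOMAIN-SUFFIX,v.qq.com,Proxy
DOMAIN-SUFFIX,video.qq.com,Proxy
DOMAIN-SUFFIX,music.163.com,Proxy
DOMAIN-SUFFIX,y.qq.com,Proxy
DOMAIN-SUFFIX,c.y.qq.com,Proxy
MATCH,DIRECT
""".split()

def parse(lines):
    """Split 'TYPE,value,policy' (or 'MATCH,policy') into (type, value, policy)."""
    out = []
    for line in lines:
        parts = line.split(",")
        out.append((parts[0], parts[1] if len(parts) == 3 else None, parts[-1]))
    return out

def suffix_match(host, suffix):
    # DOMAIN-SUFFIX matches the domain itself and any subdomain of it.
    return host == suffix or host.endswith("." + suffix)

def resolve(rules, src_ip, host=None, dst_ip=None):
    """Return the policy of the first matching rule (top-down evaluation)."""
    for kind, value, policy in rules:
        if kind == "MATCH":
            return policy
        if kind == "DOMAIN-SUFFIX" and host and suffix_match(host, value):
            return policy
        ip = src_ip if kind == "SRC-IP-CIDR" else dst_ip
        if kind.endswith("IP-CIDR") and ip and \
                ipaddress.ip_address(ip) in ipaddress.ip_network(value):
            return policy
    return None

def shadowed(rules):
    """DOMAIN-SUFFIX values that never fire: an earlier suffix already covers them."""
    seen, dead = [], []
    for kind, value, _ in rules:
        if kind == "DOMAIN-SUFFIX":
            if any(suffix_match(value, s) for s in seen):
                dead.append(value)
            seen.append(value)
    return dead
```

On this excerpt `shadowed()` reports `c.y.qq.com`, which the earlier `y.qq.com` suffix already covers; a request from the K8s node `192.168.68.11` resolves to `DIRECT` even for `bilibili.com` because its `SRC-IP-CIDR` rule is evaluated first.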