For the past two years I have been using v2ray in WSS mode to get past the firewall. I recently found time to look at the newer Xray, moved all of my proxy servers over to it, using VLESS over TCP with XTLS, and wrote the whole deployment and tuning process down as an install guide. Everything below is done on a clean Debian 10 system in a KVM virtual machine, logged in as root.
1. Prerequisites
Reinstall the system
Reinstall a clean Debian 10 following the article "Installing a fresh Debian 10 Buster over the network" (《通过网络安装全新的 Debian 10 Buster》) and do the basic configuration it describes.
Character-set tweaks for vim
1. Edit the vim config file: vi /etc/vim/vimrc.tiny
Change or add these two lines:
set nocompatible
set backspace=2
2. Set the character set for root's own vim: vi ~/.vimrc
with this content:
set fileencodings=utf-8,gb2312,gb18030,gbk,ucs-bom,cp936,latin1
set enc=utf8
set fencs=utf8,gbk,gb2312,gb18030
set nocompatible
set backspace=2
(fencs is the short name of fileencodings, so the third line replaces the detection order set on the first; keep whichever order you want.)
2. Install the Xray server (VLESS + TCP + XTLS)
1. Install with the official Xray-install script. The script downloads a prebuilt release, so build-essential is not needed; what the command below needs is curl. It runs a script fetched from GitHub as root, so download it to a file and read it before executing it. The -u root switch makes the service run as root; the installer's default user is nobody, which is the safer choice, and the only reason to want root here (reading the certificate files) is better solved by making those files readable by nobody.
apt install curl -y
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install -u root
The files are installed as:
installed: /usr/local/bin/xray
installed: /usr/local/share/xray/geoip.dat
installed: /usr/local/share/xray/geosite.dat
installed: /usr/local/etc/xray/config.json
installed: /var/log/xray/
installed: /var/log/xray/access.log
installed: /var/log/xray/error.log
installed: /etc/systemd/system/xray.service
installed: /etc/systemd/system/xray@.service
2. Edit the config file (single-user setup): vi /usr/local/etc/xray/config.json
3. Write the following configuration and adapt it to your setup. There are three places to change, marked with comments: the listening port, the client UUID, and the domain with its certificate and key. Xray's JSON parser accepts the // comments, but plain JSON tools such as jq do not, so strip them if you validate the file with anything other than xray itself. The "fingerprint" setting sometimes copied into server configs is a client-side uTLS option and does nothing on an inbound, so it is left out here.
{
  "log": {
    "access": "/var/log/xray/access.log",
    "error": "/var/log/xray/error.log",
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "port": 10000, // change to the port you want
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "b0fecfb3-6984-4cb0-ab84-58499efbdcdd", // change to your own client UUID; generate a fresh one, never reuse an example value
            "flow": "xtls-rprx-direct"
          }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "xtls",
        "xtlsSettings": {
          "serverName": "domain.com", // change to the domain the certificate was issued for
          "alpn": [
            "h2",
            "http/1.1"
          ],
          "minVersion": "1.2",
          "certificates": [
            {
              "certificateFile": "/usr/local/nginx/conf/ssl/domain.com.crt", // change to the certificate for your domain
              "keyFile": "/usr/local/nginx/conf/ssl/domain.com.key" // change to the private key for that certificate
            }
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom"
    },
    {
      "protocol": "blackhole",
      "tag": "reject"
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "domainMatcher": "mph",
    "rules": [
      {
        // Ad domains and the "private" domain list go to the blackhole.
        "type": "field",
        "domain": [
          "geosite:category-ads-all",
          "geosite:private"
        ],
        "outboundTag": "reject"
      },
      {
        // Private address ranges are a separate rule on purpose: the conditions
        // inside one rule are ANDed, so a single rule with both "domain" and "ip"
        // would match neither. This rule stops clients from using the proxy to
        // reach localhost or the server's own LAN.
        "type": "field",
        "ip": [
          "geoip:private"
        ],
        "outboundTag": "reject"
      }
    ]
  }
}
Because the traffic-relay service I use does not support port 443, this setup does not use Xray's fallback on 443 (where connections that are not VLESS are handed to a real web server); it is the simplest single-protocol configuration, with only VLESS on the server. Adjust it to your own situation. Without a fallback, a connection that completes the TLS handshake but does not carry a valid VLESS request is simply closed rather than served a web page. Also note that the "security": "xtls" / "flow": "xtls-rprx-direct" pair is the legacy XTLS of Xray's early releases; later Xray-core versions removed it in favour of "flow": "xtls-rprx-vision" over ordinary TLS, so check the release notes of the version the installer fetched for the current equivalent.
Other configurations: see Xray-examples.
4. Start the service
systemctl enable xray.service
systemctl start xray.service
Then confirm it stayed up (systemctl status xray) and that /var/log/xray/error.log shows no configuration errors: a typo in the JSON makes xray exit immediately and leaves the unit in a failed state.
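The install-and-configure steps above, as an added example that is not code from the original post or from the Xray project: it validates the three values you have to change (port, client UUID, certificate and key), renders the same single-user VLESS+TCP+XTLS config with the routing rules split correctly, and asks xray to parse the result before you replace the live file. The function names, the config.json.new output path and the use of /proc/sys/kernel/random/uuid or uuidgen for the client id are my own choices; the certificate paths are the page's, and the certificate check assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post or the Xray project): validate the
# inputs for the single-user VLESS+TCP+XTLS inbound, render the config, and
# let xray parse it before it goes live. Assumes the paths from this page,
# openssl on PATH, and /proc/sys/kernel/random/uuid or uuidgen for UUIDs.

# A fresh UUID for the client id (never reuse the one from a tutorial).
new_uuid() {
  cat /proc/sys/kernel/random/uuid 2>/dev/null || uuidgen
}

# UUID syntax check (8-4-4-4-12 hex): a typo here is a silently broken client id.
is_uuid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# TCP port check, 1..65535.
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Certificate and key must be a pair: compare the public key embedded in each.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Render the config. Routing keeps the domain and ip conditions in separate
# rules: conditions inside one rule are ANDed, so one combined rule would
# fire for neither an ad domain nor a private address.
render_config() {
  port=$1 uuid=$2 domain=$3 crt=$4 key=$5
  cat <<EOF
{
  "log": { "access": "/var/log/xray/access.log", "error": "/var/log/xray/error.log", "loglevel": "warning" },
  "inbounds": [{
    "port": $port,
    "protocol": "vless",
    "settings": { "clients": [{ "id": "$uuid", "flow": "xtls-rprx-direct" }], "decryption": "none" },
    "streamSettings": {
      "network": "tcp",
      "security": "xtls",
      "xtlsSettings": {
        "serverName": "$domain",
        "alpn": ["h2", "http/1.1"],
        "minVersion": "1.2",
        "certificates": [{ "certificateFile": "$crt", "keyFile": "$key" }]
      }
    }
  }],
  "outbounds": [
    { "protocol": "freedom" },
    { "protocol": "blackhole", "tag": "reject" }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "domainMatcher": "mph",
    "rules": [
      { "type": "field", "domain": ["geosite:category-ads-all", "geosite:private"], "outboundTag": "reject" },
      { "type": "field", "ip": ["geoip:private"], "outboundTag": "reject" }
    ]
  }
}
EOF
}

# Ask xray to parse the file without starting a server; returns xray's exit status.
xray_test_config() {
  xray run -test -config "$1"
}

# Usage: sh render.sh 10000 domain.com /usr/local/nginx/conf/ssl/domain.com.crt /usr/local/nginx/conf/ssl/domain.com.key
if [ "$#" -eq 4 ]; then
  port=$1 domain=$2 crt=$3 key=$4
  uuid=$(new_uuid)
  is_port "$port" || { echo "bad port: $port" >&2; exit 1; }
  is_uuid "$uuid" || { echo "bad uuid: $uuid" >&2; exit 1; }
  cert_matches_key "$crt" "$key" || { echo "certificate and key do not match" >&2; exit 1; }
  render_config "$port" "$uuid" "$domain" "$crt" "$key" > /usr/local/etc/xray/config.json.new
  xray_test_config /usr/local/etc/xray/config.json.new || exit 1
  echo "client id: $uuid"
  echo "config written to /usr/local/etc/xray/config.json.new; move it over config.json and restart xray"
fi
```

Only move config.json.new over the live config.json once xray run -test accepts it; then systemctl restart xray and check systemctl status xray. The cert/key comparison catches the common case of a renewed certificate paired with an old key, which otherwise shows up only as a TLS handshake failure on the client.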
3. Tuning
Kernel parameters and BBR
The TCP BBR congestion-control algorithm aims to use the full available bandwidth while keeping queueing in the path to a minimum. Debian 10's 4.19 kernel already ships it as the tcp_bbr module, so no kernel upgrade is needed.
Edit vi /etc/sysctl.conf
and add the following:
fs.file-max = 104857600
fs.inotify.max_user_instances = 8192
fs.nr_open = 10485760
net.core.default_qdisc = fq
net.core.netdev_max_backlog = 65536
net.core.rmem_default = 262144
net.core.rmem_max = 67108864
net.core.somaxconn = 65536
net.core.wmem_default = 262144
net.core.wmem_max = 67108864
# Xray is a userspace proxy and does not need packet forwarding; leave it off
# unless this host must also route traffic for other machines.
net.ipv4.ip_forward = 0
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.route.gc_timeout = 100
# Exactly one congestion-control line: sysctl applies the file top to bottom
# and only the last assignment of a key takes effect.
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_max_tw_buckets = 6000
# tcp_mem is in pages (4 KiB), not bytes.
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_rmem = 16384 262144 67108864
net.ipv4.tcp_sack = 1
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syncookies = 1
# tcp_tw_reuse below only works when TCP timestamps are on, so they stay enabled.
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_wmem = 8192 262144 67108864
# The nf_conntrack keys only exist once the nf_conntrack module is loaded;
# on a box with no firewall rules sysctl -p reports them as missing.
net.netfilter.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
# Legacy alias of net.netfilter.nf_conntrack_max.
net.nf_conntrack_max = 6553500
Save and apply with sysctl -p. If the nf_conntrack module is not loaded, sysctl prints "No such file or directory" for the net.netfilter.* keys and still applies the rest of the file.
On the congestion-control line: hybla is meant for high-latency paths (for example to the US or Europe) and htcp for low-latency ones (Japan, Hong Kong). If you want one of those instead of BBR, change that single line. Do not keep two net.ipv4.tcp_congestion_control lines; sysctl applies the file top to bottom, so a hybla line followed by a bbr line leaves you with bbr and the hybla line does nothing. Likewise, keep tcp_timestamps at 1: many copied tuning lists set it to 0, which silently turns the tcp_tw_reuse setting into a no-op.
Check that BBR is active:
sysctl net.ipv4.tcp_available_congestion_control
sysctl net.ipv4.tcp_congestion_control
sysctl net.core.default_qdisc
Typical output (the order of the available list varies, but bbr must appear in it):
net.ipv4.tcp_available_congestion_control = bbr hybla cubic reno
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = fq
Then run lsmod | grep bbr
It should list tcp_bbr; the module is loaded automatically the first time the setting is applied, and its presence means BBR is in use.
Other tweaks
1. (Optional) Re-apply the kernel parameters at boot from /etc/rc.local. On Debian 10, /etc/sysctl.conf is already applied at boot by systemd-sysctl.service, so this is only a fallback for keys that fail early (the nf_conntrack keys do not exist until the module is loaded). /etc/rc.local does not exist by default: create it with #!/bin/sh as its first line and exit 0 as its last, insert sysctl -p on the line before exit 0, and mark the file executable, since rc-local.service only runs it when it is.
2. Edit /etc/profile and add ulimit -SHn 1024000
Then reboot and run ulimit -n
It should print 1024000. This only affects login shells: the xray service gets its file-descriptor limit from its systemd unit (the unit installed by Xray-install sets LimitNOFILE itself; see systemctl cat xray), not from /etc/profile.
3. Edit /etc/security/limits.conf
and set the following (again, these apply to PAM login sessions, not to systemd services):
* soft nproc 1000000
* hard nproc 1000000
* soft nofile 1000000
* hard nofile 1000000
root soft nproc 1000000
root hard nproc 1000000
root soft nofile 1000000
root hard nofile 1000000
4. Edit /etc/pam.d/common-session
and make sure it contains session required pam_limits.so (add the line only if it is not already present; without it limits.conf is never read for the session).
References: