自动化部署「利群主機中转-自有國外機落地」的 SS-AnyTLS 隧道

Kusu等级-LV3-LeiKwan Square|利群主機廣場1个月前更新
1673

本專案用於自動化部署「B 中轉 + C 落地」的 SS → AnyTLS 隧道架構(基於 sing-box)。
最終在 Server B 產出可直接導入客戶端的 Shadowsocks(SS)URI,使用者僅需一鍵導入即可使用。

✅ 適用場景

  1. B 作為入口 / 中轉,C 作為出口 / 落地

    • B 位於靠近使用者的網路(如國內 / 低延遲)

    • C 位於實際出網的位置(如國際 / 落地)

  2. 希望將複雜的 sing-box 組態流程自動化

    • 腳本會自動安裝相依套件與 sing-box

    • 自動生成並寫入 /etc/sing-box/config.json

    • 自動啟用 systemd sing-box 服務

🧭 架構說明

Client → Server B(SS 節點中转)→ Server C(AnyTLS 節點落地)→ Internet

  • Server C(落地)

    • 提供 AnyTLS Inbound(TLS + 自簽憑證)

    • 預設監聽 TCP 8443

  • Server B(中轉)

    • 提供 Shadowsocks(SS-2022)入站

    • 將流量經由 AnyTLS 轉發至 Server C

    • 腳本會輸出可直接導入客戶端的 SS URI

🛠️ 使用方式

下載並執行腳本

curl -O https://raw.githubusercontent.com/Cyli00/ss2anytls-autodeploy/refs/heads/main/autodeploy.sh
chmod +x autodeploy.sh
bash autodeploy.sh

腳本為互動式選單建議先設定 Server C,再設定 Server B

🚀 快速部署流程

  1. Server C(落地)

    bash autodeploy.sh

    • 選擇 [2] C (Exit)

    • 設定監聽埠(可使用預設)

    • 複製輸出的 AnyTLS 連線資訊

  2. Server B(中轉)

    bash autodeploy.sh

    • 選擇 [1] B (Relay)

    • 貼上 Server C 的資訊

    • 設定 SS 監聽埠與節點名稱

    • 取得 SS URI

  3. 客戶端

    • 使用支援 SS URI 的客戶端(如 Mihomo、sing-box、v2rayN)

    • 直接匯入 URI 並測試連線

⚠️ 注意事項

  • 防火牆 / 安全組
    未放行埠口是最常見的無法連線原因。

  • 設定檔位置

    • sing-box:/etc/sing-box/config.json

    • 憑證:/etc/sing-box/certs

  • 可重複執行

    • 腳本支援新增多組 Inbound / Outbound

    • 既有設定會自動備份

🌐 雙出口 CN2 / 9929 機型:Server B 指定出口路由(重要)

若你使用的是 雙出口(CN2 / 9929) 伺服器,完成 B / C 部署後,務必在 Server B 設定出口路由,否則可能出現:

  • 回程 IP 不穩定

  • 流量走錯出口

  • 延遲與體驗異常

Server B 以 root 執行:

wget -qO dual-route.sh --no-check-certificate http://files.leikwanhost.com/dual-route.sh && chmod +x dual-route.sh && bash dual-route.sh

之後如需重新設定:

bash dual-route.sh

此腳本會:

  • 為每個 IPv4 建立獨立路由表

  • 確保「源進源出」

👉 建議順序

  1. 完成 ss2anytls-autodeploy(B / C)

  2. 在 Server B 執行 dual-route.sh

  3. 再次測試客戶端連線

This project is used to automatically deploy an SS → AnyTLS tunnel architecture with “Server B as relay + Server C as landing/exit” (based on sing-box).

The final result is a Shadowsocks (SS) URI generated on Server B, which can be directly imported into clients. Users only need one-click import to start using it.

✅ Applicable Scenarios

Server Roles

  • Server B as entry / relay

  • Server C as exit / landing

Deployment Characteristics

  • Server B is located close to users (e.g. domestic / low latency)

  • Server C is located at the actual outbound network (e.g. international / landing)

Automation Goals

  • Automate complex sing-box configuration workflows

  • The script will:

    • Automatically install required dependencies and sing-box

    • Automatically generate and write /etc/sing-box/config.json

    • Automatically enable the sing-box systemd service

🧭 Architecture Overview

Client → Server B (SS relay node) → Server C (AnyTLS landing node) → Internet

Server C (Landing / Exit)

  • Provides AnyTLS inbound (TLS + self-signed certificate)

  • Default listening port: TCP 8443

Server B (Relay)

  • Provides Shadowsocks (SS-2022) inbound

  • Forwards traffic to Server C via AnyTLS

  • The script outputs an SS URI that can be directly imported into clients

🛠️ Usage

Download and Run the Script

curl -O https://raw.githubusercontent.com/Cyli00/ss2anytls-autodeploy/refs/heads/main/autodeploy.sh
chmod +x autodeploy.sh
bash autodeploy.sh

The script uses an interactive menu.
It is recommended to configure Server C first, then Server B.

🚀 Quick Deployment Workflow

Server C (Landing)

bash autodeploy.sh

  • Select [2] C (Exit)

  • Set the listening port (default is acceptable)

  • Copy the generated AnyTLS connection information

Server B (Relay)

bash autodeploy.sh

  • Select [1] B (Relay)

  • Paste the Server C connection information

  • Set the SS listening port and node name

  • Obtain the SS URI

Client

  • Use a client that supports SS URI (e.g. Mihomo, sing-box, v2rayN)

  • Import the URI directly and test connectivity

⚠️ Notes

Firewall / Security Group

  • Unopened ports are the most common cause of connection failure.

Configuration File Locations

  • sing-box config: /etc/sing-box/config.json

  • Certificates: /etc/sing-box/certs

Re-runnable Script

  • The script supports adding multiple inbound / outbound configurations

  • Existing configurations are automatically backed up

🌐 Dual-Exit CN2 / 9929 Servers: Specify Outbound Routing on Server B (Important)

If you are using a dual-exit (CN2 / 9929) server, after completing Server B / C deployment, you must configure outbound routing on Server B, otherwise you may encounter:

  • Unstable return IP

  • Traffic exiting via the wrong route

  • Abnormal latency and poor user experience

Run as root on Server B:

wget -qO dual-route.sh --no-check-certificate http://files.leikwanhost.com/dual-route.sh && chmod +x dual-route.sh && bash dual-route.sh

To reconfigure later:

bash dual-route.sh

This script will:

  • Create an independent routing table for each IPv4 address

  • Ensure “traffic exits through the same IP it entered from”

👉 Recommended order

  1. Complete ss2anytls-autodeploy (Server B / C)

  2. Run dual-route.sh on Server B

  3. Test client connectivity again

2
2人已评分
分享
请登录后发表评论

    回复3
    查看全部
    最新最热
點擊這裏開始驗證利群用戶.
Click here to apply for a verified status for the complete function of LeiKwan Square
點擊這裏加入群聊. Click here to join the chat group on Telegram.
在手机上浏览此页面