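Setting up wireproxy over warp on Serv00 (working around the UDP port restriction) + Xray (using the latest XHTTP protocol) behind Cloudflare

Introduction

I recently registered a Serv00 account on the S14 "season" and wanted to set up a proxy to play with. Because Serv00's native IPs have a poor reputation, routing through warp is a must. With low privileges on a VPS, warp is usually set up with wireproxy, a userspace WireGuard implementation. wireproxy needs to listen on a TCP port as its socks5 inbound, and at the same time it opens a random UDP port to talk to Cloudflare's servers. However, Serv00 restricts ports, so you cannot freely choose which ones to open, and on Serv00 the port bind almost always fails: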

DEBUG: 2024/12/16 08:19:45 UAPI: Updating private key
DEBUG: 2024/12/16 08:19:45 peer(bmXO…fgyo) - UAPI: Created
DEBUG: 2024/12/16 08:19:45 peer(bmXO…fgyo) - UAPI: Updating persistent keepalive interval
DEBUG: 2024/12/16 08:19:45 peer(bmXO…fgyo) - UAPI: Updating preshared key
DEBUG: 2024/12/16 08:19:45 peer(bmXO…fgyo) - UAPI: Updating endpoint
DEBUG: 2024/12/16 08:19:45 peer(bmXO…fgyo) - UAPI: Adding allowedip
DEBUG: 2024/12/16 08:19:45 peer(bmXO…fgyo) - UAPI: Adding allowedip
ERROR: 2024/12/16 08:19:45 Unable to update bind: listen udp6 :14977: bind: operation not permitted
DEBUG: 2024/12/16 08:19:45 Interface state was Down, requested Up, now Down
2024/12/16 08:19:45 listen udp6 :14977: bind: operation not permitted

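Existing workarounds (link) usually use local proxy software such as Clash to add the warp endpoint as the second hop, with Serv00 as the first hop, forming a proxy chain on the local machine. But because the proxy chain runs inside the firewall, the traffic between hops may suffer network performance problems, and the setup becomes more complex.

This post describes a way around the UDP port restriction hit when starting wireproxy on Serv00: run the warp client on the server and configure the Xray server to forward traffic into warp on the same machine, which improves performance and simplifies configuration. The connection between the client inside the firewall and the server uses Xray's newly developed XHTTP protocol together with Cloudflare, which solves the problem of Serv00 not being directly reachable from inside the firewall.

Serv00 configuration

Start in the Serv00 web interface.

Port configuration

Under Port reservation, open 3 ports:

  • 26646/tcp: Xray's inbound listening port;
  • 11542/tcp: wireproxy's socks5 listening port;
  • 9956/udp: wireproxy's UDP port.

Program execution permission

Enable the permission under Additional services → Run your own applications.

When running wireproxy and Xray below, you can use tools such as screen or nohup to keep them running in the background. Search online for how to use screen.

wireproxy configuration

First download wireproxy. Serv00's servers run FreeBSD, while wireproxy officially provides only Linux builds, so you need to compile it yourself. See how Go cross-compiles by setting the GOOS=freebsd environment variable. A prebuilt binary is provided here: download. If you would rather not trust it, download the source and build it yourself.

Then download wgcf, which is used to create the warp account. Make sure to choose the freebsd amd64 build.

Run on Serv00: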

# Grant execute permission; change the file names to match the ones you downloaded
chmod +x wgcf_2.2.23_freebsd_amd64
chmod +x wireproxy-freebsd

# Create the warp account with wgcf
./wgcf_2.2.23_freebsd_amd64 register
./wgcf_2.2.23_freebsd_amd64 generate

Edit the generated wgcf-profile.conf file:

[Interface]
PrivateKey = MPSl4DWdB6xxxxxxxxxhEFx5TIAvzdqiSHc=
Address = 172.16.0.2/32, 2606:4700:110:8278:582c:43db:5af3:96fd/128
DNS = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
MTU = 1280
ListenPort = 9956
[Peer]
PublicKey = bmXOC+F1FxxxxxxxxuVo51h2wPfgyo=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = engage.cloudflareclient.com:2408
[Socks5]
BindAddress = 0.0.0.0:11542

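The changes are:

  • ListenPort = 9956 sets the UDP port to listen on; change it to the one you just created in the Serv00 panel. Without this line you get the error shown at the start of this post.
  • Add a [Socks5] section; change the port number in BindAddress = 0.0.0.0:11542 to the one you just created in the Serv00 panel.

Start wireproxy: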

[xxxxx@s14]:<~/warp>$ ./wireproxy-freebsd -c wgcf-profile.conf 
DEBUG: 2024/12/16 08:37:48 UAPI: Updating private key
DEBUG: 2024/12/16 08:37:48 UAPI: Updating listen port
DEBUG: 2024/12/16 08:37:48 peer(bmXO…fgyo) - UAPI: Created
DEBUG: 2024/12/16 08:37:48 peer(bmXO…fgyo) - UAPI: Updating persistent keepalive interval
DEBUG: 2024/12/16 08:37:48 peer(bmXO…fgyo) - UAPI: Updating preshared key
DEBUG: 2024/12/16 08:37:48 peer(bmXO…fgyo) - UAPI: Updating endpoint
DEBUG: 2024/12/16 08:37:48 peer(bmXO…fgyo) - UAPI: Adding allowedip
DEBUG: 2024/12/16 08:37:48 peer(bmXO…fgyo) - UAPI: Adding allowedip
DEBUG: 2024/12/16 08:37:48 UDP bind has been updated
DEBUG: 2024/12/16 08:37:48 peer(bmXO…fgyo) - Starting
DEBUG: 2024/12/16 08:37:48 Interface state was Down, requested Up, now Up
DEBUG: 2024/12/16 08:37:48 Routine: encryption worker 1 - started
DEBUG: 2024/12/16 08:37:48 Routine: decryption worker 1 - started
DEBUG: 2024/12/16 08:37:48 Routine: handshake worker 1 - started
DEBUG: 2024/12/16 08:37:48 Routine: encryption worker 2 - started
DEBUG: 2024/12/16 08:37:48 Routine: decryption worker 2 - started
DEBUG: 2024/12/16 08:37:48 Routine: handshake worker 2 - started
DEBUG: 2024/12/16 08:37:48 Routine: encryption worker 3 - started
DEBUG: 2024/12/16 08:37:48 Routine: decryption worker 3 - started
DEBUG: 2024/12/16 08:37:48 Routine: handshake worker 3 - started
DEBUG: 2024/12/16 08:37:48 Routine: encryption worker 4 - started
DEBUG: 2024/12/16 08:37:48 Routine: decryption worker 4 - started
DEBUG: 2024/12/16 08:37:48 Routine: handshake worker 4 - started
DEBUG: 2024/12/16 08:37:48 Routine: encryption worker 5 - started
DEBUG: 2024/12/16 08:37:48 Routine: decryption worker 5 - started
DEBUG: 2024/12/16 08:37:48 Routine: handshake worker 5 - started
DEBUG: 2024/12/16 08:37:48 Routine: TUN reader - started
DEBUG: 2024/12/16 08:37:48 Routine: event worker - started
DEBUG: 2024/12/16 08:37:48 Interface up requested
DEBUG: 2024/12/16 08:37:48 Routine: receive incoming v4 - started
DEBUG: 2024/12/16 08:37:48 Routine: receive incoming v6 - started
DEBUG: 2024/12/16 08:37:48 peer(bmXO…fgyo) - Routine: sequential sender - started
DEBUG: 2024/12/16 08:37:48 peer(bmXO…fgyo) - Routine: sequential receiver - started

No errors means it started successfully. Test with curl:

[xxxx@s14]:<~/warp>$ curl -x socks5h://127.0.0.1:11542 ipv4.ip.sb # change this to your own proxy port
104.28.193.182

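You can see that the connection to warp succeeded.

Xray server configuration

Download Xray (make sure to get the freebsd-64 build) and unpack it. Create a new file config.json as follows: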

{
    "log": {
        "access": "access.log",
        "error": "error.log",
        "loglevel": "info"
    },
    "inbounds": [
        {
            "listen": "0.0.0.0",
            "port": 26646,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "c331c125-c959-4fe9-9343-3818643b61f8"
                    }
                ],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "xhttp",
                "security": "tls",
                "tlsSettings": {
                    "serverName": "serv00.example.in",
                    "certificates": [
                        {
                            "certificate": [
                                "-----BEGIN CERTIFICATE-----",
                                "MIIDIjCCAsigAwIBAgIURZN70v8bQs7TRB+b1QAQpRrpYOMwCgYIKoZIzj0EAwIw",
                                "gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T",
                                "YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL",
                                "Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0",
                                "eTAeFw0yNDEyMTYwNjI2MDBaFw0zOTEyMTMwNjI2MDBaMGIxGTAXBgNVBAoTEENs",
                                "b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw",
                                "JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49",
                                "AgEGCCqGSM49AwEHA0IABF+r4fFgLoo6bnmxgUpx1mEj/axYzm0y2ZRsk2romnlp",
                                "2UzLmJGLSWxavTeRhR99UeTw6zruIrXRxQvKKhwTYOWjggEsMIIBKDAOBgNVHQ8B",
                                "Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB",
                                "/wQCMAAwHQYDVR0OBBYEFD5S0OmNAkFl6hquyRwpPiPN+cn+MB8GA1UdIwQYMBaA",
                                "FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw",
                                "AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAlBgNV",
                                "HREEHjAcgg0qLmxpdHRsZXJhLmluggtsaXR0bGVyYS5pbjA8BgNVHR8ENTAzMDGg",
                                "L6AthitodHRwOi8vY3JsLmNsb3VkZmxhcmUuY29tL29yaWdpbl9lY2NfY2EuY3Js",
                                "MAoGCCqGSM49BAMCA0gAMEUCIG69OC3XMk0KjQuHoMX/WCtvGrD+d6Gry/z37imD",
                                "HJp8AiEAmcDSr/pLjsu5zZOp2wbhVe+J1l7c6ex4X+as393PdWg=",
                                "-----END CERTIFICATE-----"
                            ],
                            "key": [
                                "-----BEGIN PRIVATE KEY-----",
                                "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgaF+HT09FgVaOhHs8",
                                "lb1arvPbM5gVlAUG/5gvehXodHihRANCAARfq+HxYC6KOm55sYFKcdZhI/2sWM5t",
                                "MtmUbJNq6Jp5adlMy5iRi0lsWr03kYUffVHk8Os67iK10cULyiocE2Dl",
                                "-----END PRIVATE KEY-----"
                            ]
                        }
                    ]
                },
                "xhttpSettings": {
                    "host": "serv00.example.in",
                    "path": "/serv00",
                    "mode": "auto"
                }
            },
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls"
                ]
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "socks",
            "settings":{
                "servers": [
                    {
                        "address": "127.0.0.1",
                        "port": 11542
                    }
                ]
            }
        }
    ],
    "routing": {}
}

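Key points:

  • Change 26646 to the Xray port you just created in the Serv00 panel;
  • Change 11542 to the socks5 port wireproxy listens on;
  • Generate your own UUID;
  • Change serv00.example.in to your own domain (in two places);
  • The certificates entry here uses a 15-year Cloudflare origin certificate; you can generate your own in the Cloudflare dashboard under SSL/TLS → Origin Server.

For custom XHTTP configuration, see: https://github.com/XTLS/Xray-core/discussions/4113

For other Xray configuration, see: https://xtls.github.io/

Run: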

./xray -c config.json

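Cloudflare configuration

  • Add your own domain serv00.example.in with an A record pointing to the Serv00 IP; for S14, for example, that is 188.68.234.53. Turn on the orange cloud;
  • Confirm that Current encryption mode under SSL/TLS → Overview is full;
  • Under Rules → Origin Rules, add a Change Port rule and set the port to Xray's listening port.

Xray client configuration

The config.json is as follows: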

{
    "log": {
        "access": "access-client.log",
        "error": "error-client.log",
        "loglevel": "info"
    },
    "inbounds": [
        {
            "listen": "0.0.0.0",
            "port": 10808,
            "protocol": "socks",
            "settings": {}
        },
        {
            "listen": "0.0.0.0",
            "port": 10801,
            "protocol": "http",
            "settings": {}
        }
    ],
    "outbounds": [
        {
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                        "address": "serv00.example.in",
                        "port": 443,
                        "users": [
                            {
                                "id": "c331c125-c959-4fe9-9343-3818643b61f8",
                                "encryption": "none"
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "xhttp",
                "security": "tls",
                "tlsSettings": {
                    "serverName": "serv00.example.in",
                    "allowInsecure": true,
                    "fingerprint":"chrome"
                },
                "xhttpSettings": {
                    "host": "serv00.example.in",
                    "path": "/serv00",
                    "mode": "auto"
                }
            },
            "tag": "proxy"
        },
        {
            "protocol": "freedom",
            "tag": "direct"
        }
    ],
    "routing": {}
}

Key points:

  • Change serv00.example.in to your own domain (in 3 places);
  • Change the UUID to the one you just generated.

An example command for starting the Xray client on Windows:

xray.exe -c config.json

Test:

λ curl -x socks5h://127.0.0.1:10808 ipv4.ip.sb -v
*   Trying 127.0.0.1:10808...
* SOCKS5 connect to ipv4.ip.sb:80 (remotely resolved)
* SOCKS5 request granted.
* Connected to 127.0.0.1 () port 10808
* using HTTP/1.x
* Connected to 127.0.0.1 (127.0.0.1) port 10808
* using HTTP/1.x
> GET / HTTP/1.1
> Host: ipv4.ip.sb
> User-Agent: curl/8.10.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Mon, 16 Dec 2024 07:54:59 GMT
< Content-Type: text/plain
< Content-Length: 15
< Connection: keep-alive
< Cache-Control: no-cache
< CF-Cache-Status: DYNAMIC
< Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oIrBvJt%2FH6L1i9hvmzl6A8lz726S11xQt%2FG%2FRMYSPtLHaYsYqmrQSxzzHchoDUFsR4NK19i%2BMNyjCbhzaF4Dg4rQoxMw%2BC3WtbnFh5lwVunAOBoe5Vs9ugzdZoE%3D"}],"group":"cf-nel","max_age":604800}
< NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< Server: cloudflare
< CF-RAY: 8f2d1bc67981b194-WAW
< alt-svc: h3=":443"; ma=86400
< server-timing: cfL4;desc="?proto=TCP&rtt=0&min_rtt=0&rtt_var=0&sent=0&recv=0&lost=0&retrans=0&sent_bytes=0&recv_bytes=0&delivery_rate=0&cwnd=0&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
<
104.28.193.182
* Connection #0 to host 127.0.0.1 left intact


λ lip 104.28.193.182
Offline lookup result of 104.28.193.182:
+-----------+----------------+----------------+------+-----+------------+
|  SOURCE   |    COUNTRY     |     REGION     | CITY | ISP | ADDITIONAL |
+-----------+----------------+----------------+------+-----+------------+
| ip2region |      美国      |                |      |     |            |
+-----------+----------------+----------------+------+-----+------------+
|   qqwry   | 美国  CZ88.NET |                |      |     |            |
+-----------+----------------+----------------+------+-----+------------+
|   ipip    | CLOUDFLARE.COM | CLOUDFLARE.COM |      |     |            |
+-----------+----------------+----------------+------+-----+------------+
Fetching results from online sources...
Online lookup result of 104.28.193.182:
+--------+---------+---------+--------+--------------------------------+------------+
| SOURCE | COUNTRY | REGION  |  CITY  |              ISP               | ADDITIONAL |
+--------+---------+---------+--------+--------------------------------+------------+
| ip-api | Poland  | Mazovia | Warsaw |  Cloudflare, Inc., Cloudflare  |            |
|        |         |         |        | WARP, AS13335 Cloudflare, Inc. |            |
+--------+---------+         +        +--------------------------------+------------+
| ipinfo |   PL    |         |        |    AS13335 Cloudflare, Inc.    |            |
|        |         |         |        |  cloudflare.com, Cloudflare,   |            |
|        |         |         |        |              Inc.              |            |
+--------+---------+---------+--------+--------------------------------+------------+

You can see that it is now a warp IP.

The network topology is as follows:

Local machine -> (firewall) -> Cloudflare -> (Serv00) Xray -> (Serv00) wireproxy -> Cloudflare Warp
76 Likes
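
A configuration check for the three files in the post above, added here as an example (not the author's code): it flags a missing ListenPort, a wireproxy socks5 listener or Xray client inbound bound to all interfaces without authentication, a server socks outbound that does not point at wireproxy's port, and allowInsecure on the client. The function name audit and the reduced sample configs are assumptions constructed for illustration.

```python
import configparser

LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

def audit(wireproxy_conf, server, client):
    """Return findings for the wireproxy + Xray server/client configs."""
    out = []
    wp = configparser.ConfigParser(delimiters=("=",))
    wp.read_string(wireproxy_conf)
    # No ListenPort: wireproxy binds a random UDP port, which Serv00 rejects.
    if not wp.has_option("Interface", "ListenPort"):
        out.append("wireproxy: ListenPort missing")
    host, _, port = wp.get("Socks5", "BindAddress").strip().rpartition(":")
    # A non-loopback bind without Username/Password is an open proxy.
    if host not in LOOPBACK and not wp.has_option("Socks5", "Username"):
        out.append(f"wireproxy: unauthenticated socks5 on {host}:{port}")
    # The Xray server's socks outbound must target wireproxy's port.
    for ob in server.get("outbounds", []):
        if ob.get("protocol") == "socks":
            for srv in ob["settings"]["servers"]:
                if str(srv["port"]) != port:
                    out.append(f"xray server: outbound port {srv['port']} != {port}")
    for ob in client.get("outbounds", []):
        tls = ob.get("streamSettings", {}).get("tlsSettings", {})
        if tls.get("allowInsecure"):
            out.append("xray client: allowInsecure disables certificate verification")
    # Local inbounds on all interfaces without accounts serve the whole LAN.
    for ib in client.get("inbounds", []):
        if ib.get("listen") not in LOOPBACK and not ib.get("settings", {}).get("accounts"):
            out.append(f"xray client: open {ib['protocol']} inbound on {ib.get('listen')}:{ib['port']}")
    return out

# Constructed samples, reduced from the configs in the post (key is a placeholder).
WP_POST = """[Interface]
PrivateKey = PLACEHOLDER
ListenPort = 9956
[Socks5]
BindAddress = 0.0.0.0:11542
"""
SERVER = {"outbounds": [{"protocol": "socks",
          "settings": {"servers": [{"address": "127.0.0.1", "port": 11542}]}}]}
CLIENT_POST = {
    "inbounds": [{"listen": "0.0.0.0", "port": 10808, "protocol": "socks", "settings": {}},
                 {"listen": "0.0.0.0", "port": 10801, "protocol": "http", "settings": {}}],
    "outbounds": [{"protocol": "vless", "streamSettings": {"tlsSettings": {
        "serverName": "serv00.example.in", "allowInsecure": True}}}]}

if __name__ == "__main__":
    print("\n".join(audit(WP_POST, SERVER, CLIENT_POST)))
```
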

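Thanks for the tutorial

The main feature of the XHTTP protocol is separating upstream and downstream. I either didn't understand your config or didn't see any separation in it, so what is the advantage of using XHTTP?

Right, there is indeed no separation. It's just a minimal configuration for demonstration, used only to get through the CDN.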

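xray itself supports a Wireguard outbound, so why wrap it with wireproxy?

It seems that would also run into the UDP port bind failure from the start of the post

By the way, does this really have any impact? Although I'm using it too

The news has only just come out, so it's hard to say yet. There is a discussion thread here: [Breaking] Cloudflare officially prohibits setting up proxies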

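Bookmarking this for now :tieba_087: :tieba_087:

So if Xray's Wireguard could support binding the UDP port, it wouldn't need to be this complicated?

It doesn't work, I can't run wgcf_2.2.23_freebsd_amd64; even after granting execute permission it still fails: -bash: ./wgcf_2.2.23_freebsd_amd64: 拒绝访问. I'm using ct8; the two should be about the same, right? A restart fixed it, haha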

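How do you pick a preferred IP for wireproxy?

If you mean the IP the server uses to connect to warp, you can change engage.cloudflareclient.com there

You're amazing; as for me, I simply don't understand it

nmap -sS 88.68.234.53 -p 1-65535, scan for a free socks5 :tieba_025:

Everyone knows what 0.0.0.0 means :tieba_025: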

1 Like

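Nice, very impressive, thanks

Thanks for the tutorial

How do I use this with v2ray?
On PC, xray -c config.json runs fine, but I don't know how to use it

If it's for the client, you can look at the related tutorials in the official documentation: Project X

./wireproxy-freebsd -c wgcf-profile.conf tends to crash not long after it starts; is there any way to fix that?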

1 Like