发表于

v2

Authors

V2

1. 机器

可以选择 Bandwagonhost 或者 GigsGigsCloud 或者一切其他有 CN2 GIA 线路的机器,这里就跳过机器准备了,默认有机器可用

2. Software

安装相关软件,脚本在下面

// 安裝執行檔和 .dat 資料檔
# bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)

其配置文件在 /usr/local/etc/v2ray/config.json

启动停止命令

service v2ray start
service v2ray stop

3. Sysctl.conf 优化

改动文件/etc/sysctl.conf

贴一个自用的 不保证好用就是了

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

###################################################################
# Magic system request Key
# 0=disable, 1=enable all
# Debian kernels have this set to 0 (disable the key)
# See https://www.kernel.org/doc/Documentation/sysrq.txt
# for what other values do
#kernel.sysrq=1

###################################################################
# Protected links
#
# Protects against creating or following links under certain conditions
# Debian kernels have both set to 1 (restricted)
# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
#fs.protected_hardlinks=0
#fs.protected_symlinks=0
# max open files
fs.file-max = 1024000
# max read buffer
net.core.rmem_max = 67108864
# max write buffer
net.core.wmem_max = 67108864
# default read buffer
net.core.rmem_default = 65536
# default write buffer
net.core.wmem_default = 65536
# max processor input queue
net.core.netdev_max_backlog = 4096
# max backlog
net.core.somaxconn = 4096

# resist SYN flood attacks
net.ipv4.tcp_syncookies = 1
# reuse timewait sockets when safe
net.ipv4.tcp_tw_reuse = 1
# turn off fast timewait sockets recycling
#net.ipv4.tcp_tw_recycle = 1
# short FIN timeout
net.ipv4.tcp_fin_timeout = 30
# short keepalive time
net.ipv4.tcp_keepalive_time = 1200
# outbound port range
net.ipv4.ip_local_port_range = 10000 65000
# max SYN backlog
net.ipv4.tcp_max_syn_backlog = 4096
# max timewait sockets held by system simultaneously
net.ipv4.tcp_max_tw_buckets = 5000
# TCP receive buffer
#net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
# TCP write buffer
net.ipv4.tcp_wmem = 4096 65536 67108864
# turn on path MTU discovery
net.ipv4.tcp_mtu_probing = 1
# forward ipv4
net.ipv4.ip_forward = 1
#net.core.default_qdisc=fq_pie
net.core.default_qdisc=cake
#net.ipv4.tcp_congestion_control=bbr2
net.ipv4.tcp_congestion_control=bbr
#net.ipv4.tcp_ecn=1
vm.swappiness=30
vm.vfs_cache_pressure = 200
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_timestamps = 1

然后执行sysctl -p使其生效

4. ulimit 优化

vi /etc/security/limit.conf

*                 soft	  nproc           10240
*                 hard	  nproc           10240
*                 soft    nofile          10240
*                 hard    nofile          10240

root              soft    nproc           10240
root              hard    nproc           10240
root              soft    nofile          10240
root              hard    nofile          10240

vi /etc/profile

ulimit -n 10240
ulimit -u 8192
ulimit -m unlimited

5. ufw

apt-get install ufw -y
ufw allow {想要放行的端口}
ufw list numbered # 查询放行的端口
ufw delete {行号} # 删除记录 建议删除v6相关

6. Prometheus Grafana

1. 安装 exporter

  • 在机器上执行以下命令下载 exporter
wget -O /tmp/v2ray-exporter https://github.com/wi1dcard/v2ray-exporter/releases/latest/download/v2ray-exporter_linux_amd64 && \
mv /tmp/v2ray-exporter /usr/local/bin/v2ray-exporter && \
chmod +x /usr/local/bin/v2ray-exporter
  • 安装完之后执行启动 exporter
nohup v2ray-exporter --v2ray-endpoint "127.0.0.1:10080" > /var/log/v2ray-exporter.log 2>&1 &

上面的 endpoint 是 v2 config 中数据统计的 endpoint

2. 安装 Prometheus

  • 下载 地址
  • 解压
  • chmod +x Prometheus binary
  • 启动 Prometheus
    nohup prometheus --config.file /etc/prometheus/prometheus.yml --web.external-url=/v2ray > /var/log/prometheus.log 2>&1 &

prometheus 配置样例:

global:
 scrape_interval: 15s
 scrape_timeout: 5s
scrape_configs:
 - job_name: v2ray
   metrics_path: /scrape #可定义(虽然我也忘了这个是干什么的)
   static_configs:
    - targets: [127.0.0.1:9550]  # 这个是exporter暴露出来 给到Prometheus

// TODO dashboard 以及 haproxy 转发 配置

7. 域名 DNS SSL

  • 域名 域名随便申请一个就行了,无论是 free 的还是 non-free 的,只要是自己的就行

  • DNS 建议部署 3 套 DNS,DNSpod,阿里 DNS,Hurricane Electric Free DNS

    或者直接用CloudFlare的也行,但是 cloudflare 的 DNS 在国内不是很友好,而且他不能和其他 DNS 提供商共同解析

  • SSL DNSpod 有提供单域名 free 1 年 无限续期的 SSL 证书,Cloudflare也是。可以使用他们之中的任意一家的 SSL 证书,或者使用Let's Encrypt的证书,但是它需要手动刷新,刷新时间是 3 个月

8. 内核优化

我个人使用的是 XanMod 这个内核的Real Time版本,它包含一套BBR + cake的调度算法,还有他自己的一个FQ-PIE的调度算法,然后它也同时提供了一系列patch来优化TCP等其他功能,但是这个patch需要自己编译内核

安装方法

  • 添加 apt repo

    echo 'deb http://deb.xanmod.org releases main' | sudo tee /etc/apt/sources.list.d/xanmod-kernel.list

  • 添加 GPG key

    wget -qO - https://dl.xanmod.org/gpg.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/xanmod-kernel.gpg add -

  • 安装内核

    sudo apt update && sudo apt install linux-xanmod

  • 重启机器

    reboot

上面命令中的 linux-xanmod 可选下面几种:
linux-xanmod [5.15]
linux-xanmod-edge [5.16]
linux-xanmod-lts [5.10]
linux-xanmod-tt [5.15-tt]
linux-xanmod-rt-edge [5.15-rt]
linux-xanmod-rt [5.10-rt]

Extra: 安装 v2ray-exporter & promethus 脚本

#!/bin/bash
# 安装v2ray-exporter
wget -O /tmp/v2ray-exporter https://github.com/wi1dcard/v2ray-exporter/releases/latest/download/v2ray-exporter_linux_amd64
mv /tmp/v2ray-exporter /usr/local/bin/v2ray-exporter
chmod +x /usr/local/bin/v2ray-exporter
# 安装promethus
wget -O /tmp/prometheus.tar.gz https://github.com/prometheus/prometheus/releases/download/v2.30.3/prometheus-2.30.3.linux-amd64.tar.gz
tar -xvzf prometheus.tar.gz
mv /tmp/prometheus-2.30.3.linux-amd64/prometheus /usr/local/bin/prometheus
chmod +x /usr/local/bin/prometheus
echo "安装程序完成"
# 安装必要配置
mkdir -p /etc/prometheus
rm -f /etc/prometheus/prometheus.yml
wget -O /etc/prometheus/prometheus.yml https://raw.githubusercontent.com/masachi/v2ray-exporter/master/prometheus.yml
echo "安装配置完成"
# 启动服务
nohup v2ray-exporter --v2ray-endpoint "127.0.0.1:10080" > /var/log/v2ray-exporter.log 2>&1 &
nohup prometheus --config.file /etc/prometheus/prometheus.yml --web.external-url=/v2ray > /var/log/prometheus.log 2>&1 &
echo "启动服务结束"