This tutorial is also useful for people outside China, since sing-box supports the WireGuard protocol as well.
The lack of tutorials on setting up a proxy VM on Qubes is a major barrier for many Chinese users and deters them from trying the OS. It is also usually very complex to configure firewall rules that route every network packet to a proxy VM. After days of searching, I finally found a decent way to set up a sing-box proxy VM, and no firewall rules need to be configured!
Steps
- Create a new NetVM called proxy-vm and download the sing-box core from the project's GitHub releases (https://github.com/SagerNet/sing-box/releases). I suggest the sing-box-linux-amd64.tar.gz archive rather than the rpm or deb package if you don't want to install anything into your template: the binary then lives directly in proxy-vm. The trade-off is that you have to write your own systemd service (or startup hook) so that sing-box starts automatically when proxy-vm boots.
- Extract the archive and put the sing-box binary into /usr/local/bin in proxy-vm (/usr/local is on the VM's private volume, so it survives reboots). Then follow the Qubes bind-dirs documentation, https://www.qubes-os.org/doc/bind-dirs/, to bind /etc/sing-box to /rw/bind-dirs/etc/sing-box so that the configuration persists as well.
- Download a web UI from https://github.com/MetaCubeX/metacubexd (read the “Use pre-built assets from gh-pages branch” section), or any other Clash-dashboard-compatible UI you prefer, into the bound config directory:
git clone https://github.com/metacubex/metacubexd.git -b gh-pages /rw/bind-dirs/etc/sing-box/ui
- (Optional) Deploy a sing-box subscription-config tool locally in a new VM, for example https://github.com/Toperlock/sing-box-subscribe/blob/main/docs/vercel-en.md, so that you don't have to edit the config by hand every time. The project uses templates to generate a config from the subscription URL you get from your VPN service provider, and it also provides a simple web UI. Be aware that there are websites offering a similar service that are not secure at all: you may leak your proxy server credentials to them. Read the project's readme.md for deployment; it is not covered here.
- Configure /rw/bind-dirs/etc/sing-box/config.json using the sing-box config template below. Add your own proxy server entries under outbounds, and make sure you set a password for the web UI in experimental → clash_api → secret: with an empty secret, any process that can reach the controller can change the proxy settings. (The template defaults to routing everything through the proxy; there is no split routing.)
```json
{
  "log": {
    "disabled": false,
    "level": "error",
    "timestamp": true
  },
  "experimental": {
    "clash_api": {
      "external_controller": "127.0.0.1:6400",
      "external_ui": "/etc/sing-box/ui",
      "secret": "",
      "default_mode": "Proxy"
    },
    "cache_file": {
      "enabled": true,
      "store_fakeip": false
    }
  },
  "dns": {
    "fakeip": {
      "enabled": true,
      "inet4_range": "198.18.0.0/15",
      "inet6_range": "fc00::/18"
    },
    "rules": [
      {
        "clash_mode": "Proxy",
        "server": "remote"
      },
      {
        "clash_mode": "Direct",
        "server": "local"
      }
    ],
    "servers": [
      {
        "type": "https",
        "server": "1.1.1.1",
        "detour": "proxy",
        "tag": "remote"
      },
      {
        "type": "https",
        "server": "223.5.5.5",
        "tag": "local"
      },
      {
        "type": "hosts",
        "path": [],
        "predefined": {},
        "tag": "block"
      },
      {
        "type": "local"
      }
    ],
    "strategy": "prefer_ipv4"
  },
  "inbounds": [
    {
      "address": ["10.139.1.0/30", "fdfe:dcba:9876::1/126"],
      "route_address": ["0.0.0.0/1", "128.0.0.0/1", "::/1", "8000::/1"],
      "route_exclude_address": [
        "192.168.0.0/16",
        "172.16.0.0/12",
        "fc00::/7",
        "10.137.0.0/16",
        "10.138.0.0/16",
        "fd09:24ef:4179::a89:0/112",
        "fd09:24ef:4179::a8a:0/112"
      ],
      "stack": "gvisor",
      "auto_route": true,
      "strict_route": true,
      "sniff": true,
      "type": "tun"
    },
    {
      "listen": "127.0.0.1",
      "listen_port": 2333,
      "tag": "mixed-in",
      "type": "mixed",
      "users": []
    }
  ],
  "outbounds": [
    {
      "tag": "proxy",
      "type": "selector",
      "outbounds": [
        "auto",
        "direct",
        "{all}"
      ]
    },
    {
      "tag": "auto",
      "type": "urltest",
      "outbounds": [
        "{all}"
      ],
      "url": "http://www.gstatic.com/generate_204",
      "interval": "10m",
      "tolerance": 50
    },
    {
      "type": "direct",
      "tag": "direct"
    }
  ],
  "route": {
    "auto_detect_interface": true,
    "default_domain_resolver": "local",
    "final": "proxy",
    "rules": [
      {
        "action": "sniff"
      },
      {
        "protocol": "dns",
        "action": "hijack-dns"
      },
      {
        "clash_mode": "Direct",
        "outbound": "direct"
      },
      {
        "clash_mode": "Proxy",
        "outbound": "proxy"
      },
      {
        "ip_is_private": true,
        "outbound": "direct"
      }
    ]
  }
}
```
- Validate the config with sing-box check -c /etc/sing-box/config.json, then run sing-box (the binary in the tarball is named sing-box; root is required to create the tun interface):
sudo sing-box run -c /etc/sing-box/config.json
- Open http://127.0.0.1:6400 in Firefox inside proxy-vm to reach the web UI. The controller listens on loopback only, so it is not reachable from other qubes.
- Set your AppVM's NetVM to proxy-vm. It should just work: no firewall rules need to be added.
- (Optional) Check for DNS leaks at ipleak.net from an AppVM behind proxy-vm.
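Step 1 leaves writing the systemd service to the reader. As an added example (not from the original post, and not the sing-box project's own unit file), here are the persistence pieces in one POSIX shell function: the bind-dirs entry for /etc/sing-box and for the unit file, the unit itself, and an rc.local hook that starts it, because the symlink a plain systemctl enable would create lands in the template's /etc and is gone after a reboot. The function writes everything under a root directory you pass, so you can dry-run it into a scratch directory and inspect the files before running it against / in proxy-vm. It assumes the binary is at /usr/local/bin/sing-box and the config at /etc/sing-box/config.json; the file name 50_sing-box.conf is my choice, not a Qubes convention.

```shell
#!/bin/sh
# Added example, not from the original post. Writes the three files that make
# sing-box persistent in a Qubes AppVM/NetVM:
#   1. a bind-dirs entry so /etc/sing-box and the unit file survive reboots,
#   2. the systemd unit itself, stored under /rw/bind-dirs so it persists,
#   3. an rc.local hook that starts the service late in boot.
# Assumptions: binary at /usr/local/bin/sing-box, config at /etc/sing-box/config.json.
# Usage: install_singbox_persistence ROOT
#        ROOT=/ on the real proxy-vm, or a scratch directory for a dry run.

install_singbox_persistence() {
    root="${1%/}"   # "/" becomes "", so every path below stays absolute
    mkdir -p "$root/rw/config/qubes-bind-dirs.d" \
             "$root/rw/bind-dirs/etc/sing-box" \
             "$root/rw/bind-dirs/etc/systemd/system"

    # 1. bind-dirs: at boot Qubes bind-mounts each listed path from /rw/bind-dirs.
    cat > "$root/rw/config/qubes-bind-dirs.d/50_sing-box.conf" <<'EOF'
binds+=( '/etc/sing-box' )
binds+=( '/etc/systemd/system/sing-box.service' )
EOF

    # 2. systemd unit. Runs as root because creating the tun device needs
    #    CAP_NET_ADMIN; Restart=on-failure covers a bad config edit.
    cat > "$root/rw/bind-dirs/etc/systemd/system/sing-box.service" <<'EOF'
[Unit]
Description=sing-box proxy (Qubes proxy-vm)
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/sing-box run -c /etc/sing-box/config.json
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

    # 3. rc.local runs after bind-dirs are mounted, so the unit is visible to
    #    systemd by then. Appending is idempotent: re-running adds no duplicate.
    rc="$root/rw/config/rc.local"
    [ -s "$rc" ] || printf '#!/bin/sh\n' > "$rc"
    if ! grep -q 'sing-box.service' "$rc"; then
        printf '%s\n' 'systemctl daemon-reload' \
                      'systemctl start sing-box.service' >> "$rc"
    fi
    chmod +x "$rc"
}

# Only act when a root is given, so sourcing the file is side-effect free.
if [ $# -gt 0 ]; then
    install_singbox_persistence "$1"
fi
```

Dry-run with `sh install.sh /tmp/dryrun` and read the generated files; then `sudo sh install.sh /` in proxy-vm and reboot it. Because the unit is bind-mounted rather than enabled, `systemctl status sing-box` is the place to look if the tun interface is missing after boot.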
Key point
Sing-box can handle almost everything by itself as long as you use a correct config. The key points of the config I provide are in the inbound section:
- “stack”: “gvisor”: gvisor mode needs no firewall changes and works perfectly in Qubes. “system” mode will not work unless you modify the firewall configuration, and gvisor (a userspace network stack inside sing-box) is also more secure than system.
- Do not set “auto_redirect”: true: the official sing-box documentation strongly recommends enabling auto_redirect on Linux, but in Qubes it interferes with the nftables rules Qubes manages and sing-box simply stops working.
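The secret warning in the config step and the two key points above are easy to get wrong when config.json is edited by hand, so here is a small lint script, added as an example (not part of the original post or of sing-box), that reads a sing-box config and reports the Qubes-specific pitfalls the page names: an empty clash_api secret, a controller not bound to loopback, a tun stack other than gvisor, auto_redirect enabled, Qubes' 10.137.0.0/16 and 10.138.0.0/16 missing from route_exclude_address, and an unauthenticated mixed/socks/http inbound on a non-loopback address. harden() returns a copy with those settings fixed and a random secret generated. WEAK_CONFIG is a constructed sample with every pitfall present; the Qubes address ranges are taken from the page's own route_exclude_address list, and the function names are mine.

```python
"""Lint a sing-box config.json for the Qubes-specific pitfalls named on the page.

Added example, not part of the original post or of the sing-box project.
"""
from __future__ import annotations

import copy
import ipaddress
import json
import secrets

# Qubes vif address ranges (assumption taken from the page's route_exclude_address
# list); traffic to them must bypass the tun or inter-VM networking breaks.
QUBES_INTERNAL_NETS = ("10.137.0.0/16", "10.138.0.0/16")
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def _host_of(listen: str) -> str:
    """Return the host part of 'host:port' or '[v6]:port'."""
    if listen.startswith("["):
        return listen[1:listen.index("]")]
    return listen.rsplit(":", 1)[0]


def _covered(net: str, excludes: list[str]) -> bool:
    """True if some CIDR in excludes contains all of net (supernets count)."""
    want = ipaddress.ip_network(net)
    for cidr in excludes:
        have = ipaddress.ip_network(cidr, strict=False)
        if have.version == want.version and want.subnet_of(have):
            return True
    return False


def lint_singbox_config(cfg: dict) -> list[str]:
    """Return one human-readable finding per pitfall; empty list means clean."""
    findings: list[str] = []
    api = cfg.get("experimental", {}).get("clash_api", {})
    if api and not api.get("secret"):
        findings.append("clash_api.secret is empty: anyone reaching the controller can reconfigure the proxy")
    if api and _host_of(api.get("external_controller", "127.0.0.1:9090")) not in LOOPBACK_HOSTS:
        findings.append("clash_api.external_controller is not bound to loopback")
    for ib in cfg.get("inbounds", []):
        if ib.get("type") == "tun":
            if ib.get("stack") != "gvisor":
                findings.append('tun.stack is not "gvisor": the system stack needs firewall rules on Qubes')
            if ib.get("auto_redirect"):
                findings.append("tun.auto_redirect is enabled: it fights the nftables rules Qubes manages")
            excl = ib.get("route_exclude_address", [])
            for net in QUBES_INTERNAL_NETS:
                if not _covered(net, excl):
                    findings.append(f"tun.route_exclude_address does not cover Qubes range {net}")
        elif ib.get("type") in ("mixed", "socks", "http"):
            if ib.get("listen") not in LOOPBACK_HOSTS and not ib.get("users"):
                findings.append(f'{ib["type"]} inbound "{ib.get("tag")}" listens on {ib.get("listen")} without users')
    return findings


def new_secret() -> str:
    """A random clash_api secret: 24 random bytes, URL-safe base64 (32 chars)."""
    return secrets.token_urlsafe(24)


def harden(cfg: dict) -> dict:
    """Return a deep copy with the page's recommended settings applied."""
    out = copy.deepcopy(cfg)
    api = out.setdefault("experimental", {}).setdefault("clash_api", {})
    if not api.get("secret"):
        api["secret"] = new_secret()
    port = api.get("external_controller", "127.0.0.1:9090").rsplit(":", 1)[-1]
    api["external_controller"] = f"127.0.0.1:{port}"
    for ib in out.get("inbounds", []):
        if ib.get("type") == "tun":
            ib["stack"] = "gvisor"
            ib.pop("auto_redirect", None)
            excl = ib.setdefault("route_exclude_address", [])
            for net in QUBES_INTERNAL_NETS:
                if not _covered(net, excl):
                    excl.append(net)
        elif ib.get("type") in ("mixed", "socks", "http") and not ib.get("users"):
            ib["listen"] = "127.0.0.1"  # unauthenticated proxies stay local-only
    return out


# Constructed sample (not a real deployment): the page's template with every pitfall present.
WEAK_CONFIG = json.loads("""{
  "experimental": {"clash_api": {"external_controller": "0.0.0.0:6400",
                                 "external_ui": "/etc/sing-box/ui", "secret": ""}},
  "inbounds": [
    {"type": "tun", "address": ["10.139.1.0/30"], "auto_route": true,
     "auto_redirect": true, "stack": "system",
     "route_exclude_address": ["192.168.0.0/16", "172.16.0.0/12"]},
    {"type": "mixed", "tag": "mixed-in", "listen": "0.0.0.0",
     "listen_port": 2333, "users": []}
  ],
  "outbounds": [{"type": "direct", "tag": "direct"}]
}""")

if __name__ == "__main__":
    for finding in lint_singbox_config(WEAK_CONFIG):
        print("FINDING:", finding)
    print(json.dumps(harden(WEAK_CONFIG), indent=2))
```

To check the real file in proxy-vm, load /etc/sing-box/config.json with json.load and pass the dict to lint_singbox_config(); an empty list means none of the pitfalls above are present. The supernet check in _covered() matters because a config that excludes 10.0.0.0/8 already covers both Qubes ranges and should not be flagged.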