proxy-networking

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Proxy Networking

代理网络构建

Goal

目标

Build a relay-to-exit proxy network from user-supplied relay machines, exit machines, bandwidth, and relationship mappings.

Default target:

text

client -> relay sing-box VLESS Reality inbound -> WireGuard tunnel -> exit Linux egress

Flexible migration target:

text

client -> existing relay entrypoint -> existing Realm bridge -> WireGuard tunnel -> existing exit Xray/VLESS Reality

Use

v2ray-agent

vasma

as the preferred installer and manager for Xray or sing-box VLESS Reality when a host needs a new VLESS stack or already uses that project. Directly edit generated configs when preserving existing links, adding WireGuard behind an existing service, or making a small targeted repair.

Keep TCP/kernel tuning delegated to the

network-tune

skill in this repository. Use this skill for topology, proxy services, WireGuard links, maintenance, link generation, and per-link measurement.

基于用户提供的中继机器、出口机器、带宽及关联映射，构建中继到出口的代理网络。

默认目标拓扑：

text

client -> relay sing-box VLESS Reality inbound -> WireGuard tunnel -> exit Linux egress

灵活迁移目标拓扑：

text

client -> existing relay entrypoint -> existing Realm bridge -> WireGuard tunnel -> existing exit Xray/VLESS Reality

当主机需要新的VLESS栈或已在使用该项目时，优先使用

v2ray-agent

vasma

作为Xray或sing-box VLESS Reality的安装器与管理器。当需要保留现有链路、在现有服务后添加WireGuard或进行小范围定向修复时，直接编辑生成的配置文件。

将TCP/内核调优任务委托给本仓库中的

network-tune

技能。本技能负责拓扑设计、代理服务配置、WireGuard链路搭建、维护工作、链接生成及单链路性能测试。

Inputs To Normalize

需要标准化的输入

Collect or infer a topology table before changing hosts:

text

relays:
  - ip / ssh target / bandwidth / region / current services / desired public ports
exits:
  - ip / ssh target / bandwidth / region / current services / desired egress role
relationships:
  - relay -> one or more exits
  - per relationship: public inbound port, protocol preference, preserve existing link yes/no, label

If the user gives only IPs, use

root@IP

. Treat bandwidth values as operator intent; use Speedtest or iperf only to validate link behavior.

在修改主机前，收集或推断拓扑表：

text

relays:
  - ip / ssh目标 / 带宽 / 区域 / 当前服务 / 期望公网端口
exits:
  - ip / ssh目标 / 带宽 / 区域 / 当前服务 / 期望出口角色
relationships:
  - relay -> 一个或多个exits
  - 每个关联项：公网入站端口、协议偏好、是否保留现有链路、标签

若用户仅提供IP，则使用

root@IP

作为SSH目标。将带宽值视为运维意图；仅使用Speedtest或iperf验证链路行为。

Workflow

工作流程

Run preflight before changing any host:
- Read
```
references/preflight.md
```
  .
- Mark a host or relationship as
```
blocked
```
  when kernel, package, disk, SSH, port, or UDP direction checks fail.
- Keep blocked relationships on their current working path and report the exact blocker.
Inventory every relay and exit over SSH:
- OS, kernel, public/private IPs, interfaces, routes, bandwidth notes.
- Services:
```
sing-box
```
  ,
```
xray
```
  ,
```
realm
```
  ,
```
wg-quick@*
```
  ,
```
nginx
```
  ,
```
hysteria
```
  ,
```
tuic
```
  .
- Config paths:
```
/root/realm.toml
```
  ,
```
/etc/v2ray-agent/xray/conf
```
  ,
```
/etc/sing-box
```
  ,
```
/usr/local/etc/sing-box
```
  ,
```
/etc/wireguard
```
  .
Classify each relationship:
- Fresh build: relay terminates VLESS Reality with sing-box and exits through WireGuard.
- Existing Realm bridge: keep the client-facing port and change Realm's remote target to the exit WireGuard IP.
- Existing sing-box/Xray entry: add only missing inbounds, outbounds, routes, peers, or systemd persistence.
Create a per-link plan:
- WireGuard tunnel address, port, MTU, preshared key, allowed IPs.
- WireGuard interface name, compressed to Linux's 15-byte interface limit.
- Relay inbound tag and public port.
- Exit egress behavior: NAT gateway for fresh builds, or private Xray target for bridge preservation.
- Connection direction: relay dials exit, or exit dials relay when exit-side public UDP ingress is unavailable.
- Verification commands and rollback paths.
Apply one relationship at a time using the state model in
```
references/link-state.md
```
:
- Back up all touched files with timestamps.
- Follow
```
references/ssh-execution.md
```
  for SSH invocation shape.
- Follow
```
references/package-policy.md
```
  before installing packages.
- Use
```
v2ray-agent
```
  /
```
vasma
```
  for fresh VLESS Reality stacks when appropriate.
- Create or update WireGuard peers.
- Create or update sing-box, Realm, Xray, NAT, and systemd units according to the selected pattern.
- For Realm bridge updates, follow
```
references/realm-safety.md
```
  and prefer
```
scripts/patch-realm-endpoint.py
```
  .
Verify:
- Read
```
references/verification.md
```
  .
- ```
wg show
```
  , ping over WireGuard, TCP reachability to private exit target.
- ```
iperf3
```
  public UDP, WireGuard TCP, and reverse direction tests.
- Client-facing port reachability from the relay.
- Service persistence after reboot when the user permits reboot verification.
Report:
- Topology, active services, per-link private IPs, throughput, pacing, rollback paths.
- Completed relationships, preserved relationships, blocked relationships, and required host repairs.
- Mention VLESS share links can be generated on request. Provide links only when requested.

在修改任何主机前执行预检：
- 阅读
```
references/preflight.md
```
  。
- 当内核、包、磁盘、SSH、端口或UDP方向检查失败时，将主机或关联项标记为
```
blocked
```
  。
- 保留被阻断关联项的当前工作路径，并报告具体的阻断原因。
通过SSH盘点所有中继和出口机器：
- 操作系统、内核、公网/私有IP、接口、路由、带宽记录。
- 服务：
```
sing-box
```
  、
```
xray
```
  、
```
realm
```
  、
```
wg-quick@*
```
  、
```
nginx
```
  、
```
hysteria
```
  、
```
tuic
```
  。
- 配置路径：
```
/root/realm.toml
```
  、
```
/etc/v2ray-agent/xray/conf
```
  、
```
/etc/sing-box
```
  、
```
/usr/local/etc/sing-box
```
  、
```
/etc/wireguard
```
  。
对每个关联项进行分类：
- 全新构建：中继通过sing-box终止VLESS Reality连接，并通过WireGuard连接到出口。
- 现有Realm桥接：保留面向客户端的端口，将Realm的远程目标修改为出口WireGuard IP。
- 现有sing-box/Xray入口：仅添加缺失的入站、出站、路由、对等节点或systemd持久化配置。
创建单链路规划：
- WireGuard隧道地址、端口、MTU、预共享密钥、允许的IP范围。
- WireGuard接口名称，压缩至Linux的15字节接口限制。
- 中继入站标签和公网端口。
- 出口行为：全新构建时作为NAT网关，或在保留桥接时作为私有Xray目标。
- 连接方向：当中 Exit 侧公网UDP入站不可用时，选择中继主动连接出口，或出口主动连接中继。
- 验证命令和回滚路径。
参照
```
references/link-state.md
```
中的状态模型，逐一应用关联项配置：
- 为所有修改的文件添加时间戳备份。
- 遵循
```
references/ssh-execution.md
```
  中的SSH调用规范。
- 安装包前遵循
```
references/package-policy.md
```
  。
- 适当时使用
```
v2ray-agent
```
  /
```
vasma
```
  部署全新VLESS Reality栈。
- 创建或更新WireGuard对等节点。
- 根据所选模式创建或更新sing-box、Realm、Xray、NAT及systemd单元。
- 更新Realm桥接时，遵循
```
references/realm-safety.md
```
  ，优先使用
```
scripts/patch-realm-endpoint.py
```
  。
验证：
- 阅读
```
references/verification.md
```
  。
- 执行
```
wg show
```
  、WireGuard内ping测试、私有出口目标的TCP可达性测试。
- 执行
```
iperf3
```
  公网UDP、WireGuard TCP及反向方向测试。
- 从中验证面向客户端的端口可达性。
- 若用户允许重启验证，则测试重启后的服务持久性。
报告：
- 拓扑结构、运行中服务、单链路私有IP、吞吐量、 pacing、回滚路径。
- 已完成的关联项、保留的关联项、被阻断的关联项及所需的主机修复工作。
- 提及可按需生成VLESS共享链接，仅在用户请求时提供链接。

References

参考资料

Read the matching reference before implementation:

```
references/topology-workflow.md
```
for inventory, build/update decision rules, and verification.
```
references/v2ray-agent.md
```
for using
```
v2ray-agent
```
/
```
vasma
```
as the VLESS Reality implementation layer.
```
references/config-patterns.md
```
for WireGuard, sing-box, Realm, Xray, NAT, tuning, and rollback patterns.
```
references/preflight.md
```
for host checks before any change.
```
references/link-state.md
```
for per-relationship state tracking and resume behavior.
```
references/wireguard-rules.md
```
for interface naming, address planning, and connection direction.
```
references/realm-safety.md
```
for safe Realm endpoint updates.
```
references/ssh-execution.md
```
for SSH execution patterns in batch changes.
```
references/package-policy.md
```
for conservative package installation rules.
```
references/verification.md
```
for acceptance checks.
```
references/vless-links.md
```
for extracting and generating VLESS Reality share links.

Use

scripts/gen-vless-link.py

to generate share links from known fields. Use

scripts/patch-realm-endpoint.py

to update one Realm endpoint safely.

Example:

bash

scripts/gen-vless-link.py \
  --host 8.209.199.131 \
  --port 15659 \
  --uuid 00000000-0000-0000-0000-000000000000 \
  --sni www.example.com \
  --public-key REALITY_PUBLIC_KEY \
  --short-id abcd1234 \
  --flow xtls-rprx-vision \
  --name "relay-8-to-exit-45"

实施前阅读对应参考文档：

```
references/topology-workflow.md
```
：盘点、构建/更新决策规则及验证流程。
```
references/v2ray-agent.md
```
：使用
```
v2ray-agent
```
/
```
vasma
```
作为VLESS Reality实现层的指南。
```
references/config-patterns.md
```
：WireGuard、sing-box、Realm、Xray、NAT、调优及回滚模式。
```
references/preflight.md
```
：修改前的主机检查规范。
```
references/link-state.md
```
：关联项状态跟踪及恢复行为。
```
references/wireguard-rules.md
```
：接口命名、地址规划及连接方向规则。
```
references/realm-safety.md
```
：安全更新Realm端点的指南。
```
references/ssh-execution.md
```
：批量修改中的SSH执行模式。
```
references/package-policy.md
```
：保守的包安装规则。
```
references/verification.md
```
：验收检查规范。
```
references/vless-links.md
```
：提取及生成VLESS Reality共享链接的指南。

使用

scripts/gen-vless-link.py

从已知字段生成共享链接。使用

scripts/patch-realm-endpoint.py

安全更新单个Realm端点。

示例：

bash

scripts/gen-vless-link.py \
  --host 8.209.199.131 \
  --port 15659 \
  --uuid 00000000-0000-0000-0000-000000000000 \
  --sni www.example.com \
  --public-key REALITY_PUBLIC_KEY \
  --short-id abcd1234 \
  --flow xtls-rprx-vision \
  --name "relay-8-to-exit-45"

Safety Rules

安全规则

Prefer preserving working client-facing links during migration.
Back up every edited remote file with a timestamp.
Keep existing unrelated inbounds and exits active.
Use
```
systemctl reload
```
when supported; use restart only after validating config syntax.
Limit live traffic disruption to the specific relationship being changed.
Treat generated VLESS links as sensitive credentials.
Treat a relationship as blocked when preflight fails; leave its current working route in place.
Never run a multi-link batch as one opaque operation; each relationship needs its own state and verification result.

迁移时优先保留可用的面向客户端链路。
为所有编辑的远程文件添加时间戳备份。
保持现有无关的入站及出口服务处于活跃状态。
支持
```
systemctl reload
```
时优先使用；仅在验证配置语法正确后使用重启操作。
将实时流量中断限制在正在修改的特定关联项范围内。
将生成的VLESS链接视为敏感凭证。
预检失败时将关联项标记为阻断，保留其当前工作路由。
绝不能将多链路批量操作作为单一不透明任务执行；每个关联项都需要独立的状态跟踪和验证结果。