Dae + Juicity achieves high-performance transparent proxy

Recommend using VP.S server for deployment, and recommend purchasing Japan Tokyo (BBTEC) or Germany Frankfurt (CU Premium AS9929/10099).

Introduction#

Juicity is an emerging proxy protocol based on QUIC, released under the AGPL license at the end of July 2023.

Dae is a high-performance transparent proxy software based on eBPF for Linux platforms, released under the AGPL license in January 2023.

juicity/juicity

juicity is a quic-based proxy protocol implementation.

Go85286

daeuniverse/dae

eBPF-based Linux high-performance transparent proxy solution.

Go3310205

Server Configuration#

Official Documentation

Juicity provides builds for nearly 40 platforms, supporting Windows, macOS, and Linux systems, as well as x86, ARM, MIPS, and Risc-V platforms. The environment for setting up the server in this article is Debian 11, and the Juicity-Server version is v0.1.2.

Download the release.

wget https://github.com/juicity/juicity/releases/download/v0.1.2/juicity-linux-x86_64_v3_avx2.zip

Unzip the compressed file.

unzip juicity-linux-x86_64_v3_avx2.zip

Generate a UUID using an online UUID generator and keep it for later use.
Edit server.json.

cp example-server.json server.json
nano server.json

Example:

{
    "listen": ":<port>",
    "users": {
         "<generated UUID>": "<password>"
     },
     "certificate": "<certificate chain file>",
     "private_key": "<private key>",
     "congestion_control": "bbr",
     "fwmark": "0x1000",
     "send_through": "<server IP>",
     "log_level": "info"
}

Run the server.

./juicity-server run -c server.json

Consider using daemon software or Systemd Service.

Client Configuration#

Official Documentation

Dae only supports Linux. Windows and MacOS users should refer to Juicity-Client.

This section is for configuration under NixOS.

Install dae.

environment.systemPackages = with pkgs; [
  ...
  dae
  ...
];

Create /etc/dae and edit the configuration file /etc/dae/config.dae.

mkdir -p /etc/dae
nano /etc/dae/client.json

Example:

global {
  wan_interface: auto
  log_level: info
  allow_insecure: false
  auto_config_kernel_parameter: true
}

node {
  fra: 'juicity://<UUID>:<password>@<domain>:<port>?congestion_control=bbr'
}

dns {
  upstream {
    googledns: 'tcp+udp://dns.google.com:53'
    alidns: 'udp://dns.alidns.com:53'
  }
  routing {
    request {
      fallback: alidns
    }
    response {
      upstream(googledns) -> accept
      !qname(geosite:cn) && ip(geoip:private) -> googledns
      fallback: accept
    }
  }
}

group {
  proxy {
    policy: min_moving_avg
  }
}

routing {
  pname(NetworkManager, systemd-resolved, dnsmasq) -> must_direct
  dip(224.0.0.0/3, 'ff00::/8') -> direct

  dip(geoip:private) -> direct
  dip(geoip:cn) -> direct
  domain(geosite:cn) -> direct

  fallback: proxy
}

Create Systemd Service

systemd.services.dae = {
  enable = true;
  description = "Dae Client Service (config.dae)";
  after = [ "network.target" ];
  serviceConfig = {
    Type = "notify";
    User = "root";
    LimitNPROC = 512;
    LimitNOFILE = 1048576;
    ExecStartPre = "/run/current-system/sw/bin/dae validate -c /etc/dae/config.dae";
    ExecStart = "/run/current-system/sw/bin/dae run --disable-timestamp -c /etc/dae/config.dae";
    ExecReload = "/run/current-system/sw/bin/dae reload $MAINPID";
    Restart = "on-abnormal";
    WorkingDirectory = "/etc/dae";
  };
};

Save and compile the NixOS configuration.

Credit#

Thanks to @bradfordzhang for letting me know about this.