Yuzhen's Blog
Dae + Juicity achieves high-performance transparent proxy

For deployment I recommend a VP.S server, preferably in Tokyo, Japan (BBTEC) or Frankfurt, Germany (CU Premium, AS9929/10099).

Introduction

Juicity is a new QUIC-based proxy protocol, released under the AGPL license at the end of July 2023.

Dae is a high-performance, eBPF-based transparent proxy for Linux, released under the AGPL license in January 2023.

Server Configuration

Official Documentation

Juicity provides builds for nearly 40 platforms, covering Windows, macOS and Linux on x86, ARM, MIPS and RISC-V. The server in this article runs Debian 11 with juicity-server v0.1.2.

  1. Download the release.

```bash
wget https://github.com/juicity/juicity/releases/download/v0.1.2/juicity-linux-x86_64_v3_avx2.zip
```

  2. Unzip the archive.

```bash
unzip juicity-linux-x86_64_v3_avx2.zip
```

  3. Generate a UUID using an online UUID generator and keep it for later use.

  4. Edit server.json.

```bash
cp example-server.json server.json
nano server.json
```

Example:

```json
{
    "listen": ":<port>",
    "users": {
        "<generated UUID>": "<password>"
    },
    "certificate": "<certificate chain file>",
    "private_key": "<private key>",
    "congestion_control": "bbr",
    "fwmark": "0x1000",
    "send_through": "<server IP>",
    "log_level": "info"
}
```

  5. Run the server.

```bash
./juicity-server run -c server.json
```

To keep it running in the background, consider a daemon manager or a systemd service.

Client Configuration

Official Documentation

Dae only supports Linux; Windows and macOS users should use juicity-client instead.

This section covers configuration on NixOS.

  1. Install dae.

```nix
environment.systemPackages = with pkgs; [
  ...
  dae
  ...
];
```

  2. Create /etc/dae and edit the configuration file /etc/dae/config.dae (the systemd unit below reads this path).

```bash
mkdir -p /etc/dae
nano /etc/dae/config.dae
```

Example:

```
global {
  wan_interface: auto
  log_level: info
  allow_insecure: false
  auto_config_kernel_parameter: true
}

node {
  fra: 'juicity://<UUID>:<password>@<domain>:<port>?congestion_control=bbr'
}

dns {
  upstream {
    googledns: 'tcp+udp://dns.google.com:53'
    alidns: 'udp://dns.alidns.com:53'
  }
  routing {
    request {
      fallback: alidns
    }
    response {
      upstream(googledns) -> accept
      !qname(geosite:cn) && ip(geoip:private) -> googledns
      fallback: accept
    }
  }
}

group {
  proxy {
    policy: min_moving_avg
  }
}

routing {
  pname(NetworkManager, systemd-resolved, dnsmasq) -> must_direct
  dip(224.0.0.0/3, 'ff00::/8') -> direct

  dip(geoip:private) -> direct
  dip(geoip:cn) -> direct
  domain(geosite:cn) -> direct

  fallback: proxy
}
```
  3. Create the systemd service.

```nix
systemd.services.dae = {
  enable = true;
  description = "Dae Client Service (config.dae)";
  after = [ "network.target" ];
  serviceConfig = {
    Type = "notify";
    User = "root";
    LimitNPROC = 512;
    LimitNOFILE = 1048576;
    ExecStartPre = "/run/current-system/sw/bin/dae validate -c /etc/dae/config.dae";
    ExecStart = "/run/current-system/sw/bin/dae run --disable-timestamp -c /etc/dae/config.dae";
    ExecReload = "/run/current-system/sw/bin/dae reload $MAINPID";
    Restart = "on-abnormal";
    WorkingDirectory = "/etc/dae";
  };
};
```

Save the file and rebuild the NixOS configuration.
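As an added example (not code from this post, juicity or dae), the following Python script ties the two configurations together: it generates the UUID and password locally from the OS CSPRNG rather than an online generator, writes server.json in the shape shown above, and derives the matching `juicity://` node line for config.dae with the password percent-encoded so that characters like `@` or `/` cannot be misread as part of the host. The certificate paths, domain and IP address it uses are constructed placeholders.

```python
"""Generate Juicity credentials locally and derive the matching dae node
URI.  Added example for this post, not code from juicity or dae; the JSON
keys mirror the server.json example, and all paths/hosts are placeholders."""
import json
import secrets
import uuid
from urllib.parse import parse_qs, quote, unquote, urlsplit


def make_credentials() -> tuple[str, str]:
    """UUID and password from the OS CSPRNG, so the secret never leaves
    the server (no online generator involved)."""
    return str(uuid.uuid4()), secrets.token_urlsafe(24)


def server_config(user_uuid, password, port, cert, key, server_ip) -> dict:
    """server.json document in the shape shown in the post."""
    return {
        "listen": f":{port}",
        "users": {user_uuid: password},
        "certificate": cert,
        "private_key": key,
        "congestion_control": "bbr",
        "fwmark": "0x1000",
        "send_through": server_ip,
        "log_level": "info",
    }


def node_uri(user_uuid, password, domain, port) -> str:
    """juicity:// link for the dae `node` block; the password is
    percent-encoded so '@', '/' or ':' cannot corrupt the URI."""
    return (f"juicity://{user_uuid}:{quote(password, safe='')}@{domain}:{port}"
            "?congestion_control=bbr")


def parse_node_uri(uri: str) -> dict:
    """Round trip: recover the fields a client reads from the URI."""
    p = urlsplit(uri)
    return {"uuid": p.username, "password": unquote(p.password),
            "host": p.hostname, "port": p.port,
            "congestion_control": parse_qs(p.query)["congestion_control"][0]}


if __name__ == "__main__":
    u, pw = make_credentials()
    cfg = server_config(u, pw, 443, "/etc/juicity/fullchain.pem",
                        "/etc/juicity/privkey.pem", "203.0.113.10")
    print(json.dumps(cfg, indent=4))
    print(node_uri(u, pw, "proxy.example.com", 443))
```

Keep `allow_insecure: false` in the client config as above; the URI carries the credentials but the server certificate is what lets the client know it is talking to your server.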

Credit

Thanks to @bradfordzhang for letting me know about this.
