global { ##### Software options. # tproxy port to listen on. It is NOT a HTTP/SOCKS port, and is just used by eBPF program. # In normal case, you do not need to use it. tproxy_port: 12345 # Set it true to protect tproxy port from unsolicited traffic. Set it false to allow users to use self-managed # iptables tproxy rules. tproxy_port_protect: true # Set non-zero value to enable pprof. pprof_port: 0 # If not zero, traffic sent from dae will be set SO_MARK. It is useful to avoid traffic loop with iptables tproxy # rules. so_mark_from_dae: 0 # Log level: error, warn, info, debug, trace. log_level: info # Disable waiting for network before pulling subscriptions. disable_waiting_network: false # Enable fast redirect for local TCP connections. There is a known kernel issue that breaks certain clients/proxies, such as nadoo/glider. Users may enable this experimental option at their own risks. enable_local_tcp_fast_redirect: false ##### Interface and kernel options. # The LAN interface to bind. Use it if you want to proxy LAN. # Multiple interfaces split by ",". #lan_interface: docker0 # The WAN interface to bind. Use it if you want to proxy localhost. # Multiple interfaces split by ",". Use "auto" to auto detect. wan_interface: auto # Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do. auto_config_kernel_parameter: true ##### Node connectivity check. # These options, as defaults, are effective when no definition is given in the group. # Host of URL should have both IPv4 and IPv6 if you have double stack in local. # First is URL, others are IP addresses if given. # Considering traffic consumption, it is recommended to choose a site with anycast IP and less response. #tcp_check_url: 'http://cp.cloudflare.com' tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111' # The HTTP request method to `tcp_check_url`. Use 'HEAD' by default because some server implementations bypass # accounting for this kind of traffic. tcp_check_http_method: HEAD # This DNS will be used to check UDP connectivity of nodes. And if dns_upstream below contains tcp, it also be used to check # TCP DNS connectivity of nodes. # First is URL, others are IP addresses if given. # This DNS should have both IPv4 and IPv6 if you have double stack in local. #udp_check_dns: 'dns.google:53' udp_check_dns: 'dns.google:53,8.8.8.8,2001:4860:4860::8888' check_interval: 30s # Group will switch node only when new_latency <= old_latency - tolerance. check_tolerance: 50ms ##### Connecting options. # Optional values of dial_mode are: # 1. "ip". Dial proxy using the IP from DNS directly. This allows your ipv4, ipv6 to choose the optimal path # respectively, and makes the IP version requested by the application meet expectations. For example, if you # use curl -4 ip.sb, you will request IPv4 via proxy and get a IPv4 echo. And curl -6 ip.sb will request IPv6. # This may solve some wierd full-cone problem if your are be your node support that. Sniffing will be disabled # in this mode. # 2. "domain". Dial proxy using the domain from sniffing. This will relieve DNS pollution problem to a great extent # if have impure DNS environment. Generally, this mode brings faster proxy response time because proxy will # re-resolve the domain in remote, thus get better IP result to connect. This policy does not impact routing. # That is to say, domain rewrite will be after traffic split of routing and dae will not re-route it. # 3. "domain+". Based on domain mode but do not check the reality of sniffed domain. It is useful for users whose # DNS requests do not go through dae but want faster proxy response time. Notice that, if DNS requests do not # go through dae, dae cannot split traffic by domain. # 4. "domain++". Based on domain+ mode but force to re-route traffic using sniffed domain to partially recover # domain based traffic split ability. It doesn't work for direct traffic and consumes more CPU resources. dial_mode: domain # Allow insecure TLS certificates. It is not recommended to turn it on unless you have to. allow_insecure: false # Timeout to waiting for first data sending for sniffing. It is always 0 if dial_mode is ip. Set it higher is useful # in high latency LAN network. sniffing_timeout: 100ms # TLS implementation. tls is to use Go's crypto/tls. utls is to use uTLS, which can imitate browser's Client Hello. tls_implementation: tls # The Client Hello ID for uTLS to imitate. This takes effect only if tls_implementation is utls. # See more: https://github.com/daeuniverse/dae/blob/331fa23c16/component/outbound/transport/tls/utls.go#L17 utls_imitate: chrome_auto # Multipath TCP (MPTCP) support. If is true, dae will try to use MPTCP to connect all nodes, but it will only take # effects when the node supports MPTCP. It can use for load balance and failover to multiple interfaces and IPs. mptcp: false # The maximum bandwidth for accessing the Internet. It is useful for some specific protocols (e.g., Hysteria2), # which will perform better with bandwith information provided. The unit can be b, kb, mb, gb, tb or bytes per second. # supported formats: https://v2.hysteria.network/docs/advanced/Full-Client-Config/#bandwidth bandwidth_max_tx: '200 mbps' # uplink, or '200 m' or '200 mb' or '200 mbps' or 25000000(which is 200/8*1000*1000) bandwidth_max_rx: '1 gbps' # downlink, or '1 g' or '1 gb' or '1 gbps' or 125000000(which is 1000/8*1000*1000) } # Subscriptions defined here will be resolved as nodes and merged as a part of the global node pool. # Support to give the subscription a tag, and filter nodes from a given subscription in the group section. subscription { # Add your subscription links here. my_sub: 'https://www.example.com/subscription/link' another_sub: 'https://example.com/another_sub' 'https://example.com/no_tag_link' 'file://relative/path/to/mysub.sub' # Put subscription content in /etc/dae/relative/path/to/mysub.sub } # Nodes defined here will be merged as a part of the global node pool. node { # Add your node links here. # Support socks5, http, https, ss, ssr, vmess, vless, trojan, tuic, juicity, hysteria2, etc. # Full support list: https://github.com/daeuniverse/dae/blob/main/docs/en/proxy-protocols.md 'socks5://localhost:1080' mylink: 'ss://LINK' node1: 'vmess://LINK' node2: 'vless://LINK' chains: 'tuic://LINK -> vmess://LINK' hysteria2: 'hysteria2://password@server-ip:port/?sni=domain' } # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples. dns { # For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only # respond to type A queries and response empty answer to type AAAA queries. #ipversion_prefer: 4 # Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results # for these domains. #fixed_domain_ttl { # ddns.example.org: 10 # test.example.org: 3600 #} upstream { # Value can be scheme://host:port, where the scheme can be tcp/udp/tcp+udp/h3/http3/quic/https/tls. # If the protocol is h3/http3/https, it supports setting a custom path, that is, the format can be "protocol://host:port/custom path". # If host is a domain and has both IPv4 and IPv6 record, dae will automatically choose # IPv4 or IPv6 to use according to group policy (such as min latency policy). # Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing. # If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended. alidns: 'udp://dns.alidns.com:53' googledns: 'tcp+udp://dns.google:53' # alih3: 'h3://dns.alidns.com:443' # alih3_path: 'h3://dns.alidns.com:443/dns-query' # alihttp3: 'http3://dns.alidns.com:443' # alihttp3_path: 'http3://dns.alidns.com:443/dns-query' # ali_quic: 'quic://dns.alidns.com:853' # h3_custom_path: 'h3://dns.example.com:443/custom-path' # http3_custom_path: 'http3://dns.example.com:443/custom-path' # ali_doh: 'https://dns.alidns.com:443' # ali_dot: 'tls://dns.alidns.com:853' # doh_custom_path: 'https://dns.example.com:443/custom-path' } routing { # According to the request of dns query, decide to use which DNS upstream. # Match rules from top to bottom. request { # Lookup China mainland domains using alidns, otherwise googledns. qname(geosite:cn) -> alidns # fallback is also called default. fallback: googledns } } # routing { # # According to the request of dns query, decide to use which DNS upstream. # # Match rules from top to bottom. # request { # # fallback is also called default. # fallback: alidns # } # # According to the response of dns query, decide to accept or re-lookup using another DNS upstream. # # Match rules from top to bottom. # response { # # Trusted upstream. Always accept its result. # upstream(googledns) -> accept # # Possibly polluted, re-lookup using googledns. # ip(geoip:private) && !qname(geosite:cn) -> googledns # # fallback is also called default. # fallback: accept # } # } } # Node group (outbound). group { my_group { # No filter. Use all nodes. # Randomly select a node from the group for every connection. #policy: random # Select the first node from the group for every connection. #policy: fixed(0) # Select the node with min last latency from the group for every connection. #policy: min # Select the node with min moving average of latencies from the group for every connection. policy: min_moving_avg } group2 { # Filter nodes from the global node pool defined by the subscription and node section above. #filter: subtag(my_sub) && !name(keyword: 'ExpireAt:') # Multiple filters indicate 'or' logic. #filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:') # Filter nodes from the global node pool defined by tag. #filter: name(node1, node2) # Filter nodes and give a fixed latency offset to archive latency-based failover. # In this example, there is bigger possibility to choose US node even if original latency of US node is higher. filter: name(HK_node) filter: name(US_node) [add_latency: -500ms] # Select the node with min average of the last 10 latencies from the group for every connection. policy: min_avg10 } steam { # Filter nodes from the global node pool defined by the subscription and node section above. filter: subtag(my_sub) && !name(keyword: 'ExpireAt:') # Select the node with min moving average of latencies from the group for every connection. policy: min_moving_avg # Override tcp_check_url in global. tcp_check_url: 'http://test.steampowered.com' # Override tcp_check_http_method in global #tcp_check_http_method: HEAD # Override udp_check_dns in global #udp_check_dns: 'dns.google:53,8.8.8.8,2001:4860:4860::8888' # Override check_interval in global #check_interval: 30s # Override check_tolerance in global #check_tolerance: 50ms } } # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples. routing { ### Preset rules. # Network managers in localhost should be direct to avoid false negative network connectivity check when binding to # WAN. pname(NetworkManager) -> direct # Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being # forwarded by the proxy. # "dip" means destination IP. dip(224.0.0.0/3, 'ff00::/8') -> direct # This line allows you to access private addresses directly instead of via your proxy. If you really want to access # private addresses in your proxy host network, modify the below line. dip(geoip:private) -> direct ### Write your rules below. # Disable h3 because it usually consumes too much cpu/mem resources. l4proto(udp) && dport(443) -> block dip(geoip:cn) -> direct domain(geosite:cn) -> direct fallback: my_group }