sing-box TCP Brutal配置

TCP Brutal是Hysteria中的同名拥塞控制算法移植到TCP的版本，sing-box率先做了支持。

更多详细的介绍请移步项目页面查看：

https://Github.com/apernet/tcp-brutal/blob/master/README.zh.md
https://sing-box.sagernet.org/configuration/shared/tcp-brutal/

前提条件：需要Linux内核版本5.8或更高，debian11-12默认内核都是满足的。这里我用debian11测试。

首先编译Brutal的Linux内核模块，这里我选择直接打包成deb，这样弄一次后，其他的机器就可以直接用deb安装了，方便不少。

安装依赖：

apt -y update  apt -y install build-essential linux-headers-$(uname -r) dkms dh-make git

获取项目代码、创建dkms压缩包：

git clone https://github.com/apernet/tcp-brutal.git  cd tcp-brutal  make dkms-tarball

看一下dkms.conf文件的内容：

cat dkms.conf

类似：

PACKAGE_NAME="tcp-brutal"  PACKAGE_VERSION="1.0.0.r7.g845241d"  ...

根据查看到的PACKAGE_NAME和PACKAGE_VERSION创建相应的目录：

mkdir -p /usr/src/tcp-brutal-1.0.0.r7.g845241d

把压缩包文件解压到相应的目录

tar -xzf dkms.tar.gz --strip-components=2 -C /usr/src/tcp-brutal-1.0.0.r7.g845241d

将包纳入dkms管理、构建deb包、安装deb包：

cd /usr/src/tcp-brutal-1.0.0.r7.g845241d  dkms add -m tcp-brutal -v 1.0.0.r7.g845241d  dkms mkdeb  dpkg -i tcp-brutal-dkms_1.0.0.r7.g845241d_amd64.deb

查看状态，如有类似回显说明一切正常：

root@imlala:~# dkms status  tcp-brutal, 1.0.0.r7.g845241d, 5.10.0-26-amd64, x86_64: installed

[备注1]

如果不构建deb包，可以在本机执行如下命令直接安装brutal内核模块：

dkms install -m tcp-brutal -v 1.0.0.r7.g845241d

[备注2]

如果构建了deb包，后续在其他机器上安装brutal内核模块的话就很方便了。先把deb包传到对应的机器：

scp tcp-brutal-dkms_1.0.0.r7.g845241d_amd64.deb [email protected]:/opt

然后执行如下命令即可：

cd /opt  dpkg -i tcp-brutal-dkms_1.0.0.r7.g845241d_amd64.deb  apt install -f  dkms status

现在我们还需要加载brutal模块：

modprobe brutal

检查模块是否加载成功，如有类似如下回显说明正常：

root@imlala:~# lsmod | grep brutal  brutal                 20480  0

将brutal模块设置为开机自动加载：

echo "brutal" > /etc/modules-load.d/brutal.conf

至此brutal内核模块的配置就完成了。

现在我们要编译安装个sing-box的beta版本，先安装依赖：

apt -y install curl build-essential libssl-dev zlib1g-dev gcc-mingw-w64

安装go：

curl -L https://go.dev/dl/go1.21.4.linux-amd64.tar.gz -o go1.21.4.linux-amd64.tar.gz  tar -C /usr/local -xzf go1.21.4.linux-amd64.tar.gz  echo 'export PATH=$PATH:/usr/local/go/bin' > /etc/profile.d/golang.sh  source /etc/profile.d/golang.sh

编译的时候可以自己添加参数来支持更多的功能：

https://sing-box.sagernet.org/installation/build-from-source/#build-tags

这里我需要用到reality和utls所以就加了这两个。

编译Linux平台的二进制文件：

go install -v -tags   with_reality_server,  with_utls   github.com/sagernet/sing-box/cmd/[email protected]

编译windows平台的二进制文件：

env GOOS=windows GOARCH=amd64 CGO_ENABLED=0 CC=x86_64-w64-mingw32-gcc   go install -v -tags   with_reality_server,  with_utls   github.com/sagernet/sing-box/cmd/[email protected]

复制编译好的文件：

cp $(go env GOPATH)/bin/sing-box /usr/local/bin/

新建sing-box需要用到的目录：

mkdir -p /usr/local/etc/sing-box

新建systemd服务：

systemctl edit --full --force sing-box.service

写入如下配置：

[Unit]  Description=sing-box service  Documentation=https://sing-box.sagernet.org  After=network.target nss-lookup.target    [Service]  CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE  AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE  ExecStart=/usr/local/bin/sing-box run -c /usr/local/etc/sing-box/config.json  Restart=on-failure  RestartPreventExitStatus=23  LimitNOFILE=infinity    [Install]  WantedBy=multi-user.target

新建sing-box的配置文件：

nano /usr/local/etc/sing-box/config.json

这里我配置一个vless-reality节点：

{    "log": {      "level": "info"    },    "inbounds": [      {        "type": "vless",        "tag": "vless-in",        "listen": "0.0.0.0",        "listen_port": 443,        "users": [          {            "name": "imlala",            "uuid": "219c8c62-430a-439a-a6f6-d8f6a2a225a2",            "flow": ""          }        ],        "tls": {          "enabled": true,          "server_name": "go.dev",          "reality": {            "enabled": true,            "handshake": {              "server": "go.dev",              "server_port": 443            },            "private_key": "mPVhErJjoa-hx7K8TAzVR_hiKM3UYuuTQEoECcSqNFE",            "short_id": [              "9534dcf8c8d0c43f"            ]          }        },        "multiplex": {          "enabled": true,          "padding": true,          "brutal": {            "enabled": true,            "up_mbps": 300,            "down_mbps": 300          }        }      }    ],    "outbounds": [      {        "type": "direct",        "tag": "direct"      }    ]  }

[备注1]

请注意这套配置不支持xtls-rprx-vision，所以flow需要留空。

[备注2]

sing-box generate uuid // 生成uuid  sing-box generate reality-keypair // 生成private_key、public_key  sing-box generate rand 8 --hex // 生成short_id

启动sing-box并设置开机自启：

systemctl enable --now sing-box

客户端配置，这里我给出一个自己目前在用的，tun模式：

{    "log": {      "level": "info",      "timestamp": true    },    "dns": {      "servers": [        {          "tag": "cloudflare",          "address": "https://1.1.1.1/dns-query"        },        {          "tag": "dnspod",          "address": "https://1.12.12.12/dns-query",          "detour": "direct"        },        {          "tag": "block",          "address": "rcode://success"        }      ],      "rules": [        {          "geosite": "category-ads-all",          "server": "block",          "disable_cache": true        },        {        	"outbound": "any",        	"server": "dnspod"        },        {          "geosite": "cn",          "server": "dnspod"        }      ],      "strategy": "ipv4_only"    },    "inbounds": [      {        "type": "tun",        "tag": "tun-in",        "interface_name": "tun0",        "inet4_address": "172.28.0.1/30",        "auto_route": true,        "strict_route": true,        "stack": "system",        "sniff": true      }    ],    "outbounds": [      {        "type": "vless",        "tag": "vless-out",        "server": "1.2.3.4",        "server_port": 443,        "uuid": "219c8c62-430a-439a-a6f6-d8f6a2a225a2",        "flow": "",        "tls": {          "enabled": true,          "server_name": "go.dev",          "utls": {            "enabled": true,            "fingerprint": "chrome"           },          "reality": {            "enabled": true,            "public_key": "2Gga7qZ8dA8agbF2lAnojBC_Nr90mxys_yMaJarty3A",            "short_id": "9534dcf8c8d0c43f"          }        },        "packet_encoding": "xudp",        "multiplex": {        	"enabled": true,        	"protocol": "h2mux",          "max_streams": 10,        	"padding": true,        	"brutal":{        	  "enabled": true,        	  "up_mbps": 30,        	  "down_mbps": 1000        	}        }      },      {        "type": "direct",        "tag": "direct"      },      {        "type": "block",        "tag": "block"      },      {        "type": "dns",        "tag": "dns"      }    ],    "route": {      "geoip": {        "download_url": "https://github.com/SagerNet/sing-geoip/releases/latest/download/geoip.db",        "download_detour": "vless-out"       },      "geosite": {        "download_url": "https://github.com/SagerNet/sing-geosite/releases/latest/download/geosite.db",        "download_detour": "vless-out"      },      "rules": [        {          "protocol": "dns",          "outbound": "dns"        },        {          "geosite": "cn",          "geoip": [            "cn",            "private"          ],          "outbound": "direct"        },        {          "geosite": "category-ads-all",          "outbound": "block"        }      ],      "auto_detect_interface": true    }  }

[备注1]

tun模式注意windows防火墙拦截，自己手动允许一下：

这样一波操作下来，可以说基本上只要不涉及到grpc和http2的协议现在都可以用上brutal了，这就很牛逼了。。。