VPS Traffic Relay
utils
Word count: 1k characters | Reading time ≈ 5 min


I currently have two servers. Server B can reach GPT and other overseas services reliably, but my own connection to it is slow. Server A is fast for me to reach, and A also reaches B quickly. In this situation we want to use server A as a relay to reach server B, so that we get fast access to those overseas services. Here server A is the relay machine and B is the egress (exit) machine.

Below is how to configure the two machines for traffic forwarding with v2ray.

Suppose we want to split the traffic: only GPT and similar services go from the relay through the egress, with the reply coming back through the relay to us, while Google and similar services leave the relay directly and return straight to us, as shown below:

```
# 1. Direct path: for Google/YouTube; the relay egresses directly, low latency
User <==bidirectional==> Relay <==bidirectional==> Google/YouTube

# 2. Tunnel path: for GPT/Netflix; egresses via the egress machine's IP, bypassing restrictions
User <==bidirectional==> Relay <==encrypted tunnel==> Egress <==bidirectional==> GPT
```

The v2ray config file on the relay is as follows:

```
➜ ~ cat /usr/local/etc/v2ray/config.json
{
  "log": {
    "access": "/tmp/v2ray-access.log",
    "error": "/tmp/v2ray-error.log",
    "loglevel": "warning"
  },
  "inbound": {
    "protocol": "vmess",
    "listen": "127.0.0.1",
    "port": ====================relay==========================,
    "settings": {
      "clients": [
        {
          "id": "====================relay=============================",
          "alterID": 0
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/======================relay==========================="
      }
    },
    "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"],
      "metadataOnly": false
    }
  },

  "outbounds": [
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {}
    },
    {
      "tag": "ToHawaii",
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "======================egress===========================",
            "port": ====================egress=============================,
            "users": [
              {
                "id": "===============egress======================",
                "alterID": 0,
                "security": "auto"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp"
      }
    }
  ],

  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "type": "field",
        "domain": [
          "domain:chatgpt.com",
          "domain:sora.chatgpt.com",
          "domain:openai.com",
          "domain:auth.openai.com",
          "domain:oaistatic.com",
          "domain:oaiusercontent.com",
          "domain:gemini.google.com"
        ],
        "outboundTag": "ToHawaii"
      }
    ]
  }
}
```
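As an added example (not part of the original post), the following Python resolves which outbound a destination host would take under the relay's routing rules above and checks that every `outboundTag` names a defined outbound. The embedded config is a constructed copy of the relay config with a made-up address, port and UUID; the `domain:` / `full:` / `regexp:` matching follows v2ray's documented rule syntax.

```python
import json
import re

# Constructed sample mirroring the relay config above; address, port and UUID
# are made-up placeholders, not values from the post.
RELAY_CONFIG = json.loads("""{
  "outbounds": [
    {"tag": "direct", "protocol": "freedom", "settings": {}},
    {"tag": "ToHawaii", "protocol": "vmess", "settings": {"vnext": [
      {"address": "203.0.113.10", "port": 20201,
       "users": [{"id": "00000000-0000-0000-0000-000000000000", "alterId": 0}]}]}}
  ],
  "routing": {"domainStrategy": "AsIs", "rules": [
    {"type": "field", "outboundTag": "ToHawaii",
     "domain": ["domain:chatgpt.com", "domain:openai.com", "domain:gemini.google.com"]}
  ]}
}""")

def domain_matches(pattern, host):
    """v2ray domain-rule syntax: 'domain:' matches the name and its subdomains,
    'full:' is exact, 'regexp:' is a regular expression, a bare string is a
    substring match; 'geosite:' lists are not available offline, so never match."""
    host = host.lower().rstrip(".")
    if pattern.startswith("domain:"):
        d = pattern[7:].lower()
        return host == d or host.endswith("." + d)
    if pattern.startswith("full:"):
        return host == pattern[5:].lower()
    if pattern.startswith("regexp:"):
        return re.search(pattern[7:], host) is not None
    if pattern.startswith("geosite:"):
        return False
    return pattern.lower() in host

def route(config, host):
    """Outbound tag a destination takes; with no matching rule v2ray falls
    through to the first outbound in the list (here 'direct')."""
    for rule in config.get("routing", {}).get("rules", []):
        if rule.get("type") == "field" and any(
                domain_matches(p, host) for p in rule.get("domain", [])):
            return rule["outboundTag"]
    return config["outbounds"][0]["tag"]

def dangling_outbound_tags(config):
    """Rules whose outboundTag names no defined outbound: a typo here breaks
    the tunnel path, so check it before reloading v2ray."""
    defined = {o.get("tag") for o in config.get("outbounds", [])}
    rules = config.get("routing", {}).get("rules", [])
    return sorted({r["outboundTag"] for r in rules
                   if r.get("outboundTag") not in defined})
```

Note that a bare pattern such as `"openai.com"` is a substring match and would also send `notopenai.com` through the tunnel, which is why the rules above use the `domain:` prefix.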

Egress server settings:

```json
{
  "log": {
    "access": "/tmp/v2ray-access.log",
    "error": "/tmp/v2ray-error.log",
    "loglevel": "warning"
  },
  "inbound": {
    "protocol": "vmess",
    "listen": "0.0.0.0",
    "port": ======================egress===========================,
    "settings": {
      "clients": [
        {
          "id": "======================egress===========================",
          "alterID": 0
        }
      ]
    },
    "streamSettings": {
      "network": "tcp"
    }
  },
  "outbound": {
    "protocol": "freedom",
    "settings": {}
  }
}
```

Also, the egress server usually has limited bandwidth. It serves only as an exit and should not accept inbound connections from anywhere else, so we can block every inbound source other than the relay to protect the egress.

Overall: open port 22 first so that we can still log in and the egress does not become unreachable. We use the ufw firewall here; start by allowing port 22. All of the following commands are run on the egress server.

```
➜ ~ ufw status
Status: inactive
➜ ~ sudo ufw allow 22/tcp
Rules updated
Rules updated (v6)
```

Then allow your relay A to connect to the egress:

```
➜ ~ sudo ufw allow from <your host A IP> to any port 20201 proto tcp
Rules updated
➜ ~ sudo ufw deny 20201/tcp
Rules updated
Rules updated (v6)
➜ ~ sudo ufw default deny incoming
➜ ~ sudo ufw default allow outgoing
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)
➜ ~ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
➜ ~ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
20201/tcp                  ALLOW IN    <your host A IP>
20201/tcp                  DENY IN     Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
20201/tcp (v6)             DENY IN     Anywhere (v6)
```

This way you can still log in on port 22, and the v2ray port accepts connections only from A's IP; every other IP is blocked. Note that IPv6 should be blocked as well, to be safe.

August 26, 2025