Instructions for setting up an xray transparent proxy that routes traffic from a MikroTik router through VLESS + Reality.

MikroTik → Linux (xray-gateway) → VPS (3X-UI) → Internet

| Component | IP | Role |
|---|---|---|
| MikroTik | 192.168.0.1 | Router |
| Linux (xray) | 192.168.0.131 | Transparent proxy |
| VPS (3X-UI) | 185.238.168.59 | Exit server |

```bash
apt update
apt install -y ca-certificates curl gnupg
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt update
apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
systemctl enable docker
systemctl start docker
```

Check:

```bash
docker --version
```

```bash
mkdir -p /opt/xray-gateway
cd /opt/xray-gateway
```

```bash
nano /opt/xray-gateway/config.json
```

Contents:

```json
{
  "log": {
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "tag": "socks",
      "port": 10808,
      "listen": "0.0.0.0",
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    },
    {
      "tag": "transparent",
      "port": 12345,
      "listen": "0.0.0.0",
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      }
    }
  ],
  "outbounds": [
    {
      "tag": "proxy",
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "185.238.168.59",
            "port": 443,
            "users": [
              {
                "id": "eac6da3c-e718-4661-80d5-d96838618122",
                "encryption": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "fingerprint": "chrome",
          "serverName": "google.com",
          "publicKey": "Ks7lJ4awVwB_yxTXNadU0CWUdIP3Jie28tJv60omWFk",
          "shortId": "0f432ce5",
          "spiderX": "/"
        }
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom"
    }
  ],
  "routing": {
    "rules": [
      {
        "type": "field",
        "ip": ["geoip:private"],
        "outboundTag": "direct"
      }
    ]
  }
}
```

```bash
nano /opt/xray-gateway/docker-compose.yml
```

Contents:

```yaml
services:
  xray:
    image: ghcr.io/xtls/xray-core:latest
    container_name: xray-gateway
    restart: unless-stopped
    command: ["run", "-c", "/etc/xray/config.json"]
    network_mode: host
    volumes:
      - ./config.json:/etc/xray/config.json:ro
```

```bash
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
```

Add rules for the allowed IP addresses:

```bash
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 151.252.108.239 -j REDIRECT --to-ports 12345
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 85.175.4.197 -j REDIRECT --to-ports 12345
```

Save the rules:

```bash
DEBIAN_FRONTEND=noninteractive apt install -y iptables-persistent
netfilter-persistent save
```

```bash
cd /opt/xray-gateway
docker compose up -d
```

Container logs:

```bash
docker compose -f /opt/xray-gateway/docker-compose.yml logs -f
```

Connection test:

```bash
curl -x socks5://127.0.0.1:10808 https://ifconfig.me
```

It should return 185.238.168.59 (the IP of the VPS server).
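
Both inbounds in `config.json` listen on `0.0.0.0` and the container runs with `network_mode: host`, so ports 10808 and 12345 are bound on every interface of the gateway, while the iptables rules only select which sources get redirected into 12345. The following is an added example, not part of the original instructions: a small audit that lists inbounds reachable from other hosts without authentication (the function names and the trimmed sample config are constructed for illustration).

```python
import ipaddress
import json

# Constructed sample: the two inbounds from config.json above, trimmed to the
# fields this check reads.
SAMPLE_CONFIG = json.loads("""
{
  "inbounds": [
    {"tag": "socks", "port": 10808, "listen": "0.0.0.0",
     "protocol": "socks", "settings": {"auth": "noauth", "udp": true}},
    {"tag": "transparent", "port": 12345, "listen": "0.0.0.0",
     "protocol": "dokodemo-door",
     "settings": {"network": "tcp,udp", "followRedirect": true}}
  ]
}
""")


def is_local_only(listen):
    """True for loopback IPs and Unix socket paths (not reachable off-host)."""
    if listen.startswith(("/", "@")):
        return True
    try:
        return ipaddress.ip_address(listen).is_loopback
    except ValueError:
        return False  # hostname or unparsable value: assume it may be exposed


def exposed_inbounds(config):
    """Return (tag, port, reason) for inbounds reachable off-host without auth."""
    findings = []
    for inbound in config.get("inbounds", []):
        # xray binds to 0.0.0.0 when "listen" is omitted
        if is_local_only(inbound.get("listen", "0.0.0.0")):
            continue
        protocol = inbound.get("protocol")
        settings = inbound.get("settings", {})
        if protocol == "socks" and settings.get("auth", "noauth") == "noauth":
            reason = "SOCKS without authentication"
        elif protocol == "dokodemo-door":
            reason = "transparent inbound, protocol has no authentication"
        else:
            continue
        findings.append((inbound.get("tag"), inbound.get("port"), reason))
    return findings


if __name__ == "__main__":
    for tag, port, reason in exposed_inbounds(SAMPLE_CONFIG):
        print(f"{tag}:{port} listens beyond loopback: {reason}")
```

The connection test above only uses the SOCKS inbound from `127.0.0.1`, so binding it to loopback removes that finding; the transparent inbound has to stay reachable for redirected traffic and is restricted by firewall rules instead.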

Add a route to the `to_vpn` table:

```
/ip route add dst-address=0.0.0.0/0 gateway=192.168.0.131 routing-table=to_vpn distance=1
```

Check:

```
/ip route print where routing-table=to_vpn
```

| Command | Description |
|---|---|
| `docker compose up -d` | Start |
| `docker compose down` | Stop |
| `docker compose restart` | Restart |
| `docker compose logs -f` | View logs |

```bash
iptables -t nat -A PREROUTING -i eth0 -p tcp -s NEW_IP -j REDIRECT --to-ports 12345
netfilter-persistent save
```

```bash
iptables -t nat -D PREROUTING -i eth0 -p tcp -s IP_TO_REMOVE -j REDIRECT --to-ports 12345
netfilter-persistent save
```

```bash
iptables -t nat -L PREROUTING -n --line-numbers
```

```
/opt/xray-gateway/
├── config.json
└── docker-compose.yml
```