TechBlog
HomeBlogCategoriesTagsLinksGuestbookAbout
中
TechBlog

探索技术世界的无限可能。分享前沿技术、开发经验与行业洞察。

快速链接

  • 博客文章
  • 文章分类
  • 标签云
  • 关于我

热门分类

  • Technology
  • AI
  • Web Development
  • DevOps

© 2026 TechBlog. All rights reserved.

Built with using Next.js & Tailwind CSS

Back to posts
VPN

NAT VPS Optimal Node Setup

January 29, 2026
6 min read
#v2ray#clash#vless#vmess

💬 Comments

Ultimate Guide: German NAT VPS / IPv6 Only Setup (Argo Tunnel + WARP + BBR)

This guide will walk you through building a high-performance node on a German LXC NAT VPS (or IPv6-only VPS) using Cloudflare Argo Tunnel. This architecture perfectly solves common issues like lack of public IPv4, restricted ports, and dirty IP addresses.

Architecture Overview:

  • Ingress: Cloudflare Anycast IP -> Argo Tunnel (HTTP/2)
  • Middleware: X-UI Panel (VLESS/gRPC)
  • Egress: WARP (Unlocks streaming / Provides clean IPv6)
  • Optimization: BBR + TCP Window Tuning

Part 1: Manual Deployment Steps

1. Initialize Environment

Connect via SSH and update the system with necessary network tools.

apt update && apt upgrade -y
apt install -y curl wget sudo nano net-tools iptables-persistent

2. System Kernel Optimization (LXC Specific)

Enable BBR and optimize TCP windows for high-latency cross-continent connections. (Note: LXC shares the host kernel, so we enable modules without changing the kernel)

# 1. Enable BBR (if supported by host)
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
 
# 2. Optimize TCP Windows (Critical for 170ms+ latency)
cat <<EOF >> /etc/sysctl.conf
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 16384 16777216
EOF
 
# 3. Fix Ping permission issues in LXC containers
echo '0 2147483647' > /proc/sys/net/ipv4/ping_group_range
 
# Apply changes
sysctl -p

3. Install Cloudflare WARP (Outbound Traffic)

This assigns a clean exit IP to your VPS, preventing Google CAPTCHAs.

wget -N https://gitlab.com/fscarmen/warp/-/raw/main/menu.sh && bash menu.sh
# Recommended: Select [1] Install WARP -> [1] System Interface -> [2] IPv4 Priority or Dual Stack

4. Install 3x-ui Panel

bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)

Configuration Recommendations:

  • Panel Port: Set to 8080 (to match the script below).
  • Inbound Listen IP: Set to 127.0.0.1 (Only allow local tunnel access for security).
  • Inbound Port: 8080.

5. Deploy Cloudflared Tunnel (Intranet Penetration)

A. Install & Login

curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb && dpkg -i cloudflared.deb
cloudflared tunnel login
# Copy the link provided and authorize via browser

B. Create Tunnel

# 1. Create a tunnel (Name it whatever you want, e.g., my-tunnel)
cloudflared tunnel create my-tunnel
 
# 2. Route DNS (Replace with your actual domain)
cloudflared tunnel route dns my-tunnel node.yourdomain.com

C. Configure Routing & Daemon Create the config file ~/.cloudflared/config.yml: (Replace <Your-Tunnel-ID> with the actual ID generated)

tunnel: <Your-Tunnel-ID>
credentials-file: /root/.cloudflared/<Your-Tunnel-ID>.json
protocol: http2
 
ingress:
  - hostname: node.yourdomain.com
    service: http://127.0.0.1:8080
  - service: http_status:404

Finally, install the system service for auto-start:

cloudflared service install
systemctl start cloudflared

Part 2: All-in-One Automation Script

If you prefer not to configure everything manually, use the script below. It automatically detects the environment, asks for your domain, and generates the configuration files.

How to use:

  1. Create file: nano setup.sh
  2. Paste the code below.
  3. Run: chmod +x setup.sh && ./setup.sh
#!/bin/bash
# ==========================================
# German NAT VPS / IPv6 Only Setup Script
# Blog Version - Auto Config for Argo Tunnel + WARP + BBR
# ==========================================
 
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
PLAIN='\033[0m'
 
# 1. Environment Init & LXC Optimization
echo -e "${GREEN}>>> [1/5] Initializing environment & kernel optimization...${PLAIN}"
apt update && apt install -y curl wget sudo nano net-tools
# Fix LXC Ping permissions
echo '0 2147483647' > /proc/sys/net/ipv4/ping_group_range
# Write BBR & TCP optimization parameters
sed -i '/net.core.default_qdisc/d' /etc/sysctl.conf
sed -i '/net.ipv4.tcp_congestion_control/d' /etc/sysctl.conf
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
# Optimize TCP window for high latency
cat <<EOF >> /etc/sysctl.conf
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 16384 16777216
EOF
sysctl -p
 
# 2. Install WARP
echo -e "${GREEN}>>> [2/5] Installing Cloudflare WARP...${PLAIN}"
echo -e "${YELLOW}Tip: In the interactive menu, recommend selecting [1] Install -> [2] IPv4 Priority${PLAIN}"
read -p "Press Enter to continue..."
wget -N https://gitlab.com/fscarmen/warp/-/raw/main/menu.sh && bash menu.sh
 
# 3. Install X-UI
echo -e "${GREEN}>>> [3/5] Installing 3x-ui Panel...${PLAIN}"
echo -e "${YELLOW}Tip: Recommend setting panel port to 8080 to match default config${PLAIN}"
read -p "Press Enter to continue..."
bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)
 
# 4. Configure Cloudflared Tunnel
echo -e "${GREEN}>>> [4/5] Configuring Cloudflared Tunnel...${PLAIN}"
curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb && dpkg -i cloudflared.deb
 
echo -e "${YELLOW}>>> Please copy the link below to authorize Cloudflare in your browser:${PLAIN}"
cloudflared tunnel login
 
echo -e "\n"
read -p "Enter a name for your tunnel (e.g., my-vps): " TUNNEL_NAME
cloudflared tunnel create $TUNNEL_NAME
 
# Auto-fetch ID
TUNNEL_ID=$(cloudflared tunnel list | grep $TUNNEL_NAME | awk '{print $1}')
if [ -z "$TUNNEL_ID" ]; then
    echo -e "${RED}Tunnel creation failed. Please check authorization.${PLAIN}"
    exit 1
fi
 
read -p "Enter the full domain to bind (e.g., node.example.com): " DOMAIN_NAME
cloudflared tunnel route dns $TUNNEL_NAME $DOMAIN_NAME
 
# Generate config (Force HTTP2 to avoid UDP blocking)
mkdir -p /root/.cloudflared
cat <<EOF > /root/.cloudflared/config.yml
tunnel: $TUNNEL_ID
credentials-file: /root/.cloudflared/${TUNNEL_ID}.json
protocol: http2
ingress:
  - hostname: $DOMAIN_NAME
    service: http://127.0.0.1:8080
  - service: http_status:404
EOF
 
# 5. Persistence Service
echo -e "${GREEN}>>> [5/5] Creating Systemd Service...${PLAIN}"
cat <<EOF > /etc/systemd/system/cloudflared.service
[Unit]
Description=Cloudflare Tunnel
After=network.target
[Service]
Type=simple
User=root
ExecStart=/usr/bin/cloudflared tunnel --config /root/.cloudflared/config.yml run
Restart=on-failure
RestartSec=10
[Install]
WantedBy=multi-user.target
EOF
 
systemctl daemon-reload
systemctl enable cloudflared
systemctl start cloudflared
 
echo -e "${GREEN}==============================================${PLAIN}"
echo -e "${GREEN}  Deployment Successful!  ${PLAIN}"
echo -e "Your Node Domain: ${YELLOW}${DOMAIN_NAME}${PLAIN}"
echo -e "Action Required: Go to X-UI panel, create an inbound with Port 8080 and Listen IP 127.0.0.1"
echo -e "${GREEN}==============================================${PLAIN}"

Part 3: Troubleshooting Guide

🔧 YouTube Client Can't Connect (WebUI Works Fine)

如果你的网页版正常,但 YouTube 等客户端无法访问,可能是出站策略的问题。

🎯 核心操作:强制开启 IPv6 优先

  1. 进入面板:在左侧菜单点击 Panel Settings (面板设置) -> Xray Configuration (Xray 配置)。
  2. 找代码:在右侧的 JSON 编辑框里,找到 "outbounds": [ 这一段。
  3. 修改 Freedom 节点:找到第一个 protocol 为 freedom 的那一段(这是负责直连出站的)。
  4. 加入关键代码:在 settings 的花括号 {} 里面,加上一句 "domainStrategy": "UseIPv6"。

修改后的代码长这样(注意逗号):

{
  "protocol": "freedom",
  "settings": {
    "domainStrategy": "UseIPv6"
  },
  "tag": "direct"
}
  • 原来的样子:可能 settings 是空的 {},或者只有 userLevel。
  • 改完的作用:这句话告诉 Xray,只要你要访问网站(比如 YouTube),死命令优先解析并连接 IPv6 地址。因为你的德国机器 IPv6 是干净的,而 IPv4 是几千人共用的"脏 IP",Google 看到 IPv4 就拦截,看到 IPv6 就放行。

⚡️ 还有一个可能的设置:Sniffing (流量探测)

如果你上面的改了还不行,那就是你把入站的 Sniffing 关了。

  1. 去 Inbounds (入站列表)。
  2. 点击你那个节点的 Edit (编辑)。
  3. 确保 Sniffing (流量探测) 开关是 开启 (Enable) 状态。
    • Sniffing 开启后,Xray 才能从流量里拆出 "youtube.com" 这个域名,然后利用上面的 UseIPv6 策略去走 IPv6。

一般就是改 domainStrategy: UseIPv6 这一招,改完记得点右下角的 Save (保存) 并 Restart Xray (重启)。 快去试试!

Client Connection Tips (For Blog Readers)

When configuring clients like v2rayN, Shadowrocket, or Clash:

  1. Address: Use a Cloudflare Optimized IP (e.g., visa.cn or cf.090227.xyz). Do NOT put your bound domain here.
  2. Port: 443
  3. SNI / Host / Pseudo Domain: Enter your bound domain (e.g., node.yourdomain.com).
  4. TLS: Must be ON.