NAT VPS Optimal Node Setup
Ultimate Guide: German NAT VPS / IPv6 Only Setup (Argo Tunnel + WARP + BBR)
This guide walks you through building a high-performance node on a German LXC NAT VPS (or an IPv6-only VPS) using Cloudflare Argo Tunnel. The architecture sidesteps the usual problems of such hosts: no dedicated public IPv4, only a few forwarded ports, and a shared IPv4 address whose reputation is already poor ("dirty IP").
Architecture Overview:
- Ingress: Cloudflare Anycast IP -> Argo Tunnel (HTTP/2)
- Middleware: X-UI Panel (VLESS/gRPC)
- Egress: WARP (Unlocks streaming / Provides clean IPv6)
- Optimization: BBR + TCP Window Tuning
Part 1: Manual Deployment Steps
1. Initialize Environment
Connect via SSH and update the system with necessary network tools.
apt update && apt upgrade -y
apt install -y curl wget sudo nano net-tools iptables-persistent
2. System Kernel Optimization (LXC Specific)
Enable BBR and enlarge the TCP windows for high-latency cross-continent connections. (Note: an LXC container shares the host kernel, so you cannot load modules or change the kernel from inside it; the sysctl lines below only take effect if the host kernel already offers BBR. Check /proc/sys/net/ipv4/tcp_available_congestion_control after running them.)
# 1. Enable BBR (if supported by host)
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
# 2. Optimize TCP Windows (Critical for 170ms+ latency)
cat <<EOF >> /etc/sysctl.conf
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 16384 16777216
EOF
# 3. Fix Ping permission issues in LXC containers
echo '0 2147483647' > /proc/sys/net/ipv4/ping_group_range
# Apply changes
sysctl -p
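Because the commands above append to /etc/sysctl.conf with `>>`, running them a second time leaves duplicate keys, and sysctl silently keeps whichever value comes last; inside LXC the bbr line is also a no-op when the host kernel does not offer it. The following Python script is an added example, not part of the original guide: it parses a sysctl.conf text, reports missing, overridden and duplicated entries for exactly the six keys written above, and checks a tcp_available_congestion_control listing for bbr. The sample configuration embedded in it is constructed.

```python
"""Audit the BBR/TCP-window settings from step 2 before trusting `sysctl -p`.

Added example for this guide, not part of the original page. It checks the
same six keys the guide writes; the sample input below is constructed.
"""
import re
import sys
from typing import Dict, List, Tuple

# The exact values the guide writes to /etc/sysctl.conf
EXPECTED: Dict[str, str] = {
    "net.core.default_qdisc": "fq",
    "net.ipv4.tcp_congestion_control": "bbr",
    "net.core.rmem_max": "16777216",
    "net.core.wmem_max": "16777216",
    "net.ipv4.tcp_rmem": "4096 87380 16777216",
    "net.ipv4.tcp_wmem": "4096 16384 16777216",
}

_KV = re.compile(r"^\s*([\w./-]+)\s*=\s*(.*?)\s*$")


def parse_sysctl_conf(text: str) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Return (effective values, per-key occurrence counts).

    sysctl applies entries top to bottom, so when a key repeats the last
    occurrence is the effective one; the counts expose the stale copies.
    """
    effective: Dict[str, str] = {}
    counts: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0]  # strip comments
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1), re.sub(r"\s+", " ", m.group(2))
        effective[key] = value
        counts[key] = counts.get(key, 0) + 1
    return effective, counts


def audit(text: str) -> List[str]:
    """List problems with the guide's six keys: missing, wrong value, duplicated."""
    effective, counts = parse_sysctl_conf(text)
    problems: List[str] = []
    for key, want in EXPECTED.items():
        got = effective.get(key)
        if got is None:
            problems.append(f"missing: {key}")
        elif got != want:
            problems.append(f"unexpected value: {key} = {got!r} (expected {want!r})")
    for key, n in counts.items():
        if n > 1:
            problems.append(f"duplicated {n}x (last one wins): {key}")
    return problems


def bbr_available(listing: str) -> bool:
    """True if 'bbr' appears in the contents of
    /proc/sys/net/ipv4/tcp_available_congestion_control (in LXC the host decides)."""
    return "bbr" in listing.split()


# Constructed sample: the guide's lines, then a hand-added override back to cubic
SAMPLE_CONF = """\
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 16384 16777216
# appended later by hand
net.ipv4.tcp_congestion_control=cubic
"""

if __name__ == "__main__":
    # Usage: python3 audit_sysctl.py [/etc/sysctl.conf]; without a path the sample is used
    path = sys.argv[1] if len(sys.argv) > 1 else None
    conf = open(path).read() if path else SAMPLE_CONF
    for problem in audit(conf) or ["sysctl.conf looks consistent"]:
        print(problem)
    try:
        with open("/proc/sys/net/ipv4/tcp_available_congestion_control") as f:
            print("bbr offered by kernel:", bbr_available(f.read()))
    except OSError:
        print("could not read tcp_available_congestion_control")
```

Run it against the real file after each `sysctl -p`; a "duplicated" line means the file should be cleaned up rather than appended to again.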
3. Install Cloudflare WARP (Outbound Traffic)
This assigns a clean exit IP to your VPS, preventing Google CAPTCHAs.
wget -N https://gitlab.com/fscarmen/warp/-/raw/main/menu.sh && bash menu.sh
# Recommended: Select [1] Install WARP -> [1] System Interface -> [2] IPv4 Priority or Dual Stack
4. Install 3x-ui Panel
bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)
Configuration Recommendations:
- Panel Port: Set to 8080 (to match the script below).
- Inbound Listen IP: Set to 127.0.0.1 (only the local cloudflared tunnel can reach it, so the inbound is never exposed on a public address).
- Inbound Port: 8080.
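The reason to bind the inbound to 127.0.0.1 is that an IPv6-only VPS has a globally reachable address: anything bound to a wildcard address ([::], 0.0.0.0 or *) is on the public internet even though there is no IPv4. The following Python script is an added example, not part of the original guide or of 3x-ui: it parses the output of `ss -tlnp`, lists every listener, and flags the guide's loopback-only port (8080) whenever it is bound to a wildcard. The sample ss output embedded below is constructed and its process names are illustrative.

```python
"""Flag services that should be loopback-only but listen on a wildcard address.

Added example for this guide, not part of the original page or of 3x-ui.
Parses the output of `ss -tlnp`; the sample output below is constructed.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Forms ss prints for "all interfaces" (IPv4 only, IPv6 only, or both)
WILDCARDS = {"0.0.0.0", "[::]", "::", "*"}
# Ports the guide expects only the local cloudflared process to reach
LOOPBACK_ONLY_PORTS: Set[int] = {8080}

_PROC = re.compile(r'\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: Optional[str]  # None when ss was run without privilege to show it


def parse_ss(text: str) -> List[Listener]:
    """Parse `ss -tlnp` lines into Listener records; the header line is skipped."""
    found: List[Listener] = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")  # "[::]:8080" -> "[::]", "8080"
        if not port.isdigit():
            continue
        m = _PROC.search(line)
        found.append(Listener(addr, int(port), m.group(1) if m else None))
    return found


def exposed_listeners(listeners: Iterable[Listener],
                      loopback_only: Set[int] = LOOPBACK_ONLY_PORTS) -> List[Listener]:
    """Return listeners on a guarded port that are bound to a wildcard address."""
    return [l for l in listeners if l.port in loopback_only and l.addr in WILDCARDS]


# Constructed sample: panel correctly on loopback, the VLESS inbound wrongly on [::]
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:54321     0.0.0.0:*         users:(("x-ui",pid=790,fd=7))
LISTEN 0      4096   [::]:8080           [::]:*            users:(("xray",pid=812,fd=9))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=501,fd=3))
"""


def live_report() -> List[Listener]:
    """Run ss on this host when it is installed, otherwise use the sample output."""
    if shutil.which("ss"):
        text = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_SS
    return exposed_listeners(parse_ss(text))


if __name__ == "__main__":
    for l in live_report():
        print(f"EXPOSED: port {l.port} bound to {l.addr} by {l.process or 'unknown'}")
```

Run it as root after creating the inbound in 3x-ui; an empty report means port 8080 is only reachable through the tunnel.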
5. Deploy Cloudflared Tunnel (Reverse Tunnel: No Public IP or Open Port Needed)
A. Install & Login
curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb && dpkg -i cloudflared.deb
cloudflared tunnel login
# Copy the link provided and authorize via browser
B. Create Tunnel
# 1. Create a tunnel (Name it whatever you want, e.g., my-tunnel)
cloudflared tunnel create my-tunnel
# 2. Route DNS (Replace with your actual domain)
cloudflared tunnel route dns my-tunnel node.yourdomain.com
C. Configure Routing & Daemon
Create the config file ~/.cloudflared/config.yml:
(Replace <Your-Tunnel-ID> with the actual ID generated)
tunnel: <Your-Tunnel-ID>
credentials-file: /root/.cloudflared/<Your-Tunnel-ID>.json
protocol: http2
ingress:
  - hostname: node.yourdomain.com
    service: http://127.0.0.1:8080
  - service: http_status:404
Finally, install the system service for auto-start (note that `cloudflared service install` copies ~/.cloudflared/config.yml to /etc/cloudflared/config.yml, so later edits must be made there, or the service reinstalled, to take effect):
cloudflared service install
systemctl start cloudflared
Part 2: All-in-One Automation Script
If you prefer not to configure everything manually, use the script below. It automatically detects the environment, asks for your domain, and generates the configuration files.
How to use:
- Create the file: nano setup.sh
- Paste the code below.
- Run: chmod +x setup.sh && ./setup.sh
#!/bin/bash
# ==========================================
# German NAT VPS / IPv6 Only Setup Script
# Blog Version - Auto Config for Argo Tunnel + WARP + BBR
# ==========================================
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
RED='\033[0;31m'
PLAIN='\033[0m'

# The script writes to /etc and /root, so it must run as root
if [ "$(id -u)" -ne 0 ]; then
    echo -e "${RED}Please run this script as root.${PLAIN}"
    exit 1
fi

# 1. Environment Init & LXC Optimization
echo -e "${GREEN}>>> [1/5] Initializing environment & kernel optimization...${PLAIN}"
apt update && apt install -y curl wget sudo nano net-tools
# Fix LXC Ping permissions
echo '0 2147483647' > /proc/sys/net/ipv4/ping_group_range
# Write BBR & TCP optimization parameters
# (delete any earlier copies first so re-running the script does not leave duplicate keys)
sed -i '/net.core.default_qdisc/d' /etc/sysctl.conf
sed -i '/net.ipv4.tcp_congestion_control/d' /etc/sysctl.conf
sed -i '/net.core.rmem_max/d;/net.core.wmem_max/d;/net.ipv4.tcp_rmem/d;/net.ipv4.tcp_wmem/d' /etc/sysctl.conf
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
# Optimize TCP window for high latency
cat <<EOF >> /etc/sysctl.conf
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 16384 16777216
EOF
sysctl -p

# 2. Install WARP
echo -e "${GREEN}>>> [2/5] Installing Cloudflare WARP...${PLAIN}"
echo -e "${YELLOW}Tip: In the interactive menu, recommend selecting [1] Install -> [2] IPv4 Priority${PLAIN}"
read -p "Press Enter to continue..."
wget -N https://gitlab.com/fscarmen/warp/-/raw/main/menu.sh && bash menu.sh

# 3. Install X-UI
echo -e "${GREEN}>>> [3/5] Installing 3x-ui Panel...${PLAIN}"
echo -e "${YELLOW}Tip: Recommend setting panel port to 8080 to match default config${PLAIN}"
read -p "Press Enter to continue..."
bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)

# 4. Configure Cloudflared Tunnel
echo -e "${GREEN}>>> [4/5] Configuring Cloudflared Tunnel...${PLAIN}"
curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb && dpkg -i cloudflared.deb
echo -e "${YELLOW}>>> Please copy the link below to authorize Cloudflare in your browser:${PLAIN}"
cloudflared tunnel login
echo -e "\n"
read -p "Enter a name for your tunnel (e.g., my-vps): " TUNNEL_NAME
cloudflared tunnel create "$TUNNEL_NAME"
# Auto-fetch ID: match the NAME column exactly, so "my-vps" does not also pick up "my-vps-2"
TUNNEL_ID=$(cloudflared tunnel list | awk -v name="$TUNNEL_NAME" '$2 == name {print $1}')
if [ -z "$TUNNEL_ID" ]; then
    echo -e "${RED}Tunnel creation failed. Please check authorization.${PLAIN}"
    exit 1
fi
read -p "Enter the full domain to bind (e.g., node.example.com): " DOMAIN_NAME
cloudflared tunnel route dns "$TUNNEL_NAME" "$DOMAIN_NAME"
# Generate config (Force HTTP2 to avoid UDP blocking)
mkdir -p /root/.cloudflared
cat <<EOF > /root/.cloudflared/config.yml
tunnel: $TUNNEL_ID
credentials-file: /root/.cloudflared/${TUNNEL_ID}.json
protocol: http2
ingress:
  - hostname: $DOMAIN_NAME
    service: http://127.0.0.1:8080
  - service: http_status:404
EOF
# Check the ingress rules before creating the service
cloudflared tunnel --config /root/.cloudflared/config.yml ingress validate || exit 1

# 5. Persistence Service
echo -e "${GREEN}>>> [5/5] Creating Systemd Service...${PLAIN}"
cat <<EOF > /etc/systemd/system/cloudflared.service
[Unit]
Description=Cloudflare Tunnel
After=network.target

[Service]
Type=simple
User=root
ExecStart=/usr/bin/cloudflared tunnel --config /root/.cloudflared/config.yml run
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable cloudflared
systemctl start cloudflared

echo -e "${GREEN}==============================================${PLAIN}"
echo -e "${GREEN} Deployment Successful! ${PLAIN}"
echo -e "Your Node Domain: ${YELLOW}${DOMAIN_NAME}${PLAIN}"
echo -e "Action Required: Go to X-UI panel, create an inbound with Port 8080 and Listen IP 127.0.0.1"
echo -e "${GREEN}==============================================${PLAIN}"
Part 3: Troubleshooting Guide
🔧 YouTube Client Can't Connect (WebUI Works Fine)
If the web version works but clients such as the YouTube app cannot connect, the outbound policy is the likely cause.
🎯 Core fix: force IPv6 priority
- Open the panel: in the left menu click Panel Settings -> Xray Configuration.
- Find the section: in the JSON editor on the right, locate the "outbounds": [ block.
- Edit the freedom outbound: find the first entry whose protocol is freedom (this is the one that handles direct outbound connections).
- Add the key line: inside the curly braces {} of settings, add "domainStrategy": "UseIPv6".
After the change it looks like this (mind the commas):
{
  "protocol": "freedom",
  "settings": {
    "domainStrategy": "UseIPv6"
  },
  "tag": "direct"
}
- Before the change: settings was probably an empty {} or contained only userLevel.
- What the change does: it tells Xray that whenever you access a site (for example YouTube) it must prefer resolving and connecting to the IPv6 address. Your German machine's IPv6 is clean, while its IPv4 is a "dirty IP" shared by thousands of users; Google blocks the IPv4 and lets the IPv6 through.
⚡️ One more setting to check: Sniffing
If the change above still does not help, Sniffing on the inbound has been turned off.
- Go to Inbounds.
- Click Edit on your node.
- Make sure the Sniffing switch is set to Enable.
Only with Sniffing on can Xray extract the domain "youtube.com" from the traffic and then apply the UseIPv6 strategy above to route it over IPv6.
In most cases setting domainStrategy: UseIPv6 is the only change needed; after editing, click Save at the bottom right and then Restart Xray. Go try it!
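Editing the JSON by hand in the panel is where commas go missing. The following Python script is an added example, not part of the original guide or of Xray/3x-ui: it applies the two changes described in this troubleshooting section to an exported Xray config as structured JSON, setting domainStrategy on the first freedom outbound (creating an empty settings object when needed) and reporting or enabling sniffing on each inbound. The sample config embedded below is constructed; the real one is whatever the panel shows under Panel Settings -> Xray Configuration.

```python
"""Apply the two troubleshooting changes above to an Xray config as JSON.

Added example for this guide, not part of the original page or of Xray/3x-ui.
The sample config below is constructed.
"""
import copy
import json
import sys
from typing import Any, Dict, List


def force_ipv6_on_freedom(config: Dict[str, Any], strategy: str = "UseIPv6") -> Dict[str, Any]:
    """Return a copy where the first 'freedom' outbound gets settings.domainStrategy.

    Other outbounds and any other keys inside settings are left untouched; a
    missing settings object is created, which covers the guide's "empty {}" case.
    """
    patched = copy.deepcopy(config)
    for outbound in patched.get("outbounds", []):
        if outbound.get("protocol") == "freedom":
            settings = outbound.setdefault("settings", {})
            if not isinstance(settings, dict):
                raise ValueError("freedom outbound 'settings' is not a JSON object")
            settings["domainStrategy"] = strategy
            return patched
    raise ValueError("no freedom outbound in config")


def inbounds_without_sniffing(config: Dict[str, Any]) -> List[str]:
    """Tags (or ports) of inbounds whose sniffing is off, so UseIPv6 never sees the domain."""
    missing: List[str] = []
    for inbound in config.get("inbounds", []):
        sniff = inbound.get("sniffing") or {}
        if not sniff.get("enabled", False):
            missing.append(str(inbound.get("tag") or inbound.get("port")))
    return missing


def enable_sniffing(config: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with sniffing enabled on every inbound (destOverride kept or defaulted)."""
    patched = copy.deepcopy(config)
    for inbound in patched.get("inbounds", []):
        sniff = inbound.setdefault("sniffing", {})
        sniff["enabled"] = True
        sniff.setdefault("destOverride", ["http", "tls"])
    return patched


# Constructed sample: inbound on loopback with sniffing off, freedom outbound with empty settings
SAMPLE_CONFIG: Dict[str, Any] = {
    "inbounds": [
        {"tag": "inbound-8080", "port": 8080, "listen": "127.0.0.1", "protocol": "vless",
         "sniffing": {"enabled": False, "destOverride": ["http", "tls"]}}
    ],
    "outbounds": [
        {"protocol": "freedom", "settings": {}, "tag": "direct"},
        {"protocol": "blackhole", "tag": "blocked"},
    ],
}


if __name__ == "__main__":
    # Usage: python3 fix_xray.py [config.json]; prints the patched config, paste it back into the panel
    config = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CONFIG
    for tag in inbounds_without_sniffing(config):
        print(f"# sniffing was off on inbound {tag}; enabling", file=sys.stderr)
    print(json.dumps(enable_sniffing(force_ipv6_on_freedom(config)), indent=2))
```

Because the output is produced by json.dumps, it is always valid JSON, which removes the comma mistakes the manual edit invites; the original input is never modified in place.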
Client Connection Tips (For Blog Readers)
When configuring clients like v2rayN, Shadowrocket, or Clash:
- Address: Use a Cloudflare Optimized IP (e.g., visa.cnorcf.090227.xyz). Do NOT put your bound domain here.
- Port: 443
- SNI / Host / Pseudo Domain: Enter your bound domain (e.g., node.yourdomain.com).
- TLS: Must be ON.