
Configuration Example

You can configure Egern's parameters in the Profile.yaml file.

Here is an example of a Profile.yaml file:

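---
# Enable IPv6. Default is false
ipv6: false

# HTTP proxy port. Default is 3080
http_port: 3080

# SOCKS proxy port. Default is 3090
socks_port: 3090

# Allow external connections to access the proxy on the device through Wi-Fi,
# i.e. expose http_port and socks_port to other hosts on the same network.
# Default is false
allow_external_connections: false

# Virtual Interface Only mode. Default is false
vif_only: false

# Specifies particular hosts whose network traffic should bypass the Tunnel's
# HTTP proxy and route directly through the virtual network interface.
# Wildcard patterns must be quoted: an unquoted value starting with `*` is
# read by YAML as an alias, not as a string. Default is an empty array
bypass_tunnel_proxy:
  - '*.example.com'

# Hide VPN icon. Default is false
hide_vpn_icon: false

# Allow the user to specify one or more DNS server addresses. When there are
# requests to query records from these specific DNS server addresses, the
# system intercepts those requests and returns a fake IP address. This ensures
# that subsequent TCP and UDP traffic is directed to the domain using this fake
# IP to control or modify network traffic routing. Default is an empty array
hijack_dns:
  - '*'

# Specify a custom GeoIP database URL. Egern will automatically update the
# database weekly. Default is null
geoip_db_url: null

# Specify a custom ASN database URL. Egern will automatically update the
# database weekly. Default is null
asn_db_url: null

# Custom proxy latency test URL. Default is null
proxy_latency_test_url: null

# Custom direct latency test URL. Default is null
direct_latency_test_url: null

# The virtual network interface does not use the default route, splitting into
# smaller routes to resolve issues like HomeKit camera not working.
# Default is false
compat_route: false

# If enabled, the system will route network traffic through the tunnel, except
# for traffic from specified system services necessary for device
# functionality. Default is false
include_all_networks: false

# If enabled, the system will include traffic from Apple Push Notification
# Service (APN), provided that all networks are also enabled. Default is false
include_apns: false

# If enabled, the system will include cellular network services such as Wi-Fi
# calling, MMS, SMS, and visual voicemail, provided that all networks are also
# enabled. This does not affect services using only cellular networks
# (e.g., VoLTE), which are automatically excluded. Default is false
include_cellular_services: false

# If enabled, the system will include network connections to hosts on the
# local network (e.g., AirPlay, AirDrop, and CarPlay), provided that all
# networks are also enabled. Default is false
include_local_networks: false

# Routes included in the virtual interface. Default is an empty array
vif_included_routes:
  - 192.168.0.1/32

# Routes excluded from the virtual interface. Default is an empty array
vif_excluded_routes:
  - 192.168.0.1/32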

# DNS configuration: bootstrap resolvers, named upstreams, forwarding rules,
# static host entries and blocked answers.
dns:
  # Resolvers used before any upstream is reachable.
  bootstrap:
    - system  # Use system's default DNS configuration as bootstrap.
  # Named upstream DNS servers; forward rules refer to them by name.
  upstreams:
    google:  # Use Google Public DNS as one of the upstream servers.
      - https://8.8.8.8  # First Google DNS server.
      - https://8.8.4.4  # Backup Google DNS server.
  # DNS request forwarding rules.
  forward:
    - wildcard:
        match: '*.cn'  # Forward all requests ending with .cn to the system default DNS.
        value: system
    - proxy_rule_set:  # Match domain names from the ACL4SSR China Domain list.
        match: https://github.com/ACL4SSR/ACL4SSR/raw/master/Clash/ChinaDomain.list
        value: system  # Use system default DNS for these domains.
    - regex:
        # Regex matching domains starting with "ad." or "ads." (usually ad-related).
        # Quoted so the backslashes and `|` are never misread by a YAML parser.
        match: '^ad\..*|^ads\..*'
        value: quic://dns.adguard-dns.com  # Use AdGuard QUIC DNS for these ad-related domains.
    - wildcard:
        match: '*'  # Match all other domains not caught by the previous rules.
        value: google  # Forward these domain requests to Google's DNS.
  # Local DNS resolution mappings.
  hosts:
    example.com: www.example.com  # Resolve example.com to www.example.com.
    localhost: 127.0.0.1  # Resolve localhost to 127.0.0.1.
  # List of blocked IP addresses or subnets.
  block_ips:
    - 1.2.3.4  # Block IP address 1.2.3.4.
    - 4.3.2.1/32  # Block IP address 4.3.2.1/32 (single IP).
  # URL to query the public IP address for obtaining the device's public IP.
  public_ip_lookup_url: https://ifconfig.me/ip

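# Proxy list. Each entry is a single-key mapping whose key is the protocol.
# Policy groups refer to proxies by `name`, so every name must be unique.
# Credentials (password, auth, user_id, obfs_password) are stored in plain
# text in this file; the values below are placeholders.
proxies:
  # Shadowsocks protocol
  - shadowsocks:
      # Proxy name
      name: MyShadowsocks
      # Encryption method. Supports chacha20-ietf-poly1305, aes-256-gcm, aes-128-gcm.
      method: chacha20-ietf-poly1305
      # Password
      password: Password
      # Server address
      server: 127.0.0.1
      # Server port
      port: 443
      # Enable TCP Fast Open
      tfo: false
      # Enable UDP relay
      udp_relay: false
      # Data obfuscation. Supports http and tls.
      obfs: http
      # Host for HTTP obfuscation or SNI for TLS obfuscation
      obfs_host: www.bing.com
      # URI for HTTP obfuscation
      obfs_uri: "http://www.bing.com/"
  # Trojan protocol
  - trojan:
      # Proxy name
      name: MyTrojan
      # Server address
      server: 127.0.0.1
      # Server port
      port: 443
      # TLS SNI
      sni: www.bing.com
      # Password
      password: Password
      # Enable TCP Fast Open
      tfo: false
      # Enable UDP relay
      udp_relay: true
  # Vless protocol
  - vless:
      # Proxy name
      name: MyVless
      # Server address
      server: 127.0.0.1
      # Server port
      port: 443
      # User ID
      user_id: 27848739-7e62-4138-9fd3-098a63964b6b
      # Enable TCP Fast Open
      tfo: false
      # Enable UDP relay
      udp_relay: true
      # Transport protocol. Supports tls, ws, wss. tls uses sni, ws and wss use uri.
      transport:
        wss:
          uri: "wss://www.bing.com/"
  # Vmess protocol
  - vmess:
      # Proxy name
      name: MyVmess
      # Server address
      server: 127.0.0.1
      # Server port
      port: 443
      # User ID
      user_id: 27848739-7e62-4138-9fd3-098a63964b6b
      # Encryption method. Supports auto, none, aes-128-gcm, chacha20-poly1305.
      security: auto
      # Use deprecated protocol
      legacy: false
      # Enable TCP Fast Open
      tfo: false
      # Enable UDP relay
      udp_relay: true
      # Transport protocol. Supports tls, ws, wss. tls uses sni, ws and wss use uri.
      transport:
        wss:
          uri: "wss://www.bing.com/"
  # Hysteria2 protocol
  - hysteria2:
      # Proxy name (was "MyVless", which collided with the vless entry above)
      name: MyHysteria2
      # Server address
      server: 127.0.0.1
      # Server port
      port: 443
      # Authentication
      auth: your_password
      # TLS SNI
      sni: www.bing.com
      # Obfuscation type
      obfs: salamander
      # Obfuscation password
      obfs_password: cry_me_a_r1ver
      # Skip TLS verification, default is false. Keep it false: with
      # verification off, the server certificate is not checked, so the
      # connection could be terminated by anyone on the path.
      skip_tls_verify: false

  # Socks5 protocol
  - socks5:
      # Proxy name
      name: MySocks
      # Server address
      server: 127.0.0.1
      # Server port
      port: 443
      # Username
      username: Username
      # Password
      password: Password
      # Enable TCP Fast Open
      tfo: false
      # Enable UDP relay
      udp_relay: true
  # HTTP protocol
  - http:
      # Proxy name (was "MySocks", which collided with the socks5 entry above)
      name: MyHttp
      # Server address
      server: 127.0.0.1
      # Server port
      port: 443
      # Username
      username: Username
      # Password
      password: Password
      # Enable TCP Fast Open
      tfo: false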
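# Policy group configuration list. Each entry is a single-key mapping whose
# key is the group type; `policies` lists proxy names from `proxies`. Rules
# refer to groups by `name`, so group names must be unique.
policy_groups:
  # Manually selected policy group
  - select:
      # Group name
      name: Select
      # List of policies included
      policies:
        - MyShadowsocks
        - MyTrojan
  # Auto test policy group
  - auto_test:
      # Group name
      name: AutoTest
      # List of policies included
      policies:
        - MyShadowsocks
        - MyTrojan
      # Check interval in seconds. Default 1 day
      interval: 86400
      # Tolerance for policy switching. Default 100 ms
      tolerance: 100
      # Test timeout for policy group. Default 5 s
      timeout: 5
  # Fallback policy group
  - fallback:
      # Group name
      name: Fallback
      # List of policies included
      policies:
        - MyShadowsocks
        - MyTrojan
      # Check interval in seconds. Default 1 day
      interval: 86400
      # Test timeout for policy group. Default 5 s
      timeout: 5
  # Load balance policy group
  - load_balance:
      # Group name (was "Select", which collided with the select group above)
      name: LoadBalance
      # List of policies included
      policies:
        - MyShadowsocks
        - MyTrojan
  # External resource policy group
  - external:
      # Group name
      name: MyExternal
      # Policy group type. Supports select, auto_test, fallback, load_balance
      type: select
      # Group URL. Can be a local path or a remote proxy link. A remote list
      # supplies proxy server definitions that this device will send traffic
      # through, so only reference sources you control or trust.
      urls:
        - "Can be a local path or remote proxy link"
      # Filter (regex applied to the entries of the external list)
      filter: ".*"
      # Check interval in seconds. Default 1 day
      interval: 86400
      # Tolerance for policy switching. Default 100 ms
      tolerance: 100
      # Test timeout for policy group. Default 5 s
      timeout: 5
      # Update interval in seconds. Default 1 day
      update_interval: 86400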
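# Proxy rule list. Each entry is a single-key mapping whose key is the rule
# type; `policy` is a proxy name, a policy group name, or a built-in such as
# DIRECT / REJECT. The `default` rule has no match and acts as the catch-all.
rules:
  # Domain rule
  - domain:
      # Matching domain
      match: example.com
      # Policy used
      policy: REJECT
  # Domain keyword rule
  - domain_keyword:
      # Matching domain keyword
      match: example
      # Policy used
      policy: DIRECT
  # Domain suffix rule
  - domain_suffix:
      # Matching domain suffix
      match: example.com
      # Policy used
      policy: DIRECT
  # Domain regex rule
  - domain_regex:
      # Matching domain regex (double-quoted, so `\\.` becomes the regex `\.`)
      match: ".*\\.com$"
      # Policy used
      policy: Proxy
  # GeoIP rule
  - geoip:
      # Matching geographic location
      match: US
      # Policy used
      policy: Proxy
  # IPv4 CIDR rule
  - ip_cidr:
      # Matching IPv4 CIDR (network address; 192.168.0.1/24 had host bits set)
      match: 192.168.0.0/24
      # Policy used
      policy: DIRECT
  # IPv6 CIDR rule
  - ip_cidr6:
      # Matching IPv6 CIDR (quoted: the colons would otherwise be ambiguous)
      match: "2001:db8::/32"
      # Policy used
      policy: REJECT
  # URL regex rule
  - url_regex:
      # Matching URL regex
      match: "http://.*\\.com$"
      # Policy used
      policy: DIRECT
  # Rule set
  - rule_set:
      # Matching rule set URL. Can be a local path or a remote proxy link
      match: "https://example.com/example.yaml"
      # Policy used
      policy: Proxy
      # Update interval in seconds. Default 1 day
      update_interval: 86400
  # ASN rule
  - asn:
      # Matching ASN code or organization (quoted so the number stays a string)
      match: "1234"
      # Policy used
      policy: DIRECT
  # Default policy
  - default:
      # Policy used
      policy: Proxy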
# URL rewrite list: redirect matching URLs to another location.
url_rewrites:
  - # Matching URL
    match: example.com
    # Redirect location
    location: new.example.com
    # Redirect status code
    status_code: 301

# HTTP request/response header rewrite list. Each entry is a single-key
# mapping whose key is the operation (add, replace, delete).
header_rewrites:
  # Add header
  - add:
      # Matching URL regex
      match: example.com
      # Header name
      name: Content-Type
      # Header value
      value: application/json
      # Rewrite type (request or response)
      type: response
  # Replace header
  - replace:
      # Matching URL regex
      match: example.com
      # Header name
      name: Content-Type
      # Header value
      value: application/json
      # Rewrite type (request or response)
      type: response
  # Delete header (no value needed)
  - delete:
      # Matching URL regex
      match: example.com
      # Header name
      name: Content-Type
      # Rewrite type (request or response)
      type: request
# HTTP body rewrite list: find/replace inside matching request or response bodies.
body_rewrites:
  - # Matching URL regex
    match: example.com
    # Content to find
    find: old content
    # Content to replace
    replace: new content
    # Rewrite type (request or response)
    type: response
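# Scripting configuration list. Each entry is a single-key mapping whose key
# is the script type (http_request, http_response, schedule).
scriptings:
  # HTTP request script
  - http_request:
      # Script name (was "HTTP Script 1", shared with the response script below)
      name: HTTP Request Script 1
      # Matching URL regex
      match: example.com
      # Script URL. Can be a local path or a remote proxy link. A remote script
      # is downloaded and executed, so serve it over https from a source you
      # control; content fetched over plain http can be altered in transit.
      script_url: "http://script.example.com/script.js"
      # Update interval in seconds. Default 1 day
      update_interval: 86400
      # Maximum body size. In bytes
      max_size: 131072
      # Enable debugging
      debug: true
      # Timeout in seconds
      timeout: 30
      # Is request body required
      body_required: false
  # HTTP response script
  - http_response:
      # Script name (was "HTTP Script 1", shared with the request script above)
      name: HTTP Response Script 1
      # Matching URL regex
      match: example.com
      # Script URL. Can be a local path or a remote proxy link. A remote script
      # is downloaded and executed, so serve it over https from a source you
      # control; content fetched over plain http can be altered in transit.
      script_url: "http://script.example.com/script.js"
      # Update interval in seconds. Default 1 day
      update_interval: 86400
      # Maximum body size. In bytes
      max_size: 131072
      # Enable debugging
      debug: true
      # Timeout in seconds
      timeout: 30
      # Is response body required
      body_required: false
  # Scheduled task script
  - schedule:
      # Script name
      name: Scheduled Script 1
      # Cron expression (quoted: `*` is a YAML alias sigil and the fields are
      # space-separated, so keep the whole expression a single string)
      cron: '0 0 * * *'
      # Script URL. Can be a local path or a remote proxy link. A remote script
      # is downloaded and executed, so serve it over https from a source you
      # control; content fetched over plain http can be altered in transit.
      script_url: "http://script.example.com/script.js"
      # Update interval in seconds. Default 1 day
      update_interval: 86400
      # Timeout in seconds
      timeout: 30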
# MITM configuration (TLS interception for the listed hostnames).
mitm:
  # Is enabled
  enabled: true
  # CA certificate file path (PKCS#12 bundle). It is expected to hold the CA's
  # private key, which can issue certificates this device trusts, so keep the
  # file and its passphrase out of shared locations and version control.
  ca_p12: ""
  # CA certificate password ("123456" is a placeholder, not a recommendation)
  ca_passphrase: "123456"
  # MITM hostname list. Only hosts listed here are intercepted; each entry
  # matches a hostname pattern — confirm wildcard support against the docs.
  hostnames:
    - example.com
# HTTP capture configuration list: hostnames whose HTTP traffic is recorded.
http_captures:
  # Matching hostname
  - example.com
# Module configuration list. A module is extra configuration loaded from a
# URL and refreshed every `update_interval`; because its contents become part
# of this profile, only reference modules from sources you control or trust.
modules:
  - # Module URL. Can be a local path or a remote proxy link
    url: "https://example.com/module.yaml"
    # Update interval in seconds. Default 1 day
    update_interval: 86400
    # Is enabled
    enabled: true