
System Reference

Last Updated: 2026-01-15
Status: ✅ FULLY OPERATIONAL


Quick Status Check

# Check router status
ssh [email protected]
/etc/init.d/openclash status
curl -s http://127.0.0.1:9090/proxies/Proxy | grep "now"

# Test connectivity (should return 168.148.92.254)
curl https://ipinfo.io/ip

# Expected: Active proxy = LA-VMess, all proxies alive=true

System Architecture

WiFi Clients (192.168.0.x, 192.168.188.x)
    ↓ OpenClash interception
Router (192.168.192.77 - OpenWrt + OpenClash)
    ↓ LA-VMess (default)
LA VPS (vmiss.ata.lol - Caddy + Xray WITHOUT mux)
    ↓ WebSocket/TLS
StarVPN SOCKS5 (proxy.starzone.io:51313)
    ↓ Exit
Internet (Exit IP: 168.148.92.254)

Configured Proxies

| Proxy | VPS | Performance | Status |
|---|---|---|---|
| LA-VMess 🏆 | vmiss.ata.lol | 906ms HTTPS, 4.71 MB/s | PRIMARY |
| LA-VLESS | vmiss.ata.lol | 915ms HTTPS | Alternative |

Egress IP: 168.148.92.254 (Spectrum Business LA)
Recommendation: Use LA-VMess for all traffic


Traffic Routing (Loyalsoldier)

Rule Priority (top to bottom)

  1. Local IPs (192.168.x.x, 10.x.x.x) → DIRECT
  2. Ad/Tracking domains (~200,000 domains) → REJECT
  3. iCloud/Apple (218 domains) → Apple group
  4. Google services (143 domains) → Google group → Proxy
  5. Telegram → Telegram group → Proxy
  6. Known international sites (~30,000 domains) → Proxy
  7. Chinese domains (114,825 domains) → China group → DIRECT
  8. Chinese IPs (9,056 ranges) → DIRECT
  9. MATCH (catchall) → Proxy ← Critical rule

Total rules: 345,000+ domains and IP ranges

Expected Performance

| Destination | Route | Latency | Notes |
|---|---|---|---|
| Local network | DIRECT | <10ms | LAN traffic |
| Chinese sites | DIRECT | 50-200ms | Baidu, Bilibili, etc. |
| International sites | LA-VMess | 900-1500ms | Google, GitHub, etc. |
| Ads/trackers | REJECT | Blocked | 200,000+ domains |
| Unknown sites | LA-VMess | 900-1500ms | MATCH rule |

Essential Commands

Check Status

# OpenClash service
ssh [email protected] "/etc/init.d/openclash status"

# Current proxy
ssh [email protected] "curl -s http://127.0.0.1:9090/proxies/Proxy | grep 'now'"

# Monitor live traffic
ssh [email protected] "tail -f /tmp/openclash.log | grep -E '192.168.0|192.168.188'"

Switch Proxy

# Switch to LA-VMess (recommended)
ssh [email protected] "curl -X PUT http://127.0.0.1:9090/proxies/Proxy \
  -H 'Content-Type: application/json' \
  -d '{\"name\":\"LA-VMess\"}'"

# Switch to LA-VLESS (alternative)
ssh [email protected] "curl -X PUT http://127.0.0.1:9090/proxies/Proxy \
  -H 'Content-Type: application/json' \
  -d '{\"name\":\"LA-VLESS\"}'"

Restart Services

# Restart OpenClash
ssh [email protected] "/etc/init.d/openclash restart"

# Restart LA VPS
ssh -p 22222 [email protected] "cd /root/proxy-stack && docker compose restart"

Test Connectivity

# From WiFi client (should return 168.148.92.254)
curl https://ipinfo.io/ip

# From router (test proxy latency)
ssh [email protected] "time curl -s https://www.google.com/generate_204"
# Expected: ~0.9 seconds (LA-VMess)

File Locations

Router (192.168.192.77)

/etc/openclash/
├── vmiss_lahk_dual.yaml                           ← Active config (6.5K)
├── vmiss_lahk_dual.yaml.backup_20260114_213518    ← Pre-Loyalsoldier backup
├── vmiss_direct.yaml                               ← Old config (obsolete)
├── vmiss_multiprotocol.yaml                        ← Old config (obsolete)
└── ruleset/                                        ← Loyalsoldier rules (345K+ entries)
    ├── reject.yaml (3.5 MB)
    ├── direct.yaml (2.3 MB)
    ├── proxy.yaml (595 KB)
    ├── cncidr.yaml (197 KB)
    ├── apple.yaml, google.yaml, icloud.yaml
    ├── private.yaml, telegramcidr.yaml
    └── (9 rule sets total)

/tmp/
└── openclash.log                                   ← Live traffic log

/root/
└── maintenance_log                                 ← Operations history

LA VPS (vmiss.ata.lol)

/root/proxy-stack/
├── docker-compose.yml
├── README.md
├── xray/config.json                                ← VLESS + VMess
└── caddy/Caddyfile                                 ← TLS termination

Maintenance

Weekly: Update Loyalsoldier Rules

ssh [email protected]
cd /etc/openclash/ruleset

# Download latest rules
wget -q -O reject.yaml https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt
wget -q -O proxy.yaml https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt
wget -q -O direct.yaml https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt
wget -q -O cncidr.yaml https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt
wget -q -O apple.yaml https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/apple.txt
wget -q -O google.yaml https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/google.txt
wget -q -O icloud.yaml https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/icloud.txt
wget -q -O private.yaml https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt
wget -q -O telegramcidr.yaml https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/telegramcidr.txt

# Restart OpenClash
/etc/init.d/openclash restart

echo "$(date): Updated Loyalsoldier rules" >> /root/maintenance_log
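
The commands above write each download straight over the live rule file, so a failed or truncated transfer leaves a broken rule set in place before the restart. The script below is an added example, not part of the original reference: it stages and validates all nine files first. The file name `update-rules.sh`, the helper names and the `payload:` validity check are assumptions made for this example.

```shell
#!/bin/sh
# Added example: stage, validate, then swap in the Loyalsoldier rule files.
BASE_URL="https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release"
RULE_DIR="${RULE_DIR:-/etc/openclash/ruleset}"
RULES="reject proxy direct cncidr apple google icloud private telegramcidr"

# Assumption: a usable rule file is non-empty, starts with "payload:" and
# carries at least one "- " list entry. An HTML error page or a truncated
# download fails this check.
valid_ruleset() {
    [ -s "$1" ] || return 1
    [ "$(head -n 1 "$1" | tr -d '\r')" = "payload:" ] || return 1
    grep -q '^[[:space:]]*- ' "$1"
}

# Download all nine files into a staging directory on the same filesystem.
# The live files are replaced only after every download has passed.
update_rules() {
    stage=$(mktemp -d "$RULE_DIR/.stage.XXXXXX") || return 1
    for name in $RULES; do
        if ! wget -q -O "$stage/$name.yaml" "$BASE_URL/$name.txt" ||
           ! valid_ruleset "$stage/$name.yaml"; then
            echo "update aborted: $name failed download or validation" >&2
            rm -rf "$stage"
            return 1
        fi
    done
    for name in $RULES; do
        mv "$stage/$name.yaml" "$RULE_DIR/$name.yaml"   # same-filesystem rename
    done
    rmdir "$stage"
}

# Usage on the router: sh update-rules.sh apply
if [ "${1:-}" = "apply" ]; then
    update_rules &&
        /etc/init.d/openclash restart &&
        echo "$(date): Updated Loyalsoldier rules" >> /root/maintenance_log
fi
```

Staging inside the rule directory keeps the final `mv` a same-filesystem rename, at the cost of needing free space for a second copy of the rule files during the update.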

Daily: Monitor Logs

ssh [email protected] "tail -50 /tmp/openclash.log"

# Look for:
# - Client IPs appearing (confirms traffic interception)
# - "match Match using Proxy[LA-VMess]" (catchall working)
# - "match RuleSet(...)" (rule providers working)
# - No repeated errors
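
The checklist above can be turned into a single pass over the log. The script below is an added example, not part of the original reference: the sample lines are constructed, the timestamp/level/msg layout is an assumption, and "repeated" is taken to mean the same warning or error message appearing three or more times.

```shell
#!/bin/sh
# Added example: summarise an OpenClash log against the checklist above.

# Constructed sample lines; the timestamp/level/msg layout is an assumption.
sample_log() {
    cat <<'EOF'
2026-01-15 09:00:01 level=info msg="[TCP] 192.168.0.23:51234 --> www.google.com:443 match RuleSet(google) using Google[LA-VMess]"
2026-01-15 09:00:02 level=info msg="[TCP] 192.168.188.7:40112 --> unlisted.example:443 match Match using Proxy[LA-VMess]"
2026-01-15 09:00:03 level=info msg="[TCP] 192.168.0.23:51240 --> www.baidu.com:443 match RuleSet(direct) using China[DIRECT]"
2026-01-15 09:00:10 level=warning msg="constructed: health check failed for LA-VMess"
2026-01-15 09:00:40 level=warning msg="constructed: health check failed for LA-VMess"
2026-01-15 09:01:10 level=warning msg="constructed: health check failed for LA-VMess"
EOF
}

# Reads a log on stdin, prints one summary line, returns 0 only when healthy.
# "Repeated" means the same warning/error message seen 3 or more times
# (threshold chosen for this example).
triage_log() {
    awk '
        /192\.168\.(0|188)\.[0-9]+:[0-9]+ -->/ { clients++ }
        /match Match using Proxy\[LA-VMess\]/  { catchall++ }
        /match RuleSet\(/                      { rulesets++ }
        /level=(error|warning)/ && match($0, /msg=.*/) {
            if (++seen[substr($0, RSTART)] == 3) repeated++
        }
        END {
            ok = (clients > 0 && catchall > 0 && rulesets > 0 && repeated == 0)
            printf "clients=%d catchall=%d rulesets=%d repeated_errors=%d %s\n",
                   clients, catchall, rulesets, repeated, (ok ? "OK" : "CHECK")
            exit !ok
        }'
}

# Live use: ssh <router> "tail -50 /tmp/openclash.log" | triage_log
sample_log | triage_log || echo "log needs review"
```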

Monthly: Performance Check

# Quick latency test
ssh [email protected] "time curl -s https://www.google.com/generate_204"
# Expected: ~0.9s (LA-VMess)

# Check VPS services
ssh -p 22222 [email protected] "cd /root/proxy-stack && docker compose ps"
# Expected: All "Up"

Troubleshooting

Issue: Client External IP Wrong

Test:

# From WiFi client
curl https://ipinfo.io/ip
# Expected: 168.148.92.254

If different IP returned:

  1. Check if client IP appears in router logs:

     ssh [email protected] "tail -f /tmp/openclash.log | grep 192.168.0.XXX"

  2. If no logs: Traffic bypassing OpenClash, restart router
  3. If logs present but wrong IP: Check StarVPN status

Issue: Slow Performance (>2000ms HTTPS)

Test:

ssh [email protected] "curl -w '%{time_total}\n' -o /dev/null -s https://www.google.com/generate_204"

Diagnosis:

  • 900-1500ms: Normal (LA-VMess)
  • >2000ms: Problem (check StarVPN or VPS)

Resolution:

  1. Check current proxy: curl -s http://127.0.0.1:9090/proxies/Proxy | grep "now"
  2. Ensure LA-VMess is selected
  3. Check VPS services running
  4. Test StarVPN directly: curl --socks5 proxy.starzone.io:51313 https://google.com

Issue: Sites Not Loading

Diagnosis:

# Check if OpenClash is running
ssh [email protected] "/etc/init.d/openclash status"

# Check if rules loaded
ssh [email protected] "curl -s http://127.0.0.1:9090/providers/rules | head -c 500"

Resolution:

  1. Restart OpenClash: /etc/init.d/openclash restart
  2. If still failing, restore backup:

cp /etc/openclash/vmiss_lahk_dual.yaml.backup_20260114_213518 \
   /etc/openclash/vmiss_lahk_dual.yaml
/etc/init.d/openclash restart

Issue: VPS Services Down

Check status:

ssh -p 22222 [email protected] "cd /root/proxy-stack && docker compose ps"

Restart if needed:

ssh -p 22222 [email protected] "cd /root/proxy-stack && docker compose restart"

Issue: Proxies Show alive=false

Symptoms: Health checks failing, TLS handshake errors

Check Xray logs for mux errors:

ssh -p 22222 [email protected] "cd /root/proxy-stack && docker compose logs --tail=50 xray"
# Look for: "common/mux: failed to fetch all input > io: read/write on closed pipe"

Resolution:

  1. Verify mux is disabled in /root/proxy-stack/xray/config.json
  2. Should have: "mux": {"enabled": false}
  3. If mux is enabled, disable it and restart Xray
  4. Note: Clash client is incompatible with Xray mux over SOCKS5 backend


Configuration Details

Credentials (Shared)

  • UUID: ba684106-2b2d-49bf-8e6f-66f5d0bde5c2
  • StarVPN SOCKS5: proxy.starzone.io:51313
  • Exit IP: 168.148.92.254
  • VPS SSH Port: 22222

Protocols (LA VPS)

  • VMess: Port 10001, path /vmess
  • VLESS: Port 10002, path /vless
  • Transport: WebSocket over TLS (port 443)
  • Mux: DISABLED (incompatible with Clash client)

DNS Configuration

  • Mode: fake-ip (198.18.0.1/16)
  • Primary: 223.5.5.5, 119.29.29.29, 114.114.114.114
  • Fallback: 8.8.8.8:853 (TLS), 1.1.1.1:853 (TLS)

Performance Baselines

LA-VMess

  • HTTPS latency: 906ms
  • HTTP latency: 411-536ms
  • Download speed: 4.71 MB/s
  • VPS → StarVPN: 79ms

Custom Routing Examples

Edit /etc/openclash/vmiss_lahk_dual.yaml on router:

Force Specific Domain Through Proxy

rules:
  # ... existing rules ...

  # Custom: Force domain through proxy
  - DOMAIN-SUFFIX,example.com,Proxy

  # Must be last
  - MATCH,Proxy

Force Steam Direct (Faster Downloads)

rules:
  # ... existing rules ...

  # Custom: Steam downloads direct
  - DOMAIN-SUFFIX,steampowered.com,DIRECT
  - DOMAIN-SUFFIX,steamcontent.com,DIRECT

  # Must be last
  - MATCH,Proxy

Block Specific Domain

rules:
  # ... existing rules ...

  # Custom: Block domain
  - DOMAIN-SUFFIX,unwanted-site.com,REJECT

  # Must be last
  - MATCH,Proxy

After editing:

ssh [email protected] "/etc/init.d/openclash restart"
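
Clash evaluates rules top to bottom and stops at the first match, so where a custom rule sits relative to the existing rules decides whether it ever fires. The script below is an added example, not part of the original reference: the `route` function is a hypothetical, simplified evaluator covering only DOMAIN-SUFFIX and MATCH, and the rule lists and host names are constructed.

```shell
#!/bin/sh
# Added example: first-match evaluation of Clash-style rules (constructed data).

# route HOST RULES: print the target of the first rule that matches HOST.
route() {
    host=$1
    while IFS=, read -r type arg target; do
        type=${type##*- }               # drop the YAML "  - " list prefix
        case $type in
            DOMAIN-SUFFIX)
                case $host in
                    "$arg"|*."$arg") echo "$target"; return 0 ;;
                esac ;;
            MATCH)                      # catch-all: "MATCH,<target>"
                echo "$arg"; return 0 ;;
        esac
    done <<EOF
$2
EOF
    echo "UNMATCHED"                    # no rule decided this connection
    return 1
}

# Constructed stand-in for an entry of the proxy rule set, with a custom rule
# appended below it as in the snippets above.
APPENDED='  - DOMAIN-SUFFIX,example.net,Proxy
  - DOMAIN-SUFFIX,cdn.example.net,DIRECT
  - MATCH,Proxy'

# Same rules with the custom, more specific rule moved above the broad one.
CUSTOM_FIRST='  - DOMAIN-SUFFIX,cdn.example.net,DIRECT
  - DOMAIN-SUFFIX,example.net,Proxy
  - MATCH,Proxy'

# The rule list with the final MATCH line missing.
NO_CATCHALL='  - DOMAIN-SUFFIX,example.net,Proxy'

for rules in "$APPENDED" "$CUSTOM_FIRST" "$NO_CATCHALL"; do
    printf '%s / %s\n' "$(route dl.cdn.example.net "$rules")" \
                       "$(route unlisted.test "$rules")"
done
```

In the first list the custom DIRECT rule is shadowed by the broader suffix above it, and in the last list an unlisted host is never handed to the Proxy group.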


Success Indicators

Healthy System

✅ OpenClash service running
✅ Clash process active
✅ Client IPs visible in logs
✅ HTTPS latency 900-1500ms
✅ Download speed ~4.7 MB/s
✅ External IP shows 168.148.92.254
✅ VPS services all "Up"
✅ 345,000+ rules loaded

Problems

❌ OpenClash service stopped
❌ No client IPs in logs (traffic bypassing)
❌ HTTPS latency >2000ms
❌ Download speed <2 MB/s
❌ External IP not 168.148.92.254
❌ VPS services "Restarting" or "Exit"
❌ Frequent connection timeouts


Implementation History

Jan 14, 2026 - VPS Setup

  • Deployed LA VPS with Xray + Caddy
  • Configured VLESS + VMess protocols
  • Connected to StarVPN SOCKS5 backend
  • Set LA-VMess as primary

Jan 14, 2026 - Loyalsoldier Implementation

  • Problem: On WiFi clients only the App Store worked; everything else failed
  • Root cause: No comprehensive routing rules, traffic bypassing proxy
  • Solution: Implemented Loyalsoldier rule sets (345,000+ rules)
  • Critical fix: Added MATCH,Proxy catchall rule
  • Result: 100% traffic routing success, all clients working

Jan 15, 2026 - Documentation Cleanup

  • Consolidated 17 MD files into single reference
  • Removed obsolete configs and test scripts
  • Streamlined maintenance documentation
  • Created this master reference document

Jan 15, 2026 - Mux Incompatibility Fix (CRITICAL)

  • Problem: All proxies showing alive=false, TLS handshake failures
  • Symptoms: Router and WiFi clients could not access GitHub/YouTube
  • Root cause: Xray mux enabled on VPS incompatible with Clash client
  • Error pattern: common/mux: failed to fetch all input > io: read/write on closed pipe
  • Solution: Disabled mux in Xray outbound config on LA VPS
  • Result: All proxies now working, health checks passing, full connectivity restored
  • Lesson: Clash → Xray → SOCKS5 chain works WITHOUT mux enabled

Jan 15, 2026 - Removed HK Endpoints

  • Removed HK-VMess and HK-VLESS from router configuration
  • Simplified to LA-only setup (LA-VMess primary, LA-VLESS backup)
  • Updated all documentation to reflect single-VPS architecture
  • Result: Cleaner config, easier maintenance

Quick Start (New AI Agent)

  1. Read this file - Complete system overview
  2. Check status: ssh [email protected] "/etc/init.d/openclash status"
  3. Verify proxy: Should be LA-VMess (primary)
  4. Monitor logs: Watch for client IPs and proper routing
  5. Reference: See troubleshooting section for common issues

System Status: ✅ PRODUCTION READY
Active Configuration: Loyalsoldier + LA-VMess (single VPS)
Last Verified: 2026-01-15
Next Review: Weekly rule update recommended