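The page your friends receive (view demo)
Get a secure internet connection in three steps
You need a VPS (a $5/month server) and a terminal on your laptop. Meridian handles the rest.
curl -sSf https://getmeridian.org/install.sh | bash
meridian deploy
The wizard asks for your server IP and handles the rest. Or pass the arguments directly; see the CLI reference.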
Build your command
Configure parameters interactively and copy the full command. All Meridian CLI operations are supported.
Deploy VLESS+Reality proxy. Configures Docker, Xray, firewall, and TLS automatically.
meridian scan for optimal targets.
meridian deploy
meridian deploy — the interactive wizard guides you through everything.
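Why censors can't detect it
Traditional VPNs have distinctive traffic signatures. VLESS+Reality is indistinguishable from normal web browsing.
Deep packet inspection (DPI)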
DPI analyzes traffic patterns to identify proxy protocols. VPNs like OpenVPN and WireGuard have distinctive packet signatures that are trivial to block.
VLESS+Reality produces traffic byte-for-byte identical to a normal HTTPS connection. No headers, no patterns, no packet sizes that distinguish it from regular web browsing.
Active probing
Censors connect to suspicious servers and try to fingerprint them. If a server responds differently than the website it claims to be, it gets blocked.
Reality uses the TLS certificate from a real website (e.g., microsoft.com). When a probe connects, your server completes the handshake using Microsoft's actual certificate. The probe sees a legitimate server. Only clients with your private key get the proxy tunnel.
TLS fingerprinting
Every TLS client sends a unique "Client Hello" fingerprint. Censors flag connections where the fingerprint doesn't match the claimed application.
Meridian uses uTLS to impersonate Chrome's exact TLS fingerprint — the same one used by billions of devices. Your traffic is indistinguishable from someone browsing the web with Chrome.
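Scan and connect
After deployment, you get a connection page with a QR code. Send it to whoever needs it; they connect with one tap.
How it works
Standalone mode (no domain)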
nginx sits on port 443 and routes traffic by TLS SNI using its stream module. Reality connections route to Xray, while nginx's http module handles everything else — serving connection pages over HTTPS with a Let's Encrypt IP certificate (via acme.sh). XHTTP transport runs through nginx via path-based routing — no extra port exposed.
The 3x-ui panel is reverse-proxied by nginx on a secret path — accessible via HTTPS, no SSH tunnel needed.
Domain mode (CDN fallback)
Adds three components on top of standalone:
nginx stream inspects TLS SNI without terminating encryption. nginx http terminates TLS with Let's Encrypt certificates managed by acme.sh. VLESS+WSS provides a CDN fallback through Cloudflare — works even if your server's IP is blocked.
Relay mode (domestic entry point)
A lightweight Realm TCP forwarder on a domestic server relays port 443 to your exit server abroad. All protocols work through the relay with end-to-end encryption — the relay never sees your traffic.
Deploy with meridian relay deploy RELAY_IP. Client connection pages are automatically regenerated with relay routes.