Proxy to bypass G.F.W
前言
包含nginx 4层代理实现443端口共用
ssl证书
参考
https://yanyong.cc/post/certbot-cloudflare-letsencrypt/
安装nginx
| sudo apt -y install nginx libnginx-mod-stream
v2ray
config.json
// v2fly-core server config. The vmess inbound binds to loopback only: the
// public port and TLS are handled by the nginx server block below, which
// proxies /abcdefg to 127.0.0.1:16800. v2fly's loader accepts // comments,
// which this file already relies on.
{
"log": {
"loglevel": "warning"
},
"routing": {
"domainStrategy": "AsIs",
"rules": [
{
// Connections towards private address ranges are sent to the "block"
// outbound (blackhole) so a client cannot reach the host's internal network.
"type": "field",
"ip": [
"geoip:private"
],
"outboundTag": "block"
}
]
},
"inbounds": [
{
"port": 16800,
"listen": "127.0.0.1", // loopback only: reachable solely via nginx on this host
"protocol": "vmess",
"settings": {
"clients": [
{
"id": "uuiduuid-uuid-uuid-uuid-uuiduuiduuid" // placeholder: replace with a freshly generated UUID; this is the client credential
}
]
},
"streamSettings": {
"network": "ws",
"security": "none", // TLS is already terminated by nginx
"wsSettings": {
"path": "/abcdefg" // use something non-trivial to avoid probing; must match the nginx `location`
}
},
"sniffing": {
"enabled": false
},
"allocate": {
"strategy": "always" // NOTE(review): semantics not shown on this page — check the v2fly docs before changing
}
}
],
"outbounds": [
{
"protocol": "freedom", // direct connection to the destination
"tag": "direct"
},
{
"protocol": "blackhole", // target of the routing rule above
"tag": "block"
}
]
}
运行
| sudo docker run -d --name v2ray --network=host --restart=always -v /etc/v2ray/:/etc/v2ray/ -e TZ=Asia/Shanghai v2fly/v2fly-core:v4.45.2
nginx配置
# v2ray front end. This server is the "v2ray" upstream of the stream-level SNI
# map (127.0.0.1:20350), so it is only reached through the port-443 preread
# proxy on this host; it terminates TLS and passes the WebSocket stream to
# v2ray in plain text.
# NOTE(review): the stream proxy in sni.conf forwards without proxy_protocol,
# so $remote_addr and the access log here show 127.0.0.1 rather than the real
# client — keep that in mind when reading logs or limiting by address.
server {
listen 127.0.0.1:20350 ssl http2;
server_name v2ray.yanyong.cc;
# SSL
# certbot layout for yanyong.cc; chain.pem is what nginx uses to verify the
# OCSP response if stapling is enabled in the included snippets
ssl_certificate /etc/letsencrypt/live/yanyong.cc/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yanyong.cc/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/yanyong.cc/chain.pem;
# security
include nginxconfig.io/security.conf; # presumably an nginxconfig.io generator snippet — its contents are not shown on this page
# WebSocket reverse proxy
# The path must match "wsSettings.path" in v2ray's config.json; proxy.conf is
# expected to carry the Upgrade/Connection headers a WebSocket upgrade needs.
location /abcdefg {
proxy_pass http://127.0.0.1:16800; # v2ray's loopback vmess+ws inbound
include nginxconfig.io/proxy.conf;
}
# Everything else is redirected so the vhost looks like an ordinary site.
location / {
return 301 https://yanyong.cc;
}
# additional config
include nginxconfig.io/general.conf;
}
参考链接:
https://www.v2fly.org/
https://github.com/v2fly/v2ray-core
https://github.com/v2fly/v2ray-examples
https://hub.docker.com/r/v2fly/v2fly-core
xray
config.json
// Xray-core server config. Unlike the v2ray setup, xray terminates TLS itself:
// the stream SNI proxy sends xray.yanyong.cc to 127.0.0.1:20351 (first inbound),
// which falls back to either the web server on :80 or the internal WebSocket
// inbound on 16801 (second inbound). Xray's loader accepts // comments.
{
"log": {
"loglevel": "warning"
},
"routing": {
"domainStrategy": "AsIs",
"rules": [
{
// Connections towards private address ranges go to the "block" (blackhole)
// outbound so a client cannot reach the host's internal network.
"type": "field",
"ip": [
"geoip:private"
],
"outboundTag": "block"
}
]
},
"inbounds": [
{
// TLS-terminating inbound; the "xray" upstream of sni.conf.
"port": 20351,
"listen": "127.0.0.1",
"protocol": "vless",
"settings": {
"clients": [
{
"id": "uuiduuid-uuid-uuid-uuid-uuiduuiduuid", // fill in your UUID (placeholder; this is the client credential)
"level": 0,
"email": "[email protected]"
}
]
},
"decryption": "none",
"fallbacks": [
{
// Anything that is not VLESS is handed to the web server, so the port
// behaves like an ordinary HTTPS site.
"dest": 80
},
{
"path": "/abcdefg", // must be replaced with your own custom path
"dest": 16801,
"xver": 1 // PROXY protocol v1 is sent to 16801, hence acceptProxyProtocol below
}
]
},
"streamSettings": {
"network": "tcp",
"security": "tls",
"tlsSettings": {
"alpn": [
"http/1.1"
],
"certificates": [
{
// Same paths the certbot deploy hook (xray.sh) copies the files to.
"certificateFile": "/etc/xray/ssl/fullchain.pem", // replace with your certificate, absolute path
"keyFile": "/etc/xray/ssl/privkey.pem" // replace with your private key, absolute path
}
]
}
}
},
{
// Internal WebSocket inbound, reached only through the fallback above.
"port": 16801,
"listen": "127.0.0.1",
"protocol": "vless",
"settings": {
"clients": [
{
"id": "uuiduuid-uuid-uuid-uuid-uuiduuiduuid", // fill in your UUID (placeholder)
"level": 0,
"email": "[email protected]"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "ws",
"security": "none",
"wsSettings": {
"acceptProxyProtocol": true, // reminder: if nginx/Caddy etc. reverse-proxies this WS inbound instead, remove this line
"path": "/abcdefg" // must be replaced with your own path; must match the fallback above
}
}
}
],
"outbounds": [
{
"protocol": "freedom", // direct connection to the destination
"tag": "direct"
},
{
"protocol": "blackhole", // target of the routing rule above
"tag": "block"
}
]
}
运行
| sudo docker run -d --name xray --network=host --restart=always -v /etc/xray:/etc/xray -e TZ=Asia/Shanghai ghcr.io/xtls/xray-core:25.3.6
自动更新证书,编辑/etc/letsencrypt/renewal-hooks/deploy/xray.sh
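#!/bin/bash
# certbot deploy hook: copy the renewed Let's Encrypt key pair for yanyong.cc
# into the directory bind-mounted into the xray container (/etc/xray), then
# restart the container so xray picks up the new files.
# Abort on any failure so certbot reports the hook as failed instead of
# restarting xray with stale or missing files.
set -eu
# Create everything owner-only from the start: with the default umask the
# private key would be world-readable between the cp and the chmod below.
umask 077
mkdir -p /etc/xray/ssl
# Entries under live/ are symlinks; cp without -P copies the target contents.
cp /etc/letsencrypt/live/yanyong.cc/{privkey.pem,fullchain.pem} /etc/xray/ssl/
chmod 400 /etc/xray/ssl/*
docker restart xray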
参考链接:
https://xtls.github.io/
https://github.com/XTLS/Xray-core
https://github.com/XTLS/Xray-examples
镜像1:
https://github.com/xtls/Xray-core/pkgs/container/xray-core
镜像2:
https://hub.docker.com/r/teddysun/xray
trojan
config.json
| {
"run_type": "server",
"local_addr": "127.0.0.1",
"local_port": 20352,
"remote_addr": "127.0.0.1",
"remote_port": 80,
"password": [
"123456"
],
"log_level": 2,
"ssl": {
"cert": "/config/ssl/fullchain.pem",
"key": "/config/ssl/privkey.pem",
"key_password": "",
"cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
"cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
"prefer_server_cipher": true,
"alpn": [
"http/1.1"
],
"alpn_port_override": {
"h2": 81
},
"reuse_session": true,
"session_ticket": false,
"session_timeout": 600,
"plain_http_response": "",
"curves": "",
"dhparam": ""
},
"tcp": {
"prefer_ipv4": false,
"no_delay": true,
"keep_alive": true,
"reuse_port": false,
"fast_open": false,
"fast_open_qlen": 20
},
"mysql": {
"enabled": false,
"server_addr": "127.0.0.1",
"server_port": 3306,
"database": "trojan",
"username": "trojan",
"password": "",
"key": "",
"cert": "",
"ca": ""
}
}
运行
latest版本其实就是v1.16.0版本,docker仓库没有v1.16.0的tag,v1.16.0是目前最后一个版本,上一次更新时间是2020.6.10
| sudo docker run -d --name trojan --network=host --restart=always -v /etc/trojan:/config trojangfw/trojan
自动更新证书,编辑/etc/letsencrypt/renewal-hooks/deploy/trojan.sh
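#!/bin/bash
# certbot deploy hook: copy the renewed Let's Encrypt key pair for yanyong.cc
# into /etc/trojan/ssl, which the container sees as /config/ssl (the paths in
# its config.json), then restart the container so trojan reloads the files.
# Abort on any failure so certbot reports the hook as failed instead of
# restarting trojan with stale or missing files.
set -eu
# Create everything owner-only from the start: with the default umask the
# private key would be world-readable between the cp and the chmod below.
umask 077
mkdir -p /etc/trojan/ssl
# Entries under live/ are symlinks; cp without -P copies the target contents.
cp /etc/letsencrypt/live/yanyong.cc/{privkey.pem,fullchain.pem} /etc/trojan/ssl/
chmod 400 /etc/trojan/ssl/*
docker restart trojan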
参考链接:
https://trojan-gfw.github.io/trojan/
https://github.com/trojan-gfw/trojan
https://github.com/trojan-gfw/trojan/tree/master/examples
https://hub.docker.com/r/trojangfw/trojan
trojan-go
config.json
| {
"run_type": "server",
"local_addr": "127.0.0.1",
"local_port": 20353,
"remote_addr": "127.0.0.1",
"remote_port": 80,
"log_level": 2,
"password": [
"123456"
],
"ssl": {
"cert": "/etc/trojan-go/ssl/fullchain.pem",
"key": "/etc/trojan-go/ssl/privkey.pem"
},
"router": {
"enabled": true,
"block": [
"geoip:private"
]
},
"websocket": {
"enabled": true,
"path": "/abcdefg"
}
}
运行
v0.10.6,上一次更新时间是2021.9.14
| sudo docker run --name trojan-go -d -v /etc/trojan-go/:/etc/trojan-go --network=host --restart=always -e TZ=Asia/Shanghai p4gefau1t/trojan-go:v0.10.6
自动更新证书,编辑/etc/letsencrypt/renewal-hooks/deploy/trojan-go.sh
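#!/bin/bash
# certbot deploy hook: copy the renewed Let's Encrypt key pair for yanyong.cc
# into /etc/trojan-go/ssl (the "ssl" paths in trojan-go's config.json), then
# restart the container so trojan-go reloads the files.
# Abort on any failure so certbot reports the hook as failed instead of
# restarting trojan-go with stale or missing files.
set -eu
# Create everything owner-only from the start: with the default umask the
# private key would be world-readable between the cp and the chmod below.
umask 077
mkdir -p /etc/trojan-go/ssl
# Entries under live/ are symlinks; cp without -P copies the target contents.
cp /etc/letsencrypt/live/yanyong.cc/{privkey.pem,fullchain.pem} /etc/trojan-go/ssl/
chmod 400 /etc/trojan-go/ssl/*
docker restart trojan-go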
参考链接:
https://p4gefau1t.github.io/trojan-go/
https://github.com/p4gefau1t/trojan-go
https://github.com/p4gefau1t/trojan-go/tree/master/example
https://p4gefau1t.github.io/trojan-go/basic/full-config/
https://hub.docker.com/r/p4gefau1t/trojan-go
配置443端口共用
启用stream模块
| sudo ln -s /usr/share/nginx/modules-available/mod-stream.conf /etc/nginx/modules-enabled/mod-stream.conf
编辑nginx.conf中添加以下内容
# Top-level stream (layer-4) context in nginx.conf; the SNI proxy for the
# shared port 443 lives in /etc/nginx/stream.d/sni.conf.
stream {
include /etc/nginx/stream.d/*.conf;
}
编辑/etc/nginx/stream.d/sni.conf
# Layer-4 demultiplexer for port 443: the TLS ClientHello is peeked at
# (ssl_preread) and the connection is forwarded unchanged, by SNI, to the
# loopback listener of the matching backend. TLS is terminated by each
# backend, not here, so nginx never holds the backends' private keys.
map $ssl_preread_server_name $backend_name {
v2ray.yanyong.cc v2ray;
xray.yanyong.cc xray;
trojan.yanyong.cc trojan;
trojan-go.yanyong.cc trojan-go;
# NOTE(review): "web" is the plain HTTP listener on :80, so any other SNI (and
# clients sending no SNI) gets raw TLS bytes delivered to an HTTP server and
# the handshake fails — confirm this is intended, otherwise point the default
# at a TLS-terminating server block.
default web;
}
upstream v2ray {
server 127.0.0.1:20350; # nginx http server block (TLS + ws) in front of v2ray
}
upstream xray {
server 127.0.0.1:20351; # xray's TLS-terminating VLESS inbound
}
upstream trojan {
server 127.0.0.1:20352; # trojan local_port
}
upstream trojan-go {
server 127.0.0.1:20353; # trojan-go local_port
}
upstream web {
server 127.0.0.1:80;
}
server {
# This must be the only listener on 443 on this host (no http-level "listen 443").
listen 443 reuseport;
proxy_pass $backend_name;
ssl_preread on; # required for $ssl_preread_server_name to be populated
}
建议
如何选择:安全性 > 稳定性 > 速度
https://www.chengxiaobai.com/essays/v2ray-trojan-xray
不建议开启mux,不一定会提高网速有可能反而更慢
https://p4gefau1t.github.io/trojan-go/advance/mux/
https://www.v2fly.org/config/outbounds.html#muxobject
不建议开启tcp fast open,更容易被识别?
https://github.com/trojan-gfw/trojan/issues/388
参考链接:
http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html
https://www.chengxiaobai.com/trouble-maker/trojan-shared-443-port-scheme#more
IKEv2
此次安装版本为5.9.8
| $ apt-cache madison charon-systemd
charon-systemd | 5.9.8-5+deb12u1 | http://deb.debian.org/debian bookworm/main amd64 Packages
charon-systemd | 5.9.8-5+deb12u1 | http://security.debian.org/debian-security bookworm-security/main amd64 Packages
strongswan | 5.9.8-5+deb12u1 | http://deb.debian.org/debian bookworm/main Sources
strongswan | 5.9.8-5+deb12u1 | http://security.debian.org/debian-security bookworm-security/main Sources
安装charon-systemd
| sudo apt -y install charon-systemd libstrongswan-extra-plugins libcharon-extra-plugins
配置nginx,用于webroot模式获取证书
# Plain-HTTP vhost whose only job is to serve the ACME HTTP-01 challenge files
# that certbot writes under /srv/www/_letsencrypt (see the certbot --webroot
# command below). Nothing else is served for this name on port 80.
server {
listen 80;
server_name strongswan.yanyong.cc;
location ^~ /.well-known/acme-challenge/ {
root /srv/www/_letsencrypt;
}
}
获取ssl证书
# Obtain (not install) a certificate for the strongSwan host via the HTTP-01
# webroot challenge served from /srv/www/_letsencrypt by the nginx vhost above.
# An RSA key is requested explicitly; nginx is reloaded after every deploy.
# The scripts in /etc/letsencrypt/renewal-hooks/deploy/ run on renewal as well.
sudo certbot certonly \
--webroot --webroot-path /srv/www/_letsencrypt \
--domain strongswan.yanyong.cc \
--key-type rsa \
--email [email protected] \
--agree-tos --no-eff-email \
--deploy-hook 'systemctl reload nginx'
自动更新证书,编辑/etc/letsencrypt/renewal-hooks/deploy/strongswan.sh
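#!/bin/bash
# certbot deploy hook: place the renewed certificate, issuer chain and private
# key into the swanctl directories referenced by strongswan.conf
# (x509/cert.pem, x509ca/chain.pem, private/privkey.pem) and reload them.
# Abort on any failure so certbot reports the hook as failed instead of
# reloading strongSwan with a partially updated set of files.
set -eu
# Copy owner-only from the start: with the default umask the private key
# would be world-readable between the cp and the chmod below.
umask 077
# Entries under live/ are symlinks; cp without -P copies the target contents.
cp /etc/letsencrypt/live/strongswan.yanyong.cc/cert.pem /etc/swanctl/x509/
cp /etc/letsencrypt/live/strongswan.yanyong.cc/chain.pem /etc/swanctl/x509ca/
cp /etc/letsencrypt/live/strongswan.yanyong.cc/privkey.pem /etc/swanctl/private/
chmod 400 /etc/swanctl/x509/cert.pem
chmod 400 /etc/swanctl/x509ca/chain.pem
chmod 400 /etc/swanctl/private/privkey.pem
swanctl --load-all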
编辑/etc/swanctl/conf.d/strongswan.conf
# swanctl configuration for an IKEv2 road-warrior VPN: the server authenticates
# with the Let's Encrypt certificate copied in by the deploy hook, clients
# authenticate with EAP-MSCHAPv2 username/password.
authorities {
letsencrypt {
# chain.pem as copied to /etc/swanctl/x509ca/ by the deploy hook
cacert = chain.pem
}
}
connections {
ikev2-eap-mschapv2 {
version = 2
# NOTE(review): modp1024 (DH group 2) is included for old-client compatibility
# but is a weak group; drop it if no client actually needs it.
proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,aes256-sha384-modp2048-modp1024,default
# NOTE(review): 0s turns IKE rekeying off here — confirm that is intended.
rekey_time = 0s
# virtual IP pool defined in the pools section below
pools = primary-pool-ipv4
fragmentation = yes
dpd_delay = 30s
# dpd_timeout doesn't do anything for IKEv2. The general IKEv2 packet timeouts are used.
send_cert = always
# NOTE(review): never = several simultaneous SAs with the same identity are allowed — confirm intended.
unique = never
local-1 {
# cert.pem as copied to /etc/swanctl/x509/ by the deploy hook
certs = cert.pem
# must match the certificate's subject/SAN
id = strongswan.yanyong.cc
}
remote-1 {
auth = eap-mschapv2
# go ask the client for its eap identity.
eap_id = %any
}
children {
ikev2-eap-mschapv2 {
# full tunnel: all client traffic is routed through the VPN
local_ts = 0.0.0.0/0
rekey_time = 0s
dpd_action = clear
esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
}
}
}
}
pools {
primary-pool-ipv4 {
# same range the iptables NAT/FORWARD rules below refer to
addrs = 172.16.255.0/24
dns = 1.1.1.1, 8.8.8.8
}
}
secrets {
# placeholder EAP credentials — replace with real per-user entries
eap-carol {
id = carol
secret = "carolspassword"
}
}
重载配置
| sudo swanctl --load-all
常用命令
# Service state and the daemon's journal (IKE negotiation errors show up here).
sudo systemctl status strongswan
sudo journalctl -u strongswan
编辑/etc/sysctl.d/strongswan.conf
# Required so the host forwards the VPN clients' traffic (172.16.255.0/24) out
# to the internet; the iptables FORWARD/NAT rules below rely on it.
net.ipv4.ip_forward=1
# Disable path-MTU discovery; goes together with the TCP MSS clamp in the
# mangle rules below.
net.ipv4.ip_no_pmtu_disc=1
生效配置
| sudo sysctl -p /etc/sysctl.d/strongswan.conf
配置iptables
打开ssh、http、https等端口
# Baseline INPUT rules. Order matters: they are appended, and they must all be
# in place before the default policy is switched to DROP further down.
# replies to connections the host itself initiated
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): the saved rules.v4 later on this page opens tcp/23422 instead of
# 22 — confirm the real sshd port before switching the policy to DROP, or the
# session is locked out.
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
# ping
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# nginx: ACME webroot on 80, the shared SNI proxy on 443
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
strongswan部分
# strongSwan rules. 172.16.255.0/24 is the virtual-IP pool from
# swanctl's strongswan.conf; "eth0" is the public interface — replace it if the
# host names its interface differently.
# IKE & MobIKE
sudo iptables -A INPUT -p udp --dport 500 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -m conntrack --ctstate NEW -j ACCEPT
# NAT
# Traffic still under an IPsec policy is exempted from NAT (first rule) so it
# is not rewritten before encapsulation; everything else from the pool is
# masqueraded behind the host's address.
sudo iptables -t nat -A POSTROUTING -s 172.16.255.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 172.16.255.0/24 -o eth0 -j MASQUERADE
# MTU/MSS
# Clamp TCP MSS on SYNs to 1360 so tunnelled TCP fits into the ESP overhead.
sudo iptables -t mangle -A FORWARD -s 172.16.255.0/24 -o eth0 -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
sudo iptables -t mangle -A FORWARD -s 172.16.255.0/24 -o eth0 -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
# forward ESP-tunneled traffic
sudo iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 172.16.255.0/24 -j ACCEPT
sudo iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 172.16.255.0/24 -j ACCEPT
默认DROP
# Switch the default policies to DROP only after the ACCEPT rules above are in
# place; OUTPUT stays ACCEPT. This is IPv4 only — ip6tables is not touched
# anywhere on this page.
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
安装iptables-persistent
# Pre-answer the package's debconf prompts: save the current IPv4 rules at
# install time, do not save IPv6.
echo 'iptables-persistent iptables-persistent/autosave_v4 boolean true' | sudo debconf-set-selections
echo 'iptables-persistent iptables-persistent/autosave_v6 boolean false' | sudo debconf-set-selections
sudo apt -y install iptables-persistent
# Write the rules currently loaded in the kernel to /etc/iptables/rules.v4.
sudo netfilter-persistent save
# NOTE(review): with no rules.v6, IPv6 is left at its default ACCEPT policy; if
# the host has a public IPv6 address the INPUT DROP above does not cover it.
sudo rm /etc/iptables/rules.v6
编辑/etc/iptables/rules.v4
# iptables-restore format (as written by netfilter-persistent save), one table
# per *name ... COMMIT section. 172.16.255.0/24 is the strongSwan virtual-IP
# pool; eth0 is the public interface.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# TCP MSS clamp for tunnelled traffic (see the interactive rules above)
-A FORWARD -s 172.16.255.0/24 -o eth0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A FORWARD -s 172.16.255.0/24 -o eth0 -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
*filter
# default-deny inbound and forwarded traffic; outbound unrestricted
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# NOTE(review): the interactive commands earlier on this page open tcp/22, this
# file opens 23422 — make sure it matches the port sshd actually listens on
# before this file is restored at boot.
-A INPUT -p tcp -m tcp --dport 23422 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ICMP type 8 = echo-request (ping)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# nginx: ACME webroot on 80, shared SNI proxy on 443
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# IKE and NAT-T/MobIKE
-A INPUT -p udp -m udp --dport 500 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -m conntrack --ctstate NEW -j ACCEPT
# only ESP-tunnelled traffic from/to the VPN pool may be forwarded
-A FORWARD -s 172.16.255.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 172.16.255.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# traffic still under an IPsec policy is exempted from NAT; the rest of the
# pool is masqueraded behind the host's address
-A POSTROUTING -s 172.16.255.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.16.255.0/24 -o eth0 -j MASQUERADE
COMMIT
参考链接:
https://github.com/strongswan/strongswan
https://docs.strongswan.org/docs/5.9/index.html
https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html
https://docs.strongswan.org/docs/5.9/swanctl/swanctlDir.html
https://docs.strongswan.org/docs/5.9/howtos/forwarding.html
https://docs.strongswan.org/docs/5.9/features/mobike.html
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04#step-6-configuring-the-firewall-kernel-ip-forwarding
https://github.com/strongswan/strongswan/blob/master/testing/tests/ha/both-active/hosts/alice/etc/iptables.rules
https://lists.strongswan.org/pipermail/users/2015-November/008999.html