Bypassing the Great Firewall (科学上网)

From the Linux China (linux中国网) wiki

The latest new firewall-bypassing tool: gost. Ignoring v2ray for now.

0. Pending improvements

Need to use a CDN. Done Sep 2023.

https://github.com/haoel/haoel.github.io

On choosing the best IP: you can manually edit the local hosts file to point at the best IP.

Hysteria 2.0 lets a cheap VPS outperform a high-end "airport" (commercial proxy service)

1. Set up the Docker service

1. Docker install for Debian 11 on an Azure free-tier VM

https://docs.docker.com/engine/install/debian/

sudo apt-get update
sudo apt-get install ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

# Add the repository to Apt sources:
echo \
  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update


sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin


2. Enable the TCP BBR congestion control algorithm

Enable TCP BBR congestion control:
sudo modprobe tcp_bbr
echo "tcp_bbr" | sudo tee --append /etc/modules-load.d/modules.conf

echo "net.core.default_qdisc=fq" | sudo tee --append /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee --append /etc/sysctl.conf

Save and apply:
sudo sysctl -p

Run:

sysctl net.ipv4.tcp_available_congestion_control
sysctl net.ipv4.tcp_congestion_control

If both results contain bbr, your kernel has BBR enabled.

Run lsmod | grep bbr; if the tcp_bbr module is listed, BBR is running.

3. Generate the certificate

Renewal log: Sep 2023; renewed Mar 10 and Jun 11, 2024; Sep 10, 2024

3. Request a domain name and certificate
Create a subdomain on Cloudflare and point it at your VPS's IP (note: do not enable Cloudflare's Proxy mode).
Finally, use Let's Encrypt to sign a certificate. To use a Let's Encrypt certificate you need certbot installed on the server: go to https://certbot.eff.org/instructions, choose your web server and operating system, and follow the instructions.

Next, request a certificate (we use the standalone method; you will be asked for your e-mail address and the domain that resolves to the VPS):
On the gost VM:


2024 Oct
sudo apt install python3 python3-venv libaugeas0
apt install nginx
systemctl stop nginx
sudo certbot certonly --standalone --register-unsafely-without-email
ls


Remember to open port 443 in the firewall.

apt install snapd
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot --nginx

# Renewal 2024: stop nginx and gost first; at the end stop nginx again (it may have to be killed), then start gost. That works too, or see automatic certificate renewal below.
# Renew Sep 2024
/usr/bin/certbot renew --force-renewal

root@Azure-Free-VM:~# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): a.linuxsa.org 
Requesting a certificate for p.linuxsa.org

Successfully received certificate.

nginx is really only used to generate the certificate.
# This doesn't work, because nginx has to be killed first
# m h  dom mon dow   command
0 0 1 */2 * /usr/bin/certbot renew --force-renewal
5 0 1 * * /usr/bin/docker restart gost


https://wiki.linuxchina.net/index.php/Nginx%E5%AE%89%E8%A3%85Let%E2%80%99s_Encrypt%E5%85%8D%E8%B4%B9SSL%E8%AF%81%E4%B9%A6

sudo certbot certonly --standalone

4. GOST

Push to your own Docker Hub:
docker push evan886/gost:tagname


vi /var/www/html/index.html

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>


## Traffic disguise and probe resistance over HTTPS. For use with a CDN see the next script (--mwss)
#!/bin/bash

# Change the four parameters below to your own values
DOMAIN="YOU.DOMAIN.NAME"
USER="username"
PASS="password"
PORT=443

BIND_IP=0.0.0.0
CERT_DIR=/etc/letsencrypt
CERT=${CERT_DIR}/live/${DOMAIN}/fullchain.pem
KEY=${CERT_DIR}/live/${DOMAIN}/privkey.pem
sudo docker run -d --name gost \
    -v ${CERT_DIR}:${CERT_DIR}:ro \
    --net=host ginuerzh/gost \
    -L "http2://${USER}:${PASS}@${BIND_IP}:${PORT}?cert=${CERT}&key=${KEY}&probe_resist=file:/var/www/html/index.html&knock=www.google.com"






# Written as a script, Sep 2023, CDN used
## gost
Stop nginx before running this:
systemctl stop nginx.service

Remember to enable Proxy on Cloudflare.


#!/bin/bash

## Change the four parameters below to your own values
DOMAIN="a.linuxsa.org"
USER="abc"
PASS="abc"
PORT=443

BIND_IP=0.0.0.0
CERT_DIR=/etc/letsencrypt
CERT=${CERT_DIR}/live/${DOMAIN}/fullchain.pem
KEY=${CERT_DIR}/live/${DOMAIN}/privkey.pem
sudo docker run -d --name gost \
    -v ${CERT_DIR}:${CERT_DIR}:ro \
    --net=host ginuerzh/gost \
    -L "mwss://${USER}:${PASS}@${BIND_IP}:${PORT}?cert=${CERT}&key=${KEY}&probe_resist=file:/var/www/html/index.html&knock=www.google.com"



# Oct 2024, using the CDN
cat gost.sh
#!/bin/bash

## Change the four parameters below to your own values
DOMAIN="x.linuxsa.org"
USER="evan"
PASS="evan"
PORT=443

BIND_IP=0.0.0.0
CERT_DIR=/etc/letsencrypt
CERT=${CERT_DIR}/live/${DOMAIN}/fullchain.pem
KEY=${CERT_DIR}/live/${DOMAIN}/privkey.pem
sudo docker run -d --name gost \
    -v ${CERT_DIR}:${CERT_DIR}:ro \
    --net=host ginuerzh/gost \
    -L "mwss://${USER}:${PASS}@${BIND_IP}:${PORT}?cert=${CERT}&key=${KEY}&probe_resist=file:/var/www/html/index.html&knock=www.google.com"





# gost.sh: this one does not use the CDN; to use the CDN see the one below
# On Cloudflare, set TLS/SSL to Full


#!/bin/bash
# Sep 2023: 6. Traffic disguise and probe resistance, added below
# Change the four parameters below to your own values
DOMAIN="YOU.DOMAIN.NAME"
USER="username"
PASS="password"
PORT=443

BIND_IP=0.0.0.0
CERT_DIR=/etc/letsencrypt
CERT=${CERT_DIR}/live/${DOMAIN}/fullchain.pem
KEY=${CERT_DIR}/live/${DOMAIN}/privkey.pem
sudo docker run -d --name gost \
    -v ${CERT_DIR}:${CERT_DIR}:ro \
    --net=host ginuerzh/gost \
    -L "http2://${USER}:${PASS}@${BIND_IP}:${PORT}?cert=${CERT}&key=${KEY}&probe_resist=code:404&knock=www.google.com"





#!/bin/bash
# This one uses the CDN
# Change the four parameters below to your own values
DOMAIN="YOU.DOMAIN.NAME"
USER="username"
PASS="password"
PORT=443

BIND_IP=0.0.0.0
CERT_DIR=/etc/letsencrypt
CERT=${CERT_DIR}/live/${DOMAIN}/fullchain.pem
KEY=${CERT_DIR}/live/${DOMAIN}/privkey.pem
sudo docker run -d --name gost \
    -v ${CERT_DIR}:${CERT_DIR}:ro \
    --net=host ginuerzh/gost \
    -L "mwss://${USER}:${PASS}@${BIND_IP}:${PORT}?cert=${CERT}&key=${KEY}&probe_resist=code:404&knock=www.google.com"


DNS

For DNS records proxied to Cloudflare, Cloudflare’s IP addresses are returned in DNS queries instead of your original server IP address. This allows Cloudflare to optimize, cache, and protect all requests for your website.

Best to use proxied DNS, in case bandwidth is sometimes insufficient.

3. Usage

curl -v "https://www.google.com" --proxy "https://xx.linuxsa.org" --proxy-user 'evan:evan'


Next comes automating certificate renewal.

Use crontab -e to edit the scheduled tasks; renewing once every two months should be enough:

0 0 1 * * /usr/bin/certbot renew --force-renewal
5 0 1 * * /usr/bin/docker restart gost
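The cron entries above force a renewal on a fixed schedule and restart gost a few minutes later whether or not anything changed, and the notes earlier in this section record renewals failing because nginx still held the port. Below is an added example, not from the original page or from certbot, of a small Python helper that checks how long the current certificate is still valid, decides whether a renewal is due, and builds a certbot renew command whose --pre-hook stops nginx only when certbot is actually about to renew and whose --deploy-hook restarts the gost container only when a new certificate was issued (--pre-hook, --deploy-hook and --force-renewal are real certbot options; the 30-day margin, the example dates in the docstrings and the placeholder certificate path are assumptions).

```python
"""Decide whether the gost server's Let's Encrypt certificate needs renewing
and build the certbot command with hooks.

Added example; not part of the original wiki page or of certbot. The
container name and the certbot/docker paths are the page's; the 30-day
margin and the placeholder certificate path are assumptions."""
import subprocess
import sys
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30   # assumption: certbot's own default renewal window
DEFAULT_PEM = "/etc/letsencrypt/live/YOU.DOMAIN.NAME/fullchain.pem"  # placeholder


def parse_not_after(enddate_line: str) -> datetime:
    """Parse the 'notAfter=Dec  8 12:00:00 2024 GMT' line printed by
    `openssl x509 -enddate -noout` into an aware UTC datetime."""
    _, _, value = enddate_line.strip().partition("=")
    value = " ".join(value.split())   # collapse the double space before single-digit days
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")  # %Z accepts GMT/UTC
    return naive.replace(tzinfo=timezone.utc)


def days_left(not_after: datetime, now: datetime) -> int:
    """Whole days until the certificate expires (negative once it has expired)."""
    return (not_after - now).days


def renewal_due(not_after: datetime, now: datetime,
                margin_days: int = RENEW_BEFORE_DAYS) -> bool:
    """True when the certificate is inside the renewal window."""
    return days_left(not_after, now) <= margin_days


def renew_command(force: bool = False) -> list:
    """certbot renew with hooks: stop nginx only when a renewal is actually
    attempted (the page notes renewals fail while nginx holds the port) and
    restart the gost container only if a certificate was really issued."""
    cmd = [
        "/usr/bin/certbot", "renew",
        "--pre-hook", "systemctl stop nginx",
        "--deploy-hook", "/usr/bin/docker restart gost",
    ]
    if force:
        cmd.append("--force-renewal")
    return cmd


def cert_not_after(pem_path: str) -> datetime:
    """Ask openssl for the expiry of an on-disk certificate."""
    out = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", pem_path],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_not_after(out)


if __name__ == "__main__":
    pem = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PEM
    expiry = cert_not_after(pem)
    now = datetime.now(timezone.utc)
    print(f"{pem}: expires {expiry:%Y-%m-%d}, {days_left(expiry, now)} days left")
    if renewal_due(expiry, now):
        print("renewal due, run:", " ".join(renew_command()))
    else:
        print("no renewal needed yet")
```

Run it as `python3 renew_check.py /etc/letsencrypt/live/<your domain>/fullchain.pem`. Without --force-renewal, `certbot renew` does nothing until the certificate is inside its renewal window, so the command can safely be scheduled daily instead of once a month; forcing a renewal on every run issues a brand-new certificate each time and counts against Let's Encrypt's duplicate-certificate rate limit.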

With that, the server is configured. For the client, see the client section below.

    Notes on using Cloudflare

4. Client configuration

The article "Bypassing the firewall with Gost" (科学上网之 Gost 方案) covers using the Gost mobile client

https://github.com/ginuerzh/gost/releases

gost -L socks5://:1080 -F 'https://USER:PASS@DOMAIN:443'


/home/evan/data/apps/gost-linux-amd64 -L socks5://:1081 -F 'https://evan:[email protected]:443'

# Use this one with the CDN (recommended)
/home/evan/data/apps/gost-linux-amd64 -L socks5://:1081 -F 'mwss://evan:[email protected]:443'
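The server scripts in section 4 paste USER and PASS straight into the gost -L URL, and the client lines above do the same for -F. Two things go wrong with that: the credentials actually used on this page (evan:evan, abc:abc) are trivially guessable, and a password containing '@', ':', '/', '&' or '#' would silently split the URL at the wrong place. The following added example (not part of the original page or of the gost project) generates a random password, builds the server -L URL and the matching client -F URL with both credentials percent-encoded, and parses the results back to confirm which values a URL parser recovers. The scheme names, the certificate layout under /etc/letsencrypt and the query options are the ones the page's scripts use; the domain and the user name are placeholders.

```python
"""Build the gost -L (server) and -F (client) URLs from this page with a
strong, correctly percent-encoded password, then parse them back.

Added example; not part of the original page or of the gost project. Scheme
names, certificate paths and query options are taken from the page's
scripts; the domain and user name are placeholders."""
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

CERT_DIR = "/etc/letsencrypt"
# Query options copied from the page's scripts.
PAGE_OPTIONS = {"probe_resist": "file:/var/www/html/index.html", "knock": "www.google.com"}


def generate_password(nbytes: int = 24) -> str:
    """Random password from the OS CSPRNG; token_urlsafe only emits
    A-Z a-z 0-9 '-' '_', so the result never needs escaping in a URL."""
    return secrets.token_urlsafe(nbytes)


def is_url_safe(text: str) -> bool:
    """True if percent-encoding would leave the text unchanged."""
    return quote(text, safe="") == text


def build_listener(scheme: str, user: str, password: str, domain: str,
                   port: int = 443, bind_ip: str = "0.0.0.0",
                   options: dict = None) -> str:
    """Server side: the argument to gost -L. Credentials are encoded with
    safe="" so '@', ':', '/', '&' and '#' cannot split the URL."""
    cert = f"{CERT_DIR}/live/{domain}/fullchain.pem"
    key = f"{CERT_DIR}/live/{domain}/privkey.pem"
    query = {"cert": cert, "key": key, **(PAGE_OPTIONS if options is None else options)}
    userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}"
    # Paths keep their '/' and ':' so the query reads like the page's scripts.
    return f"{scheme}://{userinfo}@{bind_ip}:{port}?{urlencode(query, safe='/:', quote_via=quote)}"


def build_forwarder(scheme: str, user: str, password: str, domain: str,
                    port: int = 443) -> str:
    """Client side: the argument to gost -F, pointing at the public domain."""
    userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}"
    return f"{scheme}://{userinfo}@{domain}:{port}"


def decode_credentials(url: str) -> tuple:
    """What a URL parser recovers from the string: (user, password, host, port)."""
    parts = urlsplit(url)
    return unquote(parts.username), unquote(parts.password), parts.hostname, parts.port


def query_options(url: str) -> dict:
    """Decoded query options, one value per key."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def docker_command(listener: str) -> list:
    """The page's docker run line as an argv list; the certificate directory
    is mounted read-only so the container cannot modify the key files."""
    return ["sudo", "docker", "run", "-d", "--name", "gost",
            "-v", f"{CERT_DIR}:{CERT_DIR}:ro", "--net=host", "ginuerzh/gost",
            "-L", listener]


if __name__ == "__main__":
    domain = "YOU.DOMAIN.NAME"          # placeholder: your subdomain on the VPS
    user, password = "gostuser", generate_password()   # placeholder user name
    listener = build_listener("mwss", user, password, domain)
    print(" ".join(docker_command(listener)))
    print("client: gost -L socks5://:1080 -F", repr(build_forwarder("mwss", user, password, domain)))
    assert decode_credentials(listener)[:2] == (user, password)
```

Keep the generated password in the server script and the client command only; the forwarder string for the client is the same credentials with the bind address replaced by the public domain, which is exactly the pairing the -L/-F lines above show.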

Autostart

Windows


Use the Windows sc command to create a Windows service:

sc create gost binpath= "C:\gost.exe -L :8080" start= auto

Linux

Manage the GOST process with systemd.

Create the unit file /etc/systemd/system/gost.service:


[Unit]
Description=GO Simple Tunnel
After=network.target
Wants=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/gost -L=:8080
Restart=always

[Install]
WantedBy=multi-user.target

Enable it at boot:

systemctl enable gost

Start the service:

systemctl start gost

Android

Circumvention method currently in use: GOST + Cloudflare/Tailscale


Bypassing the firewall with Gost, v2 (科学上网之 Gost 方案 v2)

github.com


➜  ~ cat .ssh/config 
### github.com
Host github.com
    Hostname github.com
    #ProxyCommand nc -x localhost:1081 %h %p
    ProxyCommand nc -x localhost:1080 %h %p
    # On git-for-windows, connect can be used instead of nc
    # ProxyCommand connect -S localhost:1085 %h %p

For use as a proxy by phones or other machines:

ufw allow 8118  # this is a bit safer

@myxps:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
8118                       ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
8118 (v6)                  ALLOW       Anywhere (v6)             


systemctl stop ufw
systemctl start privoxy.service

https://help.ubuntu.com/community/UFW

How domestic whitelist networks work and how to handle them

Discussion of how the Quanzhou, Fujian whitelist network works and how to handle it

Troubleshooting

Sometimes it won't connect; try curl. If Google doesn't work, switch to a different CDN IP in the hosts file and it works again, haha.


1. Sep 2024

Invalid SSL certificate

Changing the DNS record from a CNAME to an A record with the IP fixed it.

See also

Configuring SwitchyOmega in Chrome/Firefox to bypass the firewall

References

https://github.com/haoel/haoel.github.io