Scientific Internet access (科学上网)
The latest circumvention tool: gost. Ignoring v2ray for now.
Contents
0. To be improved
Get the CDN in use. Done Sep 2023.
https://github.com/haoel/haoel.github.io
On picking the best IP: you can edit the local hosts file by hand to point the domain at the best IP.
1. Set up the Docker service
1. Docker install for Debian 11 on an Azure free-tier VM: https://docs.docker.com/engine/install/debian/
sudo apt-get update
sudo apt-get install ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources:
echo \
  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
2. Enable the TCP BBR congestion control algorithm
Enable the TCP BBR congestion control algorithm:
sudo modprobe tcp_bbr
echo "tcp_bbr" | sudo tee --append /etc/modules-load.d/modules.conf
echo "net.core.default_qdisc=fq" | sudo tee --append /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee --append /etc/sysctl.conf
Save and apply:
sudo sysctl -p
Then run:
sysctl net.ipv4.tcp_available_congestion_control
sysctl net.ipv4.tcp_congestion_control
If both results contain bbr, your kernel has BBR enabled. Run lsmod | grep bbr; if the tcp_bbr module is listed, BBR is active.
3. Generate the certificate
Sep 2023; Mar 10 and Jun 11 2024; renewed Sep 10, 2024.
3. Request a domain and certificate
Create a subdomain on Cloudflare that resolves to your VPS IP (note: do not enable Cloudflare's Proxy mode). Finally, use Let's Encrypt to sign a certificate. To use a Let's Encrypt certificate you need certbot installed on the server: go to https://certbot.eff.org/instructions, choose your server and operating system, then follow the instructions. Next, request a certificate (we use the standalone method; you will be asked for your email address and the domain that resolves to the VPS):
On the gost VM, Oct 2024:
sudo apt install python3 python3-venv libaugeas0
apt install nginx
systemctl stop nginx
sudo certbot certonly --standalone --register-unsafely-without-email
ls
Remember to open 443 in the firewall.
apt install snapd
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot --nginx
# Renewal 2024: stop nginx first, then gost, and stop nginx again at the end; you may have to kill it. Then start gost. This works too, or see automatic certificate renewal below.
# Renewal Sep 2024:
/usr/bin/certbot renew --force-renewal
root@Azure-Free-VM:~# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or space separated) (Enter 'c' to cancel): a.linuxsa.org
Requesting a certificate for p.linuxsa.org
Successfully received certificate.
nginx is really only used to generate the certificate.
# This did not work, because nginx has to be killed first.
# m h dom mon dow command
0 0 1 */2 * /usr/bin/certbot renew --force-renewal
5 0 1 * * /usr/bin/docker restart gost
sudo certbot certonly --standalone
4. GOST
Push to your own Docker Hub: docker push evan886/gost:tagname

vi /var/www/html/index.html
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and working. Further configuration is required.</p>
<p>For online documentation and support please refer to <a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at <a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>

## Traffic disguise and probe resistance, https. For use behind the CDN see the next script (--mwss).
#!/bin/bash
# The four parameters below must be changed to yours
DOMAIN="YOU.DOMAIN.NAME"
USER="username"
PASS="password"
PORT=443
BIND_IP=0.0.0.0
CERT_DIR=/etc/letsencrypt
CERT=${CERT_DIR}/live/${DOMAIN}/fullchain.pem
KEY=${CERT_DIR}/live/${DOMAIN}/privkey.pem
sudo docker run -d --name gost \
 -v ${CERT_DIR}:${CERT_DIR}:ro \
 --net=host ginuerzh/gost \
 -L "http2://${USER}:${PASS}@${BIND_IP}:${PORT}?cert=${CERT}&key=${KEY}&probe_resist=file:/var/www/html/index.html&knock=www.google.com"

# Written as a script, Sep 2023, CDN in use.
## Stop nginx before running gost: systemctl stop nginx.service. Remember to enable Proxy on Cloudflare.
#!/bin/bash
## The four parameters below must be changed to yours
DOMAIN="a.linuxsa.org"
USER="abc"
PASS="abc"
PORT=443
BIND_IP=0.0.0.0
CERT_DIR=/etc/letsencrypt
CERT=${CERT_DIR}/live/${DOMAIN}/fullchain.pem
KEY=${CERT_DIR}/live/${DOMAIN}/privkey.pem
sudo docker run -d --name gost \
 -v ${CERT_DIR}:${CERT_DIR}:ro \
 --net=host ginuerzh/gost \
 -L "mwss://${USER}:${PASS}@${BIND_IP}:${PORT}?cert=${CERT}&key=${KEY}&probe_resist=file:/var/www/html/index.html&knock=www.google.com"

# Oct 2024, using the CDN
cat gost.sh
#!/bin/bash
## The four parameters below must be changed to yours
DOMAIN="x.linuxsa.org"
USER="evan"
PASS="evan"
PORT=443
BIND_IP=0.0.0.0
CERT_DIR=/etc/letsencrypt
CERT=${CERT_DIR}/live/${DOMAIN}/fullchain.pem
KEY=${CERT_DIR}/live/${DOMAIN}/privkey.pem
sudo docker run -d --name gost \
 -v ${CERT_DIR}:${CERT_DIR}:ro \
 --net=host ginuerzh/gost \
 -L "mwss://${USER}:${PASS}@${BIND_IP}:${PORT}?cert=${CERT}&key=${KEY}&probe_resist=file:/var/www/html/index.html&knock=www.google.com"

# gost.sh: this one does not use the CDN. If you want the CDN, see the one below.
# On Cloudflare, set TLS/SSL to Full.
#!/bin/bash
# Sep 2023. 6. Traffic disguise and probe resistance: add the following
# The four parameters below must be changed to yours
DOMAIN="YOU.DOMAIN.NAME"
USER="username"
PASS="password"
PORT=443
BIND_IP=0.0.0.0
CERT_DIR=/etc/letsencrypt
CERT=${CERT_DIR}/live/${DOMAIN}/fullchain.pem
KEY=${CERT_DIR}/live/${DOMAIN}/privkey.pem
sudo docker run -d --name gost \
 -v ${CERT_DIR}:${CERT_DIR}:ro \
 --net=host ginuerzh/gost \
 -L "http2://${USER}:${PASS}@${BIND_IP}:${PORT}?cert=${CERT}&key=${KEY}&probe_resist=code:404&knock=www.google.com"

#!/bin/bash
# This one uses the CDN
# The four parameters below must be changed to yours
DOMAIN="YOU.DOMAIN.NAME"
USER="username"
PASS="password"
PORT=443
BIND_IP=0.0.0.0
CERT_DIR=/etc/letsencrypt
CERT=${CERT_DIR}/live/${DOMAIN}/fullchain.pem
KEY=${CERT_DIR}/live/${DOMAIN}/privkey.pem
sudo docker run -d --name gost \
 -v ${CERT_DIR}:${CERT_DIR}:ro \
 --net=host ginuerzh/gost \
 -L "mwss://${USER}:${PASS}@${BIND_IP}:${PORT}?cert=${CERT}&key=${KEY}&probe_resist=code:404&knock=www.google.com"
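As an added example (not one of the page's gost.sh variants), the wrapper below builds the same listener URL and docker run command as the scripts above but checks its inputs first: it refuses the template's placeholder credentials, identical user/password pairs and short passwords (the user:pass pair is all that stands between the open port and anyone who guesses it), verifies that the certificate, key and decoy page actually exist before the container is started, and accepts either the direct http2 listener or the mwss one used behind Cloudflare. The function names, the argument order and the script name are this example's own assumptions; the paths, container name and query parameters are the page's.

```bash
#!/bin/bash
# Added example, not the page's gost.sh: a launcher that validates its
# inputs before starting the gost container.
# Usage (script name assumed):
#   ./gost-launch.sh <domain> <user> <password> <http2|mwss> [probe_resist]
# http2 is the direct (non-CDN) listener, mwss the one behind Cloudflare;
# probe_resist defaults to code:404 (the page also uses file:/var/www/html/index.html).
set -euo pipefail

# Compose the gost listener URL from its parts, in this order:
# scheme user pass bind_ip port cert key probe_resist knock
build_listener_url() {
  printf '%s://%s:%s@%s:%s?cert=%s&key=%s&probe_resist=%s&knock=%s' \
    "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9"
}

# Reject the template placeholders, user==pass and short passwords.
# Characters that would break the URL are refused too. Returns 0 when acceptable.
credentials_ok() {
  local user="$1" pass="$2"
  [ "$user:$pass" != "username:password" ] || return 1
  [ "$user" != "$pass" ] || return 1
  [ "${#pass}" -ge 16 ] || return 1
  case "$user$pass" in *[@:/?]*|*'&'*) return 1 ;; esac
  return 0
}

# Verify the files the listener depends on: the Let's Encrypt chain and key
# (mounted read-only into the container), plus the decoy page for file:<path>.
prereqs_ok() {
  local cert="$1" key="$2" probe="$3"
  [ -r "$cert" ] || { echo "missing cert: $cert" >&2; return 1; }
  [ -r "$key" ]  || { echo "missing key: $key" >&2; return 1; }
  case "$probe" in
    file:*) [ -r "${probe#file:}" ] || { echo "missing decoy page: ${probe#file:}" >&2; return 1; } ;;
    code:[0-9]*) ;;
    *) echo "unknown probe_resist value: $probe" >&2; return 1 ;;
  esac
}

main() {
  local domain="$1" user="$2" pass="$3" scheme="$4" probe="${5:-code:404}"
  local cert_dir=/etc/letsencrypt
  local cert="$cert_dir/live/$domain/fullchain.pem"
  local key="$cert_dir/live/$domain/privkey.pem"
  case "$scheme" in http2|mwss) ;; *) echo "scheme must be http2 or mwss" >&2; exit 2 ;; esac
  credentials_ok "$user" "$pass" || { echo "refusing placeholder or weak credentials" >&2; exit 2; }
  prereqs_ok "$cert" "$key" "$probe" || exit 2
  local url
  url=$(build_listener_url "$scheme" "$user" "$pass" 0.0.0.0 443 "$cert" "$key" "$probe" www.google.com)
  # Same container invocation as the page's scripts; the cert dir is mounted read-only.
  sudo docker run -d --name gost -v "$cert_dir:$cert_dir:ro" --net=host ginuerzh/gost -L "$url"
}

if [ "$#" -ge 4 ]; then
  main "$@"
else
  echo "usage: $0 <domain> <user> <password> <http2|mwss> [probe_resist]" >&2
fi
```

Stop nginx before launching, as the page says, since both want port 443 on the host network; the script does not do that for you.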
DNS
For DNS records proxied to Cloudflare, Cloudflare's IP addresses are returned in DNS queries instead of your original server IP address. This allows Cloudflare to optimize, cache, and protect all requests for your website. It is best to use proxied DNS, in case the bandwidth is sometimes not enough.
3. Usage
curl -v "https://www.google.com" --proxy "https://xx.linuxsa.org" --proxy-user 'evan:evan'
Next comes automatic certificate renewal. Use crontab -e to edit the scheduled tasks; renewing once every two months should be enough:
0 0 1 * * /usr/bin/certbot renew --force-renewal
5 0 1 * * /usr/bin/docker restart gost
With that the server is configured. For the client, go to the client section below.
Notes on using Cloudflare
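The two cron lines above run independently, and the certificate section notes that the renewal failed because nginx was still holding the port. As an added example (not the page's cron entries), the job below does the three steps in order in one script: stop nginx (killing it if stop is not enough, as the page observed), run certbot renew, then restart the gost container only if the certificate file on disk actually changed, so a no-op renewal does not drop active connections. The script path, the function names and the DOMAIN/CERTBOT_ARGS variables are this example's assumptions; the certificate path and container name are the page's.

```bash
#!/bin/bash
# Added example, not the page's cron entries: one renewal job that stops nginx,
# runs certbot, and restarts gost only when the chain changed.
# Cron usage (script path assumed):
#   0 3 * * * /usr/local/bin/gost-renew.sh renew
# Plain "certbot renew" only re-issues within 30 days of expiry, so running it
# daily is safe; set CERTBOT_ARGS=--force-renewal to get the page's behaviour.
set -euo pipefail

DOMAIN="${DOMAIN:-YOU.DOMAIN.NAME}"
CERT="/etc/letsencrypt/live/${DOMAIN}/fullchain.pem"
CERTBOT="${CERTBOT:-/usr/bin/certbot}"
CERTBOT_ARGS="${CERTBOT_ARGS:-}"
DOCKER="${DOCKER:-/usr/bin/docker}"

# SHA-256 of a file, or the word "absent" when the file does not exist yet.
file_digest() {
  if [ -r "$1" ]; then
    sha256sum "$1" | cut -d' ' -f1
  else
    echo absent
  fi
}

# Returns 0 when the two digests differ, i.e. certbot wrote a new chain.
cert_changed() {
  [ "$1" != "$2" ]
}

main() {
  local before after
  before=$(file_digest "$CERT")
  # nginx on this host only exists to obtain certificates (see above), so it is
  # safe to stop it; the page notes "stop" alone sometimes leaves it running.
  systemctl stop nginx.service || true
  pkill -x nginx || true
  # shellcheck disable=SC2086  (CERTBOT_ARGS is intentionally word-split)
  "$CERTBOT" renew --non-interactive $CERTBOT_ARGS
  after=$(file_digest "$CERT")
  if cert_changed "$before" "$after"; then
    echo "certificate renewed ($after); restarting gost so it reloads the mounted files"
    "$DOCKER" restart gost
  else
    echo "certificate unchanged ($after); gost left running"
  fi
}

case "${1:-}" in
  renew) main ;;
  *) echo "usage: $0 renew" >&2 ;;
esac
```

gost reads the certificate and key from the read-only mount at start, which is why the restart is still needed after a real renewal; comparing digests rather than checking certbot's exit status is what avoids the restart when nothing was issued.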
4. Client configuration
"Scientific Internet access: the Gost approach" covers using the Gost mobile client
https://github.com/ginuerzh/gost/releases
gost -L socks5://:1080 -F 'https://USER:PASS@DOMAIN:443'
/home/evan/data/apps/gost-linux-amd64 -L socks5://:1081 -F 'https://evan:[email protected]:443'
# For the CDN use this one (recommended)
/home/evan/data/apps/gost-linux-amd64 -L socks5://:1081 -F 'mwss://evan:[email protected]:443'
Autostart
Windows
Use the Windows sc command to create a Windows service:
sc create gost binpath= "C:\gost.exe -L :8080" start= auto
Linux
Manage the GOST process with systemd
Create the unit file /etc/systemd/system/gost.service:
[Unit]
Description=GO Simple Tunnel
After=network.target
Wants=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/gost -L=:8080
Restart=always
[Install]
WantedBy=multi-user.target
Enable it at boot:
systemctl enable gost
Start the service:
systemctl start gost
github.com
➜ ~ cat .ssh/config
### github.com
Host github.com
Hostname github.com
#ProxyCommand nc -x localhost:1081 %h %p
ProxyCommand nc -x localhost:1080 %h %p
# Under git-for-windows, connect can be used instead of nc
# ProxyCommand connect -S localhost:1085 %h %p
Proxy for phones or other machines
ufw allow 8118 # safer this way
@myxps:~# ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
8118 ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
8118 (v6) ALLOW Anywhere (v6)
systemctl stop ufw
systemctl start privoxy.service
https://help.ubuntu.com/community/UFW
How domestic whitelist networks work and how to deal with them
Troubleshooting
Sometimes it won't connect; try curl. If google doesn't work, switch to a different CDN IP in the hosts file and it is fine again, haha.
- Sep 2024
Invalid SSL certificate
Changed the DNS record from CNAME to an A record with the IP and it worked again.
See also
Configuring SwitchyOmega in Chrome/Firefox for circumvention