Using a VPS to set up dante-server with Gpass (世界通) or Tor to get past the GFW

The "Tunnel" (通道) option in gpass's settings has a SOCKS5 encrypted tunnel choice. But free SOCKS5 servers are hard to find: they either stop working quickly or are soon blocked by the GFW. If you have your own VPS, you can set up a SOCKS5 server on it.

Reposted from the original at: https://briteming.blogspot.com/2011/11/vpsdante-servergpasstor.html

dante-server is a fairly easy-to-use SOCKS5 server. Here is how to set up dante-server.
If your VPS runs Debian/Ubuntu:

# apt-get install apt-spy -y

# apt-get update -y

# apt-get install dante-server -y

Then edit dante-server's configuration file /etc/danted.conf as follows:

Below the line #logoutput: stderr add:

logoutput: syslog

Below the line # Alternatively, the interface name can be used instead of the address. add:

internal: eth0 port = 1080
internal: 127.0.0.1 port = 1080
external: eth0

(It is recommended to change 1080 to another port so that scanning tools do not find it.)

Uncomment # method: username none.

Uncomment # user.notprivileged: nobody.
Below user.notprivileged: nobody add:
client pass {
from: 192.168.0.0/0 port 1-65535 to: 0.0.0.0/0
}

client pass {
from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}

client block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}

block {
from: 0.0.0.0/0 to: 127.0.0.0/8
log: connect error
}

pass {
from: 192.168.0.0/0 to: 0.0.0.0/0
protocol: tcp udp
}

pass {
from: 127.0.0.0/8 to: 0.0.0.0/0
protocol: tcp udp
}

block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
Change # user.libwrap: libwrap to user.libwrap: nobody

Then save the changes.

Then run /etc/init.d/danted start to start dante-server. You can add /etc/init.d/danted start to /etc/rc.local.

To verify that dante-server was installed successfully, set Firefox's SOCKS5 proxy to yourdomain.com:1080 or your-vps-ip:1080 (it is recommended to change 1080 to another port so that scanning tools do not find it), then visit ip138.com. If the page shows your VPS's IP, the installation succeeded.

dante-server does not release the resources it has used on its own; with heavy use the system's resources get used up and the VPS is effectively hung, and the only remedy is to reboot the VPS. If you do not reboot, the websites hosted on the VPS become unreachable, you cannot log in with PuTTY (after opening PuTTY the "login as" prompt never appears), and even if the SSH account on this VPS can still log in through MyEnTunnel, you cannot get past the GFW with it. To keep dante-server from using up system resources too quickly, it is necessary to have it restart automatically every hour, which is where crontab comes in. Create a file named danted in the /etc/cron.hourly directory, edit it, put /etc/init.d/danted restart in it, and save. Then set the danted file's permissions to 755. dante-server will now restart automatically every hour, releasing the resources it holds.

If your VPS runs a 32-bit CentOS/Fedora system:

# wget https://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/miniupnpc-1.4-1.el5.rf.i386.rpm
# wget https://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/dante-1.2.3-1.el5.rf.i386.rpm
# wget https://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/dante-server-1.2.3-1.el5.rf.i386.rpm
# rpm -ivh miniupnpc-1.4-1.el5.rf.i386.rpm
# rpm -ivh dante-1.2.3-1.el5.rf.i386.rpm
# rpm -ivh dante-server-1.2.3-1.el5.rf.i386.rpm
(If your VPS runs a 64-bit CentOS/Fedora system, replace every i386 above with x86_64.)
Then edit dante-server's configuration file /etc/sockd.conf. The changes are almost the same as those for /etc/danted.conf on Debian/Ubuntu, except that user.notprivileged in /etc/danted.conf becomes user.unprivileged in /etc/sockd.conf. Edit it accordingly.
Then run /usr/sbin/sockd from putty.exe to start dante-server. It will print sockdexit(): truncate(/var/run/sockd.pid): No such file or directory (errno = 2). This is because sockd needs to create the sockd.pid file in /var/run/, but the /var/run/ directory has no write permission; change its permissions to 777:
# chmod 777 /var/run/
then run /usr/sbin/sockd again and it works normally.
You can add /usr/sbin/sockd to /etc/rc.local.
To verify that dante-server was installed successfully, set Firefox's SOCKS5 proxy to yourdomain.com:1080 or your-vps-ip:1080 (it is recommended to change 1080 to another port so that scanning tools do not find it), then visit ip138.com. If the page shows your VPS's IP, the installation succeeded.
As on Debian, on a CentOS VPS dante-server does not release the resources it has used on its own; heavy use exhausts system resources and the VPS is effectively hung, and the only remedy is a reboot. This is where crontab comes in. Create a file named sockd in the /etc/cron.hourly directory, edit it, put /etc/init.d/sockd restart in it, and save. Then set the sockd file's permissions to 755. dante-server will now restart automatically every hour, releasing the resources it holds.
Then start gpass.exe. Under the "Tunnel" (通道) tab of gpass's settings, choose the SOCKS5 encrypted tunnel, enter your VPS's IP or hostname in the SOCKS5 server field below, enter 1080 as the port (it is recommended to change 1080 to another port so that scanning tools do not find it), leave the username and password empty, and click the "Enable" (啟用) button at the bottom. Then drag your browser's shortcut into gpass's application window. Double-click that browser's icon in gpass's application window, and you can browse past the GFW comfortably in the browser that opens.
I recommend the K-Meleon browser (https://k-meleon.org/download/). When I used it with IE or Chrome, IE or Chrome tended to stop responding.
Gpass (世界通) download
Even though with a VPS you can get past the GFW directly with an SSH account, that does not mean a VPN is unnecessary once you have SSH. Likewise, setting up a SOCKS5 proxy has its own meaning and value.

---------------------------------------------------------------------------------------------------------------------
In the newer Tor Vidalia program, click "Setup Relaying" -> "Network" -> tick "I use a proxy to access the Internet" -> in the Address field enter your VPS's hostname or IP, in the Port field enter your dante server's port,
for Type choose SOCKS 5, then click "OK". Through the SOCKS5 proxy you built, Tor connects to the Tor network smoothly; set your browser's SOCKS proxy to 127.0.0.1:9050 to get past the GFW with Tor.
Author email: luckypoem#gmail.com
-------------------------------------------------------------------------------------------------
From Wiki


When working on a private LAN with no direct internet access available, squid is normally used as a proxy server for internet and ftp traffic. SSH or scp (or other traffic), however, will require a SOCKS server in order to reach the internet.
Dante socks server provides just that.


How to install dante socks server on debian (ubuntu is similar):

apt-get install dante-server

This installs dante onto your debian server. By default it will not start (it will try to start - but will fail saying "no internal interfaces are configured etc...").

To configure Dante socks server:

vi /etc/danted.conf

By default - most required lines will be uncommented. The following lines need to be inserted/uncommented in danted.conf

#logoutput: stderr
logoutput: syslog
#the above line will send any logs to /var/log/syslog instead to a terminal

internal: eth0 port = 1080
internal: 127.0.0.1 port = 1080
external: eth0

method: username none
#the above puts no username or password. Access will instead be controlled via client ip address/range.
#if there is no username or password - then danted socks server needs to run as nobody, i.e.

#method: pam
# if you choose to use pam instead - a valid username&password as required for sshing to the socks server is required.
#Note: not sure if proxy login details are sent in clear text.

#user.privileged: proxy
user.notprivileged: nobody

client pass {
        from: 192.168.0.0/0 port 1-65535 to: 0.0.0.0/0   # (the bold text is my change)
} 

client pass {
        from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}

client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

#Finally block other traffic
block {
  from: 0.0.0.0/0 to: 127.0.0.0/8
  log: connect error
}

pass {
  from: 192.168.0.0/0 to: 0.0.0.0/0   # (the bold text is my change)
  protocol: tcp udp
}

pass {
  from: 127.0.0.0/8 to: 0.0.0.0/0
  protocol: tcp udp
}

block {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  log: connect error
}

Once the config is complete. Start/Restart dante socks server:

/etc/init.d/danted start

If there is a problem with the config - it will tell you immediately on trying to start the danted daemon.

Test Dante Socks Server

netstat -n -a
#check to see if server is listening on 1080

Make sure the firewall is open. Add appropriate rule as on Iptables_Firewall. Test also with winscp or putty.

Other SOCKS Servers

Note that putty itself can provide a SOCKS 5 server! (But putty needs to be able to connect to an external server/computer first!)
To configure putty to act as a SOCKS v5 server:

Open Putty, Go to CONNECTION -> SSH -> TUNNELS
In the Source Port - put 1080
In the Destination Port - put 1080
Click on the Dynamic radio button for "Dynamic Port Forwarding"

Connect to a server with external access. Telnet localhost 1080 and it should connect.
Also note - SOCKS v5 can be set up using ssh on the command line.

ssh user@server.com -D 1080
# -D is for Dynamic Port Forwarding.

More info on Dante's Config at:
https://trekweb.com/~jasonb/articles/dante_tunnel.shtml
from https://wiki.kartbuilding.net/index.php/Dante_Socks_Server
----------------------------------------------------------------------
Download dante
https://www.inet.no/dante/
Download the source and unpack it

./configure
make
make install

It installs to /usr/local/ by default
The executable is /usr/local/sbin/sockd
Add a new user sockd. For security, set its login shell to /bin/false
A working configuration file is as follows:
sockd.conf :

## general configuration (taken from FAQ; <URL:https://www.inet.no/dante/FAQ>)
# network interface and port that clients connect to on the server
internal: eth0 port = 1080
# network interface for outbound connections from the server
external: eth0
# authentication method; system accounts are used here
method: username
user.privileged: root
user.notprivileged: sockd
# log location
logoutput: /var/log/sockd/sockd.log

## client access rules

client pass {
from: 0.0.0.0/0 to: 0.0.0.0/0 #internal network
log: connect disconnect
}

## server operation access rules

#allow bind to ports greater than 1023
pass {
from: 0.0.0.0/0 to: 0.0.0.0/0 port gt 1023
command: bind
log: connect disconnect
}

#allow outgoing connections (tcp and udp)
pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
command: connect udpassociate
log: connect disconnect
}

#allow replies to bind, and incoming udp packets
pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
command: bindreply udpreply
log: connect error
}

#log the rest
block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
dante does not release the resources it has used on its own; heavy use exhausts system resources and the only remedy is a restart. For this there is a clumsy (but effective) workaround.
Add a file with any name to the scheduled-task directory /etc/cron.daily, for example sockdkill, with the following content:

#!/bin/sh
#restart sockd everyday
sleep 60
DAY=`date +%Y%m%d`
cp /var/log/sockd/sockd.log /var/log/sockd/sockd.log.${DAY}
cd /var/log/sockd
gzip sockd.log.${DAY}
killall sockd 1>/dev/null 2>/dev/null
killall sockd 1>/dev/null 2>/dev/null
echo > /var/log/sockd/sockd.log
/etc/init.d/sockd start

Then dante restarts once a day and the log file is refreshed.
-------------------------------------------------------------------------------------------------------------------------------------------------

Configuring a DANTE SOCKS Proxy
I have been using the Dante SOCKS v4 and v5 compatible proxy server for quite a few months now. A SOCKS proxy is a general purpose proxying daemon. It works great for tunneling things like HTTP and AOL IM through a trusted relay over a secure connection. The untrusted medium could be a wireless link or a corporate network with a draconian Web access policy. The SOCKS proxy provides the connection proxying mechanism and the tunnel (via OpenSSH) provides the security.
It's possible you do not need to install and configure Dante. OpenSSH supports basic SOCKS emulation. For example, the following will setup a basic SOCKS proxy on localhost accessible via port 1080 and tunnel it securely to the target host, rebecca. From there, a connection is made in a fashion similar to what a real SOCKS proxy would do.

jasonb@faith:~$ ssh -D 1080 rebecca

If the above doesn't work for your application, you can read on for information on configuring and installing Dante, a complete SOCKS proxy solution.

Obtaining and Configuring Dante
Dante is a fully functional SOCKS proxy server and as such has many knobs. Fortunately, setting up a basic configuration that will allow tunneling of things like HTTP is relatively simple.
If you're running Debian GNU/Linux, simply run:

# apt-get update
# apt-get install dante-server

Thereafter, you can skip the source compilation step and move on to the configuration file. For non-Debian users, obtain a copy of Dante. The most recent version is 1.1.14 as of this writing. Unpack the sourceball, browse the various documentation files, then run a configure similar to the following.

jasonb@faith:~/src$ tar -zxvf dante-1.1.14.tar.gz
...
jasonb@faith:~/src$ cd dante-1.1.14
jasonb@faith:~/src/dante-1.1.14$
jasonb@faith:~/src/dante-1.1.14$ ./configure \
  --with-sockd-conf=/etc/danted.conf
Configuring Dante 1.1.14:
...
jasonb@faith:~/src/dante-1.1.14$ make -j2
...
jasonb@faith:~/src/dante-1.1.14$ su
jasonb@faith:~/src/dante-1.1.14# make install
^D

Once that's done, it's time to take a crack at the configuration file. It's expected to live in /etc/sockd.conf by default and /etc/danted.conf if you're using the Debian package or my configuration above.

faith:/# cat /etc/danted.conf

# See examples/sockd.conf for additional details

First, logging is enabled via the syslog mechanism and internal and external addresses are bound. The internal bindings include a port specification. The external one, of course, does not. The external binding cannot be an interface for versions prior to 1.1.7, but that shouldn't be a problem as of this writing. If you have a static IP, that's fine, too.

logoutput: syslog

internal: eth1 port = 1080
internal: 127.0.0.1 port = 1080
external: 1.2.3.4
# or
external: eth0

Next, we define some basic authentication items. Dante supports things like identd and PAM authentication, but I did not configure those. For this proxy's simple task I went without authentication.

method: username none

# Not using authentication, so unnecessary
#user.privileged: proxy

user.notprivileged: nobody

Finally, we define the access controls for this daemon. They are checked against in the order they appear in the configuration file. It's important not to allow the world to access your proxy server, since bad things can happen.
The first three directives control which IP ranges can speak to the server. The from: option is obviously the IP space the clients live in. The to: option is one of the IPs the proxy server is bound to that the given IP range can speak to. In this instance, I set it to correspond with all addresses Dante is listening on. The last of the three drops any requests that don't match either of the first two directives.

client pass {
  from: 192.168.0.0/16 port 1-65535 to: 0.0.0.0/0
}

client pass {
  from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}

client block {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  log: connect error
}

These next four directives control who can speak to what. Requests from anywhere to the loopback addresses are dropped. Next, connections from the loopback addresses and 192.168.0.0/16 are allowed to speak to anyone using either the tcp or udp protocols. Finally, all other requests are dropped.

block {
  from: 0.0.0.0/0 to: 127.0.0.0/8
  log: connect error
}

pass {
  from: 192.168.0.0/16 to: 0.0.0.0/0
  protocol: tcp udp
}

pass {
  from: 127.0.0.0/8 to: 0.0.0.0/0
  protocol: tcp udp
}

block {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  log: connect error
}
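Dante evaluates these client rules top to bottom and the first match wins, which is why the VPS configuration earlier on this page, with from: 192.168.0.0/0 and method: username none where this article uses 192.168.0.0/16, admits every Internet source. The following Python is an added example, not code from Dante or from either article: it parses client pass/block blocks in danted.conf syntax, reproduces the first-match evaluation, and flags any pass rule whose network is a /0. The configuration excerpt is a constructed sample.

```python
import ipaddress
import re

# Constructed sample in danted.conf syntax, in the order Dante evaluates it
# (first match wins). Mirrors the VPS section of this page.
VPS_CLIENT_RULES = """
client pass {
from: 192.168.0.0/0 port 1-65535 to: 0.0.0.0/0
}
client pass {
from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}
client block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
"""

RULE_RE = re.compile(r"client\s+(pass|block)\s*\{(.*?)\}", re.S)
FROM_RE = re.compile(r"from:\s*(\S+)")

def parse_client_rules(conf):
    """Return [(action, from_network)] in file order from client pass/block blocks."""
    rules = []
    for action, body in RULE_RE.findall(conf):
        m = FROM_RE.search(body)
        if m:
            # strict=False: like Dante, 192.168.0.0/0 means the entire IPv4 space
            rules.append((action, ipaddress.ip_network(m.group(1), strict=False)))
    return rules

def client_verdict(rules, src_ip):
    """First rule whose 'from:' network contains src_ip decides; no match blocks."""
    addr = ipaddress.ip_address(src_ip)
    for action, net in rules:
        if addr in net:
            return action
    return "block"

def world_open_passes(rules):
    """Networks of 'client pass' rules that admit every IPv4 source (a /0)."""
    return [str(net) for action, net in rules if action == "pass" and net.prefixlen == 0]

if __name__ == "__main__":
    rules = parse_client_rules(VPS_CLIENT_RULES)
    print(world_open_passes(rules))              # ['0.0.0.0/0']
    print(client_verdict(rules, "203.0.113.5"))  # pass: any Internet host is admitted
```

Replacing the /0 with the /16 from this article makes the same check report no world-open rule and block the 203.0.113.5 source.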

Now you can fire up Dante.

faith:# sockd -V (or the danted binary on Debian)
faith:# sockd -d

That will start Dante in debugging mode. Start your favourite Web browser and tell it to use a SOCKS proxy server. Don't accidentally use an HTTP proxy, because that won't work. Visit a working URI and see if it loads. If it does, you're good to go. If not, check /var/log for useful clues. Dante will complain if something isn't working correctly, like it isn't able to bind to a port or it's denying you access.
Handling that Dynamic IP Issue
It's always fun to hit your tunnel one morning only to find it's gone. After a little digging, you notice it's because your broadband modem dropped your IP when you weren't looking and left your Dante configuration high and dry. Well, it need not be that way. Recent versions of Dante support using an interface for the external: directive, so this should no longer be necessary. If you can't upgrade to v1.1.7 or newer, you can use the script below to change your external IP address for you.
I run this script whenever my IP changes. I used to run it out of /etc/ppp/ip-up.d, but now I use it in conjunction with the pump DHCP client's script option. It uses the Debian init.d script. Your startup script might vary. The important part is the Perl snippet that alters the configuration file in place. You will need a copy of the iproute package installed on your machine to use the ip command. (apt-get install iproute on Debian, of course.)

#!/bin/bash
set +x
# Script to screw Danted's head on straight after an IP change

IF=eth0
PERL=/usr/bin/perl
DANTED=/etc/danted.conf

# First IPv4 address on $IF ('inet ' skips inet6 lines; head keeps one address)
IP=$(/sbin/ip addr show $IF | grep 'inet ' | head -n 1 |\
  awk '{ print $2 }' | awk -F\/ '{ print $1 }')

# Do not write an empty "external:" line if no address was found
[ -n "$IP" ] || { echo "no IPv4 address on $IF" >&2; exit 1; }

# Rewrite every external: line in place with the new address
$PERL -0777 -pi -e "s/^external.*/external: $IP/gm" $DANTED

# HUPing Danted won't rebind it to a new static address
#kill -SIGHUP `pidof -s /usr/sbin/danted`

/etc/init.d/danted stop > /dev/null
sleep 1
/etc/init.d/danted start > /dev/null

Getting Your Tunnel Ready

Now, it's fun time. With OpenSSH, you can securely tunnel your SOCKS connection to the server running Dante, preventing anyone in between your client and your server from intercepting your session. Assuming you have OpenSSH installed and configured on both the client and the server running Dante, the following should do the trick.

jasonb@faith:~$ ssh -L 1080:localhost:1080 rebecca

If you do not have Dante listening on 127.0.0.1, you will need to substitute in an address or hostname that it is listening on. The last argument is, of course, the actual machine running OpenSSH you're connecting to. It need not be the machine running Dante, but it likely will be. For more fun with OpenSSH tunneling you can read my VNC over SSH article.

Links and Useful Resources

  • Extremely outdated information on configuring NEC's SOCKS proxy
  • The Dante proxy server

FROM https://blog.edseek.com/~jasonb/articles/dante_tunnel.shtml

Original link: https://allinfa.com/zh-tw/vps-dante-server-gpass-tor.html
Original title: Using a VPS to set up dante-server with Gpass (世界通) or Tor to get past the GFW - 美博園