Lately the GFW's blocking has become ever more aggressive; a while ago even Gmail was blocked entirely. It is really infuriating.
Here I record an article on setting up a "ladder" (a proxy server outside the wall), to show my resolve.
First buy a VPS hosted abroad: the well-off go for Linode or DigitalOcean, the broke go for bandwagonhost. Failing that, try to get a free VPS from haphost, though you need some luck to get one. I am the lucky type, of course, hahaha. On to the main topic.
One more note: it is best to reinstall the system after purchase; CentOS 6 is recommended. Then, after connecting to the VPS over ssh, first install a few essential development tools, because shadowsocks will be compiled and installed on the VPS.
Excerpt (note: yum install needs root privileges):
CentOS 7
If you want to be able to compile packages in Red Hat/CentOS, you can issue the following command:
# libssl-dev and build-essential are Debian/Ubuntu package names and do not exist in yum; they are left out here
yum -y install make gcc gcc-c++ kernel-devel git autoconf libtool openssl openssl-devel net-tools.x86_64 wget
Or:
yum groupinstall "Development Tools"
CentOS 6:
yum -y install autoconf libtool gcc openssl openssl-devel make gcc-c++ git net-tools.x86_64 wget
The above installs the essential development tools. Next:
yum install epel-release -y
yum install gcc gettext autoconf libtool automake make pcre-devel asciidoc xmlto udns-devel libev-devel -y
git clone https://github.com/shadowsocks/shadowsocks-libev.git
cd shadowsocks-libev
git submodule update --init --recursive
./autogen.sh && ./configure && make
sudo make install
A few errors that came up
configure: error: mbed TLS libraries not found.
This is caused by the missing mbed TLS library, so we install whatever is missing. Install the mbed TLS library first, downloading it from the official site https://tls.mbed.org/ .
wget https://tls.mbed.org/download/mbedtls-2.5.1-apache.tgz
tar zxvf mbedtls-2.5.1-apache.tgz
cd mbedtls-2.5.1
make
make install
configure: error: The Sodium crypto library libraries not found.
wget https://download.libsodium.org/libsodium/releases/libsodium-1.0.13.tar.gz
tar xzf libsodium-1.0.13.tar.gz
cd libsodium-1.0.13
./configure
make && make check
sudo make install
If make fails, run configure (in the shadowsocks-libev source directory) with the options below:
./configure --with-sodium-include=/usr/local/include --with-sodium-lib=/usr/local/lib --with-mbedtls-include=/usr/local/include --with-mbedtls-lib=/usr/local/lib
Other errors: the c-ares library is missing, which is built the same way:
wget https://c-ares.haxx.se/download/c-ares-1.13.0.tar.gz
tar xzf c-ares-1.13.0.tar.gz
cd c-ares-1.13.0
./configure
make && make check
sudo make install
Add the dynamic linker configuration so the libraries in /usr/local/lib are found:
echo '/usr/local/lib' >> /etc/ld.so.conf.d/local.conf   # or: echo "/usr/local/lib" >> /etc/ld.so.conf
/sbin/ldconfig
Configure shadowsocks: vim /etc/shadowsocks/config.json
{
    "server": "<VPS IP>",
    "server_port": 8080,
    "local_port": 1080,
    "password": "password",
    "timeout": 60,
    "method": "aes-256-cfb"
}
password is the authentication password; fill in your own. method is the cipher: the default is table, and aes-256-cfb is recommended (used above). JSON allows no # comments, so keep such notes out of the file or ss-server will refuse to parse it.
Alternatively, run it in the following way, passing the parameters on the command line.
Next, run shadowsocks: nohup /usr/local/bin/ss-server -s <IP address> -p <port> -k <password> -m <cipher> &
For example: nohup /usr/local/bin/ss-server -s 156.132.67.213 -p 8981 -k admin888 -m aes-256-cfb &
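The config file above ships with the cipher "table" and the password "password", and the command-line example uses admin888; the following script, an added example that is not from the original post, lints a config.json for exactly those weak defaults (and for the # comments that break JSON) before ss-server is started. Both sample configs are constructed, and the 203.0.113.x address is a documentation placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: lint a shadowsocks config.json
# for the weak defaults discussed above (cipher "table", password "password")
# before starting ss-server. Both sample configs are constructed.

# json_str JSON KEY -> value of a string-valued key ("key": "value").
# The config is flattened first; enough for ss-server's flat key/value layout.
json_str() {
    printf '%s' "$1" | tr -d '\n' |
        sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# ss_config_check JSON -> prints one finding per line; returns 0 only if none.
ss_config_check() {
    method=$(json_str "$1" method)
    password=$(json_str "$1" password)
    findings=0
    # "table" (the default), rc4 and plain offer no real confidentiality.
    case "$method" in
        ''|table|rc4|rc4-md5|plain|none)
            echo "method '${method:-table}' is a broken or null cipher; use aes-256-cfb or an AEAD cipher such as chacha20-ietf-poly1305"
            findings=$((findings + 1)) ;;
    esac
    # Reject the post's placeholder passwords and anything short.
    weak_pw=0
    case "$password" in ''|password|admin*|123*) weak_pw=1 ;; esac
    [ "${#password}" -lt 16 ] && weak_pw=1
    if [ "$weak_pw" -eq 1 ]; then
        echo "password '$password' is a default or short value; generate a random one (e.g. openssl rand -base64 24)"
        findings=$((findings + 1))
    fi
    # ss-server parses strict JSON: a '#' comment in the file breaks the whole config.
    case "$1" in *'#'*)
        echo "'#' found: JSON allows no comments, ss-server will fail to parse this file"
        findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Constructed samples: the post's defaults versus a hardened config.
WEAK_CFG='{"server":"203.0.113.10","server_port":8080,"local_port":1080,
"password":"password","timeout":60,"method":"table"}'
GOOD_CFG='{"server":"203.0.113.10","server_port":8981,"local_port":1080,
"password":"rV9kq2LmX7tPz4wBn6Hs","timeout":60,"method":"aes-256-cfb"}'

echo "== weak config =="; ss_config_check "$WEAK_CFG" || echo "-> fix before starting ss-server"
echo "== hardened config =="; ss_config_check "$GOOD_CFG" && echo "no findings"
```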
Restart the shadowsocks service:
/etc/init.d/shadowsocks stop
/etc/init.d/shadowsocks start
Actually, on CentOS 7 it seems everything uses commands like systemctl restart ss-server.
To use shadowsocks on Windows, download the client: http://sourceforge.net/projects/shadowsocksgui/files/dist/ , fill in the parameters configured earlier, save and run. Set the browser proxy as follows: protocol: socks5, address: 127.0.0.1, port: the local_port entered above. Recommended together with AutoProxy or Proxy SwitchySharp.
https://shadowsocks.org/en/download/servers.html
# cat /etc/ss/ss-libev.sh
#!/bin/bash
SCRIPTNAME=ss-libev.sh
case "$1" in
start)
    (/usr/bin/ss-server -c /etc/ss/shadowsocks.json -u -A --acl /etc/ss/blacklist.txt -6 > /dev/null 2>&1 &)
    echo "Shadowsocks-Libev Custom Server Service started"
    ;;
stop)
    pkill -u nobody ss-server
    echo "Shadowsocks-Libev Custom Server Service stopped"
    ;;
*)
    echo "Usage: $SCRIPTNAME {start|stop}" >&2
    exit 3
    ;;
esac
Service unit:
# cat /etc/ss/ss-libev.service
[Unit]
Description=Shadowsocks-Libev Custom Server Service
Documentation=man:ss-server(1)
After=network.target

[Service]
Type=forking
User=nobody
Group=nogroup
LimitNOFILE=32768
ExecStart=/etc/ss/ss-libev.sh start
ExecStop=/etc/ss/ss-libev.sh stop

[Install]
WantedBy=multi-user.target
The /etc/init.d/shadowsocks script:
#!/bin/bash
### BEGIN INIT INFO
#
# Provides: location_server
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: ss-server initscript
# Description: This file should be used to construct scripts to be placed in /etc/init.d.
#
### END INIT INFO
## Fill in name of program here.
## First non-loopback IPv4 address. (tr -d "addr:" would delete every a, d, r and : character; sed strips only the "addr:" prefix that older ifconfig prints.)
IP_ADDR=$(/sbin/ifconfig -a | grep inet | grep -v 127.0.0.1 | grep -v inet6 | awk '{print $2}' | sed 's/^addr://' | head -n 1)
PROG="ss-server"
PROG_PATH="/usr/local/bin" ## Not need, but sometimes helpful (if $PROG resides in /opt for example).
PROG_ARGS="-s $IP_ADDR -p portxxx -k passwordxxx -m aes-256-cfb -t 3600 -u -d 8.8.8.8 --fast-open"
PID_PATH="/var/run/"
start() {
if [ -e "$PID_PATH/$PROG.pid" ]; then
## Program is running, exit with error.
echo "Error! $PROG is currently running!" 1>&2
exit 1
else
## Change from /dev/null to something like /var/log/$PROG if you want to save output.
## Redirect stdout first, then stderr onto it; the other order sends stderr to the terminal.
$PROG_PATH/$PROG $PROG_ARGS >/var/log/$PROG 2>&1 &
pid=`pgrep $PROG`
echo "$PROG started"
echo $pid > "$PID_PATH/$PROG.pid"
fi
}
stop() {
echo "begin stop"
if [ -e "$PID_PATH/$PROG.pid" ]; then
## Program is running, so stop it
pid=`pgrep $PROG`
kill $pid
rm -f "$PID_PATH/$PROG.pid"
echo "$PROG stopped"
else
## Program is not running, exit with error.
echo "Error! $PROG not started!" 1>&2
exit 1
fi
}
## Check to see if we are running as root first.
## Found at http://www.cyberciti.biz/tips/shell-root-user-check-script.html
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
case "$1" in
start)
start
exit 0
;;
stop)
stop
exit 0
;;
reload|restart|force-reload)
stop
start
exit 0
;;
*)
echo "Usage: $0 {start|stop|reload}" 1>&2
exit 1
;;
esac
chkconfig --add shadowsocks
chkconfig --list shadowsocks
I wrote a simple process-guardian script; friends with the same need can use it as a reference:
#!/bin/sh
while true; do
    if ! ps -A | grep -q ss-server; then
        echo "$(date "+%y-%m-%d %H:%M:%S") no ss-server, run it" >> /var/log/ssguardian.log
        /etc/init.d/shadowsocks start
    else
        echo "$(date "+%y-%m-%d %H:%M:%S") OK" >> /var/log/ssguardian.log
    fi
    sleep 10
done
This script uses ps to check whether the shadowsocks process exists; if it does not, it restarts it, and if it does, it does nothing. It is a loop: after each pass it sleeps 10 seconds and runs again, over and over.
Throw it into the background with nohup:
nohup sh ssguardian.sh 2>&1 &
View the run log with:
tail -f /var/log/ssguardian.log
PS: you can comment out the fourth- and fifth-to-last lines of this script (the else branch that logs "OK") so the log does not grow too fast.
After changing the kernel of a CentOS system on Linode, ssh could not be reached; the fix is below. The cause is that the new kernel enables SELinux by default.
Changing the sshd port on CentOS 7
- Edit /etc/ssh/sshd_config and add or modify the line Port XX (replace XX with the port you want).
- Check whether the firewall is running:
systemctl status firewalld.service
If it is, open the port above in the firewall:
# First check whether it has already been added
firewall-cmd --zone=public --list-ports
# If the port is already there, skip this command. Replace XX with the port you actually want
firewall-cmd --zone=public --add-port=XX/tcp --permanent
# Reload
firewall-cmd --reload
- Check whether SELinux is enabled:
sestatus -v
If it shows disabled, SELinux is off and this step can be skipped.
If you want to turn SELinux off, edit /etc/selinux/config and change the line SELINUX=enforcing to:
SELINUX=disabled
Then reboot; run sestatus -v again to confirm it is off.
If you would rather not turn SELinux off, allow the sshd port set above in SELinux instead:
Changing SELinux settings requires the semanage command, which is not installed by default; run yum provides semanage to see which package supplies it. That shows it comes from policycoreutils-python, so install that package:
yum install policycoreutils-python
Once installed, list the ports sshd currently has in SELinux:
semanage port -l | grep ssh
Normally it shows:
ssh_port_t tcp 22
Now add the port to SELinux's ssh_port_t:
semanage port -a -t ssh_port_t -p tcp XX
Run semanage port -l | grep ssh again and the newly added port will be listed.
- Now restart sshd and the new port takes effect:
systemctl restart sshd.service
systemctl status sshd.service
PS: if SELinux is enabled and you restart sshd without adding the port to SELinux, systemctl status sshd.service shows sshd failing to start with (code=exited, status=255), and journalctl -u sshd.service shows the error:
Bind to port xxxx on 0.0.0.0 failed: Permission denied.
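The whole procedure above condensed into a pre-flight check, as an added example that is not from the original post: it reads sestatus and semanage output to decide whether restarting sshd on the new port would hit the "Bind to port ... Permission denied" failure, and only applies the change once it will not. The sample outputs are constructed; apply_sshd_port assumes firewall-cmd, sestatus and semanage on the host, root, and that the Port line in sshd_config has already been edited.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for the sshd
# port change so sshd is only restarted once SELinux (and the firewall) allow
# the new port. The parsers take command output as an argument so they can
# be exercised offline on the constructed samples at the bottom.

# selinux_mode "<sestatus -v output>" -> disabled | permissive | enforcing
selinux_mode() {
    status=$(printf '%s\n' "$1" | sed -n 's/^SELinux status:[[:space:]]*//p')
    if [ "$status" != "enabled" ]; then echo disabled; return 0; fi
    printf '%s\n' "$1" | sed -n 's/^Current mode:[[:space:]]*//p'
}

# ssh_port_labelled PORT "<semanage port -l output>" -> 0 if PORT is in ssh_port_t/tcp
ssh_port_labelled() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# sshd_port_ready PORT SESTATUS SEMANAGE -> 0 when a restart will not fail in bind().
# Permissive mode only logs the denial, so only enforcing needs the port label.
sshd_port_ready() {
    [ "$(selinux_mode "$2")" != "enforcing" ] || ssh_port_labelled "$1" "$3"
}

# apply_sshd_port PORT: the real change, run as root on the host (assumes Port is set in sshd_config).
apply_sshd_port() {
    firewall-cmd --zone=public --add-port="$1/tcp" --permanent && firewall-cmd --reload
    sshd_port_ready "$1" "$(sestatus -v)" "$(semanage port -l)" ||
        semanage port -a -t ssh_port_t -p tcp "$1"
    sshd -t && systemctl restart sshd.service
}

# Constructed sample outputs (shortened to the lines the parsers use).
SESTATUS_ENF='SELinux status:                 enabled
Current mode:                   enforcing'
SESTATUS_DIS='SELinux status:                 disabled'
SEMANAGE_OUT='ssh_port_t                     tcp      22
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# Demo: 22 is labelled, 2222 is not yet, so an enforcing host would fail to bind 2222.
sshd_port_ready 2222 "$SESTATUS_ENF" "$SEMANAGE_OUT" && echo "2222 ready" ||
    echo "2222 needs: semanage port -a -t ssh_port_t -p tcp 2222"
```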