Firewall
12 May 2015

Concepts
- The first requirement is your own VPS (virtual private server): a server located outside the firewall. A VPS can be bought from a commercial supplier. If you possess a PC outside the firewall, it can be treated as your own VPS. Most users don't own a physical PC outside the firewall, an awkward situation that pushes them to buy a VPS.
- Then you can deploy a VPN or Shadowsocks (ss) server on your own VPS.
- Next, a local VPN or ss client needs to be installed.
- After that, you can get through the firewall via VPN or ss.
- VPN and ss are parallel services. You only need one of them, unless you would like to switch between the two for better QoS.
- ss can tell domestic traffic apart from foreign traffic; a traditional VPN, once it tunnels outside the firewall, makes access to domestic sites slower.
- ss uses a small amount of memory.
- Choose ss instead of a VPN.
VPS
There are many VPS suppliers, of which I chose bandwagonhost.com, or the so-called "搬瓦工". bandwagonhost is easy to manage through its web portal, including installing a VPN or ss server, and offers different pricing packages specifying RAM, DISK, BANDWIDTH etc.
My choice is $9.99 USD annually. Of course, it will remind you to register your web account before paying through PayPal.
Pay attention to the pricing link, which is an invite link. If you buy the VPS through bandwagonhost.com directly, you might not locate the $9.99 USD annual pricing package.
You need to wait a few minutes for VPS system initialization. The default VPS system is CentOS6 x86. You can also reinstall or choose a different operating system.
- bandwagonhost: the web portal login. The most important page is `Services -> My Services`. You can also click on `KiviVM Control Panel` to get to the 2nd step.
- KiviVM Control Panel: the VPS management page. Briefly go through the management panel.
- The first tool I avail of is `two-factor authentication` (iOS Google Authenticator), so another temporary code is required for each login into KiviVM.
- Since the CentOS6 x86 root password is no longer sent through email, generate a root password through `root password modification` on the left panel. You can now SSH into your VPS CentOS with clients like PuTTY, MobaXterm or even the ssh command line. Attention: the default SSH port is different from the normal 22. You can get the port from `Main controls`. Don't use the root password often (create a new user account for daily operation, see below). If you need root privilege, just generate a new one!
- Under `KiviVM password modification`, set the password for the KiviVM Control Panel.
- You will SSH into the VPS often to do work. First SSH as root, then create a daily-use user account:

  ```
  adduser username
  passwd username
  ```

  Then SSH as that user for daily operation:

  ```
  ssh -p xxx username@host
  ```

  For a better way of using SSH, please refer to OpenSSH.
ss server Python version
- At the bottom of `KiviVM Control Panel` lies `KiviVM Extras`, from which you find `Shadowsocks Server`. What a relief! You are no longer bothered with installing the ss server manually. The default is the Shadowsocks Python version. After the installation finishes, click `Go back`. Instructions on setting up the ss client for Windows are illustrated there. The ss server runs automatically after the automatic installation.
- The command `ps -ef | grep ssserver` will print the ss server command:

  ```
  root      415    1  0 01:21 ?        00:00:00 /usr/bin/python /usr/bin/ssserver -p 443 -k PASSWORD -m aes-256-cfb --user nobody --workers 2 -d start
  nobody    417  415  0 01:21 ?        00:00:02 /usr/bin/python /usr/bin/ssserver -p 443 -k PASSWORD -m aes-256-cfb --user nobody --workers 2 -d start
  nobody    418  415  0 01:21 ?        00:00:02 /usr/bin/python /usr/bin/ssserver -p 443 -k PASSWORD -m aes-256-cfb --user nobody --workers 2 -d start
  root      822  708  0 07:03 pts/0    00:00:00 grep ssserver
  ```

  `ssserver -h` will show the help information. `-d` means run as a daemon in the background. `--workers 2` generates two worker processes belonging to user `nobody`.
- This automatic method does not run `ssserver` with a configuration file, but with bare command line arguments.
- The ss server was set to run at boot. Let's check:

  ```
  [root@localhost ~]# ls /etc/rc.local -al
  [root@localhost ~]# cat /etc/rc.d/rc.local
  /usr/bin/ssserver -p `cat /root/.kiwivm-shadowsocks-port` -k `cat /root/.kiwivm-shadowsocks-password` -m `cat /root/.kiwivm-shadowsocks-encryption` --user nobody --workers 2 -d start
  ```

  Pay attention: the command line arguments are stored in the `/root/.kiwivm-shadowsocks-*` files.
- Add the option `--forbidden-ip 127.0.0.1,::1` to the `ssserver` command in the /etc/rc.d/rc.local file for security reasons.
- Of course, you can also install the ss server manually. Among others, there are mainly four versions of the ss server: Python version, C libev version, Go version, and C++ with Qt version. Take the Python version as an example:

  ```
  yum install python-setuptools && easy_install pip
  pip install shadowsocks
  /usr/bin/python /usr/bin/ssserver -p 443 -k PASSWORD -m aes-256-cfb --user nobody --workers 2 -d start
  ```

  as in step 1. `ssserver` can also run with the `-c` parameter to specify a configuration file rather than command parameters, for example `ssserver -c /path/to/shadowsocks.json -d start`.
- A simple configuration file `/etc/shadowsocks.json`:

  ```json
  {
    "server": "0.0.0.0",
    "local_address": "127.0.0.1",
    "local_port": 1080,
    "server_port": 8388,
    "password": "password",
    "timeout": 60,
    "method": "aes-256-cfb",
    "fast_open": false,
    "workers": 2
  }
  ```

  The same file using `port_password`, which serves several ports, each with its own password:

  ```json
  {
    "server": "0.0.0.0",
    "local_address": "127.0.0.1",
    "local_port": 1080,
    "port_password": {
      "8388": "password8388",
      "8398": "password8398",
      "8418": "password8418"
    },
    "timeout": 60,
    "method": "aes-256-cfb",
    "fast_open": false,
    "workers": 2
  }
  ```
- The Shadowsocks server `ssserver` is not added to boot startup by the manual install; if you need that, create a startup script so that it starts on boot. Refer to shadowsocks 2.6.8; Building your own shadowsocks server on a VPS (CentOS and Ubuntu methods).
- Note in particular: commands in /etc/rc.local on CentOS 6 must be given with their full path; if only the command name is given, it will not run at reboot. For example, use /usr/bin/ssserver rather than ssserver.
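As an added example (not from the original post or the shadowsocks project), a small Python checker that reads a shadowsocks.json like the two above and flags the settings this post cares about: placeholder passwords, a server bound to all interfaces without the loopback `forbidden_ip` exclusion (the same thing the `--forbidden-ip` step does), ciphers with no real confidentiality, and a `port_password` that silently overrides `server_port`. The sample configs are constructed from the two examples above; the finding codes and the 12-character password floor are my own choices.

```python
import json

# Sample configs constructed to mirror the two shadowsocks.json examples above.
SINGLE_PORT = '''{"server": "0.0.0.0", "local_address": "127.0.0.1", "local_port": 1080,
 "server_port": 8388, "password": "password", "timeout": 60,
 "method": "aes-256-cfb", "fast_open": false, "workers": 2}'''
MULTI_PORT = '''{"server": "0.0.0.0", "local_address": "127.0.0.1", "local_port": 1080,
 "port_password": {"8388": "password8388", "8398": "password8398", "8418": "password8418"},
 "timeout": 60, "method": "aes-256-cfb", "fast_open": false, "workers": 2,
 "forbidden_ip": ["127.0.0.1", "::1"]}'''

WEAK_METHODS = {"table", "rc4", "rc4-md5"}   # no real confidentiality
LOOPBACK = {"127.0.0.1", "::1"}

def check_config(text):
    """Return (code, message) findings for one ssserver JSON config (codes are mine)."""
    cfg = json.loads(text)
    findings = []
    ports = {}
    if "port_password" in cfg:
        # ssserver ignores server_port/password when port_password is present
        if "server_port" in cfg or "password" in cfg:
            findings.append(("PORT_CONFLICT", "server_port/password ignored by port_password"))
        ports = {int(p): pw for p, pw in cfg["port_password"].items()}
    elif "server_port" in cfg:
        ports = {int(cfg["server_port"]): cfg.get("password", "")}
    else:
        findings.append(("NO_PORT", "neither server_port nor port_password is set"))
    for port, pw in sorted(ports.items()):
        if not 1 <= port <= 65535:
            findings.append(("BAD_PORT", "port %d is out of range" % port))
        if len(pw) < 12 or pw.lower().startswith("password"):   # 12-char floor is my choice
            findings.append(("WEAK_PASSWORD", "port %d: placeholder or short password" % port))
    if cfg.get("method", "").lower() in WEAK_METHODS:
        findings.append(("WEAK_METHOD", "%s offers no real confidentiality" % cfg["method"]))
    # A server listening on all interfaces should refuse loopback targets, as the
    # --forbidden-ip step above does, so clients cannot reach localhost-only services on the VPS.
    forbidden = cfg.get("forbidden_ip", [])
    if isinstance(forbidden, str):
        forbidden = forbidden.split(",")
    if cfg.get("server") in ("0.0.0.0", "::") and not LOOPBACK <= set(forbidden):
        findings.append(("LOOPBACK_REACHABLE", 'add "forbidden_ip": ["127.0.0.1", "::1"]'))
    return findings

def codes(text):
    """Just the finding codes, sorted, for quick comparison."""
    return sorted(code for code, _ in check_config(text))

if __name__ == "__main__":
    for name, text in (("single", SINGLE_PORT), ("multi", MULTI_PORT)):
        print(name, check_config(text))
```

Run it against your own /etc/shadowsocks.json before starting `ssserver -c`; the first sample trips both the placeholder password and the missing loopback exclusion.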
ss client
### Windows
There are many clients available; my current Windows 8.1 client is shadowsocks-csharp. Fill in the encryption method, server port, password, and proxy port for the client. The default proxy mode is PAC (Proxy auto-config), not Global.
### Linux
Basically, the different shadowsocks implementations on Linux ship server and client together: yes, the same package. For example, my bandwagonhost uses Python shadowsocks, while Gentoo uses the same package. After installation, the package provides both the server side and the client side. Usually the server-side command is `ssserver` or `ss-server`, while the client-side command is `sslocal` or `ss-local`.

```
# emerge -av shadowsocks
```

Run `sslocal -h` to show the detailed help message.

```
# sslocal -s xx.xx.xx.xx -p yyyy -b 127.0.0.1 -l zzzz -k PASSWORD -m aes-256-cfb -d start
```

Typing this command every time is tedious, so write a script `shadowsocks-sslocal.sh`. If you'd like, add it to boot:

```
#!/bin/bash
/usr/bin/python /usr/bin/sslocal -s xx.xx.xx.xx -p yyyy -b 127.0.0.1 -l zzzz -k PASSWORD -m aes-256-cfb --log-file /var/log/shadowsocks-sslocal.log -d start
```

Move this script to `/usr/local/sbin/`. For details, refer to the bin vs. sbin difference. Change the access mode to `755` and the owner to `root:root`.
So each time you need to get out of the GFW:

```
# /usr/local/sbin/shadowsocks-sslocal.sh
```

Up to now, we are connected to my VPS server! But one step further: FoxyProxy for Firefox. After installing it, `Add New Proxy` and `Add New Pattern Subscription -> Go` with this list:

```
https://autoproxy-gfwlist.googlecode.com/svn/trunk/gfwlist.txt
```

Refer to this link for usage: shadowsocks-go. Though that is the shadowsocks-go version, the principle is similar.
PAC VS Global on Windows
PAC uses ss only for blocked sites; Global uses ss for every site, whatever it is.
The PAC file can be edited yourself to add any site. Of course, you can also use a file maintained by other netizens; the best known is the GFWlist. On Windows, right-click the ss client and a menu item "Update PAC from GFWlist" appears.
Put simply, it is a collected list of blocked URLs: anything that matches goes through the proxy and anything that does not match goes direct, which saves some traffic and helps with browsing speed.
Reference: ShadowSocks tutorial: what is the PAC automatic proxy mode in SS software?
VPS credentials
- Official web portal client area
- KiviVM Control Panel two-factor authentication: the KiviVM password plus a temporary code from Google Authenticator.
- CentOS6 x86 root password: ssh into CentOS for OS-specific management.
- ss server password for the ss client connection, found on `Shadowsocks Server` of the KiviVM control panel.
References
- shadowsocks.org
- shadowsocks github
- Shadowsocks setup tutorial
- ShadowSocks tutorial: Bandwagonhost 搬瓦工 one-click Shadowsocks install guide for beginners
Notes
- SwitchySharp is no longer needed.
- If the VPS CentOS restarted, make sure to run `ssserver` again as a daemon if you did not set it to run on boot.
- DO NOT use OpenVPN on the VPS. GFW can easily sniff OpenVPN traffic and block the VPS IP.
- ss optimization