Firewall

Concepts

1. The paramount is to get your own VPS (virtual private server) - a server located outside of the firewall. VPS can be bought from commercial supplier. If you possess a PC outside of the firewall, that can be treated as your own VPS. Most users don't own a physical PC outside the firewall, which is an awkward situation urging them buying VPS.
2. Then you can deploy VPN or Shadowsocks (ss) servers on your own VPS.
3. Up to now, a local VPN or ss needs installed.
4. After that, you can penetrate the firewall through VPN or ss.
5. VPN and ss are parallel services. You only need one of them unless you would like to switch between these two services for better QoS.
   1. ss支持区分国内外流量，传统VPN在翻出墙外后访问国内站点会变慢.
   2. ss use small number of memory.
6. Choose ss instead of VPN.

VPS

There are many VPS suppliers of which I chose bandwagonhost.com or the so-called "搬瓦工". bandwagonhost is easy to manage by web portal including installing VPN or ss server, offering different kinds of pricing package specifying RAM, DISK, BANDWIDTH etc.

My choice is $9.99 USD annually. Of course, it will reminds you to register your web account before paying through paypal.

Pay attention to the pricing link which is an inviting link. If you buy VPS through bandwagonhost.com, you might not locate the $9.99 USD annually pricing package.

You need to wait for a few minutes for VPS system initialization. The default VPS system is CentOS6 x86. You can also reinstall or choose a different operating system.

1. bandwagonhost: the web portal login. The most important page is Services -> My Services.
   1. You can also click on KiviVM Control Panel to get to the 2nd step.
2. KiviVM Control Panel: VPS management page. Briefly go through the management panel.
   1. The first tool I avail of is two-factor authentication (iOS Google Authenticator) thus another temporary code is required for each login into KiviVM.

   2. Since CentOS6 x86 root password is not send through email any more, generate root password through root password modification on the lest panel. You can now SSH into your VPS Centos with clients like Putty, MobaXterm and even SSH command line. Attention: the default SSH port is different from normal 22. You can get the port from Main controls.

      Don't use the root password often (create a new user account for daily operation, see below). If you need root privilege, just generate a new one!

   3. Under KiviVM password modification, set password for KiviVM Control Panel.

3. You can SSH into VPS often to do work. First SSH as root, then create a daily use user account.

    adduser username
    passwd username
   

   Then SSH as username for daily operation.

    ssh -p xxx username@host
   

   A better way of SSH, please refer to OpenSSH.

ss server Python version

1. At the bottom of KiviVM Control Panel lies KiviVM Extras from which you find Shadowsocks Server. What a relief! You no longer are bothered installing ss server manually. The default is Shadowsocks Python version. After installing finished, click Go back. Instructions on setting ss client for Windows system is illustrated. ss server will run automatically after the automatic installation.

   1. Command ps -ef | grep ssserver will print the ss server command:

      root       415     1  0 01:21 ?        00:00:00 /usr/bin/python /usr/bin/ssserver -p 443 -k PASSWORD -m aes-256-cfb --user nobody --workers 2 -d start
      nobody     417   415  0 01:21 ?        00:00:02 /usr/bin/python /usr/bin/ssserver -p 443 -k PASSWORD -m aes-256-cfb --user nobody --workers 2 -d start
      nobody     418   415  0 01:21 ?        00:00:02 /usr/bin/python /usr/bin/ssserver -p 443 -k PASSWORD -m aes-256-cfb --user nobody --workers 2 -d start
      root       822   708  0 07:03 pts/0    00:00:00 grep ssserver	
      

   2. ssserver -h will show help information
   3. -d means run as a daemon in the background.
   4. --workers 2 will generate two processes belong to user nobody
   5. This automatic method does not run ssserver with a configuration file, but with bare command line arguments.

   6. ss server was set to run at boot. Let's check:

      [root@localhost ~]# ls /etc/rc.local -al

      [root@localhost ~]# cat /etc/rc.d/rc.local

      /usr/bin/ssserver -p cat /root/.kiwivm-shadowsocks-port -k cat /root/.kiwivm-shadowsocks-password -m cat /root/.kiwivm-shadowsocks-encryption –user nobody –workers 2 -d start

      Pay attention to the command line arguments are stored in /root/.kiwivm-shadowsocks-* files.

   7. Add option --forbidden-ip 127.0.0.1,::1 to the /etc/rc.d/rc.local file ssserver command for security reason.

2. Of course, you can also install ss server manually. Among the others, there mainly four versions of ss server: Python version, C libev version, Go version, and C++ with Qt version. Take the Python version as an example:

   yum install python-setuptools && easy_install pip
   pip install shadowsocks
   

   1. /usr/bin/python /usr/bin/ssserver -p 443 -k PASSWORD -m aes-256-cfb --user nobody --workers 2 -d start as step 1.
   2. ssserver can also run with -c parameter to specify a configuration file rather than command parameters.
   3. ssserver -c /path/to/shadowsocks.json -d start for example.

   4. A simple configuration file /etc/shadowsocks.json:

      {
      “server”:”0.0.0.0″,
      “local_address”: “127.0.0.1”,
      “local_port”:1080,
      “server_port”: 8388,
      “password”: “password”,
      “timeout”:60,
      “method”:”aes-256-cfb”,
      “fast_open”: false,
      “workers”: 2
      }
      

   5. multiple users:

      {
      “server”:”0.0.0.0″,
      “local_address”: “127.0.0.1”,
      “local_port”:1080,
      “port_password”:
      {
       “8388”: “password8388″,
       “8398”: “password8398″,
       “8418”: “password8418″
        },
      “timeout”:60,
      “method”:”aes-256-cfb”,
      “fast_open”: false,
      “workers”: 2
      }
      

3. Shadowsocks server ssserver并没有加入到开机启动，如果需要则要创建一个启动脚本，使其开机启动。
4. Refer to shadowsocks 2.6.8; VPS之自建shadowsocks服务器（Centos及Ubuntu方法）
5. 特别要注意：CentOS 6的/etc/rc.local里的命令必须要提供全路径，仅仅提供命令名重启时不运行。如要用/usr/bin/ssserver，而不是ssserver.

ss client

###Windows

There are many clients available, my current windows 8.1 client is shadowsocks-csharp. Fill in the encryption method, server port, password, and proxy port for client. The default proxy mode is PAC (Proxy auto-config) not Global.

###Linux

Basically, different shadowsocks on Linux system share serve and client - YES, the same package. For example, my banwagonhost uses Python shadowsocks, while Gentoo uses the same package. After installation, the package will install both server side and client side. Usually server side command is ssserver or ss-server, while client side command is sslocal or ss-local.

# emerge -av shadowsocks

Run sslocal -h to show the detailed help message.

# sslocal -s xx.xx.xx.xx -p yyyy -b 127.0.0.1 -l zzzz -k PASSWORD -m aes-256-cfb -d start

If each time to input this command, then it is tedious, so need to write a script shadowsocks-sslocal.sh. If you'd like, add it to boot:

#!/bin/bash

/usr/bin/python /usr/bin/sslocal -s xx.xx.xx.xx -p yyyy -b 127.0.0.1 -l zzzz -k PASSWORD -m aes-256-cfb --log-file /var/log/shadowsocks-ssloal.log -d start

Move this script to /usr/local/sbin/. Details refer to bin sbin difference. Change access mode to 755 and added to root:root.

So each time, if need get out of GFW:

# /usr/local/sbin/shawdowsocks-sslocal.sh

Up to now, connected to my VPS server! But one step further - foxy proxy for Firefox. After installing, Add New Proxy and Add New Pattern Subscriptioin -> Go.

https://autoproxy-gfwlist.googlecode.com/svn/trunk/gfwlist.txt

Refer to this link for usage: shadowsocks-go. Though this is shadowsocks-go version, but the principle is the similar.

PAC VS Global on WIndows

pac是只对被墙的使用ss，全局就是无论什么网站都用ss。

pac可以自己修改，添加任意网站。当然也可以用网上网友维护的文件，最有名的是就是GFWlist列表。windows下右键点击ss client，出现一个菜单"Update PAC from GFWlist" 。

说的简单点，就是一个被Q网址收集汇总，只要配对上就会走代理，没有配对上就不走代理，这样子就节省了一些流量，包括上网速度等问题。

参考ShadowSocks教程:SS软件中的pac自动代理模式是什么？

VPS credentials

1. Official web portal client area
2. KiviVM Control Panel two-factor authentication:
   1. KiviVM password
   2. Temporary code from Google Authenticator.
3. CentOS6 x86 root password: ssh into CentOS for OS-specific management.
4. ss server password for ss client connectoin on Shadowsocks Server of KiviVM control panel.

References

1. shadowsocks.org
2. shadowsocks github
3. shadowsocks搭建教程
4. ShadowSocks教程:Bandwagonhost搬瓦工一键安装Shadowsocks新手小白教程

Notes

1. SwichSharp is no longer needed.
2. If VPS CentOS restarted, then make sure to run ssserver again as a daemon if you don't set it run on boot.
3. DO NOT use OpenVPN on VPS. GFW can easily siniff OpenVPN traffic and block VPS IP.
4. ss优化