- 2011-12-6 21:26
- 短网址
- 字号
-
利用vps搭建dante-server配合世界通或tor翻墙
gpass的设置选项的“通道”有一个socks5加密通道选项。但是免费的socks5服务器很不好找,不是失效得快就是很快被GFW封锁。如果你有自己的vps,你可以在自己的vps上搭建socks5服务器。
原文转载自:http://briteming.blogspot.com/2011/11/vpsdante-servergpasstor.html
dante-server是一款比较好用的socks5服务器软件。下面说下如何搭建dante-server。
如果你的vps是debian/ubuntu系统,则:
# apt-get install apt-spy -y
# apt-get update -y
# apt-get install dante-server -y
然后修改dante-server的配置文件/etc/danted.conf如下:
在#logoutput: stderr的下面一行添加:
logoutput: syslog
在# Alternatively, the interface name can be used instead of the address.的下面一行添加:
internal: eth0 port = 1080 建议把1080改为其他端口,以免被扫描工具扫到
internal: 127.0.0.1 port = 1080 建议把1080改为其他端口,以免被扫描工具扫到
external: eth0
取消# method: username none的注释。
取消# user.notprivileged: nobody的注释。
在user.notprivileged: nobody的下面添加:
client pass {
from: 192.168.0.0/0 port 1-65535 to: 0.0.0.0/0
}
client pass {
from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}
client block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
block {
from: 0.0.0.0/0 to: 127.0.0.0/8
log: connect error
}
pass {
from: 192.168.0.0/0 to: 0.0.0.0/0
protocol: tcp udp
}
pass {
from: 127.0.0.0/8 to: 0.0.0.0/0
protocol: tcp udp
}
block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
修改# user.libwrap: libwrap为user.libwrap: nobody
然后保存更改。
然后运行/etc/init.d/danted start以启动dante-server.你可以把/etc/init.d/danted start添加到/etc/rc.local中。
验证dante-server是否安装成功-设置ff的socks5代理地址为yourdomain.com:1080,或your-vps-ip:1080,(建议把1080改为其他端口,以免被扫描工具扫到)然后访问ip138.com,如果页面显示你的vps的ip,则表明安装成功。
dante-server不会主动的释放已经占用的资源,用的 太频繁就会导致系统资源被占光,vps等于是死机了,只能重启vps。如果不重启vps,你在vps上建立的网站将无法访问,也无法登陆putty(打开 putty后,login as半天都不会显示。),用这台vps的SSH帐号即使能在myentunnel里登录,也无法翻墙。为了不让dante-server过快的用完系统资 源,有必要让dante-server每小时自动重启一次。此时就要祭出crontab了。在/etc/cron.hourly目录里新建一个 danted文件,编辑这个文件,在里面输入/etc/init.d/danted restart,保存编辑。然后把这个danted文件设为755属性。这样dante-server每小时就会自动重启一次,从而释放其占用的资源。
如果你的vps是centos/fedora 32bit系统,则:
# wget http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/miniupnpc-1.4-1.el5.rf.i386.rpm
# wget http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/dante-1.2.3-1.el5.rf.i386.rpm
# wget http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/dante-server-1.2.3-1.el5.rf.i386.rpm
# rpm -ivh miniupnpc-1.4-1.el5.rf.i386.rpm
# rpm -ivh dante-1.2.3-1.el5.rf.i386.rpm
# rpm -ivh dante-server-1.2.3-1.el5.rf.i386.rpm
(如果你的vps是centos/fedora 64bit系统,则把上面所有的i386改为x86_64)
然后修改dante-server的配置文件/etc/sockd.conf,修改的地方跟debian/ubuntu系统下的/etc/danted.conf要修改的地方几乎一样,只是/etc/danted.conf里的user.notprivileged在/etc/sockd.conf中变成了user.unprivileged。请对照着修改。
然后在putty.exe里运行/usr/sbin/sockd以启动dante-server, 这时会显示sockdexit(): truncate(/var/run/sockd.pid): No such file or directory (errno = 2),这是因为sockd要在/var/run/里生成sockd.pid文件,但/var/run/目录没有写入权限,把它的权限改为777:
# chmod 777 /var/run/,然后运行/usr/sbin/sockd就正常了。
你可以把/usr/sbin/sockd添加到/etc/rc.local中。
验证dante-server是否安装成功-设置ff的socks5代理地址为yourdomain.com:1080,或your-vps-ip:1080(建议把1080改为其他端口,以免被扫描工具扫到),然后访问ip138.com,如果页面显示你的vps的ip,则表明安装成功。
同debian系统下一样,在centos vps下,dante-server不 会主动的释放已经占用的资源,用的太频繁就会导致系统资源被占光,vps等于是死机了,只能重启vps。此时就要祭出crontab了。在/etc /cron.hourly目录里新建一个sockd文件,编辑这个文件,在里面输入/etc/init.d/sockd restart,保存编辑。然后把这个sockd文件设为755属性。这样dante-server每小时就会自动重启一次,从而释放其占用的资源。
然后启动gpass.exe,在gpass的设置选项的“通道”标签栏下,选择socks5加密通道,然后在下面的socks5服务器栏填写你的vps的ip或主机名,端口填1080(建议把1080改为其他端口,以免被扫描工具扫到),用户名和密码留空,点击下方的“启用”按钮。然后把浏览器的快捷方式拖放到gpass的上网程序窗口中。在gpass的上网程序窗口中,双击该浏览器的图标即可在打开的浏览器中,惬意的翻墙了。
建议使用k-meleon浏览器(http://k-meleon.org/download/)。我搭配ie或chrome使用时,ie或chrome容易停止响应。
世界通下载
虽然有了vps,可以直接用ssh帐号翻墙。但是并不能说有了ssh,VPN就没搭建的必要了。同样,socks5代理的搭建也是有其意义和价值的。
---------------------------------------------------------------------------------------------------------------------
在新版的tor vidalia 程序中,点击“设置中继服务器”-“网络”-勾选“我使用代理服务器连接到网络”-address栏填写你的vps的主机名或ip,端口填写你的dante server的端口,
type选择socks 5,然后点击“确定”。这样通过你建立的socks 5代理,即可很顺利的连接上tor网络,设置浏览器的socks代理为127.0.0.1:9050,从而用tor翻墙。
作者email:luckypoem#gmail.com
-------------------------------------------------------------------------------------------------
From Wiki
When working on a private LAN with no direct internet access available, squid is normally used a proxy server for internet and ftp traffic. SSH or scp (or other traffic) however, will require a SOCKS server in order to reach the internet.
Dante socks server provides just that.
Contents[hide] |
How to install dante socks server on debian (ubuntu is similar):
apt-get install dante-server
This installs dante onto your debian server. By default it will not start (it will try to start - but will fail saying "no internal interfaces are configured etc...").
To configure Dante socks server:
vi /etc/danted.conf
By default - most required lines will be uncommented. The following lines need to be inserted/ uncommented in danted.conf
#logoutput: stderr
logoutput: syslog
#the above line will send any logs to /var/log/syslog instead to a terminal
internal: eth0 port = 1080
internal: 127.0.0.1 port = 1080
external: eth0
method: username none
#the above puts no username or password. Access will instead be controlled via client ip address/range.
#if there is no username or password - then danted socks server needs to run as nobody, i.e.
#method: pam
# if you choose to use pam instead - a valid username&password as required for sshing to the socks server is required.
#Note: not sure if proxy login details are sent in clear text.
#user.privileged: proxy
user.notprivileged: nobody
client pass {
from: 192.168.0.0/0 port 1-65535 to: 0.0.0.0/0 (黑体字是我改的)
}
client pass {
from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}
client block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
#Finally block other traffic
block {
from: 0.0.0.0/0 to: 127.0.0.0/8
log: connect error
}
pass {
from: 192.168.0.0/0 to: 0.0.0.0/0 (黑体字是我改的)
protocol: tcp udp
}
pass {
from: 127.0.0.0/8 to: 0.0.0.0/0
protocol: tcp udp
}
block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
Once the config is complete. Start/Restart dante socks server:
/etc/init.d/danted start
If there is a problem with the config - it will tell you immediately on trying to start the danted daemon.
Test Dante Socks Server
netstat -n -a #check to see if server is listening on 1080
Make sure the firewall is open. Add appropriate rule as on Iptables_Firewall. Test also with winscp or putty.
Other SOCKS Servers
Note that putty itself can provide a SOCKS 5 server!! (But putty needs to be able to connect to an external server/computer firstly!)
To configure socks to act as a socks v5 server:
Open Putty, Go to CONNECTION -> SSH -> TUNNELS In the Source Port - put 1080 In the Destination Port - put 1080 Click on the Dynamic radio button for "Dynamic Port Forwarding"
Connect to an server with external access. Telnet localhost 1080 and it should connect.
Also note - SOCKS v5 can be setup using ssh on the command line.
ssh user@server.com -D 1080 # -D is for Dynamic Port Forwarding.
More info on Dante's Config at:
http://trekweb.com/~jasonb/articles/dante_tunnel.shtml
from http://wiki.kartbuilding.net/index.php/Dante_Socks_Server
----------------------------------------------------------------------
下载dante
http://www.inet.no/dante/
下载源码, 解压之
make
make install
默认安装到 /usr/local/
可执行文件为 /usr/local/sbin/sockd
添加一个新的用户sockd。为保证安全,将登录 shell 设置为 /bin/false
具体适用的配置文件如下:
sockd.conf :
#连接到服务器上用的网卡,端口
internal: eth0 port = 1080
#从服务器连向外部的网卡
external: eth0
#验证方式,这里适用系统账户
method: username
user.privileged: root
user.notprivileged: sockd
#日志存放地点
logoutput: /var/log/sockd/sockd.log
## client access rules
client pass {
from: 0.0.0.0/0 to: 0.0.0.0/0 #internal network
log: connect disconnect
}
## server operation access rules
#allow bind to ports greater than 1023
pass {
from: 0.0.0.0/0 to: 0.0.0.0/0 port gt 1023
command: bind
log: connect disconnect
}
#allow outgoing connections (tcp and udp)
pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
command: connect udpassociate
log: connect disconnect
}
#allow replies to bind, and incoming udp packets
pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
command: bindreply udpreply
log: connect error
}
#log the rest
block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
dante不会主动的释放已经占用的资源,用的太频繁就会导致系统资源被占光,只能重启。为此,有一个笨拙(但有效)的解决方案。
在计划任务的 /etc/cron.daily 里添加一个文件,名字随便。比如,sockdkill,内容如下:
#restart sockd everyday
sleep 60
DAY=`date +%Y%m%d`
cp /var/log/sockd/sockd.log /var/log/sockd/sockd.log.${DAY}
cd /var/log/sockd
gzip sockd.log.${DAY}
killall sockd 1>/dev/null 2>/dev/null
killall sockd 1>/dev/null 2>/dev/null
echo > /var/log/sockd/sockd.log
/etc/init.d/sockd start
然后每天会重启一次dante,更新系统日志。
-------------------------------------------------------------------------------------------------------------------------------------------------
| Configuring a DANTE SOCKS Proxy |
| I have been using the Dante SOCKS v4 and v5 compatible proxy server for quite a few months now. A SOCKS proxy is a general purpose proxying daemon. It works great for tunneling things like HTTP and AOL IM through a trusted relay over a secure connection. The untrusted medium could be a wireless link or a corporate network with a draconian Web access policy. The SOCKS proxy provides the connection proxying mechanism and the tunnel (via OpenSSH) provides the security. It's possible you do not need to install and configure Dante. OpenSSH supports basic SOCKS emulation. For example, the following will setup a basic SOCKS proxy on localhost accessible via port 1080 and tunnel it securely to the target host, rebecca. From there, a connection is made in a fashion similar to what a real SOCKS proxy would do. jasonb@faith:~$ ssh -D 1080 rebecca If the above doesn't work for your application, you can read on for information on configuring and installing Dante, a complete SOCKS proxy solution. Obtaining and Configuring Dante # apt-get update # apt-get install dante-server Thereafter, you can skip the source compilation step and move on to the configuration file. For non Debian users, obtain a copy of Dante. The most recently version is 1.1.14 as of this writing. Unpack the sourceball, browse the various documentation files, then run a configure similar to the following. jasonb@faith:~/src$ tar -zxvf dante-1.1.14.tar.gz ... jasonb@faith:~/src$ cd dante-1.1.14 jasonb@faith:~/src/dante-1.1.14$ jasonb@faith:~/src/dante-1.1.14$ ./configure \ --with-sockd-conf=/etc/danted.conf Configuring Dante 1.1.14: ... jasonb@faith:~/src/dante-1.1.14$ make -j2 ... jasonb@faith:~/src/dante-1.1.14$ su jasonb@faith:~/src/dante-1.1.14# make install ^D Once that's done, it's time to take a crack at the configuration file. It's expected to live in /etc/sockd.conf by default and /etc/danted.conf if you're using the Debian package or my configuration above. faith:/# cat /etc/danted.conf # See examples/sockd.conf for additional details First, logging is enabled via the syslog mechanism and internal and external addresses are bound. The internal bindings include a port specification. The external one, of course, does not. The external binding cannot be an interface for versions prior to 1.1.7, but that shouldn't be a problem as of this writing. If you have a static IP, that's fine, too. logoutput: syslog internal: eth1 port = 1080 internal: 127.0.0.1 port = 1080 external: 1.2.3.4 # or external: eth0 Next, we define some basic authentication items. Dante supports things like identd and PAM authentication, but I did not configure those. For this proxy's simple task I went without authentication. method: username none # Not using authentication, so unnecessary #user.privileged: proxy user.notprivileged: nobody Finally, we define the access controls for this daemon. They are checked against in the order they appear in the configuration file. It's important not to allow the world to access your proxy server, since bad things can happen. client pass {
from: 192.168.0.0/16 port 1-65535 to: 0.0.0.0/0
}
client pass {
from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}
client block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
These next four directives control who can speak to what. Requests from anywhere to the loopback addresses are dropped. Next, connections from the loopback addresses and 192.168.0.0/16 are allowed to speak to anyone using either the tcp or udp protocols. Finally, all other requests are dropped. block {
from: 0.0.0.0/0 to: 127.0.0.0/8
log: connect error
}
pass {
from: 192.168.0.0/16 to: 0.0.0.0/0
protocol: tcp udp
}
pass {
from: 127.0.0.0/8 to: 0.0.0.0/0
protocol: tcp udp
}
block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
Now you can fire up Dante. faith:# sockd -V (or the danted binary on Debian) faith:# sockd -d That will start Dante in debugging mode. Start your favourite Web browser and tell it to use a SOCKS proxy server. Don't accidently use an HTTP proxy, because that won't work. Visit a working URI and see if it loads. If it does, you're good to go. If not, check /var/log for useful clues. Dante will complain if something isn't working correctly, like it isn't able to bind to a port or it's denying you access. #!/bin/bash
set +x
# Script to screw Danted's head on straight after an IP change
IF=eth0
PERL=/usr/bin/perl
DANTED=/etc/danted.conf
IP=$(/sbin/ip addr show $IF | grep inet |\
awk '{ print $2 }' | awk -F\/ '{ print $1 }')
$PERL -0777 -pi -e "s/^external.*/external: $IP/gm" $DANTED
# HUPing Danted won't rebind it to a new static address
#kill -SIGHUP `pidof -s /usr/sbin/danted`
/etc/init.d/danted stop > /dev/null
sleep 1
/etc/init.d/danted start > /dev/null
Getting Your Tunnel Ready Now, it's fun time. With OpenSSH, you can securely tunnel your SOCKS connection to the server running Dante, preventing anyone in between your client and your server from intercepting your session. Assuming you have OpenSSH installed and configured on both the client and the server running Dante, the following should do the trick. jasonb@faith:~$ ssh -L 1080:localhost:1080 rebecca If you do not have Dante listening on 127.0.0.1, you will need to substitute in an address or hostname that it is listening on. The last argument is, of course, the actual machine running OpenSSH you're connecting to. It need not be the machine running Dante, but it likely will be. For more fun with OpenSSH tunneling you can read my VNC over SSH article. Links and Useful Resources
FROM http://blog.edseek.com/~jasonb/articles/dante_tunnel.shtml |
原文标题:利用vps搭建dante-server配合世界通或tor翻墙 - 美博园
美博园文章均为“原创 - 首发”,请尊重辛劳撰写,转载请以上面完整链接注明来源!
软件版权归原作者!个别转载文,本站会注明为转载。
网 友 留 言
2条评论 in “利用vps搭建dante-server配合世界通或tor翻墙”这里是你留言评论的地方
