-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsetup.txt
173 lines (112 loc) · 6.27 KB
/
setup.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
# this guide will show you how to create a vmess server and an internal proxy
# to be able to access the free world internet when you live inside a country
# with a totalitarian regime like china or iran which the free internet is
# heavily blocked and normal vpn setups do not work.
# for this setup you need two servers:
# 1. a server inside your country where internet is blocked for users but this
# server must have access to the outside internet. we call this server 'INTERNAL'
# in this guide.
# 2. a server outside your country in the free world where internet is accessible
# for all human beings. we call this server 'EXTERNAL' in this guide.
# all operations in this file must be done using a non-root user which is in sudoers list.
# to add a user into sudoers list, execute below command as root on both servers:
sudo adduser USER_NAME sudo
# note that you can secure both your servers by following the
# guide at the final part of this file:
# linux/key-management/ssh.key.for.any.server.txt
# install netstat on both servers:
sudo apt install net-tools
# install ufw on both servers:
sudo apt-get install ufw
# install authbind only on INTERNAL server to be able to perform ssh
# tunneling on ports which require root access (low number ports such as 80)
# without root access:
sudo apt-get install authbind
# execute these commands to create and configure required
# INTERNAL_PORT files for authbind on INTERNAL server:
sudo touch /etc/authbind/byport/INTERNAL_PORT
sudo chmod 755 /etc/authbind/byport/INTERNAL_PORT
sudo chown USER_NAME:USER_NAME /etc/authbind/byport/INTERNAL_PORT
# install docker and docker-compose according to these files only on EXTERNAL server:
# linux/install/docker/install.docker.txt
# linux/install/docker/install.docker.compose.txt
# both servers should not have anything up on respective INTERNAL_PORT and EXTERNAL_PORT.
# if nginx or any other tools are installed and running on those port, you should remove
# them or change their port.
# check INTERNAL_PORT is free on INTERNAL server with this command:
sudo netstat -ano -p tcp | grep INTERNAL_PORT
# check EXTERNAL_PORT is free on EXTERNAL server with this command:
sudo netstat -ano -p tcp | grep EXTERNAL_PORT
# remove nginx with these commands on any of the two servers if you have
# set INTERNAL_PORT or EXTERNAL_PORT to 80, and the port is busy with nginx:
sudo apt-get remove nginx
sudo apt autoremove
# update both INTERNAL and EXTERNAL servers to the latest version:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get full-upgrade
# reboot each server after update is done:
sudo reboot
# make sure both servers have a correct time set by executing this on both:
date
# create this directory on the EXTERNAL server:
mkdir ~/proxy
# execute these commands on your local machine to copy these files
# into the newly created directory on the EXTERNAL server:
scp server/files/config.json USER_NAME@EXTERNAL:~/proxy
scp server/files/docker-compose.yml USER_NAME@EXTERNAL:~/proxy
# you should change the value of 'id' of already defined users in
# 'config.json' file with a new UUID for each user.
# you can also edit the 'config.json' file to add more users to it or remove
# some of already defined users. each user will need a separate UUID.
# you should also edit the 'config.json' file and replace 'VPN_SERVER_PUBLIC_IP'
# with the EXTERNAL server's public ip address in dns section.
# you can create UUID on this website:
# https://www.uuidgenerator.net/version4
# execute these commands on EXTERNAL server to run the v2ray service:
cd ~/proxy
docker-compose up -d
# execute this to check if container is up:
docker ps
# execute this on EXTERNAL server to check if EXTERNAL_PORT is assigned to v2ray:
sudo netstat -ano -p tcp | grep EXTERNAL_PORT
# note that you may only see the tcp6 EXTERNAL_PORT after executing
# the above command, that's fine and v2ray is up and running.
# execute these commands on INTERNAL server:
sudo ufw allow OpenSSH
sudo ufw allow INTERNAL_PORT
sudo ufw enable
# execute these commands on EXTERNAL server:
sudo ufw allow OpenSSH
sudo ufw allow EXTERNAL_PORT
sudo ufw enable
# now consider INTERNAL server as your local machine and EXTERNAL server as remote server.
# then create a pair of private and public keys, put the public key on EXTERNAL server
# and put both keys on INTERNAL server.
# you can check the below file to guide you through creating keys:
# linux/key-management/ssh.key.for.any.server.txt
# it is highly recommended to create the keys on INTERNAL server itself to prevent
# it from leaking during transmission from your local machine to INTERNAL server.
# it is highly recommended to set a really strong password when generating the key pair.
# because you want to put it on INTERNAL server. and also make sure that you only use
# this key for connecting to EXTERNAL server and never use it for anything else.
# this way even if your INTERNAL server provider spies on you, they only can access
# the EXTERNAL server not all your other servers.
# now test to check if you can ssh from INTERNAL to EXTERNAL server using the
# generated keys. execute this on INTERNAL server:
ssh -i PRIVATE_KEY_PATH USER_NAME@EXTERNAL
# if the connection was successful, execute this on INTERNAL server:
authbind --deep ssh -f -N -i PRIVATE_KEY_PATH -o GatewayPorts=true -L INTERNAL_PORT:0.0.0.0:EXTERNAL_PORT USER_NAME@EXTERNAL
# now both servers are ready, and you can configure your clients according
# to the 'clients' directory guide.
# it may be required that you restart the INTERNAL server once a day to get a fresh
# ssh tunnel, because ssh tunnel may get exhausted and connection speeds get reduced.
# for this you need to first reboot the INTERNAL server by executing this:
sudo reboot
# after the server is up again, execute this on INTERNAL server to create the ssh tunnel:
authbind --deep ssh -f -N -i PRIVATE_KEY_PATH -o GatewayPorts=true -L INTERNAL_PORT:0.0.0.0:EXTERNAL_PORT USER_NAME@EXTERNAL
# note that with this configuration, you can point your clients to either connect
# to INTERNAL server or to connect directly to EXTERNAL server. but connecting to EXTERNAL
# server usually gives you better connection speeds because there is no ssh tunnel in between.
# but if you are in a country where you can not access the free internet, you have to point
# your clients to INTERNAL server.