Notice: this article is a repost; copyright belongs to the original author.
The previous article, "V2Ray Tutorial", covered the basic use of V2Ray. This article covers an advanced technique: traffic disguise. For client software see: V2Ray client downloads; for a server whose IP has already been blocked see: Rescuing a blocked server.
Why traffic disguise is needed
Since the Wall was built, our country's network blocking technology has led the world, and with the continued contributions of Principal Fang and others, blocking and interference techniques keep evolving. Traditional circumvention methods such as VPNs and ssh tunnels are gradually identified and disrupted by the Wall, access to overseas sites keeps getting harder, and that in turn pushes netizens to advance wall-crossing techniques.
Over the years of circumvention, many techniques have risen and faded, and countless self-hosted servers have been tripped up. Those who lived through the "talking and laughing" era learned that keeping quiet and making a fortune is a truth of life. The same applies to wall-crossing techniques: first, do not be loud and showy, or you will most likely be hit and blocked; second, keep your traffic as close to ordinary traffic as possible and do not stand out, for example by using unusual ports or strange custom protocols. The disguise described here wraps circumvention traffic in ordinary https/tls, which lowers the chance of the vps being blocked.
Prerequisites
This article assumes the reader already has:
- A vps outside the country; for purchasing see: A roundup of VPS vendors;
- A domain name, with no ICP filing required (a filed domain makes traffic flow more smoothly, but it also means that if anything happens you are easier to invite for tea);
- A certificate for the domain; a free Let’s Encrypt certificate works, see: Using free Let’s Encrypt certificates;
- Basic linux skills, including the use of an editor such as vim/nano.
In theory a certificate is not required. But without tls, or without encryption at all, the Wall can see the real intent directly and interfere, which is why disguising traffic as plain http is not recommended. The method given here encrypts traffic under a certificate issued by a legitimate CA; it is real tls rather than tls-lookalike traffic produced by feature obfuscation, and so is harder to detect and disrupt.
When choosing a disguise technique, websocket+tls+web and http2+tls+web are the usual candidates to compare. In theory http2 saves the upgrade request and performs better. In practice there is no noticeable difference, and some web servers (nginx, for example) do not support http2 towards the backend, so websocket is the more popular choice. If you want http2, remember that the web server cannot be nginx; use caddy or other software that supports http2 to the backend.
The following sections describe the configuration steps. The demo domain is tlanyan.me, the server runs linux (centos), the web server is nginx, and the combination used is websocket+tls+web. The end result: opening the domain over http/https shows a normal web page; a V2Ray client requesting a specific path, for example https://tlanyan.me/awesomepath, can circumvent the Wall; a browser requesting https://tlanyan.me/awesomepath directly gets "400 bad request". From the outside it looks like a completely harmless, legitimate website; only a specific method requesting a specific URL is the circumvention channel.
Steps
The server side involves both nginx and v2ray; their configuration is described in turn.
1. Configure dns
First set up dns resolution so that the domain points to the vps ip, for example www.tlanyan.me resolving to xxx.xxx.xx.xx.
If you put a cdn in front, the dns must instead point to the ip or alias (cname) provided by the cdn. A cdn hides the real vps ip, which prevents the vps from being blocked or rescues a vps whose ip already is, and in most cases it also speeds up access. The benefits of a cdn are many, but it is more work to configure, so beginners are advised to first master plain https traffic disguise before adding a cdn.
2. Configure nginx
If you already have a domain with a correctly configured ssl certificate, you can skip this step.
nginx is the web server software with the largest market share. On centos 7 it is installed with: yum install -y epel-release && yum install -y nginx.
On linux the default nginx site configuration file is default.conf in the /etc/nginx/conf.d/ directory. We configure site-wide https for the disguise site; an example looks like this:
server {
    listen 80;
    server_name xxxxx;  # change to your domain
    rewrite ^(.*) https://$server_name$1 permanent;
}

server {
    listen 443 ssl http2;
    server_name xxxxx;
    charset utf-8;

    # ssl configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    ssl_certificate xxxxx;  # change to the path of your certificate
    ssl_certificate_key xxxx;  # change to the path of the certificate key file

    access_log /var/log/nginx/xxxx.access.log;
    error_log /var/log/nginx/xxx.error.log;

    root /usr/share/nginx/html;
    location / {
        index index.html;
    }
}
After editing, run nginx -t to check for configuration errors; if there are none, start nginx with systemctl restart nginx. Open a browser and enter the domain in the address bar; you should see the nginx welcome page served over https.
How do you quickly put a plausible-looking website on a new domain? The simplest way is to download a website template and upload it to the web server's document root (by default /usr/share/nginx/html). For a disguise site a static site is enough. If your overseas traffic volume is large, it is advisable to use a crawler or other means to build a site that looks popular and well-visited, such as a food blog or an image site.
3. Install and configure V2Ray
For the detailed procedure see the previous article: V2Ray Tutorial
At this point nginx and V2ray should each work normally on their own. If either has a problem, fix it before continuing with the steps below.
4. Configure websocket on the server
In this section we combine nginx and v2ray.
First choose a path; a second-level path or a longer first-level path is recommended, for example /abc/def or /awesomepath.
Next configure nginx to forward all requests for this path to v2ray. In the second server block of /etc/nginx/conf.d/default.conf add the following forwarding configuration:
location /awesomepath {  # keep this identical to the path in the V2Ray configuration
    proxy_redirect off;
    proxy_pass http://127.0.0.1:12345;  # assumes v2ray listens on port 12345
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    # Show real IP in v2ray access.log
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
Once configured, restart nginx: systemctl restart nginx.
Now configure v2ray to accept the data nginx forwards. Add a "streamSettings" section under "inbounds" with "websocket" as the transport. The finished config.json looks like this:
{
  "log": {
    "loglevel": "warning",
    "access": "/var/log/v2ray/access.log",
    "error": "/var/log/v2ray/error.log"
  },
  "inbounds": [{
    "port": 12345,
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          "id": "xxxxx",  # can be generated with v2ctl uuid
          "level": 1,
          "alterId": 64
        }
      ]
    },
    "streamSettings": {  # carrier configuration, set to websocket
      "network": "ws",
      "wsSettings": {
        "path": "/awesomepath"  # keep identical to the path in nginx
      }
    },
    "listen": "127.0.0.1"  # for safety, accept local connections only
  }],
  "outbounds": [{
    "protocol": "freedom",
    "settings": {}
  },{
    "protocol": "blackhole",
    "settings": {},
    "tag": "blocked"
  }],
  "routing": {
    "rules": [
      {
        "type": "field",
        "ip": ["geoip:private"],
        "outboundTag": "blocked"
      }
    ]
  }
}
Note: json files do not support comments; in the configuration above, delete each "#" together with everything that follows it on the line.
Once the configuration is correct, restart the v2ray service: systemctl restart v2ray.
How do you test that nginx and v2ray work together? Open a browser and enter the domain with some other path: you should get the normal web page or a page-not-found error, which shows nginx is working. Then enter the domain plus the v2ray path, for example https://tlanyan.me/awesomepath: you should get "Bad Request", which shows nginx forwarded the traffic to v2ray and v2ray received the request.
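Before restarting the services it is worth checking that the nginx location block and the v2ray inbound actually agree, since a path or port typo is the usual reason the "Bad Request" test above fails. The following Python script is an added example, not code from the original post or from the v2ray project. It strips the "#" annotations used in the config listing above, loads the JSON, pulls the path, upstream port, http version and forwarded headers out of the location block with regular expressions, and reports every mismatch it finds, including an inbound that is not restricted to 127.0.0.1. Both configs inside it are constructed samples modelled on the ones above, with a placeholder client id in place of a real uuid; the function names are this example's own.

```python
import json
import re

# Constructed sample: the nginx websocket location block as shown above,
# not read from a live server.
NGINX_LOCATION = """
location /awesomepath {
    proxy_redirect off;
    proxy_pass http://127.0.0.1:12345;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
}
"""

# Constructed sample: the v2ray config.json as the post presents it, '#'
# annotations included, with a placeholder id instead of a real uuid.
ANNOTATED_CONFIG = """
{
  "inbounds": [{
    "port": 12345,
    "protocol": "vmess",
    "settings": {
      "clients": [ { "id": "00000000-0000-4000-8000-000000000000", "level": 1, "alterId": 64 } ]  # placeholder id
    },
    "streamSettings": {  # carrier configuration, set to websocket
      "network": "ws",
      "wsSettings": { "path": "/awesomepath" }  # must match the nginx location
    },
    "listen": "127.0.0.1"  # accept local connections only
  }],
  "outbounds": [{ "protocol": "freedom", "settings": {} }]
}
"""


def strip_hash_comments(text):
    """Drop '# ...' to end of line, leaving '#' characters inside JSON strings alone."""
    cleaned = []
    for line in text.splitlines():
        in_string = False
        cut = len(line)
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_string = not in_string
            elif ch == "#" and not in_string:
                cut = i
                break
        cleaned.append(line[:cut].rstrip())
    return "\n".join(cleaned)


def parse_ws_location(conf):
    """Extract path, upstream host/port, proxy_http_version and proxy_set_header
    values from a single nginx location block (no nested braces expected)."""
    block = re.search(r"location\s+(\S+)\s*\{(.*?)\}", conf, re.S)
    path, body = block.group(1), block.group(2)
    upstream = re.search(r"proxy_pass\s+http://([\d.]+):(\d+);", body)
    version = re.search(r"proxy_http_version\s+([\d.]+);", body)
    headers = dict(re.findall(r'proxy_set_header\s+(\S+)\s+"?([^";]+)"?;', body))
    return {
        "path": path,
        "upstream_host": upstream.group(1),
        "upstream_port": int(upstream.group(2)),
        "http_version": version.group(1) if version else None,
        "headers": headers,
    }


def check_consistency(nginx_conf, annotated_json):
    """Return a list of problems; an empty list means nginx and v2ray agree."""
    loc = parse_ws_location(nginx_conf)
    inbound = json.loads(strip_hash_comments(annotated_json))["inbounds"][0]
    stream = inbound.get("streamSettings", {})
    ws_path = stream.get("wsSettings", {}).get("path")
    problems = []
    if stream.get("network") != "ws":
        problems.append("v2ray inbound network is not ws")
    if ws_path != loc["path"]:
        problems.append("path mismatch: nginx %s vs v2ray %s" % (loc["path"], ws_path))
    if inbound.get("port") != loc["upstream_port"]:
        problems.append("port mismatch: nginx proxies to %d, v2ray listens on %s"
                        % (loc["upstream_port"], inbound.get("port")))
    if inbound.get("listen") != "127.0.0.1" or loc["upstream_host"] != "127.0.0.1":
        problems.append("v2ray inbound should listen on 127.0.0.1 only, with nginx proxying to it there")
    if loc["http_version"] != "1.1":
        problems.append("proxy_http_version must be 1.1 for the websocket upgrade")
    if loc["headers"].get("Upgrade") != "$http_upgrade" or loc["headers"].get("Connection") != "upgrade":
        problems.append("Upgrade/Connection headers are not forwarded to v2ray")
    return problems


if __name__ == "__main__":
    issues = check_consistency(NGINX_LOCATION, ANNOTATED_CONFIG)
    print("OK" if not issues else "\n".join(issues))
```

To use it against your own files, read the location block and config.json from disk in place of the two constructed strings; the comment stripper lets you keep the annotated copy for reference and write out the cleaned JSON that v2ray actually requires.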
Client setup
Finally, configure the client. V2RayW on Windows is used here as the example.
Open V2RayW, right-click the tray icon and click "Configure". In the dialog, create a new server or edit an existing one: enter the server ip, set the port to 443, fill in the user id and alter id, and choose "ws" as the network type. Then click "Transport settings", find "websocket", enter the path used in nginx and v2ray (for example "/awesomepath"), and enter the following as the http headers:
{
  "Host": "your domain, e.g. www.tlanyan.me"
}
Screenshot:
Next click "tls", tick "Enable transport layer encryption tls", and enter the domain in the "Server domain" box; screenshot:
Once everything is filled in correctly, click "Save". Open a browser and visit sites such as google.com and youtube.com; if the configuration is right they should all open normally.
If you are not familiar with configuring nginx/v2ray and the client, this v2ray configuration generator is recommended: v2ray config generator
Summary
https/tls encrypts the path, so from packets captured at an intermediate hop it is extremely hard to tell a normal request from traffic carrying a hidden payload. This also shows the strength of v2ray: by configuring different protocols and carriers you can tailor inbound and outbound traffic as you like. Judging by its traffic disguise and reverse proxy features, v2ray is unquestionably a powerful network framework/tool, and circumvention is only one of its successful applications.
Regrettably, all v2ray clients for ios are paid; for client downloads see: V2ray client downloads.