Saturday, February 13, 2016

A detailed tutorial: set up stunnel on a VPS and use Chrome on the client machine to get past the firewall

If you have your own VPS, you can set up stunnel on it and use it to bypass the firewall.


If your VPS runs CentOS/Fedora:
# yum install stunnel -y
But I did not find stunnel.conf in /etc/stunnel/, because the package ships no default conf file. Solution:
# yum install yum-utils -y
# repoquery --list stunnel (this command lists the files in the stunnel package)
It prints the following:
/etc/stunnel
/usr/lib/libstunnel.so
/usr/sbin/stunnel
/usr/sbin/stunnel3
/usr/share/doc/stunnel-4.15
/usr/share/doc/stunnel-4.15/AUTHORS
/usr/share/doc/stunnel-4.15/BUGS
/usr/share/doc/stunnel-4.15/COPYING
/usr/share/doc/stunnel-4.15/COPYRIGHT.GPL
/usr/share/doc/stunnel-4.15/CREDITS
/usr/share/doc/stunnel-4.15/Certificate-Creation
/usr/share/doc/stunnel-4.15/ChangeLog
/usr/share/doc/stunnel-4.15/NEWS
/usr/share/doc/stunnel-4.15/PORTS
/usr/share/doc/stunnel-4.15/README
/usr/share/doc/stunnel-4.15/TODO
/usr/share/doc/stunnel-4.15/VNC_StunnelHOWTO.html
/usr/share/doc/stunnel-4.15/faq.stunnel-2.html
/usr/share/doc/stunnel-4.15/pop3-redirect.xinetd
/usr/share/doc/stunnel-4.15/sfinger.xinetd
/usr/share/doc/stunnel-4.15/stunnel-pop3s-client.conf
/usr/share/doc/stunnel-4.15/stunnel-sfinger.conf
/usr/share/doc/stunnel-4.15/stunnel.conf-sample
/usr/share/doc/stunnel-4.15/transproxy.txt
/usr/share/doc/stunnel-4.15/tworzenie_certyfikatow.html
/usr/share/man/fr/man8/stunnel.8.gz
/usr/share/man/man8/stunnel.8.gz
/usr/share/man/pl/man8/stunnel.8.gz
The file /usr/share/doc/stunnel-4.15/stunnel.conf-sample above is the template for stunnel.conf.
# cp /usr/share/doc/stunnel-4.15/stunnel.conf-sample /etc/stunnel/stunnel.conf
We will edit stunnel.conf shortly.
# cd /etc/stunnel
# openssl req -new -x509 -days 3650 -nodes -out public.crt -keyout private.key
After running the command above, public.crt and private.key are created in /etc/stunnel.
Then edit stunnel.conf:
cert = /etc/stunnel/public.crt
key = /etc/stunnel/private.key
;chroot = /var/run/stunnel/ (note: comment out chroot = /var/run/stunnel/ by putting a ; in front of it, because /var/run/stunnel does not exist)
pid = /tmp/stunnel.pid (note: change the value of pid = to /tmp/stunnel.pid or /opt/stunnel.pid)
;[ssmtp] (comment out [ssmtp])
;accept  = 465 (comment out accept  = 465)
;connect = 25 (comment out connect = 25)
[https]
accept  = 440 (note: the port here does not have to be 443)
connect = 8888 (tinyproxy's port)

(Appendix:

Installing tinyproxy, a lightweight HTTP proxy

If your system is Debian/Ubuntu:
# apt-get install tinyproxy -y
The configuration file is /etc/tinyproxy.conf
If your system is CentOS/Fedora:

rpm -Uvh http://ift.tt/XRtZac
(http://ift.tt/1wurFKD if your system is CentOS 7 x86_64)
yum update
# yum install tinyproxy -y
The configuration file is /etc/tinyproxy/tinyproxy.conf
Then edit tinyproxy.conf. Do not comment out Allow 127.0.0.1: it means that only the same machine, localhost, i.e. the VPS itself, may use this tinyproxy, and every other IP on the internet is refused. The 8888 in the "Port 8888" line can be changed to another port (a 4-digit one; when I changed it to a 5-digit port, tinyproxy would not start), which is a bit safer.

Then start tinyproxy:
# tinyproxy )

Then restart the stunnel service:
# killall stunnel
# /usr/sbin/stunnel

Then go back to the local machine and start Chrome with the arguments --proxy-server=https://vps_ip:440 --ignore-certificate-errors; you can now browse past the firewall in Chrome.

If your VPS runs Debian/Ubuntu:
# apt-get install stunnel -y
Like stunnel on CentOS/Fedora, this stunnel cannot be started with /etc/init.d/stunnel start, because there is no stunnel file under /etc/init.d/.
Running apt-get install stunnel -y prints:

正在添加系统用户"stunnel4" (UID 106)...
正在添加新组"stunnel4" (GID 110)...
正在将新用户"stunnel4" (UID 106)添加到组"stunnel4"...
无法创建主目录"/var/run/stunnel4"
SSL tunnels disabled, see /etc/default/stunnel4

root@AR:~# ls /var/run/
apache2 mount  shm      upstart-socket-bridge.pid
apache2.pid network  squid3.pid  upstart-udev-bridge.pid
container_type rsyslogd.pid  squid.pid   user
crond.pid saslauthd  sshd      utmp
crond.reboot screen  sshd.pid    xinetd.pid
lock sendmail stunnel4
motd.dynamic sendsigs.omit.d  udev

(The /var/run/stunnel4 directory does in fact exist.)

root@AR:~# chown -R stunnel4:stunnel4 /var/run/stunnel4/
root@AR:~# nano /etc/default/stunnel4
(change the value of ENABLED in /etc/default/stunnel4 to 1)
root@AR:~#

# find / -name stunnel (search for stunnel; it prints:

/usr/share/doc/stunnel
/usr/lib/stunnel
/usr/bin/stunnel
/etc/stunnel )
The stunnel executable is /usr/bin/stunnel
# /usr/bin/stunnel
The following error appears:
2011.05.22 16:01:15 LOG7[2027:3074864816]: Snagged 64 random bytes from /root/.rnd
2011.05.22 16:01:15 LOG7[2027:3074864816]: Wrote 1024 new random bytes to /root/.rnd
2011.05.22 16:01:15 LOG7[2027:3074864816]: RAND_status claims sufficient entropy for the PRNG
2011.05.22 16:01:15 LOG7[2027:3074864816]: PRNG seeded successfully
2011.05.22 16:01:15 LOG7[2027:3074864816]: Certificate: /etc/stunnel/stunnel.pem
2011.05.22 16:01:15 LOG7[2027:3074864816]: Certificate loaded
2011.05.22 16:01:15 LOG7[2027:3074864816]: Key file: /etc/stunnel/stunnel.pem
2011.05.22 16:01:15 LOG7[2027:3074864816]: Private key loaded
2011.05.22 16:01:15 LOG7[2027:3074864816]: SSL context initialized for service stunnel
inetd mode must define a remote host or an executable
# nano /usr/bin/stunnel (open the /usr/bin/stunnel file and look inside; it contains $stunnel_bin='/usr/bin/stunnel4';)
So the real stunnel executable is /usr/bin/stunnel4, not /usr/bin/stunnel
# /usr/bin/stunnel4
# find / -name stunnel4 (prints:

root@AR:~# find / -name stunnel4
/var/log/stunnel4
/var/lib/stunnel4
/etc/init.d/stunnel4
/etc/default/stunnel4
/etc/logrotate.d/stunnel4
/usr/bin/stunnel4
/usr/share/doc/stunnel4
/usr/share/lintian/overrides/stunnel4
/usr/share/doc-base/stunnel4
/run/stunnel4
root@AR:~# )

# cd /usr/share/doc/stunnel4/examples/ (in here you will find stunnel.conf-sample, which is the template for stunnel.conf.)
# cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample /etc/stunnel/stunnel.conf
# cd /etc/stunnel/
# openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
Here the cert file and the key file are both stunnel.pem, i.e. the two are combined into one. After running the command above, stunnel.pem is created in /etc/stunnel/.
Then edit stunnel.conf:
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
;[ssmtp] (comment out [ssmtp])
;accept  = 465 (comment out accept  = 465)
;connect = 25 (comment out connect = 25)
[https]
accept  = 440 (note: the port here does not have to be 443)
connect = 8888 (tinyproxy's port)
Then restart the stunnel service:
# killall stunnel4
# /usr/bin/stunnel4

Then go back to the local machine and start Chrome with the arguments --proxy-server=https://vps_ip:440 --ignore-certificate-errors; you can now browse past the firewall in Chrome.
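A consistency check for the stunnel.conf and tinyproxy.conf edits described in the CentOS and Debian sections above, added here as an example (it is not code from the original post): it parses both files, confirms that a chroot directory exists before stunnel is told to use it, that the [ssmtp] service is commented out, that stunnel's connect port matches tinyproxy's Port, and that Allow 127.0.0.1 is kept. The embedded sample configs are constructed from the values in the post, and the path_exists parameter is an assumption of this example so it can run without the real directories.

```python
import os

# Constructed samples mirroring the post's CentOS stunnel.conf edits and tinyproxy.conf.
STUNNEL_CONF = """\
cert = /etc/stunnel/public.crt
key = /etc/stunnel/private.key
;chroot = /var/run/stunnel/
pid = /tmp/stunnel.pid
;[ssmtp]
[https]
accept  = 440
connect = 8888
"""
TINYPROXY_CONF = "Port 8888\nAllow 127.0.0.1\n#Allow 192.168.0.0/16\n"

def parse_stunnel_conf(text):
    """Return (global options, {service: options}); lines starting with ';' are comments."""
    global_opts, services, section = {}, {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            services[section] = {}
            continue
        key, _, value = line.partition('=')
        (services[section] if section else global_opts)[key.strip()] = value.strip()
    return global_opts, services

def port_of(value):
    tail = value.rsplit(':', 1)[-1]  # accept '440' as well as '0.0.0.0:440'
    return int(tail) if tail.isdigit() and 0 < int(tail) < 65536 else None

def check_setup(stunnel_text, tinyproxy_text, path_exists=os.path.exists):
    g, services = parse_stunnel_conf(stunnel_text)
    problems = [f"global '{o}' is not set" for o in ('cert', 'key', 'pid') if o not in g]
    if 'chroot' in g and not path_exists(g['chroot']):
        problems.append(f"chroot {g['chroot']} does not exist: create it or comment it out")
    if 'ssmtp' in services:
        problems.append("[ssmtp] is still active: comment out its lines")
    https = services.get('https', {})
    accept, connect = port_of(https.get('accept', '')), port_of(https.get('connect', ''))
    if accept is None or connect is None:
        return problems + ["[https] needs numeric accept and connect ports"]
    words = [ln.split('#', 1)[0].split() for ln in tinyproxy_text.splitlines()]  # '#' comments
    ports = [int(w[1]) for w in words if w[:1] == ['Port'] and len(w) == 2]
    allows = [w[1] for w in words if w[:1] == ['Allow'] and len(w) == 2]
    if ports != [connect]:
        problems.append(f"stunnel connects to {connect} but tinyproxy Port is {ports}")
    if '127.0.0.1' not in allows:
        problems.append("keep 'Allow 127.0.0.1' so only the local stunnel can reach tinyproxy")
    return problems
```

Run check_setup on the Debian variant (chroot = /var/lib/stunnel4/, which exists there) with the default path_exists and it returns an empty list as well; any non-empty result names the line to fix.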

Chrome's support for HTTPS proxies is a huge convenience for netizens in China!

If your client machine is a Mac, run in the terminal: open "/applications/Google Chrome.app/" --args --proxy-server=https://vps_ip:440 --ignore-certificate-errors

You can save open "/applications/Google Chrome.app/" --args --proxy-server=https://vps_ip:440 --ignore-certificate-errors as start-chrome-stunnel.sh,

make start-chrome-stunnel.sh executable:

chmod 755 start-chrome-stunnel.sh

and from then on, whenever you want to browse past the firewall with Chrome, just run ./start-chrome-stunnel.sh.

If your VPS runs CentOS 7, you also need to run

systemctl mask firewalld
systemctl stop firewalld
After that it works. These two commands mask and stop the firewalld service. My VPS runs CentOS 7; after I had set up stunnel and tinyproxy, Chrome started with the arguments above on my local machine simply would not get through.
Later it occurred to me that firewalld might be the culprit; running the two commands above solved the problem.
The backend on the VPS (i.e. the value of connect in stunnel.conf) can of course also be squid, but not an encrypted squid. If you have already compiled an encrypted squid on your VPS, you need to compile a second, plain squid and use that plain squid as stunnel's backend. Its configuration file squid.conf needs no changes at all; if you wish, you can of course change its default port 3128 to something else.
wget http://ift.tt/1PyYPhe
tar zxvf squid-3.5.13.tar.gz
cd squid-3.5.13
./configure --prefix=/usr/local/squid-3.5.13
make
make install
The squid executable is /usr/local/squid-3.5.13/sbin/squid; run /usr/local/squid-3.5.13/sbin/squid and squid starts.
In stunnel.conf:
...
[https]
accept = 440
connect = 3128


Source: 翻墙论坛 briteming

Original: http://ift.tt/1R10hwm

via 细节的力量 http://ift.tt/20uUbXG
