8 minute read

Background

Network freedom is demanding for everyone, especially for programmers and researchers. However, because of the reason everyone knows, there is a barrier in Chinese mainland towards some sites(e.g. Google, Facebook, Twitter, Youtube, etc.). In the beginning, this post is only a note for myself about how to cross the network barrier, but many of my friends keep asking me how to have network freedom in China, so I revised this post and make things clearer and easy to understand. I hope this post can help you perform better in learning and developing. As an individual, we must have the ability to distinguish what information on the Internet should trust. And here, I claim that this post is only for learning and research.

If you want to buy a VPN (proxy), you do not need to read this post, most of VPN vendors provide a shared proxy server and limit bandwidth to users, so it may be real slow. Moreover, you may not trust the vendor and worry about they may monitor you data, so you can create your proxy server by yourself and exclusive bandwidth, if you wish to achieve that, you can read this post and learn how to do it. If there has something unclear, feel free to leave a comment.

Virtual Private Server(VPS) is a virtual machine run on cloud and used by individual. Companies like Google, ,Amazon, AWS, Alibaba, Tencent etc. provide their servers to customers, and people can use these server to host there website, do computing, set up proxy etc.

Here I will introduce how to set up a Google VPS and set up a network proxy server on it. For how to set up a website on VPS, refer to my post—Create your website on cloud.

Requirements

  • You need a temporary available VPN to visit Google and setup your server, and after you set up your server, you just switch to your own service and no need for the a temporary VPN.

How to get temporary available VPN?

you can find a VPN vendor and start a free trial, Lol.

  • You should have some background of computer system(especially Linux system), otherwise its may hard for you to understand some terms and implement these things. For this case, you can learn to build your proxy by some more step-by-step video tutorials, you may find it on Youtube by searching ssr and v2ray.

1. Set up cloud Virtual Private Server (VPS)

You can use any server which can visit freedom network, most of them are out side of China, and you can buy a mini-server from cloud server provider, e.g. Google, AWS, BandwagonHost. a mini-server often very cheap, and you can pay by a double currency credit card. Here I tell you how to set up a server on Google cloud.

  1. buy a VM on Google cloud (it has one year free trial now) or any other vendor, choose Debian Linux and the place near to get fast access (eg, asia-east, asia-noutheast, hongkong, Seoul)

  2. use ssh connect VPS (you can use browser ssh or ssh key on terminal)

  3. if you found ssh is slow, many be some problem with port 22. just change it

    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
    sudo vim /etc/ssh/sshd_config
    

    remove # before Port 22, and add new ports, e.g. Port xxxxx. note that do not delete Port 22, Otherwise, is you other port was baned, you can not link your server anymore.

    systemctl restart sshd  or /etc/init.d/sshd restart
    

    then you can

    ssh -p xxxxx user@ip
    scp -P username@server:(remote location) (local location)
    

check opening port

sudo netstat -tulpn | grep LISTEN

2. Set up proxy server

Here I list two popular ways to go through the special firewall, one is ssr, the other is v2ray. Both of them are kind of proxy protocol and can achieve your goal of visiting some banned websites.

SSR is a protocol to avoid censorship, recently it stopped maintain and GFW has ability to ban some of ssr data flow, so it is not very stable.

v2ray is a platform for anti-censorship, and it can use Vmess protocol, at least present it is more stable than SSR. V2ray is a strong and powerful tool, it not only a anti-censor tool, it also has many other functions, e.g. multi-hop network configuration, intra-net penetration etc.

2.1 Set up BBR and ssr

Set up BBR and ssr through script on VPS connected by ssh

sudo -i
wget --no-check-certificate https://github.com/iyuco/scripts/raw/master/bbr.sh
chmod +x bbr.sh
./bbr.sh

wget --no-check-certificate https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocksR.sh
./shadowsocksR.sh

and if you want to create multi-user accounts, the following one is more convenient

wget -N --no-check-certificate https://raw.githubusercontent.com/ToyoDAdoubi/doubi/master/ssrmu.sh && chmod +x ssrmu.sh && bash ssrmu.sh

Notice: Don’t forget set up you cloud server firewall to allow your ssr port in both http and https

2.2 Set up v2ray

Please refer the v2ray official website for detail. For more brainless method, refer toutyrater.

or you can just run this scrip to set up it without thinking

bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)

I recommend you do it by your self if you know basic knowledge about computer, it is safer.

  1. synchronize you time first by

    sudo apt-get install ntp ntpdate -y
    sudo ntpdate -u ntp.api.bz 
    sudo hwclock -w                     # write to hardware
    date # check time
    

    list of time server

    time.nist.gov  
    time.nuri.net  
    0.asia.pool.ntp.org  
    1.asia.pool.ntp.org  
    2.asia.pool.ntp.org  
    3.asia.pool.ntp.org
    us.pool.ntp.org 
    ntp.api.bz
    

    you can use crontab create auto tasks for time synchronization, use crontab -e to edit configure file, add following line to the configure means synchronize time in 2:10 everyday.

    10 2 * * * sudo ntpdate -u ntp.api.bz
    
  2. download install script

    wget https://install.direct/go.sh   
    
  3. run install and set up

    sudo ./go.sh
    
  4. change your config.json file in /etc/v2ray/

  5. start v2ray

    sudo systemctl start v2ray
    

WebSocket+TLS+Nginx

WebSocket+TLS+Nginx configuration is a good choice in v2ray if you already have a website on the server. but if you are new to v2ray, you may just try basic TPC first.

How to do WebSocket+TLS+Nginx?

make sure you install Nginx and configure ssl certificate configured in /etc/nginx/sites-enabled/default, and then you have to add your Websocket configuration to it, just add a new location into your server in the default file:

location /ray {                         # same as it in v2ray config
        proxy_redirect off;
        proxy_pass http://127.0.0.1:10000;    # assume the WebSocket listen on 10000
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        # Show realip in v2ray access.log
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

Refer here for detail configuration of v2ray client and server. If you add location to your orignal Nginx server , then the client port will be 443, or you can add listen port (e.g. 8080) in your server part in you Nginx configuration.

3. set up Linux PC client

3.1 set up ssr

wget http://www.djangoz.com/ssr sudo mv ssr /usr/local/bin sudo chmod 766 /usr/local/bin/ssr ssr install ssr config #this will install ssr to /usr/local/share/shadowsocksr

3.2 Set up v2ray client

same as server:

  1. synchronize you time first

  2. download install script

    wget https://install.direct/go.sh   
    
  3. run install and set up

    sudo go.sh
    
  4. move your config.json file to /etc/v2ray/ and delete the default config file

  5. start v2ray

    sudo systemctl start v2ray
    
  6. check status

    service v2ray status
    

ssr and v2ray coexist

If you want ssr and v2ray coexist, just set ssr client local port different from v2ray, e.g. v2ray inbound port: 1080, ssr port: 2080

v2ray with many protocols

On server, add new inbound instance with new setting (port, protocol, id, etc.).

On client, one way is switch the config file, the other way is add new inbound and new outbound with tag, then create route rule to map inbound and outbound. Then you can switch the required protocol by switching the proxy port of your browser.

v2ray with many users

There are many ways to do that. On server, single port with many users (add user to inbound-settings), many ports with many user (add a new inbound instance).

tsl+nginx with many users, single port is same as without tsl.

multi-port with many users should add new listening port in nginx (and in v2ray, one port is Okey).

Troubleshot

If there are some troubles, first check service v2ray status, and then you can try:

Set log level in config.jsonas info or debug, and check the log file, it usually located at /var/log/v2ray/. (on both client and server)

finally, you may use wireshark to analyze packages.

4. using socks on terminal with privoxy

Privoxy is a tool which can listen to specific port and forward it’s traffic to user defined socks proxys.

Privoxy setup

  1. sudo apt-get install privoxy

  2. edit /etc/privoxy/config, below is an example

    listen-address 127.0.0.1:8118   # in line 783
    forward-socks5 / 127.0.0.1:1080 .  # in line 1336
    
  3. sudo /etc/init.d/privoxy restart

Config bash

  1. configure terminal environment by run or add following to .bashrc

    export http_proxy="127.0.0.1:8118"
    export https_proxy="127.0.0.1:8118"
    

    or maybe you want set it manually, do not add the previous two lines, and add follows to .bashrc:

    #Set Proxy
    function setproxy() {
            export {http,https,ftp}_proxy="http://127.0.0.1:8118"
            export {HTTP,HTTPS,FTP}_PROXY="http://127.0.0.1:8118"
    }
       
    # Unset Proxy
    function unsetproxy() {
            unset {http,https,ftp}_proxy
            unset {HTTP,HTTPS,FTP}_PROXY
    }
    
  2. try curl http://www.google.com to test.

    Note that you can not use ping to test since it uses ICMP protocol, but the proxy only support HTTP, HTTPS, FTP and SOCKS.

    You may use httping for testing latency, it send a HEAD request (by default) to a web server and measures the time it took to get a response.

    if you use httping, you can test by

    httping -E http://www.google.com
    httping -x 127.0.0.1:8118 http://www.google.com
    

    for more details, refer man httping

Snap store with proxy

You can also apply proxy to system-wide by editing /etc/environment

  • The snap using /etc/environment as env variables, so you have to set proxy in it for snap, sudo vim /etc/environment, add
http_proxy=http://127.0.0.1:8118
https_proxy=http://127.0.0.1:8118
HTTP_PROXY=http://127.0.0.1:8118
HTTPS_PROXY=http://127.0.0.1:8118 
  • for snap>=2.28, use:
sudo snap set system proxy.http="http://127.0.0.1:8118"
sudo snap set system proxy.https="http://127.0.0.1:8118"
  • or you can edit snapd.service by sudo systemctl edit snapd.service add
[Service]
Environment=http_proxy=http://127.0.0.1:8118
Environment=https_proxy=http://127.0.0.1:8118

then

sudo systemctl daemon-reload
sudo systemctl restart snapd.service

Apt use proxy

  • The env variables do not effect the sudo apt update, you should do:
sudo vim /etc/apt/apt.conf.d/05proxy

add line

Acquire {
  HTTP::proxy "http://127.0.0.1:8118";
  HTTPS::proxy "http://127.0.0.1:8118";
}

Set up git proxy

git config --global http.proxy 'socks5://127.0.0.1:1080' 
git config --global https.proxy 'socks5://127.0.0.1:1080'

Chrome management

if you want to use chrome to manage your redirection, you can use Proxy SwitchyOmega extension.

5. set up other clients

5.1 SSR client

5.2 V2ray client

visit V2ray github rep to find it.

Special statement: This tutorial is only for learning and research, thanks.

Comments