search

aiastia / note

笔记
16 stars 5 forks source link

编译shadowsocksR-libev(未验证) #10

Open aiastia opened 7 years ago

aiastia commented 7 years ago

编译环境

ubuntu-16.04-server-amd64

编译过程

shadowsocks-rss-libev项目地址:https://github.com/breakwa11/shadowsocks-libev

安装编译必备软件 sudo apt-get install build-essential autoconf libtool libssl-dev gawk debhelper dh-systemd init-system-helpers pkg-config

下载源代码 git clone https://github.com/breakwa11/shadowsocks-libev.git

编译 dpkg-buildpackage -us -uc -i

安装 sudo dpkg -i shadowsocks-libev*.deb

shadowsocks-rss-libev使用方法

运行ss-server -h会得到以下说明

shadowsocks-libev 2.4.5

maintained by Max Lv max.c.lv@gmail.com and Linus Yang laokongzi@gmail.com

usage:

ss-server

   -s <server_host>           Host name or ip address of your remote server.
   -p <server_port>           Port number of your remote server.
   -l <local_port>            Port number of your local server.
   -k <password>              Password of your remote server.
   -m <encrypt_method>        Encrypt method: table, rc4, rc4-md5,
                              aes-128-cfb, aes-192-cfb, aes-256-cfb,
                              bf-cfb, camellia-128-cfb, camellia-192-cfb,
                              camellia-256-cfb, cast5-cfb, des-cfb, idea-cfb,
                              rc2-cfb, seed-cfb, salsa20 and chacha20.

   [-a <user>]                Run as another user.
   [-f <pid_file>]            The file path to store pid.
   [-t <timeout>]             Socket timeout in seconds.
   [-c <config_file>]         The path to config file.
   [-n <number>]              Max number of open files.
   [-i <interface>]           Network interface to bind.

   [-u]                       Enable UDP relay,
   [-U]                       Enable UDP relay and disable TCP relay.
   [-A]                       Enable onetime authentication.
   [-w]                       Enable white list mode (when ACL enabled).

   [-d <addr>]                Name servers for internal DNS resolver.
   [--fast-open]              Enable TCP fast open.
                              with Linux kernel > 3.7.0.
   [--acl <acl_file>]         Path to ACL (Access Control List).
   [--manager-address <addr>] UNIX domain socket address.

   [-v]                       Verbose mode

ss-redir -o [obfs混淆协议] -O [protocol协议] -g [obfsparam混淆参数] -s [服务器地址] -p [服务器端口] -l [本地监听端口] -b [本地监听地址] -k [SS密码] -m [加密方式]

aiastia commented 7 years ago

选择libev版本因为树莓派硬件IO性能较弱,使用C编译性能更加。

安装

wget https://coding.net/u/sfantree/p/self_use_OSS/git/raw/master/source/shadowsocksr-libev-2.4.1.zip

git clone https://github.com/shadowsocksr/shadowsocksr-libev ssr

git clone https://github.com/shadowsocksr-rm/shadowsocksr-libev ssr

cd ssr ./configure --prefix=/usr/local/shadowsocksR --disable-documentation make -j4 make install 编译的过程有点慢,不想等的同学可以直接下载我编译好的,注意解压以后放到/usr/local/目录就行。

wget https://coding.net/u/sfantree/p/self_use_OSS/git/raw/master/have_complined_rasp_software/shadowsocksR_for_raspberrypi_armv7.tgz 创建一个目录存放SSr配置文件。

mkdir /usr/local/shadowsocksR/conf 新建一个json填写

{ "server":"123.123.123.123", "server_port":12121, "local_port":1080, "password":"123456", "timeout":600, "method":"aes-256-cfb", "protocol":"auth_sha1_v2", "obfs":"tls1.2_ticket_auth", "obfsparam":"" , "group":"sfantree", "local_address":"0.0.0.0", } 如果想让局域网的主机都可以享用sock5代理,可以在配置文件添加"local_address":"0.0.0.0"缺省路由。

启动

/usr/local/shadowsocksR/bin/ss-local -c /usr/local/shadowsocksR/conf/US.json > /dev/null & 更多选项可以使用/usr/local/shadowsocksR/bin/ss-local -h查看。

检查端口是否开启

netstat -ntlp

aiastia commented 7 years ago

停止 Shadowsocks-libev-server 运行,并启用 Shadowsocks-libev-redir

因为我们是客户端不需要 Shadowsocks-libev-server,而默认安装好之后会启动 Shadowsocks-libev-server 所以我们要停止他 systemctl stop shadowsocks-libev-server.service systemctl disable shadowsocks-libev-server.service systemctl enable shadowsocks-libev-redir@nero.service systemctl start shadowsocks-libev-redir@nero.service netstat -napt |grep 1090 回显如下

nero@Nero-pc:~$ sudo netstat -napt |grep redir Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:1090 0.0.0.0:* LISTEN 4665/ss-redir 这样表示 Shadowsocks-libev-redir 已经正常工作了 可以输入systemctl is-enabled shadowsocks-libev-redir@nero.service可以检查服务是否自启动. 配置 ipset 与 iptables

我目前用的是比较傻瓜的方案,国内的IP走国内,其余 IP 全走 shadowsocks-libev-redir 下载配置文件到\/etc下,并且导入ipset cd /etc sudo wget https://cloud.neroxps.cn/seafhttp/files/fa4b4273-cce8-4db3-b49e-faed66b1adf2/ipset.conf ipset ipset restore -f /etc/ipset.conf 配置iptables,由于iptables调用到ipset里面的配置,所以必须先设置好ipset再配iptables,否则会出错.配置不了 iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports 1090 iptables -t nat -A OUTPUT -m set --match-set nogfwnet dst -j RETURN iptables -t nat -A OUTPUT -d [shadowsocks-server-ip] -j RETURN iptables -t nat -A OUTPUT -d 192.168.0.0/16 -j RETURN iptables -t nat -A OUTPUT -d 127.0.0.0/8 -j RETURN 配置好后保存iptables iptables-save > /etc /iptables.conf 设置开机应用ipset与iptables 修改/etc/network/interfaces末尾添加以下内容 pre-up ipset restore -f /etc/ipset.conf pre-up iptables-restore < /etc/iptables.conf 至此重启可以测试一下,重启后运行以下命令 sudo iptables -t nat -L -n nero@Nero-pc:~$ sudo iptables -t nat -L -n [sudo] password for nero: Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination RETURN all -- 0.0.0.0/0 47.88.192.12 RETURN all -- 0.0.0.0/0 127.0.0.0/8 RETURN all -- 0.0.0.0/0 192.168.0.0/16 RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set nogfwnet dst REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 redir ports 1090 Chain POSTROUTING (policy ACCEPT) target prot opt source destination sudo ipset list |more nero@Nero-pc:~$ sudo ipset list |more Name: nogfwnet Type: hash:net Revision: 6 Header: family inet hashsize 4096 maxelem 65536 Size in memory: 244960 References: 1 Members: 103.215.32.0/21 45.248.232.0/22 122.12.15.0/24 103.244.232.0/22 还有很多很多很多很多很多很多很多很多 sudo ps aux |grep redir nero@Nero-pc:~$ sudo ps aux |grep redir root 2864 0.0 0.0 24828 4464 ? Ss 15:34 0:00 /usr/bin/ss-redir -c /etc/shadowsocks-libev/config.json nero 4654 0.0 0.0 21292 1032 pts/18 S+ 16:13 0:00 grep --color=auto redir 回显以上信息表示我们配置已经正常!接下来要解决 DNS 解析的问题! 使用 dnsmasq+pdnsd+gfwlist 来解决 DNS 污染问题

原理

Ubuntu 默认已安装了 dnsmasq,只需要安装 pdnsd。 首先解说下他们的工作原理。 dns 解析原理 综上图所属 dnsmasq 负责全局的 DNS 解析与分类,dnsmasq 接受到DNS请求时与配置文件 \/etc\/dnsmasq.d\/gfwlist.conf 做对比。 符合的话丢给 pdnsd,pdnsd 收到解析请求后,将请求用 TCP 方式将域名查询请求丢给 OpenDns。(为何要用 TCP?因为 DNS 默认是 UDP 的传输方式,而并不是所有的 shadowsocks 服务器都支持 UDP 转发,故此使用 pdnsd 是一个比较稳妥的办法) 不符合的包则丢给系统默认的 DNS 进行解。 1.配置 dnsmasq

系统默认会启动一个dnsmasq(据说是用来做缓存)我们需要关闭它,否则会启用两个dnsmasq. sudo vim \/etc\/NetworkManager\/NetworkManager.conf [main] plugins=ifupdown,keyfile,ofono

dns=dnsmasq

[ifupdown] managed=false 将 dns=dnsmasq 注释掉即可. 配置 dnsmasq. sudo vim \/etc\/dnsmasq.conf server=/githubusercontent.com/127.0.0.1#8053 server=/github.io/127.0.0.1#8053 添加 gfwlist 获取域名走 pdnsd 查询,防止污染. 2.配置 Pdnsd

Ubuntu 默认没有安装 Pdnsd. apt-get install pdnsd 添加 pdnsd 配置 sudo vim \/usr\/share\/pdnsd\/user.conf global { perm_cache=2048; cache_dir="/var/pdnsd"; run_as="pdnsd"; server_port = 8053; server_ip = 127.0.0.1; status_ctl = on; query_method=tcp_only; min_ttl=1m; max_ttl=1w; timeout=5; }

server { label= "opendns"; ip = 208.67.222.222, 208.67.220.220; port = 443; root_server = on; uptest= none; }

server { label= "google dns"; ip = 8.8.8.8, 8.8.4.4; root_server = on; uptest= none; } 将配置应用到pdnsd sudo vim \/etc\/default\/pdnsd

do we start pdnsd ?

START_DAEMON=yes

auto-mode, overrides /etc/pdsnd.conf if set [see /usr/share/pdnsd/]

AUTO_MODE=user

optional CLI options to pass to pdnsd(8)

START_OPTIONS= 启动pdnsd systemctl start pdnsd 设置随系统服务启动 systemctl enable pdnsd 3.使用 gfwlist2dnsmasq 生成 dnsmasq 配置文件

gfwlist2dnsmasq 是 github 上的一个项目,他可以通过获取 github 另一个项目 gfwlist 的 gfwlist.txt,生成 \/etc\/dnsmasq.d\/gfwlist.conf 此脚本有两个,gfwlist2dnsmasq.py 是自动添加 ipset 选项,gfwlist2dnsmasq_noipset.py 是只添加 gfwlist 的域名则走 pdnsd. 安装git sudo apt-get install git 下载 gfwlist2dnsmasq 项目 git clone https:\/\/github.com\/cokebar\/gfwlist2dnsmasq.git cd gfwlist2dnsmasq chmod +x gfwlist2dnsmasq*.py vim .\/gfwlist2dnsmasq_noipset mydnsip = '127.0.0.1' mydnsport = '8053' 将 mydnsport 修改为 8053 ,因为pdnsd我们配置是8053的端口. 运行脚本获取 dnsmasq 规则文件. .\/gfwlist2dnsmasq_noipset.py 运行完毕后根目录会出现一个 dnsmasq_list.conf,将其移动到 dnsmasq 规则目录即可. sudo mv dnsmasq_list \/etc\/dnsmasq.d 重启 dnsmasq systemctl restart dnsmasq 配置 dnsmasq 随系统服务启动 systemctl enable dnsmasq 4.测试 DNS 解析情况

安装 dnsutils sudo apt-get install dnsutils 运行 dig 查询 www.facebook.com 解析正常的话应当出现star-mini.c10r.facebook.com. 60 IN A 31.13.78.35

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.0.1 www.facebook.com

; (1 server found)

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46613

;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 1024

;; QUESTION SECTION:

;www.facebook.com. IN A

;; ANSWER SECTION:

www.facebook.com. 2262 IN CNAME star-mini.c10r.facebook.com.

star-mini.c10r.facebook.com. 60 IN A 31.13.78.35

;; Query time: 124 msec

;; SERVER: 127.0.0.1#53(127.0.0.1)

;; WHEN: Mon Aug 01 21:43:13 CST 2016

;; MSG SIZE rcvd: 90 以下是被污染的例子,www.facebook.com. 1126 IN A 59.24.3.173,这个地址根本不是 facebook 的 ip 地址.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @202.96.128.86 www.facebook.com

; (1 server found)

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5400

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;www.facebook.com. IN A

;; ANSWER SECTION:

www.facebook.com. 1126 IN A 59.24.3.173

;; Query time: 8 msec

;; SERVER: 202.96.128.86#53(202.96.128.86)

;; WHEN: Mon Aug 01 21:42:04 CST 2016

;; MSG SIZE rcvd: 50

aiastia commented 7 years ago

本次编译环境在Debian 8下进行,目标环境为联想Newifi,第一件要做的是先把编译环境准备好,开始安装必须的编译环境。

apt-get update && apt-get install gcc g++ binutils patch bzip2 flex bison make autoconf gettext texinfo unzip sharutils libncurses5-dev ncurses-term zlib1g-dev gawk git ccache asciidoc 下载官方提供的SDK工具包以及ShadowsocksR的源码

sudo su cd ~ wget http://downloads.openwrt.org/chaos_calmer/15.05.1/ramips/mt7620/OpenWrt-SDK-15.05.1-ramips-mt7620_gcc-4.8-linaro_uClibc-0.9.33.2.Linux-x86_64.tar.bz2 tar jxf OpenWrt-SDK-15.05.1-ramips-mt7620_gcc-4.8-linaro_uClibc-0.9.33.2.Linux-x86_64.tar.bz2 cd /root/OpenWrt-SDK-15.05.1-ramips-mt7620_gcc-4.8-linaro_uClibc-0.9.33.2.Linux-x86_64/package/ git clone https://github.com/bettermanbao/openwrt-shadowsocksR-libev-full.git cd ../ 后面的编译过程中可能遇到几个错误,比如

configure: error: Cannot find pcre library. Configure --with-pcre=DIR

解决办法:

./scripts/feeds update ./scripts/feeds install libpcre libopenssl libpolarssl 进入配置界面

make menuconfig 选择Network,取消选择mbedtls的两项,退出保存即可。

make package/openwrt-shadowsocksR-libev-full/compile V=s 如果编译顺利完成的话,编译好的ipk就已经在~/OpenWrt-SDK-15.05.1-ramips-mt7620_gcc-4.8-linaro_uClibc-0.9.33.2.Linux-x86_64/bin/ramips/packages/base目录中了。

aiastia commented 7 years ago

apt-get install libpcre3 libpcre3-dev

aiastia commented 7 years ago

Debian / Ubuntu

sudo apt-get install --no-install-recommends build-essential autoconf libtool libssl-dev libpcre3-dev asciidoc xmlto

CentOS / Fedora / RHEL

sudo yum install gcc autoconf libtool automake make zlib-devel openssl-devel asciidoc xmlto ./configure && make sudo make install

aiastia commented 7 years ago

已验证 上面可行

aiastia commented 6 years ago

ss 的编译

./configure --with-sodium-include=/usr/include --with-sodium-lib=/usr/lib --with-mbedtls-include=/usr/include --with-mbedtls-lib=/usr/lib