net4people / bbs

Forum for discussing Internet censorship circumvention

A shadowsocks setup that has run stably for several years, and how to build it #130

Open gfwspot opened 1 year ago

gfwspot commented 1 year ago

As the wall keeps getting higher lately, I would like to share the shadowsocks setup I am currently using. This scheme has run stably for several years, including on sensitive dates such as the anniversary of the Tiananmen Massacre and the Two Sessions, and it is still running now (apart from routine maintenance).

Environment and software:

Linux
shadowsocks-libev
iptables

Disadvantages:

Bandwidth and traffic costs for circumventing the wall this way are three times or more those of a traditional setup; a good-quality route has to be found for the outbound (international) segment.

Flow:

[Your PC] -> [CN-A 1.1.1.1] -> [INTER-B 2.2.2.2] -> [OUT-C 3.3.3.3]

General recommendations:

  1. Remove all monitoring software planted by the cloud vendor.
  2. Update packages and install iptables as appropriate for your system.

[CN-A 1.1.1.1] China server

Firewall configuration

1. Use iptables to allow inbound connections on a specific port from all sources.
2. Restrict outbound connections to whitelist mode with iptables, allowing access only to [INTER-B 2.2.2.2].
3. Forward all requests arriving on that port to the corresponding port on INTER-B 2.2.2.2.

Notes:

This server must be chosen and tested against your current carrier and location, to make sure the connection from your computer to it is stable, without excessive detours or latency. All cloud monitoring agents, monitoring software planted by the cloud vendor, "security guard" style plugins and the like must be removed from it. This server is located in China and accepts inbound connections from anywhere, but its outbound access is in whitelist mode and only the machine [INTER-B 2.2.2.2] is reachable.

[INTER-B 2.2.2.2] Transit server

Firewall configuration

1. Use iptables to allow all connections from [CN-A 1.1.1.1] and deny all other connections.
2. Restrict outbound connections to whitelist mode with iptables, allowing access only to [OUT-C 3.3.3.3].
3. Forward all requests arriving on that port to the shadowsocks port on OUT-C 3.3.3.3.

Notes:

This server must be chosen and tested against your CN-A machine, to make sure the connection from CN-A to it is stable, without excessive detours or latency. All cloud monitoring agents, monitoring software planted by the cloud vendor, "security guard" style plugins and the like must be removed from it. This server is located outside China and has a good connection and latency to CN-A.

[OUT-C 3.3.3.3] Exit server

Firewall configuration

1. Use iptables to allow all connections from [INTER-B 2.2.2.2] and deny all other connections.
2. Allow all outbound connections.

Server configuration

Install shadowsocks-libev;

use chacha20-ietf-poly1305 as the cipher;

make the password as complex as possible;

for details see: https://gfw.report/blog/ss_tutorial/zh/

Notes:

This server should preferably be in the same country or region as INTER-B. [Important] Make sure the provider of this server is reliable, e.g. one that will not comply with Chinese law and has no Chinese capital behind it (suggested: AWS, Azure, Linode and other well-known public clouds). This server only allows inbound connections from INTER-B.

In your circumvention client, just use the IP address of CN-A 1.1.1.1 together with the password and cipher configured on OUT-C 3.3.3.3 above.

Finally:

I will not post the specific commands or one-click scripts here, sorry. I wish everyone a pleasant internet experience, and may you emigrate soon.
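The post deliberately leaves out the commands. The script below is an added example (mine, not the author's) that turns the three firewall descriptions above into iptables rule sets, one per hop. It only prints the commands so they can be reviewed before being applied. The IP addresses are the post's placeholders; the shadowsocks port 8388, the SSH admin rule, and the use of MASQUERADE for the return path are my assumptions, since the post names no ports and says nothing about management access.

```shell
#!/bin/sh
# Added example (not the post author's code): prints the iptables commands
# for one hop of [PC] -> CN-A -> INTER-B -> OUT-C. Nothing is applied; review
# the output, then run e.g.   sh hop-rules.sh cn-a | sudo sh   on CN-A.
# The IPs are the post's placeholders. PORT, SSH_PORT and SSH_FROM are
# assumptions: the post names no port numbers and says nothing about SSH.
CN_A=${CN_A:-1.1.1.1}
INTER_B=${INTER_B:-2.2.2.2}
OUT_C=${OUT_C:-3.3.3.3}
PORT=${PORT:-8388}       # assumed shadowsocks port, kept identical on every hop
SSH_PORT=${SSH_PORT:-22} # assumed admin port
SSH_FROM=${SSH_FROM:-}   # optional: your own IP; empty means SSH from anywhere

# Baseline for all three hosts: default-deny INPUT and FORWARD, keep loopback,
# replies to existing flows, and admin SSH (so you do not lock yourself out).
base_rules() {
  if [ -n "$SSH_FROM" ]; then ssh_src="-s $SSH_FROM "; else ssh_src=""; fi
  cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT ${ssh_src}-p tcp --dport $SSH_PORT -j ACCEPT
EOF
}

# Outbound whitelist: new connections may only go to the next hop. Replies to
# inbound flows still work; DNS and package updates will NOT, so update first.
outbound_whitelist() { # $1 = the only permitted destination
  cat <<EOF
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d $1 -j ACCEPT
EOF
}

# Port forward to the next hop. DNAT rewrites the destination; MASQUERADE
# rewrites the source so replies return via this host, which also means the
# next hop only ever sees this host's IP (that is what its -s filter matches).
# Forwarded packets traverse FORWARD, not INPUT, so the accept lives there.
forward_to() { # $1 = next hop, $2 = optional: only forward traffic from this source
  if [ -n "${2:-}" ]; then src="-s $2 "; else src=""; fi
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING ${src}-p tcp --dport $PORT -j DNAT --to-destination $1:$PORT
iptables -t nat -A PREROUTING ${src}-p udp --dport $PORT -j DNAT --to-destination $1:$PORT
iptables -A FORWARD ${src}-d $1 -p tcp --dport $PORT -j ACCEPT
iptables -A FORWARD ${src}-d $1 -p udp --dport $PORT -j ACCEPT
iptables -A FORWARD -s $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -d $1 -p tcp --dport $PORT -j MASQUERADE
iptables -t nat -A POSTROUTING -d $1 -p udp --dport $PORT -j MASQUERADE
EOF
}

# CN-A: in from anyone on $PORT, forward to INTER-B, out only to INTER-B.
rules_cn_a() {
  base_rules
  forward_to "$INTER_B"
  outbound_whitelist "$INTER_B"
}

# INTER-B: only CN-A may come in, forward to OUT-C, out only to OUT-C.
rules_inter_b() {
  base_rules
  forward_to "$OUT_C" "$CN_A"
  outbound_whitelist "$OUT_C"
}

# OUT-C: shadowsocks port open only to INTER-B, everything allowed outbound.
rules_out_c() {
  base_rules
  cat <<EOF
iptables -A INPUT -s $INTER_B -p tcp --dport $PORT -j ACCEPT
iptables -A INPUT -s $INTER_B -p udp --dport $PORT -j ACCEPT
iptables -P OUTPUT ACCEPT
EOF
}

main() {
  case "${1:-}" in
    cn-a)    rules_cn_a ;;
    inter-b) rules_inter_b ;;
    out-c)   rules_out_c ;;
    *) echo "usage: $0 cn-a|inter-b|out-c" >&2; return 2 ;;
  esac
}
[ $# -eq 0 ] || main "$@"
```

Two things worth checking before applying this on a real box: apply the outbound whitelist last (after package updates and after confirming the next hop answers on the port), and persist the rules with iptables-save or your distribution's equivalent, since these commands do not survive a reboot. Because CN-A and INTER-B MASQUERADE the forwarded flows, OUT-C only sees INTER-B's address, which is exactly what its "-s" rule depends on; the flip side is that OUT-C's own logs cannot distinguish individual clients.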

5uy4n9 commented 1 year ago

[OUT-C 3.3.3.3] Exit server

Firewall configuration

1. Use iptables to allow all connections from [CN-A 1.1.1.1] and deny all other connections.

Is the server here a typo? Seems like it should be [INTER-B 2.2.2.2].

gfwspot commented 1 year ago

[OUT-C 3.3.3.3] Exit server

Firewall configuration

1. Use iptables to allow all connections from [CN-A 1.1.1.1] and deny all other connections.

Is the server here a typo? Seems like it should be [INTER-B 2.2.2.2].

Updated, thanks for the note!

HaoweiCh commented 1 year ago

Buy yourself an alibabaglobal VPS in Hong Kong and do WS forwarding: shadowsocks through VLESS over WS + TLS.

aliyun3221 commented 1 year ago

stupid

2378 commented 1 year ago

Technically it is hidden.

But from the angle of network social engineering: CN-A keeping up effective connections for a long time to a single overseas IP and single port on INTER-B, could that actually increase the risk of exposure instead?

If you compare the connection time windows and the traffic per window between the terminal and A, and between A and B, you can at least tell it is a jump host, right?

With CN-A being real-name registered in every way, I would not dare to do this.

sora987 commented 1 year ago

The biggest difficulty in OP's scheme is CN-A. Lightweight servers in China are basically 1M-8M thin pipes, and even a 30M one is priced frighteningly; it is not suitable for ordinary people.

mailsex commented 1 year ago

It would be nice if you could post the code.

OnlyCharacters commented 1 year ago

Wall: Watch me spoof an IP~

brglng commented 1 year ago

Can you explain the principle behind it?

cross-hello commented 1 year ago

Thank God. Now we know how to stably run ssr in mainland China.

yuedai commented 9 months ago

Why is a transit server needed at all? Is it because the transit server has better routing into China, while the machine itself can be cheap?