電訊茶室 - Powered by Discuz! Board

標題: Openwrt v2ray server + tls1.3 + websocket + webserver + cert + cdn 保護篇 [打印本頁]

作者: tomleehk 時間: 2019-9-28 14:11 標題: Openwrt v2ray server + tls1.3 + websocket + webserver + cert + cdn 保護篇

本帖最後由 tomleehk 於 2020-4-6 13:33 編輯

Preparation
1. A router running openwrt v2ray server + tls + websocket + webserver + cert
ref. http://www.telecom-cafe.com/foru ... &extra=page%3D1
2. A paid or free domain registration, e.g. www.freenom.com
3. A registered CDN service subscription, e.g. www.cloudflare.com
4. V2ray client ( e.g. Kitsunebi )
5. Knowledge of UNIX/openwrt
6. Concept of domain
7. Concept of CDN

Background and Target
The GFW can identify whether an ip is residential or not.
Keep using a residential ip increases the risk to be blocked by GFW.
Use CDN ip to make the residential ip of your router hidden. Only the CDN ip will be exposed to GFW whereas CDN ip is commonly and widely used by commercial website all around the world.
Therefore normally GFW will not block a CDN ip.

作者: tomleehk 時間: 2019-9-28 14:12

本帖最後由 tomleehk 於 2019-9-28 23:05 編輯

Domain Registration

Using www.freenom.com as example,

1. At http://www.freenom.com/en/index.html,
verify the availability of your preferred domain, e.g. nogfw
and click the <<Check Availability>> button

It will then show the availability of nogfw.tk, nogfw.cf... etc.
Select your preference by clicking the button <<Get it Now!>>
Then click the button <<checkout>>

2. Then follow the subsequent steps which are rather straight forward.
At the screen when you see the button <<Verify My Email Address>>
Input your email address accordingly and
click the button <<Verify My Email Address>>.
Then follow the instructions, such as creating password,
until you see your selected domain,
e.g. nogfw.cf is registered successfully under your account

3. Your email address will be your account id.

作者: tomleehk 時間: 2019-9-28 14:12

本帖最後由 tomleehk 於 2020-4-6 13:34 編輯

CDN registration

Using www.cloudflare.com as example

1. Create an account at https://dash.cloudflare.com/sign-up
2. Login cloudflare at https://dash.cloudflare.com/login
3. At https://dash.cloudflare.com/, upper right hand corner ,
click the button <<+ Add site>>
4. Add your domain, e.g. nogfw.cf,
then click the button <<Add site>>,
then follow the steps accordingly to select the plan,
e.g. "free plan" then click <<confirm plan>> button.
5.At the screen to add DNS record for your domain, add
CNAME, nogfw.cf, testhost.ddnsfree.com, proxied
whereas testhost.ddnsfree.com is the domain for your openwrt v2ray router.
[attach]4455[/attach]
see http://www.telecom-cafe.com/foru ... =7749&pid=47343
6. Then click the button <<Add Record>>, <<Continue>>,
it will show a screen to change the nameservers.
7. At your browser, open a new tab and access your domain registration website.
e.g. https://my.freenom.com/clientarea.php?action=domains
At your domain, e.g. nogfw.cf, click the button <<Manage Domain>>
Then click the button <<Manage Freenom DNS>> and
Select the option <<Use custom nameservers (enter below)>>
Then enter the nameservers of step 6 and
then click the button <<Change Nameservers>>
8. At your browser, go back to the tab of step 6, at the buttom
Click the button <<Done, check nameServers>>
9. Then at the support portal for your domain, e.g. nogfw.cf
Click the button SSL/TLS, select the option "Full"
[attach]4454[/attach]
10. Then select the tab <<Edge Certificates>>
TLS 1.3 - On
Minimum TLS Version - TLS 1.3
[attach]4519[/attach]

If everythings are fine, nogfw.cf will be proxied to testhost.ddnsfree.com after a few minutes.

At the browser, if you access nogfw.cf, you will see the login sample webpage of
http://www.telecom-cafe.com/foru ... =7749&pid=47345

Verification
1. Use browser to access nogfw.cf, verify the valid certificate issued by cloudflare for nogfw.cf
2. Use browser to access testhost.ddnsfree.com, verify the valid certificate issued by Let's encrypt for testhost.ddnsfree.com

Therefore, you should be able to access the webpage on the openwrt v2ray router via cloudflare and via the original domain in parallel before you move on.

作者: tomleehk 時間: 2019-9-28 14:12

本帖最後由 tomleehk 於 2020-4-6 14:22 編輯

Modification to lighttpd configuration

Using lighttpd as illustration, sample configuration file should have

server.modules = ("mod_openssl","mod_proxy")
server.document-root = "/www/webproj/"
server.upload-dirs = ( "/tmp" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "http"
server.groupname = "www-data"
index-file.names = ( "index.php", "index.html",
"index.htm", "default.htm",
"index.lighttpd.html" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
### Options that are useful but not always necessary:
#server.chroot = "/"
server.port = 8080
#server.bind = "localhost"
#server.tag = "lighttpd"
#server.errorlog-use-syslog = "enable"
#server.network-backend = "write"
### Use IPv6 if available
#include_shell "/usr/share/lighttpd/use-ipv6.pl"
#dir-listing.encoding = "utf-8"
#server.dir-listing = "enable"
include "/etc/lighttpd/mime.conf"
include_shell "cat /etc/lighttpd/conf.d/*.conf"
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/www/ssl/lighttpd.pem"
ssl.ca-file = "/www/ssl/ca_bundle.crt"
ssl.openssl.ssl-conf-cmd = ("Ciphersuites" => "TLS_AES_128_GCM_SHA256")+("Protocol" => "-ALL, TLSv1.3")
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
}
$HTTP["url"] =~ "^/vpath" {
$HTTP["host"] == "nogfw.cf" {
proxy.header = ( "upgrade" => "enable")
proxy.server = ( "" => (("host" => "127.0.0.1","port" => 8443)))
}
else {
$HTTP["host"] == "testhost.ddnsfree.com" {
proxy.header = ( "upgrade" => "enable")
proxy.server = ( "" => (("host" => "127.0.0.1","port" => 8443)))
}
else {
url.redirect = ( "" => "/" )
}
}
}

複製代碼

This is the only change needed on the v2ray router.

$HTTP["host"] == "nogfw.cf" {
....
}
else {
$HTTP["host"] == "testhost.ddnsfree.com" {
...
}

複製代碼

Reboot router and then
1. Use browser to access nogfw.cf, verify the valid certificate issued by cloudflare for nogfw.cf
2. Use browser to access testhost.ddnsfree.com, verify the valid certificate issued by Let's encrypt for testhost.ddnsfree.com

作者: tomleehk 時間: 2019-9-28 14:12

本帖最後由 tomleehk 於 2019-10-5 18:37 編輯

Create a new endpoint option at your v2ray client

Using Kitsunebi as illustration,
the client configuration for the new endpoint option should have

Address - nogfw.cf
Port - 443
UUID - c50bf28e-98cd-a351-b8d5-d60d56c376c7
Alterid - 64
Security - auto
Network - ws
Path - /vpath
Host - nogfw.cf
TLS - check

Test and verify both the new endpoint option(using nogfw.cf) and,
the original endpoint option(using testhost.ddnsfree.com)
http://www.telecom-cafe.com/foru ... =7749&pid=47346
can access the v2ray server properly in parallel.

作者: tomleehk 時間: 2019-9-28 22:34

本帖最後由 tomleehk 於 2019-9-28 22:51 編輯

Modification to v2ray configuration and certificate on the webserver

There is
1) NO NEED to change the original v2ray configuration, and
2) NO NEED to change the original certificate on the webserver

作者: tomleehk 時間: 2019-9-28 22:43

本帖最後由 tomleehk 於 2019-9-29 20:03 編輯

Comment

This CDN approach has a disadvantage that it unavoidably slows down the v2ray throughput since normally your v2ray router and CDN are located at different geographical zones. Therefore, at your client, it is better to allow endpoint options to access your v2ray router via cloudflare and via the original domain in parallel.

If the original domain option can be used, keep using it.
If the original domain ip is blocked, switch to use the CDN endpoint option.

拯救被墙的IP，CDN + v2ray，安全的科学上网方法
https://blog.sprov.xyz/2019/03/11/cdn-v2ray-safe-proxy/

作者: tomleehk 時間: 2019-9-28 22:46

[Reserved]

歡迎光臨電訊茶室 (http://telecom-cafe.com/forum/)

Powered by Discuz! 7.2