Openwrt v2ray server + tls1.3 + websocket + webserver + cert + cdn 保護篇

tomleehk

Preparation
1. A router running openwrt v2ray server + tls + websocket + webserver + cert
ref. http://www.telecom-cafe.com/foru ... &extra=page%3D1
2. A paid or free domain registration, e.g. www.freenom.com
3. A registered CDN service subscription, e.g. www.cloudflare.com
4. V2ray client ( e.g. Kitsunebi )
5. Knowledge of UNIX/openwrt
6. Concept of domain
7. Concept of CDN


Background and Target
The GFW can identify whether an ip is residential or not.
Keep using a residential ip increases the risk to be blocked by GFW.
Use CDN ip to make the residential ip of your router hidden. Only the CDN ip will be exposed to GFW whereas CDN ip is commonly and widely used by commercial website all around the world.
Therefore normally GFW will not block a CDN ip.

tomleehk

Domain Registration

Using www.freenom.com as example,

1. At http://www.freenom.com/en/index.html,
   verify the availability of your preferred domain, e.g. nogfw
   and click the <<Check Availability>> button
  
    It will then show the availability of nogfw.tk, nogfw.cf... etc.
    Select your preference by clicking the button <<Get it Now!>>
    Then click the button <<checkout>>

2. Then follow the subsequent steps which are rather straight forward.
    At the screen when you see the button <<Verify My Email Address>>
    Input your email address accordingly and
    click the button <<Verify My Email Address>>.
    Then follow the instructions, such as creating password,
    until you see your selected domain,
    e.g. nogfw.cf is registered successfully under your account

3. Your email address will be your account id.

tomleehk

CDN registration

Using www.cloudflare.com as example

1. Create an account at https://dash.cloudflare.com/sign-up
2. Login cloudflare at https://dash.cloudflare.com/login
3. At https://dash.cloudflare.com/, upper right hand corner ,
    click the button <<+ Add site>>
4. Add your domain, e.g. nogfw.cf,
    then click the button <<Add site>>,
    then follow the steps accordingly to select the plan,
    e.g. "free plan" then click <<confirm plan>> button.
5.At the screen to add DNS record for your domain, add
   CNAME, nogfw.cf, testhost.ddnsfree.com, proxied
   whereas testhost.ddnsfree.com is the domain for your openwrt v2ray router.
   
   see http://www.telecom-cafe.com/foru ... =7749&pid=47343
6. Then click the button <<Add Record>>, <<Continue>>,
    it will show a screen to change the nameservers.
7. At your browser, open a new tab and access your domain registration website.
    e.g. https://my.freenom.com/clientarea.php?action=domains
    At your domain, e.g. nogfw.cf, click the button <<Manage Domain>>
    Then click the button <<Manage Freenom DNS>> and
    Select the option <<Use custom nameservers (enter below)>>
    Then enter the nameservers of step 6 and
    then click the button <<Change Nameservers>>
8. At your browser, go back to the tab of step 6, at the buttom
    Click the button <<Done, check nameServers>>
9. Then at the support portal for your domain, e.g. nogfw.cf
    Click the button SSL/TLS, select the option "Full"

10. Then select the tab <<Edge Certificates>>
      TLS 1.3 - On
      Minimum TLS Version - TLS 1.3



If everythings are fine, nogfw.cf will be proxied to testhost.ddnsfree.com after a few minutes.

At the browser, if you access nogfw.cf, you will see the login sample webpage of
http://www.telecom-cafe.com/foru ... =7749&pid=47345

Verification
1. Use browser to access nogfw.cf, verify the valid certificate issued by cloudflare for nogfw.cf
2. Use browser to access testhost.ddnsfree.com, verify the valid certificate issued by Let's encrypt for testhost.ddnsfree.com

Therefore, you should be able to access the webpage on the openwrt v2ray router via cloudflare and via the original domain in parallel before you move on.

tomleehk

Modification to lighttpd configuration

Using lighttpd as illustration, sample configuration file should have

1. server.modules = ("mod_openssl","mod_proxy")
   
2. 
   
3. server.document-root        = "/www/webproj/"
   
4. server.upload-dirs          = ( "/tmp" )
   
5. server.errorlog             = "/var/log/lighttpd/error.log"
   
6. server.pid-file             = "/var/run/lighttpd.pid"
   
7. server.username             = "http"
   
8. server.groupname            = "www-data"
   
9. 
   
10. index-file.names            = ( "index.php", "index.html",
    
11.                                 "index.htm", "default.htm",
    
12.                                 "index.lighttpd.html" )
    
13. 
    
14. static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
    
15. 
    
16. ### Options that are useful but not always necessary:
    
17. #server.chroot               = "/"
    
18. server.port                 = 8080
    
19. #server.bind                 = "localhost"
    
20. #server.tag                  = "lighttpd"
    
21. #server.errorlog-use-syslog  = "enable"
    
22. #server.network-backend      = "write"
    
23. 
    
24. ### Use IPv6 if available
    
25. #include_shell "/usr/share/lighttpd/use-ipv6.pl"
    
26. 
    
27. #dir-listing.encoding        = "utf-8"
    
28. #server.dir-listing          = "enable"
    
29. 
    
30. include       "/etc/lighttpd/mime.conf"
    
31. include_shell "cat /etc/lighttpd/conf.d/*.conf"
    
32. 
    
33. $SERVER["socket"] == ":443" {
    
34.   ssl.engine = "enable"
    
35.   ssl.pemfile = "/www/ssl/lighttpd.pem"
    
36.   ssl.ca-file = "/www/ssl/ca_bundle.crt"
    
37.   ssl.openssl.ssl-conf-cmd = ("Ciphersuites" => "TLS_AES_128_GCM_SHA256")+("Protocol" => "-ALL, TLSv1.3")
    
38.   ssl.use-sslv2 = "disable"
    
39.   ssl.use-sslv3 = "disable"
    
40. }
    
41. 
    
42. $HTTP["url"] =~ "^/vpath" {
    
43.   $HTTP["host"] == "nogfw.cf" {
    
44.      proxy.header = ( "upgrade" => "enable")
    
45.      proxy.server = ( "" => (("host" => "127.0.0.1","port" => 8443)))
    
46.   }
    
47.   else {
    
48.      $HTTP["host"] == "testhost.ddnsfree.com" {
    
49.          proxy.header = ( "upgrade" => "enable")
    
50.          proxy.server = ( "" => (("host" => "127.0.0.1","port" => 8443)))
    
51.      }
    
52.      else {
    
53.           url.redirect = ( "" => "/" )
    
54.       }
    
55.   }
    
56. }

複製代碼

This is the only change needed on the v2ray router.

1. 
   
2.   $HTTP["host"] == "nogfw.cf" {
   
3.   ....
   
4.   }
   
5.   else {
   
6.      $HTTP["host"] == "testhost.ddnsfree.com" {
   
7.    ...
   
8.      }

複製代碼

Reboot router and then
1. Use browser to access nogfw.cf, verify the valid certificate issued by cloudflare for nogfw.cf
2. Use browser to access testhost.ddnsfree.com, verify the valid certificate issued by Let's encrypt for testhost.ddnsfree.com

tomleehk

Create a new endpoint option at your v2ray client

Using Kitsunebi as illustration,
the client configuration for the new endpoint option should have

Address - nogfw.cf
Port - 443
UUID - c50bf28e-98cd-a351-b8d5-d60d56c376c7
Alterid - 64
Security - auto
Network - ws
Path - /vpath
Host - nogfw.cf
TLS - check

Test and verify both the new endpoint option(using nogfw.cf) and,
the original endpoint option(using testhost.ddnsfree.com)
http://www.telecom-cafe.com/foru ... =7749&pid=47346
can access the v2ray server properly in parallel.

tomleehk

Modification to v2ray configuration and certificate on the webserver

There is
1) NO NEED to change the original v2ray configuration, and
2) NO NEED to change the original certificate on the webserver

tomleehk

Comment

This CDN approach has a disadvantage that it unavoidably slows down the v2ray throughput since normally your v2ray router and CDN are located at different geographical zones. Therefore, at your client, it is better to allow endpoint options to access your v2ray router via cloudflare and via the original domain in parallel.

If the original domain option can be used, keep using it.
If the original domain ip is blocked, switch to use the CDN endpoint option.

拯救被墙的IP，CDN + v2ray，安全的科学上网方法
https://blog.sprov.xyz/2019/03/11/cdn-v2ray-safe-proxy/

tomleehk

[Reserved]