ATGFW.ORG (翻牆網)
Across The Great FireWall, We Can Reach Every Corner In The World.

How to Share One Circumvention Channel Between Several Computers

Written by Wai Tam on 2014/07/27

★ Introduction

  Around New Year's Day I wrote parts 6 and 7 of the series "How to Hide Your Tracks and Avoid Cross-Province Arrest", titled "Hiding Your Public IP with a Virtual Machine". Afterwards quite a few readers asked in the comments how software in different virtual machines can share one circumvention proxy.
  So today I will talk about "sharing a circumvention channel between several computers". The tricks described here work between virtual machines, and just as well between physical machines (PCs, tablets, phones).

  By the way: at the end of "Hiding Your Public IP with a Virtual Machine (Illustrated Configuration)" I added a section called "Verifying the Isolation of the Virtual Machine". If you rely on a VM to hide your public IP, remember to verify that isolation; it is cheap insurance.

★ Preparation

  Many readers of this blog are not IT people, so first some basics in plain language.

◇ What is "climbing the wall" (circumvention)?

  If you are new to the topic, start with my article "How to Climb the Wall". It covers the ground thoroughly and is a good starting point for beginners.

◇ What is a "proxy"?

  A proxy is a relay: it passes your traffic on for you, and that detour is what gets you around the GFW.
  A circumvention proxy usually has two parts: the proxy client, installed on your computer, and the proxy server, which normally sits outside the wall (abroad). When you browse through a proxy, your browser does not connect to the target site directly; the data takes these steps:
1. The browser sends the request to the proxy client.
2. The proxy client sends it to the proxy server outside the wall.
3. The proxy server sends it to the target website.

◇ What is a "listening port"?

  To do its job, the proxy client normally opens a "listening port". The browser connects to the proxy client through that port; only once the connection exists can it hand data to the proxy. A port number is an integer between 1 and 65535.

◇ How to see which listening ports are open on this machine

  On Windows, run the following in a command prompt (run cmd to open one); it lists every listening port on the machine.
netstat -an | find "LISTEN"

  A reader asked in the comments, so one addition: netstat's -o option shows which process (by PID) opened each listening port. The command is
netstat -ano | find "LISTEN"

◇ What is the "bind address" of a listening port?

  Taking the VM on my desk as an example, the command above prints a line like
TCP  127.0.0.1:8118  0.0.0.0:0  LISTENING

  Here 127.0.0.1 is the address the listening port is bound to and 8118 is the port number. The "bind address" determines on which interface the port accepts connections.
  127.0.0.1 is the machine's own loopback address, so a port bound to 127.0.0.1 only accepts connections from programs on the same machine.
  To make a listening port accept connections from anywhere, including other computers, bind it to 0.0.0.0, which means "every interface on this machine". Keep in mind what that implies: the port is then reachable from every network the machine is attached to, not just the one you intended, unless a firewall limits it. If the machine has a fixed address on the LAN you want to share with, binding to that specific address is the tighter choice.
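To make the netstat check above repeatable, here is an added example (my code, not from the original post) in Python that parses `netstat -ano` output and reports which TCP listeners accept connections from other hosts, that is, everything not bound to a loopback address. The sample output below is constructed for the example; its port numbers and PIDs are invented. On a real machine, feed the actual output of `netstat -ano` to `exposed_listeners`.

```python
import ipaddress
from typing import List, NamedTuple

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:8118         0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       4
  TCP    192.168.56.1:8087      0.0.0.0:0              LISTENING       3308
  TCP    [::1]:8118             [::]:0                 LISTENING       4120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1700
"""


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    pid: int


def split_addr(text: str):
    """Split '127.0.0.1:8118' or '[::1]:8118' into (address, port)."""
    host, port = text.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_netstat(output: str) -> List[Listener]:
    """Return every TCP socket in LISTENING state from `netstat -ano` output.
    Header lines and UDP lines (which have no State column) are skipped."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, port = split_addr(fields[1])
        listeners.append(Listener("TCP", addr, port, int(fields[4])))
    return listeners


def reachable_from_network(listener: Listener) -> bool:
    """True if the bind address accepts connections from other hosts.
    Only loopback (127.0.0.1, ::1) is local-only; 0.0.0.0 and :: (all
    interfaces) and real interface addresses are all reachable from outside."""
    return not ipaddress.ip_address(listener.addr).is_loopback


def exposed_listeners(output: str) -> List[Listener]:
    """Listeners that other machines can connect to."""
    return [l for l in parse_netstat(output) if reachable_from_network(l)]


if __name__ == "__main__":
    for l in parse_netstat(SAMPLE_NETSTAT):
        scope = "EXPOSED" if reachable_from_network(l) else "local  "
        print(f"{scope}  {l.addr}:{l.port}  pid {l.pid}")
```

In the sample, port 8118 (the proxy) is bound to loopback only, while 12345 (the forwarded port introduced later in the post), 135, 445 and the 8087 listener on the host-only adapter address are reachable from the network; the report makes that visible at a glance, which is exactly the check to run after each change in this article.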

◇ Watch the firewall configuration

  In "Hiding Your Public IP with a Virtual Machine" I warned in red to be careful with the firewall settings. Plenty of people still tripped over the firewall and lost all their work.
  So once more:
Be especially careful with the operating system's firewall settings. Many "the proxy cannot connect" problems are simply a firewall that was never configured to allow the connection.

★ How to share a circumvention proxy

◇ The problem

  Most circumvention proxies provide an HTTP proxy port (the "listening port" described above). The trouble is that many of them bind that port to 127.0.0.1, so only software on the same machine can use the proxy; software on other computers cannot reach the port.

◇ Solution 1: change the configuration

  The simplest fix is to change the tool's configuration so that the proxy port binds to 0.0.0.0.

Freegate (自由门)
Open its settings, click "More settings", then tick "Use Freegate as a server" to bind the listening port to 0.0.0.0.
GoAgent
GoAgent keeps its configuration in proxy.ini. Open the file, find the [listen] section and change the 127.0.0.1 under it to 0.0.0.0.

  Unfortunately many circumvention tools offer no configuration file in which the bind address can be changed. So below I describe a general trick that needs no configuration file and works for any proxy: it makes the proxy's listening port usable from other computers.

◇ Solution 2: port forwarding

  "Port forwarding" in plain terms means that whatever arrives on listening port A is passed on to listening port B.
Port B is the port your circumvention tool already opened.
Port A is newly opened, with bind address 0.0.0.0.
  Other computers then use port A as their proxy port: they send everything to port A, and the port forwarder relays it to port B (the tool's own port). The proxy itself needs no change; from its point of view every connection still arrives from 127.0.0.1.

★ How to set up port forwarding

  Port forwarding is the heart of this article, so it gets a chapter of its own.
  There are many tools for the job; searching for "TCP proxy" or "TCP redirection" turns up dozens of programs and solutions. Since many readers are beginners, I picked the two simplest methods.

◇ Using netsh, which ships with Windows

Preparation
On Vista and newer Windows versions (Win7, Win8, ...) this method works out of the box.
On Windows versions before Vista (WinXP, Win2003) the IPv6 protocol stack has to be installed first:
1. Log in as an administrator and open "Network Connections" in the Control Panel.
2. Right-click "Local Area Connection" and choose "Properties".
3. In the Properties dialog click "Install".
4. In the "Select Network Component Type" dialog choose "Protocol" and click "Add".
5. In the next dialog choose "IPv6" and click "OK".

Command reference
(The following commands require administrator rights.)
Add a port forwarding rule:
netsh interface portproxy add v4tov4 listenport=NEW_PORT listenaddress=NEW_BIND_ADDRESS connectaddress=TARGET_ADDRESS connectport=TARGET_PORT protocol=tcp

Delete a port forwarding rule:
netsh interface portproxy delete v4tov4 listenport=NEW_PORT listenaddress=NEW_BIND_ADDRESS

Worked example
Say a Tor bundle is already running locally and its HTTP proxy port is 8118, bound to 127.0.0.1.
I want a new port, number 12345 (an arbitrary choice; any free port will do), bound to 0.0.0.0.
Then run the command below. Afterwards, traffic sent to port 12345 is forwarded to port 8118.
netsh interface portproxy add v4tov4 listenport=12345 listenaddress=0.0.0.0 connectaddress=127.0.0.1 connectport=8118 protocol=tcp

To be safe, run the netstat command from earlier and check the open ports. If everything worked you will see a line like
TCP  0.0.0.0:12345  0.0.0.0:0  LISTENING

To remove the forwarding rule again, run
netsh interface portproxy delete v4tov4 listenport=12345 listenaddress=0.0.0.0
Afterwards netstat no longer shows a listener on 12345.

Advantages
No third-party software is needed.
Once set, the rule stays in effect, even across reboots.

Disadvantages
Administrator rights are required to run the commands.
The method is Windows-only.
Because the rule persists, it also keeps exposing the proxy after you have forgotten about it; delete it when you no longer need it. And a listener on 0.0.0.0 is still subject to the Windows Firewall, so an inbound rule for the new port may be needed before other machines can connect.

◇ Using rinetd

Getting the software
rinetd is a tiny, cross-platform, open-source tool that provides TCP port forwarding. Its website (linked in the original post) offers packages for Linux and Windows. Since most readers use Windows, I describe the Windows version.
Download rinetd.zip and unpack it. It contains several files, including the source code; you only need rinetd.exe.

Writing the configuration file
rinetd's configuration file is a plain text file with one forwarding rule per line. Each rule has four space-separated fields:
bind_address listen_port connect_address connect_port

Configuration example
Again, say a Tor bundle is already running locally with its HTTP proxy port 8118 bound to 127.0.0.1.
I want rinetd to open a new port, number 12345 (arbitrary; any free port will do), bound to 0.0.0.0.
The rule is then
0.0.0.0 12345 127.0.0.1 8118

Running it
Save the rule in a file called config.txt (any name works) in the same directory as rinetd.exe.
Run cmd, change into the directory containing rinetd.exe and execute
rinetd.exe -c config.txt

After that the cursor in the command window stops moving. rinetd has not hung; it is running. Do not close this cmd window. To be safe, open a second cmd window and run the netstat command from earlier. If everything worked you will see a line like
TCP  0.0.0.0:12345  0.0.0.0:0  LISTENING
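The forwarding that netsh portproxy and rinetd perform is plain TCP relaying, and the rule format above is simple enough to implement directly. The following added example (my code, not rinetd's or netsh's) parses rinetd-style rules, runs a small TCP forwarder in Python, and flags rules whose bind address makes the forwarded port reachable from other hosts. Its self-test stands an echo server in for the proxy and keeps everything on 127.0.0.1 so that running it exposes nothing; treating listen_port 0 as "pick a free port" is a convenience of this example, not a rinetd feature.

```python
import ipaddress
import socket
import threading


def parse_rinetd_rules(text):
    """Parse rinetd-style rules: 'bind_addr listen_port connect_addr connect_port'.
    Blank lines and '#' comments are skipped. Returns a list of 4-tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed rule: {raw!r}")
        bind_addr, listen_port, connect_addr, connect_port = fields
        rules.append((bind_addr, int(listen_port), connect_addr, int(connect_port)))
    return rules


def exposed_rules(rules):
    """Rules whose bind address accepts connections from other hosts
    (anything that is not loopback; 0.0.0.0 means every interface)."""
    return [r for r in rules if not ipaddress.ip_address(r[0]).is_loopback]


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _bridge(client, upstream):
    """Relay in both directions, then close both ends."""
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


class PortForwarder:
    """Accept on (bind_addr, listen_port) and relay every connection to
    (connect_addr, connect_port): one rinetd rule / one portproxy entry."""

    def __init__(self, bind_addr, listen_port, connect_addr, connect_port):
        self.target = (connect_addr, connect_port)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_addr, listen_port))  # port 0: OS picks a free port (example only)
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:  # listening socket was closed
                return
            try:
                upstream = socket.create_connection(self.target, timeout=5)
                upstream.settimeout(None)
            except OSError:  # the proxy behind us is not listening
                client.close()
                continue
            threading.Thread(target=_bridge, args=(client, upstream), daemon=True).start()

    def close(self):
        self.sock.close()


def start_echo_server():
    """Stand-in for the proxy: echoes whatever it receives. Loopback only."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(4)

    def run():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data)

    threading.Thread(target=run, daemon=True).start()
    return srv


def demo_roundtrip(payload=b"GET http://example.invalid/ HTTP/1.1\r\n\r\n"):
    """Send payload through forwarder -> echo server and return what comes back."""
    echo = start_echo_server()
    # Same shape as the rule in the post, but bound to loopback for the demo.
    rule = parse_rinetd_rules(f"127.0.0.1 0 127.0.0.1 {echo.getsockname()[1]}")[0]
    fwd = PortForwarder(*rule)
    try:
        with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    print(demo_roundtrip())
    print(exposed_rules(parse_rinetd_rules("0.0.0.0 12345 127.0.0.1 8118")))
```

The forwarder never looks inside the bytes it relays, which is why the method works for any proxy protocol (HTTP, SOCKS or anything else). It also means the forwarder adds no access control of its own: `exposed_rules` is there to remind you that a rule starting with 0.0.0.0 hands the proxy to every host that can reach the machine.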

Advantages
The program is tiny (the whole download is a bit over 100 KB), portable, and uses almost no system resources.
No administrator rights are needed (on Linux this holds as long as the listening port is above 1023).
Cross-platform.

Disadvantages
rinetd exits whenever you shut down or log out and has to be started again next time (for convenience, add its start command to the Windows startup items).

★ How to share a circumvention VPN

◇ The problem

  With a VPN, all network software on the machine automatically goes through the VPN server, but software on other computers cannot use this machine's VPN tunnel.

◇ Solution: Privoxy

  A VPN works differently from a proxy: the VPN client does not open a listening port of its own, so the port forwarding described above does nothing for a VPN.
  No matter: run a web proxy or SOCKS proxy on the VPN machine, bind its listening port to 0.0.0.0, and software on other computers can reach the Internet through this machine's VPN. Since most people circumvent in order to browse the web, I focus on Privoxy.

Getting the software
Privoxy is a long-established, cross-platform, open-source web proxy; its website is linked in the original post.
The site offers an exe installer and a zip archive (no installation needed). Pick whichever you prefer (I like the portable zip).

Editing the configuration file
Privoxy listens on port 8118 by default, bound to 127.0.0.1. For other computers to connect, the bind address has to change.
Privoxy's configuration file is config.txt. Open it and search for listen-address; you will find the line
listen-address  127.0.0.1:8118
Change it to
listen-address  0.0.0.0:8118
and you are done. Note that this turns Privoxy into an open proxy on every network the machine is attached to: anyone who can reach port 8118 can browse through your VPN. The same config.txt has an access-control section (the permit-access and deny-access directives) that limits which client addresses may use the proxy; restrict it to your own LAN, and let the firewall block the port everywhere else.

Running it
Double-click Privoxy.exe.
To be safe, run the netstat command from earlier and check the open ports. If everything worked you will see a line like
TCP  0.0.0.0:8118  0.0.0.0:0  LISTENING

★ How to share a circumvention tool running inside a virtual machine

  (If virtual machines are new to you, see my tutorial series "Operating System Virtual Machines for Beginners".)
  Some readers (myself included) dedicate a separate virtual machine (guest OS) to circumvention tools and put nothing else in it. One benefit: even if a circumvention tool contains a backdoor, it cannot threaten the real system (host OS).
  So how do you share a circumvention tool running in a VM with other computers (systems other than the host OS)?

◇ Step 1

  First apply the methods described above inside the VM:
if you use a proxy, set up port forwarding;
if you use a VPN, start a web proxy.

◇ Step 2

  Then configure the VM's network adapter. There are two ways.

NAT mode adapter
You have to add a port mapping. All mainstream VM software (VMware and VirtualBox included) has this feature.
It works much like the port forwarding above: a port on the host OS is mapped to a port on the VM's NAT adapter. Other computers connect to the host's port, and the VM software relays the connection into the guest.
The configuration is somewhat fiddly. If you are not comfortable with networking and VMs, I do not recommend it; switching to bridged mode is easier.

Bridged mode adapter
With a bridged adapter it is simple: no extra configuration is needed.
A bridged virtual adapter is visible to the network outside the host OS; other computers can reach the adapter directly, so their software can connect straight to the proxy port inside the VM. The flip side is that the guest is now an ordinary host on the LAN, so its own firewall settings and the bind address of the proxy port matter just as much as on a physical machine.

★ Closing

  That is all for now. If you have questions about this topic or run into trouble in practice, leave a comment on the original post and I will try to answer.
Copyright notice
The author retains the copyright on all original articles on this blog. Reposts must include this notice, keep the article intact, and credit the author 编程随想 (program-think) with a hyperlink to the original address:
http://program-think.blogspot.com/2013/01/cross-host-use-gfw-tool.html

GoAgent updated to v3.1.19 stable, less stuttering

Written by Guests Zhen on 2014/07/21

GoAgent 3.1.19 stable download: http://goo.gl/qFyRk

Announcement

  • If your router keeps dropping the connection, lower the value of [gae] window.

Recent updates

  • [07-20] 3.1.19 stable release, reduces stuttering.

Quick tutorial

  • Deploying GoAgent
    1. Sign up for Google App Engine and create an appid.
    2. Download the latest GoAgent from https://code.google.com/p/goagent/
    3. In local\proxy.ini, under [gae], set appid=YOUR_APPID (separate multiple appids with |).
    4. Double-click server\uploader.bat to upload. Once it succeeds, the proxy is ready at 127.0.0.1:8087.
      • On macOS/Linux, run cd server && python uploader.zip in a terminal.
  • Using GoAgent
    • Chrome: install the SwitchySharp extension (drag SwitchySharp.crx onto the extensions page), then import SwitchyOptions.bak.
    • Firefox: install FoxyProxy. Firefox also needs the GoAgent certificate imported; see the FAQ.
    • IE/Opera: right-click the goagent.exe tray icon and set the IE proxy.


Lantern updated to 1.4.2, open beta, no invitation needed!

Written by Guests Zhen on 2014/07/16

Lantern client 1.4.2 download: https://github.com/getlantern/lantern/releases
[Must-read for new users]:
1. Lantern is free, but the project is fundraising: https://www.indiegogo.com/projects/fund-internet-freedom-with-lantern
2. Lantern does not support phones or tablets.
3. Google Chrome and Java must be installed before Lantern; the Java build (32/64-bit) must match the Chrome build.
4. If the installer complains about "insufficient disk space", see https://github.com/getlantern/lantern/issues/1469
5. After installation, if you see an endless spinner, a white error box, or it gets stuck at "Google Talk...", the workaround is to connect through a VPN. I suggest PoVPN, which gives one free day of VIP; choose the Hong Kong route and enable "global acceleration": http://t.cn/RvXY1l3
6. New users cannot add friends; Lantern defaults to "auto proxy" and adds itself to the startup items.
7. Lantern installation and usage tutorials: http://www.atgfw.org/2013/11/lantern-for-xp.html http://www.atgfw.org/2013/11/lantern-for-win7.html
8. If Lantern is slow or does not work well for you, choose another circumvention method, or ask me for a recommendation.

Project home: https://getlantern.org/
Official download links:
Windows https://s3.amazonaws.com/lantern/newest.exe
Mac OS X https://s3.amazonaws.com/lantern/newest.dmg
Linux https://s3.amazonaws.com/lantern/newest-64.deb
Source: https://plus.google.com/106594138319562877946/posts/87Rr82CDTbE

Android app: unlimited free circumvention with Xunlu VPN (寻路VPN) V1.320, no technical knowledge needed

Written by Guests Zhen on 2014/07/13

One tap and you are online without restrictions: Twitter, Facebook, YouTube and the rest of the world's best sites.
Optimised for mobile use; it stays online even after toggling airplane mode.

Features:
* No registration, no setup
* No speed limit, no traffic limit
* Smart routing: domestic sites bypass the proxy
* Proxies in several countries; one-tap speed test to pick the fastest route
* Free without time limit, but route selection requires a purchase.
Keywords:
科学上网, VPN, privacy, safe browsing, 翻墙, Twitter, Facebook, YouTube, fqrouter, shadowsocks

[7-10] V1.320 update:
Improved connectivity to different countries.

Lifting the 7-minute limit:

Method 1: after connecting, open the process manager and stop Xunlu's background process.
Method 2: set the system language to English; the limit then does not apply.

Google Play download: https://play.google.com/store/apps/details?id=com.biganiseed.reindeer&hl=zh_CN
Note: if Play is unavailable, download from http://zh.swably.com/a/16325?r=reindeer_playstore

Building a global virtual network across physical boundaries: an introduction to ZeroTier One

Written by Guests Zhen on 2014/07/10

What is ZeroTier One?
Imagine that in the near future we can reach a network anywhere on the planet over an invisible wire. ZeroTier One provides that: it emulates a virtual network hub, a more open kind of network, in which certificate and key setup, link configuration and routing are all automatic.

Project home: https://www.zerotier.com/

Downloads:
Windows (7, 8, Server 2008+)
Macintosh (Intel 10.6+)
More platforms and open source
Joining is simple: download the ZeroTier One build for your system from the project home https://www.zerotier.com/ and install it.

After installation a new virtual network interface appears on the system.
The application window is shown in the (omitted) screenshot; click [OK] on the right.
Go to [Create and Control Networks] on the right of the project home and [Sign In] to create or manage networks.
You can register an account there directly, or sign in with a Google account if you have one.

After signing in, follow the prompts: enter a name for the network you want to create
and click [create network] to create a virtual network.
Once created, set the network's properties as needed:
[Description:]
[Access Control: Private Network (uncheck to make network public)]
[Frame Types Allowed: IPv4 / IPv6 / IPX / No Filtering]
[IPv4 Addressing: Do Not Manage Assignment (let OS or user do it) / Have ZeroTier Assign IPv4 Addresses]
[Broadcast: Enable Wildcard MAC (ff:ff:ff:ff:ff:ff)]
The [Network ID] is the piece of information others need in order to join your network; without this ID they cannot request to join.

Back in the ZeroTier One main window, type the 16-digit Network ID (for example 8056c2e21c9cbec2) into the Network ID field at the lower right to request to join that network.

The network administrator authorises members at https://www.zerotier.com/admin.html (paying users can enable bridging and are not limited to 10 members).

As the network's administrator, you should also enter your network ID in the ZeroTier One main window, authorise yourself, and stay online, so that others can reach the wider Internet through your network.

Quick Start

Getting the Software

Download ZeroTier One, install it, and run the app.
If you're running Linux or have built from source, see the command line wiki for instructions on how to control ZeroTier One from the command line. More information about Linux installation can be found here.

How It Works: ZeroTier Addresses and Network IDs

Two kinds of numbers control everything. They look like this:
2cf72b4985
- The author's laptop's ZeroTier address
8056c2e21c000001
- Network ID of Earth, a public network
A 16-digit network ID identifies a virtual network; a 10-digit address identifies a device.
To join a network from a device, enter the network's ID and click "Join." To authorize a device to join a private network, log in to the network administration interface and authorize it by its address. (Public networks don't require authorization. Anyone can join them.)
These numbers are not secrets. They're safe to freely distribute. The graphical control panel has a convenient feature to make it easier for users to send these numbers around: if you click on your computer's address (shown in the lower left hand corner) or a network ID, it is automatically copied to the clipboard. This makes it easy to paste it into a chat window, an e-mail, etc.
>> Hey, can you add my new laptop to the company network? It's 01d34db33f.
Those two kinds of numbers are all there is to it.

Use Cases and Patterns for Deployment

What about the intricacies of deployment in a larger organization? These patterns should help you get started. They are listed from easiest to most complex. If you're starting from scratch we recommend starting with a fully virtual LAN and then proceeding to bridging when/if you need it.
The third option (gateway / firewall) is more or less mutually exclusive to the first two and is against the "spirit" of project, but it can be used to allow users in highly restricted networks to access remote virtual LANs.
For each pattern: How? / Who? / Why? / Why not?

Virtual LAN
How:
  • Install ZeroTier One on everything and use a virtual LAN as your primary network.
  • If you have physical LANs, use them as commodity net access pipes only.
Who:
  • Groups with no legacy network infrastructure who want to start fresh with full network virtualization.
  • Organizations with no physical site, like mobile teams and startups without offices.
  • Associations that inherently span physical boundaries, like academic collaborations between universities.
Why:
  • Almost zero configuration: create a network, install the software, and join it!
  • Network is completely mobile and location-agnostic.
  • Can evolve into the next pattern with no reconfiguration of existing systems.
Why not:
  • Only devices that can run ZeroTier One can participate.
  • No mobile support yet. Several options are in development.
  • Small performance hit vs. a naked physical LAN due to encryption and protocol overhead.

Bridged Physical and Virtual
How:
  • Install ZeroTier One on an always-on server at a physical site and bridge the virtual interface to the physical one.
  • Also install the software on mobile machines and remote desktops, giving each a "virtual wire" to the physical LAN.
Who:
  • Organizations with a central location and existing infrastructure that want something more like a conventional VPN.
  • Users who want to connect legacy systems and "dumb" devices (printers, faxes, etc.) to a virtual LAN.
Why:
  • Preserves existing network configuration.
  • Connects old OSes and devices that can't run ZeroTier One.
Why not:
  • Requires an always-on gateway server such as a Linux router and some system administration.
  • Uses more bandwidth since each active bridge must get almost all multicast/broadcast traffic.
  • Complexities may arise when mobile users are also on the physical LAN.

Virtual Network Behind Gateway
How:
  • Install ZeroTier One on a firewall or gateway box and treat the virtual LAN as an external network.
  • Set up routes and firewall rules to enable access.
Who:
  • Organizations with security restrictions prohibiting open bridging to a mobile network or the installation of software like ZeroTier One on internal systems.
Why:
  • Broadcast domain isolation and fine-grained IP/port control for better security isolation.
  • Uses a little less bandwidth than a bridged configuration.
Why not:
  • Requires the most configuration and administration.
  • Announcements like mDNS/Bonjour and NetBIOS will not work without special setup.
Virtual LAN
Instead of setting up a LAN and then figuring out how to access it remotely or just entrusting everything to the cloud, why not virtualize? For a small team you can have a virtual LAN running in just a few minutes.
1. Install ZeroTier One on all the systems that you wish to be a part of your network. This may include desktops, laptops, physical servers, and virtual systems in the cloud.
2. Create a network for your organization. For simple networks we recommend using ZeroTier's built-in IP assignment feature. Select an IP range that is unlikely to conflict with home networks and coffee shop WiFis and that provides enough room for all your devices. The pull-down box provides some suggestions.
3. On each device, join your new network via its 16-digit network ID. Unless you've made your network public or pre-authorized all your devices by entering their addresses on the web, ACCESS_DENIED will be shown as the network's status.
4. Return to the control panel. The 10-digit ZeroTier addresses of the devices you've connected should now be listed. If you recognize them, click the check box beside each address to authorize it. It might also be helpful for future reference to enter a description for each in its notes field.
Over the next few minutes the network status on each device should change to OK and it should get an IP address. You'll see these assignments appear on the web control panel too. You now have an imaginary office LAN that works no matter where you or anyone else is physically located.
From this point forward, treat the virtual interface on each device as if it were plugged into your office network switch. When you set up internal services such as wikis, source control systems, bug trackers, domain controllers, file shares, etc., configure them to bind and allow traffic to/from this interface's address. Treat your "real" network the way you would treat a hotel WiFi: as a pipe to access the Internet and nothing more.
Everything that works over an ordinary ethernet should work on your virtual one, even iTunes music sharing and LAN games.
Bridged Physical and Virtual
Bridging is presently an experimental feature. See this blog post. In-depth documentation is coming shortly.
Virtual Network Behind Gateway
You're a network administrator at a high-security national lab, and security restrictions prohibit you from installing anything like ZeroTier One behind your firewall. Some of the users on your network want to access a virtual LAN belonging to an academic collaboration spanning several universities. How do you allow this?
The easiest answer may be to install ZeroTier One on a system outside your firewall, such as in the DMZ or even entirely outside your network boundary. Give this box's 10-digit address to the administrator of the virtual network you want to join, and join it. This gateway will get an IP on the virtual net, an address that you will treat as if it were an external IP on the open Internet.
The easiest approach is to set up your virtual LAN gateway as a "masquerading" NAT router. Configure it to statically NAT traffic from your internal IP range to appear behind the gateway's IP on the virtual network and enable connection tracking. Finally, configure your core router to route traffic to the virtual network's IP space via the gateway. If people on the virtual LAN also need to connect in to services behind your firewall, you can accomplish this by mapping ports on the gateway's virtual LAN IP (which you're treating as external) back into your LAN to their appropriate destinations.
If you want to actually map the virtual LAN's IP range into your internal network without employing NAT, you'll have to collaborate with the administrators of the virtual network and give them your internal IP range. They will have to add routes to this range via your gateway, allowing users of the virtual ethernet to "see" your internal LAN. Using firewall rules on the gateway or on your core router you can still control which IP:port combinations are permitted entry and exit.
This configuration looks almost identical to a NAT router on the open Internet. As such, it sort of breaks the paradigm and defeats the purpose. It's by far the most inconvenient of any option presented here. But for some users it might be the only option available.
Exact configuration details are beyond the scope of this document, but there are many guides and helper applications for operating systems like Linux to assist in firewall rule configuration. Just remember that you're treating your gateway's virtual network interface to the virtual LAN as if it were an interface to a broadband modem or other Internet connection.

Troubleshooting Firewall Issues

Complete instructions for configuring your local firewall are beyond the scope of this guide since every operating system (or third party firewall app) works differently, but here are some guidelines to get you started.
Virtual networks look like any other kind of LAN or WiFi network to your operating system, so traffic over them is subject to local firewall rules. (This differs from some VPNs.) If you find it impossible to communicate— or especially if others find it impossible to communicate with you— it is likely that your local firewall is blocking traffic.
Many firewalls have two ways of treating a network: a "public" or "untrusted" mode and a "home or office network" or "trusted" mode. More restrictive rules are applied to the former, while the latter is subjected to less restriction or none at all. Since your firewall doesn't know anything about ZeroTier, it's likely that it will place its virtual networks in the untrusted category until you tell it otherwise. You may have to change this to allow others to access services on your computer. (On the other hand, if you're trying out public networks you may want to leave those in untrusted mode.)
Many firewalls block ICMP PING messages. If a user cannot ping you, you may still be able to communicate.
Some firewalls may interfere with ZeroTier One itself. The first time you install, you may receive a dialog box asking you if you want to allow the ZeroTier One service to communicate with the Internet. At a minimum, your firewall must permit the establishment of outbound UDP conversations to the Internet on port 9993 or TCP connections on port 443. (UDP is strongly preferred, TCP is fallback only if UDP fails.) If a firewall blocks or interferes with both paths, nothing will work.

More Information

The Github project wiki hosts technical FAQs, operating system specific guides, and other detailed information.

Public Networks

The World Was Flat

In the beginning, the Internet had a flat address space. Almost any system online could connect to any other. Want to send me a file? Here, FTP it to my computer. Here's my IP address.
When the network opened to the public, operating systems and applications proved too insecure and unreliable to weather the exposure. Firewalls were put in place, a mitigation strategy that seems to have become permanent. This helped protect insecure services from abuse, but also made formerly trivial operations very difficult. Want to send me a file? Hmm... let's see. Can you open a port? Got a Dropbox account? Too big? Make a torrent? Oops, my firewall doesn't allow torrents. Mail me a USB stick?
Security has improved dramatically since those days, but most users and IT departments still prefer to have firewall barriers in place. Programmers continue to write insecure code, operating systems continue to have poor service and app isolation, and users continue to engage in bad security practices like unprotected drive sharing and the use of easily guessable passwords.

Back to the Future

But you're adventurous. You have an up-to-date system. You know how to configure things correctly.
ZeroTier One creates virtual networks that span physical boundaries, including firewalls. Most users will want these to be private gated communities, but they can also be open. In the control panel you'll notice a check box labeled "private" for each network. It's checked by default. Un-check this box and you've created a public network. Anyone can now join. All they need is the network's 16-digit ID.
You can also join Earth. It's exactly what it sounds like: a virtual coffee shop WiFi network for the entire planet. Just join 8056c2e21c000001 and you're there.
It's a network with no tiers. Now you know where ZeroTier's name originated. It was the pain of collaboration on the firewall-studded locked-down Internet that inspired the development of this app.

Disclaimer

Security is your responsibility!
There's nothing special about ZeroTier public LANs. When you connect at a hotel, coffee shop, university, airport, or conference center, you are also joining an untrusted network. Securing your system is always a good idea.
Make sure your operating system is up to date. Turn off remote services that you don't need running and make sure any that are open are protected by strong passwords (unless you actually want them open to the world). Most operating systems have local firewalls as well, and these can help protect you from unwittingly sharing things you don't want open.
If none of that makes sense to you, we recommend learning a bit about security and how to configure network services before experimenting with these networks.

Funding Internet Freedom!

Written By Guests Zhen on 2014/07/02 | 2.7.14

Hello Lantern friends,

Lantern needs your help!  We just launched a fundraising campaign on Indiegogo to raise 70K to match a large grant that covers our server, development and outreach costs. Please give if you can and help us spread the word by sharing this email with your friends.
 

We also want you to be the first to know that our next release is almost ready and it’s a big one. The new version will allow users to download Lantern without an invitation and proxy traffic without friends. These changes exponentially increase access for users in censored countries. There are some other exciting features so stay tuned.

Over a quarter of the world's population lives subject to online censorship. We can change that right now with your help. Thanks for making a difference by supporting Lantern.

-Team Lantern

GoGo Tester 2 stable release: finds the Google IPs that work, and work well, for you, and fixes GoAgent's red and yellow warnings

Written by Guests Zhen on 2014/06/23

A very handy tool for scanning which Google IPs are blocked: gogo-tester (GGC IP tester), homepage https://code.google.com/p/gogo-tester/

Downloads:

Dropbox: https://www.dropbox.com/sh/ne7hyc900t8spq0/AACSe-g951pBrg0FD6-Z4FNaa
Baidu Pan: http://pan.baidu.com/s/1jG40o1w

The standard test checks whether an IP is usable; an IP that passes can generally be used in GoAgent (nicknamed "阿根廷" in the community). You find the Google IPs yourself.

The proxy test runs the check through GoAgent itself; the tool has to be placed at the same directory level as GoAgent, and gogo-tester 2.1-11 only supports testing under GoAgent 3.18.

Advice for GoAgent users: if you are on a version older than GoAgent 3.18, put as many IPs as possible in your iplist and avoid the ones everybody else uses; spreading the load keeps IPs from being burned too quickly (my guess).

Norton reports [WS.Reputation.1]. That is not a malware detection, just Norton not recognising the file; details at http://bbs.kafan.cn/thread-1204673-1-1.html

I see people still hunting for IPs to test by hand. The program has 1.03 million+ IPs built in; hit [Random test] and you have IPs.

If the program will not start, install .NET Framework 3.5 first: http://www.microsoft.com/zh-cn/download/details.aspx?id=22

  • Please read the following notes carefully:

    1. If you prefer testing IPs by hand, or have doubts about this tool's security, please ignore this tool.
    2. Testing shows that with 100 threads, a random test of 100 IPs ends with 2500+ idle connections. If scanning causes your connection to drop, set the thread count below 5 so the idle connections do not go through the roof.
    3. XP users: raise the maximum number of half-open connections to the maximum, 1024.
    4. If the IPs you find keep getting reset, set the thread count to 1 or 2, then go and have a cup of tea.
    5. 1e100.net is Google; do not be surprised to see connections to that domain.
    6. Do not use this tool on a weak wireless signal or when the network is busy; it opens a lot of concurrent connections while testing.
    7. The way the tool accepts SSL certificates makes some software, such as 360, and also 360, and once more 360, report unpleasant things. Ignore it.
    8. [Random test] is recommended: it yields scattered IP ranges over a wide spread, which are very hard to lose unless whole ranges are blocked. Running a [Standard test] after a [Random test] is no longer recommended.
    9. Do not rescan your results; that gets the IPs reset and makes the results less accurate. In other words, you are asking for trouble.
    10. IPs getting blocked or reset is common; a reset IP usually recovers after a few minutes. That is why GoAgent's good ip / bad ip counts keep changing.
    11. Blocking is strict at the moment, so collect plenty of IPs so that others are available once some are reset; scanning about 100 is generally enough.
    12. Do not put too many IPs in the configuration file; it burdens GoAgent, and is the reason for huge unknown ip counts.
    13. Because the tool performs multithreaded network operations, scanning may trigger a large number of IP resets. That is fine; after a while those IPs recover and can be used normally.
    14. Different ISPs have different reset policies. On the China Mobile broadband I use, IPs are mostly not reset, only a few now and then, and the good ip count stays high. China Telecom and China Netcom enforce the policy strictly and reset IPs frequently, so the good ip / bad ip counts swing a lot, but as long as browsing works (an occasional yellow warning is normal, it just means an IP was reset) and nothing stalls, ignore it. I have not used China Unicom and cannot comment.
    15. Keep scan results to yourself. Publishing IPs makes their user count spike, which raises the chance and frequency of their being blocked.
    16. If you need high-quality IPs, first make sure your network is healthy, then lower the [Test time] and test again.
    17. On a slow computer or network lower [Max threads]; the first usable IP normally appears within a minute.
    18. If testing feels slow and both your computer and network are strong, raise [Max threads] to 100.
That is all.

Project Git address:

Random test is recommended; apply the results directly.

  • 06/22/2014 - 2.2-2
    1. Added several thousand IPs
  • 06/22/2014 - 2.2-1
    1. Added several hundred IPs
    2. Max threads can now be set up to 1000; use with care on weak machines
  • 06/19/2014 - 2.2-0
    1. The standard test is now accurate enough, so the proxy test has been removed
    2. Cleaned up the IP ranges and recovered 300,000+ IPs that had been lost by oversight
    3. Max ping latency is back
  • 06/16/2014 - 2.1-13
    1. Longer wait for GoAgent start-up, which may fix proxy tests failing entirely
    2. Increased the number of non-Google proxy IPs in the pool
  • 06/15/2014 - 2.1-11
    1. Added [Apply] [to user config file] to the context menu
  • 06/15/2014 - 2.1-10
    1. Fixed a bug where the program could not be closed
  • 06/15/2014 - 2.1-9
    1. Fixed a bug where a test could not be stopped
  • 06/15/2014 - 2.1-8
    1. Corrected the ping timing
    2. Added IPs to the pool
  • 06/15/2014 - 2.1-7
    1. Added IPs to the pool
  • 06/14/2014 - 2.1-6
    1. Fixed a small bug where a random test could not be stopped
  • 06/14/2014 - 2.1-5
    1. Built-in pool of 1 million IPs
    2. Added random test with a configurable number of usable IPs wanted
    3. Default thread count raised to 40
  • 06/14/2014 - 2.1-1
    1. Fixed a file-copy problem during proxy tests
    2. Fixed the progress bar not returning to 0 after stopping a proxy test
  • 06/14/2014 - 2.1-0
    1. Right-click the table for the operations menu
    2. Standard and proxy tests now recognise whether a server is Google's
    3. The scan payload is slightly more complex, though it probably does little to confuse the GFW
    4. GoAgent proxy test no longer pops up windows; please test IPs with the GoAgent proxy test where possible
    5. GoAgent proxy test uses its own process and port, so you can keep GoAgent running and browsing while waiting for results
  • 06/11/2014 - 17
    1. Fixed a tcping latency error
  • 06/11/2014 - 16
    1. Proxy test now also supports proxy.user.ini
    2. proxy.user.ini is preferred when applying results to the config file
  • 06/11/2014 - 15
    1. Ping is now off by default
    2. Added a high-quality icon I designed, so the program is much larger
    3. [GoAgent test] renamed [Proxy test]; test logic optimised, now tests 443 or 80 in order of speed; fixed a bug causing hangs or yellow warnings during tests
    4. Fixed a TCP timeout bug
  • 06/10/2014 - 14
    1. Minor UI tweaks
    2. Option to start testing automatically or not
    3. Fixed a bug when adding an IP range
  • 06/10/2014 - 13
    1. Fixed some bugs
  • 06/10/2014 - 8
    1. Added a very fast detection method

 
Creative Commons License
Collected and compiled by ATGFW.ORG (翻牆網).