A detailed tutorial: set up stunnel on a VPS and use Chrome on the client machine to get past the firewall

2016/02/13
If you have your own VPS, you can set up stunnel on it and use it to get past the firewall.

If your VPS runs CentOS/Fedora:
# yum install stunnel -y
But I did not find stunnel.conf in /etc/stunnel/; this is because the package ships no default conf file. The fix:
# yum install yum-utils -y
# repoquery --list stunnel (this command lists the files in the stunnel package)
It shows the following:
/etc/stunnel
/usr/lib/libstunnel.so
/usr/sbin/stunnel
/usr/sbin/stunnel3
/usr/share/doc/stunnel-4.15
/usr/share/doc/stunnel-4.15/AUTHORS
/usr/share/doc/stunnel-4.15/BUGS
/usr/share/doc/stunnel-4.15/COPYING
/usr/share/doc/stunnel-4.15/COPYRIGHT.GPL
/usr/share/doc/stunnel-4.15/CREDITS
/usr/share/doc/stunnel-4.15/Certificate-Creation
/usr/share/doc/stunnel-4.15/ChangeLog
/usr/share/doc/stunnel-4.15/NEWS
/usr/share/doc/stunnel-4.15/PORTS
/usr/share/doc/stunnel-4.15/README
/usr/share/doc/stunnel-4.15/TODO
/usr/share/doc/stunnel-4.15/VNC_StunnelHOWTO.html
/usr/share/doc/stunnel-4.15/faq.stunnel-2.html
/usr/share/doc/stunnel-4.15/pop3-redirect.xinetd
/usr/share/doc/stunnel-4.15/sfinger.xinetd
/usr/share/doc/stunnel-4.15/stunnel-pop3s-client.conf
/usr/share/doc/stunnel-4.15/stunnel-sfinger.conf
/usr/share/doc/stunnel-4.15/stunnel.conf-sample
/usr/share/doc/stunnel-4.15/transproxy.txt
/usr/share/doc/stunnel-4.15/tworzenie_certyfikatow.html
/usr/share/man/fr/man8/stunnel.8.gz
/usr/share/man/man8/stunnel.8.gz
/usr/share/man/pl/man8/stunnel.8.gz
The /usr/share/doc/stunnel-4.15/stunnel.conf-sample above is the template for stunnel.conf.
# cp /usr/share/doc/stunnel-4.15/stunnel.conf-sample /etc/stunnel/stunnel.conf
We will edit stunnel.conf shortly.
# cd /etc/stunnel
# openssl req -new -x509 -days 3650 -nodes -out public.crt -keyout private.key
After running the command above, public.crt and private.key are generated in /etc/stunnel.
Then edit stunnel.conf:
cert = /etc/stunnel/public.crt
key = /etc/stunnel/private.key
;chroot = /var/run/stunnel/ (note: comment out chroot = /var/run/stunnel/ by prefixing it with ; because /var/run/stunnel does not exist)
pid = /tmp/stunnel.pid (note: change the value of pid = to /tmp/stunnel.pid or /opt/stunnel.pid)
;[ssmtp] (comment out [ssmtp])
;accept  = 465 (comment out accept  = 465)
;connect = 25 (comment out connect = 25)
[https]
accept  = 440 (note: the port here does not have to be 443)
connect = 8888 (tinyproxy's port)

(Appendix:

Installing tinyproxy, a lightweight HTTP proxy

If your system is Debian/Ubuntu:
# apt-get install tinyproxy -y
The configuration file is /etc/tinyproxy.conf

If your system is CentOS/Fedora:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
(use http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm if your system is CentOS 7 x86_64)
yum update
# yum install tinyproxy -y

The configuration file is /etc/tinyproxy/tinyproxy.conf

Then edit tinyproxy.conf. Do not comment out Allow 127.0.0.1: it means only the same machine (localhost, i.e. the VPS itself) may use this tinyproxy, and every other IP on the internet is refused. The 8888 in the line "Port 8888" can be changed to another port (a four-digit one; when I changed it to a five-digit one, tinyproxy would not start), which is a bit safer.
Then start tinyproxy:
# tinyproxy
)
Then restart the stunnel service:
# killall stunnel
# /usr/sbin/stunnel
Then go back to the local machine and start Chrome with the arguments --proxy-server=https://vps_ip:440 --ignore-certificate-errors; you can now get past the firewall in Chrome.
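As an added check (example code written for this article, not part of the original post or of stunnel/tinyproxy), the following Python script parses the stunnel.conf and tinyproxy.conf edited above (the Debian/Ubuntu section later uses the same layout) and flags the pitfalls this tutorial runs into: a chroot directory that does not exist, missing cert/key files, a leftover [ssmtp] section, a connect port that does not match tinyproxy's Port, and an Allow line that opens tinyproxy to non-localhost clients. The embedded configs are constructed samples, and the exists= parameter lets you check against a filesystem other than the local one.

```python
import os
# Constructed sample configs mirroring the tutorial's edits (not real files).
STUNNEL_OK = """cert = /etc/stunnel/public.crt
key = /etc/stunnel/private.key
;chroot = /var/run/stunnel/
pid = /tmp/stunnel.pid
[https]
accept = 440
connect = 8888
"""
TINYPROXY_OK = "Port 8888\nAllow 127.0.0.1\n"
def parse_stunnel(text):
    """Return (global options, {section: options}); ';' starts a comment."""
    glob, sections, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], {})
        elif "=" in line:
            key, _, val = line.partition("=")
            (glob if cur is None else cur)[key.strip()] = val.strip()
    return glob, sections

def tinyproxy_settings(text):  # -> (Port value, list of Allow entries)
    port, allow = None, []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) == 2 and words[0] == "Port":
            port = words[1]
        elif len(words) == 2 and words[0] == "Allow":
            allow.append(words[1])
    return port, allow

def audit(stunnel_text, tinyproxy_text, exists=os.path.exists):
    """List the misconfigurations the tutorial above had to debug by hand."""
    glob, sections = parse_stunnel(stunnel_text)
    port, allow = tinyproxy_settings(tinyproxy_text)
    issues = []
    for key in ("cert", "key"):
        if key not in glob or not exists(glob[key]):
            issues.append("missing %s file" % key)
    if "chroot" in glob and not exists(glob["chroot"]):
        issues.append("chroot dir does not exist: " + glob["chroot"])
    if "ssmtp" in sections:
        issues.append("[ssmtp] section still enabled")
    if sections.get("https", {}).get("connect") != port:
        issues.append("[https] connect does not match tinyproxy Port")
    if any(not a.startswith("127.") for a in allow):
        issues.append("tinyproxy Allow permits non-localhost clients")
    return issues
```

On the VPS itself, call audit(open("/etc/stunnel/stunnel.conf").read(), open("/etc/tinyproxy/tinyproxy.conf").read()) and an empty list means none of the known pitfalls is present.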

If your VPS runs Debian/Ubuntu:
# apt-get install stunnel -y
This stunnel, like the one on CentOS/Fedora, cannot be started with /etc/init.d/stunnel start, because there is no stunnel file under /etc/init.d/.
When running apt-get install stunnel -y, it shows:
...
正在添加系统用户"stunnel4" (UID 106)...
正在添加新组"stunnel4" (GID 110)...
正在将新用户"stunnel4" (UID 106)添加到组"stunnel4"...
无法创建主目录"/var/run/stunnel4"
SSL tunnels disabled, see /etc/default/stunnel4
root@AR:~# ls /var/run/
apache2 mount  shm      upstart-socket-bridge.pid
apache2.pid network  squid3.pid  upstart-udev-bridge.pid
container_type rsyslogd.pid  squid.pid   user
crond.pid saslauthd  sshd      utmp
crond.reboot screen  sshd.pid    xinetd.pid
lock sendmail  stunnel4
motd.dynamic sendsigs.omit.d  udev
(The /var/run/stunnel4 directory does in fact exist.)
root@AR:~# chown -R stunnel4:stunnel4 /var/run/stunnel4/
root@AR:~# nano /etc/default/stunnel4
(change the value of ENABLED in /etc/default/stunnel4 to 1)
root@AR:~#

# find / -name stunnel (search for stunnel; it shows:

/usr/share/doc/stunnel
/usr/lib/stunnel
/usr/bin/stunnel
/etc/stunnel )
The stunnel executable is /usr/bin/stunnel
# /usr/bin/stunnel
You get the following error:
2011.05.22 16:01:15 LOG7[2027:3074864816]: Snagged 64 random bytes from /root/.rnd
2011.05.22 16:01:15 LOG7[2027:3074864816]: Wrote 1024 new random bytes to /root/.rnd
2011.05.22 16:01:15 LOG7[2027:3074864816]: RAND_status claims sufficient entropy for the PRNG
2011.05.22 16:01:15 LOG7[2027:3074864816]: PRNG seeded successfully
2011.05.22 16:01:15 LOG7[2027:3074864816]: Certificate: /etc/stunnel/stunnel.pem
2011.05.22 16:01:15 LOG7[2027:3074864816]: Certificate loaded
2011.05.22 16:01:15 LOG7[2027:3074864816]: Key file: /etc/stunnel/stunnel.pem
2011.05.22 16:01:15 LOG7[2027:3074864816]: Private key loaded
2011.05.22 16:01:15 LOG7[2027:3074864816]: SSL context initialized for service stunnel
inetd mode must define a remote host or an executable "
# nano /usr/bin/stunnel (open /usr/bin/stunnel and look inside; it contains $stunnel_bin='usr/bin/stunnel4';
so the real stunnel executable is /usr/bin/stunnel4, not /usr/bin/stunnel)
# /usr/bin/stunnel4
# find / -name stunnel4 (shows:
root@AR:~# find / -name stunnel4
/var/log/stunnel4
/var/lib/stunnel4
/etc/init.d/stunnel4
/etc/default/stunnel4
/etc/logrotate.d/stunnel4
/usr/bin/stunnel4
/usr/share/doc/stunnel4
/usr/share/lintian/overrides/stunnel4
/usr/share/doc-base/stunnel4
/run/stunnel4
root@AR:~# )
# cd /usr/share/doc/stunnel4/examples/ (inside you will find stunnel.conf-sample, which is the template for stunnel.conf.)
# cp /usr/share/doc/stunnel4/examples/stunnel.conf-sample /etc/stunnel/stunnel.conf
# cd /etc/stunnel/
# openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
Here the cert file and the key file are both stunnel.pem, the two merged into one. After running the command above, stunnel.pem is generated in /etc/stunnel/.
Then edit stunnel.conf:
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
;[ssmtp] (comment out [ssmtp])
;accept  = 465 (comment out accept  = 465)
;connect = 25 (comment out connect = 25)
[https]
accept  = 440 (note: the port here does not have to be 443)
connect = 8888 (tinyproxy's port)
Then restart the stunnel service:
# killall stunnel4
# /usr/bin/stunnel4
Then go back to the local machine and start Chrome with the arguments --proxy-server=https://vps_ip:440 --ignore-certificate-errors; you can now get past the firewall in Chrome.

Chrome's support for HTTPS proxies is a huge convenience for netizens in China!

If your client machine is a Mac, run in the terminal: open "/applications/Google Chrome.app/" --args --proxy-server=https://vps_ip:440 --ignore-certificate-errors
You can save open "/applications/Google Chrome.app/" --args --proxy-server=https://vps_ip:440 --ignore-certificate-errors as start-chrome-stunnel.sh
and make start-chrome-stunnel.sh executable:
chmod 755 start-chrome-stunnel.sh
From then on, whenever you want to get past the firewall with Chrome, just run ./start-chrome-stunnel.sh.


If your VPS runs CentOS 7, you also need to run
systemctl mask firewalld
systemctl stop firewalld
After that it works. These commands mask and stop the firewalld service. My VPS runs CentOS 7; after I had set up stunnel and tinyproxy, Chrome started with the arguments on my local machine simply would not get through.
Later I realized firewalld might be the culprit; after running the two commands above the problem was solved.


The backend on the VPS (the value of connect in stunnel.conf) can of course also be squid, but not an encrypted squid. If you have already built an encrypted squid on your VPS, you need to build a second, plain squid and use that plain squid as stunnel's backend. This plain squid's configuration file squid.conf needs no changes at all. If you like, you can change its default port 3128 to another port.
tar zxvf squid-3.5.13.tar.gz
cd squid-3.5.13
./configure --prefix=/usr/local/squid-3.5.13
make
make install
The squid executable is /usr/local/squid-3.5.13/sbin/squid; run /usr/local/squid-3.5.13/sbin/squid and squid starts.
In stunnel.conf:
...
[https]
accept = 440
connect = 3128

Source: Fanqiang Forum, briteming

