Setting up dante-server on your own VPS to use with gpass (世界通) or Tor to get past the GFW (original article)

Original: http://briteming.blogspot.com/2011/11/vpsdante-servergpasstor.html

The "Channel" item in gpass's settings offers a SOCKS5 encrypted channel. Free SOCKS5 servers are hard to come by, though: they either stop working quickly or are soon blocked by the GFW. If you have your own VPS, you can run a SOCKS5 server on it yourself.
dante-server is a fairly easy-to-use SOCKS5 server. Here is how to set it up.
If your VPS runs Debian/Ubuntu:

# apt-get install apt-spy -y

# apt-get update -y

# apt-get install dante-server -y

Then edit dante-server's configuration file /etc/danted.conf as follows:

On the line below #logoutput: stderr, add:

logoutput: syslog

On the line below # Alternatively, the interface name can be used instead of the address. add:

internal: eth0 port = 1080
internal: 127.0.0.1 port = 1080
external: eth0

(It is recommended to change 1080 to some other port so that port scanners do not find it.)

Uncomment # method: username none.

Uncomment # user.notprivileged: nobody.
Below user.notprivileged: nobody, add:
client pass {
        from: 192.168.0.0/0 port 1-65535 to: 0.0.0.0/0
}

client pass {
        from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}

client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

block {
  from: 0.0.0.0/0 to: 127.0.0.0/8
  log: connect error
}

pass {
  from: 192.168.0.0/0 to: 0.0.0.0/0
  protocol: tcp udp
}

pass {
  from: 127.0.0.0/8 to: 0.0.0.0/0
  protocol: tcp udp
}

block {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  log: connect error
}

Change # user.libwrap: libwrap to user.libwrap: nobody.

Then save the changes.
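To see what the client rules above actually admit, here is an added Python check; it is example code written for this page, not part of the original post or of Dante. It strips comments, pulls the `client pass` / `client block` rules and the `method:` line out of the configuration, and normalises each `from:` network with the standard `ipaddress` module. A /0 mask ignores the address part entirely, so `192.168.0.0/0` is the same network as `0.0.0.0/0`: together with `method: username none` the proxy accepts any client on the internet without credentials, which is the risk the post's advice about a non-default port is meant to reduce. Narrowing `from:` (for example to /16, as in the article quoted later on this page) or using `method: username` with system accounts (the third configuration on this page) are the two controls Dante offers. The sample configuration embedded below is the page's own Debian config, constructed here as a string.

```python
import ipaddress
import re

# Constructed sample for this example: the client-access half of the danted.conf
# assembled on this page, with "192.168.0.0/0" exactly as the page gives it.
SAMPLE_CONF = """\
logoutput: syslog
internal: eth0 port = 1080
internal: 127.0.0.1 port = 1080
external: eth0
method: username none
user.notprivileged: nobody

client pass {
        from: 192.168.0.0/0 port 1-65535 to: 0.0.0.0/0
}

client pass {
        from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}

client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}
"""

# "client pass { ... }" or a plain "pass { ... }" / "block { ... }" rule body
BLOCK_RE = re.compile(r"(client\s+)?\b(pass|block)\s*\{(.*?)\}", re.S)
FROM_RE = re.compile(r"from:\s*(\S+)")


def strip_comments(text):
    """Drop everything after '#' on each line (Dante's comment syntax)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_conf(text):
    """Return (methods, rules): the keywords given to 'method:' and a list of
    (is_client_rule, action, from_network) tuples in file order."""
    text = strip_comments(text)
    methods = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("method:"):
            methods += line[len("method:"):].split()
    rules = []
    for client, action, body in BLOCK_RE.findall(text):
        m = FROM_RE.search(body)
        if m:
            # strict=False lets ipaddress normalise 192.168.0.0/0 to what a /0
            # mask really means: 0.0.0.0/0, i.e. every IPv4 address
            net = ipaddress.ip_network(m.group(1), strict=False)
            rules.append((bool(client), action, net))
    return methods, rules


def audit(text):
    """Describe every 'client pass' rule that admits any source address."""
    methods, rules = parse_conf(text)
    findings = []
    for is_client, action, net in rules:
        if is_client and action == "pass" and net.prefixlen == 0:
            msg = "client pass from %s matches every source address" % net
            if "none" in methods:
                msg += "; with 'method: none' no credentials are needed either"
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF) or ["no open client rules found"]:
        print(finding)
```

Run it as a script to audit the embedded sample, or call `audit(open("/etc/danted.conf").read())` against a live file; the rule order is preserved, which matters because Dante evaluates rules in the order they appear.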

Then run /etc/init.d/danted start to start dante-server. You can add /etc/init.d/danted start to /etc/rc.local.

To verify that dante-server is working: set Firefox's SOCKS5 proxy to yourdomain.com:1080 or your-vps-ip:1080 (again, it is recommended to change 1080 to another port so scanners do not find it), then visit ip138.com. If the page shows your VPS's IP, the installation succeeded.

dante-server does not release the resources it has taken on its own. Used too heavily, it eventually exhausts the system's resources and the VPS is effectively hung; the only remedy is to reboot it. Until you do, the websites hosted on that VPS are unreachable, you cannot log in with PuTTY (after opening PuTTY, the "login as" prompt never appears), and even if the VPS's SSH account can still log in through MyEntunnel, it cannot be used to get past the wall. To keep dante-server from using up system resources so quickly, have it restart automatically once an hour; this is a job for crontab. Create a file named danted in the /etc/cron.hourly directory, put /etc/init.d/danted restart in it, save it, and set the file's mode to 755. dante-server will then restart once an hour and release the resources it holds.


If your VPS runs 32-bit CentOS/Fedora:

# wget http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/miniupnpc-1.4-1.el5.rf.i386.rpm
# wget http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/dante-1.2.3-1.el5.rf.i386.rpm
# wget http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/dante-server-1.2.3-1.el5.rf.i386.rpm
# rpm -ivh miniupnpc-1.4-1.el5.rf.i386.rpm
# rpm -ivh dante-1.2.3-1.el5.rf.i386.rpm
# rpm -ivh dante-server-1.2.3-1.el5.rf.i386.rpm

(If your VPS runs 64-bit CentOS/Fedora, replace every i386 above with x86_64.)
Then edit dante-server's configuration file /etc/sockd.conf. The changes are almost the same as those made to /etc/danted.conf on Debian/Ubuntu, except that user.notprivileged in /etc/danted.conf is called user.unprivileged in /etc/sockd.conf. Edit it with the Debian section as a reference.
Then run /usr/sbin/sockd in putty.exe to start dante-server. It prints sockdexit(): truncate(/var/run/sockd.pid): No such file or directory (errno = 2). This is because sockd needs to create sockd.pid under /var/run/ but has no write permission for that directory. Change its permissions to 777:
# chmod 777 /var/run/
After that, running /usr/sbin/sockd works normally.
You can add /usr/sbin/sockd to /etc/rc.local.
To verify that dante-server is working: set Firefox's SOCKS5 proxy to yourdomain.com:1080 or your-vps-ip:1080 (it is recommended to change 1080 to another port so scanners do not find it), then visit ip138.com. If the page shows your VPS's IP, the installation succeeded.
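The verification steps for both the Debian and the CentOS installs above use a browser and ip138.com, which only shows whether a page loaded. The following added example (written for this page; not code from the original post, from Dante or from gpass) performs the same check at the protocol level with a small SOCKS5 client in Python: it builds the RFC 1928 greeting, reads the server's method selection, sends a CONNECT request for a domain name and decodes the reply code, and also builds the RFC 1929 username/password sub-negotiation that Dante's `method: username` expects. This tells apart outcomes the browser lumps together: an HTTP proxy answering on the port instead of SOCKS, a server demanding credentials, or a Dante block rule rejecting the request (reply code 0x02, "connection not allowed by ruleset"). The RFC 1929 sub-negotiation carries username and password in the clear, which is why the SSH tunnel described in the article quoted at the end of this page is worth using in front of the proxy. The target ip138.com is taken from the page; the reply bytes checked are constructed for the example; `probe()` is the only function that touches the network and needs a real proxy.

```python
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, ATYP_DOMAIN = 0x01, 0x03

# Reply codes from RFC 1928 section 6; 0x02 is what a matching Dante block rule yields
REPLY_CODES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting(methods=(METHOD_NO_AUTH,)):
    """Client greeting: VER | NMETHODS | METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_selection(reply):
    """Read the server's VER | METHOD answer to the greeting."""
    if len(reply) < 2 or reply[0] != SOCKS_VERSION:
        # An HTTP proxy on the port answers with text such as b"HTTP/1.1 400 ..."
        return "not a SOCKS5 server"
    method = reply[1]
    if method == METHOD_NO_AUTH:
        return "no authentication required"
    if method == METHOD_USERPASS:
        return "username/password required"
    if method == METHOD_NONE_ACCEPTABLE:
        return "no acceptable method"
    return "unexpected method 0x%02x" % method


def build_userpass_auth(username, password):
    """RFC 1929 sub-negotiation used with 'method: username':
    VER(0x01) | ULEN | UNAME | PLEN | PASSWD. Both fields travel in the clear."""
    u, p = username.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def build_connect_request(host, port):
    """CONNECT with a domain-name address (ATYP 0x03), so the proxy, not the
    client, resolves the name."""
    name = host.encode("idna")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return header + name + struct.pack("!H", port)


def parse_connect_reply(reply):
    """Return (ok, description) for the server's reply to CONNECT."""
    if len(reply) < 4 or reply[0] != SOCKS_VERSION:
        return False, "malformed reply"
    code = reply[1]
    return code == 0x00, REPLY_CODES.get(code, "unknown reply code 0x%02x" % code)


def probe(proxy_host, proxy_port, target=("ip138.com", 80), timeout=5):
    """Live check against a running proxy (network access; not run offline):
    greet, expect no-auth, then request a CONNECT and report the verdict."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_greeting())
        status = parse_method_selection(s.recv(2))
        if status != "no authentication required":
            return status
        s.sendall(build_connect_request(*target))
        ok, description = parse_connect_reply(s.recv(262))
        return description
```

`probe("your-vps-ip", 1080)` returns "succeeded" when the proxy accepts the client and the outbound rule passes the request; "connection not allowed by ruleset" points at the `client block` or `block` rules, and "not a SOCKS5 server" is what you get after configuring an HTTP proxy port by mistake.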
As on Debian, on a CentOS VPS dante-server does not release the resources it has taken on its own; used too heavily, it exhausts the system's resources, the VPS is effectively hung, and the only remedy is to reboot it. This is again a job for crontab. Create a file named sockd in the /etc/cron.hourly directory, put /etc/init.d/sockd restart in it, save it, and set the file's mode to 755. dante-server will then restart once an hour and release the resources it holds.
Then start gpass.exe. In gpass's settings, under the "Channel" tab, choose the SOCKS5 encrypted channel, enter your VPS's IP or hostname in the SOCKS5 server field and 1080 as the port (it is recommended to change 1080 to another port so scanners do not find it), leave username and password empty, and click the "Enable" button below. Then drag your browser's shortcut into gpass's program window. Double-click the browser icon in that window, and the browser it opens can comfortably get past the wall.
I recommend the K-Meleon browser (http://k-meleon.org/download/). When I used IE or Chrome with it, IE or Chrome tended to stop responding.
Download 世界通 (gpass)
Having a VPS, you can get past the wall directly with an SSH account, but that does not mean a VPN is no longer worth setting up. In the same way, setting up a SOCKS5 proxy has its own meaning and value.

---------------------------------------------------------------------------------------------------------------------
In the new Tor Vidalia program, click "Set up relay" - "Network" - tick "I use a proxy to connect to the network", enter your VPS's hostname or IP in the address field and your dante server's port in the port field,
choose SOCKS 5 as the type, then click "OK". Through the SOCKS 5 proxy you have set up, Tor connects to the Tor network smoothly; set your browser's SOCKS proxy to 127.0.0.1:9050 to get past the wall through Tor.
Author's email: luckypoem#gmail.com
-------------------------------------------------------------------------------------------------

From Wiki

When working on a private LAN with no direct internet access available, squid is normally used as a proxy server for internet and ftp traffic. SSH or scp (or other traffic) however, will require a SOCKS server in order to reach the internet.
Dante socks server provides just that.


How to install dante socks server on debian (ubuntu is similar):

apt-get install dante-server
This installs dante onto your debian server. By default it will not start (it will try to start - but will fail saying "no internal interfaces are configured etc...").

To configure Dante socks server:

vi /etc/danted.conf
By default - most required lines will be uncommented. The following lines need to be inserted/uncommented in danted.conf
#logoutput: stderr
logoutput: syslog
#the above line will send any logs to /var/log/syslog instead to a terminal

internal: eth0 port = 1080
internal: 127.0.0.1 port = 1080
external: eth0

method: username none
#the above puts no username or password. Access will instead be controlled via client ip address/range.
#if there is no username or password - then danted socks server needs to run as nobody, i.e.

#method: pam
# if you choose to use pam instead - a valid username&password as required for sshing to the socks server is required.
#Note: not sure if proxy login details are sent in clear text.

#user.privileged: proxy
user.notprivileged: nobody

client pass {
from: 192.168.0.0/0 port 1-65535 to: 0.0.0.0/0   # (the part in bold is my change)
}

client pass {
from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}

client block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}

#Finally block other traffic
block {
from: 0.0.0.0/0 to: 127.0.0.0/8
log: connect error
}

pass {
from: 192.168.0.0/0 to: 0.0.0.0/0   # (the part in bold is my change)
protocol: tcp udp
}

pass {
from: 127.0.0.0/8 to: 0.0.0.0/0
protocol: tcp udp
}

block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}

Once the config is complete, start/restart dante socks server:
/etc/init.d/danted start
If there is a problem with the config - it will tell you immediately on trying to start the danted daemon.

Test Dante Socks Server

netstat -n -a
#check to see if server is listening on 1080
Make sure the firewall is open. Add appropriate rule as on Iptables_Firewall. Test also with winscp or putty.

Other SOCKS Servers

Note that putty itself can provide a SOCKS 5 server!! (But putty needs to be able to connect to an external server/computer firstly!)
To configure PuTTY to act as a socks v5 server:
Open Putty, Go to CONNECTION -> SSH -> TUNNELS
In the Source Port - put 1080
In the Destination Port - put 1080
Click on the Dynamic radio button for "Dynamic Port Forwarding"
Connect to a server with external access. Telnet localhost 1080 and it should connect.
Also note - SOCKS v5 can be setup using ssh on the command line.
ssh user@server.com -D 1080
# -D is for Dynamic Port Forwarding.

More info on Dante's Config at:
http://trekweb.com/~jasonb/articles/dante_tunnel.shtml
from http://wiki.kartbuilding.net/index.php/Dante_Socks_Server
----------------------------------------------------------------------
Download dante
http://www.inet.no/dante/
Download the source and unpack it, then:
./configure
make
make install
It installs under /usr/local/ by default.
The executable is /usr/local/sbin/sockd
Add a new user named sockd. For safety, set its login shell to /bin/false.
A configuration file that works:
sockd.conf :
## general configuration (taken from FAQ; <URL:http://www.inet.no/dante/FAQ>)
# interface and port that clients connect to
internal: eth0 port = 1080
# interface used for outgoing connections from the server
external: eth0
# authentication method; system accounts are used here
method: username
user.privileged: root
user.notprivileged: sockd
# where the log is written
logoutput: /var/log/sockd/sockd.log

## client access rules

client pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0 #internal network
        log: connect disconnect
}

## server operation access rules

#allow bind to ports greater than 1023
pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0 port gt 1023
        command: bind
        log: connect disconnect
}

#allow outgoing connections (tcp and udp)
pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: connect udpassociate
        log: connect disconnect
}

#allow replies to bind, and incoming udp packets
pass {
       from: 0.0.0.0/0 to: 0.0.0.0/0
       command: bindreply udpreply
       log: connect error
}

#log the rest
block {
       from: 0.0.0.0/0 to: 0.0.0.0/0
       log: connect error
}
dante does not release the resources it has taken on its own; used too heavily, it exhausts the system's resources and can only be restarted. There is a clumsy (but effective) workaround for this.
Add a file to the /etc/cron.daily scheduled-task directory; the name does not matter, e.g. sockdkill, with the following content:
#!/bin/sh
# restart sockd every day and rotate its log
sleep 60
DAY=$(date +%Y%m%d)
# keep a dated, compressed copy of today's log
cp /var/log/sockd/sockd.log /var/log/sockd/sockd.log.${DAY}
cd /var/log/sockd
gzip sockd.log.${DAY}
# stop every sockd process, then start afresh with an empty log
killall sockd 1>/dev/null 2>/dev/null
killall sockd 1>/dev/null 2>/dev/null
echo > /var/log/sockd/sockd.log
/etc/init.d/sockd start
dante is then restarted once a day and its log rotated.
-------------------------------------------------------------------------------------------------------------------------------------------------
Configuring a DANTE SOCKS Proxy
I have been using the Dante SOCKS v4 and v5 compatible proxy server for quite a few months now. A SOCKS proxy is a general purpose proxying daemon. It works great for tunneling things like HTTP and AOL IM through a trusted relay over a secure connection. The untrusted medium could be a wireless link or a corporate network with a draconian Web access policy. The SOCKS proxy provides the connection proxying mechanism and the tunnel (via OpenSSH) provides the security.
It's possible you do not need to install and configure Dante. OpenSSH supports basic SOCKS emulation. For example, the following will setup a basic SOCKS proxy on localhost accessible via port 1080 and tunnel it securely to the target host, rebecca. From there, a connection is made in a fashion similar to what a real SOCKS proxy would do.

jasonb@faith:~$ ssh -D 1080 rebecca
If the above doesn't work for your application, you can read on for information on configuring and installing Dante, a complete SOCKS proxy solution.
Obtaining and Configuring Dante
Dante is a fully functional SOCKS proxy server and as such has many knobs. Fortunately, setting up a basic configuration that will allow tunneling of things like HTTP is relatively simple.
If you're running Debian GNU/Linux, simply run:
# apt-get update
# apt-get install dante-server
Thereafter, you can skip the source compilation step and move on to the configuration file. For non Debian users, obtain a copy of Dante. The most recent version is 1.1.14 as of this writing. Unpack the sourceball, browse the various documentation files, then run a configure similar to the following.
jasonb@faith:~/src$ tar -zxvf dante-1.1.14.tar.gz
...
jasonb@faith:~/src$ cd dante-1.1.14
jasonb@faith:~/src/dante-1.1.14$
jasonb@faith:~/src/dante-1.1.14$ ./configure \
--with-sockd-conf=/etc/danted.conf
Configuring Dante 1.1.14:
...
jasonb@faith:~/src/dante-1.1.14$ make -j2
...
jasonb@faith:~/src/dante-1.1.14$ su
jasonb@faith:~/src/dante-1.1.14# make install
^D
Once that's done, it's time to take a crack at the configuration file. It's expected to live in /etc/sockd.conf by default and /etc/danted.conf if you're using the Debian package or my configuration above.
faith:/# cat /etc/danted.conf

# See examples/sockd.conf for additional details
First, logging is enabled via the syslog mechanism and internal and external addresses are bound. The internal bindings include a port specification. The external one, of course, does not. The external binding cannot be an interface for versions prior to 1.1.7, but that shouldn't be a problem as of this writing. If you have a static IP, that's fine, too.
logoutput: syslog

internal: eth1 port = 1080
internal: 127.0.0.1 port = 1080
external: 1.2.3.4
# or
external: eth0
Next, we define some basic authentication items. Dante supports things like identd and PAM authentication, but I did not configure those. For this proxy's simple task I went without authentication.
method: username none

# Not using authentication, so unnecessary
#user.privileged: proxy

user.notprivileged: nobody
Finally, we define the access controls for this daemon. They are checked against in the order they appear in the configuration file. It's important not to allow the world to access your proxy server, since bad things can happen.
The first three directives control which IP ranges can speak to the server. The from: option is obviously the IP space the clients live in. The to: option is one of the IPs the proxy server is bound to that the given IP range can speak to. In this instance, I set it to correspond with all addresses Dante is listening on. The last of the three drops any requests that don't match either of the first two directives.
client pass {
from: 192.168.0.0/16 port 1-65535 to: 0.0.0.0/0
}

client pass {
from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}

client block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
These next four directives control who can speak to what. Requests from anywhere to the loopback addresses are dropped. Next, connections from the loopback addresses and 192.168.0.0/16 are allowed to speak to anyone using either the tcp or udp protocols. Finally, all other requests are dropped.
block {
from: 0.0.0.0/0 to: 127.0.0.0/8
log: connect error
}

pass {
from: 192.168.0.0/16 to: 0.0.0.0/0
protocol: tcp udp
}

pass {
from: 127.0.0.0/8 to: 0.0.0.0/0
protocol: tcp udp
}

block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
Now you can fire up Dante.
faith:# sockd -V (or the danted binary on Debian)
faith:# sockd -d
That will start Dante in debugging mode. Start your favourite Web browser and tell it to use a SOCKS proxy server. Don't accidentally use an HTTP proxy, because that won't work. Visit a working URI and see if it loads. If it does, you're good to go. If not, check /var/log for useful clues. Dante will complain if something isn't working correctly, like it isn't able to bind to a port or it's denying you access.
Handling that Dynamic IP Issue
It's always fun to hit your tunnel one morning only to find it's gone. After a little digging, you notice it's because your broadband modem dropped your IP when you weren't looking and left your Dante configuration high and dry. Well, it need not be that way. Recent versions of Dante support using an interface for the external: directive, so this should no longer be necessary. If you can't upgrade to v1.1.7 or newer, you can use the script below to change your external IP address for you.
I run this script whenever my IP changes. I used to run it out of /etc/ppp/ip-up.d, but now I use it in conjunction with the pump DHCP client's script option. It uses the Debian init.d script. Your startup script might vary. The important part is the Perl snippet that alters the configuration file in place. You will need a copy of the iproute package installed on your machine to use the ip command. (apt-get install iproute on Debian, of course.)
#!/bin/bash
set +x
# Script to screw Danted's head on straight after an IP change

IF=eth0
PERL=/usr/bin/perl
DANTED=/etc/danted.conf

# -w keeps "inet6" lines out; head -n 1 takes the first address if the
# interface carries several
IP=$(/sbin/ip addr show $IF | grep -w inet | head -n 1 |\
awk '{ print $2 }' | awk -F\/ '{ print $1 }')

$PERL -0777 -pi -e "s/^external.*/external: $IP/gm" $DANTED

# HUPing Danted won't rebind it to a new static address
#kill -SIGHUP `pidof -s /usr/sbin/danted`

/etc/init.d/danted stop > /dev/null
sleep 1
/etc/init.d/danted start > /dev/null
Getting Your Tunnel Ready
Now, it's fun time. With OpenSSH, you can securely tunnel your SOCKS connection to the server running Dante, preventing anyone in between your client and your server from intercepting your session. Assuming you have OpenSSH installed and configured on both the client and the server running Dante, the following should do the trick.
jasonb@faith:~$ ssh -L 1080:localhost:1080 rebecca
If you do not have Dante listening on 127.0.0.1, you will need to substitute in an address or hostname that it is listening on. The last argument is, of course, the actual machine running OpenSSH you're connecting to. It need not be the machine running Dante, but it likely will be. For more fun with OpenSSH tunneling you can read my VNC over SSH article.
Links and Useful Resources
  • Extremely outdated information on configuring NEC's SOCKS proxy
  • The Dante proxy server
FROM http://blog.edseek.com/~jasonb/articles/dante_tunnel.shtml
