Monthly Archives: June 2019

June 4th: How to get around the block

## On June 2nd 2019, in an effort to make people forget June 4th,
## the GFW did a mass blocking of the IPs of international servers.
## This only drew attention. The Streisand effect.
##
## So, to get around the block, you need:
##
## — a website name, example.com (free). Go to https://freenom.com/
## — a website on your VPS, e.g. nginx (VPS cost 2 USD)
## — a CDN, e.g. cloudflare.com or amazon (free)
## — the proxy: v2ray + websocket, sitting behind nginx and the CDN
##
##
## That is it! It works,
## and is actually faster than the earlier direct connections.
## Thank you GFW......
##
## Solution is working,
## need to write it up, work in progress.
## Reference guides
## https://docs.unixfy.me/books/tutorials/chapter/vpn-tutorials
## https://shenzhensuzy.wordpress.com/2018/11/28/v2ray-over-websocket-with-nginx-tls-plus-cdn/

1) A website name, example.com
Go to https://freenom.com/
and take out a free domain name for 12 months,
e.g. mywebsite.com
Once you have your cloudflare.com account (step 2),
set the domain to use Cloudflare's nameservers for DNS.

TIP: When you visit that page, don't use a VPN,
because at the end it will just say sorry, "technical error".

2) Create an account at
https://www.cloudflare.com
Add your domain and create an A record that points mywebsite.com at the IP of your VPS.
Leave that record proxied (orange cloud): a DNS-only (grey cloud) record publishes the
VPS IP to everyone and takes the CDN out of the path, which defeats the whole point.
Also copy the two nameservers Cloudflare gives you, and update them at freenom.com
so the domain knows to use cloudflare.com for DNS.

3) On your VPS install nginx
apt install nginx

4) At this stage it's important that your website
is live and accessible from China via the CDN, over http (not https yet):
http://mywebsite.com
You can edit the site to put some content in /var/www/html/ or /usr/share/nginx/html
Don't go forward until it's live and accessible from China via the CDN.

5) Set the server_name in /etc/nginx/sites-available/default to the domain name of the server.
nano /etc/nginx/sites-available/default


# Change from
server_name _;
# to
server_name mywebsite.com;

6) The next step changes depending on OS. It's installing certbot to make
your site HTTPS. For Ubuntu 18.04 and Debian 9 it's
apt install python-certbot-nginx
Get a certificate. Make sure to select yes for the redirect to HTTPS.
certbot --nginx

For other OS see https://certbot.eff.org/all-instructions.

Add the reverse proxy location between server_name and the first location block.
Cloudflare passes WebSocket upgrades through on its free plan, so no CDN-side setting is needed.

nano /etc/nginx/sites-available/default

server_name mywebsite.com;

# start of new code
location /websocket/ {
proxy_redirect off;
proxy_pass http://127.0.0.1:8388;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
}
# end of new code


location / {

Check the config, then reload nginx
nginx -t && nginx -s reload

7) Install V2Ray

Either installer works. go.sh is the original one (config lands in /etc/v2ray/), the
fhs-install script is the current one (config lands in /usr/local/etc/v2ray/):

bash <(curl -L -s https://install.direct/go.sh)

bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)

Both lines run a script fetched over the network as root. Download it first, read it,
then run it, rather than piping it straight into bash.

EDIT: need to install a workaround for an environment variable

Fixed the problem
https://github.com/v2fly/v2ray-core/discussions/1514

nano /etc/systemd/system/v2ray.service

# Add this line at the end of the [Service] section:

EnvironmentFile=/root/v2_env

nano /root/v2_env

# Write the following in the v2_env file:

V2RAY_VMESS_AEAD_FORCED=false

# systemd only picks up the edited unit after
systemctl daemon-reload

———————————————–
TIP: must install V2Ray as root. You cannot do it with sudo.
Do the following if you are not root.

# Set a root password
sudo passwd

# log in as root, with the password you just set
su -
bash <(curl -L -s https://install.direct/go.sh)

bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)
———————————————–

# Replace /etc/v2ray/config.json (or /usr/local/etc/v2ray/config.json with the fhs-install script) with the following


{
  "inbounds": [
    {
      "port": 8388,
      "listen": "127.0.0.1",
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "bd5465fb-e3c9-475f-8088-2f63bcc67375",
            "level": 1,
            "alterId": 64
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": {
          "path": "/websocket/"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    },
    {
      "protocol": "blackhole",
      "settings": {},
      "tag": "blocked"
    }
  ],
  "routing": {
    "rules": [
      {
        "type": "field",
        "ip": [
          "geoip:private"
        ],
        "outboundTag": "blocked"
      }
    ]
  },
  "dns": {
    "hosts": {},
    "servers": [
      "9.9.9.9",
      "1.1.1.1",
      "8.8.8.8",
      "1.0.0.1",
      "114.114.114.114",
      "localhost"
    ]
  }
}


# You should at least change the ID. The one above is public now; anyone who has it can use your proxy.
# Get a new ID from https://www.uuidgenerator.net/ (or uuidgen on the VPS)
# If you change "path", make sure you change it on the client side as well.
# They must be the same.
# "listen": "127.0.0.1" is deliberate: only nginx should reach v2ray, never the internet directly.
# "alterId": 64 selects the legacy non-AEAD VMess header, which is why newer cores need the
# V2RAY_VMESS_AEAD_FORCED=false workaround above. Setting alterId to 0 on both server and
# client uses AEAD VMess instead and needs no workaround.

# Start v2ray
# This is where the problems are, make sure it started

systemctl enable v2ray; systemctl start v2ray
service v2ray status
# if it did not start, the reason is in the log:
journalctl -u v2ray -e

# For Windows, use the command line
# download https://github.com/v2ray/v2ray-core/releases
#
# Run from the Windows command line
v2ray.exe -config windowsconfig.json
# or put the same command in a shortcut
cmd v2ray.exe -config windowsconfig.json

# Here is a working client config for Windows (windowsconfig.json).
# It is the V2Ray default config template with the vmess outbound filled in;
# the quotes must be plain ASCII " or V2Ray will not parse it.

// Config file of V2Ray. This file follows standard JSON format, with comments support.
// Uncomment entries below to satisfy your needs. Also read our manual for more detail at
// https://www.v2ray.com/
{
  "log": {
    // By default, V2Ray writes access log to stdout.
    // "access": "/path/to/access/log/file",

    // By default, V2Ray writes error log to stdout.
    // "error": "/path/to/error/log/file",

    // Log level, one of "debug", "info", "warning", "error", "none"
    "loglevel": "warning"
  },
  // List of inbound proxy configurations.
  "inbounds": [{
    // Port to listen on. You may need root access if the value is less than 1024.
    "port": 1180,

    // IP address to listen on. Change to "0.0.0.0" to listen on all network interfaces.
    "listen": "127.0.0.1",

    // Tag of the inbound proxy. May be used for routing.
    "tag": "socks-inbound",

    // Protocol name of inbound proxy.
    "protocol": "socks",

    // Settings of the protocol. Varies based on protocol.
    "settings": {
      "auth": "noauth",
      "udp": false,
      "ip": "127.0.0.1"
    },

    // Enable sniffing on TCP connection.
    "sniffing": {
      "enabled": true,
      // Target domain will be overridden to the one carried by the connection, if the connection is HTTP or HTTPS.
      "destOverride": ["http", "tls"]
    }
  }],
  // List of outbound proxy configurations.
  "outbounds": [{
    "protocol": "vmess",
    "settings": {
      "vnext": [
        {
          "address": "mywebsite.com",
          "port": 443,
          "users": [
            {
              "id": "bd5465fb-e3c9-475f-8088-2f63bcc67375",
              "level": 1,
              "alterId": 64,
              "security": "auto"
            }
          ]
        }
      ]
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/websocket/"
      },
      "security": "tls",
      "tlsSettings": {
        // "serverName": "mywebsite.com",
        "allowInsecure": false
      }
    }
  },
  {
    // Protocol name of the outbound proxy.
    "protocol": "freedom",

    // Settings of the protocol. Varies based on protocol.
    "settings": {},

    // Tag of the outbound. May be used for routing.
    "tag": "direct"
  },{
    "protocol": "blackhole",
    "settings": {},
    "tag": "blocked"
  }],

  // Transport is for global transport settings. If you have multiple transports with same settings
  // (say mKCP), you may put it here, instead of in each individual inbound/outbounds.
  //"transport": {},

  // Routing controls how traffic from inbounds are sent to outbounds.
  "routing": {
    "domainStrategy": "IPOnDemand",
    "rules":[
      {
        // Blocks access to private IPs. Remove this if you want to access your router.
        "type": "field",
        "ip": ["geoip:private"],
        "outboundTag": "blocked"
      },
      {
        // Blocks major ads.
        "type": "field",
        "domain": ["geosite:category-ads"],
        "outboundTag": "blocked"
      }
    ]
  },

  // Dns settings for domain resolution.
  "dns": {
    // Static hosts, similar to hosts file.
    "hosts": {
      // Match v2ray.com to another domain on CloudFlare. This domain will be used when querying IPs for v2ray.com.
      "domain:v2ray.com": "www.vicemc.net",

      // The following settings help to eliminate DNS poisoning in mainland China.
      // It is safe to comment these out if this is not the case for you.
      "domain:github.io": "pages.github.com",
      "domain:wikipedia.org": "www.wikimedia.org",
      "domain:shadowsocks.org": "electronicsrealm.com"
    },
    "servers": [
      "1.1.1.1",
      {
        "address": "114.114.114.114",
        "port": 53,
        // List of domains that use this DNS first.
        "domains": [
          "geosite:cn"
        ]
      },
      "8.8.8.8",
      "localhost"
    ]
  },

  // Policy controls some internal behavior of how V2Ray handles connections.
  // It may be on connection level by user levels in 'levels', or global settings in 'system.'
  "policy": {
    // Connection policies by user levels
    "levels": {
      "0": {
        "uplinkOnly": 0,
        "downlinkOnly": 0
      }
    },
    "system": {
      "statsInboundUplink": false,
      "statsInboundDownlink": false
    }
  },

  // Stats enables internal stats counter.
  // This setting can be used together with Policy and Api.
  //"stats":{},

  // Api enables gRPC APIs for external programs to communicate with V2Ray instance.
  //"api": {
  //  "tag": "api",
  //  "services": [
  //    "HandlerService",
  //    "LoggerService",
  //    "StatsService"
  //  ]
  //},

  // You may add other entries to the configuration, but they will not be recognized by V2Ray.
  "other": {}
}
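Added example (my own, not code from the original post or from the V2Ray project): a small Python script that generates the UUID locally instead of fetching one from a website, emits a matching server config, client vmess outbound and nginx location block, and then cross-checks the three for the mistakes that usually explain "it started but nothing connects". The domain mywebsite.com, port 8388, the /websocket/ path and the default alterId of 0 are placeholder assumptions; check_chain returns a list of mismatches, so an empty list means the pieces agree.

```python
# Added example, not from the original post: build a matching v2ray server /
# client pair plus the nginx location block, then cross-check them.
# Hypothetical values: domain, port, path and any UUID passed in.
import json
import re
import uuid


def make_configs(domain, ws_path="/websocket/", port=8388, client_id=None, alter_id=0):
    """Return (server_cfg, client_cfg, nginx_block) that share one id/path/port."""
    client_id = client_id or str(uuid.uuid4())  # local replacement for uuidgenerator.net
    server = {
        "inbounds": [{
            "port": port,
            "listen": "127.0.0.1",  # only nginx may reach v2ray, never the internet
            "protocol": "vmess",
            "settings": {"clients": [{"id": client_id, "level": 1, "alterId": alter_id}]},
            "streamSettings": {"network": "ws", "wsSettings": {"path": ws_path}},
        }],
        "outbounds": [{"protocol": "freedom", "settings": {}},
                      {"protocol": "blackhole", "settings": {}, "tag": "blocked"}],
        "routing": {"rules": [{"type": "field", "ip": ["geoip:private"], "outboundTag": "blocked"}]},
    }
    client = {
        "inbounds": [{"port": 1180, "listen": "127.0.0.1", "protocol": "socks",
                      "settings": {"auth": "noauth", "udp": False}}],
        "outbounds": [{
            "protocol": "vmess",
            "settings": {"vnext": [{"address": domain, "port": 443,
                                    "users": [{"id": client_id, "alterId": alter_id,
                                               "security": "auto"}]}]},
            "streamSettings": {"network": "ws", "wsSettings": {"path": ws_path},
                               "security": "tls",
                               "tlsSettings": {"serverName": domain, "allowInsecure": False}},
        }],
    }
    nginx = (
        f"location {ws_path} {{\n"
        f"    proxy_redirect off;\n"
        f"    proxy_pass http://127.0.0.1:{port};\n"
        f"    proxy_http_version 1.1;\n"
        f"    proxy_set_header Upgrade $http_upgrade;\n"
        f'    proxy_set_header Connection "upgrade";\n'
        f"    proxy_set_header Host $http_host;\n"
        f"}}\n"
    )
    return server, client, nginx


def check_chain(server, client, nginx):
    """Return a list of mismatches between nginx, the server and the client; [] means OK."""
    problems = []
    sin = server["inbounds"][0]
    cout = next(o for o in client["outbounds"] if o["protocol"] == "vmess")
    suser = sin["settings"]["clients"][0]
    cuser = cout["settings"]["vnext"][0]["users"][0]
    spath = sin["streamSettings"]["wsSettings"]["path"]
    cpath = cout["streamSettings"]["wsSettings"]["path"]

    if sin.get("listen") != "127.0.0.1":
        problems.append("server inbound must listen on 127.0.0.1 so only nginx reaches it")
    if suser["id"] != cuser["id"]:
        problems.append("client id does not match server id")
    if suser.get("alterId", 0) != cuser.get("alterId", 0):
        problems.append("alterId differs between server and client")
    if spath != cpath:
        problems.append(f"ws path differs: server {spath!r} vs client {cpath!r}")
    if cout["streamSettings"].get("security") != "tls":
        problems.append("client must use tls; the CDN edge only speaks HTTPS on 443")
    if cout["streamSettings"].get("tlsSettings", {}).get("allowInsecure", False):
        problems.append("allowInsecure must stay false, otherwise the CDN hop can be MITMed")
    if cout["settings"]["vnext"][0]["port"] != 443:
        problems.append("client should connect to 443 through the CDN, not to the v2ray port")

    # nginx side: location path and proxy_pass port must match the v2ray inbound
    m = re.search(r"location\s+(\S+)\s*\{", nginx)
    if not m or m.group(1) != spath:
        problems.append("nginx location does not match the ws path")
    m = re.search(r"proxy_pass\s+http://127\.0\.0\.1:(\d+);", nginx)
    if not m or int(m.group(1)) != sin["port"]:
        problems.append("nginx proxy_pass port does not match the v2ray inbound port")
    if "Upgrade $http_upgrade" not in nginx:
        problems.append("nginx location is missing the WebSocket Upgrade header")
    if suser.get("alterId", 0) != 0:
        problems.append("alterId != 0 selects legacy non-AEAD VMess; newer cores refuse it "
                        "unless V2RAY_VMESS_AEAD_FORCED=false is set")
    return problems


if __name__ == "__main__":
    srv, cli, ngx = make_configs("mywebsite.com")
    print(json.dumps(srv, indent=2))   # paste into the v2ray config.json
    print(json.dumps(cli, indent=2))   # paste into windowsconfig.json
    print(ngx)                         # paste into sites-available/default
    print("problems:", check_chain(srv, cli, ngx))
```

Run it once, paste the three outputs where the steps above put them, and keep the printed UUID private: it is the only secret in the whole chain. Feeding the post's own configs through check_chain flags exactly one thing, the alterId of 64, which is the reason the environment-variable workaround in step 7 exists.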

============================================================================

EDIT 2023: On an old system (Debian 8) certbot cannot be installed, so instead use a self-signed certificate to make the site HTTPS. Debian calls these certs "snakeoil"! Love the name.

Caveat: a self-signed origin cert only works behind Cloudflare if the zone's SSL/TLS mode is "Full", not "Full (strict)", which rejects certificates that are not signed by a trusted CA. The v2ray client never sees the snakeoil cert, only Cloudflare's edge certificate for mywebsite.com, so allowInsecure stays false on the client side.

# Lazy guide using self-signed SSL certs instead of certbot

apt-get install ssl-cert

# The certificate and key can be regenerated manually with

# the following command (needs root privileges, i.e. sudo):

make-ssl-cert generate-default-snakeoil --force-overwrite

===================================

Just remove the # in front of these lines in the default server block, then nginx -t && nginx -s reload

nano /etc/nginx/sites-available/default

#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
include snippets/snakeoil.conf;