手动搭建VPN服务 - woioeow's blog

vless-reality协议，sing-box代理管理器

安装软件#

1
apt update && apt install htop vim ufw fail2ban curl sudo traceroute mtr-tiny chrony unattended-upgrades neofetch translate-shell bsdmainutils tcpdump -y

sing-box安装#

1
sudo mkdir -p /etc/apt/keyrings &&
2
   sudo curl -fsSL https://sing-box.app/gpg.key -o /etc/apt/keyrings/sagernet.asc &&
3
   sudo chmod a+r /etc/apt/keyrings/sagernet.asc &&
4
   echo '
5
Types: deb
6
URIs: https://deb.sagernet.org/
7
Suites: *
8
Components: *
9
Enabled: yes
10
Signed-By: /etc/apt/keyrings/sagernet.asc
11
' | sudo tee /etc/apt/sources.list.d/sagernet.sources &&
12
   sudo apt-get update &&
13
   sudo apt-get install sing-box
14
sudo systemctl enable sing-box

配置信息#

1
{
2
  "log": {
3
    "level": "warn",
4
    "timestamp": true
5
  },
6
  "inbounds": [
7
    {
8
      "type": "vless",
9
      "tag": "in-vless-reality",
10
      "listen": "0.0.0.0",
11
      "listen_port": 随机端口,
12

13
      "reuse_addr": true,
14
      "tcp_fast_open": true,
15

16
      "users": [
17
        {
18
          "name": "client",
19
          "uuid": "你的uuid",
20
          "flow": "xtls-rprx-vision"
21
        }
22
      ],
23
      "tls": {
24
        "enabled": true,
25
        "server_name": "www.cloudflare.com",
26
        "alpn": ["h2", "http/1.1"],
27
        "reality": {
28
          "enabled": true,
29
          "handshake": {
30
            "server": "www.cloudflare.com",
31
            "server_port": 443
32
          },
33
          "private_key": "你的私钥",
34
          "short_id": ["你的short-id"]
35
        }
36
      }
37
    },
38
    {
39
      "type": "hysteria2",
40
      "tag": "in-hysteria2",
41
      "listen": "::",
42
      "listen_port": 随机端口,
43
      "sniff": true,
44
      "sniff_override_destination": true,
45
      "domain_strategy": "prefer_ipv6",
46
      "up_mbps": 500,
47
      "down_mbps": 500,
48
      "obfs": {
49
        "type": "salamander",
50
        "password": "混淆密码"
51
      },
52
      "users": [
53
        {
54
          "name": "client",
55
          "password": "认证密码"
56
        }
57
      ],
58
      "tls": {
59
        "enabled": true,
60
        "alpn": ["h3"],
61
        "certificate_path": "/home/thunder/proxy/src/cert.pem",
62
        "key_path": "/home/thunder/proxy/src/key.pem"
63
      }
64
    }
65
  ],
66
  "dns": {
67
    "servers": [
68
      { "type": "local", "tag": "local" },
69
      { "type": "https", "tag": "cf", "server": "1.1.1.1" }
70
    ],
71
    "strategy": "prefer_ipv6",
72
    "final": "local",
73
    "cache_capacity": 4096
74
  },
75
  "outbounds": [
76
    { "type": "direct", "tag": "direct" }
77
  ],
78
  "route": {
79
    "default_domain_resolver": {
80
      "server": "local",
81
      "strategy": "prefer_ipv6"
82
    },
83
    "rules": [
84
      { "ip_is_private": true, "action": "reject" },
85
      { "protocol": "bittorrent", "action": "reject" }
86
    ],
87
    "final": "direct"
88
  }
89
}

启动服务#

1
sudo sing-box check -c /etc/sing-box/config.json # 检查语法
2
sudo systemctl enable sing-box # 设置开机自启
3
sudo systemctl status sing-box # 查看服务状态
4
sudo systemctl restart sing-box # 重启服务

订阅格式#

vless-reality订阅格式

1
vless://UUID@服务器域名或IP:端口?type=tcp&encryption=none&security=reality&flow=xtls-rprx-vision&sni=伪装域名&fp=chrome&pbk=PUBLIC_KEY&sid=SHORT_ID#节点名字

hysteria2 订阅格式

1
hysteria2://认证密码@服务器域名或IP:端口/?insecure=1&obfs=salamander&obfs-password=混淆密码#节点名字

生成相关密钥#

sing-box公/私钥#

1
sudo sing-box generate reality-keypair

UUID#

1
cat /proc/sys/kernel/random/uuid

short-id#

1
openssl rand -hex 8

强密码#

普通用户可用

1
openssl rand -base64 12

随机端口#

1
shuf -i 1024-65535 -n 1

生成hy2所需的证书#

不添加hy2不用弄

mkdir -p ~/proxy/src 用于存储密钥的目录

cd ~/proxy/src 进入这个目录

openssl genpkey -algorithm ED25519 -out key.pem 生成私钥

openssl req -new -key key.pem -out cert.csr 私钥生成证书请求 cert.csr，会提示

国家输入CN，省输入Sichuan，城市输入Chengdu，公司随便写，空一个回车，填写域名，后面的直接回车，不用填

openssl x509 -req -in cert.csr -signkey key.pem -out cert.pem -days 3650 私钥 key.pem 和证书请求 cert.csr 生成一个数字证书

创建VPN订阅站点#

把80/443端口打开

1
sudo ufw allow 80/tcp
2
sudo ufw allow 443/tcp
3
sudo ufw reload

安装Docker

1
sudo apt update
2
sudo apt install -y ca-certificates curl gnupg
3

4
sudo install -m 0755 -d /etc/apt/keyrings
5
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
6
sudo chmod a+r /etc/apt/keyrings/docker.gpg
7

8
echo \
9
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
10
$(. /etc/os-release && echo $VERSION_CODENAME) stable" | \
11
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
12

13
sudo apt update
14
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
15
sudo systemctl enable --now docker

创建Compose.yaml文件

1
mkdir ~/.vpn_rss && cd ~/.vpn_rss
2

3
vim compose.yaml
4

5
# 输入以下内容
6
services:
7
  redis:
8
    image: redis:7-alpine
9
    command: ["redis-server", "--save", "60", "1", "--loglevel", "warning"]
10
    restart: unless-stopped
11
    volumes:
12
      - redis_data:/data
13
    networks:
14
      - internal
15

16
  myurls:
17
    image: careywong/myurls:latest
18
    restart: unless-stopped
19
    depends_on:
20
      - redis
21
    networks:
22
      - internal
23
    ports:
24
      - "127.0.0.1:8080:8080"
25
    command:
26
      - "-conn"
27
      - "redis:6379"
28
      - "-password"
29
      - ""
30
      - "-domain"
31
      - "s.357561.xyz"
32
      - "-port"
33
      - "8080"
34
      - "-proto"
35
      - "https"
36

37
  subconv:
38
    image: aethersailor/subconverter-extended:latest
39
    restart: unless-stopped
40
    networks:
41
      - internal
42
    ports:
43
      - "127.0.0.1:25500:25500"
44

45
networks:
46
  internal:
47
    driver: bridge
48

49
volumes:
50
  redis_data:

启动dockersudo docker compose up -d

查看sudo docker ps

安装nginx

1
sudo apt install -y nginx certbot python3-certbot-nginx

创建目录

1
sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge

创建nginx substack.conf配置文件

1
cd /etc/nginx/sites-available/
2
sudo vim substack.conf
3
# 输入以下内容
4
server {
5
  listen 80;
6
  listen [::]:80;
7
  server_name api.357561.xyz;
8

9
  location ^~ /.well-known/acme-challenge/ {
10
    root /var/www/letsencrypt;
11
    try_files $uri =404;
12
  }
13

14
  location / { return 200 "ok\n"; }
15
}
16

17
server {
18
  listen 80;
19
  listen [::]:80;
20
  server_name s.357561.xyz;
21

22
  location ^~ /.well-known/acme-challenge/ {
23
    root /var/www/letsencrypt;
24
    try_files $uri =404;
25
  }
26

27
  location / { return 200 "ok\n"; }
28
}

载入sudo nginx -t

签发证书

1
# 需要先将api和s两个子域名指向本机IP，不要开小黄云
2
sudo certbot --nginx -d api.357561.xyz -d s.357561.xyz

替换substack.conf配置文件为以下内容

1
server {
2
    listen 80;
3
    listen [::]:80;
4
    server_name api.357561.xyz;
5

6
    location ^~ /.well-known/acme-challenge/ {
7
        root /var/www/letsencrypt;
8
        try_files $uri =404;
9
    }
10

11
    location / {
12
        return 301 https://$host$request_uri;
13
    }
14
}
15

16
server {
17
    listen 443 ssl http2;
18
    listen [::]:443 ssl http2;
19
    server_name api.357561.xyz;
20

21
    ssl_certificate     /etc/letsencrypt/live/api.357561.xyz/fullchain.pem;
22
    ssl_certificate_key /etc/letsencrypt/live/api.357561.xyz/privkey.pem;
23
    include /etc/letsencrypt/options-ssl-nginx.conf;
24
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
25

26
    location / {
27
        proxy_pass http://127.0.0.1:25500;
28
        proxy_set_header Host $host;
29
        proxy_set_header X-Real-IP $remote_addr;
30
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
31
        proxy_set_header X-Forwarded-Proto $scheme;
32
    }
33

34
    location /sub {
35
        add_header Cache-Control "no-store";
36
        proxy_pass http://127.0.0.1:25500;
37
        proxy_set_header Host $host;
38
        proxy_set_header X-Real-IP $remote_addr;
39
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
40
        proxy_set_header X-Forwarded-Proto $scheme;
41
    }
42
}
43

44
server {
45
    listen 80;
46
    listen [::]:80;
47
    server_name s.357561.xyz;
48

49
    location ^~ /.well-known/acme-challenge/ {
50
        root /var/www/letsencrypt;
51
        try_files $uri =404;
52
    }
53

54
    location / {
55
        return 301 https://$host$request_uri;
56
    }
57
}
58

59
server {
60
    listen 443 ssl http2;
61
    listen [::]:443 ssl http2;
62
    server_name s.357561.xyz;
63

64
    ssl_certificate     /etc/letsencrypt/live/api.357561.xyz/fullchain.pem;
65
    ssl_certificate_key /etc/letsencrypt/live/api.357561.xyz/privkey.pem;
66
    include /etc/letsencrypt/options-ssl-nginx.conf;
67
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
68

69
    location = /short {
70
        add_header Access-Control-Allow-Origin * always;
71
        add_header Access-Control-Allow-Methods "GET,POST,OPTIONS" always;
72
        add_header Access-Control-Allow-Headers "Content-Type" always;
73
        if ($request_method = OPTIONS) { return 204; }
74

75
        proxy_pass http://127.0.0.1:8080;
76
        proxy_set_header Host $host;
77
        proxy_set_header X-Real-IP $remote_addr;
78
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
79
        proxy_set_header X-Forwarded-Proto $scheme;
80
    }
81

82
    location / {
83
        proxy_pass http://127.0.0.1:8080;
84
        proxy_set_header Host $host;
85
        proxy_set_header X-Real-IP $remote_addr;
86
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
87
        proxy_set_header X-Forwarded-Proto $scheme;
88
    }
89
}

sudo ln -s /etc/nginx/sites-available/substack.conf /etc/nginx/sites-enabled/启用文件

sudo rm -f /etc/nginx/sites-enabled/default禁用默认配置文件

sudo nginx -t && sudo systemctl reload nginx重载nginx服务