電訊茶室 - Powered by Discuz! Board

標題: Openwrt v2ray server + tls1.3 + websocket + webserver + acme 入門篇 [打印本頁]

作者: tomleehk 時間: 2019-7-17 13:07 標題: Openwrt v2ray server + tls1.3 + websocket + webserver + acme 入門篇

本帖最後由 tomleehk 於 2020-4-6 13:32 編輯

Preparation
1. A router supported by openwrt with at least 32M ROM ( e.g. Newifi 3 D2 )
2. Openwrt stable release ( e.g 18.06.4, https://downloads.openwrt.org/releases/ )
3. WinSCP (download at https://winscp.net/eng/download.php )
4. OpenSSH ( e.g. https://github.com/PowerShell/Win32-OpenSSH/releases )
5. V2ray package ( e.g. https://github.com/kuoruan/openwrt-v2ray/releases )
6. DDNS registration ( e.g. www.dynu.com )
7. Valid certificate ( e.g. Let's encrypt, https://www.sslforfree.com/ )
8. Openwrt webserver package supporting websocket proxy (e.g. lighttpd )
9. Simple webpage source code (e.g. https://www.template.net/web-tem ... gin-form-templates/ )
9. V2ray client ( e.g. Kitsunebi )
10. Knowledge of V2ray ( e.g. https://www.v2ray.com/ )
11. Knowledge of UNIX/openwrt
12. Knowledge of webserver setup

Target
Router acts as https webserver with functioning webpage and valid certificate to deal with the GFW.
The v2ray server stays behind the webserver and uses the webserver's proxy function as cover-up.

作者: tomleehk 時間: 2019-7-17 13:10

本帖最後由 tomleehk 於 2019-7-26 16:31 編輯

Openwrt DDNS installation and configuration

In this example, www.dynu.com will be used as example
1) At https://www.dynu.com/en-US/ControlPanel/CreateAccount, register an account ( e.g. dynu_id/dynu_pwd as id/password)
2) At https://www.dynu.com/en-US/ControlPanel, select <DDNS Services>
3) At https://www.dynu.com/en-US/ControlPanel/DDNS, select <+Add>
4) At <Option 1: Use Our Domain Name>, register a host url for your router. e.g. testhost.ddnsfree.com and save your registration
5) Revisit  https://www.dynu.com/en-US/ControlPanel/DDNS and ensure your registration is successful.

Assume your router has been flashed with openwrt.
Use Windows browser to access 192.168.1.1. Openwrt luci will then show up and prompt you to setup a password for root. Follow accordingly and save your password for root.

Logout and login openwrt luci with root again.
System>>System
Timezone - Asia/Hong Kong
Click<<Save/Apply>>

At Windows DOS prompt, run ssh client
e.g. ssh root@192.168.1.1 to access openwrt command shell to install ddns package

opkg update <<ENTER>>
opkg install luci-app-ddns <<ENTER>>

After installation is complete, type
reboot -f  <<ENTER>>
to reboot router

After router reboots , use Windows browser to access 192.168.1.1 openwrt luci and login again.
Services >> Dynamic DNS
To add DDNS entry,
type dynu_ipv4, click <<Add>>, then
Basic Settings
DDNS Service provider [IPv4] - dynu.com
Lookup Hostname - testhost.ddnsfree.com
Domain - testhost.ddnsfree.com
Username - dynu_id
Password - dynu_pwd
Enabled - check
Click <<Save/Apply>>

Reboot router and verify
1) DDNS of testhost.ddnsfree.com can be updated with your router's WAN ip properly
2) Router time can be updated with local time

作者: tomleehk 時間: 2019-7-17 13:13

本帖最後由 tomleehk 於 2020-8-4 22:13 編輯

V2ray server installation and configuration

Download V2ray package(e.g. v2ray-core_4.20.0-1_mipsel_24kc.ipk) for your router at https://github.com/kuoruan/openwrt-v2ray/releases to PC.
Rename v2ray-core_4.20.0-1_mipsel_24kc.ipk to v2ray.ipk

Update on 4-Aug-2020:
You can also try the mini-versions, (e.g. v2ray-core-mini_4.26.0-2_mipsel_24kc.ipk) and enjoy the benefit of substantial reduction in package size. This mini version was also found working on Newifi 3 D2.

Run WINSCP to login router with
New Site
1) File protocol - SCP
2) Host Name - 192.168.1.1
3) Port Number - 22
4) User Name/Password - root / <root password>
You can use Save button to create a site profile for future re-use

After login, use WINSCP to upload v2ray.ipk to /tmp/tmp on the router. Ensure "Transfer mode" is binary at <Transfer Settings>

Run SSH client, e.g. ssh root@192.168.1.1 to access openwrt command shell.
cd /tmp/tmp  <<ENTER>>
opkg update <<ENTER>>
opkg install v2ray.ipk  <<ENTER>>

The v2ray package is rather huge and therefore be patient to wait for the linux command prompt to turn up again. Normally it will take 5 to 10 minutes to complete the installation.

After installation is complete, type
reboot -f  <<ENTER>>
to reboot router

Assume v2ray server uses the following parameters
1) port = 8443
2) protocol = vmess
3) uuid = c50bf28e-98cd-a351-b8d5-d60d56c376c7
4) network = ws
5) path = /vpath
6) host = testhost.ddnsfree.com

your v2ray.json file should have

{
"inbounds": [
{
"port": 8443,
"protocol": "vmess",
"allocate": {
"strategy": "always"
},
"settings": {
"clients": [
{
"id": "c50bf28e-98cd-a351-b8d5-d60d56c376c7",
"alterId": 64,
"security": "auto",
"level": 0
}
]
},
"streamSettings": {
"network":"ws",
"wsSettings": {
"connectionReuse": true,
"path": "/vpath",
"headers": {
"Host": "testhost.ddnsfree.com"
}
}
}
}
],
"outbounds": [
{
"protocol": "freedom",
"settings": {}
}
]
}

複製代碼

Use WINSCP to access the router and create the v2ray.json at /etc/config

Sample v2ray startup file

START=99
USE_PROCD=1
LimitNOFILE=1048576
LimitNPROC=512
start_service() {
mkdir /var/log/v2ray > /dev/null 2>&1
ulimit -n 99999
procd_open_instance
procd_set_param respawn
procd_set_param command /usr/bin/v2ray -config /etc/config/v2ray.json
procd_set_param file /etc/config/v2ray.json
procd_set_param stdout 1
procd_set_param stderr 1
procd_set_param pidfile /var/run/v2ray.pid
procd_close_instance
}

複製代碼

Use WINSCP to create the startup file v2ray (set attribute 755) at /etc/init.d/

At openwrt command shell, type
/etc/init.d/v2ray enable <<ENTER>>
/etc/init.d/v2ray start <<ENTER>>

作者: tomleehk 時間: 2019-7-17 13:24

本帖最後由 tomleehk 於 2021-10-2 00:12 編輯

Lighttpd/webpage installation and configuration

At openwrt command shell, type
opkg update <<ENTER>>
opkg install lighttpd-mod-openssl <<ENTER>>
opkg install lighttpd-mod-proxy <<ENTER>>
opkg install lighttpd-mod-redirect <<ENTER>>

After installation is complete, edit lighttpd configuration file (/etc/lighttpd/lighttpd.conf) with WINSCP

Note
1) Conflicting with luci (using port 80), default installation of lighttpd uses port 80 and therefore it may not be able to launch properly. To resolve, lighttpd server port MUST be changed to run at a port other than 80 (e.g. 8080).

2) Suppose using the attached simple webpage [attach]4403[/attach](index.html,css/style.css). Use WinSCP to create folders /www/webproj and /www/webproj/css. Copy index.html to /www/webproj and style.css to /www/webproj/css
Alternative download site for log-in.zip https://gofile.io/?c=8ejjcJ

3) Assume v2ray server configuration using path = "/vpath"

4) Assume the files ca_bundle.crt, server.crt and server.key are placed at  /www/ssl/,
at the same folder,
cat server.key server.crt  > lighttpd.pem <<ENTER>>
to generate the .pem file for lighttpd

Sample configuration file should have

server.modules = ("mod_openssl","mod_proxy","mod_redirect")
server.document-root = "/www/webproj/"
server.upload-dirs = ( "/tmp" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "http"
server.groupname = "www-data"
server.max-fds = 8192
server.max-connections = 4096
index-file.names = ( "index.php", "index.html",
"index.htm", "default.htm",
"index.lighttpd.html" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
### Options that are useful but not always necessary:
#server.chroot = "/"
server.port = 8080
#server.bind = "localhost"
#server.tag = "lighttpd"
#server.errorlog-use-syslog = "enable"
#server.network-backend = "write"
### Use IPv6 if available
#include_shell "/usr/share/lighttpd/use-ipv6.pl"
#dir-listing.encoding = "utf-8"
#server.dir-listing = "enable"
include "/etc/lighttpd/mime.conf"
include_shell "cat /etc/lighttpd/conf.d/*.conf"
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/www/ssl/lighttpd.pem"
ssl.ca-file = "/www/ssl/ca_bundle.crt"
ssl.openssl.ssl-conf-cmd = ("Ciphersuites" => "TLS_AES_128_GCM_SHA256")+("Protocol" => "-ALL, TLSv1.3")
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
}
$HTTP["url"] =~ "^/vpath" {
$HTTP["host"] == "testhost.ddnsfree.com" {
proxy.header = ( "upgrade" => "enable")
proxy.server = ( "" => (("host" => "127.0.0.1","port" => 8443)))
}
else {
url.redirect = ( "" => "/" )
}
}

複製代碼

Note
1) Open port 443 at openwrt luci, Network >> Firewall >> Traffic Rules and create the rule to open port 443

作者: tomleehk 時間: 2019-7-17 13:26

本帖最後由 tomleehk 於 2019-9-28 22:46 編輯

V2ray client installation and configuration

Using Kitsunebi as illustration, client configuration should have
Address - testhost.ddnsfree.com
Port - 443
UUID - c50bf28e-98cd-a351-b8d5-d60d56c376c7
Alterid - 64
Security - auto
Network - ws
Path - /vpath
Host - testhost.ddnsfree.com
TLS - check

作者: tomleehk 時間: 2019-7-17 13:26

本帖最後由 tomleehk 於 2020-5-14 08:34 編輯

luci-app-acme installation and configuration

Be careful.. The latest version 2.8.3.1 (Nov 2019) acme was found with some problems to get the certificate. Some workaround is needed to make it work.

At openwrt command shell, type
opkg update <<ENTER>>
opkg install luci-app-acme <<ENTER>>
opkg install acme-dnsapi <<ENTER>>

The latest version 2.8.3.1 (Nov 2019) acme was found to install package wget-nossl which will make the api script stop working. After installation of luci-app-acme and acme-dnsapi, the following extra steps are needed as workaround.

opkg update
opkg remove --force-depends wget-nossl
opkg upgrade wget

複製代碼

Note - The below sample uses API approach.

Collect the API credentials from DDNS provider, e.g.
At https://www.dynu.com/en-US/ControlPanel/APICredentials
copy the credentials, e.g.
Client ID
39a7a033-c129-55b0-a013-b511150ace22
Secret
7hcYY7JSbSNa2RQcQh1fcJY5cp8YMg

At openwrt luci, Services>>ACME certs
State directory - /etc/acme
Account email - any email other than the default email, e.g. your email
Enabled - check
Use staging server - uncheck
Key length - 2048
Domain names - testhost.ddnsfree.com
DNS API - dns_dynu
DNS API credentials - Dynu_ClientId="39a7a033-c129-55b0-a013-b511150ace22"
Dynu_Secret="7hcYY7JSbSNa2RQcQh1fcJY5cp8YMg"

Click <<Save/Apply>>

Note
1) Check other supported DDNS providers at https://github.com/Neilpang/acme.sh/tree/master/dnsapi and corresponding credential parameters needed at https://github.com/Neilpang/acme.sh/wiki/dnsapi
2) The default account email MUST be changed, otherwise the acme script cannot work.
3) The key/certificate files will be saved at the folder /etc/acme/testhost.ddnsfree.com/

作者: tomleehk 時間: 2019-7-17 13:36

本帖最後由 tomleehk 於 2019-10-19 14:19 編輯

Enable Openwrt Hardware Flow offloading

If you are using MT7621 router, e.g. newifi 3 d2,
you can enable hardware flow offloading at Firewall>>General Settings to improve throughput/performance.

[attach]4459[/attach]

作者: tomleehk 時間: 2019-7-17 17:01

本帖最後由 tomleehk 於 2019-10-19 14:19 編輯

Automation

1) If you are familiar with Openwrt, you can use cron jobs and scripts to automate renewal of certificates for the webserver.
https://openwrt.org/docs/guide-user/base-system/cron

2) You can also use the package watchcat
   https://openwrt.org/packages/pkgdata/watchcat
   https://openwrt.org/packages/pkgdata/luci-app-watchcat
   to reboot your router and get a new WAN ip whenever your ip is blocked by GFW

3) You need to change the WAN port MAC address before your router can get a new WAN ip. Corresponding scripting and automation can be found via google.

4) You can also install email client package, e.g.msmtp, ssmtp to send your renewed WAN ip as email to your webmail. Even when DDNS is not working, you still can know your router IP from the Email. Corresponding scripting and automation can also be found via google.

... and possibly some other automations.
All up to your imagination...

作者: tomleehk 時間: 2019-7-30 21:58

本帖最後由 tomleehk 於 2019-10-19 14:06 編輯

Further work

To share the same port (e.g. 443) by V2ray, SSH, SS and Openconnect etc. with the help of proxy servers.

Reference :
HAProxy to Nginx (Web + V2Ray WebSocket) + OpenConnect + SSH + ShadowsocksR (TLS OBFS)
https://gist.github.com/techotak ... 2eb5da244b2be8590d9

Proved working in a stable manner with my devices. However, the trivial trade-off is speed/response.

拯救被墙的IP，CDN + v2ray，安全的科学上网方
https://blog.sprov.xyz/2019/03/11/cdn-v2ray-safe-proxy/

Openwrt v2ray server + tls + websocket + webserver + cert + cdn 保護篇
http://www.telecom-cafe.com/foru ... tid=7761&page=1

作者: tomleehk 時間: 2019-9-27 23:28

本帖最後由 tomleehk 於 2019-10-19 14:07 編輯

[OpenWrt]V2Ray定制构建

https://blog.iknet.top/post/v2ray-reduce-build.html
V2Ray这么一款爱国上网利器大家一定不陌生，苦在它是用Golang写的，编译出来的大小着实惊人。对于嵌入式设备来说，18M的它，几乎是没法放进小小的ROM。就算经过UPX压缩，也有6M的大小。

这时候，我们就可以通过定制自己的V2Ray来达到精简的目的了qwq

Custom build
https://github.com/kuoruan/openwrt-v2ray

作者: gameplayer 時間: 2019-10-2 11:04

本帖最後由 gameplayer 於 2019-10-2 11:06 編輯

Lighttpd/webpage installation and configuration

At openwrt command shell, type
opkg update
...
tomleehk 發表於 2019-7-17 13:24

CHING，請問
2) Use WinSCP to create folders /www/webproj and /www/webproj/css. Copy index.html to /www/webproj and style.css to /www/webproj/css

這兩個folders 系邊個目錄create?

作者: tomleehk 時間: 2019-10-2 12:22

本帖最後由 tomleehk 於 2019-10-2 15:25 編輯

CHING，請問
2) Use WinSCP to create folders /www/webproj and /www/webproj/css. Copy index.ht ...

這兩個folders 系邊個目錄create?

gameplayer 發表於 2019-10-2 11:04

喺最top嘅level, 你會見folder /www,
你只要喺 /www 下面 create folder webproj
再喺 /www/webproj create folder css

作者: gameplayer 時間: 2019-10-2 17:17

本帖最後由 gameplayer 於 2019-10-2 17:39 編輯

V2ray server installation and configuration

Download V2ray package(e.g. v2ray-core_4.20.0-1_mipsel_ ...
tomleehk 發表於 2019-7-17 13:13

root@OpenWrt:/etc/init.d# v2ray start
V2Ray 4.20.0 (V2Fly, a community-driven edition of V2Ray.) OpenWrt - Release 3
A unified platform for anti-censorship.
main: failed to load config: > v2ray.com/core/main/confloader/external: config file not readable > open : no such file or directory
[attach]4456[/attach]
CHING，打完v2ray start，出現main: failed to load config。邊到有配置不當？個v2ray.json 有問題？
去到這步，v2ray server 已啟動？可以連接？因為想知道這步之前的是否都正確，再配置下一步。

作者: gameplayer 時間: 2019-10-2 17:18

喺最top嘅level, 你會見folder /www,
你只要喺 /www 下面 create folder webproj
再喺 /www/webproj cre ...
tomleehk 發表於 2019-10-2 12:22

明白！

作者: gameplayer 時間: 2019-10-2 17:19

Lighttpd/webpage installation and configuration

At openwrt command shell, type
opkg update
...
tomleehk 發表於 2019-7-17 13:24

請問這三個檔案 ca_bundle.crt, server.crt and server.key 要系邊到搵到？

作者: tomleehk 時間: 2019-10-2 17:30

本帖最後由 tomleehk 於 2019-10-2 22:20 編輯

root@OpenWrt:/etc/init.d# v2ray start
V2Ray 4.20.0 (V2Fly, a community-driven edition of V2Ray.) O ...
gameplayer 發表於 2019-10-2 17:17

v2ray server 肯定未啟動

At openwrt command shell, type
/etc/init.d/v2ray enable <<ENTER>>
/etc/init.d/v2ray start <<ENTER>>

由 /etc 開始type哂全句

作者: tomleehk 時間: 2019-10-2 17:36

本帖最後由 tomleehk 於 2019-10-2 23:02 編輯

請問這三個檔案 ca_bundle.crt, server.crt and server.key 要系邊到搵到？
gameplayer 發表於 2019-10-2 17:19

Post #1

Preparation
....
7. Valid certificate ( e.g. Let's encrypt, https://www.sslforfree.com/ )
....

呢d cert/key 檔案喺你幫你個webserver 嘅 domain 事先申請同預備定

經 Let's encrypt, https://www.sslforfree.com/ 申請, 免費有效3個月, 可免費renew
但你要有webserver同network知識先

亦可以經其他付費途徑申請有效期耐一d嘅cert/key檔案

Reference
https://www.freecodecamp.org/news/free-https-c051ca570324/

建議你先多了解 unix/openwrt, webserver(e.g. certificate, ssl/tls, proxy 等等..)
否則之後步驟可能會比較吃力

亦可以先搞掂v2ray 部分,
再利用另一隻openwrt router去研究webserver+cert嘅相關技術
cert/key出了錯webserver啟動唔到就連唔到後面嘅v2ray server
掌握到webserver技術之後, 成功起到一個有cert嘅網站, 再合併v2ray喺同一隻router上面

作者: gameplayer 時間: 2019-10-3 00:13

v2ray server 肯定未啟動

At openwrt command shell, type
/etc/init.d/v2ray enable
/etc/init.d/v2r ...
tomleehk 發表於 2019-10-2 17:30

root@OpenWrt:~# /etc/init.d/v2ray enable
-ash: /etc/init.d/v2ray: not found
root@OpenWrt:~# /etc/init.d/v2ray start
-ash: /etc/init.d/v2ray: not found

打全句，出現 not found.

如果CD 入去 /etc/init.d/，再打 v2ray enable

root@OpenWrt:/etc/init.d# v2ray enable
V2Ray 4.20.0 (V2Fly, a community-driven edition of V2Ray.) OpenWrt - Release 3
A unified platform for anti-censorship.
main: failed to load config: > v2ray.com/core/main/confloader/external: config file not readable > open : no such file or directory

作者: gameplayer 時間: 2019-10-3 00:15

Post #1

Preparation
....
7. Valid certificate ( e.g. Let's encrypt, )
....

呢d cert/key 檔案喺 ...
tomleehk 發表於 2019-10-2 17:36

我都打算先建好普通v2ray，之後再整其他。

作者: tomleehk 時間: 2019-10-3 00:58

本帖最後由 tomleehk 於 2019-10-3 08:06 編輯

root@OpenWrt:~# /etc/init.d/v2ray enable
-ash: /etc/init.d/v2ray: not found
root@OpenWrt:~# /et ...
gameplayer 發表於 2019-10-3 00:13

/etc/init.d/v2ray 呢個 startup file 不存在
或者未set 好attritube/permission 755

睇番post #3, 要人手用winscp去create 同 set attribute/permission 755

作者: gameplayer 時間: 2019-10-4 18:35

/etc/init.d/v2ray 呢個 startup file 不存在
或者未set 好attritube/permission 755

睇番post #3, 要人 ...
tomleehk 發表於 2019-10-3 00:58

多謝CHING解答，我再慢慢研究下。

作者: yiucsw 時間: 2019-12-13 10:25

买了Newif3. Config 一天後才知道樓主為什麼直接用openwrt. 而不用Pandrabox,LEAN....
enable V2ray :
echo 0xDEADBEEF > /etc/config/google_fu_mode
Memory full，write error!!! 又要重裝。

作者: tomleehk 時間: 2019-12-13 10:34

本帖最後由 tomleehk 於 2019-12-13 10:36 編輯

另一個主要原因喺要用openconnect
openconnect只有openwrt同linux有installation package

作者: yiucsw 時間: 2019-12-13 17:12

本帖最後由 yiucsw 於 2019-12-13 17:15 編輯

剛安裝完openwrt, V2ray 在 newwifi3. 在那個看到 UUID? Ubuntu 好像是直接顯示。
openwrt 是自己Generate？

作者: tomleehk 時間: 2019-12-13 18:06

本帖最後由 tomleehk 於 2019-12-13 19:23 編輯

openwrt 不會 generate v2ray UUID , 要 diy 個 UUID, 可以揾網頁去generate 個 UUID
印象中有luci package去作為v2ray.json UI, 不過我覺得唔啱用, 用manual方法去customize個 v2ray.json仲簡單好用
startup script 都要diy

作者: yiucsw 時間: 2019-12-13 19:23

本帖最後由 yiucsw 於 2019-12-13 19:26 編輯

同 gameplayer 遇到的問題是一樣：
root@OpenWrt:/etc/init.d# v2ray enable
V2Ray 4.21.3 (V2Fly, a community-driven edition of V2Ray.) OpenWrt - Release 1
A unified platform for anti-censorship.
main: failed to load config: > v2ray.com/core/main/confloader/external: config file not readable > open : no such file or directory
-------------------------------------------
加上-config parameter, 能運行，Default config file location 已經改變，不知道新位置在哪裡，是vpath?

root@OpenWrt:/# v2ray -config /etc/config/v2ray.json enable
V2Ray 4.21.3 (V2Fly, a community-driven edition of V2Ray.) OpenWrt - Release 1
A unified platform for anti-censorship.

是不是加 &
v2ray -config /etc/config/v2ray.json start &

作者: tomleehk 時間: 2019-12-13 19:26

本帖最後由 tomleehk 於 2019-12-13 20:08 編輯

詳見 Post #3

startup script file 都要diy, 同放喺適當folder同set適當attribute

Sample v2ray startup file
...
Use WINSCP to create the startup file v2ray (set attribute 755) at /etc/init.d/
...
At openwrt command shell, type
/etc/init.d/v2ray enable <<ENTER>>
/etc/init.d/v2ray start <<ENTER>>

作者: yiucsw 時間: 2019-12-14 09:01

本帖最後由 yiucsw 於 2019-12-14 09:09 編輯

謝謝，你的sample Start file 是正確的，不知道昨天為什麼不能用
/etc/init.d/v2ray enable

昨天是比較懶，加了link， default 在 /usr/bin/config.json
/etc/config# ln v2ray.json /usr/bin/config.json
# v2ray enable
V2Ray 4.21.3 (V2Fly, a community-driven edition of V2Ray.) OpenWrt - Release 1
A unified platform for anti-censorship.

問問到了這步能直接測試V2ray,還是要加Webserver。debug will be easier.

作者: tomleehk 時間: 2019-12-14 10:06

本帖最後由 tomleehk 於 2019-12-14 11:54 編輯

/etc/init.d/v2ray enable
喺 enable 開機時自動行/etc/init.d/v2ray呢嗰script, enable 咗一次就得
自己加了link唔知有乜結果,我未試過

另外可以開機後行
ps | grep "v2ray"
先check 吓 v2ray可唔可以開機後自動啟動,
v2ray.json或其他相關scripting有任何問題,都可能啟動唔到..

要試connection嘅話喺openwrt開番v2ray.json裏面v2ray嘅listening port
唔一定要加webserver, webserver只喺cover-up

作者: yiucsw 時間: 2019-12-14 20:54

本帖最後由 yiucsw 於 2019-12-14 20:58 編輯

try V2ray, cannot start by init.d, but can started by vray &
do not know where to find the v2ray log. add echo test to v2ray and no echo inside start_service.
as test, v2ray and v2ray.config use the sample you provided and modified accordingly.
Reset the openwrt few times and just add the v2ray and v2ray.conf is still not working.
-test -config do not product any error.
v2ray -config can run and grep can find the pid.
v2ray client cannot access thru 8443 port.
在luci startup - 按restart : "/etc/init.d/v2ray start" action: Command failed

作者: tomleehk 時間: 2019-12-15 01:01

/etc/init.d/v2ray set 咗attribute 755未？

作者: yiucsw 時間: 2019-12-15 02:54

both chmod +x ; chmod 755, 都沒有效果。

作者: yiucsw 時間: 2019-12-15 04:28

本帖最後由 yiucsw 於 2019-12-15 05:05 編輯

用比較笨的方法, install luci-app-v2ray
1) before install luci-app-v2ray, rm dnsmasq, install dnsmasq-full
/etc/init.d/dnsmasq stop
opkg remove dnsmasq
opkg instlal dnsmasq-full

2) 安装rsyslog. 在system log 看的v2ray message
opkg install rsyslog
/etc/init.d/rsyslog enable
/etc/init.d/rsyslog start
安装后，所有的运行日志都可以直接在/var/log/messages中查看了

3) Install Luci-app-v2ray
opkg install luci-app-v2ray

4) 配置V2ray
[attach]4473[/attach]
Verify custom config 是否成功
[attach]4475[/attach]

5）firewall setting: Network - Firewall - Traffic rules - down to "Open ports on router"
[attach]4474[/attach]
reboot.

6) kitsunebi client
只能訪問192.168.1.1
下一步如何Config 。。。

作者: tomleehk 時間: 2019-12-15 10:05

本帖最後由 tomleehk 於 2019-12-16 12:24 編輯

留意 !!! 我d sample config 嘅 uuid只喺亂打, 實際使用未必work, 要generate新一個...唔好照抄

Online UUID Generator
https://www.uuidgenerator.net/

我無用luci-app-v2ray,
v2ray 喺 proxy 技術, 要試的話可用v2rayNg 或 kitsunebi 直接上網再連v2ray server

以我Post#3嘅v2ray server sample, v2rayNg 或 kitsunebi 設定如下
Address - <your v2ray server URL>
Port - 8443
UUID - <your v2ray UUID>
Alterid - 64
Security - auto
Network - ws
Path - /vpath
Host - <your v2ray server URL>
TLS - uncheck

client同server config要夾, 同我Post#5嘅client config sample比較, 你要改嘅喺
1) v2ray server URL
2) Port
3) v2ray UUID (要generate新一個...唔好照抄)
4) TLS 要 uncheck

例牌方法..client上網(唔好經v2ray server),啟動連接v2ray server後,用手機browser睇吓 whatismyipaddress.com 喺唔喺show v2ray server 嘅wan ip

我無用luci-app-v2ray, 但照睇ps | grep "v2ray"出到
/usr/bin/v2ray -config /etc/config/v2ray.json
v2ray開機後啟動到..

作者: yiucsw 時間: 2019-12-17 23:31

本帖最後由 yiucsw 於 2019-12-18 00:16 編輯

謝謝，這兩天嘗試 Routeros + 軟路由（NUC）官方openwrt + V2ray... 還是用你的Sample config. (testing environment)（主要是 2nd Newifi 沒到）

Routeros enable port forward
firewall filter
[attach]4478[/attach]
firewall NAT rule
[attach]4479[/attach]

ESXI 加 V2ray VM. Delete harddisk, add 官方openwrt VMDK, add network adapter.
[attach]4476[/attach]
找不到對應的ethx 最簡單是兩張都是 internal network, 到LUCI 192.168.1.1 再改。

建議ESXI 加Windows VM. disable internal network adapter 再enable, openwrt 便能DHCP新IP。
[attach]4477[/attach]

作者: yiucsw 時間: 2019-12-17 23:34

本帖最後由 yiucsw 於 2020-1-14 20:23 編輯

V2ray x86 side
V2ray ipk 下載：
https://github.com/kuoruan/openwrt-v2ray/releases
選 v2ray-core_4.21.3-1_x86_64.ipk
upload to openwrt and install

安裝 luci for V2ray
https://github.com/kuoruan/luci-app-v2ray
wget -O kuoruan-public.key http://openwrt.kuoruan.net/packages/public.key
opkg-key add kuoruan-public.key
echo "src/gz kuoruan_universal http://openwrt.kuoruan.net/packages/releases/all"
>> /etc/opkg/customfeeds.conf
opkg update
在 LUCI software 安裝 luci-app-V2ray
[attach]4480[/attach]

作者: yiucsw 時間: 2019-12-18 00:27

本帖最後由 yiucsw 於 2019-12-20 13:05 編輯

[attach]4484[/attach]Config V2ray sample
inbound - add
[attach]4482[/attach]

inbound detail, copy sample to different area
[attach]4483[/attach]
outbount - add
[attach]4484[/attach]

outbound detail, select options
[attach]4485[/attach]

select the inbound and outbound sample
[attach]4486[/attach]

作者: yiucsw 時間: 2019-12-18 01:06

本帖最後由 yiucsw 於 2019-12-20 13:06 編輯

結果：
Android 上Run Kitsunebi (v2ray client)
[attach]4487[/attach]
能access 1st Mikrotik Router.
[attach]4488[/attach]

WhatismyIP 能找到 routeros 的 public IP。

作者: tomleehk 時間: 2019-12-18 02:23

本帖最後由 tomleehk 於 2019-12-18 03:01 編輯

Routeros 我無研究, 照睇設定都唔少..
不過只要client連接server啟動後, whatismyIP出到 routeros 的 public IP, 即喺初步掂咗

不過我sample嘅uuid只喺亂打, 真喺會work

作者: yiucsw 時間: 2019-12-18 10:48

本帖最後由 yiucsw 於 2019-12-18 10:49 編輯

不想在手機,電腦上安裝V2ray,是否能在中國的Newifi 3 做透明代理。有沒有sample config？
現在研究websocket proxy，是支持 protocol ws? tls?
在Godaddy ip 更新，還是找其他domain park 還是用openwrt 的Godaddy script?
已有Let's encrypt certification.

作者: tomleehk 時間: 2019-12-18 12:15

本帖最後由 tomleehk 於 2019-12-19 10:16 編輯

openwrt v2ray client 我無需求, 過往亦無試過..
只知最少包兩部分,
1) firewall ip tables rules, 可以參考
https://github.com/felix-fly/v2ray-openwrt
https://toutyrater.github.io/app/transparent_proxy.html

2) v2ray config, 可以參考
https://toutyrater.github.io/app/transparent_proxy.html

有會員呢方面有更多實戰經驗, 可以參考
http://www.telecom-cafe.com/foru ... &extra=page%3D1

睇番https://github.com/Neilpang/acme.sh/tree/master/dnsapi
openwrt acme package 可support godaddy script,
可以參考
http://www.telecom-cafe.com/foru ... =7749&pid=47347
用 openwrt acme package + godaddy api script

我唔怕麻煩， prefer免費，
但人人要求唔同，俾錢嘅當然簡單d。

作者: yiucsw 時間: 2019-12-18 16:52

error log from httpd:
2019-12-18 08:14:00: (server.c.1441) WARNING: unknown config-key: url.redirect (ignored) .
openwrt system.log 沒有什麼信息。
如何 debug?

作者: tomleehk 時間: 2019-12-18 18:06

本帖最後由 tomleehk 於 2019-12-18 21:56 編輯

error log from httpd:
2019-12-18 08:14:00: (server.c.1441) WARNING: unknown config-key: url.redirec ...
yiucsw 發表於 2019-12-18 16:52

google.. keyword:WARNING: unknown config-key: url.redirect (ignored)
有解釋
http://www.voidcn.com/article/p-xlcoesga-bku.html

我嘅 Post #4. lighttpd sample config file, 同 opkg installation step 之前有錯誤而家已修正
要多install一個package
opkg install lighttpd-mod-redirect <<ENTER>>

作者: yiucsw 時間: 2019-12-19 01:08

本帖最後由 yiucsw 於 2019-12-19 01:14 編輯

其實想用Candy，但要軟路由才有力去推。
install lighttpd from luci-system-software. select three module.
[attach]4490[/attach]
luci-system-startup 按 enable 按 start lighttpd。按 restart, 當改完 config file.
[attach]4491[/attach]

SSLforfree 下載 ca_bundle.crt, certificate.crt, private.key.
lighttpd.pem file 是 cat private.key certificate.crt.crt > lighttpd.pem
vi lighttpd.pem 加一個return 分開 key 同 crt。
[attach]4492[/attach]

作者: yiucsw 時間: 2019-12-19 01:26

openwrt Firewall, 開 8080 (website)，開443(v2ray).
[attach]4493[/attach]

到網站。Fake 的信息
[attach]4494[/attach]

p.s.
在ROS 上 port forward 到 openwrt VM. port 8080 到 80，port 443 到 443.

網上的其他 lighttpd Redirect, Fake youku 請求。
https://th0masxu.gq/index.php/archives/300

作者: yiucsw 時間: 2019-12-19 01:41

本帖最後由 yiucsw 於 2019-12-19 14:33 編輯

sslforfree: 我是手工DNS Verification.
https://www.sslforfree.com
Domain 是 *.dynu.net (我是Godaddy 的 Domain). 但用Dynu.net access V2ray 也沒有報錯。
[attach]4495[/attach]
DNS challenge 是兩個Record : 1個 CNAME ; 一個 TXT。
[attach]4496[/attach]

作者: tomleehk 時間: 2019-12-19 10:08

本帖最後由 tomleehk 於 2019-12-19 10:40 編輯

行https://<your webserver URL>見到你個Log-in網頁就代表webserver+cert成功
webserver config 或者cert有問題嘅話, 個webserver都啟動唔到

用邊一隻webserver其實無乜大問題, 只要有proxy功能同相關proxy config做啱就得, 我用lighttpd因為佢個loading比較細, 反正都只喺攞嚟做cover-up, webserver其他功能有幾powerful都用唔到

作者: yiucsw 時間: 2019-12-20 12:27

本帖最後由 yiucsw 於 2020-1-14 20:28 編輯

中國客戶端  -》香港服務器

CN wifi -> newifi3客户端 -> internet -> ROS(newifi3/openwrt) ESXI VM.
不想在手机/电脑上安装V2ray client, 不改Server config.
测试基本v2ray ws; no TLS; no tproxy
在新的Newifi3 上已有老毛子的 Firmware.
[attach]4497[/attach]
v2ray_script 加两句。（主要是用来debug.) (不加两句要delete V2ray_config 的log statememt)
[attach]4498[/attach]
rm /var/log/v2ray/error.log > /dev/null 2>&1
mkdir /var/log/v2ray > /dev/null 2>&1

以下是 v2ray_config_script copy and paste。主要是拷贝的 websocket 客户端： https://toutyrater.github.io/advanced/wss_and_web.html
{
  "log" : {
"access": "/var/log/v2ray/access.log",
"error": "/var/log/v2ray/error.log",
"loglevel": "warning"
  },
  "inbounds": [
{
   "port": 1080,
   "listen": "0.0.0.0",
   "protocol": "socks",
   "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"]
   },
   "settings": {
      "auth": "noauth",
      "udp": false
   }
}
  ],
  "outbounds": [
{
   "protocol": "vmess",
   "settings": {
      "vnext": [
      {
         "address": "youry2rayserver.dynu.net",
         "port": 8443,
         "users": [
            {
            "id": "c50bf28e-98cd-a351-b8d5-d60d56c376c7",
            "alterId": 64
            }
         ]
      }
      ]
   },
   "streamSettings": {
      "network": "ws",
      "wsSettings": {
      "path": "/vpath"
      }
   }
}
  ]
}

按中間的Button “应用本页面设置”
在左边高级设置-系统日志，V2ray 是否能启动，有下面两句

【v2ray】: 启动成功 V2Ray 4.21.3 (V2Fly, a community-driven edition of V2Ray.) Custom
【v2ray】: 守护进程启动

作者: yiucsw 時間: 2019-12-20 12:37

本帖最後由 yiucsw 於 2019-12-20 12:58 編輯

debug:
SSH 到newifi3.
cd /var/log/v2ray

curl -x socks5://127.0.0.1:1080 google.com
[attach]4499[/attach]
curl -x socks5://127.0.0.1:1080 ifconfig.co
你server 的 public IP address.

在access.log 底部有
tcp:127.0.0.1:20152 accepted tcp:172.217.26.142:80
tcp:127.0.0.1:20150 accepted tcp:104.31.191.10:80

那Newifi3 v2ray 客户端/client 已连接到 Openwrt v2 ray 服务器/server.

作者: yiucsw 時間: 2019-12-20 12:51

本帖最後由 yiucsw 於 2019-12-20 14:39 編輯

Shortcut solution:
newifi3 的 wifi 用户如何利用 v2ray client。
Firefox 加 Socks.
加 127.0.0.1 失败，不能上网 (access log 没有 entry)
[attach]4500[/attach]

加 192.168.123.1 (newwifi default IP 地址，要改), better. access log has entry.
[attach]4501[/attach]

client V2ray config 改 listen.
   "port": 1080,
   "listen": "127.0.0.1",
到

   "port": 1080,
   "listen": "0.0.0.0",

最后的change 有点Try and error. any suggestion?

作者: tomleehk 時間: 2019-12-20 14:13

個人覺得唔用iptables 改default udp/tcp route未必work
睇吓其他cHing有無建議

作者: yiucsw 時間: 2019-12-20 14:47

本帖最後由 yiucsw 於 2019-12-27 10:19 編輯

比较慢，还是基础篇，还没有做透明代理, 所以没有iptable.
在Newifi wifi client, 已能用 Esxi openwrt 的V2ray server 上网.

DNS：

DNS, 原本copy and paste V2ray DNS statement, 看到 V2ray 同 Chinadns 好像能连接，看看能不能用。

作者: yiucsw 時間: 2019-12-20 19:27

本帖最後由 yiucsw 於 2019-12-20 19:51 編輯

Newifi3 客户端加Route +Mux, 好像开youtube 加快了:

{
  "log" : {
"access": "/var/log/v2ray/access.log",
"error": "/var/log/v2ray/error.log",
"loglevel": "warning"
  },
  "inbounds": [
{
   "port": 1080,
   "listen": "0.0.0.0",
   "protocol": "socks",
   "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"]
   },
   "settings": {
      "auth": "noauth",
      "udp": false
   }
}
  ],
  "outbounds": [
{
   "protocol": "vmess",
   "settings": {
      "vnext": [
      {
         "address": "yourv2rayserver.dynu.net",
         "port": 8443,
         "users": [
            {
            "id": "c50bf28e-98cd-a351-b8d5-d60d56c376c7",
            "alterId": 64
            }
         ]
      }
      ]
   },
   "streamSettings": {
      "network": "ws",
      "wsSettings": {
      "path": "/vpath"
      }
   },
   "mux": {"enabled": true}
},
{
   "protocol": "freedom",
   "settings": {},
   "tag": "direct" //如果要使用路由，这个 tag 是一定要有的，在这里 direct 就是 freedom 的一个标号，在路由中说 direct V2Ray 就知道是这里的 freedom 了
}
  ],
  "routing": {
"domainStrategy": "IPOnDemand",
"rules": [
   {
      "type": "field",
      "outboundTag": "direct",
      "domain": ["geosite:cn"] // 中国大陆主流网站的域名
   },
   {
      "type": "field",
      "outboundTag": "direct",
      "ip": [
      "geoip:cn", // 中国大陆的 IP
      "geoip:private" // 私有地址 IP，如路由器等
      ]
   }
]
  }
}

作者: tomleehk 時間: 2019-12-20 20:39

本帖最後由 tomleehk 於 2020-1-4 22:50 編輯

Openwrt V2ray 透明代理 tls + ws (實踐編)
http://www.telecom-cafe.com/forum/viewthread.php?tid=7789

作者: yiucsw 時間: 2019-12-20 20:44

本帖最後由 yiucsw 於 2019-12-20 21:15 編輯

刚加上TLS后失败了。有什么建议？MUX / TLS 只能选一种，开两种手机上打开 youtube 慢的要死。
在手机 kitsunebi TLS 能打开google.com
newifi3 上不能打开国外网站。。。

client json 加 "security": "tls",

> v2ray.com/core/common/retry: [v2ray.com/core/transport/internet/websocket: failed to dial WebSocket > v2ray.com/core/transport/internet/websocket: failed to dial to (wss://mydomain.com/vpath): 301 Moved Permanently > websocket: bad handshake] > v2ray.com/core/common/retry: all retry attempts failed

{
  "log" : {
"access": "/var/log/v2ray/access.log",
"error": "/var/log/v2ray/error.log",
"loglevel": "warning"
  },
  "inbounds": [
{
   "port": 1080,
   "listen": "0.0.0.0",
   "protocol": "socks",
   "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"]
   },
   "settings": {
      "auth": "noauth",
      "udp": false
   }
}
  ],
  "outbounds": [
{
   "protocol": "vmess",
   "settings": {
      "vnext": [
      {
         "address": "mydomain.com",
         "port": 443,
         "users": [
            {
            "id": "c50bf28e-98cd-a351-b8d5-d60d56c376c7",
            "alterId": 64
            }
         ]
      }
      ]
   },
   "streamSettings": {
      "network": "ws",
      "security": "tls",
      "wsSettings": {
      "path": "/vpath"
      }
   },
   "mux": {"enabled": true}
},
{
   "protocol": "freedom",
   "settings": {},
   "tag": "direct" //如果要使用路由，这个 tag 是一定要有的，在这里 direct 就是 freedom 的一个标号，在路由中说 direct V2Ray 就知道是这里的 freedom 了
}
  ],
  "routing": {
"domainStrategy": "IPOnDemand",
"rules": [
   {
      "type": "field",
      "outboundTag": "direct",
      "domain": ["geosite:cn"] // 中国大陆主流网站的域名
   },
   {
      "type": "field",
      "outboundTag": "direct",
      "ip": [
      "geoip:cn", // 中国大陆的 IP
      "geoip:private" // 私有地址 IP，如路由器等
      ]
   }
]
  }
}

作者: tomleehk 時間: 2019-12-21 05:33

...
"streamSettings": {
      "network": "ws",
      "security": "tls",
      "tlsSettings": {"allowInsecure": true,"serverName": "your server url"},
      "wsSettings": {
      "path": "/vpath"
      }
...

作者: yiucsw 時間: 2019-12-21 12:39

本帖最後由 yiucsw 於 2019-12-21 12:53 編輯

谢谢改正了。 Enable TLS 是不成功的問題。
在v2ray log 內, error message. 301 Move Permanently.
发现是lighttpd conf 內弄錯。 (andriod 的 v2ray client 沒有問題，只是PC 端不成）

原因：原本用 v2ray.dynu.com。 TLS 要用Goddy 的domain. SSL 看到我用v2ray.dynu.com，有Certification error. 改了v2ray 的Server 名字，SSL 過了 Certification check. Android 端能上V2ray, 所以沒有想是lighttpd 的問題。。

lighttpd config :
  $HTTP["host"] == "v2ray.myserver.com"

現在 client 的 v2ray config. tls + ws
{
  "log" : {
"access": "/var/log/v2ray-access.log",
"error": "/var/log/v2ray-error.log",
"loglevel": "warning"
  },
  "inbounds": [
{
   "port": 1080,
   "listen": "0.0.0.0",
   "protocol": "socks",
   "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"]
   },
   "settings": {
      "auth": "noauth",
      "udp": false
   }
}
  ],
  "outbounds": [
{
   "protocol": "vmess",
   "settings": {
      "vnext": [
      {
         "address": "v2ray.myserver.com",
         "port": 443,
         "users": [
            {
            "id": "c50bf28e-98cd-a351-b8d5-d60d56c376c7",
            "alterId": 64
            }
         ]
      }
      ]
   },
   "streamSettings": {
      "network": "ws",
      "security": "tls",
      "tlsSettings": {
      "allowInsecure": true,
      "serverName": "v2ray.myserver.com"},
      "wsSettings": {
      "path": "/vpath"
      }
   },
   "mux": {"enabled": true}
},
{
   "protocol": "freedom",
   "settings": {},
   "tag": "direct" //如果要使用路由，这个 tag 是一定要有的，在这里 direct 就是 freedom 的一个标号，在路由中说 direct V2Ray 就知道是这里的 freedom 了
}
  ],
  "routing": {
"domainStrategy": "IPOnDemand",
"rules": [
   {
      "type": "field",
      "outboundTag": "direct",
      "domain": ["geosite:cn"] // 中国大陆主流网站的域名
   },
   {
      "type": "field",
      "outboundTag": "direct",
      "ip": [
      "geoip:cn", // 中国大陆的 IP
      "geoip:private" // 私有地址 IP，如路由器等
      ]
   }
]
  }
}

Startup  (match server side log's location.)
rm /var/log/v2ray-error.log > /dev/null 2>&1
rm /var/log/v2ray-access.log > /dev/null 2>&1

現在 Server v2ray log 有error message，大概 7 second 一次
rejected  v2ray.com/core/proxy/vmess/encoding: failed to read request header > websocket: close 1000 (normal)

作者: yiucsw 時間: 2019-12-21 13:07

本帖最後由 yiucsw 於 2020-1-1 19:30 編輯

share port.
因為openconnect, V2ray + TLS 在同一個 Esxi. 所以想如何share port?
haproxy. Haproxy 好像不簡單？有沒有Sample config? Performance 如何？

因為 HKBN 有2個 public ip, Router1 port forward 443 到 Router2 4443，再port foward Openconnect 443.
Routeros 比較認識：
1) Router2. (routeros 在 Esxi 前端）同普通port forward 一樣，port forward 4443 到 openconnect 443.
IP firewall NAT
1 add action=dst-nat chain=dstnat dst-port=4443 in-interface=wan protocol=tcp to-addresses=192.168.x.50 to-ports=443
2 add action=dst-nat chain=dstnat dst-port=4443 in-interface=wan protocol=udp to-addresses=192.168.x.50 to-ports=443

2) Router1. (non-Esxi router)
IP firewall NAT
1 chain=dstnat action=dst-nat to-addresses=router2's public ip to-ports=4443
   protocol=tcp in-interface=wan dst-port=443
2 chain=dstnat action=dst-nat to-addresses=router2's public ip to-ports=4443
   protocol=udp in-interface=wan dst-port=443

比較麻煩是 Router1 ip firewall to-address 將Domain-name 變成 IP address.
要 scheduler 來check ip change

Location HK. Android - Prepaid card 3 Mobile Data 數據有點浮動. Low Speed, Port forward 沒有太多影響。
no openconnect:    : ping 19ms, down 23.2Mbps up 10.1Mbps.
With port forward    :ping 38ms, down 15.2 Mbps up 3.99 Mbps
Without port forward :ping 55ms, down 13.0 Mbps up 3.77 Mbps

作者: yiucsw 時間: 2020-1-13 10:22

本帖最後由 yiucsw 於 2020-1-13 10:24 編輯

回復 4# tomleehk

環境在： lighttpd 在二級路由，測試是內網進行。v2ray Data 是從 2nd HKBN public IP port forward。
請教，對比在Modproxy 最底範例，沒有以下這句，有什麼作用，可以刪除嗎，security 的影響？
$HTTP["host"] == "testhost.ddnsfree.com"
https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModProxy

----------------------------------------------
請幫忙：加一網頁，將Dynu API client id 同密碼寫到 Environment Virable.
主要目的是 remote manage Docker by Portainer，Run ACME on docker。 currently run ACME on ARMBIAN host。
Give up Godaddy，mobile phone is resetted by accident，godaddy need strict policy to reset 2nd authentication。

作者: yiucsw 時間: 2020-1-13 10:49

在找share 443 port, ocserv with lighttpd。
能 traffic route to ocserv server？
https://ocserv.gitlab.io/www/recipes-ocserv-multihost.html

作者: tomleehk 時間: 2020-1-13 13:21

本帖最後由 tomleehk 於 2020-1-13 14:12 編輯

回復 59# yiucsw

client 只送出正確path 不會送至v2ray server
確保client 送出正確host header + path 才送至v2ray server
check host header並唔喺必要嘅, 好處喺俾只喺check path多一層checking, 多一層保障

作者: tomleehk 時間: 2020-1-13 13:25

本帖最後由 tomleehk 於 2020-1-13 13:33 編輯

回復 60# yiucsw

lighttpd我嘅實試只能用proxy 間接share v2ray 同 webserver 共用443 port
lighttpd印象中實試用proxy不能share ocserv 共用443 port , 睇吓有無其他會員試到work

作者: yiucsw 時間: 2020-1-15 09:18

from official lighttpd website, 要HAPROXY/SNIPROXY
1) HKBN has two public IP. 2) In case failure, still can access by an backup device.
3) Add another V2ray server can offline traffic.
No matter N1/T1 is about $100/$200, 不用浪費時間在 HAPROXY。(SNIPROXY 沒有Docker）

剛Place order to buy a T1.. (N1 should be better)

歡迎光臨電訊茶室 (http://www.telecom-cafe.com/forum/)