
GWD 安装说明

其实就是用 v2ray+ws+tls+nginx 作透明网关，为了防止 DNS 污染，使用了 DoH。项目地址：https://github.com/jacyl4/de_GWD

前期准备

DD 重装

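#!/usr/bin/env bash
# Network reinstall ("DD") of the VPS with moeclub's InstallNET.sh.
# The script comes over plain HTTP and then runs as root with full control of
# the disk, so it is saved to a file and pinned to the sha256 of a copy that was
# read through first; a download that differs aborts the reinstall.
set -euo pipefail

INSTALLNET_URL="http://moeclub.org/attachment/LinuxShell/InstallNET.sh"
# <PLACEHOLDER: sha256 of the InstallNET.sh copy you reviewed>
INSTALLNET_SHA256="<sha256-of-reviewed-InstallNET.sh>"
# Root password for the new system. Read from the environment so it does not
# end up in shell history; defaults to the value the original note used.
DD_ROOT_PASSWORD="${DD_ROOT_PASSWORD:-zhelishimima}"

# --no-check-certificate is dropped: it does nothing for an http:// URL, and
# if the host ever redirects to HTTPS the certificate should be verified.
wget -c -O InstallNET.sh "$INSTALLNET_URL"
# Verify before the sed below modifies the file.
echo "${INSTALLNET_SHA256}  InstallNET.sh" | sha256sum -c -

# The original note swaps 8.8.8.8 for 1.1.1.1 inside the installer
# (presumably the resolver it writes into the new system).
sed -i 's/8.8.8.8/1.1.1.1/g' InstallNET.sh

# -d 10: Debian 10, -v amd64, -a: automatic; static IP for the new system.
bash InstallNET.sh -d 10 -v amd64 -a \
  -p "$DD_ROOT_PASSWORD" \
  --mirror "http://deb.debian.org/debian/debian" \
  --ip-addr 10.170.0.14 \
  --ip-mask 255.255.255.0 \
  --ip-gate 10.170.0.1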

Cloudcone DD 完成后，进 VNC 选择 grub 界面，按 e 后进入配置界面，ctrl+c 退出进入 grub 命令行，输入 exit 后正常进入系统，之后执行 `ln -s /boot/grub/ /boot/grub2` 即可正常重启。

安装 GWD

server

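#!/usr/bin/env bash
# Install the de_GWD server side from GitHub.
# The installer is saved to a file instead of being piped straight into bash
# so it can be read before it runs as root, and TLS verification is kept on
# (no --no-check-certificate): that check is the only thing tying the
# download to github.com.
set -euo pipefail
installer="$(mktemp)"
trap 'rm -f "$installer"' EXIT
wget -qO "$installer" https://raw.githubusercontent.com/jacyl4/de_GWD/main/server
# Inspect "$installer" here if you want to check it before it runs.
bash "$installer"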

client

Basic Edition (amd64&arm64)

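#!/usr/bin/env bash
# Install the de_GWD client, Basic Edition (amd64 & arm64).
# The installer comes over plain HTTP from gwd.seso.icu:10290, so nothing on
# the wire protects it; it is saved to a file and checked against the sha256
# of a copy that was reviewed before it is allowed to run as root.
set -euo pipefail
apt install -y wget

# <PLACEHOLDER: sha256 of the reviewed client script>
CLIENT_SHA256="<sha256-of-reviewed-client-script>"
installer="$(mktemp)"
trap 'rm -f "$installer"' EXIT
# --no-check-certificate is dropped: it is meaningless for http:// and the
# checksum below is what provides integrity here.
wget -qO "$installer" http://gwd.seso.icu:10290/client
echo "${CLIENT_SHA256}  ${installer}" | sha256sum -c -
bash "$installer"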

Docker nginx Edition (amd64)

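#!/usr/bin/env bash
# Install the de_GWD client, Docker nginx Edition (amd64).
# The installer comes over plain HTTP from gwd.seso.icu:10290, so nothing on
# the wire protects it; it is saved to a file and checked against the sha256
# of a copy that was reviewed before it is allowed to run as root.
set -euo pipefail
apt install -y wget

# <PLACEHOLDER: sha256 of the reviewed client_do script>
CLIENT_DO_SHA256="<sha256-of-reviewed-client_do-script>"
installer="$(mktemp)"
trap 'rm -f "$installer"' EXIT
# --no-check-certificate is dropped: it is meaningless for http:// and the
# checksum below is what provides integrity here.
wget -qO "$installer" http://gwd.seso.icu:10290/client_do
echo "${CLIENT_DO_SHA256}  ${installer}" | sha256sum -c -
bash "$installer"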

armbian 源

# Point an Armbian box (Debian buster base) at the USTC mirror over HTTPS.
# Open the sources list and replace its contents with the block below.
$ nano /etc/apt/sources.list

# /etc/apt/sources.list -- one deb/deb-src pair per suite
# (main release, stable updates, security updates).
deb https://mirrors.ustc.edu.cn/debian/ buster main contrib non-free
deb-src https://mirrors.ustc.edu.cn/debian/ buster main contrib non-free
deb https://mirrors.ustc.edu.cn/debian/ buster-updates main contrib non-free
deb-src https://mirrors.ustc.edu.cn/debian/ buster-updates main contrib non-free
deb https://mirrors.ustc.edu.cn/debian-security/ buster/updates main contrib non-free
deb-src https://mirrors.ustc.edu.cn/debian-security/ buster/updates main contrib non-free

# Refresh the package index against the new mirror, then upgrade everything.
$ apt update && apt upgrade -y

其它说明

时间设置

# Set the system clock by hand (GNU date; --set is the long form of -s).
# The timestamp is only a sample from the note -- use the current time,
# since a wrong clock makes TLS certificate checks fail.
date --set="15:00:00 2020-03-20"

客户端救机代码

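#!/usr/bin/env bash
# Client rescue: stop the de_GWD services and point the box at public
# resolvers so it keeps name resolution while the gateway is down.

# A unit may already be stopped or absent; continue either way, as the
# original sequence did.
systemctl stop v2dns || true
systemctl stop vtrui || true
systemctl stop iptables-proxy || true

# Keep a copy of the current resolver config so the gateway setup can be
# put back afterwards.
if [ -e /etc/resolv.conf ]; then
  cp -a /etc/resolv.conf "/etc/resolv.conf.rescue.$(date +%s)"
fi

# Public Chinese resolvers (DNSPod 119.x, AliDNS 223.x), plain UDP -- this
# is the rescue path, not the DoH path the gateway normally uses.
# NOTE(review): if /etc/resolv.conf is a symlink (resolvconf / systemd-resolved
# stub), `cat >` writes through it to the target -- confirm on the device.
cat > /etc/resolv.conf << EOF
nameserver 119.29.29.29
nameserver 119.28.28.28
nameserver 223.5.5.5
nameserver 223.6.6.6
EOF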

IP 设置

# /etc/network/interfaces -- static LAN address for the gateway box (ifupdown).
/etc/network/interfaces
###########################
auto eth0
iface eth0 inet static
# Sample values from the note; set them to the LAN the device actually sits on.
address 192.168.2.121
netmask 255.255.255.0
gateway 192.168.2.2
###########################

# /etc/resolv.conf -- local resolver first (presumably the DoH forwarder
# listening on loopback), with 8.8.8.8 as a plain-UDP fallback.
/etc/resolv.conf
###########################
nameserver 127.0.0.1
# NOTE(review): the resolver only falls through to this entry when 127.0.0.1
# times out, but when it does, queries leave the box unencrypted and without
# the pollution protection DoH was added for -- confirm that is acceptable.
nameserver 8.8.8.8
###########################

常用命令

# Debian: print the installed release version
$ cat /etc/debian_version

vtrui-config

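# Show the vtrui (v2ray) config installed by de_GWD.
# The doubled slash in the original path was a typo; it resolves to the same
# file but is fixed here for copy-and-paste.
cat /opt/de_GWD/vtrui/config.json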
{
"dns": {
"servers": [
"localhost"
]
},
"inbounds": [
{
"port": 11810,
"listen": "127.0.0.1",
"protocol": "vmess",
"settings": {
"clients": [
{
"id": "uuid",
"level": 1
}
]
},
"streamSettings": {
"network": "ws",
"wsSettings": {
"path": "/path"
}
}
}
],
"outbounds": [
{
"protocol": "freedom",
"settings": {}
}
]
}

nginx-config

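# /etc/nginx/nginx.conf as used by the de_GWD server side.
# Worker runs as www-data; vhosts live in conf.d (see the include at the end).
user  www-data www-data;
pid /run/nginx.pid;

worker_processes auto;
# Per-worker open-file limit; keep it at least as large as worker_connections.
worker_rlimit_nofile 100000;

events {
    worker_connections 100000;
    multi_accept on;
    use epoll;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # FastCGI tuning kept from the original. The vhost shown on this page has
    # no fastcgi_pass, so these only take effect if a PHP location is added.
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 64 4k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    fastcgi_intercept_errors on;

    # Do not reveal the nginx version in the Server header or error pages.
    server_tokens off;
    sendfile on;
    tcp_nodelay on;
    tcp_nopush on;

    # Drop slow or idle clients instead of holding workers.
    client_header_timeout 60;
    client_body_timeout 60;
    reset_timedout_connection on;
    types_hash_max_size 2048;

    gzip on;
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_buffers 16 8k;
    gzip_http_version 1.0;
    gzip_types text/plain
               text/javascript
               text/css
               text/js
               text/xml
               text/x-component
               text/x-json
               font/opentype
               application/x-font-ttf
               application/javascript
               application/x-javascript
               application/x-web-app-manifest+json
               application/json
               application/atom+xml
               application/xml
               application/xml+rss
               application/xhtml+xml
               application/vnd.ms-fontobject
               image/svg+xml
               image/x-icon;

    # Brotli directives need an nginx build with the ngx_brotli module.
    brotli on;
    brotli_static on;
    brotli_comp_level 6;
    brotli_buffers 16 8k;
    brotli_min_length 20;
    brotli_window 16m;
    brotli_types *;

    # Logging is disabled on purpose for this gateway. `error_log off` is not
    # the way to do that: nginx takes "off" as a file name and writes errors to
    # a file called "off" under its prefix directory. Sending them to /dev/null
    # at crit level is the supported equivalent. (For incident triage a real
    # path such as /var/log/nginx/error.log would be more useful than neither.)
    access_log off;
    error_log /dev/null crit;
    log_not_found off;

    include /etc/nginx/conf.d/*.conf;
}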
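# Plain-HTTP listener: nothing is served here, every request is sent to HTTPS.
server {
    listen 80;
    server_name www.xxx.com;
    return 301 https://$server_name$request_uri;
}

# TLS vhost fronting the DoH resolver (/dq) and the v2ray WebSocket (/path).
# "www.xxx.com", the ssl paths and "port" are placeholders from the note.
server {
    # The QUIC listener needs an nginx build with QUIC/HTTP3 support; the
    # second listen line is the regular TLS + HTTP/2 listener.
    listen 443 quic reuseport;
    listen 443 ssl http2 fastopen=128 reuseport;
    server_name www.xxx.com;
    root /var/www/html;
    index index.php index.html index.htm;

    ssl_certificate /var/www/ssl/www.xxx.com.cer;
    ssl_certificate_key /var/www/ssl/www.xxx.com.key;

    # Advertise HTTP/3 (draft version ids) to clients that understand alt-svc.
    add_header alt-svc 'quic=":443"; h3-27=":443"; h3-25=":443"; h3-T050=":443"; h3-Q050=":443"; h3-Q049=":443"; h3-Q048=":443"; h3-Q046=":443"; h3-Q043=":443"; ma=86400';
    ssl_dhparam /var/www/ssl/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # NOTE(review): the tail of this list (RSA+AES128+SHA, RSA+AES256+SHA,
    # RSA+3DES) keeps non-forward-secret RSA key exchange and 3DES for old
    # clients; drop those entries unless such clients must reach this host.
    ssl_ciphers TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20:EECDH+ECDSA+AESGCM+AES128:EECDH+ECDSA+CHACHA20:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:EECDH+aRSA+AESGCM+AES128:EECDH+aRSA+CHACHA20:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES;
    ssl_session_timeout 10m;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_buffer_size 4k;

    # TLS 1.3 0-RTT. Early data can be replayed by a network attacker, so the
    # upstream is told through the Early-Data header whether a request came in
    # 0-RTT and can decide to reject non-idempotent ones.
    ssl_early_data on;
    proxy_set_header Early-Data $ssl_early_data;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_stapling_file /var/www/ssl/ocsp.resp;

    # Response hardening headers. They are inherited by the locations below
    # because none of those defines an add_header of its own.
    add_header Referrer-Policy no-referrer;
    add_header X-Content-Type-Options nosniff;
    add_header X-Download-Options noopen;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header X-Robots-Tag none;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Refuse dotfiles and dot-directories (.git, .env, ...) except ACME's
    # /.well-known.
    location ~ /\.(?!well-known).* {
        deny all;
    }

    # DoH endpoint: /dq is forwarded to the local resolver's /dns-query.
    location /dq {
        proxy_pass http://127.0.0.1:port/dns-query;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header is inherited from the server level only when a
        # location sets none of its own, so the Early-Data header must be
        # repeated here or replayed 0-RTT requests reach the upstream unmarked.
        proxy_set_header Early-Data $ssl_early_data;
        proxy_redirect off;
        keepalive_requests 25600;
        keepalive_timeout 300 300;
        proxy_buffering off;
        proxy_buffer_size 8k;
    }

    # v2ray WebSocket path; upstream is the vmess inbound on 127.0.0.1.
    location /path {
        proxy_pass http://127.0.0.1:port;
        # WebSocket upgrade needs HTTP/1.1 toward the upstream.
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade "WebSocket";
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Same inheritance rule as in /dq: re-state Early-Data here.
        proxy_set_header Early-Data $ssl_early_data;
        proxy_redirect off;
        keepalive_requests 25600;
        keepalive_timeout 300 300;
        proxy_buffering off;
        proxy_buffer_size 8k;
    }
}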