You probably need obfs4 in my country

Censorship is the best-known feature of the internet in China. Users are actively attacked with packet analysis and proxy detection, which sets a technical barrier for most people without a technical background who want to access international websites.

I am not sure whether my proxy tunnel is being detected and interfered with, as it is unstable only on my router and only with one remote server (which works fine on my laptop).

But obfuscation now seems essential for a more secure and reliable (even faster in some cases) international connection, so I decided to write down my obfs4proxy solution (which seems a bit tricky to use with non-Tor proxies).

Hope you find this post useful

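Actually, I don't really know how useful it is either.

Recently ss libev (shadowsocks-libev) on my OpenWrt router started dropping connections frequently, especially when using a Vultr Japan server (so far only this router has the problem; no other devices or users see anything similar), and things improved after I switched servers. So, after swapping through countless ss libev versions, opening issues and then having all of them deleted by the author (the issues really were wiped), I decided to use obfs4 for obfuscation.

obfs4 also comes from the Tor project and is said to hold up well against traffic analysis at the moment. Peter Cai also wrote up how to deploy obfs4 last year, so I went and tinkered with it (afterwards the Japan server seemed a bit better, and the US server has no problems at all).

I have not found many articles about deploying obfs4 (some just copy Peter's post without attribution), and the related tools have been updated since Peter wrote his post. So I am recording here the complete proxy setup I deployed on my router plus a banana pi, shadowsocks + obfs4 + dns2socks (if that means nothing to you, you need not read on), in the hope that it helps people who need it.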

Prerequisites

  • A remote Linux proxy server (tested here with Debian 9 and Ubuntu 16.04)
  • A local OpenWrt router (I used a HiWiFi 3 / 极路由3)
  • A local device that runs obfs4proxy as the client (it can be your computer; I used a banana pi that had been gathering dust)
  • You should know how to use Linux
  • A proxy already up and running fine (Shadowsocks deployed on both the server and the router)

How to make it work? (Using obfs4 with non-Tor proxies)

If you run obfs4proxy directly, you will find no option for setting up an obfs4 server/client: it just runs and provides no way to configure it, so on its own it cannot be used to obfuscate Shadowsocks. Here we will use a script, ptproxy, to drive it.

Guide

Using ptproxy

  • git clone https://github.com/gumblex/ptproxy.git and cd to that directory
  • If you don't have aiosocks installed (I guess not), install it first with pip3 install aiosocks. If you don't have pip3 or run into any problem with pip, make sure python3-setuptools and python3-pip are installed

Server side setup

  • Modify the config file example.json for your own server (you can find instructions in its author's repo), then run ./ptproxy.py -s example.json. You will see something like

"ptargs": "cert=9/+NhGX22kfVjJe91vxU5bVsr1eWJXrxtGbl5NTv3ua9bWSauJEhEx67Mb+MXJNpbsm5BA;

    You will need it for your client side later (think of it as a token, the password of your obfs4 server)
  • Make sure your client side is able to run ptproxy.py and obfs4proxy
  • My server side example.json:

{
    "role": "server",
    "state": ".",
    "local": "127.0.0.1:8080", # forward to this address (your destination proxy server, i.e. the Shadowsocks server)
    "server": "0.0.0.0:23456", # listen on this address (for the client to connect to)
    "ptexec": "obfs4proxy -logLevel=ERROR -enableLogging=true",
    "ptname": "obfs4",
    "ptargs": "cert=AAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;iat-mode=0",
    "ptserveropt": "",
    "ptproxy": ""
}
  • DO NOT include any comments (anything starting with #) in your actual file; JSON has no comment syntax

Client side

  • Modify your example.json and replace the cert in ptargs with the one you got from the server (it is permanent until your server changes), then run ./ptproxy.py -c example.json
  • Configure your Shadowsocks to use the obfs4 tunnel: just change the server address:port in its settings to your obfs4 client's address:port
  • My client side example.json:
{
    "role": "client",
    "state": ".",
    "local": "0.0.0.0:1090", # Listen on this address
    "server": "1.2.3.4:23456", # Remote obfs4 server to connect to
    "ptexec": "obfs4proxy -logLevel=ERROR -enableLogging=true",
    "ptname": "obfs4",
    "ptargs": "cert=thisIsYourCert;iat-mode=0", # fill in the cert
    "ptserveropt": "",
    "ptproxy": ""
}
  • DO NOT include any comments (anything starting with #) in your actual file; JSON has no comment syntax
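
The annotated configs above have to be cleaned before use, and the cert= placeholder is easy to leave unfilled or paste truncated. As an added example (not part of ptproxy or of the original post), this Python helper strips the # annotations, parses the result, and checks that the cert decodes to the 52 bytes an obfs4 cert carries (20-byte node ID plus 32-byte public key). The function names are hypothetical and the sample is the client config from this page.

```python
import base64
import json

def strip_hash_comments(text):
    """Drop '#' comments that sit outside JSON strings, line by line."""
    cleaned = []
    for line in text.splitlines():
        in_str = esc = False
        for i, ch in enumerate(line):
            if esc or (in_str and ch == "\\"):
                esc = not esc          # skip the character after a backslash
            elif ch == '"':
                in_str = not in_str
            elif ch == "#" and not in_str:
                line = line[:i]
                break
        cleaned.append(line.rstrip())
    return "\n".join(cleaned)

def check_config(cfg):
    """Return a list of problems in a parsed config that uses the page's keys."""
    problems = []
    pairs = (kv.split("=", 1) for kv in cfg.get("ptargs", "").split(";") if "=" in kv)
    cert = dict(pairs).get("cert", "")
    try:  # obfs4 cert: unpadded base64 of node ID (20 bytes) + public key (32 bytes)
        raw = base64.b64decode(cert + "=" * (-len(cert) % 4), validate=True)
    except ValueError:
        raw = b""
    if len(raw) != 52:
        problems.append("cert is not a complete obfs4 cert (placeholder or truncated paste?)")
    if cfg.get("role") == "client" and cfg.get("local", "").startswith("0.0.0.0:"):
        problems.append("client listener is reachable on every interface; firewall it")
    return problems

# Constructed sample: the client config from this page, annotations included.
ANNOTATED = '''{
    "role": "client",
    "state": ".",
    "local": "0.0.0.0:1090", # Listen on this address
    "server": "1.2.3.4:23456", # Remote obfs4 server to connect to
    "ptexec": "obfs4proxy -logLevel=ERROR -enableLogging=true",
    "ptname": "obfs4",
    "ptargs": "cert=thisIsYourCert;iat-mode=0", # fill in the cert
    "ptserveropt": "",
    "ptproxy": ""
}'''

if __name__ == "__main__":
    print(check_config(json.loads(strip_hash_comments(ANNOTATED))))
```

Run on the sample it reports both the unfilled cert and the wildcard listener; the latter is expected when the router has to reach the obfs4 client over the LAN, in which case restrict the port to the router's address with a firewall rule.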

    to be continued...

