Shadowsocks 服务端

使用 shadowsocks-libev 软件包来部署 Shadowsocks 服务端

https://github.com/shadowsocks/shadowsocks-libev

github 的 README.md 里面详细介绍了不同发行版的安装方法,其他发行版可以参考 README.md 方法安装

install

介绍 Redhat 系 系统 ( CentOS 7 / Fedora 27 x86_64 ) 下安装 shadowsocks-libev 安装方法

CentOS7

在 Fedora Project 的 copr 自动打包平台 上创建了 RedHat 系发行版 ( Fedora / CentOS ) yum 仓库:

https://copr.fedorainfracloud.org/coprs/outman/shadowsocks-libev/

编译好的 rpm 包位于:https://copr-be.cloud.fedoraproject.org/results/outman/shadowsocks-libev/epel-7-x86_64/

CentOS7 系统:

repo_url='https://copr.fedorainfracloud.org/coprs/outman/shadowsocks-libev/repo/epel-7/outman-shadowsocks-libev-epel-7.repo'
wget -c -nv -t5 -T5 "$repo_url" -O /etc/yum.repos.d/outman-shadowsocks-libev.repo
yum install -y epel-release
yum install -y libsodium shadowsocks-libev simple-obfs

Fedora 27 系统:

dnf copr enable -y outman/shadowsocks-libev
dnf install -y shadowsocks-libev simple-obfs

config

查看 shadowsocks-libev 包含的 配置文件相关命令

# rpm -ql shadowsocks-libev |egrep 'etc|bin|service'
/etc/shadowsocks-libev/config.json
/etc/sysconfig/shadowsocks-libev
/usr/bin/ss-local
/usr/bin/ss-manager
/usr/bin/ss-redir
/usr/bin/ss-server
/usr/bin/ss-tunnel
/usr/lib/systemd/system/shadowsocks-libev-local.service
/usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/shadowsocks-libev.service

修改默认配置文件:/etc/shadowsocks-libev/config.json

{
    "server":"45.67.89.10",
    "server_port": 12345,
    "local_port": 9090,
    "password": "V_V1_fuck.GFW",
    "method": "chacha20-ietf-poly1305",
    "timeout": 60,
    "fast_open": true,
    "reuse_port": false
}

设置 shadowsocks-libev 服务 开机自启动

# systemctl enable shadowsocks-libev
Created symlink from /etc/systemd/system/multi-user.target.wants/shadowsocks-libev.service
to /usr/lib/systemd/system/shadowsocks-libev.service.

启动 shadowsocks-libev 服务:

# systemctl start shadowsocks-libev

# systemctl status shadowsocks-libev
● shadowsocks-libev.service - Shadowsocks-libev Default Server Service
   Loaded: loaded (/usr/lib/systemd/system/shadowsocks-libev.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2017-11-28 23:33:38 CST; 1s ago
     Docs: man:shadowsocks-libev(8)
 Main PID: 12566 (ss-server)
   CGroup: /system.slice/shadowsocks-libev.service
           └─12566 /usr/bin/ss-server -c /etc/shadowsocks-libev/config.json -u

Nov 28 23:33:38 minion systemd[1]: Started Shadowsocks-libev Default Server Service.
Nov 28 23:33:38 minion systemd[1]: Starting Shadowsocks-libev Default Server Service...

确认服务 进程端口 :

# pgrep -af ss-server
2260 /usr/bin/ss-server -c /etc/shadowsocks-libev/config.json -u

# netstat -lntup|grep ss-server
tcp    0    0    45.67.89.10:12345     0.0.0.0:*     LISTEN     2260/ss-server
udp    0    0    45.67.89.10:12345     0.0.0.0:*                2260/ss-server

security

AHEAD

https://shadowsocks.org/en/spec/AEAD-Ciphers.html

Alias Key Size Salt Size Nonce Size Tag Size
chacha20-ietf-poly1305 32 32 12 16
aes-256-gcm 32 32 12 16
aes-192-gcm 24 24 12 16
aes-128-gcm 16 16 12 16

为何 shadowsocks 要弃用一次性验证 (OTA) 2017-02-09

使用了 AEAD 算法的新协议能够解决上面描述的 Original/OTA 协议的所有问题, 可以有效防范 CCA 和中间人攻击,减少被主动探测的风险。 我能想到的唯一的缺点大概就是 性能 了,但是它又能影响多少呢?

shadowsocks-libev 加密方式评测 2017-02-10

https://gist.github.com/madeye/c046fc35e10a82154f4697fb316a7ac6

#!/bin/bash

method=$1

ss-tunnel -k test -m $method -l 8387 -L 127.0.0.1:8388 -s 127.0.0.1 -p 8389 &
ss_tunnel_pid=$!
ss-server -k test -m $method -s 127.0.0.1 -p 8389 &
ss_server_pid=$!

iperf -s -p 8388 &
iperf_pid=$!

sleep 3

iperf -c 127.0.0.1 -p 8387

kill $ss_tunnel_pid
kill $ss_server_pid
kill $iperf_pid

echo "Test Finished"

libev 版新加的加密算法会添加到 Python 版吗 #751 2017-02-15

gcm 应该比 cfb 快不少吧 cfb 的 encryption 是不能 并行处理 的 gcm 的可以

添加 sodium:aes-256-gcm 模式和 ocb 模式 #783 2017-03-06

sodium 的 aes-256-gcm 实现比 openssl 的快 ocb 的加密效率比 gcm 高

gcm 需要硬件支持吧?而且需要双端的硬件都支持

ARM 的 64 位的 CPU 都支持 gcm 了,除此以外就是 ocb 和 chach20-ietf-poly1305 速度快

sodium:aes-256-gcm 有检测的,sodium 的 gcm 只支持 硬解,所以速度是最快的

各个库的对应加密算法是可以混用的,也就是说服务器端可以配置成 sodium:aes-256-gcm,客户端用 aes-256-gcm 或者 mbedtls:aes-256-gcm。因为不同加密库在不同 cpu 下性能不一样,在支持 sodium:aes-256-gcm 的 CPU 下 sodium:aes-256-gcm 是最快的 openssl 的慢 30% 左右,mbedtls 的 gcm 最慢,可能只有 sodium 的一半速度。

在 ARM 设备下可能 mbedtls 快点,服务器端 intel cpu 不建议用 mbedtls

在 HTTPS 加密连接中使用 CHACHA20-POLY1305 加密方法

因为 ARM 的 CPU 是精简指令集,没有 AES 硬件加速

Add a benchmark utility? #1173 2017-02-02

img_AHEAD_speed_compare

chacha20 is actually using SSSE3 instructions on supported devices under the hood.

EDIT: And SSSE3 is ~2 years older than AES-NI, even my old computer supports this technology.

https://github.com/jedisct1/libsodium/tree/master/src/libsodium/crypto_stream/chacha20/dolbeau

Linux kernel uses AVX2 for implementing Chacha20

了解 ChaCha20 2016-10-02

ChaCha20-Poly1305 针对移动端设备大量使用的 ARM 芯片做了优化,能够充分利用 ARM 向量指令,在移动设备上加解密速度更快、更省电; 更加节省带宽 Poly1305 的输出是 16 字节,而 HMAC-SHA1 是 20 字节,可以节省 16% 的 overhead 消耗。

chacha20 和 chacha20-ietf 这两种加密方式有什么区别? #507 2016-01-05

好像是非 ietf 版本的加密方法 IV 长度不够 12

Deprecate stream ciphers with insufficient IV length #36 2017-02-04

Summary

For Shadowsocks deployment using stream ciphers, long-term key and randomly generated IV of insufficient length causes (key, IV) pair reuse with high probability, which allows Reused Key Attack. Adversaries can recover plaintext within reasonable budget constraint.

Proposal

  • Stream ciphers with IV length less than 12 bytes MUST be deprecated. Namely, bf-cfb, chacha20, and salsa20.
  • Users SHOULD choose stream ciphers with IV length of 16 or more bytes.
  • Users are RECOMMENDED to use the new AEAD ciphers.

https://shadowsocks.org/en/spec/Stream-Ciphers.html

Name Key Size IV Length
aes-128-ctr 16 16
aes-192-ctr 24 16
aes-256-ctr 32 16
aes-128-cfb 16 16
aes-192-cfb 24 16
aes-256-cfb 32 16
camellia-128-cfb 16 16
camellia-192-cfb 24 16
camellia-256-cfb 32 16
chacha20-ietf 32 12
bf-cfb 16 8
chacha20 32 8
salsa20 32 8
chacha20-ietf-poly1305 16 16

OTA

OTA 已经不安全,请使用 AHEAD 加密方式

为何 shadowsocks 要弃用一次性验证 (OTA) 2017-02-09

OTA 当初是为了给原版协议的 流加密 加上一个 认证 以增强安全性,殊不知这带来了更大的隐患,

这也是为什么 shadowsocks.org 要急急忙忙 弃用 OTA 的原因。

OTA 一次认证 特性:https://shadowsocks.org/en/spec/one-time-auth.html

One-time authentication (shortened as OTA) is a new experimental feature designed to improve the security against CCA. You should understand the protocol before reading this document.

By default, the server that supports OTA should run in the compatible mode. OTA is only applied if the client's request header has a flag set. However, if the server switch on OTA explicitly, all clients must switch on OTA, otherwise connections will be denied.

The authentication method is HMAC-SHA1 which has wide supports among all major platforms and fairly good speed.

Shadowsocks 各分支的安全性 2016-09-21

关于 ShadowsocksR 和 Shadowsocks 的安全性

Shadowsocks 通过加入 一次验证 提高了对抗 CCA 的安全性,各大 ports 已经陆续完成了支持。这里需要重申的是 Shadowsocks 的目标不是 100% bug-free 或 100% bullet-proof,而是保证连接轻量快速的同时让主流攻击手段的成本高到一般无法实施。

random port

shadowsocks 多端口随机

https://gist.github.com/suikatomoki/89b1221dab19f64ba2b3

远程 ss 服务端:

#ss-server 服务端(假设你的目前的服务端 ss 端口已经监听在 23 端口):
#-----------开始--------------
iptables -t nat -A PREROUTING -p tcp -m multiport --dport 81:1023 -j REDIRECT --to-ports 23
iptables -t nat -A PREROUTING -p udp -m multiport --dport 81:1023 -j REDIRECT --to-ports 23

#以下两条命令可选
service iptables save
service iptables restart
#-----------结束--------------

本地 openwrt 路由器:

#ss-redir 本地端(104.224.156.199 自行修改成自己服务器 ip):
#-----------开始--------------
iptables -t nat -I OUTPUT 1 -d 104.224.156.199 -p tcp --dport 23 -j DNAT --to-destination 104.224.156.199:81-1023 --random
iptables -t nat -I OUTPUT 1 -d 104.224.156.199 -p udp --dport 23 -j DNAT --to-destination 104.224.156.199:81-1023 --random

#以下两条命令可选
service iptables save
service iptables restart

#openwrt
#/etc/init.d/firewall restart
#-----------结束--------------

可使用 iptables -t nat -L -n --line-numbers 命令查看 nat 规则是否已经生效

network optimize

BBR

http://elrepo.org/tiki/tiki-index.php

rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh https://www.elrepo.org/elrepo-release-7.0-4.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml

echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p
lsmod | grep bbr

How to Deploy Google BBR on CentOS 7

开启 TCP BBR 拥塞控制算法

Google BBR拥塞控制算法模型初探 2017-09-03

最后需要提示一点 TCP 拥塞控制算法是 数据的发送端决定发送窗口,因此在哪边部署,就对哪边发出的数据有效。如果是 下载,就应在 server 部署;如果是 上传,就应在 client 部署。

TCP Fast Open

https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks

查看系统支持的内核网络模

$ sysctl net.ipv4.tcp_available_congestion_control
net.ipv4.tcp_available_congestion_control = hybla cubic reno

net-speeder

对于海外高延时的 VPS 可以安装 net-speeder 来提速

https://github.com/snooda/net-speeder

net-speeder 作者写的原理介绍:

net-speeder 网速优化/加速器(适用于高延迟不稳定链路加速)

由于光速的局限性,延迟会比较高(即使光沿直线传播,太平洋一个往返也要一百多毫秒)。并且由于距离较远,途径路由跳数较多,并且网络拥堵的原因。经常会发生丢包的情况。

对于平时使用最广泛的 TCP 协议来讲,发送端发出包后,接收端会回复 ACK 表示自己收到了。用这种机制来保证可靠性。但对于高延迟链路来讲,如果每发送一个包都等待应答,那么大部分时间都在等待数据包到达,而链路则空置了。为此一般会采用滑动窗口技术。即在窗口满之前,发送端一直发送包,然后收到应答后将确认收到的包从窗口中移除。这样可以提高链路利用率。

TCP 还有一个特性则是拥塞控制。当发送端检测到链路发生丢包时,则会主动缩小窗口大小以减慢发送速度,避免拥塞。不过对于跳数较多的链路来讲,只要有一个路由不够稳定丢包,就会被发送端判断为拥塞,从而影响网络速度。

为了解决丢包问题,最简单粗暴的方法就是双倍发送,即同一份数据包发送两份。这样的话在服务器带宽充足情况下,丢包率会平方级降低。

这种方式下,直接优点是降低丢包率,直接缺点是耗费双倍流量。一些延伸影响是更容易触发快速恢复逻辑,避免了丢包时窗口缩减过快。一定程度也能提高网络速度。

最近比较忙,空闲时间做了一个最简单的程序,试用效果很好,在一台 VPS 上测试后发现,未开启时单线程下载、ssh 管道速度在十几 K 级别。开启后可以达到平均 300KB+ 的速度。效果非常明显。但对于 不加速就可以跑满带宽的类型 来讲(多线程下载),开启后反而由于多出来的无效流量,导致速度减半。所以对于多线程/高速链路,这个方案是不适合的。

目前版本是最简单的逻辑,未来会进行细化(主动触发快速恢复、快速重传等),降低流量浪费,提升加速效果。

目前程序起名 net-speeder 相对于修改协议栈来讲,由于后者需要重新升级编译内核,使用用户态程序部署更方便,稳定性更高,兼容性更好。缺点则是性能开销稍大和自由度有损失。总体比较起来,个人使用还是使用用户态程序更合适一些,特别是在虚拟机中使用(OpenVZ,LXC等虚拟机无法自己定制内核)。

install

安装方法参考 github 的 README.md 即可,编译完成后,放在 后台运行 即可:

# /root/net-speeder-master/net_speeder venet0 "ip" 2>&1 > /dev/null &

# pgrep -af 'net_speeder venet0'
31263 /root/net-speeder-master/net_speeder venet0 ip

crontab

net_speeder 程序运行一段时间会崩溃,所以写了个 crontab 自动检查启动:

$ cat /root/net-speeder-master/net_speeder.cron.sh

#!/bin/bash
/bin/pgrep -af 'net_speeder venet0' || /root/net-speeder-master/net_speeder venet0 "ip" 2>&1 > /dev/null &

crontab 任务每隔 15 分钟运行一次:

# crontab -l
MAILTO=''
*/15 * * * * bash /root/net-speeder-master/net_speeder.cron.sh

troubleshooting

ERROR: Failed to open DNS resolver socket

如果系统禁用 ipv6 但是 /etc/resolv.conf 还有 ipv6 的 DNS 地址会导致服务无法启动:

# cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 2001:4860:4860::8844
nameserver 2001:4860:4860::8888

# ss-server -c config.json
 2016-12-28 01:47:39 INFO: using tcp fast open
 2016-12-28 01:47:39 INFO: initializing ciphers... chacha20-ietf-poly1305
 2016-12-28 01:47:39 ERROR: Failed to open DNS resolver socket

系统已经禁用 IPV6 :

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether x4:x1:x4:xa:6a:x0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.100/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever

修改 /etc/resolv.conf 配置文件,重启服务,测试恢复正常:

# cat /etc/resolv.conf
nameserver 8.8.8.8

# chattr +i /etc/resolv.conf

# ss-server -c config.json
 2016-12-28 01:51:28 INFO: using tcp fast open
 2016-12-28 01:51:28 INFO: initializing ciphers... chacha20-ietf-poly1305
 2016-12-28 01:51:28 INFO: tcp port reuse enabled
 2016-12-28 01:51:28 INFO: listening at 192.168.1.100:10000

libsodium

https://download.libsodium.org/doc/installation/

http://pkgs.fedoraproject.org/cgit/rpms/libsodium.git/tree/libsodium.spec

创建打包目录:

mkdir -pv ~/rpmbuild/{SPECS,SOURCES}

安装编译打包相关依赖包:https://github.com/shadowsocks/shadowsocks-libev

yum install -y epel-release
yum install -y rpm-build rpmdevtools gcc autoconf libtool automake make

spec_url=http://pkgs.fedoraproject.org/cgit/rpms/libsodium.git/plain/libsodium.spec
curl -sS $spec_url -o ~/rpmbuild/SPECS/libsodium.spec

# spectool -l -A -R ~/rpmbuild/SPECS/libsodium.spec
Source0: http://download.libsodium.org/libsodium/releases/libsodium-1.0.15.tar.gz

# spectool -g -A -R ~/rpmbuild/SPECS/libsodium.spec
Getting http://download.libsodium.org/libsodium/releases/libsodium-1.0.15.tar.gz
                               to /root/rpmbuild/SOURCES/libsodium-1.0.15.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   185  100   185    0     0    669      0 --:--:-- --:--:-- --:--:--   672
100 1822k  100 1822k    0     0   323k      0  0:00:05  0:00:05 --:--:--  366k


# time rpmbuild -bb --clean ~/rpmbuild/SPECS/libsodium.spec

## DO
real    2m11.577s
user    1m32.915s
sys     0m36.105s

shadowsocks-libev

https://copr-be.cloud.fedoraproject.org/results/outman/shadowsocks-libev/epel-7-$basearch/

https://copr-be.cloud.fedoraproject.org/results/outman/shadowsocks-libev/fedora-$releasever-$basearch/

https://github.com/shadowsocks/openwrt-shadowsocks/blob/master/Makefile

define Package/shadowsocks-libev/Default
    SECTION:=net
    CATEGORY:=Network
    TITLE:=Lightweight Secured Socks5 Proxy
    URL:=https://github.com/shadowsocks/shadowsocks-libev
    DEPENDS:=+zlib +libev +libcares +libpcre +libpthread +libsodium +libmbedtls
endef

CONFIGURE_ARGS += --disable-ssp --disable-documentation --disable-assert


# ./configure --help
`configure' configures shadowsocks-libev 3.1.0 to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking ...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
  --infodir=DIR           info documentation [DATAROOTDIR/info]
  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
  --mandir=DIR            man documentation [DATAROOTDIR/man]
  --docdir=DIR            documentation root
                          [DATAROOTDIR/doc/shadowsocks-libev]
  --htmldir=DIR           html documentation [DOCDIR]
  --dvidir=DIR            dvi documentation [DOCDIR]
  --pdfdir=DIR            pdf documentation [DOCDIR]
  --psdir=DIR             ps documentation [DOCDIR]

Program names:
  --program-prefix=PREFIX            prepend PREFIX to installed program names
  --program-suffix=SUFFIX            append SUFFIX to installed program names
  --program-transform-name=PROGRAM   run sed PROGRAM on installed program names

System types:
  --build=BUILD     configure for building on BUILD [guessed]
  --host=HOST       cross-compile to build programs to run on HOST [BUILD]

Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --enable-dependency-tracking
                          do not reject slow dependency extractors
  --disable-dependency-tracking
                          speeds up one-time build
  --enable-silent-rules   less verbose build output (undo: "make V=1")
  --disable-silent-rules  verbose build output (undo: "make V=0")
  --enable-maintainer-mode
                          enable make rules and dependencies not useful (and
                          sometimes confusing) to the casual installer
  --enable-static[=PKGS]  build static libraries [default=no]
  --enable-shared[=PKGS]  build shared libraries [default=no]
  --enable-fast-install[=PKGS]
                          optimize for fast installation [default=yes]
  --disable-libtool-lock  avoid locking (might break parallel builds)
  --enable-system-shared-lib
                          build against shared libraries when possible
  --disable-documentation do not build documentation
  --disable-ssp           Do not compile with -fstack-protector
  --disable-assert        turn off assertions
  --enable-connmarktos    Enable saved connmark to IP TOS QoS feature

Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --with-pic[=PKGS]       try to use only PIC/non-PIC objects [default=use
                          both]
  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
  --with-sysroot=DIR Search for dependent libraries within DIR
                        (or the compiler's sysroot if not specified).
  --with-pcre=DIR         use a specific pcre library
  --with-mbedtls=DIR      mbed TLS base directory, or:
  --with-mbedtls-include=DIR
                          mbed TLS headers directory (without trailing
                          /mbedtls)
  --with-mbedtls-lib=DIR  mbed TLS library directory
  --with-sodium=DIR       The Sodium crypto library base directory, or:
  --with-sodium-include=DIR
                          The Sodium crypto library headers directory (without
                          trailing /sodium)
  --with-sodium-lib=DIR   The Sodium crypto library library directory
  --with-cares=DIR        The c-ares library base directory, or:
  --with-cares-include=DIR
                          The c-ares library headers directory (without
                          trailing /cares)
  --with-cares-lib=DIR    The c-ares library library directory

# ./configure --help|grep disable
      --cache-file=FILE   cache test results in FILE [disabled]
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --disable-dependency-tracking
  --disable-silent-rules  verbose build output (undo: "make V=0")
  --disable-libtool-lock  avoid locking (might break parallel builds)
  --disable-documentation do not build documentation
  --disable-ssp           Do not compile with -fstack-protector
  --disable-assert        turn off assertions

https://github.com/shadowsocks/shadowsocks-libev/blob/master/rpm/SPECS/shadowsocks-libev.spec.in

# egrep -i 'doc|man' rpm/SPECS/shadowsocks-libev.spec.in
BuildRequires:  make gcc pcre-devel asciidoc xmlto automake libtool mbedtls-devel libsodium-devel >= 1.0.4 libev-devel c-ares-devel
%doc %{_docdir}/shadowsocks-libev/*.html
%exclude %{_docdir}/shadowsocks-libev/ss-nat.html
%doc %{_mandir}/man*/*
%exclude %{_mandir}/man1/ss-nat.1.*

# egrep -i 'doc|man' rpm/SPECS/shadowsocks-libev.spec.in | sed -r -e '/_(doc|man)dir/d' -e 's/asciidoc xmlto //g'
BuildRequires:  make gcc pcre-devel automake libtool mbedtls-devel libsodium-devel >= 1.0.4 libev-devel c-ares-devel

# grep configure rpm/SPECS/shadowsocks-libev.spec.in|sed -e 's/$/ --disable-documentation/g'
%configure --enable-shared --enable-system-shared-lib --disable-documentation
%configure --enable-shared --disable-documentation

ss

real    0m50.383s
user    0m39.101s
sys     0m9.543s

sed -i -e '1 s/^/%global _enable_debug_package 0\n%global debug_package %{nil}\n/'

yum install gcc autoconf libtool automake make zlib-devel openssl-devel c-ares-devel

https://github.com/aa65535/openwrt-simple-obfs/blob/master/Makefile

define Package/simple-obfs/Default
    SECTION:=net
    CATEGORY:=Network
    TITLE:=Simple-obfs
    URL:=https://github.com/shadowsocks/simple-obfs
    DEPENDS:=+libev +libcares +libpthread +libsodium
endef

CONFIGURE_ARGS += --disable-ssp --disable-documentation --disable-assert

update

更新源码:

# git pull origin master
remote: Counting objects: 112, done.
remote: Compressing objects: 100% (38/38), done.
remote: Total 112 (delta 61), reused 99 (delta 61), pack-reused 13
Receiving objects: 100% (112/112), 118.16 KiB | 0 bytes/s, done.
Resolving deltas: 100% (61/61), completed with 15 local objects.
From https://github.com/shadowsocks/shadowsocks-libev
 * branch            master     -> FETCH_HEAD
First, rewinding head to replay your work on top of it...
Fast-forwarded master to 85a64ae8360759aa59ebe3061c092c9a2054d078.

# git log -3
commit 85a64ae8360759aa59ebe3061c092c9a2054d078
Author: Max Lv <[email protected]>
Date:   Mon Jan 15 17:25:03 2018 -0800

    Bump version

# git tag | tail -n 2
v3.1.1
v3.1.2

更新 tag :

# git pull --tags
From https://github.com/shadowsocks/shadowsocks-libev
 * [new tag]         v3.1.3     -> v3.1.3
Fetching tags only, you probably meant:
  git fetch --tags

# git tag | tail -n 2
v3.1.2
v3.1.3                  ## <-- 新 tag

打包:

# bash rpm/srcrpm.sh
INFO - GIT tag-commit: v3.1.3-0-g85a64ae ; RPM version-release: 3.1.3-1
removed ‘/root/ss/shadowsocks-libev/rpm/SRPMS/shadowsocks-libev-3.1.3-1.el7.centos.src.rpm’
removed ‘/root/ss/shadowsocks-libev/rpm/SOURCES/shadowsocks-libev-3.1.3-submodule-libbloom-7a9deb893fc1646c0b9186b50d46358379953d4b.tar’
removed ‘/root/ss/shadowsocks-libev/rpm/SOURCES/shadowsocks-libev-3.1.3-submodule-libcork-0220aa5a2d11b7484b4aa464024ba8b6942d646f.tar’
removed ‘/root/ss/shadowsocks-libev/rpm/SOURCES/shadowsocks-libev-3.1.3-submodule-libipset-3ea7fe30adf4b39b27d932e5a70a2ddce4adb508.tar’
removed ‘/root/ss/shadowsocks-libev/rpm/SOURCES/shadowsocks-libev-3.1.3.tar’
removed ‘/root/ss/shadowsocks-libev/rpm/SOURCES/shadowsocks-libev-3.1.3.tar.gz’
~/ss/shadowsocks-libev ~/ss/shadowsocks-libev
Entering 'libbloom'
Entering 'libcork'
Entering 'libipset'
~/ss/shadowsocks-libev
Wrote: /root/ss/shadowsocks-libev/rpm/SRPMS/shadowsocks-libev-3.1.3-1.el7.centos.src.rpm
Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.y3vrlo
+ umask 022
+ cd /root/ss/shadowsocks-libev/rpm/BUILD
+ rm -rf shadowsocks-libev-3.1.3
+ exit 0

openwrt 更新:

#src/gz openwrt_dist http://example.com/packages/LEDE/base/mips_24kc
#src/gz openwrt_dist_luci http://example.com/packages/LEDE/luci
src/gz openwrt_dist http://openwrt-dist.sourceforge.net/packages/LEDE/base/mips_24kc
src/gz openwrt_dist_luci http://openwrt-dist.sourceforge.net/packages/LEDE/luci

root@LEDE:~# opkg update
Downloading http://openwrt-dist.sourceforge.net/packages/LEDE/base/mips_24kc/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_dist
Downloading http://openwrt-dist.sourceforge.net/packages/LEDE/base/mips_24kc/Packages.sig
Signature check passed.
Downloading http://openwrt-dist.sourceforge.net/packages/LEDE/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_dist_luci
Downloading http://openwrt-dist.sourceforge.net/packages/LEDE/luci/Packages.sig
Signature check passed.
...

注意: 如果有依赖包更新 libsodium 需要手动指明 ( opkg 不会 自动更新依赖)

root@LEDE:~# opkg upgrade shadowsocks-libev
Upgrading shadowsocks-libev on root from 3.1.2-1 to 3.1.3-1...
Downloading http://openwrt-dist.sourceforge.net/packages/LEDE/base/mips_24kc/shadowsocks-libev_3.1.3-1_mips_24kc.ipk
Configuring shadowsocks-libev.

root@LEDE:~# /etc/init.d/shadowsocks restart
 2018-01-16 14:22:16 INFO: set MTU to 1492
 2018-01-16 14:22:16 INFO: using tcp fast open

root@LEDE:~# pgrep -lf ss
3152 ss-redir -c /var/etc/shadowsocks.cfg0a4a8f.json --fast-open -l 1234 --mtu 1492 -f /var/run/ss-redir-cfg0a4a8f.pid

shadowsocks-libev-server

# cat /etc/shadowsocks-libev/config.json
{
    "server":"45.67.89.10",
    "server_port":62123,
    "local_port":9090,
    "password":"fdafdafdafda",
    "timeout":600,
    "fast_open": true,
    "method":"chacha20-ietf-poly1305",
    "plugin":"obfs-server",
    "plugin_opts":"obfs=http;fast-open"
}

# systemctl start shadowsocks-libev

# systemctl status shadowsocks-libev
● shadowsocks-libev.service - Shadowsocks-libev Default Server Service
   Loaded: loaded (/usr/lib/systemd/system/shadowsocks-libev.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-10-18 15:59:53 CST; 6s ago
     Docs: man:shadowsocks-libev(8)
 Main PID: 13796 (ss-server)
   CGroup: /system.slice/shadowsocks-libev.service
           ├─13796 /usr/bin/ss-server -c /etc/shadowsocks-libev/config.json -u
           └─13800 obfs-server

systemd[1]: Started Shadowsocks-libev Default Server Service.
systemd[1]: Starting Shadowsocks-libev Default Server Service...
ss-server[13796]: 2017-10-18 15:59:53 [simple-obfs] INFO: using tcp fast open
ss-server[13796]: 2017-10-18 15:59:53 [simple-obfs] INFO: obfuscating enabled
ss-server[13796]: 2017-10-18 15:59:53 [simple-obfs] INFO: tcp port reuse enabled
ss-server[13796]: 2017-10-18 15:59:53 [simple-obfs] INFO: listening at 45.67.89.10:12345

# netstat -lntpu|egrep 'ss-|obfs'
tcp        0      0 45.67.89.10:12345    0.0.0.0:*        LISTEN      13800/obfs-server
tcp        0      0 127.0.0.1:58700      0.0.0.0:*        LISTEN      13796/ss-server
udp        0      0 45.67.89.10:12345    0.0.0.0:*                    13796/ss-server

root@LEDE:~# echo "net.ipv4.tcp_fastopen = 3" >> /etc/sysctl.conf

root@LEDE:~# sysctl -p

root@LEDE:~# uci changes
shadowsocks.cfg0a4a8f.plugin='obfs-local'
shadowsocks.cfg0a4a8f.plugin_opts='obfs=http;obfs-host=apple.com;fast-open'
shadowsocks.cfg0a4a8f.fast_open='1'
shadowsocks.cfg0a4a8f.server='45.67.89.10'
shadowsocks.cfg0a4a8f.encrypt_method='chacha20-ietf-poly1305'
shadowsocks.cfg0a4a8f.plugin_opts='obfs=http;obfs-host=itunes.apple.com;fast-open'

root@LEDE:~# uci show shadowsocks
shadowsocks.@general[0]=general
shadowsocks.@general[0].startup_delay='0'
shadowsocks.@transparent_proxy[0]=transparent_proxy
shadowsocks.@transparent_proxy[0].udp_relay_server='nil'
shadowsocks.@transparent_proxy[0].local_port='1234'
shadowsocks.@transparent_proxy[0].main_server='cfg0a4a8f'
shadowsocks.@transparent_proxy[0].mtu='1492'
shadowsocks.@socks5_proxy[0]=socks5_proxy
shadowsocks.@socks5_proxy[0].local_port='1080'
shadowsocks.@socks5_proxy[0].server='cfg0a4a8f'
shadowsocks.@socks5_proxy[0].mtu='1492'
shadowsocks.@port_forward[0]=port_forward
shadowsocks.@port_forward[0].server='nil'
shadowsocks.@port_forward[0].local_port='5300'
shadowsocks.@port_forward[0].destination='8.8.4.4:53'
shadowsocks.@port_forward[0].mtu='1492'
shadowsocks.@servers[0]=servers
shadowsocks.@servers[0].alias='sample'
shadowsocks.@servers[0].timeout='60'
shadowsocks.@servers[0].server_port='12345'
shadowsocks.@servers[0].password='YOUR_PASS'
shadowsocks.@servers[0].plugin='obfs-local'
shadowsocks.@servers[0].fast_open='1'
shadowsocks.@servers[0].server='45.67.89.10'
shadowsocks.@servers[0].encrypt_method='chacha20-ietf-poly1305'
shadowsocks.@servers[0].plugin_opts='obfs=http;obfs-host=itunes.apple.com;fast-open'
shadowsocks.@access_control[0]=access_control
shadowsocks.@access_control[0].self_proxy='1'
shadowsocks.@access_control[0].lan_target='SS_SPEC_WAN_AC'
shadowsocks.@access_control[0].wan_bp_list='/etc/chinadns_chnroute.txt'

root@LEDE:~# cat /etc/config/shadowsocks

config general
    option startup_delay '0'

config transparent_proxy
    option udp_relay_server 'nil'
    option local_port '1234'
    option main_server 'cfg0a4a8f'
    option mtu '1492'

config socks5_proxy
    option local_port '1080'
    list server 'cfg0a4a8f'
    option mtu '1492'

config port_forward
    list server 'nil'
    option local_port '5300'
    option destination '8.8.4.4:53'
    option mtu '1492'

config servers
    option alias 'sample'
    option timeout '60'
    option server_port '12345'
    option password 'YOUR_PASS'
    option plugin 'obfs-local'
    option fast_open '1'
    option server '45.67.89.10'
    option encrypt_method 'chacha20-ietf-poly1305'
    option plugin_opts 'obfs=http;obfs-host=itunes.apple.com;fast-open'

config access_control
    option self_proxy '1'
    option lan_target 'SS_SPEC_WAN_AC'
    option wan_bp_list '/etc/chinadns_chnroute.txt'

root@LEDE:~# uci commit
root@LEDE:~# /etc/init.d/shadowsocks restart
 2017-10-18 08:33:12 INFO: set MTU to 1492
 2017-10-18 08:33:12 INFO: plugin "obfs-local" enabled
 2017-10-18 08:33:12 INFO: using tcp fast open
 2017-10-18 08:33:13 INFO: set MTU to 1492
 2017-10-18 08:33:13 INFO: plugin "obfs-local" enabled

三种方法实现移动端 HTTPS 加速和省电 2015-12-18

去年 Google 就已经在移动端做了 HTTPS 的性能加速,为 Android 平台的 Chrome 浏览器增加了一个新的 TLS 加密套件:ChaCha20-Poly1305 这是专门为 移动设备 推出的加密套件

常见的流式加密算法有 RC4ChaCha20-Poly1305
常见的分组加密算法有 AES-CBCAES-GCM

RC4 由于存在严重安全漏洞,已经基本不再使用;AES-CBC 容易遭受 BEAST 和 LUCKY13 攻击,使用也逐渐减少;AES-GCM 是它们的安全替代,AES-GCM 也是目前最为流行的对称加密算法。

安全风险可参看 ssllabs 上的相关文章:https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what

更加节省带宽 Poly1305 的输出是 16 字节,而 HMAC-SHA1 是 20 字节,可以节省 16% 的 overhead 消耗

如今我这样科学上网 | 技能+1 2017-07-03

AEAD 加密方式

aes-128-gcm
aes-192-gcm
aes-256-gcm
chacha20-ietf-poly1305

混淆域名

cloudfront.com
itunes.apple.com
is1.mzstatic.com
i1.hdslb.com
ajax.microsoft.com
apps.bdimg.com
atanx.alicdn.com
api.weibo.com

https://github.com/shadowsocks/shadowsocks/issues/783

sodium 的 gcm 只支持硬解,所以速度是最快的

ARM 64 位的 CPU 都支持 gcm 了,除此以外就是 ocbchach20-ietf-poly1305 速度快了

https://en.wikipedia.org/wiki/OCB_mode#Attacks

CPU 支持不代表就用对应指令集写了对应的优化代码

sodium: aes-256-gcm 有检测的 sodium 的 gcm 只支持硬解,所以速度是最快的

ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)

https://www.ietf.org/proceedings/88/slides/slides-88-tls-1.pdf

增加 v 参数打印 simple-obfs 详细日志:

{
    "server":"45.67.89.10",
    "server_port":12345,
    "local_port":9090,
    "password":"fdafdafda",
    "timeout":600,
    "fast_open": true,
    "method":"chacha20-ietf-poly1305",
    "plugin":"obfs-server",
    "plugin_opts":"obfs=tls;fast-open;t=3600;v"
}

ss-server: 2017-10-19 15:38:02 [simple-obfs] INFO: remote connected
ss-server: 2017-10-19 15:38:20 [simple-obfs] INFO: remote_recv close the connection
ss-server: 2017-10-19 15:38:20 [simple-obfs] INFO: current remote connection: 16
ss-server: 2017-10-19 15:38:20 [simple-obfs] INFO: current server connection: 16
ss-server: 2017-10-19 15:38:24 [simple-obfs] INFO: accept a connection
ss-server: 2017-10-19 15:38:24 [simple-obfs] INFO: connect to 127.0.0.1:58591
ss-server: 2017-10-19 15:38:24 [simple-obfs] INFO: remote connected
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: accept a connection
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: connect to 127.0.0.1:58591
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: remote connected
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: server_recv close the connection
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: current remote connection: 17
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: current server connection: 17
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: accept a connection
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: connect to 127.0.0.1:58591
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: remote connected
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: accept a connection
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: connect to 127.0.0.1:58591
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: remote connected
ss-server: 2017-10-19 15:38:26 [simple-obfs] INFO: server_recv close the connection
ss-server: 2017-10-19 15:38:26 [simple-obfs] INFO: current remote connection: 18
ss-server: 2017-10-19 15:38:26 [simple-obfs] INFO: current server connection: 18
ss-server: 2017-10-19 15:38:31 [simple-obfs] INFO: accept a connection
ss-server: 2017-10-19 15:38:31 [simple-obfs] INFO: connect to 127.0.0.1:58591
ss-server: 2017-10-19 15:38:31 [simple-obfs] INFO: remote connected
ss-server: 2017-10-19 15:38:31 [simple-obfs] INFO: server_recv close the connection
ss-server: 2017-10-19 15:38:31 [simple-obfs] INFO: current remote connection: 18
ss-server: 2017-10-19 15:38:31 [simple-obfs] INFO: current server connection: 18
ss-server: 2017-10-19 15:38:32 [simple-obfs] INFO: remote_recv close the connection
ss-server: 2017-10-19 15:38:32 [simple-obfs] INFO: current remote connection: 17
ss-server: 2017-10-19 15:38:32 [simple-obfs] INFO: current server connection: 17

https://github.com/shadowsocks/shadowsocks-libev/issues/1575

Server:

{
    "server":"0.0.0.0",
    "server_port":8388,
    "local_port":1080,
    "password":"xxxxxxxx",
    "timeout":60,
    "method":"aes-128-gcm",
    "reuse_port": true,
    "fast_open": true,
    "nameserver": "8.8.8.8",
    "mode": "tcp_and_udp",
    "plugin":"obfs-server",
    "plugin_opt":"obfs=http"
}

Client:

{
    "server": "xx.xx.xx.xxx",
    "server_port": 8388,
    "password": "xxxxxxxx",
    "method": "aes-128-gcm",
    "local_address": "0.0.0.0",
    "plugin": "obfs-local",
    "plugin_opts": "obfs=http;obfs-host=www.bing.com",
    "timeout": 60,
    "reuse_port": true
}

https://anonscm.debian.org/cgit/collab-maint/simple-obfs.git/tree/debian/config.json

{
    "server":"127.0.0.1",
    "server_port":8388,
    "local_port":1080,
    "password":"barfoo!",
    "timeout":60,
    "method":"chacha20-ietf-poly1305",
    "mode":"tcp_and_udp",
    "fast_open":true,
    "plugin":"obfs-server",
    "plugin_opts":"obfs=tls;failover=127.0.0.1:8443;fast-open"
}

with web server add the options to your server's configuration file. Set shadowsocks server port to 443 ( tls mode) or 80 ( http mode).

"plugin_opts": "obfs=tls;failover=<your-domain-or-IP>:<port-that-web-server-listens-to>",

https://github.com/Old-Pussy/ss-obfs-ibm/blob/master/ss-obfs.sh

ss-server -p $1 -k $2 -m $3 --plugin obfs-server --plugin-opts "obfs=tls;failover=127.0.0.1:443"

http://blog.jejer.net/2013/01/openwrt-for-wr720n.html

USB Storage http://wiki.openwrt.org/doc/howto/usb.storage
extroot http://wiki.openwrt.org/doc/howto/extroot
3G http://wiki.openwrt.org/doc/recipes/3gdongle

https://forum.lede-project.org/t/simple-adblock-fast-lean-and-fully-uci-luci-configurable-adblocking/

https://github.com/stangri/openwrt-packages/blob/simple-adblock/net/simple-adblock/files/README.md

This service provides lightweight and very fast dnsmasq based ad blocking.

路由器实现自动翻墙 2017-05-14

https://leamtrop.com/2017/05/14/shadowsocks-proxy-on-lede/

https://simimg.com/page/news

为何需要 rng 和虚拟化 virtio-rng

随机数生成器 (Random Number Generator, RNG) 是生成伪随机数的机制。伪随机数字可以用于生成 SSH key,进程随机 PID,TCP 序列号 以及 UUID 等。使用加密(文件系统,邮件等等)需要大量的伪随机数。

要允许应用程序获得伪随机数,至少有 2 个内核块设备:

  • /dev/urandom 提供标准质量的随机数,不管是否有熵都可以工作:当需要大量的随机数的时候,随机性质量会下降(这是因为 /dev/urandom 设备是一个 不中断源,重用内核熵池,所以提供的是无限的 伪随机数)。

  • /dev/random 提供高质量随机数,但是缺乏熵的时候会停止工作:在 Linux 内核保留了一个 4KB 的熵池(entropy pool)(这个熵池的大小见 /proc/sys/kernel/random/poolsize );当这个 pool 空的时候,内核阻塞。

为了得到优质的伪随机数,需要一些熵 (entropy) 这个熵是由操作系统搜集的随机性因素:

  • 键盘实践,网络流量,鼠标移动,中断,ide 计时等内部源
  • 在 Intel IvyBridge 和 Haswell 处理器提供的 RDRAND 这种特定处理器指令
  • 通过 virtio-rng 半虚拟化设备实现虚拟机随机设备(参考 Red Hat 文档)
  • 独立的、外部、物理设备( 称为 TPM 即 Trusted Platform Module )

Red Hat Enterprise Linux Virtual Machines: Access to Random Numbers Made Easy 2015-03-09

https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks

网络防火墙及端口相关问题

img_battlenet_port