
Thursday 24 November 2011

Setting up dante-server on your own VPS to use with gpass (世界通) or Tor to get past the GFW (original article)

The "Tunnel" tab in gpass's settings has a "SOCKS5 encrypted tunnel" option. Free SOCKS5 servers are hard to find, though: they either stop working quickly or are soon blocked by the GFW. If you have your own VPS, you can run a SOCKS5 server on it.
dante-server is a fairly easy-to-use SOCKS5 server. Here is how to set it up.
If your VPS runs Debian/Ubuntu:

# apt-get install apt-spy -y

# apt-get update -y

# apt-get install dante-server -y

Then:
mv /etc/danted.conf /etc/danted.conf.bak
nano /etc/danted.conf


with the following contents:
logoutput: syslog

internal: eth0 port = 10812
internal: 127.0.0.1 port = 10812
external: eth0


method: username none


user.notprivileged: nobody
client pass {
        from: 192.168.0.0/0 port 1-65535 to: 0.0.0.0/0
}
client pass {
        from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}

client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

block {
  from: 0.0.0.0/0 to: 127.0.0.0/8
  log: connect error
}
pass {
  from: 192.168.0.0/0 to: 0.0.0.0/0
  protocol: tcp udp

}
pass {
  from: 127.0.0.0/8 to: 0.0.0.0/0
  protocol: tcp udp
}
block {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  log: connect error
}


user.libwrap: nobody


Then save the changes.

Then run /etc/init.d/danted start to start dante-server. You can add /etc/init.d/danted start to /etc/rc.local so that it starts at boot.

To verify that dante-server was installed successfully, set Firefox's SOCKS5 proxy to yourdomain.com:1080 or your-vps-ip:1080 (I suggest using a port other than 1080 so that port scanners do not find it), then visit ip138.com. If the page shows your VPS's IP, the installation succeeded.

dante-server does not release the resources it has taken on its own. Under heavy use it eventually exhausts the system's resources and the VPS is effectively hung; the only remedy is to reboot it. Until you do, websites hosted on that VPS are unreachable, you cannot log in with putty (after opening putty, the "login as" prompt never appears), and even if the VPS's SSH account can still log in through MyEntunnel, it cannot get you past the wall. To keep dante-server from using up system resources so quickly, it is worth restarting it automatically every hour, which is where crontab comes in. Create a file named danted in /etc/cron.hourly, put the line /etc/init.d/danted restart in it, save it, and set the file's mode to 755. dante-server will then restart once an hour and release the resources it was holding.


If your VPS runs 32-bit CentOS/Fedora:

# wget http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/miniupnpc-1.4-1.el5.rf.i386.rpm
# wget http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/dante-1.2.3-1.el5.rf.i386.rpm
# wget http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/dante-server-1.2.3-1.el5.rf.i386.rpm
# rpm -ivh miniupnpc-1.4-1.el5.rf.i386.rpm
# rpm -ivh dante-1.2.3-1.el5.rf.i386.rpm
# rpm -ivh dante-server-1.2.3-1.el5.rf.i386.rpm

(If your VPS runs 64-bit CentOS/Fedora, replace every i386 above with x86_64.)
Then edit dante-server's configuration file, /etc/sockd.conf. The changes are almost the same as those made to /etc/danted.conf on Debian/Ubuntu, except that user.notprivileged in /etc/danted.conf becomes user.unprivileged in /etc/sockd.conf; edit it side by side with the file above.
Then run /usr/sbin/sockd in putty.exe to start dante-server. At this point it prints sockdexit(): truncate(/var/run/sockd.pid): No such file or directory (errno = 2). This is because sockd needs to create the file sockd.pid in /var/run/, but the /var/run/ directory is not writable; change its mode to 777:
# chmod 777 /var/run/
After that, running /usr/sbin/sockd works normally.
You can add /usr/sbin/sockd to /etc/rc.local.
To verify that dante-server was installed successfully, set Firefox's SOCKS5 proxy to yourdomain.com:1080 or your-vps-ip:1080 (I suggest using a port other than 1080 so that port scanners do not find it), then visit ip138.com. If the page shows your VPS's IP, the installation succeeded.
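The verification step above (and the identical one in the Debian section) relies on a browser and ip138.com. The Python script below is an added example, not part of the original post, that performs the same check directly: it speaks the SOCKS5 handshake of RFC 1928 (method negotiation offering "no authentication", then a CONNECT request) and reports the server's reply code, so a rule block ("connection not allowed by ruleset") can be told apart from a dead proxy or one that insists on a username and password. The proxy port must match the internal: line of the configuration (10812 in the danted.conf above, 1080 in the text). The function names are my own, and start_mock_socks5 is a constructed stand-in for dante so that the script runs offline.

```python
import socket
import struct
import threading

SOCKS_VER, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def build_greeting(methods=(NO_AUTH,)):
    """Client greeting: VER NMETHODS METHODS (RFC 1928 section 3)."""
    return bytes([SOCKS_VER, len(methods), *methods])


def parse_method_select(data):
    """Server's method selection: VER METHOD."""
    ver, method = struct.unpack("!BB", data[:2])
    if ver != SOCKS_VER:
        raise ValueError(f"not a SOCKS5 server (version byte {ver})")
    return method


def build_connect(host, port):
    """CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)  # dotted quad
    except OSError:
        raw = host.encode("idna")  # anything else is sent as a domain name
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_addr_message(data):
    """The CONNECT request and the reply share the layout VER X RSV ATYP ADDR
    PORT; return (x, addr, port) where x is CMD (request) or REP (reply)."""
    ver, x, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VER:
        raise ValueError(f"bad version byte {ver}")
    if atyp == ATYP_IPV4:
        addr, off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, off = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError(f"unsupported address type {atyp}")
    (port,) = struct.unpack("!H", data[off:off + 2])
    return x, addr, port


def recv_exact(sock, n):
    """Read exactly n bytes or raise; TCP may deliver a message in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def recv_addr_message(sock):
    """Read one VER/X/RSV/ATYP/ADDR/PORT message; its length depends on ATYP."""
    head = recv_exact(sock, 4)
    if head[3] == ATYP_IPV4:
        return head + recv_exact(sock, 6)
    if head[3] == ATYP_DOMAIN:
        n = recv_exact(sock, 1)
        return head + n + recv_exact(sock, n[0] + 2)
    raise ValueError(f"unsupported address type {head[3]}")


def check_proxy(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Negotiate 'no authentication' and ask the proxy to CONNECT to the target.
    Returns (ok, detail) so a ruleset block is distinguishable from success."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_greeting())
        method = parse_method_select(recv_exact(s, 2))
        if method != NO_AUTH:
            return False, f"proxy selected auth method 0x{method:02x}, not 'none'"
        s.sendall(build_connect(target_host, target_port))
        rep, addr, port = parse_addr_message(recv_addr_message(s))
        return rep == 0, f"{REPLY_TEXT.get(rep, 'unknown reply')} (bound {addr}:{port})"


def start_mock_socks5(blocked_host="blocked.test"):
    """Constructed stand-in for dante so the check runs offline: accepts 'no auth'
    and answers CONNECT with reply 0, or reply 2 (ruleset) for blocked_host.
    Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                nmethods = recv_exact(conn, 2)[1]
                recv_exact(conn, nmethods)
                conn.sendall(bytes([SOCKS_VER, NO_AUTH]))
                _cmd, host, _port = parse_addr_message(recv_addr_message(conn))
                rep = 2 if host == blocked_host else 0
                conn.sendall(bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4])
                             + socket.inet_aton("127.0.0.1") + struct.pack("!H", 0))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_mock_socks5()
    print(check_proxy("127.0.0.1", port, "example.com", 80))
    print(check_proxy("127.0.0.1", port, "blocked.test", 80))
```

Against a real server, call check_proxy("your-vps-ip", 10812, "ip138.com", 80) from a machine that should be allowed by the client pass rules; "proxy selected auth method" in the detail means the server was configured for username authentication rather than none, and reply 2 means a block rule matched.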
As on Debian, on a CentOS VPS dante-server does not release the resources it has taken on its own; under heavy use it exhausts the system's resources, the VPS is effectively hung, and the only remedy is to reboot it. Again crontab comes to the rescue. Create a file named sockd in /etc/cron.hourly, put the line /etc/init.d/sockd restart in it, save it, and set the file's mode to 755. dante-server will then restart once an hour and release the resources it was holding.
Then start gpass.exe. Under the "Tunnel" tab of gpass's settings, select the SOCKS5 encrypted tunnel, enter your VPS's IP or hostname in the SOCKS5 server field below it, enter 1080 as the port (again, I suggest using a port other than 1080 so that port scanners do not find it), leave the username and password blank, and click the "Enable" button at the bottom. Then drag your browser's shortcut into gpass's application window. Double-clicking the browser icon in that window opens the browser, and you can browse past the wall in comfort.

Download 世界通 (gpass)
Even though a VPS lets you get past the wall directly with an SSH account, having SSH does not make setting up a VPN pointless; likewise, setting up a SOCKS5 proxy has its own uses and value.

Once the gpass icon in the lower-right corner of the screen turns green, the secure encrypted tunnel has been established. gpass now acts as a local proxy client: set your browser's HTTP proxy to 127.0.0.1, port 8000, and you can get past the wall.
(Setting the browser's SOCKS5 proxy to 127.0.0.1, port 8000, also works, which shows that gpass is both an HTTP proxy and a SOCKS5 proxy.)

Related post: http://briteming.blogspot.com/2011/11/dantesocks5.html
-----------------------------------------------------

Tor Browser (download: https://www.torproject.org/dist/torbrowser/tor-browser-2.2.37-1_en-US.exe). Run start tor browser.exe. In the Vidalia control panel that pops up, click "Set up relaying" - "Network" - tick "I use a proxy to access the Internet" - in the Address field enter your VPS's hostname or IP, in the port field your dante server's port,
choose SOCKS 5 as the type, then click "OK". Through the SOCKS5 proxy you set up, Tor connects to the Tor network smoothly; set the browser's SOCKS proxy to 127.0.0.1:9050 to get past the wall via Tor.
Author's email: luckypoem#gmail.com
-------------------------

When working on a private LAN with no direct internet access available, squid is normally used as a proxy server for internet and ftp traffic. SSH or scp (or other traffic), however, will require a SOCKS server in order to reach the internet.
The Dante socks server provides just that.


How to install dante socks server on debian (ubuntu is similar; I recommend installing on an ubuntu VPS, since an ubuntu VPS is far more capable than a debian one, and I recommend choosing a KVM-based VPS):

apt-get install dante-server (the resulting executable is danted).
This installs dante onto your debian server. By default it will not start (it will try to start, but will fail, saying "no internal interfaces are configured" etc.).

To configure Dante socks server:

vi /etc/danted.conf
By default - most required lines will be uncommented. The following lines need to be inserted/ uncommented in danted.conf

#logoutput: stderr
logoutput: syslog
#the above line will send any logs to /var/log/syslog instead of to a terminal

internal: 127.0.0.1 port = 10812
internal: eth0 port = 10812
external: eth0

method: username none
#the above puts no username or password. Access will instead be controlled via client ip address/range.
#if there is no username or password - then danted socks server needs to run as nobody, i.e.
#method: pam
#if you choose to use pam instead - a valid username&password as required for sshing to the socks server is required.
#Note: not sure if proxy login details are sent in clear text.

#user.privileged: proxy
user.notprivileged: nobody

client pass {
  from: 192.168.0.0/0 port 1-65535 to: 0.0.0.0/0   # (this line is my change)
}
client pass {
  from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}
client block {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  log: connect error
}

#Finally block other traffic
block {
  from: 0.0.0.0/0 to: 127.0.0.0/8
  log: connect error
}
pass {
  from: 192.168.0.0/0 to: 0.0.0.0/0   # (this line is my change)
  protocol: tcp udp
}
pass {
  from: 127.0.0.0/8 to: 0.0.0.0/0
  protocol: tcp udp
}
block {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  log: connect error
}
Once the config is complete, start/restart the dante socks server:
/etc/init.d/danted start (or run danted -f /etc/danted.conf -D)
If there is a problem with the config - it will tell you immediately on trying to start the danted daemon.

Test Dante Socks Server

netstat -n -a
#check to see if server is listening on 1080
Make sure the firewall is open. Add an appropriate rule as on Iptables_Firewall. Test also with winscp or putty.

Other SOCKS Servers

Note that putty itself can provide a SOCKS 5 server!! (But putty needs to be able to connect to an external server/computer first!)
To configure putty to act as a socks v5 server:
Open Putty, go to CONNECTION -> SSH -> TUNNELS
In the Source Port - put 1080
In the Destination Port - put 1080
Click on the Dynamic radio button for "Dynamic Port Forwarding"
Connect to a server with external access. Telnet localhost 1080 and it should connect.
Also note - SOCKS v5 can be setup using ssh on the command line.
ssh user@server.com -D 1080
# -D is for Dynamic Port Forwarding.

More info on Dante's Config at:
http://trekweb.com/~jasonb/articles/dante_tunnel.shtml
from http://wiki.kartbuilding.net/index.php/Dante_Socks_Server
-------------------------------------------------------------------

http://www.inet.no/dante

Download the source:
wget http://www.inet.no/dante/files/dante-1.4.2.tar.gz
tar zxvf dante-1.4.2.tar.gz
cd dante-1.4.2
./configure
make
make install

The executable is /usr/local/sbin/sockd
Add a new user, sockd. For safety, set its login shell to /bin/false.
A working configuration file is as follows:
sockd.conf:
## general configuration (taken from FAQ; <URL:http://www.inet.no/dante/FAQ>)
#interface and port on which the server accepts client connections
internal: eth0 port = 1080
#interface used for connections from the server to the outside
external: eth0
#authentication method; system accounts are used here
method: username
user.privileged: root
user.notprivileged: sockd
#where the log is written
logoutput: /var/log/sockd/sockd.log

## client access rules

client pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0 #internal network
        log: connect disconnect
}

## server operation access rules

#allow bind to ports greater than 1023
pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0 port gt 1023
        command: bind
        log: connect disconnect
}

#allow outgoing connections (tcp and udp)
pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: connect udpassociate
        log: connect disconnect
}

#allow replies to bind, and incoming udp packets
pass {
       from: 0.0.0.0/0 to: 0.0.0.0/0
       command: bindreply udpreply
       log: connect error
}

#log the rest
block {
       from: 0.0.0.0/0 to: 0.0.0.0/0
       log: connect error
}

dante does not release the resources it has taken on its own; under heavy use the system's resources run out and the only remedy is a restart. There is a crude (but effective) workaround for this.
Add a file to the cron directory /etc/cron.daily, with any name you like, for example sockdkill, with the following contents:
#!/bin/sh
#restart sockd everyday
sleep 60
DAY=`date +%Y%m%d`
cp /var/log/sockd/sockd.log /var/log/sockd/sockd.log.${DAY}
cd /var/log/sockd
gzip sockd.log.${DAY}
killall sockd 1>/dev/null 2>/dev/null
killall sockd 1>/dev/null 2>/dev/null
echo > /var/log/sockd/sockd.log
/etc/init.d/sockd start
dante is then restarted once a day and the log is rotated.
-------------------------------------------------------------------------------------------------------------------------------------------------
Configuring a DANTE SOCKS Proxy
I have been using the Dante SOCKS v4 and v5 compatible proxy server for quite a few months now. A SOCKS proxy is a general purpose proxying daemon. It works great for tunneling things like HTTP and AOL IM through a trusted relay over a secure connection. The untrusted medium could be a wireless link or a corporate network with a draconian Web access policy. The SOCKS proxy provides the connection proxying mechanism and the tunnel (via OpenSSH) provides the security.
It's possible you do not need to install and configure Dante. OpenSSH supports basic SOCKS emulation. For example, the following will set up a basic SOCKS proxy on localhost accessible via port 1080 and tunnel it securely to the target host, rebecca. From there, a connection is made in a fashion similar to what a real SOCKS proxy would do.

jasonb@faith:~$ ssh -D 1080 rebecca
If the above doesn't work for your application, you can read on for information on configuring and installing Dante, a complete SOCKS proxy solution.
Obtaining and Configuring Dante
Dante is a fully functional SOCKS proxy server and as such has many knobs. Fortunately, setting up a basic configuration that will allow tunneling of things like HTTP is relatively simple.
If you're running Debian GNU/Linux, simply run:
# apt-get update
# apt-get install dante-server
Thereafter, you can skip the source compilation step and move on to the configuration file. For non-Debian users, obtain a copy of Dante. The most recent version is 1.1.14 as of this writing. Unpack the sourceball, browse the various documentation files, then run a configure similar to the following.
jasonb@faith:~/src$ tar -zxvf dante-1.1.14.tar.gz
...
jasonb@faith:~/src$ cd dante-1.1.14
jasonb@faith:~/src/dante-1.1.14$
jasonb@faith:~/src/dante-1.1.14$ ./configure \
  --with-sockd-conf=/etc/danted.conf
Configuring Dante 1.1.14:
...
jasonb@faith:~/src/dante-1.1.14$ make -j2
...
jasonb@faith:~/src/dante-1.1.14$ su
jasonb@faith:~/src/dante-1.1.14# make install
^D
Once that's done, it's time to take a crack at the configuration file. It's expected to live in /etc/sockd.conf by default and /etc/danted.conf if you're using the Debian package or my configuration above.
faith:/# cat /etc/danted.conf

# See examples/sockd.conf for additional details
First, logging is enabled via the syslog mechanism and internal and external addresses are bound. The internal bindings include a port specification. The external one, of course, does not. The external binding cannot be an interface for versions prior to 1.1.7, but that shouldn't be a problem as of this writing. If you have a static IP, that's fine, too.
logoutput: syslog

internal: eth1 port = 1080
internal: 127.0.0.1 port = 1080
external: 1.2.3.4
# or
external: eth0
Next, we define some basic authentication items. Dante supports things like identd and PAM authentication, but I did not configure those. For this proxy's simple task I went without authentication.
method: username none

# Not using authentication, so unnecessary
#user.privileged: proxy

user.notprivileged: nobody
Finally, we define the access controls for this daemon. They are checked against in the order they appear in the configuration file. It's important not to allow the world to access your proxy server, since bad things can happen.
The first three directives control which IP ranges can speak to the server. The from: option is obviously the IP space the clients live in. The to: option is one of the IPs the proxy server is bound to that the given IP range can speak to. In this instance, I set it to correspond with all addresses Dante is listening on. The last of the three drops any requests that don't match either of the first two directives.
client pass {
  from: 192.168.0.0/16 port 1-65535 to: 0.0.0.0/0
}

client pass {
  from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}

client block {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  log: connect error
}
These next four directives control who can speak to what. Requests from anywhere to the loopback addresses are dropped. Next, connections from the loopback addresses and 192.168.0.0/16 are allowed to speak to anyone using either the tcp or udp protocols. Finally, all other requests are dropped.
block {
  from: 0.0.0.0/0 to: 127.0.0.0/8
  log: connect error
}

pass {
  from: 192.168.0.0/16 to: 0.0.0.0/0
  protocol: tcp udp
}

pass {
  from: 127.0.0.0/8 to: 0.0.0.0/0
  protocol: tcp udp
}

block {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  log: connect error
}
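The access-control rules are the security boundary of this whole setup, and the configurations on this page differ in one detail: the rules here use 192.168.0.0/16, while the danted.conf at the top of the page (and the wiki copy) use 192.168.0.0/0. A /0 prefix leaves no network bits, so 192.168.0.0/0 is the same set of addresses as 0.0.0.0/0, and the client pass and pass rules that use it match every source on the Internet; together with method: username none that is an unauthenticated open proxy, which is exactly what the text above warns against. The Python script below is an added example, not from the original page or from Dante, that parses the rule blocks of a danted.conf/sockd.conf in evaluation order and flags pass rules whose from: network covers all addresses. PAGE_CONF is the danted.conf from the top of this page; the function names are my own.

```python
import re
import ipaddress

# Sample input: the danted.conf shown at the top of this page, including the
# author's "192.168.0.0/0" edit (the wiki it was copied from used /16).
PAGE_CONF = """\
logoutput: syslog
internal: eth0 port = 10812
internal: 127.0.0.1 port = 10812
external: eth0
method: username none
user.notprivileged: nobody
client pass {
        from: 192.168.0.0/0 port 1-65535 to: 0.0.0.0/0
}
client pass {
        from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}
client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}
block {
  from: 0.0.0.0/0 to: 127.0.0.0/8
  log: connect error
}
pass {
  from: 192.168.0.0/0 to: 0.0.0.0/0
  protocol: tcp udp
}
pass {
  from: 127.0.0.0/8 to: 0.0.0.0/0
  protocol: tcp udp
}
block {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  log: connect error
}
user.libwrap: nobody
"""

RULE_RE = re.compile(r"(?:\b(client)\s+)?\b(pass|block)\s*\{([^}]*)\}")
ADDR_RE = re.compile(r"\b(from|to):\s*(\S+)")
METHOD_RE = re.compile(r"^\s*method:\s*(.+)$", re.M)


def strip_comments(text):
    """Drop '#' comments so commented-out rules are not audited."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_rules(conf):
    """Return the rule blocks in file order (the order dante evaluates them).
    Each is a dict: level ('client' or 'socks'), verb ('pass' or 'block'),
    from/to as ipaddress networks, or None when the value is not a CIDR."""
    rules = []
    for m in RULE_RE.finditer(strip_comments(conf)):
        nets = {}
        for key, value in ADDR_RE.findall(m.group(3)):
            try:
                # strict=False masks the host bits, so 192.168.0.0/0 becomes
                # 0.0.0.0/0: the set of addresses the rule actually matches.
                nets[key] = ipaddress.ip_network(value, strict=False)
            except ValueError:
                nets[key] = None  # hostname or placeholder such as Master_IP
        rules.append({"level": "client" if m.group(1) else "socks",
                      "verb": m.group(2),
                      "from": nets.get("from"), "to": nets.get("to")})
    return rules


def audit(conf):
    """Findings for pass rules whose from: network covers every IPv4 address."""
    m = METHOD_RE.search(strip_comments(conf))
    no_auth = bool(m) and "none" in m.group(1).split()
    findings = []
    for i, r in enumerate(parse_rules(conf), 1):
        if r["verb"] != "pass" or r["from"] is None or r["from"].prefixlen != 0:
            continue
        msg = f"rule {i}: {r['level']} pass from {r['from']} matches every source address"
        if no_auth:
            msg += " and 'method: username none' lets it through without credentials"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for line in audit(PAGE_CONF):
        print(line)
```

Run against the page's configuration it reports rules 1 and 5; with the /16 form used in this article it reports nothing. A pass rule that the auditor flags is only acceptable if method: requires credentials or the port is reachable solely through the SSH tunnel described below.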
Now you can fire up Dante.
faith:# sockd -V (or the danted binary on Debian)
faith:# sockd -d
That will start Dante in debugging mode. Start your favourite Web browser and tell it to use a SOCKS proxy server. Don't accidentally use an HTTP proxy, because that won't work. Visit a working URI and see if it loads. If it does, you're good to go. If not, check /var/log for useful clues. Dante will complain if something isn't working correctly, like it isn't able to bind to a port or it's denying you access.
Handling that Dynamic IP Issue
It's always fun to hit your tunnel one morning only to find it's gone. After a little digging, you notice it's because your broadband modem dropped your IP when you weren't looking and left your Dante configuration high and dry. Well, it need not be that way. Recent versions of Dante support using an interface for the external: directive, so this should no longer be necessary. If you can't upgrade to v1.1.7 or newer, you can use the script below to change your external IP address for you.
I run this script whenever my IP changes. I used to run it out of /etc/ppp/ip-up.d, but now I use it in conjunction with the pump DHCP client's script option. It uses the Debian init.d script. Your startup script might vary. The important part is the Perl snippet that alters the configuration file in place. You will need a copy of the iproute package installed on your machine to use the ip command. (apt-get install iproute on Debian, of course.)
#!/bin/bash
set +x
# Script to screw Danted's head on straight after an IP change

IF=eth0
PERL=/usr/bin/perl
DANTED=/etc/danted.conf

IP=$(/sbin/ip addr show $IF | grep inet |\
  awk '{ print $2 }' | awk -F\/ '{ print $1 }')

$PERL -0777 -pi -e "s/^external.*/external: $IP/gm" $DANTED

# HUPing Danted won't rebind it to a new static address
#kill -SIGHUP `pidof -s /usr/sbin/danted`

/etc/init.d/danted stop > /dev/null
sleep 1
/etc/init.d/danted start > /dev/null
Getting Your Tunnel Ready
Now, it's fun time. With OpenSSH, you can securely tunnel your SOCKS connection to the server running Dante, preventing anyone in between your client and your server from intercepting your session. Assuming you have OpenSSH installed and configured on both the client and the server running Dante, the following should do the trick.
jasonb@faith:~$ ssh -L 1080:localhost:1080 rebecca
If you do not have Dante listening on 127.0.0.1, you will need to substitute in an address or hostname that it is listening on. The last argument is, of course, the actual machine running OpenSSH you're connecting to. It need not be the machine running Dante, but it likely will be. For more fun with OpenSSH tunneling you can read my VNC over SSH article.
Links and Useful Resources
  • Extremely outdated information on configuring NEC's SOCKS proxy
  • The Dante proxy server
FROM http://blog.edseek.com/~jasonb/articles/dante_tunnel.shtml
----------------------------------------

One-click install script for the SOCKS5 proxy server dante (tested on Debian/CentOS)

Features

1. Compiles and installs the latest stable danted release, 1.4.0.
2. Detects the system's IPs automatically (192.168.0.*, 10.0.0.* and 127.0.0.* are excluded by default); when several IPs are found, lets you choose interactively which to configure (press Enter to configure all of them).
3. Uses PAM authentication; authenticated users need no system accounts (a process user named sock is added by default), so users are easy and safe to add and delete.
4. SOCKS5 status display.
5. Starts automatically at boot.
6. Selectable authentication: none, system username/password, or PAM username/password.
7. Full support for CentOS/Debian; the system is detected automatically for installation and configuration.
8. Per-client authentication policy: certain IPs/IP ranges can be allowed to connect without authentication.

Installation

1. wget --no-check-certificate https://raw.github.com/Lozy/danted/master/install.sh -O install.sh
2. [Optional] Edit the default parameters:
  1. DEFAULT_PORT: the default port
  2. DEFAULT_USER: the PAM username
  3. DEFAULT_PAWD: the password of the PAM user
  4. MASTER_IP: authentication-free whitelist (hostname or IP, e.g. the default buyvm.info, or a specific IP such as 8.8.8.8/32)
3. After editing, run
bash install.sh
4. If the run ends with Dante Server Install Successfuly! the installation succeeded.
If it shows Dante Server Install Failed! the installation failed; please leave a comment with your operating system and the specific problem.

Usage after installation

1. Command usage: /etc/init.d/danted {start|stop|restart|status|add|del}
2. Restart socks5: /etc/init.d/danted restart or service danted restart
3. Stop socks5: /etc/init.d/danted stop or service danted stop
4. Start socks5: /etc/init.d/danted start or service danted start
5. Show socks5 status: /etc/init.d/danted status or service danted status
6. Add a SOCKS5 PAM user / change a password: /etc/init.d/danted add username password
7. Delete a SOCKS5 PAM user: /etc/init.d/danted del username
8. Configuration file path: /etc/danted/conf/
9. Log file path: /var/log/danted.*.log
10. danted help: danted --help

Notes on use

1. Most browsers (Opera excepted) do not support SOCKS5 with password authentication, so on a PC you need software such as proxifier or proxycap to handle the authentication.
2. If you have a fixed IP or IP range, you can edit the configuration file to whitelist it.
Go to /etc/danted/conf/ and find the configuration file.
Under the first client pass {} block, edit the line from: Master_IP/32 to: 0.0.0.0/0, replacing Master_IP/32 with the IP range or address that should use the proxy, e.g. 114.114.114.0/24 or 5.5.5.5/32. For multiple sources, copy the client pass {} block once per source. Then restart the danted process: service danted restart
-------------------------
Installing and configuring the socks5 server ss5

I did not compile from source but installed from the rpm directly; either way works.
wget ftp://ftp.sunet.se/pub/Linux/distributions/fedora/linux/releases/15/Everything/x86_64/os/Packages/ss5-3.6.4-6.fc15.x86_64.rpm
Edit the configuration file. It is very capable (search Baidu for the details), but I do not need anything that complicated here, so I only change the following:
vim /etc/opt/ss5/ss5.conf
auth    0.0.0.0/0               -               -
change to
auth    0.0.0.0/0               -               u

permit -        0.0.0.0/0       -       0.0.0.0/0       -       -       -       -       -
change to
permit u        0.0.0.0/0       -       0.0.0.0/0       -       -       -       -       -
Edit /etc/opt/ss5/ss5.passwd to set the username and password:
vim /etc/opt/ss5/ss5.passwd
user 123321
Save and exit.
The default port is 1080.
To change it, edit /etc/rc.d/init.d/ss5 with vim,
or start it with /usr/sbin/ss5 -b ip:port.
Here I use the default port.
service ss5 start
Then check the port with netstat -anp:
netstat -anp
tcp        0      0 0.0.0.0:1080                0.0.0.0:*                   LISTEN      26955/ss5
----------------
Related posts: http://briteming.blogspot.jp/2011/11/dantesocks5.html
http://www.inet.no/dante/doc/faq.html