socks5 over TLS proxy
tlstun implements socks proxy over TLS (both client and server).
Client part is expected to be run locally and used by local services as a
socks5 proxy. Client establishes TLS session to the server running on some
remote host that performs outgoing requests on behalf of requests made to
the client.
Client and server authenticate each other with certificates which can be
created with openssl or https://github.com/artyom/gencert
Usage example
Generate server and client side certificates, they can be signed by the same
CA and saved using PEM encoding into a single file. Certificate keys should
also be saved as a separate PEM-encoded files. With gencert tool from
https://github.com/artyom/gencert this can be done as:
gencert -hosts my.domain.tld
This produces five files in the current directory: client certificate + key
pair, another pair for the server and a certificate authority certificate.
Note that my.domain.tld should point to the host you plan running server
part of tlstun.
Now configure tlstun to run on the server that could be reached at
my.domain.tld like this:
tlstun server -addr=:9000 -ca=ca.pem \
-cert=server-cert.pem -key=server-key.pem
The client part is expected to be running locally (on a laptop/workstation,
etc.):
tlstun client -addr=127.0.0.1:1080 -ca=ca.pem \
-cert=client-cert.pem -key=client-key.pem \
my.domain.tld:9000
Client is now listening on localhost port 1080 and local software can be
configured to use this endpoint as a socks5 proxy.
Client may be configured to work with multiple servers:
tlstun client -addr=127.0.0.1:1080 -ca=ca.pem \
-cert=client-cert.pem -key=client-key.pem \
my.domain.tld:9000 other.domain.tld:9000
By default client will periodically evaluate all endpoints and prefer one
which replies first. This check may be disabled with -no-check flag.
Instead of listing endpoints directly, client may discover them from SRV DNS
records. If -discover=domain.tld flag is set, client ignores any endpoints
given on the command line and instead looks up SRV record
_tlstun._tcp.domain.tld, which must follow standard format to specify
host/port pairs.
HTTPS compatible mode
Server may be configured to automatically issue certificate from ACME
provider (currently is's Let's Encrypt). For this to work, server must be
exposed over port 443 and it also doubles as an https endpoint. By default
it replies with 404 Not Found, but can optionally be configured to serve
static files from file system directory:
tlstun server -addr=:443 -ca=ca.pem -acme \
-acme-domain=domain.tld -acme-email=you@domain.tld \
-acme-cache=/var/cache/acme \
-httproot=/var/www/domain.tld
Server may also be run with -dns-tls flag, which enables resolving via
DNS-over-TLS providers (currently Cloudflare and Quad9).
from https://github.com/artyom/tlstun
https://github.com/artyom/gencert(https://github.com/lu4p/genCert,仅供参考)
我的补充说明:
登陆linux vps.安装go环境,然后,
git clone https://github.com/artyom/gencert gencert-by-artyom
cd gencert-by-artyom
go install
($GOPATH/bin/里面就会生成可执行文件gencert)
cd ~
git clone https://github.com/artyom/tlstun tlstun-by-artyom
cd tlstun-by-artyom
go install
($GOPATH/bin/里面就会生成可执行文件tlstun)
mv /root/go1.16/go/gopath/bin/tlstun /root/go1.16/go/gopath/bin/tlstun-by-artyom
gencert -hosts mydomain.com
(先把mydomain.com添加A记录,指向服务器的公网ip. mydomain.com不一定要是顶级域名,子域名也可)
(在当前目录下,会生成5个文件:ca.pem,client-cert.pem ,client-key.pem ,server-cert.pem ,server-key.pem)
tlstun-by-artyom server -addr=:9000 -ca=ca.pem -cert=server-cert.pem -key=server-key.pem
此命令是运行在前台的。我们可以利用boa把该命令运行在后台上:
boa /root/go1.16/go/gopath/bin/tlstun-by-artyom server -addr=:9000 -ca=/root/tlstun-by-artyom/ca.pem -cert=/root/tlstun-by-artyom/server-cert.pem -key=/root/tlstun-by-artyom/server-key.pem && reboot
另外,生成证书/私匙时,不一定要针对域名生成,针对服务器的公网ip生成也可。所以,
mkdir /root/certs-for-tlstun-by-artyom
cd /root/certs-for-tlstun-by-artyom
gencert -hosts vps-public-ip
(在当前目录下,会生成5个文件:ca.pem,client-cert.pem ,client-key.pem ,server-cert.pem ,server-key.pem)
boa /root/go1.16/go/gopath/bin/tlstun-by-artyom server -addr=:9001 -ca=/root/certs-for-tlstun-by-artyom/ca.pem -cert=/root/certs-for-tlstun-by-artyom/server-cert.pem -key=/root/certs-for-tlstun-by-artyom/server-key.pem && reboot
服务器端搭建完成。
在本地机器mac上。安装go环境,然后,
git clone https://github.com/artyom/tlstun tlstun-by-artyom
cd tlstun-by-artyom
go install
($GOPATH/bin/里面就会生成可执行文件tlstun)
mv ~/go1.16.3/go/gopath/bin/tlstun ~/go1.16.3/go/gopath/bin/tlstun-by-artyom
把服务器上的/root/tlstun-by-artyom目录里的ca.pem,client-cert.pem ,client-key.pem下载到当前目录。
tlstun-by-artyom client -addr=127.0.0.1:1085 -ca=ca.pem -cert=client-cert.pem -key=client-key.pem mydomain.com:9000
不要关闭此终端,设置浏览器的socks proxy地址为127.0.0.1 ,端口为1085 ,浏览器即可翻墙。
另外, mkdir ~/certs-for-tlstun-by-artyomcd ~/certs-for-tlstun-by-artyom把服务器上的/root/certs-for-tlstun-by-artyom目录里的ca.pem,client-cert.pem ,client-key.pem下载到当前目录。
tlstun-by-artyom client -addr=127.0.0.1:1086 -ca=ca.pem -cert=client-cert.pem -key=client-key.pem vps-public-ip:9001
不要关闭此终端,设置浏览器的socks proxy地址为127.0.0.1 ,端口为1086 ,浏览器即可翻墙。
socks5 over TLS proxytlstun implements socks proxy over TLS (both client and server).
Client part is expected to be run locally and used by local services as a
socks5 proxy. Client establishes TLS session to the server running on some
remote host that performs outgoing requests on behalf of requests made to
the client.
Client and server authenticate each other with certificates which can be
created with openssl or https://github.com/artyom/gencert
Usage example
Generate server and client side certificates, they can be signed by the same
CA and saved using PEM encoding into a single file. Certificate keys should
also be saved as a separate PEM-encoded files. With gencert tool from
https://github.com/artyom/gencert this can be done as:
gencert -hosts my.domain.tld
This produces five files in the current directory: client certificate + key
pair, another pair for the server and a certificate authority certificate.
Note that my.domain.tld should point to the host you plan running server
part of tlstun.
Now configure tlstun to run on the server that could be reached at
my.domain.tld like this:
tlstun server -addr=:9000 -ca=ca.pem \
-cert=server-cert.pem -key=server-key.pem
The client part is expected to be running locally (on a laptop/workstation,
etc.):
tlstun client -addr=127.0.0.1:1080 -ca=ca.pem \
-cert=client-cert.pem -key=client-key.pem \
my.domain.tld:9000
Client is now listening on localhost port 1080 and local software can be
configured to use this endpoint as a socks5 proxy.
Client may be configured to work with multiple servers:
tlstun client -addr=127.0.0.1:1080 -ca=ca.pem \
-cert=client-cert.pem -key=client-key.pem \
my.domain.tld:9000 other.domain.tld:9000
By default client will periodically evaluate all endpoints and prefer one
which replies first. This check may be disabled with -no-check flag.
Instead of listing endpoints directly, client may discover them from SRV DNS
records. If -discover=domain.tld flag is set, client ignores any endpoints
given on the command line and instead looks up SRV record
_tlstun._tcp.domain.tld, which must follow standard format to specify
host/port pairs.
HTTPS compatible mode
Server may be configured to automatically issue certificate from ACME
provider (currently is's Let's Encrypt). For this to work, server must be
exposed over port 443 and it also doubles as an https endpoint. By default
it replies with 404 Not Found, but can optionally be configured to serve
static files from file system directory:
tlstun server -addr=:443 -ca=ca.pem -acme \
-acme-domain=domain.tld -acme-email=you@domain.tld \
-acme-cache=/var/cache/acme \
-httproot=/var/www/domain.tld
Server may also be run with -dns-tls flag, which enables resolving via
DNS-over-TLS providers (currently Cloudflare and Quad9).
from https://github.com/artyom/tlstun
https://github.com/artyom/gencert(https://github.com/lu4p/genCert,仅供参考)
我的补充说明:
登陆linux vps.安装go环境,然后,
git clone https://github.com/artyom/gencert gencert-by-artyom
cd gencert-by-artyom
go install
($GOPATH/bin/里面就会生成可执行文件gencert)
cd ~
git clone https://github.com/artyom/tlstun tlstun-by-artyom
cd tlstun-by-artyom
go install
($GOPATH/bin/里面就会生成可执行文件tlstun)
mv /root/go1.16/go/gopath/bin/tlstun /root/go1.16/go/gopath/bin/tlstun-by-artyom
gencert -hosts mydomain.com
(先把mydomain.com添加A记录,指向服务器的公网ip. mydomain.com不一定要是顶级域名,子域名也可)
(在当前目录下,会生成5个文件:ca.pem,client-cert.pem ,client-key.pem ,server-cert.pem ,server-key.pem)
tlstun-by-artyom server -addr=:9000 -ca=ca.pem -cert=server-cert.pem -key=server-key.pem
此命令是运行在前台的。我们可以利用boa把该命令运行在后台上:
boa /root/go1.16/go/gopath/bin/tlstun-by-artyom server -addr=:9000 -ca=/root/tlstun-by-artyom/ca.pem -cert=/root/tlstun-by-artyom/server-cert.pem -key=/root/tlstun-by-artyom/server-key.pem && reboot
另外,生成证书/私匙时,不一定要针对域名生成,针对服务器的公网ip生成也可。所以,
mkdir /root/certs-for-tlstun-by-artyom
cd /root/certs-for-tlstun-by-artyom
gencert -hosts vps-public-ip
(在当前目录下,会生成5个文件:ca.pem,client-cert.pem ,client-key.pem ,server-cert.pem ,server-key.pem)
boa /root/go1.16/go/gopath/bin/tlstun-by-artyom server -addr=:9001 -ca=/root/certs-for-tlstun-by-artyom/ca.pem -cert=/root/certs-for-tlstun-by-artyom/server-cert.pem -key=/root/certs-for-tlstun-by-artyom/server-key.pem && reboot
服务器端搭建完成。
在本地机器mac上。安装go环境,然后,
git clone https://github.com/artyom/tlstun tlstun-by-artyom
cd tlstun-by-artyom
go install
($GOPATH/bin/里面就会生成可执行文件tlstun)
mv ~/go1.16.3/go/gopath/bin/tlstun ~/go1.16.3/go/gopath/bin/tlstun-by-artyom
把服务器上的/root/tlstun-by-artyom目录里的ca.pem,client-cert.pem ,client-key.pem下载到当前目录。
tlstun-by-artyom client -addr=127.0.0.1:1085 -ca=ca.pem -cert=client-cert.pem -key=client-key.pem mydomain.com:9000
不要关闭此终端,设置浏览器的socks proxy地址为127.0.0.1 ,端口为1085 ,浏览器即可翻墙。
另外, mkdir ~/certs-for-tlstun-by-artyomcd ~/certs-for-tlstun-by-artyom把服务器上的/root/certs-for-tlstun-by-artyom目录里的ca.pem,client-cert.pem ,client-key.pem下载到当前目录。
tlstun-by-artyom client -addr=127.0.0.1:1086 -ca=ca.pem -cert=client-cert.pem -key=client-key.pem vps-public-ip:9001
不要关闭此终端,设置浏览器的socks proxy地址为127.0.0.1 ,端口为1086 ,浏览器即可翻墙。
