yudeMacBook-Air:~ brite$ brew install stunnel
It shows:
Updating Homebrew...
==> Auto-updated Homebrew!
Updated 2 taps (homebrew/cask and homebrew/core).
==> New Formulae
php@7.2
==> Updated Formulae
arcade-learning-environment opencv
astrometry-net opencv@2
aubio pandoc-crossref
elasticsearch pgweb
fx php
gnuradio php@5.6
graph-tool php@7.1
kibana phpunit
knot-resolver rust
kubernetes-helm scipy
logstash shibboleth-sp
nss stunnel
numpy urh
nwchem xml-security-c
openblas xml-tooling-c
==> Deleted Formulae
php@7.0
==> Migrating HOMEBREW_REPOSITORY (please wait)...
Error: /usr/local/Homebrew already exists.
Please remove it manually or uninstall and reinstall Homebrew into a new
location as the migration cannot be done automatically.
==> Installing dependencies for stunnel: openssl
==> Installing stunnel dependency: openssl
==> Downloading https://homebrew.bintray.com/bottles/openssl-1.0.2q.sierra.bottl
######################################################################## 100.0%
==> Pouring openssl-1.0.2q.sierra.bottle.tar.gz
==> Caveats
A CA file has been bootstrapped using certificates from the SystemRoots
keychain. To add additional certificates (e.g. the certificates added in
the System keychain), place .pem files in
/usr/local/etc/openssl/certs
and run
/usr/local/opt/openssl/bin/c_rehash
openssl is keg-only, which means it was not symlinked into /usr/local,
because Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries.
If you need to have openssl first in your PATH run:
echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.bash_profile
For compilers to find openssl you may need to set:
export LDFLAGS="-L/usr/local/opt/openssl/lib"
export CPPFLAGS="-I/usr/local/opt/openssl/include"
For pkg-config to find openssl you may need to set:
export PKG_CONFIG_PATH="/usr/local/opt/openssl/lib/pkgconfig"
==> Summary
🍺 /usr/local/Cellar/openssl/1.0.2q: 1,794 files, 12.3MB
==> Installing stunnel
==> Downloading https://homebrew.bintray.com/bottles/stunnel-5.50.sierra.bottle.
######################################################################## 100.0%
==> Pouring stunnel-5.50.sierra.bottle.tar.gz
==> Caveats
A bogus SSL server certificate has been installed to:
/usr/local/etc/stunnel/stunnel.pem
This certificate will be used by default unless a config file says otherwise!
Stunnel will refuse to load the sample configuration file if left unedited.
In your stunnel configuration, specify a SSL certificate with
the "cert =" option for each service.
==> Summary
🍺 /usr/local/Cellar/stunnel/5.50: 40 files, 651.4KB
==> Caveats
==> openssl
A CA file has been bootstrapped using certificates from the SystemRoots
keychain. To add additional certificates (e.g. the certificates added in
the System keychain), place .pem files in
/usr/local/etc/openssl/certs
and run
/usr/local/opt/openssl/bin/c_rehash
openssl is keg-only, which means it was not symlinked into /usr/local,
because Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries.
If you need to have openssl first in your PATH run:
echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.bash_profile
For compilers to find openssl you may need to set:
export LDFLAGS="-L/usr/local/opt/openssl/lib"
export CPPFLAGS="-I/usr/local/opt/openssl/include"
For pkg-config to find openssl you may need to set:
export PKG_CONFIG_PATH="/usr/local/opt/openssl/lib/pkgconfig"
==> stunnel
A bogus SSL server certificate has been installed to:
/usr/local/etc/stunnel/stunnel.pem
This certificate will be used by default unless a config file says otherwise!
Stunnel will refuse to load the sample configuration file if left unedited.
In your stunnel configuration, specify a SSL certificate with
the "cert =" option for each service.
yudeMacBook-Air:~ brite$
-------------
My additional notes
After installing stunnel as above, run:
echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.profile
echo 'export LDFLAGS="-L/usr/local/opt/openssl/lib"' >> ~/.profile
echo 'export CPPFLAGS="-I/usr/local/opt/openssl/include"' >> ~/.profile
echo 'export PKG_CONFIG_PATH="/usr/local/opt/openssl/lib/pkgconfig"' >> ~/.profile
source ~/.profile
cd /usr/local/etc/stunnel/
yudeMacBook-Air:stunnel brite$ ls
stunnel.conf stunnel.conf-sample
stunnel.pem stunnel.conf-sample.default
yudeMacBook-Air:stunnel brite$ rm -rf stunnel.pem
(delete the unneeded stunnel.pem file)
Then follow this post, https://briteming.blogspot.com/2017/06/lets-encryptsslcertbot.html, to request a free certificate for your domain (yourdomain.com). (Of course, yourdomain.com must first resolve to your server's IP.)
Then download /etc/letsencrypt/live/yourdomain.com/fullchain.pem and /etc/letsencrypt/live/yourdomain.com/privkey.pem from the server into /usr/local/etc/stunnel/ on the Mac.
yudeMacBook-Air:stunnel brite$ ls
fullchain.pem stunnel.conf-sample
privkey.pem stunnel.conf-sample.default
stunnel.conf
yudeMacBook-Air:stunnel brite$ nano stunnel.conf
yudeMacBook-Air:stunnel brite$ cat stunnel.conf
It shows:
...
cert = /usr/local/etc/stunnel/fullchain.pem
key = /usr/local/etc/stunnel/privkey.pem
client = yes
[https]
accept = 127.0.0.1:10803
connect = vps-ip:440
...
yudeMacBook-Air:stunnel brite$ stunnel stunnel.conf
(The command stunnel stunnel.conf runs in the background, so after running it you can close the terminal window.)
For setting up the server side, see https://briteming.blogspot.com/2012/01/vpsstunnel.html
Then set your browser's HTTP proxy to 127.0.0.1, port 10803, and the browser can get through the firewall.
(I recommend setting the HTTP proxy under Chrome + SwitchyOmega or Firefox + SwitchyOmega. If you set the HTTP proxy directly in Firefox, it does not get through the firewall; I don't know why.)
On Mac OS X you can also use GoAgentX, whose bundled Stunnel feature can convert an SSL proxy.
-------------------------- Stunnel encrypted-tunnel transparent proxy
I considered other software to replace v2ray on the home router. After various tests, stunnel's overall performance and stability turned out acceptable, so I used zerotier for NAT traversal, stunnel to encrypt the socks5 proxy exposed to the internet, and kumasocks to turn it into a transparent proxy. zerotier is not required: with a public IP you can use dynamic DNS plus port forwarding to achieve the same thing.
First, the basic environment:
The NAS runs docker, an openwrt router, and so on. (As an aside, this site currently runs in a debian docker container on that NAS, reverse-proxied from the outside, also using zerotier for NAT traversal.)
Internal IP: 172.16.22.2
A static route is pushed via zerotier, so the openwrt router at home can reach this internal IP directly.
Install stunnel4 in the debian docker container.
apt update && apt install stunnel4 -y
Generate a certificate
cd /etc/stunnel
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
Create the config file. A few parameters explained: v2ray's socks5 proxy listens on local port 1080, and stunnel's listening port is 10800.
cat >/etc/stunnel/stunnel.conf <<eof
syslog=no
debug=7
output=/var/log/stunnel.log
pid=/var/run/stunnel.pid
cert=/etc/stunnel/stunnel.pem
key=/etc/stunnel/stunnel.pem
client=no
[socks5]
accept=10800
connect=127.0.0.1:1080
eof
Start the service
/etc/init.d/stunnel4 restart
The server is configured. Next is the home router, which runs openwrt; the official opkg repository ships stunnel, so this part is simple too.
opkg update && opkg install stunnel
Copy the server's stunnel.pem to the same directory on the router, then create the client config file.
cat >/etc/config/stunnel <<eof
config globals 'globals'
#option alt_config_file '/etc/stunnel/stunnel.conf'
option setuid 'nobody'
option setgid 'nogroup'
config service 'dummy'
option enabled '1'
option client '1'
option accept_host 'localhost'
option accept_port '10800'
list connect '172.16.22.2:10800'
eof
/etc/init.d/stunnel enable
/etc/init.d/stunnel restart
At this point the stunnel configuration is basically done. Local port 10800 can serve as the LAN's socks5 proxy, and combined with kumasocks it can be converted into a transparent proxy.
Related posts:
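Both client configs above (the Mac stunnel.conf and the OpenWrt service) set client mode but never enable server-certificate verification, so the tunnel encrypts traffic without proving which server it actually reached. The checker below is added here as an example, not code from stunnel or from the original post: it parses a stunnel.conf, flags client services that set none of verify, verifyChain or verifyPeer, and shows a hardened variant of the Mac service; the CAfile path and checkHost hostname are assumed placeholders.

```python
import re

# Constructed sample: the post's Mac client config (cert/key set, no server verification).
SAMPLE_CONF = """\
cert = /usr/local/etc/stunnel/fullchain.pem
key = /usr/local/etc/stunnel/privkey.pem
client = yes
[https]
accept = 127.0.0.1:10803
connect = vps-ip:440
"""

# Same service with verification enabled; CAfile (the CA that signed the VPS cert) and hostname are placeholders.
HARDENED_CONF = SAMPLE_CONF + """\
CAfile = /usr/local/etc/stunnel/vps-ca.pem
verifyChain = yes
checkHost = yourdomain.com
"""

def parse_stunnel_conf(text):
    """Return {service: options}; options before the first [section] are global defaults every service inherits."""
    globals_, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()  # ';' starts a comment in stunnel.conf
        if not line:
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1)
            services[current] = dict(globals_)
            continue
        key, _, value = line.partition('=')
        target = services[current] if current else globals_
        target[key.strip().lower()] = value.strip()  # stunnel option names are case-insensitive
    return services

def unverified_clients(text):
    """Names of client services with no server-certificate check configured."""
    bad = []
    for name, opts in parse_stunnel_conf(text).items():
        if opts.get('client', 'no').lower() != 'yes':
            continue
        level = opts.get('verify', '0')
        legacy = level.isdigit() and int(level) >= 1   # classic verify = N option
        modern = any(opts.get(k, 'no').lower() == 'yes' for k in ('verifychain', 'verifypeer'))
        if not (legacy or modern):
            bad.append(name)
    return bad
```

Run it against your own stunnel.conf with unverified_clients(open(path).read()); an empty list means every client service checks the server's certificate.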
https://briteming.blogspot.com/2017/06/lets-encryptsslcertbot.html
https://briteming.blogspot.com/2012/01/vpsstunnel.html