Total Pageviews

Wednesday, 21 July 2021

利用CRedir+后端的socks proxy(或http proxy)翻墙

 encrypted port redirector. creates encrypted tunnel between 2 TCP endpoints.

This is a port redirector program like the well-known redir, but with crypto added. it uses tweetnacls public key, signing and streamcipher primitives.

it's similar to SSL/TLS, but without a central government^w authority that has full power over your crypto keys. instead, you generate your own keys using the credir-keygen tool.

in order to use an encrypted tunnel, one side uses credir in client mode, the other in server mode. each side listens on a dedicated port, which does TCP forwarding to the other side.

example:

server A with IP 10.1.1.1 provides a tinyproxy HTTP proxy service on its localhost interface, listening on port 8888. we'll create a listening service on 0.0.0.0:8889 which decrypts and tunnels incoming connections to tinyproxy.

client B with IP 10.0.0.2 wants to use that proxy, and have a port 8080 open on its own localhost interface, which proxy-aware applications then can connect to (for example curl). for the proxy-using application, it looks as if tinyproxy would listen on its own localhost:8080, yet the connection is tunneled over an encrypted link to server A.

the client generates a keypair with credir-keygen ~/.credir/MYKEY, the server with credir-keygen -s ~/.credir/MYKEY,

on client B, execute cat ~/.credir/MYKEY.pub. it prints the public key encoded in hex. for this example, we assume it is 01020304.

do the same on server A to get its public key. for this example, we assume it is abcdef00

on server A (inside e.g. a screen session), the following command is used:

credir -k ~/.credir/MYKEY -a 01020304 -i 0.0.0.0 -p 8889 127.0.0.1:8888

on client B:

credir -c -k ~/.credir/MYKEY -a abcdef00 -i 127.0.0.1 -p 8080 10.1.1.1:8889

implementation

credir is very lightweight, and very light on resources too:

For every client, a thread with a stack size of 8KB is spawned. the main process basically doesn't consume any resources at all.

The only limits are the amount of file descriptors and the RAM.

It's also designed to be robust: it handles resource exhaustion gracefully by simply denying new connections, instead of calling abort() as most other programs do these days.

Another plus is ease-of-use: no config file necessary, everything can be done from the command line.

cryptographic details:

upon connect, the server presents its public signing key, an ephemeral public ecc key signed with the signing key, a random nonce and a random challenge. the client encrypts the challenge and a random session key with its secret key (and the server's ephemeral pubkey, after checking the signature is correct) and sends it back together with its own pubkey. the server checks whether the public key is authorized, then decrypts the data with its own ephemeral secret key and the client's public key. if the challenge matches, the client has successfully proven its authencity, and from here on every packet sent back and forth will be encrypted using an increasing nonce, and the session key using a stream cipher. this means the handshake consists of only of one package from each side, which is rather efficient.

command line options

credir -k key -a authkeys [-c -i listenip -p port -t timeout -b bindaddr] ip:port

all arguments except -k and -a are optional.

for client mode, -c needs to be specified.

a single or a list of hex-encoded, colon-separated authorized public keys need to be supplied using -a. this assures on the client side that the server isn't mitm'd, an on the server side that only known clients can use the service.

if -c is given (clientmode), outgoing connections to ip/port will be encrypted.

if -c isn't given (servermode), incoming connections will be decrypted and forwarded.

-k takes the filename prefix of a public key pair generated with credir-keygen e.g. foo, if a file foo.priv and foo.pub were generated

by default listenip is 0.0.0.0 and port 1080.

option -b specifies the default ip outgoing connections are bound to.

the -t timeout is specified in seconds, default: 0. if timeout is set to 0, block until the OS cancels the conn. attempt.

all incoming connections will be redirected to ip:port.

build options

if the macro HAVE_GETRANDOM is specified at build time, linux' getrandom() syscall will be used instead of opening /dev/urandom. this saves a number of syscalls everytime entropy is needed, and it makes it possible to use the program in a chroot without /dev mounted. in case you want to use a chroot you should also request a static build using LDFLAGS=-static.

example:

CFLAGS=-DHAVE_GETRANDOM LDFLAGS=-static make

if the option USE_SODIUM is set to 1, libsodium will be used instead of the embedded tweetnacl library. this will result in a faster binary (producing less CPU load), but will also result in a bigger binary size if statically compiled.

example:

make USE_SODIUM=1
from https://codeberg.org/rofl0r/credir
(https://codeberg.org/rofl0r/credir/wiki)
-----
https://github.com/tinyproxy/tinyproxy/issues/162#issuecomment-801349943 ,rofl0r says:
"it should be possible to use stunnel in front of tinyproxy to make it https. though i dont know many programs that support https proxies. it might be a better workaround to use an encrypted port redirection(tunnel) configured such that e.g. 127.0.0.1:8000(cr client) -> a.b.c.d:8000(cr server) -> 127.0.0.1:8888(tinyproxy)."
所以,CRedir类似于stunnel.
-----
我的补充说明
登录Linux vps.
git clone https://codeberg.org/rofl0r/credir
cd credir
make credir credir-keygen
(会在当前目录下,生成可执行文件credir和credir-keygen)
./credir-keygen -s SERVER
(会在当前目录下,生成SERVER.pub文件和SERVER.priv文件)
然后,来到本地机器mac.
git clone https://codeberg.org/rofl0r/credir
cd credir
make credir credir-keygen
(会在当前目录下,生成可执行文件credir和credir-keygen)
./credir-keygen CLIENT
(会在当前目录下,生成CLIENT.pub文件和CLIENT.priv文件)
cat CLIENT.pub
然后,回到Linux vps里面的credir目录。
./credir -a 客户机器上的CLIENT.pub文件的内容 -k SERVER -i 0.0.0.0 -p 8889 127.0.0.1:3678
(这里,127.0.0.1:3678是服务器上所搭建的某个socks代理服务器程序或http代理服务器程序的监听
地址。比如microsocks:https://briteming.blogspot.com/2018/05/socks5-microsocks.html)
此命令./credir -a 客户机器上的CLIENT.pub文件的内容 -k SERVER -i 0.0.0.0 -p 8889 127.0.0.1:3678是运行在前台的,我们可以终止它,然后用systemd把它运行为service:
nano /etc/systemd/system/credir.service
内容为:

[Unit]

After=network.target


[Service]

WorkingDirectory=/root/credir/

ExecStart=/root/credir/credir -a 客户机器上的CLIENT.pub文件的内容 -k SERVER -i 0.0.0.0 -p 8889 127.0.0.1:3678

Restart=always


[Install]

WantedBy=multi-user.target


然后,

systemctl start credir

systemctl enable credir


服务器端搭建完成。



然后,回到本地机器mac的credir目录。

./credir -a 服务器上的SERVER.pub文件的内容 -c -k CLIENT -i 127.0.0.1 -p 7070 vps-public-ip:8889


不要关闭此终端,然后设置浏览器的socks5代理服务器地址为127.0.0.1 ,端口为7070 ,浏览器即可翻墙。


上面,服务器上的后端程序如果是http proxy app,则浏览器的代理服务器类型相应的要选择

http代理服务器.


如果什么时候翻墙不流畅了,重新运行客户端命令即可。


项目地址:https://codeberg.org/rofl0r/credir

https://codeberg.org/rofl0r/credir/wiki

https://codeberg.org/rofl0r/credir/issues/1

No comments:

Post a Comment