Pages

Tuesday, 31 May 2022

南太平洋岛国拒绝将自己的命运与北京联在一起

 

—01/06/2022

世界上最小的国家之一密克罗尼西亚刚刚让中国这个巨头遭受了让人难以置信的外交挫折。密克罗尼西亚同其他几个岛国一样,反对与中国达成有争议的安全协议

法国世界报在华记者勒梅特周二写道,印太地区是美国和中国之间的新的战场,北京尝试了一个大胆的举措:让南太平洋国家签署合作协议,从而将这些国家置于北京的轨道上。中国外交部长王毅目前正在进行为期十天的访问,访问这些人口比中国的小城市的人口还少的岛国。王毅是于5月26日启程的,将先后访问所罗门群岛、基里巴斯、萨摩亚、斐济、汤加、瓦努阿图、巴布亚新几内亚、以及东帝汶。此外,王毅还将对密克罗尼西亚进行“虚拟访问”,并与库克群岛和纽埃的外长进行视频会晤。其中,5月29日至30日对斐济的访问是王毅此行中最重要的一站。在斐济,王毅和所有同行举行了会议。北京的目标是缔结协议,加强各领域的合作,如经济、海底测绘、自然资源开发,尤其是治安力量和网络安全的培训。但是,密克罗尼西亚总统在5月份时给他的同行们写了一封信并敲响了警钟。他解释说,这一协议草案事先主要是由中国起草的,旨在用一面是中国、另一方面是南太平洋’的多边关系来取代当前的双边关系,并引导太平洋地区对中国忠诚。2021年夏天,密克罗尼西亚与美国签署了一项协议,允许华盛顿在密克罗尼西亚建立军事基地。尽管习近平主席周一发出了信息,但太平洋地区领导人表示,由于缺乏地区共识,他们不接受北京提出的“共同发展愿景”。除了密克罗尼西亚,巴布亚新几内亚和萨摩亚、以及因和台湾有外交关系而没有被邀请参加此次会议的帕劳,它们可能也反对中国的意图。所以,中国只能满足于达成一项涉及农业、气候变化和减少贫困的协议。不过,北京不承认失败,声称“讨论仍在继续”,并随后发表了一份有关自己与南太平洋关系的“立场文件”。这份文件包括15点“愿景”以及24项具体承诺。但这些都与安全无关。勒梅特指出,澳大利亚战略政策研究院(ASPI)的国家防御、战略和安全项目的主任迈克尔·舒布里奇说(Michael Shoebridge),“南太平洋岛屿对澳大利亚极为重要。中国有可能利用这些岛屿来扩展其军事力量,这对我国来说是巨大的战略挫折,是二战结束以来最严重的事态发展。”几年来,堪培拉一直担心中国在该地区获得更大的影响力,长期以来,这一地区被认为是和华盛顿及其当地盟友站在一起的。4月份,北京与所罗门群岛签署安全协议,允许中国警察和士兵可以在该群岛驻扎,就引发了第一波冲击。澳大利亚担心中国想在这个距离其东北海岸不到2000公里的国家建立军事基地。如何应对中国的野心呢?迈克尔·舒布里奇表示,“有人说澳大利亚应该给予更多的发展援助,但是,在2009年至2019年期间,澳大利亚向所罗门群岛提供的援助,是所罗门群岛拿到的总援助的65%,而中国的援助只占6%。问题在于,北京是为基础设施和建设项目提供资金,这更引人注目,另外,北京也向政治精英们提供资金。”澳大利亚新总理阿尔巴尼斯(Anthony Albanese)承诺将给这些岛屿再投入超过3.5亿欧元的资金,承诺让这些岛屿上的人更容易获得签证,支持打击非法捕鱼。最重要的是,阿尔巴尼斯承诺对抗全球变暖,对这些岛国来说,全球变暖是很大的生存威胁,可是,十多年以来,澳大利亚的保守派领导人对此几乎都是视而不见的。另外,澳大利亚新总理还立即派出了他的外交部长于5月26日星期四前往斐济。澳大利亚外长一再重复说,“我们希望就你们的优先事项与你们合作。我们希望作为太平洋大家庭的一员一起工作。” 

美国政府则于5月26日表示,斐济群岛已经加入拜登总统几天前访问日本期间所发起的印太经济框架,这一经济框架旨在对抗中国在该地区的经济野心

乌克兰:俄罗斯开始“抢劫”金属材料

 

 —31/05/2022

乌克兰南部重要港口马里乌波尔被俄军占领后,第一艘商船今天从那里出发,将数千吨金属板运往俄罗斯。乌克兰指控俄罗斯正在“抢劫”

据路透社消息,乌克兰顿涅茨克地区亲俄分离领导人5月31日表示,一艘商船离开马里乌波尔,正带着一批金属货物前往俄罗斯东部。这是俄军占领乌克兰马里乌波尔港以来首次有商船离开该港。自称是亲俄“顿涅茨克人民共和国”领导人的丹尼斯-普希林(Denis Pushilin)在电报群(Telegram)写道:今天,2500吨“热轧金属板”离开马里乌波尔港。“该船正驶向(俄罗斯城市)罗斯托夫”(Rostov-sur-le-Don)"。乌克兰人权监察员柳德米拉-杰尼索娃(Lyudmyla Denisova)在电报群谴责说,俄罗斯占领者在“盗窃”乌克兰的粮食后,现在开始“抢掠”金属了。本月早些时候,被围困在亚速(Azovstal)钢铁厂的2400多名乌克兰战士投降后,俄罗斯完全占领了马里乌波尔。上周,俄罗斯说该港口的水雷已被清除,再次向商业船只开放。上周五(5月27日),这批热轧金属板的所有者,乌克兰最大钢铁制造商“Metinvest”谴责俄罗斯这一“海盗”行为。该公司担心俄罗斯可能利用滞留在马里乌波尔的几艘船继续"偷窃和走私"属于该集团的金属产品。周六被问及在马里乌波尔港待运的金属产品是否属于Metinvest公司时,该公司发言人肯定地说:是的。"我们昨天说过,我们的金属在马里乌波尔港"。莫斯科夺取马里乌波尔后,完全控制了亚速海沿岸,并打通俄罗斯大陆和其2014年吞并的克里米亚之间的陆地通道

OpenProxy

OpenProxy is an open source http proxy stack that is a combination of Varnish Cache and Nginx.

Introduction

The main goal of the OpenProxy project is to create a high-performance open source http and https proxy server for production environments.

If you don't want to use both services at the same time, nothing prevents you from using the configurations only for a specific service.

Varnish Cache

Before using the Varnish Cache please read Introduction.

Varnish Cache is a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture.

To increase your knowledge, read Varnish Documentation.

Varnish Cache with OpenProxy

The next step should be to read the Varnish Cache OpenProxy documentation.

Nginx

Before using the Nginx please read Beginner’s Guide.

Nginx (/ˌɛndʒɪnˈɛks/ EN-jin-EKS) is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler.

To increase your knowledge, read Nginx Documentation.

Nginx with OpenProxy

The next step should be to read the Nginx OpenProxy documentation.

Installation

Remember to make a copy of the current configuration and all files/directories.

It's very simple - full directory sync:

rsync -avur --delete lib/nginx/ /etc/nginx/
rsync -avur --delete lib/varnish-cache/ /etc/varnish/

For leaving your configuration (not recommended) remove --delete rsync param.

Configuration

Initializing new domain

Varnish Cache

Added your domain definitions to default.vcl:

### BACKENDS DEFINITION
include "/etc/varnish/master/domains/your.domain/backends.vcl";

### DOMAINS DEFINITION
include "/etc/varnish/master/domains/your.domain/main.vcl";

Clone to your domain directory:

cd /etc/varnish/master/domains
cp -R example.com/ your.domain

and replace example.com to your domain name:

cd your.domain
sed -i 's/example.com/your.domain/g' *
sed -i 's/example_com/your_domain/g' *

Remember to adjust the configuration to your needs.

Nginx

Added your domain definitions to domains.conf:

cd /etc/nginx/master/
cat >> domains.conf << __EOF__
# Configuration for your.domain domain.
include                         /etc/nginx/master/_domains/your.domain/servers.conf;
include                         /etc/nginx/master/_domains/your.domain/backends.conf;
__EOF__

cd _domains
cp -R example.com/ your.domain

and replace example.com to your domain name:

cd domains/your.domain
sed -i 's/example.com/your.domain/g' *
sed -i 's/example_com/your_domain/g' *

Remember to adjust the configuration to your needs.

Aliases

Import aliases from lib/etc/skel/aliases to your shell init file and reload shell session with exec $SHELL -l.

Error pages

For example:

cd /usr/share/www/

git clone https://github.com/trimstray/http-error-pages && cd http-error-pages
./httpgen

Before init services

  • reinit systemd configuration: systemctl daemon-reload
  • adjust /etc/default/varnish

Maintenance

Varnish Cache
Show config params
varnishadm param.show
varnishadm param.show max_retries
Show boot configuration
varnishadm vcl.show boot
Compile new configuration
varnishadm vcl.load config_name /etc/varnish/default.vcl
Load new configuration
varnishadm vcl.use config_name
Show backend list
varnishadm backend.list
Drop objects from cache
varnishadm ban req.http.host == example.com
varnishadm ban "req.http.host == example.com && req.url == /backend.*"
Show backends health
varnishlog -g raw -i Backend_health
Show all requests (without filters)
varnishlog -g request
Show all requests and responses (raw format)
varnishlog -g raw
Show requests with specific Host header
varnishlog -g request -q "ReqHeader eq 'Host: example.com'" -i Begin,ReqMethod,ReqUrl,ReqHeader
Show requests with specific User-Agent header
varnishlog -g request -q "ReqHeader eq 'User-Agent: x-bypass'"
Show requests with HTTP 200 status
varnishlog -i BackendOpen,BereqURL -q "BerespStatus == 200"
Show requests with HTTP 503 status from backends
varnishlog -d -q 'RespStatus == 503' -g request
Show requests with Backend Fetch Error
varnishlog -b -q 'FetchError'

External resources

Varnish Cache
Base

  🔸 Varnish HTTP Cache Project
  🔸 Varnish Cache source code repository
  🔸 Varnish Dashboard
  🔸 Varnish 4.0 Template
  🔸 Varnish 5.0 Template
  🔸 Getting started with web app accelerator Varnish Cache

Cheatsheets

  🔸 Varnish Regexp
  🔸 VCL regular expression cheat sheet
  🔸 5 Basic Tips to Using Regular Expressions in Varnish
  🔸 Varnishlog: measure your Varnish cache performance

Performance & Hardening

  🔸 Protect your websites with Varnish rules
  🔸 Collection of Varnish Cache modules (vmods) by Varnish Software

Nginx
Base

  🔸 Nginx Project
  🔸 Nginx official read-only mirror
  🔸 Nginx boilerplate configs
  🔸 Awesome Nginx configuration template
  🔸 Nginx static analyzer
  🔸 A collection of resources covering Nginx and more

Cheatsheets

  🔸 Nginx Cheatsheet
  🔸 Nginx Quick Reference
  🔸 Nginx Cheatsheet by Mijdert Stuij

Performance & Hardening

  🔸 WAF for Nginx
  🔸 ModSecurity for Nginx
  🔸 How to Build a Tough NGINX Server in 15 Steps
  🔸 Top 25 Nginx Web Server Best Security Practices
  🔸 Strong SSL Security on Nginx
  🔸 Nginx Tuning For Best Performance by Denji
  🔸 Enable cross-origin resource sharing (CORS)

Comparison

  🔸 BBC Digital Media Distribution: How we improved throughput by 4x
  🔸 Web cache server performance benchmark: nuster vs nginx vs varnish vs squid

Performance Analyzers

  🔸 ngxtop

Log Analyzers

  🔸 GoAccess
  🔸 Graylog
  🔸 Logstash

Online tools

  🔸 Online tool to learn, build, & test Regular Expressions
  🔸 Online Regex Tester & Debugger
  🔸 SSL Server Test
  🔸 Strong ciphers for Apache, Nginx, Lighttpd and more
  🔸 Analyse the HTTP response headers by Security Headers
  🔸 Analyze your website by Mozilla Observatory

from  https://github.com/fo0nikens/OpenProxy

 

fget

 A fast download program.

一般下载工具,都是按顺序下载,且服务器给一个每个链接提供的流量是有限制的 而fget是建立多个链接,同时下载,最后合并成目标文件

  • usage
  -H value
        http headers
  -o string
        out put file name
  -proxy value
        proxys url eg: http://192.168.1.2:8080
  -ps int
        block size (default 10)
  -th int
        thread counts (default 10)
  -uri string
        download url
  • examples
  1. fget -uri http://xxxxx

  2. fget -uri http://xxxxx -H "Referer: http://test.com" -H "Cookies: xxxxx"

     from https://github.com/BrockChen/fget

Master-List-of-HTML5-JS-CSS-Resources


This list started out as a blog post, with the intent of sharing a list of HTML5, JavaScript, and CSS3 resources that I found very useful. Feel free to read the original article to see what links I deemed relevent in January of 2011.

The structure of this list has changed from a single file (which can still be found here), to a more organized, yet still simple, collection of files. This should make it a bit easier to organize, digest, and maintain (for those who would like to contribute).

I have also taken a more opinionated stance on what to include, and what to recommend to others, based upon my experiences in the field, and my consumption of a varied and vast number of articles on the subjects. Note that most of the resources listed herein are free and open source. There are exceptions, but for the most part, you can obtain all the knowledge and tools you need to become a crack front end designer or developer thanks to the hard work of others. Please consider donating to individuals or purchasing tools whenever possible to help support this thriving ecosystem.

The new list is now broken up into the following topics:

Core Technologies

Popular Topics

Articles & Resources, Updated Daily

NOTE: I am in the process of migrating the old list into these new categories, while adding/subtracting/reorganizing at the same time. While it is a work in progress, you will still find useful information. Keep in mind, you can always see the original list here.

from https://github.com/gloparco/Master-List-of-HTML5-JS-CSS-Resources

pi_tor_socks

 Web interface for Raspberry Pi

https://nova.ws/pi-tor-socks/

from https://github.com/novaws/pi_tor_socks

socks-manager


动态生成socks5 用户名和密码

使用gost配合redis实现socks5认证

https://github.com/yknext/gost

from https://github.com/yknext/socks-manager

Pshell

 ICMP/IP tunnel manager for Linux.

这是一个 ICMP/IP 隧道管理脚本,从服务器到本地的全部操作,都可以通过这个脚本完成,目前完美支持主流 Linux 发行版(能运行最新版本 Docker 即可)。

可以用来做什么

  • 内网穿透(从外网访问内网的主机,比如在家里访问学校内网的资源)
  • 绕过认证(绕过一般的网络认证,比如绕过学校网络认证,直接上网)
  • 网络代理(又一个翻墙姿势,比如服务端放在海外就可以翻墙了)

功能

  • 支持服务器自动部署并启动,服务端遇到意外可以自动重启。
  • 支持本地自动部署并启动,支持 ICMP/IP 双协议隧道。
  • 支持断线自动重连。
  • 提供直观的监视器,可以实时查看连接状态。
  • 支持指定网卡分享 socks5 代理给他人。
  • 支持 socks5 转发为 http 代理。
  • 支持 TCP-BBR 算法,极大提高网速(需要内核支持)。
  • 密码认证。
  • 自动更新脚本。

待添加/修复功能

  • 支持自动修复 http 代理并允许指定 http 端口。
  • 自动启用负载均衡。
  • TCP-BBR 算法自动启用。
  • 添加 DNS Tunnel 功能。
  • proxy.list 文件最后一行不是空行会执行失败
$ ./Pshell.sh -h
------------------------------------------------------------------------------
   ___ ____ __  __ ____   _____ ____    ____  _          _ _ 
  |_ _/ ___|  \/  |  _ \ / /_ _|  _ \  / ___|| |__   ___| | |
   | | |   | |\/| | |_) / / | || |_) | \___ \| '_ \ / _ \ | |
   | | |___| |  | |  __/ /  | ||  __/   ___) | | | |  __/ | |
  |___\____|_|  |_|_| /_/  |___|_|     |____/|_| |_|\___|_|_|
  Email: i@zuolan.me                 Blog: https://zuolan.me
  一个隧道部署与代理管理的脚本。不加参数直接运行脚本即可连接。
------------------------------------------------------------------------------
  可选参数         -  说明
------------------------------------------------------------------------------
  -d (driver)    -  指定网卡(enp3s0|wlp2s0|eth0|wlan0),默认全部。
  -e (edit)      -  编辑配置列表。
  -f (fast)      -  快速模式(切换为 IP 协议隧道,速度更快,安全性降低)。
  -h (help)      -  显示帮助信息。更详细说明请阅读 README 文件。
  -k (kill)      -  杀死 autossh 和 sshd 进程(当连接长时间中断时使用)。
  -l (local)     -  安装本地守护容器。
  -m (monitor)   -  查看代理与容器运行的情况。
  -n (net)       -  统计代理端口的流量(-n set/unset 开启/重置流量统计)。
  -p (port)      -  选择本地 HTTP 代理端口(默认配置/etc/privoxy/config)。
  -s (server)    -  安装服务器守护进程。
  -u (update)    -  检测版本以及更新脚本。
------------------------------------------------------------------------------

安装

第零步、ssh 免密码设置

在本地生成一对密钥(邮箱替换为你的邮箱):

ssh-keygen -t rsa -b 4096 -C "i@zuolan.me"

把公钥(id_rsa.pub)内容复制粘贴到服务器的 ~/.ssh/authorized_keys 文件中:

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

第一步、服务器安装

执行 sudo ./Pshell.sh --server 即可自动安装并启动。服务器就一句话。

第二步、填写本地配置文件

现在回到本地,在运行脚本连接之前需要填写配置文件,模板如下。打开 proxy.list,然后按照下面的模板填写你的配置。

节点名称:容器名称:容器端口:Socks5端口:服务器IP:密码:密钥

例如:

广州:gz:8001:10001:123.45.67.89:pass1:~/.ssh/id_rsa.gz
香港:hk:8002:10002:123.45.67.89:pass1:~/.ssh/id_rsa.hk
青岛:qd:8003:10003:123.45.67.89:pass2:~/.ssh/id_rsa.qd
东京:to:8004:10004:123.45.67.89:password:~/.ssh/id_rsa.to

填完就可以进行下一步了,但如果你想更详细定义脚本变量可以在脚本头部中设置(不建议)。

第三步、本地电脑安装

执行 ./Pshell.sh --local 即可自动安装并运行。

使用

下面方法任选其一。

一、基于 SSH 的 Socks5 代理

1. ICMP 模式(限速150KB/s)

使用 ./Pshell.sh 直接运行脚本即为 ICMP 协议隧道,然后你可以使用配置文件中设置的 Socks5 端口(见安装步骤第二步)连接到外网。设置方法和普通 Socks5 端口使用一样。(例如 Google Chrome 中的插件 SwitchyOmega。)

2. IP 模式(不限速)

使用 ./Pshell.sh -f 即可启用 IP 协议的隧道,相比使用 ICMP 协议的隧道而言,IP 协议的隧道速度更快(有可能被云服务提供商误判为DDos攻击)。启用之后使用方式和 ICMP 模式一样,连接 Socks5 端口即可。

二、基于 IP 协议的端口映射

由于 SSH 的连接不是非常稳定,即便加了自动重连的方法还是会出现短暂的断网现象(自动重连大概要零点几秒),对于下载、游戏等过程有比较大影响,所以建议设置端口映射,由于 ICMP 协议速度不快,我就不写 ICMP 的端口映射了,用 ICMP 刷个网页基本不会感受到断网的情况。

由于脚本尚未完善,目前仅支持一台服务器的端口映射,如果你列表中有多台服务器,只会连接列表中的第一台服务器。

广州:gz:8001:10001:123.45.67.89:pass1:~/.ssh/id_rsa.gz为例,完成服务端和客户端的安装之后,在服务端启动一个代理(SS、SSR之类的你懂的软件),然后本地可以通过10.1.2.1这个地址连接到服务器的代理软件。

服务端完整示例:

# 安装 Pshell 服务端
$ ./Pshell.sh -s
# 安装 Shadowsocks 服务端
$ docker run -d --name ss -p 10001:10001 mritd/shadowsocks -s "-s 0.0.0.0 -p 10001 -k ss_password -m aes-256-cfb"

然后回到本地的电脑,安装好 Pshell 本地端之后(./Pshell.sh -l),打开 Shadowsocks 客户端,服务器地址为10.1.2.1,其他根据你的设置改变。

现在你可以使用 IP 协议稳定连接网络了。

扩展

一、Socks5 转 http

有些软件不支持 Socks5 代理协议,所以提供端口转换功。

使用 ./Pshell.sh -p <port> 可以指定其中一个 socks5 端口转换为 http 端口(转换后 http 协议代理端口为 8118)。

端口转换功能是保存起来的,不需要每次运行都指定它,除非你想重新指定转换的 socks5 端口。

二、分享 Socks5 端口

如果你想分享代理给他人用,可以使用 ./Pshell.sh -d <enp3s0> 参数指定网卡分享 Socks5 端口。

常用的网卡有 enp3s0|wlp2s0|eth0|wlan0 这些,使用 ifconfig 命令可以查看。

注意一点就是 Privoxy 的 8118 端口默认为仅 localhost 访问,如果需要他人访问,你还需要修改 localhost 为其他地址(例如 0.0.0.0),这样他人可以通过这个 http 端口访问外网。

三、重启 sshd 进程

在使用过程中可能会出现 sshd 进程崩溃的情况,这时候明明没有连接异常但死活连不上。

这个时候你可以使用 ./Pshell.sh -k 参数来杀死崩溃 sshd 进程并手动执行 ./Pshell.sh 重新启动 sshd 进程。

最后

使用 alias 指定脚本为特定命令即可更加方便启动。

其他功能自己发现(其实也没什么其他功能了),在脚本中可以看到全部可选参数。

frm   https://github.com/izuolan/Pshell

tawdemo-socks5-c


tawdemo-socks5-c为一个C语言编写的sock5代理工具DEMO,需要同时部署客户端和服务端。

本项目仅作研究linux底层网络通信学习使用。不具备生产特性,请勿用于生产环境。

ps: 个人并不是专业写C语言的,使用C语言只是为了加深对网络协议底层处理的了解,因此项目代码风格非常糟糕,请勿随意模仿,还请见谅

环境

系统:linux或mac

使用方式

1. 构建编译
git clone tawdemo-socks5-c
cd tawdemo-socks5-c
cmake .
make
2. 使用

客户端

./tawdemo-socks5-c -P [本地监听端口] -c -h [服务器地址] -p [服务器端口]

服务端

./tawdemo-socks5-c -P [本地监听端口] -s

版本信息

v1.0

初版,仅支持不设密码的sock5协议,仅支持TCP代理,客户端与服务端之间未做压缩/加密处理。只具备初步可用性。

frm  https://github.com/lyytaw/tawdemo-socks5-c

-----

socks5 server/client demo.

This repository implement a simple socks5 server and client according to rfc1928(partially), rfc1929

Only support TCP CONNECT currently.


from https://github.com/kumakichi/go-socks5 (估计server and client之间的连接也是未加密的。)

-----------------------------------------------------------

"客户端与服务端之间未做压缩/加密处理",搭配stunnel后,即可安全翻墙:

https://briteming.blogspot.com/2012/01/vpsstunnel.html 

Monday, 30 May 2022

习李内外危机难解 拜登逢百年机遇

 

习近平下,李克强上?中共政坛的变化让人眼花了乱,外国人看蒙了,连中共官场的干部也蒙了。习近平的一尊权威为何遭到挑战?失业率上升,社会不稳,政权不稳,中共元老出手,党内斗争加剧。两大极权衰落,百年未有之机遇就在眼前。拜登老而精明,美国不断出手,十面埋伏,步步进逼。美中俄三国大戏卷入全球各国。

习近平清零抗疫 李克强提振经济 官员两难

近一段时间来,习近平在电视报刊露脸的机会少了,李克强忽然大大露脸,四处救经济。一个强调清零不谈经济,一个强调经济不问清零,给人感觉中央两派唱对台戏。

彭博社5月26日报导说,负责在基层实施政策的中共官员不太确定到底该听谁的:习近平继续强调要坚决推动清零政策,而李克强则不断敦促他们提振经济。

5月25日,李克强召开十万干部大会,号称“全国稳住经济大盘电视电话会议”。报导说,李克强对经济发出“迄今为止最严厉的警告”,要求官员们要更好地平衡疫情控制和经济增长。

据中共官方媒体报导,第二天(26日),“国务院稳增长稳市场主体保就业专项督查组”已经出现在河南、山东、陕西、辽宁、江苏、安徽、湖北、湖南、四川、福建、浙江等省分,确保地方在5月31日前能推动落实相关政策。督察组还是部级领导担任组长的高规格小组。

如果中共疫情防控方式不变,许多地方处于严格的封控下,这些提振经济举措将如何实施呢?

有专家认为,李克强面临不可能完成的任务——在不能调整清零政策的同时要挽救经济。瑞银5月24日把中国全年GDP增长预期从4.2%下调至3%。

如果不是中国经济面临重大危机,不是党内权力斗争发生重大变化,习近平不会在二十大三连任之际,做出如此重大让步,让之前被自己压制的李克强突然如此活跃,让李克强出面召开十万干部大会,并部署督察组奔赴各省督察经济。

5月5日,习近平在中央政治局常委会上,还强调要毫不动摇地坚持“动态清零”,“坚决和一切歪曲、怀疑、否定中国防疫方针的言行做斗争”,但是没有提到如何减少对经济造成的损害。而同一天,李克强在国务院常务会议上,却大谈如何“帮扶外贸企业”。

李克强从上海封城以来,多次召开经济会议,从4月上旬至今至少有5次,呼吁稳住经济大盘,但基本不提“动态清零”。而习近平只顾“清零”,不提经济,中共两个最高的领导人,像两匹马拉着一辆车背道而驰。

年轻的失业大军何去何从

中共“清零”防疫自毁经济,老百姓深有痛感。国进民退,大型科企被中共整肃,纷纷裁员。

中小企业也难以生存。疫情封控导致商店关门,影院歇业,工厂停工,服务业停摆,学校放假;它困住了消费者,困住了工人,制造了物流混乱,甚至经济停摆。后果就是失业率飙升,社会不稳定。

主打年轻人市场的白酒品牌江小白被爆出裁员千人、杭州分公司裁40%,但江小白回应裁员可能只涉及一两百人。媒体报导称之为“裁员风波”。

白色家电龙头美的集团也卷入“裁员风波”。有网友发帖称,美的裁员比例高达50%。但美的集团人士说这是谣言。不过多名美的在职和离职员工对财新确认,最近一两个月中,公司不少人离职,涉及多个部门,但具体比例尚难以估计。

不管怎么说,中国失业率飙升已经遮掩不住。中共国家统计局5月16日公布数据显示,4月全国城镇调查失业率上升至6.1%,其中16到24岁的青年失业率达到18.2%,创历史新高。这还可能是缩水的数据。

2022届中国大学毕业生的数量高达空前的1076万。中国“智联招聘”5月发布的《2022大学生就业力调研报告》显示,到目前为止,男生的签约率22.2%,比上年的54.4%萎缩了几乎一半,女生的签约率是10.4%,更是只有上年的40.1%的几乎1/4

“小鹏汽车被曝毁约20余名应届生”的话题,近日就登上了微博热搜榜。北京4月份还发布了“北京市2022年高校毕业生到农村从事支农工作”,感觉像过去的“上山下乡”了。

城市失业人口大量增加,尤其是受过教育的年轻人找不到工作,他们对当局和社会的不满情绪急剧上升。

北京大学生频爆抗议 社会不稳上升

目前恰恰邻近六四纪念日,因为疫情封控,北京高校频频爆发学生抗议。

5月26日晚,天津大学的学生因不满当局的极端防疫而举行集会示威活动,并高喊口号:“打倒官僚主义!”紧邻的南开大学也出现抗议活动。

24日晚,北京师范大学学生在校内游行,获校方口头表示让步。

23日晚,中国政法大学也爆发抗议活动。次日校方发出通知,允许学生有条件申请离校。

15日晚,北京大学学生聚集在校园,集体抗议学校连夜建墙隔离。北大副校长陈宝剑到现场喊话,最后学生推翻了围墙。事件在网络上引起热议,但相关视频、话题很快被删除。

京津重地的大学近日频繁爆发学生抗议,可想而知,社会不满演化到何种程度。中共非常担心六四学生运动会重演。

习近平的“一尊”权威为何被动摇

2021年9月,英国商人沈栋在美国出版《红色赌盘:当今中国财富,权力,腐败和复仇的内幕故事》一书,书中大爆中共高层内斗、权贵捞金的内幕。书中提到作者夫妇与70~80年代担任过副总理的谷牧的孙子刘诗来曾经是邻居。沈栋和刘诗来谈起过六四运动。

刘说6月3日当军队进驻天安门的时候,当时十几岁的他和家人躲在北京市中心有警卫看守的四合院的房子里,他记得他的亲戚是多么害怕示威者真的会成功推翻共产党。6月3日晚上,刘的祖父谷牧把AK-47放在腿上,守在房子里。在外面,中共军队血腥屠杀抗议者并清理了天安门广场。谷牧是邓小平的盟友,原名刘家语,2009年病逝。

这个故事告诉我们,中共权贵多么害怕失去权力。亡党危机时时威胁着中共统治者,随着经济下滑,中共执政的合法性进一步消失。老干部们不干了,庞大的中共既得利益集团,必定干涉当前的执政者,所以才出现文章开头说的,习近平“一尊”权威动摇,李克强出面救经济。李克强出面未必是直接跟习近平对着干,或许是党内达成一定共识,习近平被迫让步,不管他是否情愿。可以想象,当前的危机导致中共内部乱成一团,改革开放的红利没了,中共垮了,权贵们的富贵也没了,甚至身家性命难保,所以党内元老和反对势力出面,横加干涉,要让“一尊”改弦易辙,否则不惜把他拉下马。权威比肩毛邓的习近平,这才肯让步

这个猜测可以从一个侧面得到印证。5月15日,中共中央办公厅印发《关于加强新时代离退休干部党的建设工作的意见》,要求离退休干部“不得妄议党中央大政方针,不得传播政治性的负面言论,不得参与非法社会组织活动”。过去是要求党员“不得妄议党中央大政方针”,现在破天荒要求退休老人也“不得妄议”。

布林肯“发起全面战略竞争或战争的宣言”

在习李为内政和内斗焦头烂额之际,外部的压力也急遽上升。美国国务卿布林肯5月26日发表对华政策演讲,指出中共对国际秩序构成最严峻的长期挑战,美国的战略是:“投资、结盟和竞争”,即进一步投资美国国内建设,巩固盟友体系以及在“实力基础上”同中国(中共)展开公开、公平的竞争。

美国对华政策过去说的是“竞争、对抗与合作”三分法,现在改为“投资、结盟和竞争”,重心落在“竞争”上。美国对内投资也好,对外结盟也好,目的是和中共竞争。按照中共专家的话说“大有调动全球力量推进对华竞争的架势”。

布林肯点名习近平和中国共产党,“在国内变得更加具有压制性,在国外变得更加咄咄逼人”。

布林肯说,“我们同中国共产党和中国政府有重大分歧。但这些分歧存在于政府和制度之间——不存在于人民之间。

布林肯还明确表态人权问题是普世价值,美国必须过问。

布林肯的讲话全文被中共全网删,中共大力放送官媒和网民对布林肯讲话的批评和谩骂。

中共外交部发言人汪文斌在例行记者会上反驳,称这篇演讲“实质是散布虚假信息,渲染中国(中共)威胁,干涉中国(中共)内政,抹黑中国(中共)内外政策”。

中共外交部发言人华春莹则在推特上连发11条推文反驳。

2021年3月拜登在就任总统后的首次新闻发布会上为中美竞争定调,“这是21世纪的民主与专制的较量”。

布林肯这次演讲中讲到,“但我们不能指望北京改弦更张。因此,我们将塑造北京所处的战略环境,以推进我们建设一个开放和包容的国际体系的愿景。”

美国如何塑造北京所处的战略环境?那就是十面埋伏,全球围堵中共

布林肯在讲话中历数美国为对抗中共所做的种种努力,并列举他们的盟友团队。虽然布林肯讲话被美国鹰派批评还不够强硬,但虚弱的中共已经感到压力山大了。

布林肯提到,拜登总统启动了美印在内的13国印太经济繁荣框架(Indo-Pacific Economic Framework for Prosperity)。

拜登出席了四方(Quad)国家领导人峰会——澳大利亚、日本、印度和美国,启动了新的印太海域意识伙伴关系,应对中共在海域的扩张。

拜登本月早些时候在白宫主持了美国-东盟峰会,还在印太和欧洲伙伴之间构筑桥梁,其中包括邀请亚洲盟国下月出席马德里举行的北约峰会。

布林肯提到被称为“AUKUS”的澳英美国三国新安全联盟,北约比以往任何时候都更加强大(因为俄乌战争)。

布林肯还列举二十国集团(G20),七国集团(G7)之间的合作,以及美国去年启动了美国-欧盟贸易和技术委员会(U.S.-EU Trade and Technology Council),主持召开了重振全世界民主的全球峰会。

等等这一切,都剑指中共。诚如华春莹反驳中说的那样,“布林肯演讲听起来更像是针对中国发起全面战略竞争或战争的宣言”

两大极权流年不利 拜登逢百年未有之机遇

为什么拜登敢于大打出手?因为今年国际局势发生了重大变化。中共的老大哥俄罗斯已经被美国联合欧盟,由乌克兰出面打残了。俄罗斯对美欧联盟不再构成主要威胁,在布林肯演讲中,中共是美国目前全球唯一的主要威胁。

中俄两大极权统治者今年犯下“颠覆性”错误,俄罗斯入侵乌克兰,却不堪一击。拜登抓住机会,亲自上阵攻击普京,美国大力拨款,武器弹药应给尽给,经济制裁前所未有,全球联合齐心协力,把俄罗斯打入第三世界国家。

如今中共清零封城,打压科技企业,战狼四处出击,自己把自己折腾得半死不活。党内反对派顺势而起,习近平权威遭到挑战;为保连任,习近平奋力反击,自顾不暇。

美国情报机构目光如炬,拜登老而精明,俄乌战争大局已定,对中共的外部包围圈已经形成,美国围堵中共再无顾忌

推倒“红墙”,让共产主义阵营解体,此时不出手更待何时?中共面临的生存危机,或许超出外界的想象。亡党恶梦不再是梦,而是步步紧逼的现实。

拜登身边的情报人员和智囊团应该已经看到了,百年未有之机遇来临。这一届政府虽然内政搞得不佳,但是两大极权政体更烂,如果顺势解除它们对全球的威胁,拜登政府将建立不世之功,名垂青史。

拜登趁机访问亚洲,将之前亲共的韩国拉入对抗中共的联盟,建立亚太经济框架,重组供应链,稳固亚洲小北约,巩固包围圈,并第三次“失言”说要武力保卫台湾。拜登亚洲行之前,还在白宫召集东盟会议,联合对抗中共。所以,美国在亚洲有日韩、东盟、台湾,南半球有澳洲、新西兰,大西洋有英国、欧盟等盟友,明火执仗,联合全球对抗中共

识时务者为俊杰。中共体制内的人,应该为了自己和家人留后路,寻出路,不要临时抱佛脚。海外正义媒体的话虽然忠言逆耳,但是关乎您的身家性命,不可不察。

linux桌面系统上的全局代理程序Sixtysocks


Building Sixtysocks

You will need the following packages:

Then run:

qmake
make

Quick start guide

This section is meant to help you quickly setup a transparent SOCKSv6 proxifier and a proxy.

Creating a certificate DB

If you don't want to run SOCKS on top of TLS, you can skip this section.

Start off by creating a self-signed certificate (you must provide a non-empty CN):

openssl req -x509 -newkey rsa:4096 -keyout socks.key -out socks.crt -days 365

Next, create the database:

certutil -N -d /path/to/database

Add the certificate:

certutil -A -a -n socks -i socks.crt -t "cCu,," -d /path/to/database

Finally, convert the key to PKCS12 format and add it to the DB:

openssl pkcs12 -export -out socks.pfx -inkey socks.key -in socks.crt -certfile socks.crt
pk12util -i socks.pfx -d /path/to/database

Setting up proxification rules

You'll need to get iptables to redirect the traffic that must be proxified to the proxifier. In this example, all TCP traffic created by the user proxyme will be redirected to the local port 12345.

iptables -t nat    -N SIXTYSOCKS
iptables -t mangle -N SIXTYSOCKS
iptables -t mangle -N SIXTYSOCKS_MARK

iptables -t nat -A SIXTYSOCKS -p tcp -m owner --uid-owner proxyme -j REDIRECT --to-ports 12345

iptables -t nat    -A OUTPUT     -p tcp -j SIXTYSOCKS
iptables -t mangle -A PREROUTING        -j SIXTYSOCKS
iptables -t mangle -A OUTPUT            -j SIXTYSOCKS_MARK

The proxifier

Run the proxy and proxifier as follows:

./sixtysocks -m proxy -t <proxy port> -C /path/to/database -n socks
./sixtysocks -m proxify -l 12345 -s <proxy IP> -p <proxy port> -C /path/to/database -S <proxy CN>

If you don't need TLS, use these commands instead:

./sixtysocks -m proxy -l <proxy port>
./sixtysocks -m proxify -l 12345 -s <proxy IP> -p <proxy port>

Optionally, you can also require authentication by supplying both the proxifier and proxy with a username and a password. Just append the following arguments:

-U username -P password

DNS (optional)

Optionally, you can install Dnsmasq (or some other local DNS proxy). Sixtysocks will redirect all requests to 0.0.0.0:53 to 127.0.0.1:53.

from https://github.com/45G/sixtysocks

netfilter-spooftcp


A lightweight kernel module/iptables extension for sending spoofed TCP packets。
This is a kernel-space, partial implementation of this paper

Build

Prerequisites:

  • kernel headers
  • xtables headers

Kernel Module

$ make
# insmod xt_SPOOFTCP.ko

iptables Extension

Copy libxt_SPOOFTCP.so to iptables library folder, say /lib/xtables.
Run iptables -j SPOOFTCP --help and see if it prints the help message of this module.

Usage

ip6tables -t mangle -A POSTROUTING -d 2001:db8::/64 -p tcp --dport 80 --syn -j SPOOFTCP --tcp-flags SYN,ACK

This will sent a spoofed SYN,ACK packet prior to the matched (original) SYN packet.
There are mechanisms to prevent the spoofed packets from being tracked by nf_conntrack or being matched by another SPOOFTCP rule.

Known issue

Incompatible with SNAT because the spoofed packets bypass nf_conntrack.

Use either one of the workarounds below:

  1. Use --masq parameter. It re-implements MASQUERADE statelessly, but it won't work in case of port changes or custom SNAT rules.
  2. Patch the kernel to add a chain in raw table. The chain is hooked after SNAT. Tested on kernel 4.14 and 4.19

from https://github.com/hippocampi/netfilter-spooftcp

 

VPN-Launchpad

 Build VPN server on AWS EC2 with QR code support. Build SOCKS/HTTP/DNS proxy locally. Support Ubuntu, OSX and Debian variants like Raspbian.

EC2 VPN server builder with multiple VPN support including L2TP, Shadowsocks, V2ray, Brook and Trojan.

Works in Ubuntu(Xenial and above), Mac OSX(Yosemite and above) and Debian(Buster and above) variants including Raspbian. Running in Windows with dind (Docker in docker) container is possible, but not yet verified.

docker-build

How it works

Command vlp creates EC2 instance with VPN services installed out of box. Command lproxy creates proxy (SOCKS/HTTP/DNS) container running locally on your PC, Mac or Raspberry Pi, which tunneling all traffic through the VPN server on EC2. AWS account ID/key are necessary.

Quick start on Ubuntu / Debian(Buster) / Raspbian

1. Dependencies installation

$ sudo apt-get update; sudo apt-get install docker.io git dnsutils curl whois
...
$ sudo usermod -aG docker `whoami`; exit

Note: It is necessary to log out current session and back to get docker group setting take effect.

Note: For Raspberry Pi users, please update to Raspbian Buster before Docker installation as Docker version earlier than 18.09 is not supported any more.

2. Initialize AWS credential and VPN server region

$ git clone --recurse-submodules https://github.com/samuelhbne/vpn-launchpad.git
$ cd vpn-launchpad
$ ./vlp init
AWS Access Key ID [None]: INPUT-YOUR-AWS-ID-HERE
AWS Secret Access Key [None]: INPUT-YOUR-AWS-KEY-HERE
Default region name [ap-northeast-1]:
Default output format [json]:
Done.
$

Note: './vlp init' need to download docker image(about 100MB) during the 1st time execution. However hub.docker.com might be 'throttled' mysteriously in certain country. Please try './vlp --from-src init' instead to build the docker image from source in case './vlp init' stuck on downloading over 10 minutes without progress.

3. Build VPN server on AWS

$ ./vlp build --without-random --with-sslibev
...
Shadowsocks-URI: ss://YWVzLTI1Ni1nY206U1NTTElCRVYtUEFTUw==@13.231.224.253:28388#VLP-shadowsocks
...
Scan QR code above from Shadowsocks compatible mobile app to connect your mobile phone/tablet.
Done.
$

QR code example

4. Connect from your mobile phone

Scan the QR code generated above from Shadowsocks compatible mobile app (Shadowrocket for iOS or Shadowsocks for Android etc.) to connect your mobile phone/tablet and enjoy.

5. Build local proxy on Ubuntu / Debian(Buster) / Raspbian [optional]

Please jump to step 8 if PC/Mac browser connection is not your goal.

$ ./lproxy build v2ray
...
Setting up local proxy daemon...
Done.

Starting up local proxy daemon...
Done.

Wait 15s for local proxy initialisation...
Done.

Local proxy is running.

VPN sever address: 13.231.224.253

Checking SOCKS5 proxy on 127.0.0.1:1080 TCP ...
curl -sSx socks5h://127.0.0.1:1080 http://ifconfig.co
13.231.224.253
SOCKS5 proxy check passed.

Checking HTTP proxy on 127.0.0.1:8123 TCP ...
curl -sSx http://127.0.0.1:8123 http://ifconfig.co
13.231.224.253
HTTP proxy check passed.

Checking DNS server on 127.0.0.1:65353 UDP ...
dig +short @127.0.0.1 -p 65353 twitter.com
104.244.42.1
104.244.42.193
Checking 104.244.42.1 IP owner ...
docker exec -it proxy-sslibev whois 104.244.42.1|grep OrgId
OrgId:          TWITT
DNS server check passed.

Done.
$

Note: './lproxy build' need to download docker image(about 90MB) during the 1st time execution. However hub.docker.com might be 'throttled' mysteriously in certain country. Please try './lproxy build --from-src' instead to build the docker image from source in case './lproxy build' stuck on downloading over 10 minutes without progress.

6. Browser configuration [optional]

Now modify connnection settings for Firefox, Safari or Chrome according to the proxy port settings given above.

7. Stop and remove local proxy container from Pi box after surfing [optional]

$ ./lproxy purge
Local proxy found. Purging...
Done.
$

8. Terminate VPN server instance from AWS after surfing

$ ./vlp purge
...
Waiting Instance shutdown...
Done.

Removing Security Group of vlp-bionic...
Security Group Removed.

Deleting SSH Key-Pair of vlp-bionic...
Done.
$

Note: Terminating VPN server instance from AWS after surfing is always recommended. It removes the potential trails from cloud to protect your privacy as well as reduces the cost for AWS service hiring in case you are not AWS free tier user.

Quick tour for getting AWS account ID and key

  1. Create an new AWS free account here if you don't have. I'm not affiliate.
  2. Login into AWS IAM console with your account.
  3. Click "User" from left side then click "Add user" button on the top
  4. Input the "User name" and tick "Programmatic access" box below
  5. Click "Next: Permissions" button
  6. Click "Create group" button
  7. Fill "Group name" with "vlpadmin" and tick "AmazonEC2FullAccess" selection box which on the top of the policy list
  8. Click "Create group" blue button at the bottom right of the page.
  9. Tick the "vlpadmin" selection box in "Add user to group" page
  10. Click "Next: Tags", click "Next: Review" then click "Create user" button
  11. Click "Show" link
  12. Now you get the "Access key ID" and "Secret access key" that necessary for vpn-launchpad running

Follow the official AWS doc page for more details

Full command Usage

VPN server management

$ ./vlp
vlp [--from-src] <command> [options]
  --from-src            -- Build dependency container from source rather than docker image downloading
    init                -- Init aws account credential.
    build               -- Build VPN server.
      --from-src        -- Build VPN server from source rather than docker image downloading
      --with-brook      -- Build VPN server with Brook services installed
      --with-l2tp       -- Build VPN server with L2TP services installed
      --with-v2ray      -- Build VPN server with V2Ray services installed
      --with-trojan     -- Build VPN server with Trojan services installed
      --with-sslibev    -- Build VPN server with Shadowsocks services installed
      --with-random     -- Build VPN server with VPN passwords randomisation.
      --without-random  -- Build VPN server without VPN passwords randomisation.
    status              -- Check VPN server status.
      --with-qrcode     -- Print Shadowsocks and V2Ray connection QR Code.
    purge               -- Destory VPN server instance.
    random              -- Randomise VPN passwords.
    ssh                 -- SSH login into VPN server instance.

Local proxy management

$ ./lproxy
lproxy <command> [options]
  build            -- Build local proxy container.
    --from-src     -- Build local proxy container from source rather than docker image downloading.
      brook        -- Build local proxy container that connect to VPN server via Brook connector
      sslibev      -- Build local proxy container that connect to VPN server via Shadowsocks connector
      trojan       -- Build local proxy container that connect to VPN server via Trojan connector
      v2ray        -- Build local proxy container that connect to VPN server via V2ray connector
  status           -- Check local proxy container status.
  purge            -- Destory local proxy container.

Note: Please build VPN server before local proxy building.

Note: Component depency fetching from golang.org is necessary during the progress of building v2ray/brook with '--from-src' switch. However, golang.org access might be blocked in cetain country hence lead to the consequent building failure. Please remove '--from-src' switch (which means build from docker hub images fetching) if that is your case.

VPN server configuration

Password, encryption method and listening port configuration for Shadowsocks server

$ cat server-sslibev/server-sslibev.env
SGTCP="28388"
SGUDP="28388"
SSPORT="28388"
SSPASS="SSSLIBEV-PASS"
SSMTHD="aes-256-gcm"
$

NOTE: Please ensure SGTCP/SGUDP and SSPORT are the same value to guarantee that AWS enabled the specific TCP/UDP port for incoming connection which server-sslibev service listened.

NOTE: Please run './vlp purge; ./vlp build' to get the new Shadowsocks server configuration applied.

Credits to shadowsocks-libev

UUID, V2RAYAID, V2RAYLEVEL configuration for V2Ray server

$ cat server-v2ray/server-v2ray.env
SGTCP="10086"
V2RAYPORT="10086"
V2RAYUUID="2633f6b5-0032-4f9e-ae1d-c21d9010cd27"
V2RAYLEVEL="1"
V2RAYAID="64"
$

NOTE: Please ensure SGTCP/SGUDP and V2RAYPORT are the same value to guarantee that AWS enabled the specific TCP/UDP port for incoming connection which server-v2ray service listened.

NOTE: Please run './vlp purge; ./vlp build' to get the new V2Ray server configuration applied.

Credits to V2Ray

Fake domain, Duckdns domain, Duckdns token, Trojan password configuration for Trojan server

$ cat server-trojan/server-trojan.env
SGTCP="443:8443"
TRJPORT="443"
TRJPASS="TROJAN_PASSWORD"
TRJFAKEDOMAIN="www.microsoft.com"
DUCKDNSTOKEN="6ad424a4-1cc3-4cf7-87ec-0f61ce2c9416"
DUCKDNSDOMAIN="myduckdomain"
DUCKSUBDOMAINS="wildcard"
$

NOTE: You need to register a free domain name on duckdns.org first.

NOTE: Please replace DUCKDNSTOKEN with the token obtained from the top of your duckdns.org home page after login.

NOTE: Please replace DUCKDNSDOMAIN with the domain name you registered on duckdns.org.

NOTE: Please run './vlp purge; ./vlp build' to get the new Trojan server configuration applied.

Credits to Trojan

Username, password and pre-shared secret configuration for Softether L2TP server

$ cat server-softether/server-softether.env
...
PSK=YOUR-SHARED-SECRET
USERS=user0:pass0;user1:pass1;
...
$

NOTE: Please run './vlp purge && ./vlp build' to get the new L2TP server configuration applied.

Credits to Tomohisa Kusano and SoftEtherVPN

Local proxy configuration

SOCKS/HTTP/DNS port for local proxy

$ cat proxy-sslibev/proxy-sslibev.env
SOCKSPORT="1080"
HTTPPORT="8123"
DNSPORT="65353"
$

NOTE: Please run './lproxy build' to get the new Shadowsocks client configuration applied.

Credits to shadowsocks-libev

Before running

Docker installation is necessary for running vlp and lproxy. curl and dig will be used by 'lproxy status' for connection test and diagnosis but not compulsory.

Dependencies installation for Ubuntu / Debian(Buster) / Raspbian

$ sudo apt-get update; sudo apt-get install docker.io git dnsutils curl whois
...
$ sudo usermod -aG docker `whoami`; exit

Docker installation for Mac OSX

https://store.docker.com/editions/community/docker-ce-desktop-mac

Connect to the VPN server via Shadowsocks/V2Ray/Trojan protocol from mobile devices

Both "vlp build" and "vlp status --with-qrcode" spit QR codes (for Shadowsocks, V2Ray and Trojan) to facilitate the connection from mobile devices via QR supported app like Shadowrocket for iOS, or Shadowsocks, v2rayNG and Igniter (QR code scanning is unavailable so far) for Android. Simply scanning the QR code from these apps will create a new connection entry. Connect to it and Enjoy. QR code example

All credits to qrcode-terminal

Connect to the VPN server via L2TP

https://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server

Cleaning Before upgrading

Image/container names may changed after upgrading. Please do the following before upgrading:

  1. purge VPN server(s) and local proxy container you previously created via 'vlp' and 'lproxy';
  2. Stop and remove existing vpnlaunchpad and lproxy containers;
  3. Remove existing vpnlaunchpad and lproxy images.

Please follow the instructions here to do the cleaning:

$ ./vlp purge
...
$ ./lproxy purge
...
$ docker stop `docker ps -a|grep samuelhbne|awk '{print $1}'`
$ docker rm `docker ps -a|grep samuelhbne|awk '{print $1}'`
$ docker rmi `docker images |grep samuelhbne|awk '{print $3}'`

Running in dind (Docker in Docker) container

It is possible to run vpn-launchpad in dind container if Ubuntu is not your option. The following instructions will start a dind container with necessary local proxy port mappings, install package dependencies inside the container, create a non-root user with docker service access, and start vlp/lproxy consiquently.

$ docker run --privileged --name vlpdind -p 1080:1080 -p 8123:8123 -p 65353:65353 -d docker:stable-dind
$ docker exec -it vlpdind sh
/ # apk add bash shadow git curl bind-tools whois
/ # adduser -s /bin/bash -D vlp
/ # usermod -aG root vlp
/ # su - vlp
72d645e47cb2:~$ git clone https://github.com/samuelhbne/vpn-launchpad
72d645e47cb2:~$ cd vpn-launchpad/
72d645e47cb2:~/vpn-launchpad$ ./vlp init
72d645e47cb2:~/vpn-launchpad$ ./vlp build --without-random --with-v2ray
72d645e47cb2:~/vpn-launchpad$ ./lproxy build v2ray
...

FAQ

Frequently Asked Questions

from https://github.com/samuelhbne/vpn-launchpad

 

iphone-socks-proxy

 

SOCKS - SOCKS Proxy for iPhone
 #  Copyright (C) 2009 Ehud Ben-Reuven
 #  udi@benreuven.com
 

This is an iPhone App that is a SOCS Proxy. It allows you to connect your laptop to the
Internet through the iPhone's 3G/Edge connection (tethering.)
If you want to install the application on your iPhone you will have to build and install
the App from the the supplied code.
 * Pay Apple for iPhone development program
 * get a development certificat from Apple's developers portal
 * download the entire source code to a Mac
 * double click SOCKS.xcodeproj
 * in the left panel select Targers and then select SOCKS
 * press the "i" Info button on the top
 * select Properties tab
 * In the Identifier field change "symfi" to your company name
 * connect an iPhone using a cable
 * click Build and Debug
  

In order for this to work you need to follow few steps
Instructions for Mac:
 * On your laptop start an add-hoc Wi-Fi network:
  * System Preferences->Network
  * select AirPort
  * click on Network Name and select Create Network
  * in Name enter "mywifi", press OK, press Apply
 * Connect you iPhone to the add-hoc wifi network:
  * Settings->Wi-Fi
  * select "mywifi"
 * Run this SOCKS App on your iPhone
 * In the SOCS Proxy tab press Start
 * configure your laptop to use SOCKS:
  * System Preferences->Network->Advanced...->Proxies
  * select SOCKS proxy
  * in the SOCKS Proxy Server field enter the address and port that appear on your iPhone screen
  * press OK
  * press Apply
from https://github.com/halogenica/iphone-socks-proxy 
-----
SOCKS server for iOS. Handy for defeating tethering speed limits, among other uses. 

SOCKS5 server for iOS

This app implements a very simple SOCKS5 server for iOS. You can use it to increase your tethering speeds when they are artificially limited; other uses are possible.

It is not distributed via the App Store because it'd probably get rejected.

Usage is simple: download this repo, git submodule update, and then build & deploy from XCode. Then set your system/browser SOCKS5 proxy to whatever it says on the screen (e.g. 172.20.10.1:4884) and away you go.

UPDATE: Because sideloading apps is a pain, I recommend using nneonneo/iOS-SOCKS-Server instead; it's a Python script that can be easily loaded into Pythonista for iOS and used forever without sideloading restrictions.

from https://github.com/nneonneo/socks5-ios

-----

SOCKS proxy server for iOS designed for Pythonista .

What

A simple SOCKS proxy designed to run on Pythonista on iOS, letting you fake-tether your devices to a phone.

Installation

  • Install Pythonista from the App Store. It's a paid app, but it's worth every penny if you are a power user.
  • Download the code from GitHub.
  • Open the Files app, navigate to Downloads, and tap on the zip file to uncompress it.
  • Move the resulting iOS-SOCKS-Server folder to the Pythonista iCloud directory
  • Open Pythonista, navigate to iCloud, iOS-SOCKS-Server and open the socks5.py script.
  • Optionally, you can tap on the wrench and select Shortcuts... to add the script to your home screen.

Running

  • Connect your devices to the same WiFi network as your phone. If there's no suitable network, you can create a computer-to-computer (ad-hoc) network using your laptop and connect to it with your phone.
  • Open the home screen shortcut (if you made one), or open the socks5.py script in Pythonista and hit Run.
  • Point your devices at the SOCKS proxy listed (on port 9876), or point them at the PAC (proxy autoconfiguration) URL if they don't support setting a SOCKS proxy (e.g. other iOS devices).

Why

Recently, while travelling in China, I found out that Google Fi doesn't support tethering on iOS (I guess it's a feature they want to keep Android-exclusive or something?). Since my phone has a nice, fast, unblocked connection, I wanted to let my computer access it too.

I previously wrote Socks5-iOS for doing exactly this, but it turned out to be quite cumbersome to deploy and modify. Plus, the app expires frequently (if you don't have an iOS developer account), which makes it annoying if you need it in a pinch. Enter Pythonista - an App Store app which puts a complete Python interpreter on iOS.

This script can be used to implement a functional alternative to tethering, which I refer to fake-tethering. Fake-tethering has some substantial advantages over standard iOS tethering. It works even when carriers ban tethering, and it bypasses limits set on tethering speed since all connections originate from the phone.

While it's easiest to use this with websites, it's actually possible to tunnel any TCP connection over a SOCKS proxy. For example, here's how you would proxy an SSH connection:

ssh -o ProxyCommand='nc -X 5 -x <IP>:9876 %h %p' user@host

Troubleshooting

Doesn't work with an ad-hoc network on macOS

macOS appears to incorrectly assess the Internet as unreachable with an ad-hoc network, even if a proxy is configured. A workaround for this, tested on macOS 10.14, is described under issue #1.

from https://github.com/nneonneo/ios-socks-server