Setting up a SOCKS proxy server with dante-server and stunnel

2013.12.04 / 2016.08.30, published in Notes

A summary of how to set up a SOCKS proxy server on Ubuntu with Dante and stunnel, kept for future reference.

dante-server is a free SOCKS proxy server, and stunnel uses OpenSSL to encrypt the traffic between client and server. The versions used here are:

  • Ubuntu: 16.04 x86_64
  • dante-server: v1.4.1
  • stunnel: 5.30

Installing and configuring dante-server

Installing dante-server

apt-get install dante-server

Configuring dante-server

The dante-server package in the repository is too old, so the source is downloaded from the official site and built instead:

apt-get install build-essential libpam0g-dev libwrap0-dev

wget https://www.inet.no/dante/files/dante-1.4.1.tar.gz
[ "$(md5sum dante-1.4.1.tar.gz | cut -d ' ' -f 1)" = "68c2ce12119e12cea11a90c7a80efa8f" ] \
    || echo invalid dante source

tar xvf dante-1.4.1.tar.gz
cd dante-1.4.1
./configure
make
make install

After installation the daemon lives at /usr/local/sbin/sockd. The init script from the Ubuntu dante-server package is reused to manage the service, and the configuration file is /etc/danted.conf. Notes on the configuration:

  1. Listen only on localhost, port 1999; any port will do (check with netstat -nap | grep 1999 that it is not already in use).
  2. Do not write a log file (dante-server logs a huge amount).
  3. socksmethod is set to none, meaning no client authentication.

The complete /etc/danted.conf:

#logoutput: /var/log/danted.log
logoutput: stderr
# listen locally
internal: 127.0.0.1 port = 1999
#internal: eth0 port = 1999
external: eth0

socksmethod: none
#socksmethod: pam.username

user.privileged: root
user.notprivileged: nobody
user.libwrap: nobody

timeout.connect: 30
timeout.io: 86400

client pass {
    from: 127.0.0.0/8 port 1-65535 to: 0.0.0.0/0
}

client block {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect error
}

# Rules are matched first to last, so this block must come before the
# pass rule below; placed after it, it would never be reached.
socks block {
    from: 0.0.0.0/0 to: 127.0.0.0/8
    log: connect error
}

socks pass {
    from: 127.0.0.0/8 to: 0.0.0.0/0
    protocol: tcp udp
}

socks block {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect error
}

The init script /etc/init.d/danted:

#! /bin/sh
### BEGIN INIT INFO
# Provides:          danted
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: SOCKS (v4 and v5) proxy daemon (danted)
### END INIT INFO
#
# dante SOCKS server init.d file. Based on /etc/init.d/skeleton:
# Version:      @(#)skeleton  1.8  03-Mar-1998  miquels@cistron.nl

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/sbin/sockd
NAME=danted
DESC="Dante SOCKS daemon"
PIDFILE=/var/run/$NAME.pid
CONFFILE=/etc/$NAME.conf

test -f $DAEMON || exit 0

set -e

# This function makes sure that the Dante server can write to the pid-file.
touch_pidfile ()
{
  if [ -r $CONFFILE ]; then
    uid="`sed -n -e 's/[[:space:]]//g' -e 's/#.*//' -e '/^user\.privileged/{s/[^:]*://p;q;}' $CONFFILE`"
    if [ -n "$uid" ]; then
      touch $PIDFILE
      chown $uid $PIDFILE
    fi
  fi
}

case "$1" in
  start)
        if ! egrep -cve '^ *(#|$)' \
            -e '^(logoutput|user\.((not)?privileged|libwrap)):' \
            $CONFFILE > /dev/null
        then
                echo "Not starting $DESC: not configured."
                exit 0
        fi
        echo -n "Starting $DESC: "
        touch_pidfile
        start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE \
                --exec $DAEMON -- -f $CONFFILE -p $PIDFILE -D
        echo "$NAME."
        ;;
  stop)
        echo -n "Stopping $DESC: "
        start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE \
                --exec $DAEMON
        echo "$NAME."
        ;;
  restart)
        #
        #       If the "reload" option is implemented, move the "force-reload"
        #       option to the "reload" entry above. If not, "force-reload" is
        #       just the same as "restart".
        #
        echo -n "Restarting $DESC: "
        start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
        sleep 1
        touch_pidfile
        # pass the same config and pid file as in "start"; without -f the
        # daemon would look for its default /etc/sockd.conf and fail
        start-stop-daemon --start --quiet --pidfile $PIDFILE \
          --exec $DAEMON -- -f $CONFFILE -p $PIDFILE -D
        echo "$NAME."
        ;;
  *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|restart}" >&2
        exit 1
        ;;
esac

exit 0

After configuring, enable and restart dante-server:

systemctl enable danted
service danted restart

Login authentication with FreeRADIUS

Not finished yet.

Troubleshooting dante-server

Stop the dante-server service:

service danted stop

Run it in the foreground (non-daemon mode) with debug output enabled (the source build installs the binary as sockd, and in Dante 1.4 -d takes a debug level):

sockd -d 1 -f /etc/danted.conf

Installing and configuring stunnel

Installing stunnel

apt-get install stunnel4

Configuring the stunnel server

stunnel4's configuration files live in /etc/stunnel by default; example configurations are in /usr/share/doc/stunnel4/examples.

First, set ENABLED=1 in /etc/default/stunnel4 to enable the stunnel service.

Then create the stunnel server certificate:

cd /etc/stunnel
mkdir certs && cd certs
# self-signed certificate and private key, both written to stunnel.pem
openssl req -new -x509 -days 3650 -nodes \
    -config /usr/share/doc/stunnel4/examples/stunnel.cnf \
    -out stunnel.pem -keyout stunnel.pem

# restrict access to the private key (paths below are relative to /etc/stunnel)
cd /etc/stunnel
sudo chmod 600 certs/stunnel.pem
sudo chmod 700 certs
sudo chown -R stunnel4:stunnel4 certs

Next, create the stunnel configuration file /etc/stunnel/stunnel.conf. Notes on the configuration:

  1. The log is written to /var/log/stunnel4/stunnel4.log; the default log level is debug (7), which the configuration below lowers to warning (4).
  2. Both the certificate and the key are the stunnel.pem created above (the CA setup here is wrong; see the Stunnel Howto for a proper configuration).
  3. The final [danted] service section: stunnel listens on port 1998 for connections destined for dante-server and forwards them to dante-server's listening port 1999.
  4. client = no is set globally, so every service defaults to server mode; a service that needs client mode can set client = yes in its own section.

The complete configuration file:

; chroot = /var/lib/stunnel4/
; Chroot jail can be escaped if setuid option is not used
setuid = stunnel4
setgid = stunnel4

; PID is created inside the chroot jail
pid = /var/run/stunnel4/stunnel4.pid

; Debugging stuff (may be useful for troubleshooting)
; log level is warning(4), debug log level is 7
debug = 4
output = /var/log/stunnel4/stunnel.log

CAfile = /etc/stunnel/certs/stunnel.pem
cert = /etc/stunnel/certs/stunnel.pem
verify = 2

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2

; The following options provide additional security at some performance penalty
; Default ECDH/DH parameters are strong/conservative, so it is quite safe to
; comment out these lines in order to get a performance boost
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE

client = no

[danted]
accept = 1998
connect = 127.0.0.1:1999

Finally, restart the stunnel service:

service stunnel4 restart

Configuring the stunnel client

Install stunnel on the client machine and set ENABLED=1 in /etc/default/stunnel4.

Then copy the stunnel.pem generated on the server to the client, here assumed to be placed at /etc/stunnel/stunnel.pem:

# the file also holds the private key, so set restrictive permissions here as well
chmod 600 /etc/stunnel/stunnel.pem
chown stunnel4:stunnel4 /etc/stunnel/stunnel.pem

Next, create the configuration file /etc/stunnel/stunnel.conf. Notes on the configuration:

  1. The client configuration is largely the same as the server's (logging and so on); make sure client is set to yes.
  2. The final [danted] service section: stunnel listens on local port 1997 for SOCKS connections and sends them to port 1998 on the server-side stunnel (see the server configuration). Replace YOUR_SERVER in the configuration with your server's hostname or IP.

The complete configuration file:

; chroot = /var/lib/stunnel4/
; Chroot jail can be escaped if setuid option is not used
setuid = stunnel4
setgid = stunnel4

; PID is created inside the chroot jail
pid = /var/run/stunnel4/stunnel4.pid

; Debugging stuff (may be useful for troubleshooting)
; log level is warning(4), debug log level is 7
debug = 4
output = /var/log/stunnel4/stunnel.log

verify = 2

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2

; The following options provide additional security at some performance penalty
; Default ECDH/DH parameters are strong/conservative, so it is quite safe to
; comment out these lines in order to get a performance boost
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE

cert = /etc/stunnel/stunnel.pem
CAfile = /etc/stunnel/stunnel.pem
client = yes

[danted]
accept = 127.0.0.1:1997
connect = YOUR_SERVER:1998

Finally, restart the client stunnel service:

service stunnel4 restart

Using the SOCKS5 proxy

With the configuration above, set the browser's SOCKS5 proxy to localhost:1997 and it is ready to use.
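A small SOCKS5 client, added here as an example (not part of the original note), for checking the proxy end to end: it offers the no-authentication method that matches socksmethod: none, sends a CONNECT request and decodes Dante's reply, so a reply code of 2 shows a socks block rule rejecting the target. It assumes the client-side stunnel from the configuration above on 127.0.0.1:1997; the names build_greeting, build_connect, parse_reply and probe are my own.

```python
"""SOCKS5 handshake helpers for checking the SOCKS-over-stunnel setup above.
Added example, not from the original note. Assumes the client-side stunnel
listens on 127.0.0.1:1997 and danted runs with "socksmethod: none" (RFC 1928)."""
import socket
import struct

NO_AUTH, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x00, 0x01, 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused"}

def build_greeting(methods=(NO_AUTH,)):
    # VER=5, NMETHODS, METHODS. With 'socksmethod: none' Dante answers b'\x05\x00';
    # b'\x05\xff' would mean none of the offered methods is acceptable.
    return bytes([0x05, len(methods), *methods])

def build_connect(host, port):
    # CONNECT request. A hostname is sent as ATYP=3 so the proxy resolves it,
    # which keeps the DNS lookup inside the stunnel tunnel as well.
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        raw = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([0x05, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_reply(data):
    # Returns (reply_code, bound_addr, bound_port) from a SOCKS5 reply.
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        addr, rest = data[5:5 + data[4]].decode(), data[5 + data[4]:]
    else:
        raise ValueError("unsupported ATYP %d" % atyp)
    return rep, addr, struct.unpack("!H", rest[:2])[0]

def probe(target_host, target_port, proxy=("127.0.0.1", 1997), timeout=10):
    # CONNECT through the proxy; returns Dante's reply code and its meaning
    # (0 = accepted, 2 = refused by a 'socks block' rule such as the loopback one).
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_greeting())
        ver, method = s.recv(2)
        if ver != 0x05 or method != NO_AUTH:
            raise RuntimeError("proxy refused the no-auth method: %r" % method)
        s.sendall(build_connect(target_host, target_port))
        rep, _, _ = parse_reply(s.recv(262))
        return rep, REPLY_TEXT.get(rep, "unknown")
```

Calling probe("127.0.0.1", 1999) through the running setup should return code 2 if the loopback block rule is ordered before the pass rule, while probe("example.com", 443) should return 0.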

Troubleshooting

When something goes wrong, check the program logs first, raising the log level in the configuration file if needed. Then search the program's official FAQ page for the error messages found in the log.

If no solution turns up there, consult the documentation and Google.

Further reading

  1. Stunnel Howto
  2. Building a secure, high-performance SOCKS proxy server with stunnel (Chinese)
  3. How To Set Up an SSL Tunnel Using Stunnel on Ubuntu