Trojan-GFW on Ubuntu 20.04 Server

Trojan is popular in China because it's easier to configure than V2Ray. The diagram below explains how it works. (Source: https://trojan-tutor.github.io/2019/04/10/p41.html)




Traffic arrives at port 443 or port 80.

  • Port 443 is handled by Trojan.
    • Good passwords goes to the Trojan server.
    • Bad passwords go to Nginx on localhost port 80.
  • Port 80 is handled directly by Nginx.

The server runs Ubuntu 20.04. A DNS record type A points from host.example.com to the server's IP address.

Install and Configure Nginx


apt install nginx -y

Edit the configuration file:

vi /etc/nginx/sites-available/default

Change the contents to read as follows. Nginx listens on port 80. Change host.example.com in the example below to your actual server name.

server {
        listen 80 default_server;
        root /var/www/html;
        index index.html;
        server_name host.example.com;
        location / {
                try_files $uri $uri/ =404;
        }
}

Save the file. Restart Nginx with the new configuration:

systemctl restart nginx

Add Website Content


For extra camouflage, add some sample content. For example:

apt install wget zip unzip -y

wget https://github.com/lionlibr/sample-hexo-blog/archive/master.zip

unzip master.zip

cd sample-hexo-blog-master

cp -rf public/* /var/www/html/

Get Let's Encrypt SSL Certificate


Follow the Let's Encrypt instructions for Nginx on Ubuntu 20.04 obtaining a certificate only (i.e., no automated changes to Nginx configuration file).

apt install certbot python3-certbot-nginx -y

certbot certonly --nginx

certbot renew --dry-run

Install and Configure Trojan-GFW


apt install trojan -y

Edit the configuration file:

vi /etc/trojan/config.json

Define passwords for as many users as you have. The template starts with two users. Example:

    "password": [
        "pass1234",
        "pass5678"
    ],

Of course, in real life you would make the passwords stronger!

Specify the real certificate and key locations:

    "cert": "/etc/letsencrypt/live/host.example.com/fullchain.pem",
    "key": "/etc/letsencrypt/live/host.example.com/privkey.pem",

Save the revised configuration file.

Make Private Key Accessible


The commands below are necessary to allow access to the private key /etc/letsencrypt/live/host.example.com/privkey.pem. You should find a better solution than this if you can.

Edit the systemd service file:

vi /usr/lib/systemd/system/trojan.service

Set the user for Trojan to the Nginx user:

user=www-data

Make the Let's Encrypt files more widely accessible.

chgrp -R www-data /etc/letsencrypt

chmod -R 755 /etc/letsencrypt

Start Trojan


systemctl enable trojan

systemctl start trojan

Optionally Add CDN


For extra protection, hide your server IP behind a CDN by adding your domain example.com to Cloudflare.

Install and Configure Client


These instructions are for Windows. MacOS and Linux are similar. For an introduction to the macOS client for Trojan, visit https://www.oilandfish.com/posts/trojan-gfw.html#2-3. For Android, install the Igniter client.

Download the Windows client from https://github.com/trojan-gfw/trojan/releases.

Unzip the downloaded zip file.

Open a Windows Command Prompt and navigate to the extracted trojan directory.

Run VC_redist.x64.exe to install the C++ redistributable. Restart your computer after the install.

Edit config.json in the same folder.

    "remote_addr": "host.example.com",

    "password": [
        "pass1234",
        "pass5678"
    ],

Run trojan.exe in a Command Prompt. It is a command-line program. There is no GUI. Leave the Command Prompt window open.

Configure your browser to use the SOCKS5 proxy server on 127.0.0.1 port 1080.

Comments

Post a Comment

Popular posts from this blog

Shadowsocks Manager

Image
Shadowsocks Manager offers a graphical user interface (GUI) for managing Shadowsocks and Wireguard nodes and users. This tutorial is for a Debian 10 virtual private server (VPS). All commands are issued as root. Add DNS and rDNS Records If you have not already done so, add a DNS A record pointing from your hostname (e.g. yourhost.yourdomainname.tld ) to your server IP address. Since we will be sending email, add a DNS record of type MX pointing from your naked domain to your hostname (such as yourhost.yourdomainname.tld ). The naked domain is often represented by a commercial at sign in control panels. Add a Sender Policy Framework (SPF) TXT record for your domain. The name of the entry is the naked domain. The value of the text field is: v=spf1 mx -all This specifies that you will allow the domain's MX server(s) to send email for the domain, but you want to prohibit all other servers from sending email on your behalf. Some email recipients will check your that
Read more

V2-UI V2Ray User Management Panel

Image
https://www.youtube.com/watch?v=-hyeCe3w4-s You will need a VPS and a domain name that points to that VPS. Start by installing Nginx on your VPS: apt install nginx Edit the Nginx default site configuration file: vi /etc/nginx/sites-available/default Insert your real server_name. Write the file to disk and quit the editor. Restart Nginx: systemctl restart nginx Install an SSL certificate as explained on https://certbot.eff.org Download and run the V2-UI installation script: apt install curl bash <(curl -Ls https://blog.sprov.xyz/v2-ui.sh) Install the Sqlite3 shell for Sqlite: apt install sqlite3 Invoke Sqlite3 for the V2-UI database: sqlite3 /etc/v2-ui/v2-ui.db Set the value of the base path equal to /v2-ui (leading slash but no trailing slash): update setting set value="/v2-ui" where key="base_path"; Do Ctrl + d to exit from Sqlite3. Restart the V2-UI panel: v2-ui restart You should see a message v2-ui 重启成功 (which mean
Read more

Shadowsocks with V2Ray Plugin for Windows and Android Clients

Image
Domain Take out a domain name, e.g. example.com . Add A and/or AAAA DNS record(s) for server, e.g. my.example.com . Add domain example.com to Cloudflare. Set nameservers to Cloudflare nameservers. Initially, set Cloudflare SSL/TLS Encryption mode Off . Server Nginx These instructions are for Debian 10 logged in as root user. apt update && apt upgrade -y apt install nginx -y apt install wget zip unzip -y wget https://github.com/arcdetri/sample-blog/archive/master.zip unzip master.zip cp -rf sample-blog-master/html/* /var/www/html/ Edit /etc/nginx/sites-available/default . Replace my.example.com with actual server name. server {         listen 80 default_server;         listen [::]:80 default_server;         root /var/www/html;         index index.html;         server_name my.example.com;         location / {                 try_files $uri $uri/ =404;         } } systemctl restart nginx apt install certbot python-certbot-nginx -y certbot --nginx certbot renew --dry-run Now you
Read more