Trojan-GFW on Ubuntu 20.04 Server
Traffic arrives at port 443 or port 80.
- Port 443 is handled by Trojan.
  - Good passwords go to the Trojan server.
  - Bad passwords go to Nginx on localhost port 80.
- Port 80 is handled directly by Nginx.
The server runs Ubuntu 20.04. A DNS A record points host.example.com to the server's IP address.
Install and Configure Nginx
apt install nginx -y
Edit the configuration file:
vi /etc/nginx/sites-available/default
Change the contents to read as follows. Nginx listens on port 80. Change host.example.com in the example below to your actual server name.
server {
    listen 80 default_server;
    root /var/www/html;
    index index.html;
    server_name host.example.com;
    location / {
        try_files $uri $uri/ =404;
    }
}
Save the file. Restart Nginx with the new configuration:
systemctl restart nginx
Add Website Content
For extra camouflage, add some sample content. For example:
apt install wget zip unzip -y
wget https://github.com/lionlibr/sample-hexo-blog/archive/master.zip
unzip master.zip
cd sample-hexo-blog-master
cp -rf public/* /var/www/html/
Get Let's Encrypt SSL Certificate
Follow the Let's Encrypt instructions for Nginx on Ubuntu 20.04, obtaining a certificate only (i.e., with no automated changes to the Nginx configuration file).
apt install certbot python3-certbot-nginx -y
certbot certonly --nginx
certbot renew --dry-run
Install and Configure Trojan-GFW
apt install trojan -y
Edit the configuration file:
vi /etc/trojan/config.json
Define passwords for as many users as you have. The template starts with two users. Example:
"password": [
    "pass1234",
    "pass5678"
],
Of course, in real life you would make the passwords stronger!
Specify the real certificate and key locations:
"cert": "/etc/letsencrypt/live/host.example.com/fullchain.pem",
"key": "/etc/letsencrypt/live/host.example.com/privkey.pem",
Make Private Key Accessible
The commands below allow Trojan to read the private key /etc/letsencrypt/live/host.example.com/privkey.pem. They also leave the key readable by every local user on the server, so you should find a better solution than this if you can.
Edit the systemd service file:
vi /usr/lib/systemd/system/trojan.service
Set the user for Trojan to the Nginx user. The directive name is case-sensitive and belongs in the [Service] section:
User=www-data
Make the Let's Encrypt files more widely accessible.
chgrp -R www-data /etc/letsencrypt
chmod -R 755 /etc/letsencrypt
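One alternative to widening the permissions, as an added example that is not part of the original page: leave /etc/letsencrypt private and give Trojan its own copy of the certificate and key. The directory /etc/trojan/tls and the two function names are assumptions made for this example; RENEWED_LINEAGE is the variable certbot sets when it runs a deploy hook.

```shell
#!/usr/bin/env bash
# Added example, not from the original page.
# Assumption: /etc/trojan/tls is a hypothetical directory for Trojan's copies.

# List private keys under a tree that any local user can read
# (the state that "chmod -R 755 /etc/letsencrypt" leaves behind).
# -L follows the symlinks certbot keeps in live/.
world_readable_keys() {
    find -L "$1" -type f -name 'privkey*.pem' -perm -004 2>/dev/null
}

# Copy fullchain.pem and privkey.pem from a certbot lineage directory into a
# directory that only its owner can enter.
#   $1 = lineage directory, $2 = destination, $3 = optional owner account
deploy_private_copy() {
    src=$1; dst=$2; owner=${3:-}
    if [ ! -r "$src/fullchain.pem" ] || [ ! -r "$src/privkey.pem" ]; then
        echo "missing certificate or key in $src" >&2
        return 1
    fi
    mkdir -p -m 0700 "$dst"
    chmod 0700 "$dst"            # also tightens a directory that already existed
    install -m 0644 "$src/fullchain.pem" "$dst/fullchain.pem"
    install -m 0600 "$src/privkey.pem" "$dst/privkey.pem"
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dst" # needs root; skipped when no owner is given
    fi
}

# Deploy-hook entry point: runs only when certbot has set RENEWED_LINEAGE.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_private_copy "$RENEWED_LINEAGE" /etc/trojan/tls www-data
    systemctl restart trojan
fi
```

Saved as an executable file in /etc/letsencrypt/renewal-hooks/deploy/, the script refreshes the copies after each renewal. The "cert" and "key" entries in config.json would then point at the files in the copy directory instead of /etc/letsencrypt/live.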
Start Trojan
systemctl enable trojan
systemctl start trojan
Optionally Add CDN
Install and Configure Client
These instructions are for Windows. macOS and Linux are similar. For an introduction to the macOS client for Trojan, visit https://www.oilandfish.com/posts/trojan-gfw.html#2-3. For Android, install the Igniter client.
Download the Windows client from https://github.com/trojan-gfw/trojan/releases.
Unzip the downloaded zip file.
Open a Windows Command Prompt and navigate to the extracted trojan directory.
Run VC_redist.x64.exe to install the C++ redistributable. Restart your computer after the install.
Edit config.json in the same folder.
"remote_addr": "host.example.com",
"password": [
    "pass1234",
    "pass5678"
],
Run trojan.exe in a Command Prompt. It is a command-line program. There is no GUI. Leave the Command Prompt window open.
Configure your browser to use the SOCKS5 proxy server on 127.0.0.1 port 1080.