一、购买服务器和域名
1、海外服务器购买
需要访问海外服务,所以需要使用海外服务器进行代理。
推荐使用 racknerd.com,$22.99 /年即可搭建,地址: https://my.racknerd.com/aff.php?aff=12472。
不推荐搬瓦工,目前搬瓦工地址被长城防火墙针对严重,非必要建议不使用。
2、购买域名
万网购买即可,https://wanwang.aliyun.com/。
哪个便宜买哪个。然后添加一条域名解析记录(比如 v2.domain.top),解析到海外服务器的 IP 地址上。
二、搭建服务
1、选择系统
选择 CentOS 7 64 Bit 即可
2、修改 yum 源、防火墙、selinux
CentOS 7 官方源已停止服务,可以修改为阿里云的 centos-vault 归档源继续使用。注意归档源停留在 7.9.2009,不会再有安全更新。
[root@racknerd-56b96f conf]# cat /etc/yum.repos.d/centos.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-$releasever - Base - mirrors.aliyun.com
failovermethod=priority
baseurl=https://mirrors.aliyun.com/centos-vault/7.9.2009/os/$basearch/
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/centos-vault/RPM-GPG-KEY-CentOS-7
#released updates
[updates]
name=CentOS-$releasever - Updates - mirrors.aliyun.com
failovermethod=priority
baseurl=https://mirrors.aliyun.com/centos-vault/7.9.2009/updates/$basearch/
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/centos-vault/RPM-GPG-KEY-CentOS-7
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras - mirrors.aliyun.com
failovermethod=priority
baseurl=https://mirrors.aliyun.com/centos-vault/7.9.2009/extras/$basearch/
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/centos-vault/RPM-GPG-KEY-CentOS-7
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus - mirrors.aliyun.com
failovermethod=priority
baseurl=https://mirrors.aliyun.com/centos-vault/7.9.2009/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://mirrors.aliyun.com/centos-vault/RPM-GPG-KEY-CentOS-7
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib - mirrors.aliyun.com
failovermethod=priority
baseurl=https://mirrors.aliyun.com/centos-vault/7.9.2009/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://mirrors.aliyun.com/centos-vault/RPM-GPG-KEY-CentOS-7
# 关闭防火墙(图省事直接关了);如果熟悉防火墙规则,建议保持开启,只按需放行 SSH、80、443 端口
$ systemctl disable firewalld
$ systemctl stop firewalld
# 临时关闭 SELinux(setenforce 0 只是切换为 permissive 模式,重启后失效)
$ setenforce 0
# 永久关闭:将 SELINUX 从 enforcing 修改为 disabled,重启后生效(关闭后会失去 SELinux 的强制访问控制保护)
[root@racknerd-56b96f conf]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
3、安装 vmess
// 安装可执行文件和 .dat 数据文件,安装脚本为 v2fly 官方提供的原版脚本。该命令会以 root 身份直接执行从网络下载的脚本,建议先下载到本地查看内容后再执行。
# bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)
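4、编写配置文件
注意:下面配置中的 id 只是示例 UUID,已经公开,请务必换成自己生成的值(例如 cat /proc/sys/kernel/random/uuid),不要照抄。wsSettings 里的 path 必须与后面 nginx 配置中的 location 路径完全一致;本文示例两处分别写成了 /wangyangroc 和 /wangyangrocvws,使用时请统一为同一个路径。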
$ vi /usr/local/etc/v2ray/config.json
{
"inbounds": [
{
"tag": "cloudmessage.top.json",
"port": 7072,
"listen": "127.0.0.1",
"protocol": "vmess",
"settings": {
"clients": [
{
"id": "466eb1fe-6943-4935-b893-9e8adb3c6b00"
}
]
},
"streamSettings": {
"network": "ws",
"security": "none",
"wsSettings": {
"path": "/wangyangroc", // 修改为你的路径随意即可但是必须记住后续使用
"headers": {
"Host": "xxxx.cloudmessage.top" // 修改为你的科学域名
}
}
},
"sniffing": {
"enabled": true,
"destOverride": [
"http",
"tls"
]
}
}
],
"outbounds": [
{
"protocol": "freedom",
"settings": {}
}
]
}
$ systemctl restart v2ray
$ systemctl enable v2ray
5、安装 nginx 服务
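# Build prerequisites: the C toolchain (gcc, make) plus the TLS, zlib and PCRE headers.
$ yum -y install gcc make nginx openssl openssl-devel zlib zlib-devel pcre pcre-devel
# Fetch the source over HTTPS rather than plain HTTP. nginx.org also publishes a PGP
# signature for each tarball; verify it before building.
# NOTE(review): 1.20.1 is an old release; check nginx.org for the current stable version.
$ wget https://nginx.org/download/nginx-1.20.1.tar.gz
$ tar -zxvf nginx-1.20.1.tar.gz
# configure and make must run inside the extracted source directory.
$ cd nginx-1.20.1
# http_sub_module provides the sub_filter directive used by the nginx.conf on this page.
$ ./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_sub_module
$ make && make install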
$ vi /usr/local/nginx/conf/nginx.conf
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
# HTTPS virtual host: terminates TLS on 443, reverse-proxies ordinary requests to the
# cover site, and forwards the WebSocket path to the v2ray inbound on 127.0.0.1:7072.
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name xxx.cloudmessage.top; # replace with your own resolved domain
ssl_certificate /root/fullchain.cer;
# Private key: keep this file readable by root only.
ssl_certificate_key /root/cert.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
# NOTE(review): TLSv1.3 needs OpenSSL 1.1.1 or newer; the stock CentOS 7 OpenSSL is
# older, so probably only TLSv1.2 is negotiated with this build - confirm.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# Every request that does not match the WebSocket location is proxied to the cover site.
location / {
proxy_pass https://cloudmessage.top; # cover (camouflage) site
# Send SNI to the upstream so its TLS virtual host is selected correctly.
proxy_ssl_server_name on;
proxy_redirect off;
# Rewrite every occurrence of the upstream hostname in response bodies to this server's name.
sub_filter_once off;
sub_filter "cloudmessage.top" $server_name;
proxy_set_header Host "cloudmessage.top";
proxy_set_header Referer $http_referer;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header User-Agent $http_user_agent;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# An empty Accept-Encoding asks the upstream for uncompressed bodies, which sub_filter needs.
proxy_set_header Accept-Encoding "";
proxy_set_header Accept-Language "zh-CN";
}
# WebSocket entry point for v2ray. This path must be identical to wsSettings.path in
# the v2ray config; the v2ray example on this page uses "/wangyangroc", so make the
# two values the same before use.
location /wangyangrocvws {
proxy_redirect off;
# Matches the v2ray inbound, which listens on 127.0.0.1 port 7072 only.
proxy_pass http://127.0.0.1:7072;
# HTTP/1.1 plus the Upgrade/Connection headers are required for the WebSocket handshake.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 80;
server_name xxx.cloudmessage.top; #修改为你的已解析域名
rewrite ^(.*)$ https://${server_name}$1 permanent;
}
}
6、申请 HTTPS 证书
推荐使用 ohttps(https://ohttps.com/)申请证书,申请完成后下载证书并上传至服务器 /root 目录下,文件名改为 /root/fullchain.cer、/root/cert.key 即可。cert.key 是私钥,建议将权限设为仅 root 可读(chmod 600 /root/cert.key)。
7、编写 systemd 管理脚本
[root@racknerd-56b96f conf]# cat /etc/systemd/system/nginx.service
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=network.target
[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit
PrivateTmp=true
[Install]
WantedBy=multi-user.target
# 启动 nginx 服务
$ systemctl start nginx
$ systemctl enable nginx
三、客户端配置
windows:https://github.com/2dust/v2rayN/releases,使用说明 https://www.v2raynos.com/80/#:~:text=%E5%9F%BA%E6%9C%AC%E7%95%8C%E9%9D%A2%E5%8A%9F%E8%83%BD%E4%BB%8B%E7%BB%8D.
ios:Shadowrocket
四、最后
小工具:端口是否封禁测试网站 https://tcp.ping.pe/