由于路由管控系统的建立,实时动态黑洞路由已成为最有效的封锁手段,TCP连接重置和DNS污染成为次要手段,利用漏洞的穿墙方法已不再具有普遍意义。对此应对方法是多样化协议的VPN来抵抗识别。这里介绍一种太简单、有时很朴素的“穷人VPN”。
朴素VPN只需要一次内核配置(Linux内核),即可永久稳定运行,不需要任何用户态守护进程。所有流量转换和加密全部由内核完成,原生性能,开销几乎没有。静态配置,避免动态握手和参数协商产生指纹特征导致被识别。并且支持NAT,移动的内网用户可以使用此方法。支持广泛,基于L2TPv3标准,Linux内核3.2+都有支持,其他操作系统原则上也能支持。但有两个局限:需要root权限;一个隧道只支持一个用户。
朴素VPN利用UDP封装的静态L2TP隧道实现VPN,内核XFRM实现静态IPsec。实际上IP-in-IP隧道即可实现VPN,但是这种协议无法穿越NAT,因此必须利用UDP封装。内核3.18将支持Foo-over-UDP,在UDP里面直接封装IP,与静态的L2TP-over-UDP很类似。
| /** | |
| * Here's a turing machine that fits into a tweet with an example program. | |
| * Original tweet: https://twitter.com/mrrrgn/status/630419814666780673 | |
| * Gif: http://i.imgur.com/4t31zA2.gif | |
| * Turing machines: https://www.youtube.com/watch?v=dNRDvLACg5Q | |
| * | |
| * Think this is neat? Consider following me for more computer silliness: | |
| * twitter.com/mrrrgn or rss my blog linuxpoetry.com | |
| **/ |
| # -*- coding: utf-8 -*- | |
| """ | |
| hash_ring | |
| ~~~~~~~~~~~~~~ | |
| Implements consistent hashing that can be used when | |
| the number of server nodes can increase or decrease (like in memcached). | |
| Consistent hashing is a scheme that provides a hash table functionality | |
| in a way that the adding or removing of one slot | |
| does not significantly change the mapping of keys to slots. |
Our Virtual Machines are provisioned using Vagrant from a Linux base box to run using VirutalBox. If the Hard Disk space runs out and you cannot remove files to free-up space, you can resize the Hard Disk using some VirtualBox and Linux commands.
The following steps assume you've got a set-up like mine, where:
| // Just before switching jobs: | |
| // Add one of these. | |
| // Preferably into the same commit where you do a large merge. | |
| // | |
| // This started as a tweet with a joke of "C++ pro-tip: #define private public", | |
| // and then it quickly escalated into more and more evil suggestions. | |
| // I've tried to capture interesting suggestions here. | |
| // | |
| // Contributors: @r2d2rigo, @joeldevahl, @msinilo, @_Humus_, | |
| // @YuriyODonnell, @rygorous, @cmuratori, @mike_acton, @grumpygiant, |
##ss-redir 的 iptables 配置(透明代理)
透明代理指对客户端透明,客户端不需要进行任何设置就使用了网管设置的代理规则
创建 /etc/ss-redir.json 本地监听 7777
运行ss-redir -v -c /etc/ss-redir.json
iptables -t nat -N SHADOWSOCKS
# 在 nat 表中创建新链
iptables -t nat -A SHADOWSOCKS -p tcp --dport 23596 -j RETURN
# 23596 是 ss 代理服务器的端口,即远程 shadowsocks 服务器提供服务的端口,如果你有多个 ip 可用,但端口一致,就设置这个
clowwindy设计Shadowsocks的思路分析以及设计理念
鄙人不才,尝试站在原作者clowwindy的角度,来分析一下原版协议的设计思路和理念。 没参与过最初开发,不过设计了AEAD这个协议。读了一些资料,评论。
在 7:58 PM, 31 Aug 2015 作者发了这么一段话,我很好奇其中的指代内容,遂有本文。
眼睁睁看着一群人把一个东西搞错然后朝着错误的方向走了。不过懒得管了 =。=
| template <typename Left, typename Right> | |
| struct ConcatExpr; | |
| template <typename Left, typename Right> | |
| struct AltExpr; | |
| template <typename SubExpr> | |
| struct RepeatExpr; | |
| template <char ch> |
| adb shell appops set com.tencent.mm OP_READ_PHONE_STATE ignore | |
| adb shell appops set com.tencent.mm COARSE_LOCATION ignore | |
| adb shell appops set com.tencent.mm FINE_LOCATION ignore | |
| adb shell appops set com.tencent.mm RUN_IN_BACKGROUND ignore |