ss-libev + v2ray-plugin + tls + CentOS-7


Buy a domain name, or register a free one

Configure Cloudflare

  1. Cloudflare DNS -> add an A record: name = your domain, value = the VPS IP, TTL = automatic, proxy status = DNS only (grey cloud) while you set things up
  2. Cloudflare Crypto (SSL/TLS in the current dashboard) -> SSL = Full (strict), and turn on Always Use HTTPS. Flexible is the wrong mode for this setup: it makes Cloudflare connect to the origin in plain HTTP on port 80, which nothing here listens on, whereas the plugin serves a publicly trusted certificate on 443, which is exactly what Full (strict) validates.
  3. (QUIC mode only) The HTTP/3 (with QUIC) switch under Cloudflare Network does not help here: it only affects HTTP/3 between browsers and Cloudflare's edge. The plugin's quic mode is V2Ray's own QUIC transport, not HTTP/3, and Cloudflare's proxy does not forward it, so quic mode only works against the DNS-only record or the server's real IP.

Install Go

Check the latest Go release; at the time of writing the latest is 1.12.5. Compare the tarball's SHA256 with the value shown on the download page before extracting it.

  • Download (install as root)
cd ~ && curl -O https://dl.google.com/go/go1.12.5.linux-amd64.tar.gz
  • Extract
tar -C /usr/local -xzf go1.12.5.linux-amd64.tar.gz
  • Add Go to the environment
vim ~/.bash_profile
  • Append these two lines at the end of the file:
export GOPATH=$HOME/work
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
  • Reload the environment
source ~/.bash_profile
  • Check the version
go version

Install v2ray-plugin

  • Method 1: build from source (prefer checking out a tagged release rather than whatever is on master, so you know which version you are running)
git clone https://github.com/shadowsocks/v2ray-plugin.git
cd v2ray-plugin
go mod download
go build
cp v2ray-plugin /usr/bin/v2ray-plugin
  • Method 2: download the prebuilt v2ray-plugin binary for your platform from the GitHub releases page, then move it to /usr/bin/
cp v2ray-plugin /usr/bin/v2ray-plugin

https ( websocket + tls )

Obtain a free certificate

As in the official documentation, use the acme.sh script to obtain a free certificate automatically (free certificates are generally valid for 3 months; the script installs a cron job that renews them every 60 days).

Before issuing, open the Cloudflare dashboard, click the avatar in the top right, then My Profile; at the bottom of the profile page is API Keys -> Global API Key. Copy the API key and the e-mail address you log in to Cloudflare with; the key and e-mail are used for the DNS challenge. Note that the Global API Key controls the whole account, and acme.sh saves it to ~/.acme.sh/account.conf for renewals, so treat that file as a secret. The dns_cf hook also accepts a scoped API token (CF_Token together with CF_Account_ID) that only has DNS-edit rights on the one zone; that is the safer choice.

  • Issue the certificate (make sure the domain already resolves to your server before running this)
export CF_Email="Cloudflare e-mail address"
export CF_Key="API KEY"
curl https://get.acme.sh | sh
~/.acme.sh/acme.sh --issue --dns dns_cf -d yourdomain

After these commands, acme.sh has issued the certificate. It is stored in /root/.acme.sh/yourdomain/ (acme.sh appends _ecc to the directory name when the key is ECC), containing ca.cer, fullchain.cer, yourdomain.key and so on.

  • After issuing, you can also link the certificate directory into /etc/shadowsocks-libev/ and reference it from there
ln -s ~/.acme.sh/xxxx.com /etc/shadowsocks-libev/xxxx.com

v2ray-plugin will actually find and use your acme.sh certificate files on its own, so you can leave them out of the config file, but I recommend specifying the paths explicitly.

Configure ss-libev

  • Edit the ss config file (replace "password" with a long random password; this placeholder is not meant to be used)
{
  "server": "0.0.0.0",
  "nameserver": "8.8.8.8",
  "password": "password",
  "method": "chacha20-ietf-poly1305",
  "timeout": 600,
  "fast_open": true,
  "reuse_port": true,
  "no_delay": true,
  "mode": "tcp_and_udp"
}

ss config and v2ray-plugin config combined in one file

  • ss config: vim /etc/shadowsocks-libev/config.json
{
  "server": "0.0.0.0",
  "nameserver": "8.8.8.8",
  "server_port": 443,
  "password": "你的密码",
  "method": "chacha20-ietf-poly1305",
  "timeout": 600,
  "no_delay": true,
  "mode": "tcp_and_udp",
  "plugin": "v2ray-plugin",
  "plugin_opts": "server;tls;fast-open;host=xxxxxxxxx.com;cert=/cert-dir/fullchain.cer;key=/cert-dir/xxxxxxxxx.com.key;loglevel=none"
}
  • service unit: vim /etc/systemd/system/ss.service
[Unit]
Description=Shadowsocks Server
After=network.target
[Service]
ExecStart=/usr/bin/ss-server -c /etc/shadowsocks-libev/config.json
Restart=on-abort
[Install]
WantedBy=multi-user.target

ss config and v2ray-plugin config kept separate (same as the official example)

  • ss config: vim /etc/shadowsocks-libev/config.json
{
  "server": "0.0.0.0",
  "nameserver": "8.8.8.8",
  "password": "你的密码",
  "method": "chacha20-ietf-poly1305",
  "timeout": 600,
  "no_delay": true,
  "mode": "tcp_and_udp"
}
  • service unit: vim /etc/systemd/system/ss.service
[Unit]
Description=Shadowsocks Server
After=network.target
[Service]
ExecStart=/usr/bin/ss-server -c /etc/shadowsocks-libev/config.json -p 443 --plugin /usr/bin/v2ray-plugin --plugin-opts "server;tls;fast-open;host=xxxxxxxxx.com;cert=/cert-dir/fullchain.cer;key=/cert-dir/xxxxxxxxx.com.key;loglevel=none"
Restart=on-abort
[Install]
WantedBy=multi-user.target

Five things to check in the configuration above:

  1. The paths of v2ray-plugin and ss-server must be correct
  2. Open port 443 in firewalld and in the provider's security group (TCP; also UDP 443 if you keep the ss UDP relay or use QUIC)
  3. host=your domain (without https:// or http://)
  4. cert=<certificate directory>/<domain>/fullchain.cer
  5. key=<certificate directory>/<domain>/xxxxxx.com.key
  • Check
systemctl daemon-reload
systemctl restart ss
systemctl status ss -l
  • Make sure the Cloudflare cloud icon is grey (DNS only) while testing
  • On your local machine, ping the domain and confirm it resolves to the right IP address
  • Open the domain in a browser: the TLS handshake should complete with your certificate (what the page shows is irrelevant; a certificate warning means the cert or host settings are wrong)
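The certificate section and the five points above both come down to the same question: does the plugin_opts string point at a cert/key pair that exists, belongs together, covers the host name and is not about to expire? The POSIX shell functions below are an added example of my own (not from this gist or from v2ray-plugin) that answer it before you restart ss.service. Function names and the option string in the usage comment are this example's own; the paths are placeholders for wherever acme.sh put your files.

```shell
#!/bin/sh
# Added example (not from the gist or from v2ray-plugin): pre-flight checks
# for a v2ray-plugin "plugin_opts" string before restarting ss.service.
# Function names and the sample string in the usage comment are this
# example's own; paths are placeholders.

# Print the value of KEY from a SIP003-style option string ("a;b=1;c=2").
# Prints nothing and returns 1 when the key is absent.
plugin_opt() {
    po_val=$(printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1)
    [ -n "$po_val" ] && printf '%s\n' "$po_val"
}

# Return 0 when a bare flag such as "server" or "tls" is present.
plugin_flag() {
    printf '%s\n' "$1" | tr ';' '\n' | grep -qx "$2"
}

# Return 0 when the certificate's public key equals the one derived from the
# private key (catches a cert and key taken from different acme.sh runs).
cert_key_match() {
    ck_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    ck_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$ck_cert" = "$ck_key" ]
}

# Return 0 when HOST is listed as a DNS subjectAltName of the certificate;
# clients verify the TLS cert against host=, so a mismatch fails the handshake.
cert_covers_host() {
    ch_host=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:$ch_host(,|$)"
}

# Return 0 when the certificate is still valid SECONDS from now (default 30 days).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# Run every check against one plugin_opts string; returns 0 only if all pass.
check_plugin_opts() {
    co_opts=$1 co_rc=0
    plugin_flag "$co_opts" server || { echo "missing 'server' flag"; co_rc=1; }
    # quic mode forces TLS, so it needs a cert and key just like the tls flag
    if plugin_flag "$co_opts" tls || [ "$(plugin_opt "$co_opts" mode)" = quic ]; then
        co_host=$(plugin_opt "$co_opts" host) || { echo "missing host="; return 1; }
        co_cert=$(plugin_opt "$co_opts" cert) || { echo "missing cert="; return 1; }
        co_key=$(plugin_opt "$co_opts" key)   || { echo "missing key="; return 1; }
        [ -r "$co_cert" ] || { echo "cert not readable: $co_cert"; return 1; }
        [ -r "$co_key" ]  || { echo "key not readable: $co_key"; return 1; }
        cert_key_match "$co_cert" "$co_key"    || { echo "cert/key mismatch"; co_rc=1; }
        cert_covers_host "$co_cert" "$co_host" || { echo "no SAN for $co_host"; co_rc=1; }
        cert_not_expiring "$co_cert"           || { echo "cert expires within 30 days"; co_rc=1; }
    fi
    return $co_rc
}

# Usage (placeholders):
# check_plugin_opts "server;tls;fast-open;host=example.com;cert=/etc/shadowsocks-libev/example.com/fullchain.cer;key=/etc/shadowsocks-libev/example.com/example.com.key;loglevel=none"
```

Source the file and call check_plugin_opts with the exact string from config.json or the ExecStart line; a non-zero exit and the printed reason tell you which of the five points is wrong before systemd does.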

quic ( quic + tls )

QUIC runs over UDP with TLS built into its handshake, so a certificate is mandatory; v2ray-plugin's quic mode therefore always enables TLS. Keep in mind that this is V2Ray's own QUIC transport, not HTTP/3, and Cloudflare's proxy does not forward it: quic mode only works with the DNS-only (grey cloud) record or with the server's real IP.

Some ISPs in some regions of China handle UDP poorly, with heavy packet loss, especially deep inside NATed networks, and QUIC is built entirely on UDP. So in some places it is better not to enable it; in short, adapt to local conditions.

  • UDP must be turned off in the ss config file: ss-server's own UDP relay would otherwise bind UDP 443, the same port the plugin needs for QUIC
{
  "mode": "tcp_only"
}
  • In ss.service, change mode to quic (the default mode is websocket; quic forces TLS on, so the tls option is no longer needed here)
ExecStart=/usr/bin/ss-server -c /etc/shadowsocks-libev/config.json -p 443 --plugin /usr/bin/v2ray-plugin --plugin-opts "server;mode=quic;fast-open;host=yourdomain;cert=/cert-dir/fullchain.cer;key=/cert-dir/yourdomain.key;loglevel=none"

If you do not want to go through the CDN, just replace the domain in the client's server address field with the server's real IP address.

Clients

PC

  • First download v2ray-plugin-win.exe into your local SS directory
  • Server address: xxxxxxx.com
  • Port: 443
  • Password and encryption method: as in your server config file
  • Plugin program: v2ray-plugin-win
  • Plugin options: tls;host=xxxxxx.com

Android

  • Much like the PC: install v2ray-plugin-android.apk from GitHub or the Google Play store
  • Transport mode: websocket-tls
  • Hostname: xxxxxxxx.com
  • Leave the rest at the defaults
  • Enable fast-open
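For a command-line client, the GUI fields above map onto a shadowsocks-libev ss-local config like the following. This is an added example, not from the gist; the domain, password and local port are placeholders. mode is tcp_only because SIP003 plugins such as v2ray-plugin relay TCP only and Cloudflare's proxy passes no UDP anyway; for the server's quic mode the plugin_opts would be "mode=quic;host=example.com" instead, pointed at the real IP.

```json
{
  "server": "example.com",
  "server_port": 443,
  "local_address": "127.0.0.1",
  "local_port": 1080,
  "password": "the password from the server config",
  "method": "chacha20-ietf-poly1305",
  "timeout": 600,
  "mode": "tcp_only",
  "plugin": "v2ray-plugin",
  "plugin_opts": "tls;host=example.com"
}
```

Save it as client.json, make sure the v2ray-plugin binary is on PATH, and run ss-local -c client.json; the SOCKS5 proxy then listens on 127.0.0.1:1080.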

Finally, once you can connect successfully, remember to switch the Cloudflare record from DNS only to proxied (with the SSL mode set to Full (strict), since Cloudflare must then reach the origin over TLS on 443).

aueu commented May 19, 2019

After cd-ing into the source directory, running `go mod download` first works somewhat better than running `go build` straight away.

no-name2017 commented Aug 11, 2019

Hi, may I ask a few questions? I set up v2ray+ws+tls with a Let's Encrypt certificate, and ss is also defined in the v2ray config; in that situation, how do I enable v2ray-plugin for ss? Thanks.

shuanghua (owner, author) commented Aug 13, 2019

@no-name2017 Try replacing the cert and key in the command below with yours

ExecStart=/usr/local/bin/ss-server -c /etc/shadowsocks-libev/config.json -p 443 --plugin /usr/bin/v2ray-plugin --plugin-opts "server;tls;fast-open;host=yourdomain;cert=/etc/shadowsocks-libev/yourdomain/fullchain.cer;key=/etc/shadowsocks-libev/yourdomain/yourdomain.key;loglevel=none"

Replace them with something like this, depending on your certificate file format and where it is stored: certbot issues pem files, while acme.sh issues cer and key files

cert=/fullchain.pem
key=/privkey.pem
shuanghua (owner, author) commented Sep 13, 2019

DearTanker commented Sep 25, 2019

Hi, do you know why `systemctl stop ss` hangs?

The first start works fine, and status shows active with no problem.

But stopping it hangs.

● ss.service - Shadowsocks Manager Server
   Loaded: loaded (/etc/systemd/system/ss.service; disabled; vendor preset: disabled)
   Active: failed (Result: timeout) since Wed 2019-09-25 23:52:15 CST; 2s ago
  Process: 2073 ExecStop=/usr/local/bin/ss-manager --manager-address /var/run/shadowsocks-manager.sock -c /etc/shadowsocks-libev/config.json stop (code=exited, status=0/SUCCESS)
  Process: 2046 ExecStart=/usr/local/bin/ss-manager --manager-address /var/run/shadowsocks-manager.sock -c /etc/shadowsocks-libev/config.json start (code=exited, status=0/SUCCESS)
 Main PID: 2046 (code=exited, status=0/SUCCESS)

Sep 25 23:50:45 do-1v-2g-2t-sfo2-01 ss-manager[2073]: 2019-09-25 23:50:45 ERROR: Could not bind
Sep 25 23:50:45 do-1v-2g-2t-sfo2-01 ss-manager[2073]: 2019-09-25 23:50:45 ERROR: port is not available, please check.
Sep 25 23:50:45 do-1v-2g-2t-sfo2-01 ss-manager[2073]: 2019-09-25 23:50:45 INFO: try to bind interface: 0.0.0.0, port: 29001
Sep 25 23:50:45 do-1v-2g-2t-sfo2-01 ss-manager[2073]: 2019-09-25 23:50:45 ERROR: bind: Address already in use
Sep 25 23:50:45 do-1v-2g-2t-sfo2-01 ss-manager[2073]: 2019-09-25 23:50:45 ERROR: Could not bind
Sep 25 23:50:45 do-1v-2g-2t-sfo2-01 ss-manager[2073]: 2019-09-25 23:50:45 ERROR: port is not available, please check.
Sep 25 23:52:15 do-1v-2g-2t-sfo2-01 systemd[1]: ss.service stopping timed out. Terminating.
Sep 25 23:52:15 do-1v-2g-2t-sfo2-01 systemd[1]: Stopped Shadowsocks Manager Server.
Sep 25 23:52:15 do-1v-2g-2t-sfo2-01 systemd[1]: Unit ss.service entered failed state.
Sep 25 23:52:15 do-1v-2g-2t-sfo2-01 systemd[1]: ss.service failed.

Starting it again still hangs:

● ss.service - Shadowsocks Manager Server
   Loaded: loaded (/etc/systemd/system/ss.service; disabled; vendor preset: disabled)
   Active: deactivating (stop) since Wed 2019-09-25 23:50:45 CST; 44s ago
 Main PID: 2046 (ss-manager);         : 2073 (ss-manager)
   CGroup: /system.slice/ss.service
           ├─2046 /usr/local/bin/ss-manager --manager-address /var/run/shadowsocks-manager.sock -c /etc/shadowsocks-libev/config.json start
           └─control
             └─2073 /usr/local/bin/ss-manager --manager-address /var/run/shadowsocks-manager.sock -c /etc/shadowsocks-libev/config.json stop

Sep 25 23:50:45 do-1v-2g-2t-sfo2-01 ss-manager[2073]: 2019-09-25 23:50:45 INFO: running from root user
Sep 25 23:50:45 do-1v-2g-2t-sfo2-01 ss-manager[2073]: 2019-09-25 23:50:45 INFO: working directory points to /root/.shadowsocks
Sep 25 23:50:45 do-1v-2g-2t-sfo2-01 ss-manager[2073]: 2019-09-25 23:50:45 INFO: try to bind interface: 0.0.0.0, port: 29000
Sep 25 23:50:45 do-1v-2g-2t-sfo2-01 ss-manager[2073]: 2019-09-25 23:50:45 ERROR: bind: Address already in use
Sep 25 23:50:45 do-1v-2g-2t-sfo2-01 ss-manager[2073]: 2019-09-25 23:50:45 ERROR: Could not bind
Sep 25 23:50:45 do-1v-2g-2t-sfo2-01 ss-manager[2073]: 2019-09-25 23:50:45 ERROR: port is not available, please check.
Sep 25 23:50:45 do-1v-2g-2t-sfo2-01 ss-manager[2073]: 2019-09-25 23:50:45 INFO: try to bind interface: 0.0.0.0, port: 29001
Sep 25 23:50:45 do-1v-2g-2t-sfo2-01 ss-manager[2073]: 2019-09-25 23:50:45 ERROR: bind: Address already in use
Sep 25 23:50:45 do-1v-2g-2t-sfo2-01 ss-manager[2073]: 2019-09-25 23:50:45 ERROR: Could not bind
Sep 25 23:50:45 do-1v-2g-2t-sfo2-01 ss-manager[2073]: 2019-09-25 23:50:45 ERROR: port is not available, please check.
shuanghua (owner, author) commented Sep 28, 2019

@DearTanker Try the following command to see which addresses and ports are in use, and which program is occupying 0.0.0.0:29000

netstat -tulpn
wallena3 commented Dec 29, 2019

To confirm: once everything is configured, you should switch Cloudflare from DNS only back to proxied
