Tom

How to use ShadowTLS

1. Introduction

The advantage of ShadowTLS is that it disguises traffic as TLS without requiring a certificate for your own domain: it can use any public website's certificate for the obfuscation. Currently there is no official Windows client for ShadowTLS and no GUI client, so using it takes some expertise, and it remains relatively niche. Installation is very easy: you run the binary directly, and the parameters are not complicated. Because it is purely an obfuscation layer, a separate encrypted proxy, such as Shadowsocks or Snell, must be run on the server behind it.

The chain is as follows: Shadowsocks listens on a port -> ShadowTLS is configured to forward to that port -> ShadowTLS listens on its own port -> the client is configured with the ShadowTLS listening port.

2. Installing the Encryption Proxy Program

It is recommended to use TeddySun's Docker installation method. For specific instructions, please refer to: https://hub.docker.com/r/teddysun/shadowsocks-rust

In case you cannot reach that page, the essential configuration is written out below.

# Create the configuration file
mkdir -p /etc/shadowsocks-rust
# Write the configuration file; change the password and, if needed, the port number. If you keep the port number, the docker run command below needs no changes.
# If you change the port number, remember to adjust the port mapping between the inside and the outside of the container accordingly. If you are unsure, search for it or refer to my Docker notes.
cat > /etc/shadowsocks-rust/config.json <<EOF
{
    "server":"0.0.0.0",
    "server_port":9000,
    "password":"password0",
    "timeout":300,
    "method":"aes-256-gcm",
    "nameserver":"8.8.8.8",
    "mode":"tcp_and_udp"
}
EOF
# Pull the image and start the container
docker pull teddysun/shadowsocks-rust
docker run -d -p 9000:9000 -p 9000:9000/udp --name ss-rust --restart=always -v /etc/shadowsocks-rust:/etc/shadowsocks-rust teddysun/shadowsocks-rust

If you only use Surge, you can consider using Snell. Here is a comparison between the two by the author of Surge:

  • Completely without characteristics: such as shadowsocks, VMess, and other derivative protocols. Encrypted traffic of this kind has no characteristics at all after encryption, but it is easily blocked as a feature in its own right.
  • Random characteristics: Snell is designed so that the Snell client generates random characteristics, which depend on the current session (each time Surge reloads the configuration counts as a new session), the PSK hash, and other inputs, so that each user's traffic characteristics differ. (Please rest assured: the characteristics are weak, the algorithm is irreversible, and the characteristics are regenerated every time Surge restarts. They will never be used for user tracking.) This solution is currently performing well.

Snell is also relatively niche. If you need it, you can set it up by following the Surge Manual; it can also be run directly as a binary. However, since I am already using ShadowTLS, which encrypted protocol runs underneath it no longer matters much.

3. Configuring ShadowTLS

Refer to the official GitHub releases page: https://github.com/ihciah/shadow-tls/releases

There are two ways to do it: modify the provided docker-compose.yml file and run it with Docker, or download the binary and run it directly.

I am using the binary method:

# Download the binary file to /usr/bin. I downloaded the latest version at the moment. If there are updates in the future, you need to find them in the releases yourself.
cd /usr/bin
wget https://github.com/ihciah/shadow-tls/releases/download/v0.2.23/shadow-tls-x86_64-unknown-linux-musl
# Add execution permissions
chmod +x shadow-tls-x86_64-unknown-linux-musl
# Modify the startup service file:
cat > /etc/systemd/system/shadow-tls.service <<EOF
[Unit]
Description=Shadow-TLS Custom Server Service
Documentation=man:sstls-server(1)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/shadow-tls-x86_64-unknown-linux-musl --v3 server --listen 0.0.0.0:45632 --password I6knDArfHW2TPhRdB7 --server 127.0.0.1:9000 --tls www.bing.com:443

[Install]
WantedBy=multi-user.target
EOF

# In the ExecStart line above: I6knDArfHW2TPhRdB7 is the ShadowTLS password (choose your own), --v3 selects protocol version 3,
# --listen is the port ShadowTLS listens on (45632), which is the port the client must be configured with,
# --server is the address of the encrypted proxy configured above (port 9000),
# --tls is the website whose certificate is used for obfuscation; do not use sites like Google here.
# Then reload systemd and start the service
systemctl daemon-reload
systemctl enable shadow-tls.service
systemctl start shadow-tls.service

4. Configuring the Client

When configuring the client, note that the proxy type (method) is that of the encrypted proxy, such as ss or snell, the port is the ShadowTLS listening port, and the password is the one used by the encrypted proxy. In the separate Shadow-TLS fields, set the version to v3, set the Shadow-TLS password to the password passed to Shadow-TLS at startup, and set the SNI to the website given in the --tls parameter when starting Shadow-TLS.

If you are using Windows, you will need to use sing-box. For specific instructions, please refer to: https://sing-box.sagernet.org/zh/examples/shadowtls/

You will need to write the configuration yourself. I recommend NekoBox, which supports chaining proxies. In its settings, select sing-box as the core, then create the ShadowTLS and ss configurations following the official instructions. ShadowTLS requires a custom outbound configuration; for details, refer to the official manual: https://matsuridayo.github.io/n-configuration/#_13

Here is a partial excerpt:

Example: Using ShadowTLS Server in NekoBox.

  1. Create a custom outbound configuration (Configuration 1).
{
  "type": "shadowtls",
  "tag": "shadowtls-out",
  "server": "server IP address",
  "server_port": 45632,
  "tls": {
    "enabled": true,
    "server_name": "www.bing.com"
  }
}
  2. Create a Shadowsocks outbound configuration (Configuration 2); this one can be created through the visual interface.
  3. Compose the chain proxy in the order Configuration 1, then Configuration 2.
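As an added example (not code from this page, nor from shadow-tls, shadowsocks-rust, sing-box or NekoBox), the following Python script cross-checks the three pieces of configuration described in sections 2 to 4: the Shadowsocks config.json and its docker run line, the shadow-tls ExecStart line, and the sing-box shadowtls outbound. It verifies that the ports and the SNI chain up the way the parameter notes in section 3 and the client description in section 4 require, and it warns when the Shadowsocks port is published on all host interfaces, which leaves it reachable without going through ShadowTLS. The sample inputs are constructed from the values used on this page; the server address 203.0.113.10 and all helper names are assumptions.

```python
"""Consistency check for a Shadowsocks -> ShadowTLS -> client chain.
Hypothetical helper written for this page; not part of shadow-tls,
shadowsocks-rust, sing-box or NekoBox."""
import json
import re
import shlex

# Constructed sample: shadowsocks-rust config.json (section 2).
SS_CONFIG = """{
    "server": "0.0.0.0",
    "server_port": 9000,
    "password": "password0",
    "method": "aes-256-gcm",
    "mode": "tcp_and_udp"
}"""

# Constructed sample: the docker run line that publishes the Shadowsocks port (section 2).
DOCKER_RUN = ("docker run -d -p 9000:9000 -p 9000:9000/udp --name ss-rust --restart=always "
              "-v /etc/shadowsocks-rust:/etc/shadowsocks-rust teddysun/shadowsocks-rust")

# Constructed sample: the [Service] part of the shadow-tls unit (section 3).
UNIT_FILE = """[Service]
Type=simple
ExecStart=/usr/bin/shadow-tls-x86_64-unknown-linux-musl --v3 server --listen 0.0.0.0:45632 --password I6knDArfHW2TPhRdB7 --server 127.0.0.1:9000 --tls www.bing.com:443
"""

# Constructed sample: the sing-box shadowtls outbound (section 4); 203.0.113.10 is a
# documentation address standing in for the real server IP.
CLIENT_OUTBOUND = """{
  "type": "shadowtls",
  "tag": "shadowtls-out",
  "server": "203.0.113.10",
  "server_port": 45632,
  "tls": {"enabled": true, "server_name": "www.bing.com"}
}"""


def host_port(value):
    """Split 'host:port' into (host, int port)."""
    host, _, port = value.rpartition(":")
    return host, int(port)


def parse_exec_start(unit_text):
    """Return the --flag values of the ExecStart= line as a dict, plus the protocol version."""
    match = re.search(r"^ExecStart=(.*)$", unit_text, re.MULTILINE)
    if not match:
        raise ValueError("unit file has no ExecStart= line")
    argv = shlex.split(match.group(1))
    opts = {"version": "v3" if "--v3" in argv else "v2"}
    for flag, value in zip(argv, argv[1:]):
        if flag.startswith("--") and flag != "--v3" and not value.startswith("--"):
            opts[flag[2:]] = value
    return opts


def published_ports(docker_cmd):
    """Return [(host_ip, host_port)] for every -p mapping in a docker run line."""
    argv = shlex.split(docker_cmd)
    result = []
    for flag, value in zip(argv, argv[1:]):
        if flag == "-p":
            parts = value.split("/")[0].split(":")  # drop a trailing /udp
            # hostPort:containerPort binds all interfaces; hostIp:hostPort:containerPort does not
            host_ip = parts[0] if len(parts) == 3 else "0.0.0.0"
            result.append((host_ip, int(parts[-2])))
    return result


def check_chain(ss_json, docker_cmd, unit_text, client_json):
    """Return {'errors': [...], 'warnings': [...]}; no errors means the chain lines up."""
    errors, warnings = [], []
    ss = json.loads(ss_json)
    st = parse_exec_start(unit_text)
    client = json.loads(client_json)
    _, listen_port = host_port(st["listen"])
    _, backend_port = host_port(st["server"])
    tls_host, _ = host_port(st["tls"])

    # shadow-tls --server must point at the Shadowsocks port.
    if backend_port != ss["server_port"]:
        errors.append(f"--server port {backend_port} != shadowsocks server_port {ss['server_port']}")
    # The client dials the shadow-tls listener, never the Shadowsocks port directly.
    if client["server_port"] != listen_port:
        errors.append(f"client server_port {client['server_port']} != --listen port {listen_port}")
    # The client's SNI must name the same site as --tls.
    if client["tls"]["server_name"] != tls_host:
        errors.append(f"client server_name {client['tls']['server_name']!r} != --tls host {tls_host!r}")
    # Publishing the Shadowsocks port on 0.0.0.0 leaves it reachable without ShadowTLS.
    for host_ip, port in published_ports(docker_cmd):
        if port == ss["server_port"] and host_ip not in ("127.0.0.1", "localhost"):
            warnings.append(f"shadowsocks port {port} is published on {host_ip} and reachable directly")
            break
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    report = check_chain(SS_CONFIG, DOCKER_RUN, UNIT_FILE, CLIENT_OUTBOUND)
    for level in ("errors", "warnings"):
        for line in report[level]:
            print(f"{level[:-1].upper()}: {line}")
```

Run against the page's own values, the script reports no errors and one warning: the docker run line publishes port 9000 on every host interface, so the Shadowsocks service can be reached directly as well as through ShadowTLS. Whether that is acceptable depends on the deployment (ShadowTLS carries TCP, so direct UDP use still needs the port); if it is not, publish it as 127.0.0.1:9000:9000 or restrict it with the host firewall.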

By using the chain proxy feature of NekoBox, even if you don't use ShadowTLS, you can forward traffic to your own server through a service provider to avoid the server being banned. If you are interested, you can try the service provider I use, Renzhe Cloud.
