v2ray-vless-tcp-tls

December 21, 2020

This post gives an example v2ray configuration using VLESS, TCP and TLS; it is provided for reference only. Because TLS is used, a certificate has to be configured. A certificate is issued for a domain name, so you need to register a domain, set up its DNS, and point the domain's A record at the IP address of the VPS host.

Example environment

1. Operating system of the VPS host
[root@  ~]# cat /etc/centos-release
CentOS Linux release 8.2.2004 (Core)

2. The Linux firewall is not enabled

Prerequisites

DNS for the domain has already been set up. If the DNS record has not taken effect, obtaining the certificate with certbot will fail.

You can run the nslookup command on your PC to check whether the DNS record has taken effect.

d:\work>nslookup
默认服务器: pdns.dnspod.cn
Address: 119.29.29.29

> baidu.com
服务器: pdns.dnspod.cn
Address: 119.29.29.29

非权威应答:
名称: baidu.com
Addresses: 220.181.38.148
39.156.69.79

>

Install Nginx

Installation command

[root@  ~]# yum install nginx

Start nginx

[root@  ~]# systemctl start nginx

Enable nginx at boot

[root@  ~]# systemctl enable nginx

Other commands

Reload the configuration without restarting nginx

[root@ ~]# nginx -s reload

Check whether nginx is running properly

[root@ ~]# systemctl status nginx

Stop nginx

[root@ ~]# systemctl stop nginx

If nginx is listening on port 443, you may have to stop nginx before obtaining the certificate with certbot, because certbot needs to listen on port 443.

You do not have to configure nginx first: when you run certbot it prompts you for the domain name, and when it finishes it edits the nginx configuration file automatically. Alternatively, edit the nginx configuration first and add the domain; certbot will then ask you which domain to select.

[root@  ~]# vim /etc/nginx/nginx.conf
server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name example.com;  # put your domain name here
  ...
}

Obtain a certificate for the domain

A certificate for a domain can be obtained in several ways; this post uses Let's Encrypt as an example. Let's Encrypt issues free certificates valid for 3 months, which can be renewed. The certbot tool on the VPS can obtain Let's Encrypt certificates.

Install certbot

[root@  ~]# yum install certbot
[root@  ~]# yum install python3-certbot-nginx

Obtain the certificate

Use the certbot --nginx command to obtain the certificate: certbot obtains the certificate automatically and modifies the configuration in /etc/nginx/nginx.conf. certbot certonly only obtains the certificate; you then have to edit the nginx configuration yourself.

[root@  ~]# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): xxx@qq.com  # enter your email address; with certbot --nginx, the email address is one of the parameters for obtaining the domain certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a  # agree to the terms of service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n  # whether to share your email address; no

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: example.com  # if no domain is configured in nginx.conf, you are prompted to enter the domain manually
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1  # enter the number of the domain you want a certificate for
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/nginx.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/nginx.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem	# where the certificate is saved
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem	# where the private key is saved
   Your cert will expire on 2021-02-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

After certbot finishes, you can inspect the changes it made to the nginx configuration.

[root@ ~]# cat /etc/nginx/nginx.conf

The lines in nginx.conf tagged "# managed by Certbot" were added automatically by certbot.

Certificate renewal

Renewal test. This is only a simulation; it does not save any files.

[root@ ~]# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Account registered.
Simulating renewal of an existing certificate for example.com
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Renewal command

[root@ ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
# no certificate renewal was performed
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/example.com/fullchain.pem expires on 2021-02-28 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# Because the certificate has not expired yet, running certbot renew does not renew it; the output lists the expiry date.

Renew the certificate automatically with a Linux cron job

[root@ ~]# cat /etc/crontab 
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

0 0 */1 * * root /usr/bin/certbot renew
# example configuration; verify it yourself

About 20 days before the certificate expires you will receive a reminder email. At that point you can renew it. Just run the command below to renew; there is no need to stop nginx.

[root@localhost ~]# certbot renew --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate for example.com
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded: 
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@localhost ~]#

Install v2ray

Installation command

bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)

Part of the output shown during installation is as follows

# /etc/systemd/system/v2ray.service
[Unit]
Description=V2Ray Service
Documentation=https://www.v2fly.org/
After=network.target nss-lookup.target

[Service]
User=nobody  # the user that v2ray.service runs as
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ExecStart=/usr/local/bin/v2ray -config /usr/local/etc/v2ray/config.json
Restart=on-failure
RestartPreventExitStatus=23

[Install]
WantedBy=multi-user.target

installed: /usr/local/bin/v2ray
installed: /usr/local/bin/v2ctl
installed: /usr/local/share/v2ray/geoip.dat
installed: /usr/local/share/v2ray/geosite.dat
installed: /usr/local/etc/v2ray/config.json  # v2ray's configuration file
installed: /var/log/v2ray/
installed: /var/log/v2ray/access.log
installed: /var/log/v2ray/error.log
installed: /etc/systemd/system/v2ray.service
installed: /etc/systemd/system/v2ray@.service

Generate a UUID manually

1. Generate a UUID with the following Linux command; each run produces a new UUID
[root@  ~]# cat /proc/sys/kernel/random/uuid
fadaabcc-8da0-4d7a-b004-ca54133eed1f

2. Visit the following website to get a UUID directly; every page refresh generates a new one
https://www.uuidgenerator.net/

3. You can also generate one with the v2ray client

Configure the v2ray server

Edit /usr/local/etc/v2ray/config.json. The following is an example; adjust it to your own situation (the // comments are annotations; v2ray's JSON loader accepts them, whereas # comments would make the file unparseable).

[root@  ~]# vim /usr/local/etc/v2ray/config.json
{
    "log": {
        "loglevel": "warning"
    },
    "inbounds": [
        {
            "port": 44388,  // the port v2ray listens on
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "fadaabcc-8da0-4d7a-b004-ca54133eed1f",  // the UUID generated above
                        "level": 0,
                        "email": "love@v2fly.org"
                    }
                ],
                "decryption": "none",
                "fallbacks": [
                    {
                        "dest": 80
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "tls",
                "tlsSettings": {
                    "alpn": [
                        "http/1.1"
                    ],
                    "certificates": [
                        {
                            "certificateFile": "/etc/letsencrypt/live/example.com/fullchain.pem",  // certificate obtained by certbot
                            "keyFile": "/etc/letsencrypt/live/example.com/privkey.pem"  // private key obtained by certbot
                        }
                    ]
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom"
        }
    ]
}

port: the port v2ray listens on; any other port can be used
id: the UUID
certificateFile: path of the certificate file (fullchain.pem)
keyFile: path of the private key file (privkey.pem)

Edit /etc/systemd/system/v2ray.service

[root@  ~]# vim /etc/systemd/system/v2ray.service
User=root

Change
User=nobody
to
User=root
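Running v2ray as root gives the proxy process unrestricted access to the host; the service can instead keep User=nobody if the certificate and key are copied to a location that user can read. The script below is an added example and not part of the original post, of certbot or of v2ray: a certbot deploy hook (assumed path /etc/letsencrypt/renewal-hooks/deploy/v2ray-certs.sh) that installs the renewed files into an assumed directory /usr/local/etc/v2ray/tls readable by the assumed group nobody, then restarts v2ray; certificateFile and keyFile in config.json then point at the copies.

```shell
#!/bin/sh
# Certbot deploy hook (assumed path: /etc/letsencrypt/renewal-hooks/deploy/v2ray-certs.sh).
# Copies the renewed certificate and key where the v2ray service user can read them,
# so v2ray.service can keep User=nobody instead of being changed to User=root.
set -eu

# Arguments: source lineage dir, destination dir, file owner, group of the v2ray user, restart command.
install_v2ray_certs() {
    src_dir="$1"; dest_dir="$2"; owner="$3"; group="$4"; restart_cmd="$5"

    # Directory: the owner can write, the service group can only enter and read it.
    install -d -m 0750 -o "$owner" -g "$group" "$dest_dir"
    # install dereferences the live/ symlinks and writes real copies.
    # 0640: readable by the service group, never world-readable (this matters for the key).
    install -m 0640 -o "$owner" -g "$group" "$src_dir/fullchain.pem" "$dest_dir/fullchain.pem"
    install -m 0640 -o "$owner" -g "$group" "$src_dir/privkey.pem"  "$dest_dir/privkey.pem"

    # v2ray reads the files when it starts, so restart it to serve the new certificate.
    $restart_cmd
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) when it runs a
# deploy hook; when it is unset the script does nothing, so it is safe to source or dry-run.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_v2ray_certs "$RENEWED_LINEAGE" /usr/local/etc/v2ray/tls root nobody "systemctl restart v2ray"
fi
```

Make the hook executable; certbot runs every script in renewal-hooks/deploy/ after a successful renewal, so the cron job above keeps both nginx and v2ray on the current certificate.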

Start v2ray

[root@  ~]# systemctl start v2ray

If you changed the user name in /etc/systemd/system/v2ray.service, starting or restarting v2ray may print the following message; just follow its instructions.

[root@  ~]# systemctl restart v2ray
Warning: The unit file, source configuration file or drop-ins of v2ray.service changed on disk. Run 'systemctl daemon-reload' to reload units.

First run the following command
[root@  ~]# systemctl daemon-reload
then start or restart v2ray
[root@ ~]# systemctl restart v2ray

Enable v2ray at boot

[root@  ~]# systemctl enable v2ray
Created symlink /etc/systemd/system/multi-user.target.wants/v2ray.service → /etc/systemd/system/v2ray.service.

Stop v2ray

[root@  ~]# systemctl stop v2ray

Restart v2ray

[root@  ~]# systemctl restart v2ray

Check the status of v2ray

[root@  ~]# systemctl status v2ray
● v2ray.service - V2Ray Service
   Loaded: loaded (/etc/systemd/system/v2ray.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/v2ray.service.d
           └─10-donot_touch_single_conf.conf
   Active: active (running) since Mon 2020-11-30 09:45:55 UTC; 11s ago
     Docs: https://www.v2fly.org/
 Main PID: 35566 (v2ray)
    Tasks: 6 (limit: 5902)
   Memory: 12.5M
   CGroup: /system.slice/v2ray.service
           └─35566 /usr/local/bin/v2ray -config /usr/local/etc/v2ray/config.json

Nov 30 09:45:55 .hostwindsdns.com systemd[1]: Started V2Ray Service.
Nov 30 09:45:55 .hostwindsdns.com v2ray[35566]: V2Ray 4.33.0 (V2Fly, a community-driven edition of V>
Nov 30 09:45:55 .hostwindsdns.com v2ray[35566]: A unified platform for anti-censorship.
Nov 30 09:45:55 .hostwindsdns.com v2ray[35566]: 2020/11/30 09:45:55 [Info] v2ray.com/core/main/jsone>
Nov 30 09:45:55 .hostwindsdns.com v2ray[35566]: 2020/11/30 09:45:55 [Warning] v2ray.com/core: V2Ray >

Configure the v2ray client

This post uses the Windows client v2rayN as an example. (v2rayN download)

Run v2rayN.exe

"Servers" - "Add [VLESS] server"

(screenshot: Add VLESS server)

Enter the details of the v2ray server

(screenshot: server settings)

Address: your domain name
Port: the port the v2ray server listens on
User ID: the UUID
Flow: supported by newer v2rayN versions; leave it empty here
Encryption: none
Alias: any name you like
Transport protocol: tcp
Camouflage type: none
Camouflage domain: your domain name (or leave it empty)
Path: leave empty
Transport security: tls
Skip certificate verification: false

Click "Settings" in the v2rayN main window

(screenshot: Core basic settings)

On the "Core: basic settings" tab, under "http proxy" choose "Enable PAC and set the system proxy automatically (PAC mode)"; v2rayN will then configure the Windows system proxy automatically.

After configuring v2rayN, double-click the new server in the main window (or select it and press Enter) to activate it.

The bottom of the v2rayN main window shows the IP address and port it listens on.

(screenshot: IP address and port v2ray listens on)

In the Windows proxy settings, "Use setup script" is now turned on and "Script address" has been filled in automatically with the address set by v2ray.

(screenshot: Windows proxy settings)

Enable BBR

Configure BBR according to your VPS operating system; the following is one example.

[root@hwsrv-759060 ~]# cat /etc/sysctl.conf 
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
net.ipv4.tcp_fastopen = 3

[root@hwsrv-759060 ~]# sysctl -p
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_fastopen = 3


References

Client downloads
v2ray
v2rayN
v2ray configuration examples
The nobody user problem
JSON document format

arben

