Trojan is a relatively new circumvention technology, designed with an approach better suited to local conditions. When it comes to getting through the GFW, people assume that strong encryption and random obfuscation might fool the GFW's filtering. Trojan does the opposite: it imitates HTTPS, the most common protocol on the internet, so that the GFW takes it for HTTPS; since the traffic is entirely HTTPS traffic, it is not identified.
Website: https://trojan-gfw.github.io/trojan/
GitHub: https://github.com/trojan-gfw/trojan
The author provides prebuilt binaries for Windows and Mac; on Ubuntu and Arch it can be installed through the package manager, though Ubuntu needs a PPA added first. On Debian and other distributions you will probably have to build it yourself.
Installing Trojan on Ubuntu:
sudo apt-get install python-software-properties
sudo add-apt-repository ppa:greaterfire/trojan
sudo apt update
sudo apt install trojan
Create the CA certificate:
First install the required tools:
apt install gnutls-bin gnutls-doc
Create the CA template ca.tmpl with the following content (cn and organization can be anything, but to avoid potential problems, the server certificate's cn should be the VPS IP or domain name):
cn = "ff"
organization = "ff"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
Generate the CA key:
certtool --generate-privkey --outfile ca-key.pem
Generate the CA certificate:
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
Create the server certificate template server.tmpl with the following content:
cn = "xxx.xxx.xxx.xxx"
organization = "ff"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
Generate the server certificate key:
certtool --generate-privkey --outfile server-key.pem
Generate the server certificate:
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
The certificate generation steps above follow "Setting up an AnyConnect server" (《搭建 AnyConnect 服务器》). To generate the certificates with openssl instead, see "The process of generating SSL certificates with OpenSSL" (《Openssl 生成 SSL 证书的流程》).
Server configuration file:
{
  "run_type": "server",
  "local_addr": "0.0.0.0",
  "local_port": 443,
  "remote_addr": "127.0.0.1",
  "remote_port": 80,
  "password": [
    "Password1",
    "Password2"
  ],
  "log_level": 1,
  "ssl": {
    "cert": "/.../server-cert.pem",
    "key": "/.../server-key.pem",
    "key_password": "",
    "cipher": "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
    "prefer_server_cipher": true,
    "alpn": [
      "http/1.1"
    ],
    "reuse_session": true,
    "session_timeout": 300,
    "curves": "",
    "sigalgs": "",
    "dhparam": ""
  }
}
Client configuration file:
{
  "run_type": "client",
  "local_addr": "127.0.0.1",
  "local_port": 1080,
  "remote_addr": "你的 VPS 的 IP",
  "remote_port": 443,
  "password": ["Password1"],
  "append_payload": true,
  "log_level": 1,
  "ssl": {
    "verify": true,
    "verify_hostname": true,
    "cert": "ca-cert.pem",
    "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA",
    "sni": "你的 VPS 的 IP",
    "alpn": ["h2", "http/1.1"],
    "reuse_session": true,
    "curves": "",
    "sigalgs": ""
  }
}
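The settings that decide whether the tunnel is actually protected are all visible in the two configs above: the client's verify and verify_hostname flags, the CA cert it verifies against, the sni matching the cn written into the server certificate, the placeholder passwords, and the 3DES and non-forward-secret suites at the tail of both cipher strings. The following is an added example, not code from the Trojan project or from this page: a small Python linter that reads a Trojan config (server or client) as a dict and reports those weaknesses. The 16-character password threshold, the list of markers treated as legacy suites, the loopback-only rule for the SOCKS5 listener, and the two sample configs (using the constructed address 203.0.113.10) are this example's own assumptions.

```python
"""Lint a Trojan config.json for the TLS and credential settings shown above.

Added example; checks are derived from the fields in this page's server and
client configs. Sample configs below are constructed for the demonstration.
"""
import json

# Markers of suites that use 3DES or other legacy primitives (assumption: this list).
WEAK_CIPHER_MARKERS = ("DES-CBC3", "RC4", "NULL", "MD5")

# Only (EC)DHE suites give forward secrecy; plain RSA key transport suites do not.
STRONG_PREFIXES = ("ECDHE-", "DHE-")

# The page's own example passwords and other obvious placeholders.
PLACEHOLDER_PASSWORDS = {"Password1", "Password2", "password", ""}


def weak_ciphers(cipher_string):
    """Return suites in an OpenSSL cipher string that are legacy or lack forward secrecy."""
    bad = []
    for suite in cipher_string.split(":"):
        if not suite or suite.startswith("!"):
            continue  # exclusions such as !DSS are fine
        if any(m in suite for m in WEAK_CIPHER_MARKERS) or not suite.startswith(STRONG_PREFIXES):
            bad.append(suite)
    return bad


def lint_trojan_config(cfg):
    """Return a list of findings (strings); an empty list means no check fired."""
    findings = []
    ssl = cfg.get("ssl", {})
    run_type = cfg.get("run_type")

    # The password list is the shared secret that authenticates clients.
    passwords = cfg.get("password", [])
    if not passwords:
        findings.append("no password configured")
    for pw in passwords:
        if pw in PLACEHOLDER_PASSWORDS or len(pw) < 16:  # 16 is an assumed minimum
            findings.append(f"weak or placeholder password {pw!r}")

    for suite in weak_ciphers(ssl.get("cipher", "")):
        findings.append(f"legacy or non-PFS cipher suite enabled: {suite}")

    if run_type == "client":
        # Without both flags the client accepts any certificate, including a MITM's.
        if not ssl.get("verify", False):
            findings.append("client ssl.verify is false: server certificate is not checked")
        if not ssl.get("verify_hostname", False):
            findings.append("client ssl.verify_hostname is false: certificate subject is not matched")
        if ssl.get("verify") and not ssl.get("cert"):
            findings.append("client ssl.verify is true but no CA cert is given to verify against")
        # The page's server cert carries the VPS IP/domain in its cn; the SNI must match it.
        if ssl.get("sni") and ssl["sni"] != cfg.get("remote_addr"):
            findings.append("ssl.sni differs from remote_addr; hostname verification may fail")
        if cfg.get("local_addr") not in ("127.0.0.1", "::1"):
            findings.append("SOCKS5 listener bound to a non-loopback address; anyone reaching it can use the proxy")
    elif run_type == "server":
        if not ssl.get("cert") or not ssl.get("key"):
            findings.append("server ssl.cert or ssl.key missing")
        if not ssl.get("prefer_server_cipher", False):
            findings.append("prefer_server_cipher is false: client may pick the weakest suite in the list")
    else:
        findings.append(f"unknown run_type {run_type!r}")
    return findings


def lint_file(path):
    """Lint a config.json on disk."""
    with open(path) as f:
        return lint_trojan_config(json.load(f))


# Constructed sample: a client config with the page's weak tail suites and placeholder password.
WEAK_CLIENT = {
    "run_type": "client", "local_addr": "0.0.0.0", "local_port": 1080,
    "remote_addr": "203.0.113.10", "remote_port": 443,
    "password": ["Password1"],
    "ssl": {"verify": False, "verify_hostname": True, "cert": "",
            "cipher": "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA",
            "sni": "example.invalid"},
}

# Constructed sample: the same client config with every finding fixed.
HARDENED_CLIENT = {
    "run_type": "client", "local_addr": "127.0.0.1", "local_port": 1080,
    "remote_addr": "203.0.113.10", "remote_port": 443,
    "password": ["q8Zr2vPm4kLx9TbW3nYd"],
    "ssl": {"verify": True, "verify_hostname": True, "cert": "ca-cert.pem",
            "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305",
            "sni": "203.0.113.10"},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CLIENT), ("hardened", HARDENED_CLIENT)):
        print(name, lint_trojan_config(cfg) or "OK")
```

Run it against a deployed file with lint_file("/path/to/config.json"). An empty result means none of these checks fired, nothing more; the linter is deliberately strict about forward secrecy, so trimming the page's cipher strings down to the ECDHE/DHE AEAD suites at their head is the expected way to silence it.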
Run:
trojan <path to config file>
The client proxy type is SOCKS5. The developer has released clients for the three major operating systems: https://github.com/trojan-gfw/trojan/releases