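Installing and Configuring Trojan, a Tool for Circumventing Internet Censorship

GitHub: trojan

Installation

Install trojan by following the official Wiki.

Creating the CA certificate

First install the required tools:
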
apt install gnutls-bin gnutls-doc

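Create a CA template file ca.tmpl with the following content (cn and organization can be anything, but to avoid possible problems, set the cn of the server certificate to the IP or domain name of the VPS):
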
cn = "ff"
organization = "ff"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key

Generate the CA key:

certtool --generate-privkey --outfile ca-key.pem

Generate the CA certificate:

certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

Create the server certificate template:

Create a file server.tmpl with the following content:

cn = "xxx.xxx.xxx.xxx"
organization = "ff"
expiration_days = 3650
signing_key
encryption_key
tls_www_server

Generate the server certificate key:

certtool --generate-privkey --outfile server-key.pem

Generate the server certificate:

certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

Server configuration file:

{
    "run_type": "server",
    "local_addr": "0.0.0.0",
    "local_port": 443,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "password": [
        "Password1",
        "Password2"
    ],
    "log_level": 1,
    "ssl": {
        "cert": "/.../server-cert.pem",
        "key": "/.../server-key.pem",
        "key_password": "",
        "cipher": "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
        "prefer_server_cipher": true,
        "alpn": [
            "http/1.1"
        ],
        "reuse_session": true,
        "session_timeout": 300,
        "curves": "",
        "sigalgs": "",
        "dhparam": ""
    }
}

Settings that need to be changed:

"password": [
"Password1",
"Password2"
]

"cert": "/.../server-cert.pem"

"key": "/.../server-key.pem"

Client configuration file:

{
    "run_type": "client",
    "local_addr": "127.0.0.1",
    "local_port": 1080,
    "remote_addr": "你的 VPS 的 IP",
    "remote_port": 443,
    "password": ["Password1"],
    "append_payload": true,
    "log_level": 1,
    "ssl": {
        "verify": true,
        "verify_hostname": true,
        "cert": "ca-cert.pem",
        "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA",
        "sni": "你的 VPS 的 IP",
        "alpn": [
            "h2",
            "http/1.1"
        ],
        "reuse_session": true,
        "curves": "",
        "sigalgs": ""
    }
}

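Settings that need to be changed:

"remote_addr": "你的 VPS 的 IP" (replace the placeholder with the IP of your VPS)

"cert": "ca-cert.pem" (set this to the certificate you generated)

"sni": "你的 VPS 的 IP" (replace the placeholder with the IP of your VPS)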
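
The settings listed above are the ones that are easy to leave at their sample values. The following is an added example, not part of the original post or of the trojan project: a small audit of a trojan config that flags the sample passwords, non-AEAD cipher suites, and disabled certificate checks on the client. The function names, the abbreviated sample config, and the "AEAD only" criterion are assumptions made for this example.

```python
import json

# Constructed sample: an abbreviated version of the server config shown on this page.
SAMPLE_SERVER = json.loads("""
{
  "run_type": "server",
  "password": ["Password1", "Password2"],
  "ssl": {
    "cert": "/.../server-cert.pem",
    "key": "/.../server-key.pem",
    "cipher": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DES-CBC3-SHA:!DSS"
  }
}
""")
PLACEHOLDER_PASSWORDS = {"Password1", "Password2"}  # sample values from the page
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")           # assumption: only AEAD suites pass


def weak_ciphers(cipher_string):
    """Return the suites in an OpenSSL cipher string that are not AEAD."""
    suites = [s for s in cipher_string.split(":") if s and s[0] not in "!-+"]
    return [s for s in suites if not any(m in s for m in AEAD_MARKERS)]


def audit(config):
    """Return a list of findings for a trojan server or client config dict."""
    findings = []
    ssl = config.get("ssl", {})
    for pw in config.get("password", []):
        if pw in PLACEHOLDER_PASSWORDS:
            findings.append(f"placeholder password still in use: {pw}")
    weak = weak_ciphers(ssl.get("cipher", ""))
    if weak:
        findings.append("non-AEAD cipher suites offered: " + ", ".join(weak))
    if config.get("run_type") == "client":
        for flag in ("verify", "verify_hostname"):
            if ssl.get(flag) is not True:
                findings.append(f"ssl.{flag} is not true; server certificate not fully checked")
        if not ssl.get("cert"):
            findings.append("ssl.cert is empty; the CA generated above is not loaded")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SERVER):
        print(line)
```

To check a real file, pass `json.load(open(path))` to `audit()` for both the server and the client config.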

Running:

See the output of brew info trojan.

macOS client based on ShadowsocksX-NG
