Wen.jie Blog

Vmess+ws+tls Setup Tutorial

Preface#

I bought a RackNerd VPS and after looking around, I found that it was the most suitable for me. It has low prices, high configurations, large bandwidth, and timely ticket responses. I also happened to catch the Black Friday special offer for 2022 (I don't know why the promotion hasn't ended yet), so I placed an order. I have to mention the advantage of timely ticket responses. Because I hadn't prepared the payment method yet, I created the order first and paid for it two days later. As a result, the machine was stuck in the waiting state after payment. So I opened a ticket and received a quick response. After waiting for about two hours, the machine was set up. I guess it's because of my credit card, they need to check if I'm doing anything suspicious before proceeding.

VPS Configuration#

CPU: 1

Memory: 1 GB

Storage: 17 GB (RAID 10)

Bandwidth: 3 TB/month (1Gbps port)

IPv4: 1 IPv6: 0

$10.98/year

Purchase link:

https://my.racknerd.com/aff.php?aff=7324&pid=358

This configuration is well suited to running a proxy: it costs about $11 per year and comes with 3 TB of monthly bandwidth on a 1 Gbps port. Most importantly, the IP can access TikTok and ChatGPT. It cannot access Netflix, but that can be worked around by using an IPv6 address.

Server Configuration#

The system is Ubuntu 20.04.

1. Update Packages & Upgrade Software#

# Switch to root
sudo -i
# Update Packages
apt update -y
# Upgrade Software
apt upgrade -y

2. Install Common Software#

# Install wget, curl, vim, git, net-tools, lrzsz
apt install wget curl vim git net-tools lrzsz -y

3. Modify System Timezone#

# Check if Shanghai is in the list
timedatectl list-timezones | grep Shanghai
# Set the timezone to Shanghai
sudo timedatectl set-timezone Asia/Shanghai
# Check the system time
date -R

VMess authentication is time-based, so the server and client clocks must be within 90 seconds of each other.

4. Enable TCP BBR Congestion Control Algorithm#

# Download the script. --no-check-certificate disables TLS certificate verification;
# github.com serves a valid certificate, so the flag is unnecessary and better omitted
wget --no-check-certificate -O /opt/bbr.sh https://github.com/teddysun/across/raw/master/bbr.sh
# Make the script executable
chmod 755 /opt/bbr.sh
# Run the script
/opt/bbr.sh

Note: BBR requires kernel version 4.9 or above. Because the kernel was already updated during the upgrade step above, running this script enables BBR without a reboot.

4.1 Check if BBR is successfully enabled

uname -r   # Check the kernel version (must be 4.9 or newer)

sysctl net.ipv4.tcp_available_congestion_control
# Expected output:
# net.ipv4.tcp_available_congestion_control = reno cubic bbr

sysctl net.ipv4.tcp_congestion_control
# Expected output:
# net.ipv4.tcp_congestion_control = bbr

sysctl net.core.default_qdisc
# Expected output:
# net.core.default_qdisc = fq

lsmod | grep bbr
# If the output includes tcp_bbr, BBR is enabled, e.g.:
# tcp_bbr      20480 125

5. Modify SSH Port [Optional]#

The default port 22 is well known and is the one automated brute-force scanners target, so changing the SSH port is recommended.

# Edit the configuration
vim /etc/ssh/sshd_config
# Locate the line around line 15:
#   #Port 22
# Remove the leading '#', change 22 to the desired port number, and save:
#   Port xxxx
# If a firewall such as ufw is active, allow the new port before restarting
# Restart the sshd service
sudo service sshd restart
# To avoid locking yourself out, keep this session open and test a new connection on the new port before closing it
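An added shell example (not from the original post) that makes the port change safer than hand-editing: it rewrites the Port directive in place without leaving duplicates, validates the result with sshd -t before restarting, and opens the new port in ufw when that firewall is active. It assumes Ubuntu 20.04 with OpenSSH, run as root; the function names set_ssh_port, get_ssh_port and apply_ssh_port are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Ubuntu 20.04 + OpenSSH, run as root.
set -eu

# set_ssh_port FILE PORT: rewrite the Port directive in an sshd_config file.
# Handles both the commented default "#Port 22" and an existing "Port N" line,
# and appends a Port line if the file has none, so no duplicates are left behind.
set_ssh_port() {
    file=$1
    port=$2
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$file"
    else
        printf 'Port %s\n' "$port" >> "$file"
    fi
}

# get_ssh_port FILE: print the effective Port value (22 when none is set).
get_ssh_port() {
    awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ {p=$2} END {print (p ? p : 22)}' "$1"
}

# apply_ssh_port PORT: back up and edit the live config, validate it, open the
# firewall port if ufw is active, and only then restart sshd. Keep the current
# session open and test a new connection before closing it.
apply_ssh_port() {
    port=$1
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    set_ssh_port /etc/ssh/sshd_config "$port"
    # sshd -t parses the config without starting a daemon; a broken config
    # would otherwise lock you out after the restart.
    if ! sshd -t; then
        cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
        echo "invalid sshd_config, backup restored" >&2
        return 1
    fi
    if command -v ufw >/dev/null 2>&1 && ufw status | grep -q '^Status: active'; then
        ufw allow "$port"/tcp
    fi
    service sshd restart
}
```

Run it as `apply_ssh_port 2222` (any free port) from a root shell; the two helper functions can be tried on a copy of sshd_config first.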

Set Up Vmess+WebSocket+TLS#

Setting up this proxy requires a domain name and Cloudflare.

1. Add the domain name to Cloudflare's NameServers#

2. Add an A record for the domain name#

This A record provides the disguised address that the proxy is reached through. Do not enable the cloud (proxy) icon before completing step 3.

3. Install the service#

# Download and run the installation script (it runs as root, so read it first)
wget https://git.io/tcp-wss.sh && bash tcp-wss.sh

This script includes:

  • Installing and configuring Nginx

  • Automatically applying an SSL certificate for the domain name

  • Configuring the Vmess protocol

4. Configure Cloudflare#

4.1 Enable SSL/TLS

Path: SSL/TLS → Overview → select Full or Full (strict).


4.2 Purge Cache

Clear the Cloudflare cache: Caching > Configuration > Purge Everything.


4.3 Enable DNS Proxy

Enable the cloud (proxy) icon. The proxy works even if it stays off, but it must not be enabled before running the script, otherwise the installation will fail.


5. Connect to the Proxy#

After successful installation, the terminal will display the configuration parameters:

===========Configuration Parameters=============
Address: ${domain}
Port: 443/8080
UUID: ${v2uuid}
Encryption: aes-128-gcm
Transport Protocol: ws
Path: /${v2path}
Underlying Transport: tls
Note: Port 8080 is a free flow port and does not require tls

Configure the client according to these parameters.


6. Modify Nginx Configuration#

Reading the script's source shows that the root path / only returns "Hello World". If the server's traffic grows, a page of two words consuming that much traffic every day looks suspicious to the firewall. So we change the proxy target of the root path / to a site that plausibly carries a lot of traffic; a self-hosted network disk (cloud drive) site is generally recommended because it matches that traffic profile.

This is the content the script configures automatically:

location / {
    default_type text/plain;
    return 200 "Hello World !";
}

Replace that block with the following. The network disk address https://www.fan-2000.com was picked at random from a Google search.

location / {
    proxy_pass https://www.fan-2000.com;
    proxy_redirect off;
    # Send the upstream hostname as SNI so the upstream TLS handshake succeeds
    proxy_ssl_server_name on;
    # Rewrite every occurrence of the upstream hostname in the response body to our own
    sub_filter_once off;
    sub_filter "fan-2000.com" $server_name;
    proxy_set_header Host "fan-2000.com";
    proxy_set_header Referer $http_referer;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header User-Agent $http_user_agent;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    # Request an uncompressed response; sub_filter cannot rewrite gzip-compressed bodies
    proxy_set_header Accept-Encoding "";
    proxy_set_header Accept-Language "zh-CN";
}

After editing, save and exit, test the configuration, then reload Nginx:

nginx -t && systemctl reload nginx

At this point, the Vmess+ws+tls proxy setup is complete.
