This is probably the most minimal way ever to set up a trojan service; forget the tedious tutorials. Before you start, make sure you at least know how to operate a Linux server over SSH and that you have an overseas server you can reach normally.
Advanced users are better served by the trojan + nginx setup below:
Note: every parameter that needs changing is described below; do not change anything else unless you want things to break…
This article uses AlmaLinux 8.7. For the server OS, AlmaLinux, RockyLinux or another RedHat 8+ based distribution is recommended. Debian should in theory work the same apart from the firewall configuration, but this has not been tested.
① Download sing-box
The official sing-box builds do not include all features, so it has to be compiled yourself.
# Install golang
curl -L https://go.dev/dl/go1.19.3.linux-amd64.tar.gz -o go1.19.3.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.19.3.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin' > /etc/profile.d/golang.sh
source /etc/profile.d/golang.sh
# Compile sing-box
go install -v -tags with_ech,with_utls,with_acme github.com/sagernet/sing-box/cmd/sing-box@dev-next
cp $(go env GOPATH)/bin/sing-box /usr/local/bin/
② Configure trojan
Create the configuration file
mkdir -p /etc/sing-box
vi /etc/sing-box/config.json
Enter the following content and save
{
  "log": {
    "level": "error",
    "output": "/etc/sing-box/error.log",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "trojan",
      "tag": "trojan-in",
      "listen": "0.0.0.0",
      "listen_port": 443,
      "proxy_protocol": true,
      "proxy_protocol_accept_no_header": true,
      "tcp_fast_open": true,
      "udp_fragment": true,
      "users": [
        {
          "name": "mytrojan",
          "password": "123456"
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "10.0.0.1.nip.io",
        "alpn": ["h2", "http/1.1"],
        "min_version": "1.2",
        "max_version": "1.3",
        "cipher_suites": [
          "TLS_CHACHA20_POLY1305_SHA256",
          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
        ],
        "acme": {
          "domain": ["10.0.0.1.nip.io"],
          "data_directory": "/etc/sing-box",
          "email": "[email protected]",
          "provider": "letsencrypt"
        }
      },
      "fallback": {
        "server": "127.0.0.1",
        "server_port": 8080
      }
    }
  ]
}
In the configuration file above, the following 4 parameters must be changed to your own values:
"password": "123456"
"server_name": "10.0.0.1.nip.io",
"domain": ["10.0.0.1.nip.io"],
"email": "[email protected]",
password is the password used when connecting to the trojan service.
server_name and domain are the domain name used when connecting to the trojan service.
Explanation: because trojan connects by disguising itself as a visit to a domain name, the free nip.io DNS service is used to generate a subdomain from the server's public IP. Simply replace the 10.0.0.1 in 10.0.0.1.nip.io with your own server's IP; there is no need to buy a domain and point it at the server. For example, 1.3.5.7.nip.io resolves to the server whose IP is 1.3.5.7, so visiting that name connects to it. sing-box's built-in ACME support then obtains the SSL certificate automatically, which keeps deployment cost down.
email: change it to your own mailbox.
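As an added check that is not part of the original tutorial, the following Python script loads a config.json in the layout above and reports whether the four parameters were actually changed and whether the TLS and fallback settings still match what the tutorial expects. The sample config, the check_trojan_config function and the CHANGE-ME email placeholder are constructed for this example.

```python
import json
import re

# Constructed sample in the tutorial's config.json layout, trimmed to the fields
# the checks read, with the tutorial's placeholder values still in place.
SAMPLE_CONFIG = json.dumps({
    "inbounds": [{
        "type": "trojan", "tag": "trojan-in", "listen": "0.0.0.0", "listen_port": 443,
        "users": [{"name": "mytrojan", "password": "123456"}],
        "tls": {"enabled": True, "server_name": "10.0.0.1.nip.io",
                "min_version": "1.2", "max_version": "1.3",
                "acme": {"domain": ["10.0.0.1.nip.io"], "email": "CHANGE-ME",
                         "provider": "letsencrypt"}},
        "fallback": {"server": "127.0.0.1", "server_port": 8080},
    }]
})


def check_trojan_config(config_text, server_ip):
    """Return a list of problems; an empty list means the config is ready to deploy.

    server_ip is the server's public IP; the expected nip.io name is derived from it.
    """
    cfg = json.loads(config_text)
    problems = []
    trojans = [i for i in cfg.get("inbounds", []) if i.get("type") == "trojan"]
    if not trojans:
        return ["no trojan inbound found"]
    ib = trojans[0]
    expected = f"{server_ip}.nip.io"
    for user in ib.get("users", []):
        if user.get("password") in ("", "123456"):  # the tutorial default must be replaced
            problems.append(f"user {user.get('name')!r} still has the tutorial's placeholder password")
    tls = ib.get("tls", {})
    if not tls.get("enabled"):
        problems.append("tls.enabled is not true")
    if tls.get("server_name") != expected:
        problems.append(f"tls.server_name should be {expected}")
    acme = tls.get("acme", {})
    if acme.get("domain") != [expected]:
        problems.append(f"tls.acme.domain should be [{expected!r}]")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", acme.get("email", "")):
        problems.append("tls.acme.email is not a valid address")
    if tls.get("min_version") not in ("1.2", "1.3"):
        problems.append("tls.min_version permits TLS below 1.2")
    if ib.get("fallback", {}).get("server") != "127.0.0.1":
        problems.append("fallback.server should be 127.0.0.1 (the local fallback site)")
    return problems
```

Run it against the real file with check_trojan_config(open("/etc/sing-box/config.json").read(), "<your server IP>") before starting the service.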
③ Deploy trojan
Create the sing-box service
cat <<EOF> /etc/systemd/system/sing-box.service
[Unit]
Description=sing-box service
Documentation=https://sing-box.sagernet.org
After=network.target nss-lookup.target
[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
ExecStart=/usr/local/bin/sing-box run -c /etc/sing-box/config.json
Restart=on-failure
RestartSec=10s
LimitNOFILE=infinity
[Install]
WantedBy=multi-user.target
EOF
Disable SELinux
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
Disable the firewall
Disabling it is recommended only as a temporary measure; you can also leave the firewall on and open ports 443/80/22 yourself.
# RedHat: disable the firewall
systemctl stop firewalld
systemctl disable firewalld
systemctl stop iptables
systemctl disable iptables
# Debian: disable the firewall
sudo ufw disable
Start the sing-box service
systemctl start sing-box.service
systemctl enable sing-box.service
At this point the trojan service is already usable. If you do not feel like tinkering further, there is no need to read on: just connect to the freshly built trojan server with a client.
Almost every trojan tutorial describes a fallback website. Testing on several servers found no link between active probing of the website and the server IP being blocked. Repeated tests on multiple IPs showed that reverse-proxying trojan behind a web server such as Nginx or Caddy is not required, and putting a web server in front to handle the SSL encryption does not prevent the server IP from being blocked. When trojan is configured correctly, the IP is not blocked even without a web server.
If you want to refine the trojan service, continue with the following steps.
④ Deploy the fallback website
Here caddy is used to return a 503 status, disguising trojan as an overloaded web service.
# Download caddy
curl -L https://github.com/caddyserver/caddy/releases/download/v2.6.2/caddy_2.6.2_linux_amd64.tar.gz -o caddy_2.6.2_linux_amd64.tar.gz
tar -C /usr/local/bin -xzf caddy_2.6.2_linux_amd64.tar.gz caddy
# Configure caddy
mkdir -p /etc/caddy
cat <<EOF> /etc/caddy/Caddyfile
{
    servers 127.0.0.1:8080 {
        protocols h2c h1
    }
}
:8080 {
    bind 127.0.0.1
    encode gzip
    log {
        level ERROR
    }
    respond "Service Unavailable" 503 {
        close
    }
}
EOF
# Deploy caddy
cat <<EOF> /etc/systemd/system/caddy.service
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
EOF
# Start caddy
systemctl start caddy.service
systemctl enable caddy.service
Then restart the sing-box service
systemctl restart sing-box.service
Visit https://x.x.x.x.nip.io (replace x.x.x.x with the server's IP).
If the page returns Service Unavailable, the deployment succeeded.
⑤ Tune system parameters
echo -e '\n\nulimit -SHn 65535\n' >> /etc/profile && source /etc/profile
echo "* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
* soft core 65535
* hard core 65535
* hard memlock unlimited
* soft memlock unlimited
">/etc/security/limits.conf
cat >> /etc/sysctl.conf << EOF
fs.file-max = 65535
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_fin_timeout = 1
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.ip_local_port_range = 1024 65500
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 262144
net.core.netdev_max_backlog = 262144
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_notsent_lowat = 16384
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
EOF
sysctl -p
With that, a minimal trojan server is complete.
For clients that support the trojan protocol, see:
https://www.v2ray.com/awesome/tools.html