This site provides several tutorials for readers who want to set up their own VPN or SOCKS5 proxy:
Self-built VPN: the classic SoftEther VPN and the newer WireGuard
Self-built SOCKS5 proxy: the simplest SSH-based proxy and the more capable V2Ray proxy
Each has detailed descriptions and screenshots for both the server and the client side, which you can select from the main and sub menus.
The first step in building your own proxy is to rent a VPS (Virtual Private Server). A VPS costing a few dollars a month is enough for personal use. You can search for VPS providers with the keyword "VPS", or choose one through a site that reviews VPS hosting. Use a strong password when registering the VPS account.
Recommended: Vultr VPS rental tutorial (with screenshots)
The VPS operating system is normally Linux. Debian is recommended here because it uses relatively few resources; this article uses Debian and Ubuntu (a Debian-based distribution) as examples. You usually choose and deploy the operating system yourself. After deployment you get a domain name or IP address and must set a strong password. The first task is to log in to the remote VPS; for this we recommend Bitvise SSH Client.
On the Login tab of Bitvise SSH Client, fill in Host (domain or IP), Username (usually root), Port (default 22) and Password (set earlier); you can then log in remotely and open the terminal (shown in the figure below). All server-side steps for the self-built VPN or proxy are carried out in this terminal.
Before building the proxy, do some basic security hardening on the remote host. First, install Fail2Ban to defend against SSH brute-force password guessing. Fail2Ban only limits how many guesses an attacker gets; if you can, also switch SSH to key-based authentication and disable password logins.
Update the system first:
apt-get update
apt-get upgrade -y
You can use the "clear" command to clear the screen.
Then install fail2ban:
apt install -y fail2ban
View fail2ban service status:
systemctl status fail2ban.service
As you can see, the green "active (running)" indicates that the fail2ban service is already running. If this is not the case, you need to start the fail2ban service:
systemctl start fail2ban
Set the fail2ban service to start automatically after booting:
systemctl enable fail2ban
The most critical step is to configure jail.local: open /etc/fail2ban/jail.local in the nano editor.
Because it is a newly created file, it is blank. Copy and paste the following content into it:
[DEFAULT]
bantime = 604800
findtime = 6000

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
Use "Ctrl+X" to save and exit.
When you press "Ctrl+X", "Save modified buffer?" will pop up:
At this time, enter "Y" and press Enter:
You will see that "File Name to Write: /etc/fail2ban/jail.local" pops up again:
Press Enter again to save it.
Finally, restart the fail2ban service:
systemctl restart fail2ban
In the above configuration, maxretry = 3 means that an IP that fails the password three times within findtime (6000 seconds, 100 minutes) is banned from connecting for bantime (604800 seconds, 7 days); the default bantime is only 10 minutes, so this is deliberately harsh on brute forcers. If your SSH daemon listens on another port, change port = 22 to match. On newer Debian and Ubuntu releases that log only to the systemd journal (no rsyslog installed), /var/log/auth.log does not exist and the sshd jail will fail to start; in that case either install rsyslog or use backend = systemd in the [sshd] section instead of logpath. You can simulate an attack yourself: after three failed logins you can no longer connect, and the ban is recorded in the log (in the red box):
Tip: after this test your own computer is banned, so you will have to change your Internet IP (or wait out bantime) before you can log in to the remote host again.
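As an added example (not part of the original tutorial), the following script writes the jail.local shown above into a directory you choose and replays fail2ban's counting rule over a few constructed auth.log lines, so you can see which source IP would be banned at maxretry = 3 without locking yourself out with a live test. The directory argument, the sample log lines and the IP addresses (from documentation ranges) are all made up for the demo; the window check that fail2ban performs with findtime is not re-implemented here.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: write the jail.local from the
# text and replay fail2ban's "maxretry failures from one IP => ban" rule over
# constructed auth.log lines. Paths and sample addresses are assumptions.
set -e

# Write jail.local to "$1/jail.local" (same values as the tutorial) and print its path.
write_jail_local() {
  dir="$1"
  cat > "$dir/jail.local" <<'EOF'
[DEFAULT]
bantime  = 604800
findtime = 6000

[sshd]
enabled  = true
port     = 22
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
EOF
  printf '%s/jail.local\n' "$dir"
}

# Read one "key = value" from a section of jail.local: jail_value FILE SECTION KEY
jail_value() {
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec          { insec = 1; next }
    /^\[/              { insec = 0 }
    insec && $1 == key { print $3; exit }
  ' "$1"
}

# Replay the counting rule on auth.log lines read from stdin: print every
# source IP with at least MAXRETRY "Failed password" lines, sorted.
# (fail2ban additionally requires the failures to fall within findtime;
# the sample below spans a few minutes, so that window is trivially met.)
ban_candidates() {
  awk -v max="$1" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    END { for (ip in fails) if (fails[ip] >= max) print ip }
  ' | sort
}

# Constructed sample log (not a real capture): 198.51.100.7 fails three times,
# 203.0.113.9 fails once, and the legitimate user logs in from 192.0.2.50.
SAMPLE_LOG='Mar  3 10:01:02 vps sshd[1201]: Failed password for root from 198.51.100.7 port 51522 ssh2
Mar  3 10:01:05 vps sshd[1201]: Failed password for root from 198.51.100.7 port 51522 ssh2
Mar  3 10:01:09 vps sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51530 ssh2
Mar  3 10:02:11 vps sshd[1210]: Failed password for root from 203.0.113.9 port 40012 ssh2
Mar  3 10:03:00 vps sshd[1215]: Accepted password for root from 192.0.2.50 port 53000 ssh2'

# Stand-alone demo: write the config to a temp dir, read maxretry back, apply it.
demo() {
  tmp=$(mktemp -d)
  f=$(write_jail_local "$tmp")
  max=$(jail_value "$f" sshd maxretry)
  printf 'maxretry from %s: %s\nIPs fail2ban would ban:\n' "$f" "$max"
  printf '%s\n' "$SAMPLE_LOG" | ban_candidates "$max"
  rm -rf "$tmp"
}
demo
```

On the server itself you would call write_jail_local /etc/fail2ban, then systemctl restart fail2ban, and confirm the jail is up with fail2ban-client status sshd.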
Preparation 2: Set up the firewall
Install iptables-persistent so that the firewall rules are saved to disk and reloaded after a reboot:
apt-get install iptables-persistent
During installation, dialogs ask whether to save the current IPv4 and IPv6 rules; answer Yes to both.
After installation, the current rules are stored in /etc/iptables/rules.v4 and /etc/iptables/rules.v6.
Save the prepared firewall rules in /etc/iptables/rules.v4 (the following command removes the existing rules.v4 and opens a fresh one for editing):
rm /etc/iptables/rules.v4 && nano /etc/iptables/rules.v4
Copy and paste the following settings into it (right-click to paste; Ctrl+V does not paste in this terminal). Note that this rule set only accepts SSH on port 22 and ICMP echo requests; whichever VPN or proxy you set up later needs its own ACCEPT line, and if you have moved SSH to another port, change the 22 before loading the file, or you will lock yourself out:
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
### Flush all rules
-F
### Trusted IP Access
-A INPUT -i lo -j ACCEPT
# Allow the whole private LAN (uncomment if needed)
#-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop invalid TCP flag combinations used by stealth scans
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
-A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
COMMIT
Ctrl+X to save changes and exit.
Execute the following command to load the rules:
With the iptables -L command (add -n to skip slow reverse-DNS lookups), you can see that the rules above have been loaded: