V2Ray Super Proxy

V2Ray has excellent circumvention performance and speed, and its obfuscated traffic is almost featureless, so it passes through the GFW more easily. This article introduces the V2Ray+Caddy combination.

V2Ray: A platform for building proxies that bypass network restrictions, censorship and the GFW.
Caddy: A front-end web server that serves as the deployed proxy's front.

This method builds a real website and hides the proxy behind it, so that using the proxy looks like ordinary browsing of that website. This removes the proxy's characteristic signal and improves its security. The idea was almost impossible to realize until V2Ray was released; since then many netizens have advanced the use of V2Ray, and it has become the best method of circumventing the GFW.

This combination also uses the HTTP/2 (H2) or WebSocket transport protocol together with TLS, the secure transport layer protocol that provides confidentiality and data integrity between the two communicating applications.

1. Preparatory work

(1) A domain name. Freenom is recommended here; registering and setting up domain name resolution is very convenient (see here for the method).

(2) A remote host (VPS) running Debian ≥ 9 (Debian 10 is recommended) or Ubuntu ≥ 16.04; this proxy combination is not applicable to CentOS.

2. Several basic tasks before installing the server

(1) First refer to Preparations: modify the SSH settings of the remote host and set up the firewall. Add the following two rules to the firewall settings:

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Use the following command to edit the firewall settings:

nano /etc/iptables/rules.v4 

Ctrl+X to save changes and exit. Execute the following command to load the rules:

/etc/init.d/netfilter-persistent reload

(2) Update:

apt update && apt -y upgrade

If the terminal screen gets too full, you can use the "clear" command to clear it.

(3) Next, install the dependencies:

a. Install cURL first:

apt install curl -y

I found that I already had the latest version of curl on my system.

b. Install unzip and daemon:

apt install unzip daemon -y

If the screen is full again, use "clear" (Enter) to clear it.

(4) Edit the sysctl.conf configuration file:

To optimize the proxy server and improve its TCP concurrency, the kernel parameters need to be adjusted. Open the file with the following command:

nano /etc/sysctl.conf

Move the cursor to the bottom of the file, onto a line not starting with "#":

Copy and paste the following parameter configuration there:

# max open files
fs.file-max = 51200
# max read buffer
net.core.rmem_max = 67108864
# max write buffer
net.core.wmem_max = 67108864
# default read buffer
net.core.rmem_default = 65536
# default write buffer
net.core.wmem_default = 65536
# max processor input queue
net.core.netdev_max_backlog = 4096
# max backlog
net.core.somaxconn = 4096
# resist SYN flood attacks
net.ipv4.tcp_syncookies = 1
# reuse timewait sockets when safe
net.ipv4.tcp_tw_reuse = 1
# turn off fast timewait sockets recycling
net.ipv4.tcp_tw_recycle = 0
# short FIN timeout
net.ipv4.tcp_fin_timeout = 30
# short keepalive time
net.ipv4.tcp_keepalive_time = 1200
# outbound port range
net.ipv4.ip_local_port_range = 10000 65000
# max SYN backlog
net.ipv4.tcp_max_syn_backlog = 4096
# max timewait sockets held by system simultaneously
net.ipv4.tcp_max_tw_buckets = 5000
# TCP receive buffer
net.ipv4.tcp_rmem = 4096 87380 67108864
# TCP write buffer
net.ipv4.tcp_wmem = 4096 65536 67108864
# turn on path MTU discovery
net.ipv4.tcp_mtu_probing = 1
# for high-latency network
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

Ctrl+X to save changes and exit.

Activate changes:

sysctl -p
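One of the parameters above, net.ipv4.tcp_tw_recycle, was removed from the Linux kernel in 4.12, so on Debian 10 (kernel 4.19) sysctl -p reports "No such file or directory" for that key while still applying the others (sysctl -e -p silences unknown keys). The following shell script is an added example, not part of the tutorial, that lists which keys in a sysctl.conf-style file the running kernel does not expose under /proc/sys, and can apply only the supported ones. The PROCSYS variable and the function names are the example's own; PROCSYS exists so the check can also run against a constructed directory tree.

```sh
#!/bin/sh
# Check a sysctl.conf-style file against the running kernel before `sysctl -p`:
# list every key that /proc/sys does not expose, so a removed parameter (such as
# net.ipv4.tcp_tw_recycle, gone since Linux 4.12) does not surprise you with an
# error. Added example, not part of the tutorial. PROCSYS defaults to the real
# /proc/sys and may point at a constructed tree for testing.

PROCSYS=${PROCSYS:-/proc/sys}

# Print "key value" pairs from the file, dropping comments, blanks and the '='.
sysctl_pairs() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/ /' "$1"
}

# Map a dotted key (net.ipv4.tcp_syncookies) to its /proc/sys path.
key_path() {
    printf '%s/%s\n' "$PROCSYS" "$(printf '%s' "$1" | tr . /)"
}

# Print the keys from the file that the kernel does not provide, one per line.
sysctl_missing_keys() {
    sysctl_pairs "$1" | while read -r key _value; do
        [ -e "$(key_path "$key")" ] || printf '%s\n' "$key"
    done
}

# Summarise: return 0 when every key exists, 1 otherwise.
sysctl_check() {
    missing=$(sysctl_missing_keys "$1")
    if [ -z "$missing" ]; then
        echo "all keys in $1 are supported by this kernel"
        return 0
    fi
    echo "keys in $1 not supported by this kernel (sysctl -p will report them):"
    printf '  %s\n' $missing
    return 1
}

# Apply only the supported keys (needs root); unsupported ones are skipped.
sysctl_apply_supported() {
    sysctl_pairs "$1" | while read -r key value; do
        if [ -e "$(key_path "$key")" ]; then
            sysctl -w "$key=$value"
        fi
    done
}

# Usage: sh sysctl_check.sh sysctl_check /etc/sysctl.conf
if [ "$#" -gt 0 ]; then "$@"; fi
```

Run it as sysctl_check /etc/sysctl.conf after pasting the block above; on a kernel that has dropped a key it names that key, so you can delete the line rather than wonder whether the remaining settings took effect.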

(5) Edit the security limits configuration file (this step is optional):

a. Increase the file limit to 51200:

nano /etc/security/limits.conf

Move the cursor to the bottom of the file, onto a line not starting with "#", and add the following two lines:

* soft nofile 51200
* hard nofile 51200

Ctrl+X to save changes and exit.

b. Set the file limit of the current session to 51200:

ulimit -SHn 51200

c. Edit the permanent configuration file:

nano /etc/profile

Paste the following setting on a blank line:

ulimit -SHn 51200

Ctrl+X to save changes and exit.

3. Install and deploy the proxy server

(1) Install the Caddy

Caddy is a front-end web server that enables HTTPS automatically by default. It is easy to use as the proxy's camouflage website and as a reverse proxy, and it renews SSL certificates automatically. Enter in sequence:

wget -P /usr/local/bin "https://daofa.cyou/c1/caddy.tar"
tar -xvf /usr/local/bin/caddy.tar -C /usr/local/bin
rm /usr/local/bin/caddy.tar

As shown in the picture above, something seems to be wrong; it turns out that one " was missing when pasting the command, so run it again:

To confirm where the caddy file is installed, enter:

whereis caddy

shown as:
caddy: /usr/local/bin/caddy

Give root ownership to prevent other accounts from modifying it. Enter:

chown root:root /usr/local/bin/caddy

Set permissions (root can read, write and execute; other accounts cannot write to it):

chmod 755 /usr/local/bin/caddy

Allow caddy to bind to low-numbered ports. Since caddy will not run as root, use "setcap" so that caddy, as an unprivileged user process, can bind the low-numbered ports the server requires (80 and 443). Enter the following command:

setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy

If the following prompt appears:
setcap: command not found

then you need to install libcap2-bin (if the prompt does not appear, skip this step).
Please enter:

apt install libcap2-bin

Check whether the group and user named www-data already exist.
Enter:

cat /etc/group | grep www-data

Enter:

cat /etc/passwd | grep www-data

Note: If both commands print a line for www-data, the group and user already exist and you do not need to enter the following. If either prints nothing, the group or user does not exist and you need to create them:

groupadd -g 33 www-data
useradd -g www-data --no-user-group --home-dir /var/www --no-create-home --shell /usr/sbin/nologin --system --uid 33 www-data

Create a folder to store caddy's configuration files and another folder to store site certificates managed by caddy:

mkdir /etc/caddy
mkdir /etc/ssl/caddy

Allow root and the www-data group to access the related files, and allow caddy to write to the site certificate folder.

Enter in sequence:

chown -R root:root /etc/caddy
chown -R root:www-data /etc/ssl/caddy
chmod 770 /etc/ssl/caddy

Create the log file.
Enter in sequence:

touch /var/log/caddy.log
chown root:www-data /var/log/caddy.log
chmod 770 /var/log/caddy.log

(2) Create a website

Make a real website in front of the proxy, so that using the proxy looks like ordinary browsing of an encrypted website; this improves security.

First create a directory for your website:

mkdir -p /var/www/html

Let the www-data user and group own the site folders:

chown -R www-data:www-data /var/www

Create an empty caddy configuration file:

touch /etc/caddy/Caddyfile

Add content to the website. There are basically two ways: build a single simple webpage, or build a real, simple website with some content, so that visiting the domain name shows real content.

The cover site lives in the /var/www/html/ directory, and its start file is index.html. Anyone familiar with websites knows that many website templates (themes) and their demos can be found on the Internet. After downloading a template (theme), copy all of its content files (only the files inside, not the template's own top-level directory) into /var/www/html/; the start file index.html must sit directly in the html/ directory, not in a subdirectory, and that is all. The upload can be done with Bitvise SSH Client's SFTP.

If you only create a web page index.html, you can use the following method:

touch /var/www/html/index.html

Edit the web file:

nano /var/www/html/index.html

Copy and paste the source code of some public, copyright-free web page into it, then Ctrl+X to save changes and exit.

(3) Set up the systemd service

Install the systemd service and configure caddy.service. First create an empty caddy.service file:

touch /etc/systemd/system/caddy.service

Open caddy.service in the nano editor:

nano /etc/systemd/system/caddy.service

Copy the following content exactly, then right-click to paste it into the nano editor:

[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

; Do not allow the process to be restarted in a tight loop. If the
; process fails to start, something critical needs to be fixed.
StartLimitIntervalSec=14400
StartLimitBurst=10

[Service]
Restart=on-abnormal

; User and group the process will run as.
User=www-data
Group=www-data

; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy

; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log stdout -log-timestamps=false -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
ExecReload=/bin/kill -USR1 $MAINPID

; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512

; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
PrivateDevices=false
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWritePaths=/etc/ssl/caddy
ReadWriteDirectories=/etc/ssl/caddy

; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

Ctrl+X to save changes and exit.

Set caddy.service permissions:

chown root:root /etc/systemd/system/caddy.service
chmod 644 /etc/systemd/system/caddy.service

Reload systemd to make it detect the newly installed caddy service:

systemctl daemon-reload

(4) Install and configure V2Ray

A solemn reminder to netizens: it is best to install the official version of V2Ray directly, which is the method used in this tutorial; it is a simple command and not complicated. Some one-click installation packages on the Internet save only a few steps but carry special settings, such as embedded advertisements or backdoors, which are not in every netizen's interest. Remember this!

Download the install scripts first, entering in sequence:

curl -O https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh
curl -O https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-dat-release.sh

The script prints info and error messages while it runs; refer to them.

To install and update V2Ray, enter:

bash install-release.sh

Install the newly released geoip.dat and geosite.dat:

bash install-dat-release.sh

Generate a UUID and choose a port (PORT):

The UUID is the pass code of the new version of the V2Ray proxy, a combination of digits and letters (do not use other symbols), such as:

a1199f80-a920-437b-9531-7f86b62533a0
A total of 32 digits and letters in 8-4-4-4-12 groups, joined with hyphens "-"

So how do you generate this UUID?
Method 1: Follow the format above and edit one yourself;
Remember: the format must be correct!

Method 2: Generate one on the v2fly official website
The website is: https://www.v2fly.org/awesome/tools.html

Choose a number between 30000 and 65535 as the port, for example: 33558
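The UUID is the client's credential, so generating it from the system's random source is the safer choice over editing one by hand. The following shell script is an added example, not part of the tutorial, that generates a random RFC 4122 version-4 UUID and a port in the 30000-65535 range and validates both in the format V2Ray expects. It reads /proc/sys/kernel/random/uuid where available and falls back to /dev/urandom; the function names are the example's own.

```sh
#!/bin/sh
# Generate and validate the V2Ray credentials chosen in this step: a random
# RFC 4122 version-4 UUID for the client id and a port in 30000..65535.
# Added example, not part of the tutorial.

# Print a random version-4 UUID (8-4-4-4-12 hex groups).
gen_uuid() {
    if [ -r /proc/sys/kernel/random/uuid ]; then
        cat /proc/sys/kernel/random/uuid
        return
    fi
    hex=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    # Force the version nibble (13th) to 4 and the variant nibble (17th) to 8, 9, a or b.
    case "$(printf '%s' "$hex" | cut -c17)" in
        0|4|8|c) var=8 ;;
        1|5|9|d) var=9 ;;
        2|6|a|e) var=a ;;
        *)       var=b ;;
    esac
    printf '%s-%s-4%s-%s%s-%s\n' \
        "$(printf '%s' "$hex" | cut -c1-8)" \
        "$(printf '%s' "$hex" | cut -c9-12)" \
        "$(printf '%s' "$hex" | cut -c14-16)" \
        "$var" "$(printf '%s' "$hex" | cut -c18-20)" \
        "$(printf '%s' "$hex" | cut -c21-32)"
}

# Return 0 if $1 has the 8-4-4-4-12 hexadecimal layout V2Ray expects.
is_uuid() {
    printf '%s\n' "$1" |
        grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Print a random port in 30000..65535 for the local V2Ray listener.
gen_port() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    echo $((30000 + n % 35536))
}

# Return 0 if $1 is an integer in the tutorial's recommended range.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 30000 ] && [ "$1" -le 65535 ]
}

# Usage: sh v2ray_creds.sh   -> prints "id=<uuid> port=<port>"
if [ "$#" -eq 0 ]; then
    echo "id=$(gen_uuid) port=$(gen_port)"
fi
```

Paste the printed id into the "clients" entry of the server configuration and the port into "port"; is_uuid is the same format check you would apply to a hand-edited value before using it.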

After preparing the UUID and port, you can edit the V2Ray server configuration file.

First back up the original server configuration file:

cp /usr/local/etc/v2ray/config.json /usr/local/etc/v2ray/config.json.bak

Clear the original content and open the configuration file:

rm /usr/local/etc/v2ray/config.json && nano /usr/local/etc/v2ray/config.json

Edit your own v2ray server configuration file:

{
  "log": {
    "loglevel": "warning",
    "error": "/var/log/v2ray/error.log",
    "access": "/var/log/v2ray/access.log"
  },
  "dns": {},
  "stats": {},
  "inbounds": [
    {
      "settings": {
        "clients": [
          {
            "alterId": 64,
            "id": "a1199f80-a920-437b-9531-7f86b62533a0"
          }
        ]
      },
      "port": 33558,
      "tag": "in-0",
      "streamSettings": {
        "security": "tls",
        "httpSettings": {
          "path": "/ppp22",
          "host": [
            "www.dalaoy.ml"
          ]
        },
        "tlsSettings": {
          "certificates": [
            {
              "certificateFile": "/usr/local/etc/v2ray/v2ray.crt",
              "keyFile": "/usr/local/etc/v2ray/v2ray.key"
            }
          ]
        },
        "network": "h2"
      },
      "protocol": "vmess",
      "listen": "127.0.0.1"
    }
  ],
  "outbounds": [
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {}
    },
    {
      "tag": "blocked",
      "protocol": "blackhole",
      "settings": {}
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "outboundTag": "blocked",
        "ip": [
          "geoip:private"
        ],
        "type": "field"
      }
    ]
  },
  "policy": {},
  "reverse": {},
  "transport": {}
}

In the configuration above, replace the UUID and the port (33558) with your own. The "path": "/ppp22" can be changed to anything you like, but remember that it is used again in the Caddy configuration and in the client configuration, and all of them must be the same. The "host" value "www.dalaoy.ml" must be changed to your own domain name.

Ctrl+X to save changes and exit.

(5) Configure and start caddy

First open the configuration file with nano:

nano /etc/caddy/Caddyfile

Then paste the following content, modified for your own setup, into the editor:

http://www.dalaoy.ml {
    redir https://www.dalaoy.ml{url}
}
https://www.dalaoy.ml {
    tls 12345@gmail.com
    log /var/log/caddy.log
    root /var/www/html
    proxy /ppp22 https://localhost:33558 {
        insecure_skip_verify
        header_upstream X-Forwarded-Proto "https"
        header_upstream Host "www.dalaoy.ml"
    }
    header / {
        Strict-Transport-Security "max-age=31536000;"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
    }
}

Note: The domain name, path and port above must be replaced with values consistent with the V2Ray server configuration file created earlier; the email address is the exception, but it must still be changed to your own.

Directions:
a) www.dalaoy.ml: Change to your own domain name. It does not matter whether you put www in front of the domain, i.e. both dalaoy.ml and www.dalaoy.ml are fine, but it must be consistent across all configurations;
b) 12345@gmail.com: Change to your own email (in the screenshot above I replaced it with my own email, ghwtyhdjhgdj5@gmail.com); Caddy will automatically contact Let's Encrypt to obtain the SSL certificate and will renew it automatically before its 90-day expiry;
c) proxy /ppp22 https://localhost:33558
This line performs path splitting and traffic forwarding: traffic received on port 443 under the /ppp22 path is forwarded to port 33558, the port v2ray listens on in the server configuration above;
/ppp22 is the path; it can be just /, or any alphanumeric combination you choose, but it must be the same as the path in the v2ray server configuration file above and in the client configuration later;
The port 33558 was mentioned above; you need to choose one yourself;
d) Caddy will automatically contact Let's Encrypt to obtain an SSL certificate. It stores the certificate and key in the "/etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org/sites/your own domain name/" directory;
e) After the file is saved, caddy immediately sends a certificate request to Let's Encrypt. Usually this completes within a minute, but some people may hit special conditions and have to wait longer.
f) The email is used for the certificate request. With a real address you receive expiry notices, although caddy renews automatically anyway. A non-existent address that conforms to the email format is also acceptable.
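The tutorial stresses three values that must agree between the V2Ray configuration and the Caddyfile: the path, the port, and the domain (the V2Ray "host" entry and Caddy's upstream Host header). The following shell script is an added example, not part of the tutorial, that reads both files and reports any mismatch before the services are started. It assumes the file layout shown above ("path", "port" and a one-entry "host" array in config.json; a proxy <path> https://localhost:<port> line, an https://<domain> { block and header_upstream Host "<domain>" in the Caddyfile), reads the JSON with sed, which is enough for this fixed layout, and the function names are the example's own.

```sh
#!/bin/sh
# Cross-check the V2Ray server config.json against the Caddyfile: the path,
# the port and the domain must agree in both, or Caddy forwards to the wrong
# place and clients only ever see the cover site. Added example, not from the
# tutorial; it assumes the layout used in the tutorial's two files.

# First scalar value of a JSON key: "key": "string" or "key": number.
json_scalar() {   # $1 = file, $2 = key
    sed -n "s/.*\"$2\": *\"\{0,1\}\([^\",]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# First entry of the "host": [ ... ] array (the line after the key).
json_host() {
    sed -n '/"host"/{n;p;}' "$1" | tr -d ' "' | head -n 1
}

# The "proxy <path> <upstream>" directive.
caddy_proxy() {
    awk '$1 == "proxy" { print $2, $3; exit }' "$1"
}

# Domain of the https:// site block.
caddy_site() {
    awk '$1 ~ /^https:\/\// { sub(/^https:\/\//, "", $1); print $1; exit }' "$1"
}

# Value of `header_upstream Host "..."`.
caddy_host_header() {
    awk '$1 == "header_upstream" && $2 == "Host" { gsub(/"/, "", $3); print $3; exit }' "$1"
}

# Compare the two files; print every mismatch and return 1 if there is one.
check_v2ray_caddy() {   # $1 = config.json, $2 = Caddyfile
    cfg=$1 caddyfile=$2 rc=0
    v_path=$(json_scalar "$cfg" path)
    v_port=$(json_scalar "$cfg" port)
    v_host=$(json_host "$cfg")
    set -- $(caddy_proxy "$caddyfile")
    c_path=$1
    c_port=${2##*:}
    c_site=$(caddy_site "$caddyfile")
    c_hdr=$(caddy_host_header "$caddyfile")
    [ "$v_path" = "$c_path" ] || { echo "path: v2ray=$v_path caddy=$c_path"; rc=1; }
    [ "$v_port" = "$c_port" ] || { echo "port: v2ray=$v_port caddy=$c_port"; rc=1; }
    [ "$v_host" = "$c_site" ] || { echo "domain: v2ray=$v_host caddy=$c_site"; rc=1; }
    [ "$v_host" = "$c_hdr" ] || { echo "Host header: v2ray=$v_host caddy=$c_hdr"; rc=1; }
    [ "$rc" -eq 0 ] && echo "config.json and Caddyfile agree: $v_host$v_path -> 127.0.0.1:$v_port"
    return "$rc"
}

# Usage: sh check_v2ray_caddy.sh /usr/local/etc/v2ray/config.json /etc/caddy/Caddyfile
if [ "$#" -eq 2 ]; then check_v2ray_caddy "$1" "$2"; fi
```

A mismatch here is the usual cause of a proxy that "does not connect" while the cover site loads fine: Caddy answers every other path with the website, so a typo in the path or port produces no error on the server side.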

Grant Caddy configuration file permissions:

chown root:root /etc/caddy/Caddyfile
chmod 644 /etc/caddy/Caddyfile

Before starting caddy, reload systemd to make it detect the newly installed caddy service:

systemctl daemon-reload

Enter the following command to start caddy:

systemctl start caddy

Check if caddy is running and listening on ports 80 and 443:

systemctl status caddy

A green "active (running)" line in the output indicates that caddy has started.

Press Ctrl+C to return to the command line.

Set up caddy to start automatically after booting:

systemctl enable caddy

Done.

If caddy does not start normally, you need to check the caddy configuration file "Caddyfile" for errors:

caddy -agree -conf /etc/caddy/Caddyfile

If you want to modify files such as the Caddyfile or caddy.service, use the following commands:

a. Before modifying, generally stop the caddy service first:

caddy -service stop

b. After the modification is complete, reload systemd so that it picks up the changed caddy service:

systemctl daemon-reload

c. Start or restart the caddy service:

caddy -service start
caddy -service restart

d. View the startup status:

systemctl status caddy

e. Uninstall the caddy service (if you no longer need it, or installed it incorrectly, you can uninstall and reinstall it):

caddy -service uninstall

(6) Check whether the SSL certificate is valid and in effect

Here you can check whether the Caddy configuration above took effect and whether the SSL certificate was issued. If no certificate was issued, the proxy cannot be built successfully later.

The check is simple:

Open https://your domain name in the browser, namely:
https://www.dalaoy.ml Note: change to your domain name
Since a redirection was set up, also test whether http is redirected to https:
http://www.dalaoy.ml Note: change to your domain name

If you can open your website and see your own content, SSL has been installed successfully.

Next, associate the SSL certificate established by caddy with V2Ray:

Note: The domain name www.dalaoy.ml in the following command must be changed to your own, and then input in sequence:

ln /etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org/sites/www.dalaoy.ml/www.dalaoy.ml.crt /usr/local/etc/v2ray/v2ray.crt
ln /etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org/sites/www.dalaoy.ml/www.dalaoy.ml.key /usr/local/etc/v2ray/v2ray.key

Modify certificate file permissions:

chown root:root /usr/local/etc/v2ray/v2ray.crt
chown root:root /usr/local/etc/v2ray/v2ray.key
chmod 644 /usr/local/etc/v2ray/v2ray.crt
chmod 644 /usr/local/etc/v2ray/v2ray.key
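Hard links share one inode with Caddy's files, so they keep tracking renewals only if Caddy rewrites the existing files in place; if a renewal creates a new file instead, V2Ray keeps serving the old certificate until the links are re-created. The following shell script is an added example, not part of the tutorial, that checks that the two links still point at Caddy's files, that the key belongs to the certificate, and that the certificate is not about to expire. It uses the tutorial's default paths, needs openssl for the last two checks, and the function and variable names are the example's own.

```sh
#!/bin/sh
# Verify the certificate hand-over from Caddy to V2Ray: the two files under
# /usr/local/etc/v2ray must still be the same inodes as Caddy's (hard links),
# the key must belong to the certificate, and the certificate should not be
# close to expiry. Added example, not from the tutorial; paths are the
# tutorial's defaults and can be overridden through the two variables.

CADDY_SITES=${CADDY_SITES:-/etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org/sites}
V2RAY_DIR=${V2RAY_DIR:-/usr/local/etc/v2ray}

# Return 0 if both paths exist and name the same file (same device and inode).
same_inode() {
    [ -e "$1" ] && [ -e "$2" ] && [ "$1" -ef "$2" ]
}

# Return 0 if the public key in the certificate equals the key's public part.
cert_key_match() {   # $1 = cert PEM, $2 = key PEM
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 if the certificate is still valid for at least $2 days (default 14).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-14} * 86400 )) >/dev/null 2>&1
}

check_v2ray_certs() {   # $1 = domain, e.g. www.dalaoy.ml
    domain=$1 rc=0
    for ext in crt key; do
        src="$CADDY_SITES/$domain/$domain.$ext" dst="$V2RAY_DIR/v2ray.$ext"
        if same_inode "$src" "$dst"; then
            echo "ok: $dst is the same file as $src"
        else
            echo "STALE: $dst is not linked to $src (re-create the link)"; rc=1
        fi
    done
    if cert_key_match "$V2RAY_DIR/v2ray.crt" "$V2RAY_DIR/v2ray.key"; then
        echo "ok: v2ray.key matches v2ray.crt"
    else
        echo "MISMATCH: v2ray.key does not belong to v2ray.crt"; rc=1
    fi
    if cert_valid_for_days "$V2RAY_DIR/v2ray.crt" 14; then
        echo "ok: certificate valid for more than 14 days"
    else
        echo "EXPIRING: certificate expires within 14 days or is unreadable"; rc=1
    fi
    return "$rc"
}

# Usage: sh check_v2ray_certs.sh www.dalaoy.ml
if [ "$#" -eq 1 ]; then check_v2ray_certs "$1"; fi
```

Running it once after the ln commands confirms the links, and running it again after the first renewal (about 60 days in) tells you whether the hard-link approach survives Caddy's renewal on your system; if it reports STALE, re-run the two ln commands and restart v2ray.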

(7) Start and test V2Ray

Enter:

systemctl daemon-reload
systemctl start v2ray

Check if V2Ray is running:

systemctl status v2ray

A green "active (running)" line in the output indicates that v2ray has started.

If you want to modify the V2Ray configuration, you generally need to stop the v2ray service before modifying:

systemctl stop v2ray

After the modification, reload systemd so that it picks up the changed v2ray service:

systemctl daemon-reload

Start or restart the v2ray service:

systemctl start v2ray
systemctl restart v2ray

Check the startup status:

systemctl status v2ray

Remove V2Ray (if you no longer need it, which is common during testing, or when you need to reinstall after a failed installation):

bash install-release.sh --remove

About V2Ray version updates: the V2Ray team continuously updates the v2fly/V2Ray release, fixing problems as they are found and improving the technology. Sometimes a V2Ray setup that has been working well suddenly cannot access the Internet; one possibility is a problem in the old version, and then updating V2Ray to the latest version is all that is needed.

To update the V2Ray version, enter the following commands in sequence:

bash install-release.sh
systemctl daemon-reload
systemctl restart v2ray
systemctl status v2ray

That is the whole server-side tutorial for the V2Ray+Caddy combination. Although the process feels a bit cumbersome, it is not difficult; as long as you follow it step by step, you will get it done.

Please see here for the configuration and use of the client: Client configuration - V2RayN

Note: The original combination method is from allinfa.com