VPN

Everything about VPN technologies and tools

Sep 25, 2024

Subsections of VPN

SmartDNS Proxy

SmartDNS

This method is useful when a service is blocked in your region. Buy a VPS; a $4 VPS is good enough, and an Ubuntu/Debian image is preferable.

  • Install nginx with apt install nginx.
  • Replace the nginx config at /etc/nginx/nginx.conf with the following config. Note that it relays to whatever name the client sends in the TLS SNI (port 443) or the Host header (port 80), so restrict who can reach those ports (firewall rules or nginx allow/deny) rather than leaving the VPS as an open relay.
worker_processes  auto;
worker_rlimit_nofile 35000;
events {
    worker_connections  15000;
    multi_accept off;
}

http {

     access_log /var/log/nginx/access.log;
     error_log /var/log/nginx/error.log;
     server {
            listen 80 default_server;
            listen [::]:80 default_server;
            resolver 8.8.8.8 ipv6=off;
            location / {
                proxy_pass http://$host$request_uri;
            }
    }

}


stream {
   log_format basic '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time';

   access_log /var/log/nginx/access.log basic;
   error_log  /var/log/nginx/error.log error;

   server {
        resolver 1.1.1.1 ipv6=off;
        listen 443;
        ssl_preread on;
        proxy_connect_timeout 5s;
        proxy_pass $ssl_preread_server_name:443;
    }
}
  • Download the source, prebuilt binaries or packages from smartdns.
  • Install it with dpkg, or compile the source to get the binary.
  • Use the following config. You can modify anything you like except the server IP address entries (<VPS_IP_ADDRESS>), which must be the public address of this VPS.
# dns server name, default is host name
# server-name, 
# example:
#   server-name smartdns
#

# whether resolv local hostname to ip address
# resolv-hostname yes

# dns server run user
# user [username]
# example: run as nobody
#   user nobody
#

# Include another configuration options, if -group is specified, only include the rules to specified group.
# conf-file [file] [-group group-name]
# conf-file blacklist-ip.conf
# conf-file whitelist-ip.conf -group office
# conf-file *.conf

# dns server bind ip and port, default dns server port is 53, support binding multi ip and port
# bind udp server
#   bind [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
# bind tcp server
#   bind-tcp [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
# bind tls server
#   bind-tls [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
#   bind-cert-key-file [path to file]
#      tls private key file
#   bind-cert-file [path to file]
#      tls cert file
#   bind-cert-key-pass [password]
#      tls private key password
# bind-https server
#   bind-https [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
# option:
#   -group: set domain request to use the appropriate server group.
#   -no-rule-addr: skip address rule.
#   -no-rule-nameserver: skip nameserver rule.
#   -no-rule-ipset: skip ipset rule or nftset rule.
#   -no-speed-check: do not check speed.
#   -no-cache: skip cache.
#   -no-rule-soa: Skip address SOA(#) rules.
#   -no-dualstack-selection: Disable dualstack ip selection.
#   -no-ip-alias: ignore ip alias.
#   -force-aaaa-soa: force AAAA query return SOA.
#   -force-https-soa: force HTTPS query return SOA.
#   -no-serve-expired: no serve expired.
#   -no-rules: skip all rules.
#   -ipset ipsetname: use ipset rule.
#   -nftset nftsetname: use nftset rule.
# example: 
#  IPV4: 
#    bind :53
#    bind :53@eth0
#    bind :6053 -group office -no-speed-check
#  IPV6:
#    bind [::]:53
#    bind [::]:53@eth0
#    bind-tcp [::]:53
bind <VPS_IP_ADDRESS>:53

# tcp connection idle timeout
# tcp-idle-time [second]

# dns cache size
# cache-size [number]
#   0: for no cache
#   -1: auto set cache size
# cache-size 32768

# dns cache memory size
# cache-mem-size [size]

# enable persist cache when restart
# cache-persist no

# cache persist file
# cache-file /tmp/smartdns.cache

# cache persist time
# cache-checkpoint-time [second]
# cache-checkpoint-time 86400

# prefetch domain
# prefetch-domain [yes|no]
# prefetch-domain yes

# cache serve expired 
# serve-expired [yes|no]
# serve-expired yes

# cache serve expired TTL
# serve-expired-ttl [num]
# serve-expired-ttl 0

# reply TTL value to use when replying with expired data
# serve-expired-reply-ttl [num]
# serve-expired-reply-ttl 30

# List of hosts that supply bogus NX domain results 
# bogus-nxdomain [ip/subnet]

# List of IPs that will be filtered when nameserver is configured -blacklist-ip parameter
# blacklist-ip [ip/subnet]

# List of IPs that will be accepted when nameserver is configured -whitelist-ip parameter
# whitelist-ip [ip/subnet]

# List of IPs that will be ignored
# ignore-ip [ip/subnet]

# alias of IPs
# ip-alias [ip/subnet] [ip1[,ip2]...]
# ip-alias 192.168.0.1/24 10.9.0.1,10.9.0.2

# speed check mode
# speed-check-mode [ping|tcp:port|none|,]
# example:
#   speed-check-mode ping,tcp:80,tcp:443
#   speed-check-mode tcp:443,ping
#   speed-check-mode none

# force AAAA query return SOA
# force-AAAA-SOA [yes|no]

# force specific qtype return soa
# force-qtype-SOA [-,][qtypeid |...]
# force-qtype-SOA [qtypeid|start_id-end_id|,...]
# force-qtype-SOA 65 28 add type 65,28
# force-qtype-SOA 65,28 add type 65,28
# force-qtype-SOA 65-68 add type 65-68
# force-qtype-SOA -,65-68, clear type 65-68
# force-qtype-SOA - clear all type
force-qtype-SOA 65

# Enable IPV4, IPV6 dual stack IP optimization selection strategy
# dualstack-ip-selection-threshold [num] (0~1000)
# dualstack-ip-allow-force-AAAA [yes|no]
# dualstack-ip-selection [yes|no]
# dualstack-ip-selection no

# edns client subnet
# edns-client-subnet [ip/subnet]
# edns-client-subnet 192.168.1.1/24
# edns-client-subnet 8::8/56

# ttl for all resource record
# rr-ttl: ttl for all record
# rr-ttl-min: minimum ttl for resource record
# rr-ttl-max: maximum ttl for resource record
# rr-ttl-reply-max: maximum reply ttl for resource record
# example:
# rr-ttl 300
# rr-ttl-min 60
# rr-ttl-max 86400
# rr-ttl-reply-max 60

# Maximum number of IPs returned to the client|8|number of IPs, 1~16
# example:
# max-reply-ip-num 1

# Maximum number of queries per second|0|number of queries, 0 means no limit.
# example:
# max-query-limit 65535

# response mode
# response-mode [first-ping|fastest-ip|fastest-response]

# set log level
# log-level: [level], level=off, fatal, error, warn, notice, info, debug
# log-file: file path of log file.
# log-console [yes|no]: output log to console.
# log-syslog [yes|no]: output log to syslog.
# log-size: size of each log file, support k,m,g
# log-num: number of logs, 0 means disable log
log-level info

# log-file /var/log/smartdns/smartdns.log
# log-size 128k
# log-num 2
# log-file-mode [mode]: file mode of log file.

# dns audit
# audit-enable [yes|no]: enable or disable audit.
# audit-enable yes
# audit-SOA [yes|no]: enable or disable log soa result.
# audit-size size of each audit file, support k,m,g
# audit-file /var/log/smartdns-audit.log
# audit-console [yes|no]: output audit log to console.
# audit-syslog [yes|no]: output audit log to syslog.
# audit-file-mode [mode]: file mode of audit file.
# audit-size 128k
# audit-num 2

# Support reading dnsmasq dhcp file to resolve local hostname
# dnsmasq-lease-file /var/lib/misc/dnsmasq.leases

# certificate file
# ca-file [file]
# ca-file /etc/ssl/certs/ca-certificates.crt

# certificate path
# ca-path [path]
# ca-path /etc/ssl/certs

# remote udp dns server list
# server [IP]:[PORT]|URL [-blacklist-ip] [-whitelist-ip] [-check-edns] [-group [group] ...] [-exclude-default-group]
# default port is 53
#   -blacklist-ip: filter result with blacklist ip
#   -whitelist-ip: filter result with whitelist ip,  result in whitelist-ip will be accepted.
#   -check-edns: result must exist edns RR, or discard result.
#   g|-group [group]: set server to group, use with nameserver /domain/group.
#   e|-exclude-default-group: exclude this server from default group.
#   p|-proxy [proxy-name]: use proxy to connect to server.
#   b|-bootstrap-dns: set as bootstrap dns server.
#   -set-mark: set mark on packets.
#   -subnet [ip/subnet]: set edns client subnet.
#   -host-ip [ip]: set dns server host ip.
#   -interface [interface]: set dns server interface.
server 8.8.8.8  -group g1
#server 8.8.8.8 -group g2
# server tls://dns.google:853 
# server https://dns.google/dns-query

# remote tcp dns server list
# server-tcp [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-group [group] ...] [-exclude-default-group]
# default port is 53
server-tcp 8.8.8.8 -group g1
#server-tcp 8.8.8.8 -group g2
#server-tcp 18.130.3.145 -group g3
# remote tls dns server list
# server-tls [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
#   -spki-pin: TLS spki pin to verify.
#   -tls-host-verify: cert hostname to verify.
#   -host-name: TLS sni hostname.
#   k|-no-check-certificate: no check certificate.
#   p|-proxy [proxy-name]: use proxy to connect to server.
#   -bootstrap-dns: set as bootstrap dns server.
# Get SPKI with this command:
#    echo | openssl s_client -connect '[ip]:853' | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# default port is 853
# server-tls 8.8.8.8
# server-tls 1.0.0.1

# remote https dns server list
# server-https https://[host]:[port]/path [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
#   -spki-pin: TLS spki pin to verify.
#   -tls-host-verify: cert hostname to verify.
#   -host-name: TLS sni hostname.
#   -http-host: http host.
#   k|-no-check-certificate: no check certificate.
#   p|-proxy [proxy-name]: use proxy to connect to server.
#   -bootstrap-dns: set as bootstrap dns server.
# default port is 443
# server-https https://cloudflare-dns.com/dns-query

# socks5 and http proxy list
# proxy-server URL -name [proxy name]
#   URL: socks5://[username:password@]host:port
#        http://[username:password@]host:port
#   -name: proxy name, use with server -proxy [proxy-name]
# example:
#   proxy-server socks5://alireza:<password>@<proxy-host>:2059 -name proxy
#proxy-server http://127.0.0.1:6660 -name proxy

# specific nameserver to domain
# nameserver [/domain/][group|-]
# nameserver group, set the domain name to use the appropriate server group.
#nameserver /chatgpt.com/g1, #Set the domain name to use the appropriate server group.
# nameserver /www.example.com/-, ignore this domain

# expand ptr record from address record
# expand-ptr-from-address yes

# specific address to domain
# address [/domain/][ip1,ip2|-|-4|-6|#|#4|#6]
# address #, block all A and AAAA request.
# address #6, block all AAAA request.
# address -6, allow all AAAA request.
#5.202.100.100,5.202.100.101,185.55.226.26,185.55.225.25,78.157.42.100,78.157.42.101,91.107.164.5
# address /www.example.com/1.2.3.4,5.6.7.8, return multiple ip addresses
# address /www.example.com/-, ignore address, query from upstream, suffix 4, for ipv4, 6 for ipv6, none for all
# address /www.example.com/#, return SOA to client, suffix 4, for ipv4, 6 for ipv6, none for all

# specific cname to domain
# cname /domain/target

# add srv record, support multiple srv record.
# srv-record /domain/[target][,port][,priority][,weight]
# srv-record /_ldap._tcp.example.com/ldapserver.example.com,389
# srv-record /_ldap._tcp.example.com/

# https-record /domain/[target=][,port=][,priority=][,alph=][,ech=][,ipv4hint=][,ipv6hint=]
# https-record noipv4hint,noipv6hint
# https-record /www.example.com/ipv4hint=192.168.1.2

# enable DNS64 feature
# dns64 [ip/subnet]
# dns64 64:ff9b::/96

# enable ipset timeout by ttl feature
# ipset-timeout [yes]

# specific ipset to domain
# ipset [/domain/][ipsetname|#4:v4setname|#6:v6setname|-|#4:-|#6:-]
# ipset [ipsetname|#4:v4setname|#6:v6setname], set global ipset.
# ipset /www.example.com/block, set ipset with ipset name of block. 
# ipset /www.example.com/-, ignore this domain.
# ipset ipsetname, set global ipset.

# add to ipset when ping is unreachable
# ipset-no-speed ipsetname
# ipset-no-speed pass

# enable nftset timeout by ttl feature
# nftset-timeout [yes|no]
# nftset-timeout yes

# add to nftset when ping is unreachable
# nftset-no-speed [#4:ip#table#set,#6:ipv6#table#setv6]
# nftset-no-speed #4:ip#table#set

# enable nftset debug, check nftset setting result, output log when error.
# nftset-debug [yes|no]
# nftset-debug yes

# specific nftset to domain
# nftset [/domain/][#4:ip#table#set,#6:ipv6#table#setv6]
# nftset [#4:ip#table#set,#6:ipv6#table#setv6] set global nftset.
# nftset /www.example.com/ip#table#set, equivalent to 'nft add element ip table set { ... }'
# nftset /www.example.com/-, ignore this domain
# nftset /www.example.com/#6:-, ignore ipv6
# nftset #6:ip#table#set, set global nftset.

# set ddns domain
# ddns-domain domain

# lookup local network hostname or ip address from mdns
# mdns-lookup [yes|no]
# mdns-lookup no

# set hosts file
# hosts-file [file]

# set domain rules
# domain-rules /domain/ [-speed-check-mode [...]]
# rules:
#   [-c] -speed-check-mode [mode]: speed check mode
#                             speed-check-mode [ping|tcp:port|none|,]
#   [-a] -address [address|-]: same as address option
#   [-n] -nameserver [group|-]: same as nameserver option
#   [-p] -ipset [ipset|-]: same as ipset option
#   [-t] -nftset [nftset|-]: same as nftset option
#   [-d] -dualstack-ip-selection [yes|no]: same as dualstack-ip-selection option
#   [-g|-group group-name]: set domain-rules to group.
#   -no-serve-expired: ignore expired domain
#   -delete: delete domain rule
#   -no-ip-alias: ignore ip alias
#   -no-cache: ignore cache

# collection of domains 
# the domain-set can be used with /domain/ for address, nameserver, ipset, etc.
# domain-set -name [set-name] -type list -file [/path/to/file]
#   [-n] -name [set name]: domain set name
#   [-t] -type [list]: domain set type, list only now
#   [-f] -file [path/to/set]: file path of domain set
# 
# example:
domain-set -name sanction -type list -file /etc/smartdns/proxy.list
address /domain-set:sanction/<VPS_IP_ADDRESS>
nameserver /domain-set:sanction/g1
# ipset /domain-set:domain-list/ipset
# domain-rules /domain-set:domain-list/ -speed-check-mode ping

# set ip rules
# ip-rules ip-cidrs [-ip-alias [...]]
# rules:
#   [-c] -ip-alias [ip1,ip2]: same as ip-alias option
#   [-a] -whitelist-ip: same as whitelist-ip option
#   [-n] -blacklist-ip: same as blacklist-ip option
#   [-p] -bogus-nxdomain: same as bogus-nxdomain option
#   [-t] -ignore-ip: same as ignore-ip option

# collection of IPs 
# the ip-set can be used with /ip-cidr/ for ip-alias, ignore-ip, etc.
# ip-set -name [set-name] -type list -file [/path/to/file]
#   [-n] -name [set name]: ip set name
#   [-t] -type [list]: ip set type, list only now
#   [-f] -file [path/to/set]: file path of ip set
# 
# example:
# ip-set -name ip-list -file /etc/smartdns/ip-list.conf
# bogus-nxdomain ip-set:ip-list
# ip-alias ip-set:ip-list 1.2.3.4
# ip-alias ip-set:ip-list ip-set:ip-map-list

# set client rules
# client-rules [ip-cidr|mac|ip-set] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection]
# client-rules option is same as bind option, please see bind option for detail.

# set group rules
# group-begin [group-name]
# group-match [-g|group group-name] [-domain domain] [-client-ip [ip-cidr|mac|ip-set]]
# group-end

# load plugin
# plugin [path/to/file] [args]
# plugin /usr/lib/smartdns/libsmartdns-ui.so --p 8080 -i 0.0.0.0 -r /usr/share/smartdns/wwwroot
  • Create a domain list at /etc/smartdns/proxy.list and put the bare domain names in it, one per line, without any scheme (https://), path or slash. For instance
asfadfad.com
asfdkanskf.net
...
  • Everything is ready, just start smartdns and nginx ! ;)
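The domain list is the only thing that decides which names resolve to the VPS, so a malformed line (a scheme, a path, a stray capital letter, a duplicate) silently breaks the selective routing. The following shell script is an added example, not code from the page or from the SmartDNS project: it cleans a list in the format described above and rejects every line that is not a bare hostname. The file path is passed as an argument; the output filename in the usage comment is my own choice.

```bash
#!/usr/bin/env bash
# Clean and validate a SmartDNS domain-set list such as /etc/smartdns/proxy.list.
# Added example, not part of the original page or of SmartDNS itself.
# Usage: normalize_domain_list /etc/smartdns/proxy.list > /etc/smartdns/proxy.list.clean

# Emit one lower-case bare hostname per input line; report anything else on stderr.
# Exit status is 1 if at least one line had to be rejected.
_clean_lines() {
    local file="$1" rc=0 line host
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                                  # strip comments
        line="$(printf '%s' "$line" | tr -d '[:space:]')"   # strip whitespace
        [ -z "$line" ] && continue
        host="${line#*://}"        # drop a scheme such as https://
        host="${host%%/*}"         # drop any path
        host="${host%%:*}"         # drop a :port suffix
        host="${host%.}"           # drop a trailing dot (FQDN form)
        host="$(printf '%s' "$host" | tr 'A-Z' 'a-z')"
        # a hostname is dot-separated labels of letters, digits and hyphens with an alphabetic TLD
        if printf '%s' "$host" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'; then
            printf '%s\n' "$host"
        else
            printf 'rejected line: %s\n' "$line" >&2
            rc=1
        fi
    done < "$file"
    return "$rc"
}

# Wrapper: deduplicate the cleaned names (SmartDNS matches a listed domain and
# all of its subdomains, so duplicates only bloat the set) and keep the status.
normalize_domain_list() {
    local tmp status=0
    tmp="$(mktemp)"
    if _clean_lines "$1" > "$tmp"; then status=0; else status=1; fi
    sort -u "$tmp"
    rm -f "$tmp"
    return "$status"
}
```

Run it before restarting smartdns; a non-zero exit means at least one line was rejected and is listed on stderr, so nothing half-valid ends up in the set.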

DNS and Certificate

Acquiring TLS Certificate and Key

If you want to run a website that supports HTTPS you need a TLS certificate for it. I will not delve into the technical details of TLS and HTTPS; this is just about acquiring a free 3-month certificate.

  • Clone the acme.sh repo and cd into that directory.
  • Run acme.sh --issue --server letsencrypt -d 'qharib.ir' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
  • Follow the instructions to add the respective TXT record.
  • Run the same command again with --renew in place of --issue.
  • The certificate and key are then ready under the ~/.acme.sh directory.
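Because the certificate only lasts three months and the manual DNS mode above means nothing renews on its own, the practical check is whether the file under ~/.acme.sh is about to expire. The following shell functions are an added example, not code from the page or from acme.sh; the PEM path is passed as an argument and the 30-day window in the comment is my own choice.

```bash
#!/usr/bin/env bash
# Decide whether a certificate issued with acme.sh needs renewing.
# Added example, not part of the page or of acme.sh; pass the certificate file
# that acme.sh stored under ~/.acme.sh as the first argument.

# Return 0 if the certificate in PEM file $1 expires within $2 days, 1 if it is
# still valid beyond that window. openssl's -checkend takes a number of seconds
# and exits non-zero when the certificate will have expired by then, so no
# date parsing is needed.
cert_expires_within() {
    local pem="$1" days="$2"
    if openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null; then
        return 1    # still valid for the whole window
    else
        return 0    # expires inside the window: run the --renew command
    fi
}

# Print the notAfter date of $1 for logging, e.g. "Dec 31 23:59:59 2024 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Typical use from cron (30 days is a common renewal margin):
#   cert_expires_within ~/.acme.sh/<domain>/fullchain.cer 30 && echo "renew now: $(cert_not_after ...)"
```

The exit status is deliberately inverted relative to openssl so that `cert_expires_within ... && acme.sh --renew ...` reads naturally in a script.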

Running DOH, Plain DNS, and DOT

I use Adguard Home.

  • Run wget --no-verbose -O - https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v (it is worth reading the downloaded script before piping it into sh)
  • It downloads everything that is necessary.
  • Follow the instructions to reach the panel on localhost and adjust its settings.

Running dns-proxy

We use the AdGuard dnsproxy tool to proxy our DNS queries over DoH.

  • Install it from this link.
  • Extract it and run it with the following command, or adjust it based on the project's description.
  • See the complete guide in the project directory; it is thorough and simple ;)
dnsproxy -l <public_ip_of_vps> -p 53 --https-port=443 --tls-crt=/path/crt.crt --tls-key=/path/key.pkcs8.pem -u https://dnsoverhttps.doh/dns-query -b 8.8.8.8:53

Install Common VPN Protocols

OpenVPN and Wireguard

Use the Nyr scripts to install them and manage their users. Download the respective clients from the official sources to avoid further problems.

Openconnect and L2TP/IPSec

  • First install Docker following the DigitalOcean instructions for Ubuntu 22.
  • Run the following commands to start your server; the second command asks for a password for your user (tommy in this example).
docker run --name ocserv --restart always --privileged -p 443:443 -p 443:443/udp -e CA_CN="fqdn.sth" -e CA_ORG="fqdn.sth" -e CA_DAYS=3650 -e SRV_CN=fqdn.sth -e SRV_ORG="fqdn.sth" -e SRV_DAYS=3650 -e NO_TEST_USER=1 -d tommylau/ocserv

docker exec -ti ocserv ocpasswd -c /etc/ocserv/ocpasswd -g "Route,All" tommy 
docker run --name ipsec-vpn-server --restart=always --env-file ./vpn.env  -v /mnt/ikev2-vpn-data:/etc/ipsec.d -v /lib/modules:/lib/modules:ro -p 500:500/udp -p 4500:4500/udp -d --privileged hwdsl2/ipsec-vpn-server
  • Put the following in the vpn.env file, replacing the placeholder values.
VPN_IPSEC_PSK=your_ipsec_pre_shared_key
VPN_USER=your_vpn_username
VPN_PASSWORD=your_vpn_password
  • Use the openconnect client and the native L2TP/IPsec support available on most operating systems.
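The vpn.env file is the single shared secret for every client of that container, so the placeholder values above should never be used as-is and the file should not be world-readable. The following shell functions are an added example, not code from the page or from the hwdsl2 image: they generate a vpn.env with random alphanumeric secrets (alphanumeric only, so no quoting problems can arise when the container reads the file) and check an existing one for the two mistakes that matter, a loose file mode and short secrets. The three variable names are the ones used above; the secret lengths are my own choice.

```bash
#!/usr/bin/env bash
# Generate and check a vpn.env for the ipsec-vpn-server container.
# Added example, not part of the page or of the hwdsl2 project.
# Usage: write_vpn_env ./vpn.env alice && check_vpn_env ./vpn.env 20

# Print $1 random alphanumeric characters drawn from /dev/urandom.
random_token() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Write vpn.env at $1 for user $2. The file is created mode 0600 because it
# holds the IPsec pre-shared key that every client of this server uses.
write_vpn_env() {
    local path="$1" user="$2" psk pass
    psk="$(random_token 32)"
    pass="$(random_token 24)"
    # subshell so the restrictive umask does not leak into the caller's shell
    ( umask 077; printf 'VPN_IPSEC_PSK=%s\nVPN_USER=%s\nVPN_PASSWORD=%s\n' \
        "$psk" "$user" "$pass" > "$path" )
}

# Return 0 if the env file at $1 is owner-only (mode 0600), names a user, and
# both secrets are at least $2 characters long (default 20); 1 otherwise.
check_vpn_env() {
    local path="$1" min="${2:-20}" psk pass
    if [ -z "$(find "$path" -prune -perm 0600 2>/dev/null)" ]; then
        echo "$path: file mode must be 0600" >&2; return 1
    fi
    psk="$(sed -n 's/^VPN_IPSEC_PSK=//p' "$path")"
    pass="$(sed -n 's/^VPN_PASSWORD=//p' "$path")"
    if [ "${#psk}" -lt "$min" ] || [ "${#pass}" -lt "$min" ]; then
        echo "$path: PSK or password shorter than $min characters" >&2; return 1
    fi
    grep -q '^VPN_USER=..*' "$path" || { echo "$path: VPN_USER missing" >&2; return 1; }
}
```

Run check_vpn_env in the same script that starts the container so a weak or exposed env file stops the deployment instead of going unnoticed.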

How to Run a Tor Bridge?

Installing Tor on Debian-based Distros

  • Install apt-transport-https: apt install apt-transport-https
  • Create a new file in /etc/apt/sources.list.d/ named tor.list and add the following entries, replacing <DISTRIBUTION> with your release codename (e.g. jammy for Ubuntu 22.04)
deb     [arch=amd64 signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main
deb-src [arch=amd64 signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main
  • Then add the GPG key used to sign the packages: wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/deb.torproject.org-keyring.gpg >/dev/null
  • Finally run apt update && apt install tor deb.torproject.org-keyring

Configuring Obfs4 Bridge

  • Clone https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird
  • Install gvm (https://github.com/jetsung/golang-install) and the latest Go toolchain.
  • Compile lyrebird following the instructions in its repository, then put the binary in the /usr/local/bin/ directory.
  • Open the /etc/tor/torrc file and add the following lines
RunAsDaemon 1
ORPort 6889
ExtORPort auto
ExitPolicy reject *:*
BridgeRelay 1
PublishServerDescriptor 0
ServerTransportPlugin obfs4 exec /usr/local/bin/lyrebird
ServerTransportListenAddr obfs4 0.0.0.0:<port>
ContactInfo <contact-email>
Nickname FreeBeerPrivate
  • Open /etc/apparmor.d/system_tor and add this line: /usr/local/bin/lyrebird ix,
  • Run sudo apparmor_parser -r /etc/apparmor.d/system_tor
  • Restart tor.service with systemd.
  • Obtain the bridge line and the fingerprint with these two commands: cat /var/lib/tor/pt_state/obfs4_bridgeline.txt and cat /var/lib/tor/fingerprint
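The two files read in the last step still have to be combined by hand into the line that clients paste into their Tor Browser. The following shell function is an added example, not code from the page or from Tor: it fills in the placeholders and refuses to emit anything if the files are not in the shape it expects. That shape is an assumption on my part: obfs4_bridgeline.txt is a commented template whose last line reads "Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=... iat-mode=0", and the fingerprint file holds "<Nickname> <40 hex digits>". The public IP and port are passed in because tor does not know them.

```bash
#!/usr/bin/env bash
# Assemble the distributable obfs4 bridge line from tor's state files.
# Added example, not part of the page or of Tor itself.
# Usage: build_bridge_line <public-ip> <port> \
#            /var/lib/tor/pt_state/obfs4_bridgeline.txt /var/lib/tor/fingerprint

# Print the filled-in bridge line, or return 1 (with a reason on stderr) if
# either file does not look like what tor writes.
build_bridge_line() {
    local ip="$1" port="$2" bridgeline_file="$3" fingerprint_file="$4" template fp
    # the template is the last non-comment, non-blank line of the bridgeline file
    template="$(grep -v '^#' "$bridgeline_file" | grep -v '^[[:space:]]*$' | tail -n 1)"
    # the fingerprint file is "<Nickname> <FINGERPRINT>"; take the second field
    fp="$(awk 'NR == 1 { print $2 }' "$fingerprint_file")"
    case "$template" in
        "Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert="*) ;;
        *) echo "unexpected bridge line template in $bridgeline_file" >&2; return 1 ;;
    esac
    # a relay fingerprint is exactly 40 upper-case hex digits; anything else
    # means the wrong file was passed (the cert value would be silently wrong)
    printf '%s' "$fp" | grep -Eq '^[0-9A-F]{40}$' \
        || { echo "not a relay fingerprint: $fp" >&2; return 1; }
    printf '%s\n' "$template" \
        | sed -e "s/<IP ADDRESS>/$ip/" -e "s/<PORT>/$port/" -e "s/<FINGERPRINT>/$fp/"
}
```

The port must be the one given to ServerTransportListenAddr in torrc, not the ORPort, since clients only ever talk to the obfs4 listener.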

Configuring WebTunnel Bridge

  • You can create a new tor instance with tor-instances create <name>, or reuse the obfs4 instance.
  • Open the instance's torrc file (or the original torrc) and add the following lines
ORPort 36788
ExtORPort auto
ExitPolicy reject *:*
BridgeRelay 1
PublishServerDescriptor 0
ServerTransportPlugin webtunnel exec /usr/local/bin/webtunnel
ServerTransportListenAddr webtunnel 127.0.0.1:15003
ServerTransportOptions webtunnel url=https://domain.sth:443/<sth>
ContactInfo <contact-email>
Nickname sth
  • As for obfs4, allow the binary in AppArmor: open /etc/apparmor.d/system_tor (nano/vi), add the line /usr/local/bin/webtunnel ix, and run sudo apparmor_parser -r /etc/apparmor.d/system_tor
  • Install nginx and add a server block like this
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name domain.sth;
    #ssl on;

    # certificates generated via acme.sh
    ssl_certificate path.crt;
    ssl_certificate_key path.key;

    ssl_session_timeout 15m;

    ssl_protocols TLSv1.2 TLSv1.3;

    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    ssl_prefer_server_ciphers off;

    ssl_session_cache shared:MozSSL:50m;
    #ssl_ecdh_curve secp521r1,prime256v1,secp384r1;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    location = /<sth> {
        proxy_pass http://127.0.0.1:15003;
        proxy_http_version 1.1;

        ### Set WebSocket headers ###
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        ### Set Proxy headers ###
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;

        proxy_redirect     off;
        access_log  off;
        error_log off;
    }

}
  • You can put domain.sth behind a CDN or not ;)

Thanks and Enjoy The Bridge

SniProxy

SniProxy

SniProxy is based on dnsmasq and nginx and works like shecan.ir in Iran.

How to Run ?!

  • Install docker and docker-compose
  • Run with docker-compose up -d
  • Change docker-compose.yml based on your preferences!
  • I try to update the dnsmasq/proxy.conf file based on the internet status of Iran
  • Serving this DNS service to many people can be resource-intensive, so bring a powerful machine
  • I tested it on a 2 GB, 2 CPU VPS and it is OK for me, my family and friends
  • dnsmasq is also limited to the lo interface (localhost)
  • Use AdGuard Home to deploy DoT and DoH, and use it with SniProxy
  • I wrote a script to add all sanctioned domains in Iran into multiple files
  • You can use it to update your domain list
  • I have added a hosts file which helps you block ads, malware, porn, fake-news and gambling websites, like Pi-hole but along with the SniProxy capability
  • You can also check the Steven Black GitHub repo to change the hosts file based on your preferences

Thanks !
