Trojan-GFW is a newer proxy tool whose selling points are simple configuration, easy use and good speed. This post covers how to build a Trojan server, how to use it, and a few things to watch out for. Last updated 2020-02-15.

johnrosen1/trojan-gfw-script
This script will help you set up a trojan-gfw server in an extremely fast way. - johnrosen1/trojan-gfw-script
trojan-gfw/trojan
An unidentifiable mechanism that helps you bypass GFW. - trojan-gfw/trojan

Trojan features multiple protocols over TLS to avoid both active/passive detections and ISP QoS limitations.

Note 1: Trojan does not use WebSocket and therefore cannot sit behind Cloudflare's CDN. Dropped connections and the like have nothing to do with Trojan-GFW itself; they mean the network path between you and the server is poor.


I. Buying the essentials

(1) Buy a server (VPS)

Google or Baidu will turn up plenty, so I will not go into it (if you have no foreign-currency card, go and get one). Debian 9/10 is the recommended OS; then download Xshell 6 or Termius to connect over SSH. For example:

Kamatera – Performance Cloud Infrastructure
Deploy a High Performance, Production, Worldwide Cloud Infrastructure in less than 60 seconds. Sign Up and Try Now - 30 Days Totally Free.
Their Hong Kong servers work well on China Mobile; promo code 1MONTH300 makes the first month free.
Choose Debian Buster as the OS.

(2) Buy a domain

Trojan needs a domain to work. NameSilo is recommended and any cheap domain will do (many .xyz domains cost only USD 0.99 a year).

Cheap & Cheapest Domain Names | NameSilo
Cheapest Domain Name Registrar. Register and Transfer in your domain names to save money annually. Check out our Domain Prices

(3) Add a DNS record

Once you have the server and the domain, add an A record in the registrar's control panel. For example:

If I bought example.com and want Trojan on the subdomain www.example.com, I enter www as the host prefix and the server's public IP as the value (clear out all of the registrar's default records first).

Note: NameSilo DNS changes can take up to 15 minutes to take effect; be patient.

DNS Checker - DNS Check Propagation Tool
Check DNS Propagation worldwide. DNS Checker provides name server propagation check instantly. Changed nameservers so do a DNS lookup and check if DNS and nameservers have propagated.
Use it to check that your A record has propagated.

II. Connecting to the server

(1) Using Xshell 6 as the example: click New (Alt+N), enter the IP as the host, and under User Authentication on the left enter root and your password.

(2) Click Connect (if you already have a working proxy, add it in the left panel so the SSH session does not drop), then click Accept and Save.


III. Building and configuring the Trojan server

Method 1: my own one-click script (strongly recommended; remember to star it on GitHub!)

apt-get update && apt-get install sudo curl -y && sudo -i
Install the dependencies by hand
sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/johnrosen1/trojan-gfw-script/master/vps.sh)"
Main menu (screenshot)
Other options (screenshot)

Note 1: see the GitHub page for the details. (Do not pick options at random: anything not selected by default is not recommended.) As with any script piped straight into a root shell, fetch it and read it first if you want to know what it does.

Note 2: if you already have a certificate, put it under /etc/trojan/ and the script skips the DNS check, the certificate request and the acme.sh installation.


Method 2: manual setup

1. Install nginx (any other web server also works) and Trojan-GFW

wget https://nginx.org/keys/nginx_signing.key
apt-key add nginx_signing.key
rm -rf nginx_signing.key
touch /etc/apt/sources.list.d/nginx.list
Pull the packages from nginx's official repository (the $(lsb_release -cs) expansion needs the lsb-release package installed):
cat > '/etc/apt/sources.list.d/nginx.list' << EOF
deb https://nginx.org/packages/mainline/debian/ $(lsb_release -cs) nginx
deb-src https://nginx.org/packages/mainline/debian/ $(lsb_release -cs) nginx
EOF
Replace debian with ubuntu in both lines if you run Ubuntu
sudo apt-get update && sudo apt-get install nginx -y
NGINX Docs | Installing NGINX Open Source
Install NGINX Open Source either as a prebuilt package or from source, following step-by-step instructions for all supported Linux distributions.
Nginx performance and security tuning on Linux
Nginx is an open-source, high-performance, high-concurrency web server with simple configuration and is used by a great many sites; that post covers basic performance and security tuning of nginx on Linux.
Refer to that post for nginx.conf
sudo rm -rf /etc/nginx/sites-available/*
sudo rm -rf /etc/nginx/sites-enabled/*
sudo rm -rf /etc/nginx/conf.d/*
sudo touch /etc/nginx/conf.d/trojan.conf
sudo nano /etc/nginx/conf.d/trojan.conf
Create a config file with a new server block:
server {
    listen       80;
    server_name  example.com; # your domain; required (acme.sh's nginx mode relies on it, which keeps renewals simple)
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}
Configuration used before the certificate is requested
sudo nginx -t
Test the configuration; "syntax is ok" and "test is successful" mean it passed
sudo systemctl start nginx
Start nginx once the edit is done
sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install xz-utils -y
sudo bash -c "$(wget -O- https://raw.githubusercontent.com/trojan-gfw/trojan-quickstart/master/trojan-quickstart.sh)"
Install Trojan-GFW (this too pipes a remote script into a root shell; download and read it first if that bothers you)
trojan-gfw/trojan-quickstart
A simple installation script for trojan server. Contribute to trojan-gfw/trojan-quickstart development by creating an account on GitHub.

2. Obtain a free SSL/TLS certificate

Let’s Encrypt - Free SSL/TLS Certificates
Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).

(1) Install acme.sh, which requests and renews Let's Encrypt certificates automatically. Run this whole section as root (the sudo -i above): acme.sh installs itself, its renewal cron job and its state under the home directory of whoever runs it, and the reload command below needs root anyway.

sudo apt-get update && sudo apt-get install curl socat -y && curl https://get.acme.sh | sh
sudo mkdir -p /etc/trojan/

(2) Request the certificate

sudo ~/.acme.sh/acme.sh --issue --nginx -d example.com -k ec-256 --log --reloadcmd "systemctl reload trojan || true"
Replace example.com with your domain; the reload command makes Trojan pick up the new certificate after every renewal

Note: more than 5 failed validations within an hour triggers a temporary block; it lifts an hour later.

Neilpang/acme.sh
A pure Unix shell script implementing ACME client protocol - Neilpang/acme.sh
See the acme.sh wiki for other ways of requesting certificates

(3) Install the certificate

sudo ~/.acme.sh/acme.sh --installcert -d example.com --fullchainpath /etc/trojan/trojan.crt --keypath /etc/trojan/trojan.key --ecc
Replace example.com with your domain
chmod +r /etc/trojan/trojan.key
Make the key readable by the Trojan service. Note that +r makes it world-readable; the tighter option is to chown the key to the account the service runs as (the User= line in the trojan unit file) and set mode 0400.
sudo nano /etc/nginx/conf.d/trojan.conf
server {
    listen 127.0.0.1:80; # sits behind Trojan; serves as the decoy, or can be a real site
    server_name example.com;
    location / {
        root /usr/share/nginx/html/; # default document root
        index index.html; # default html file
    }
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; # HSTS header (browsers reach this block over Trojan's TLS)
}

server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://example.com$request_uri; # 301 redirect to https, keeping the requested path
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444; # drop requests that arrive by bare IP or with a foreign Host header
}
Reference nginx configuration after the certificate is issued. Port 443 belongs to Trojan; any client that fails Trojan's password check is forwarded to 127.0.0.1:80, so only the loopback server block ever serves the site.
sudo nginx -t
Test the configuration; OK means it passed
sudo nginx -s reload
Load the new nginx configuration

Note: edit index.html and the other files under /usr/share/nginx/html/ so the decoy site looks more convincing

3. Set the passwords and the certificate paths

sed -i 's#/path/to/certificate.crt#/etc/trojan/trojan.crt#' /usr/local/etc/trojan/config.json
sed -i 's#/path/to/private.key#/etc/trojan/trojan.key#' /usr/local/etc/trojan/config.json
sed -i 's/password1/yourpasswd1/' /usr/local/etc/trojan/config.json
sed -i 's/password2/yourpasswd2/' /usr/local/etc/trojan/config.json
Automated replacement. Match the whole placeholder: an earlier version of this chain replaced every "path" and every "to" in the file, which only worked because the quickstart template happens to contain no other such strings. Use long random strings for yourpasswd1 and yourpasswd2; the two entries do not need to be the same.
sudo nano /usr/local/etc/trojan/config.json
{
    "run_type": "server",
    "local_addr": "::", // listen on both IPv4 and IPv6
    "local_port": 443,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "password": [
        "password1",
        "password2"
    ],
    "log_level": 1,
    "ssl": {
        "cert": "/etc/trojan/trojan.crt", // certificate path set by the replacement above
        "key": "/etc/trojan/trojan.key", // key path set by the replacement above
        "key_password": "",
        "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",
        "cipher_tls13": "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
        "prefer_server_cipher": true,
        "alpn": [
            "http/1.1"
        ],
        "reuse_session": true,
        "session_ticket": false,
        "session_timeout": 600,
        "plain_http_response": "",
        "curves": "",
        "dhparam": ""
    },
    "tcp": {
        "prefer_ipv4": false,
        "no_delay": true,
        "keep_alive": true,
        "reuse_port": false,
        "fast_open": true,
        "fast_open_qlen": 20
    },
    "mysql": {
        "enabled": false,
        "server_addr": "127.0.0.1",
        "server_port": 3306,
        "database": "trojan",
        "username": "trojan",
        "password": ""
    }
}
Strip the // annotations before saving: JSON itself has no comment syntax. Anything that connects to 443 without a valid Trojan password (that is, anyone probing the server) is handed to remote_addr:remote_port, the loopback nginx site, which is what makes the decoy work.
To disable TLS 1.2 entirely, keep only the TLS 1.3 suites in cipher (OpenSSL is then left with no TLS 1.2 suite to offer). Confirm by forcing a TLS 1.2 handshake against your domain (openssl s_client with -tls1_2): it should fail while a normal connection still succeeds.
Config
An unidentifiable mechanism that helps you bypass GFW.
See the project's config documentation for the details of every field
sudo systemctl restart trojan
sudo systemctl enable trojan

Note: how to view Trojan's logs

journalctl -e -u trojan.service
Press q to quit
sudo nginx -s reload
Use this to reload nginx after later config changes; no output means it worked

Note: once everything is configured, open your domain in a browser; if you see the nginx welcome page, it works!


4. TCP turbo (optional)

What it does: enables BBR and TCP Fast Open and disables slow start after idle, raising throughput and speeding up connection setup.

Note: OpenVZ machines cannot do this unless you ask the provider to change the kernel parameters for you.

Add the settings and apply them:

  cat > '/etc/sysctl.d/99-sysctl.conf' << EOF
# Overrule forwarding behavior. Accept Router Advertisements
net.ipv6.conf.all.accept_ra = 2
# max open files
fs.file-max = 51200
# max read buffer
net.core.rmem_max = 67108864
# max write buffer
net.core.wmem_max = 67108864
# default read buffer
net.core.rmem_default = 65536
# default write buffer
net.core.wmem_default = 65536
# max processor input queue
net.core.netdev_max_backlog = 4096
# max backlog
net.core.somaxconn = 4096
# resist SYN flood attacks
net.ipv4.tcp_syncookies = 1
# reuse timewait sockets when safe
net.ipv4.tcp_tw_reuse = 1
# short FIN timeout
net.ipv4.tcp_fin_timeout = 30
# short keepalive time
net.ipv4.tcp_keepalive_time = 1200
# outbound port range
net.ipv4.ip_local_port_range = 10000 65000
# max timewait sockets held by system simultaneously
net.ipv4.tcp_max_tw_buckets = 5000
# turn on TCP Fast Open on both client and server side
net.ipv4.tcp_fastopen = 3
# TCP receive buffer
net.ipv4.tcp_rmem = 4096 87380 67108864
# TCP write buffer
net.ipv4.tcp_wmem = 4096 65536 67108864
# turn on path MTU discovery
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_max_syn_backlog = 12800
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF
sudo sysctl --system
sysctl -p on its own reads only /etc/sysctl.conf; --system also loads /etc/sysctl.d/. Verify with sysctl net.ipv4.tcp_congestion_control, which should print bbr.

5. Dnsmasq (optional)

What it does: caches DNS answers so repeat visits resolve faster

Note: Trojan-GFW resolves names remotely, i.e. the server's own DNS configuration resolves the sites you visit, so a Dnsmasq cache on the server speeds up repeat visits to sites such as Google.

sudo apt-get install dnsmasq -y
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.bak
The default config is long-winded, so start from a fresh one:
sudo tee '/etc/dnsmasq.conf' > /dev/null << EOF
port=53
domain-needed
bogus-priv
no-resolv
server=8.8.4.4#53
server=1.1.1.1#53
interface=lo
bind-interfaces
cache-size=10000
no-negcache
log-queries
log-facility=/var/log/dnsmasq.log
EOF
Listens on loopback only. (sudo cat > file fails for a non-root user because the redirection is done by your own shell, hence tee.) Upstream queries go to 8.8.4.4 and 1.1.1.1 as plain UDP/53; log-queries records every lookup in /var/log/dnsmasq.log, so drop that line if you do not want the history on disk.
sudo chattr -i /etc/resolv.conf || true
sudo rm -f /etc/resolv.conf
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf > /dev/null
sudo chattr +i /etc/resolv.conf || true
Point the system resolver at the local machine. The immutable flag stops DHCP or resolvconf from overwriting the file; remove it with chattr -i before editing the file again.
sudo systemctl restart dnsmasq
sudo systemctl enable dnsmasq
sudo systemctl status dnsmasq
Start Dnsmasq, enable it at boot and check its status

IV. Client configuration

1. Desktop client (Windows)

(1) Install the Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017 and 2019 (bundled with the official Windows release)

https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads

Takes effect after a reboot

(2) Download the prebuilt release from GitHub and unpack it

trojan-gfw/trojan
An unidentifiable mechanism that helps you bypass GFW. - trojan-gfw/trojan

Open config.json: remote_addr is your server's IP, sni is your server's domain, and password must match one of the server's passwords.

{
    "run_type": "client",
    "local_addr": "127.0.0.1",
    "local_port": 1080,
    "remote_addr": "1.1.1.1", // your server's IP
    "remote_port": 443,
    "password": [
        "example" // your password; must match the server (password1 or password2)
    ],
    "log_level": 1,
    "ssl": {
        "verify": true,
        "verify_hostname": true,
        "cert": "",
        "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA",
        "cipher_tls13":"TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384",
        "sni": "yourdomain", // your domain
        "alpn": [
            "h2",
            "http/1.1"
        ],
        "reuse_session": true,
        "session_ticket": false,
        "curves": ""
    },
    "tcp": {
        "no_delay": true,
        "keep_alive": true,
        "reuse_port": false,
        "fast_open": true,
        "fast_open_qlen": 20
    }
}
Trojan-GFW client config. Leave verify and verify_hostname at true: with them off the client accepts any certificate, and anyone between you and the server could impersonate it. The long cipher list includes CBC/SHA-1 suites, but because the server sets prefer_server_cipher and offers only AEAD suites, those can never actually be negotiated.
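The server listing earlier and the client listing above are easy to get subtly wrong: placeholder passwords left in, `//` notes left in the saved file, a private key made world-readable by chmod +r, or verify flipped to false to silence a certificate error. What follows is an added example written for this post, not code from the trojan project. It audits either kind of config for those problems and prepares a server config by editing the parsed JSON instead of running the sed chain. The two sample configs are constructed, the /etc/trojan/ paths are taken from this post, and the function and finding names are my own.

```python
"""Audit and prepare a trojan-gfw config.json (server or client).

Added example for this post, not code from the trojan project. It assumes the
config layout used above (run_type, password, ssl.cert/key/cipher/verify/sni)
and that a file may still contain the `//` notes from the listings, which a
strict JSON parser rejects. The sample configs below are constructed."""
import json
import re
import secrets
import stat
from typing import List, Optional

PLACEHOLDER_PASSWORDS = {"password1", "password2", "yourpasswd", "example"}

def strip_comments(text: str) -> str:
    """Drop `// ...` to end of line, leaving the `//` of URLs (https://) alone."""
    return re.sub(r"(?m)(?<!:)//.*$", "", text)

def load(text: str) -> dict:
    return json.loads(strip_comments(text))

def weak_suites(cipher_list: str) -> List[str]:
    """TLS 1.2 suites to refuse: 3DES, RC4, NULL, EXPORT, MD5, and the
    CBC/SHA-1 suites, whose OpenSSL names end in a bare '-SHA'."""
    bad = ("DES-CBC3", "RC4", "NULL", "EXPORT", "MD5")
    return [s for s in cipher_list.split(":")
            if s and (s.endswith("-SHA") or any(b in s for b in bad))]

def audit(cfg: dict, key_mode: Optional[int] = None) -> List[str]:
    """Findings for one config; [] means it passed. key_mode is the st_mode of
    the private key file and is only checked for server configs."""
    findings = []
    ssl = cfg.get("ssl", {})
    passwords = cfg.get("password", [])
    for p in passwords:
        if p in PLACEHOLDER_PASSWORDS or len(p) < 16:
            findings.append(f"weak or placeholder password: {p!r}")
    if len(set(passwords)) != len(passwords):
        findings.append("duplicate passwords (what the sed one-liners above produce)")
    run_type = cfg.get("run_type")
    if run_type == "server":
        for s in weak_suites(ssl.get("cipher", "")):
            findings.append(f"server offers weak TLS 1.2 suite {s}")
        if not ssl.get("prefer_server_cipher", False):
            findings.append("prefer_server_cipher is false, so the client's cipher list would decide")
        for field in ("cert", "key"):
            if "/path/to/" in ssl.get(field, ""):
                findings.append(f"ssl.{field} still points at the quickstart placeholder")
        if key_mode is not None and key_mode & stat.S_IROTH:
            findings.append("private key is world readable (this is what chmod +r does)")
    elif run_type == "client":
        if not (ssl.get("verify", False) and ssl.get("verify_hostname", False)):
            findings.append("certificate verification is off: anyone on the path could impersonate the server")
        sni = ssl.get("sni", "")
        if not sni or sni == "yourdomain" or sni == cfg.get("remote_addr"):
            findings.append("sni must be the server's domain, not a placeholder or its IP")
        if cfg.get("local_addr") not in ("127.0.0.1", "::1", "localhost"):
            findings.append("local SOCKS5 listener is not bound to loopback")
    else:
        findings.append(f"unknown run_type {run_type!r}")
    return findings

def prepare_server_config(template_text: str, cert: str, key: str,
                          n_passwords: int = 2) -> dict:
    """What the sed chain above tries to do, done on the parsed JSON: set the
    cert/key paths and replace the placeholder passwords with random 32-char
    tokens (trojan sends a hash of the password, so length costs nothing).
    Write the result with mode 0600; it holds the proxy credentials."""
    cfg = load(template_text)
    cfg["ssl"]["cert"] = cert
    cfg["ssl"]["key"] = key
    cfg["password"] = [secrets.token_urlsafe(24) for _ in range(n_passwords)]
    return cfg

# Constructed samples: the client listing with its `//` notes left in, and the
# quickstart server template before any replacement (192.0.2.0/24 is
# documentation address space).
CLIENT_SAMPLE = """{
    "run_type": "client",
    "local_addr": "127.0.0.1",
    "local_port": 1080,
    "remote_addr": "192.0.2.10", // your server's IP
    "remote_port": 443,
    "password": ["example"],
    "ssl": {"verify": false, "verify_hostname": true, "sni": "yourdomain"}
}"""
SERVER_TEMPLATE = """{
    "run_type": "server",
    "local_addr": "::",
    "local_port": 443,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "password": ["password1", "password2"],
    "ssl": {
        "cert": "/path/to/certificate.crt",
        "key": "/path/to/private.key",
        "cipher": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA",
        "prefer_server_cipher": true
    }
}"""

if __name__ == "__main__":
    for name, text in (("client", CLIENT_SAMPLE), ("server", SERVER_TEMPLATE)):
        for finding in audit(load(text), key_mode=0o644):
            print(f"{name}: {finding}")
    fixed = prepare_server_config(SERVER_TEMPLATE, "/etc/trojan/trojan.crt", "/etc/trojan/trojan.key")
    print("after prepare_server_config:", audit(fixed, key_mode=0o600))
```

Run it against a real file with audit(load(open(path).read()), key_mode=os.stat(keypath).st_mode). The one finding that survives prepare_server_config on the constructed template is the deliberately weak ECDHE-RSA-AES128-SHA suite, which a path-and-password rewrite cannot fix: the server's cipher string has to be edited by hand, as in the listing above.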
Proxy SwitchyOmega
Manage and switch between multiple proxies quickly & easily.
The Omega method (global proxy)

(3) The Trojan client only offers SOCKS5 and cannot split traffic, so it is recommended to put V2Ray in front of it to turn the SOCKS5 proxy into an HTTP proxy with routing rules


{
    "inbounds": [
        {
            "listen": "127.0.0.1",
            "port": 8001,
            "protocol": "http",
            "settings": {
                "timeout": 0,
                "allowTransparent": false,
                "userLevel": 0
            },
            "sniffing": {
                "enabled": true,
                "destOverride": ["http", "tls"]
            }
        },
        {
            "tag": "dns-in",
            "protocol": "dokodemo-door",
            "listen": "127.0.0.1",
            "port": 53,
            "settings": {
                "address": "1.1.1.1",
                "port": 53,
                "network": "udp"
            }
        }
    ],
    "outbounds": [
        {
            "tag": "proxy",
            "protocol": "socks",
            "settings": {
                "servers": [{
                    "address": "127.0.0.1",
                    "port": 1080 // proxy outbound: the local Trojan SOCKS5 listener
                }]
            }
        },
        {
            "tag": "direct",
            "protocol": "freedom", // direct outbound
            "settings": {},
            "streamSettings": {
                "sockopt": {
                    "mark": 255
                }
            }
        },
        {
            "tag": "adblock",
            "protocol": "blackhole", // blackhole outbound
            "settings": {},
            "streamSettings": {
                "sockopt": {
                    "mark": 255
                }
            }
        },
        {
            "protocol": "dns",
            "tag": "dns-out"
        }
    ],
    "routing": {
        "domainStrategy": "IPIfNonMatch",
        "rules": [
            {
                "type": "field",
                "inboundTag": ["dns-in"],
                "outboundTag": "dns-out"
            },
            {
                "type": "field",
                "ip": ["8.8.4.4", "1.1.1.1"],
                "outboundTag": "proxy"
            },
            {
                "type": "field",
                "outboundTag": "direct",
                "ip": ["geoip:private"]
            },
            {
                "type": "field",
                "outboundTag": "direct",
                "ip": ["geoip:cn"]
            },
            {
                "type": "field",
                "outboundTag": "direct",
                "domain": ["geosite:cn"]
            },
            {
                "type": "field",
                "outboundTag": "direct",
                "protocol": ["bittorrent"]
            }
        ]
    },
    "dns": {
        "hosts": {
            "geosite:qihoo360": "0.0.0.0"
        },
        "servers": [
            "1.1.1.1", // foreign names are resolved through the proxy
            {
                "address": "114.114.114.114",
                "port": 53,
                "domains": ["geosite:cn"]
            }
        ]
    }
}
Note: the V2Ray JSON for split routing (V2Ray's loader accepts the // comments). Rules are evaluated top to bottom and the first match wins, which is why the dns-in rule precedes the 1.1.1.1 rule and that one precedes the geoip rules. The adblock outbound is defined but no rule sends anything to it; add a rule with outboundTag adblock if you want to use it.

Double-click trojan.exe to run it; if it exits immediately, install the Microsoft Visual C++ redistributable.

Note: Trojan itself only does global proxying. With V2Ray routing in front of it you get direct connections for domestic sites and proxying for Steam and the like. Run V2Ray and set the system proxy to http://127.0.0.1:8001 (Windows 10: Start > Settings > Proxy > 127.0.0.1:8001; on Linux something like export https_proxy=http://127.0.0.1:8001).

Note: to prevent DNS poisoning or leaks (optional), the V2Ray config above already defines clean DNS servers, split between domestic and foreign names, and listens on 127.0.0.1:53; set the Windows/Linux system DNS server to 127.0.0.1 (the local machine).

Windows settings (screenshot)
Omega settings with V2Ray domestic/foreign split (screenshot)
Windows 10 + V2Ray method, no Omega needed (screenshot)
FelisCatus/SwitchyOmega
Manage and switch between multiple proxies quickly & easily. - FelisCatus/SwitchyOmega

2. Mobile clients

Note: the Android client does not yet support multiple nodes, ad blocking, load balancing and the like.

trojan-gfw/igniter
A trojan client for Android (UNDER CONSTRUCTION). Contribute to trojan-gfw/igniter development by creating an account on GitHub.
Android client
‎Shadowrocket
Rule based proxy utility client for iPhone/iPad. - Capture all HTTP/HTTPS/TCP traffic from any applications on your device, and redirect to the proxy server. - Record and display HTTP, HTTPS, DNS requests from your iOS devices. - Configure rules using domain match, domain suffix, domain keyword, CI…
iOS client

3. OpenWrt with Trojan-GFW

OpenWrt firmware releases by Lenyu
Lenyu's OpenWrt firmware release channel; subscribe! About the firmware: 1. built from Lean's source; the admin UI is at 192.168.1.2, password: password 2. adds a web-based TTYD terminal for running commands 3. kernel 4.14.xxx (xxx being Lean's latest synced version) 4. ships both ssrplus+ and Lienol's package, both of which support Trojan 5. see each release for anything not covered here 6. shared for education and research only; illegal use is at your own risk

4. macOS

Method 1: install Homebrew and run the commands below

Homebrew
The missing package manager for macOS (or Linux).
brew tap trojan-gfw/homebrew-trojan
brew install trojan

then use brew services to start Trojan

Method 2: download the prebuilt binary and run it


5. Raspberry Pi (Ubuntu arm64)

sudo add-apt-repository ppa:greaterfire/trojan
sudo apt-get update && sudo apt-get install trojan -y
sudo nano /etc/trojan/config.json
The config is the same as for the desktop client
Raspberry Pi 4B tinkering notes
Compared with x86-64 servers costing thousands, the Raspberry Pi is cheap. Its CPU is far behind a high-end x86-64 chipset, but for a personal user like me it is more than enough as a home server; if the result is the same, who wants to spend the extra money? That post is my own experience from unboxing through installation and use, for reference only.

V. Friendly reminders

1. Trojan can coexist with an existing website: just let Trojan handle the TLS.

2. Let's Encrypt certificates are valid for three months and renew automatically; nothing to worry about.

3. CAA record (stops other CAs from issuing certificates for your domain)

Set the value to letsencrypt.org (the full record reads 0 issue "letsencrypt.org")

4. Add the domain to the HSTS preload list (recommended)

https://hstspreload.org/

Note: if the check fails on the www subdomain, you can request a wildcard certificate through acme.sh's DNS API mode to pass it.

5. Test SSL/TLS quality

SSL Server Test (Powered by Qualys SSL Labs)
A comprehensive free SSL test for your public web servers.

Trojan's result (screenshot; with only TLS 1.3 enabled the grade is A, which is normal)

6. Trojan-GFW also supports a MySQL backend for user authentication; see:

Authenticator
An unidentifiable mechanism that helps you bypass GFW.

VI. Aside

Trojan cannot save a bad route. -- Lu Xun

Related links

Trojan Channel
https://github.com/trojan-gfw/trojan
JR's daily
You can view and join @johnrosen1 right away.

VII. Revision history

1. First version written 2019-11-27

2. 2019-12-02: added mobile client setup, the official install script, answers to common misconceptions and more.

3. 2019-12-03: added automated deployment commands and updated the comments

4. 2019-12-04: added the Dnsmasq setup and expanded the desktop client section.

5. 2019-12-05: added macOS setup and the HSTS preload recommendation; improved the comments.

6. 2019-12-07: removed the manual setup, keeping only the semi-automated one to keep the post lean.

7. 2019-12-12: added my own one-click script.

8. 2019-12-13: improved the one-click install into a fully automated, fast deployment.

9. 2019-12-28: version bump; updated the server and client configs and added the V2Ray split-routing scheme.

10. 2019-12-31: updated the configs, tidied the layout and added the TLS 1.3-only setup.

11. 2020-01-01: changed the certificate request method to fix automatic renewal

12. 2020-01-03: simplified the manual install

13. 2020-01-08: updated the script screenshots and comments, and the config files