Wednesday, December 11, 2013


                                                        "My Legs Are Weak"
I Cannot Stand


I'm collecting people's tears they cried because they miss you,
They fill the seas and all the lakes,
With memories the wind blew,
I'd run out of jars before a second could pass,
Didn't have enough time with you to turn the hourglass.
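People weep because they miss you, and I gathered their tears
A breeze stirs their memories, which fill the seas and lakes
In an instant I ran out of jars, with no time left to stop the hourglass with you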

Pictures in my head
Suddenly appear
Why d'you have to go away
It's all not very clear.
Picture after picture suddenly appears, and I still do not know why you had to leave

Goodbye sweet angel
Sail away on teary seas
Tattooed the time we had
On my memory
My legs are weak.
Goodbye, dear angel!
Set sail on a sea of tears, with our time together embroidered into memory
I can no longer stand
When I close my eyes I see you,
The dimples in your cheeks,
I forgot to thank you for the things
Cause I didn't see you for weeks
Woke up this morning and hoped for a dream
But reality sat next to me and forced me to believe.
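Closing my eyes, I see your dimples
Weeks apart made me forget to say thank you
I woke this morning hoping it was a dream
But reality was right beside me
And left me no choice but to believe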
Knocked down too soon
Like a skittle on the lanes
The man who took the wrong stop
From life's fast moving train.
Fallen far too soon
Like a wooden pin on the lane
He got off at the wrong stop on life's express train
Goodbye sweet angel
Sail away on teary seas
Tattooed the time we had
On my memory
My legs are weak.
Goodbye, dear angel!
Set sail on a sea of tears, with our time together embroidered into memory
I can no longer stand
Funeral Flowers
Won't make me believe
They can carry out the casket
And I'll still expect to see

You
You
The flowers at the funeral
Cannot make me believe
They carry your urn away
But I still hope to see

Come round tomorrow and tell me all your news
Come over tomorrow and tell me all your news
I don't ask for much from you
Sleep to my lullaby
Only give me one more chance
To say a last goodbye
I do not ask for much; sleep in my cradle
I only ask for one more chance to say a last goodbye to you
So
Then
Goodbye sweet angel
Sail away on teary seas
Tattooed the time we had
On my memory
My legs are weak.
Goodbye, dear angel!
Set sail on a sea of tears
With our time together tattooed into memory
I can no longer stand

Sunday, July 28, 2013

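VPN passthrough on OpenWrt

OpenWrt has a very odd default behaviour: when two or more devices are connected to the same OpenWrt router and each has a PPTP VPN client configured, only one of them can dial the VPN at a time; the other cannot connect no matter what. At first I assumed the VPN server was misconfigured, but when I tested with an ordinary router both devices could dial at the same time, so the server was fine and OpenWrt was the problem. After some googling I found this solution: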

http://wiki.openwrt.org/doc/howto/vpn.nat.pptp

In short, install:
opkg install kmod-ipt-nathelper-extra

If that leaves every client unable to dial, try:
opkg install kmod-ipt-conntrack-extra kmod-nf-conntrack-netlink
opkg install libnetfilter-conntrack

 
A very strange problem; it frustrated me and cost me a lot of time to track down.

Key points for configuring OpenWrt as a repeater

OpenWrt version

Linux OpenWrt 3.9.11 #1 Sat Jul 27 00:14:43 PDT 2013 mips GNU/Linux
Atheros wireless adapter

First, define a virtual network in
/etc/config/network
by adding a wwan interface, i.e. wireless WAN:

config interface 'wwan'
        option proto 'dhcp'

Second, configure the firewall in
/etc/config/firewall
Add the wwan network created above to the wan zone:

 config zone
        option name             wan
        list   network          'wan'
        list   network          'wwan'

Finally, set up the wireless network in sta mode in
/etc/config/wireless

config wifi-iface
        option device   radio0
        option network  wwan
        option mode     sta
        option ssid     wireless-ssid-xxxx
#       option encryption wep
#       option encryption none
        option encryption psk
        option key passwordxxxx

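Then restart networking:
/etc/init.d/network restart
This command restarts core networking, DHCP, the firewall and the wireless network, which is more or less a full system restart.

To sum up, I think the principle is this: first create a wwan network. The name is arbitrary (wwan1 or wwan2 would do) as long as the same name is used in the related settings. The key point is that this new network must be added to the firewall's wan zone; the firewall defines how the internal and external networks talk to each other. Only once these bridges are in place is the wireless adapter's sta (station) mode used to act as the repeater.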

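Next, a few open questions:
Can the existing wired uplink (wan) and the wireless uplink (wwan) be combined for traffic aggregation? nwan?
Can several wireless uplinks (e.g. wwan1, wwan2) be created and all of them combined?

Reference: https://forum.openwrt.org/viewtopic.php?id=39077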



Wednesday, March 13, 2013

Batch ping script

Sometimes, to find out which machines on a LAN are up, you need to ping in bulk. Here is the script:

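#!/bin/bash
# Usage: rangeping 192.168.1   (the first three octets of the network)
ip=$1
for i in $(seq 1 255)
do
  # one echo request per address; the wait for a silent host is ping's default,
  # because the timeout flag differs between ping implementations
  ping -c1 "$ip.$i" | grep "64 bytes from"
done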


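Save it as rangeping, put it in /usr/bin, then:
chmod +x /usr/bin/rangeping

After that, just run:
rangeping 192.168.1

and it pings every address from 192.168.1.1 to 192.168.1.255, printing only the devices that are up, one per line.
The output looks like this: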

64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=15.533 ms
64 bytes from 192.168.1.4: icmp_seq=0 ttl=128 time=13.152 ms
64 bytes from 192.168.1.5: icmp_seq=0 ttl=128 time=14.160 ms
...

If you only want the IP addresses:

rangeping 192.168.1 | awk '{sub(/:$/, "", $4); print $4}'

The output is:

192.168.1.1
192.168.1.4
192.168.1.5

To save the output to a text file, run:

rangeping 192.168.1 >> report.txt


END.

Friday, January 25, 2013

Install Golang and Compile Shadowsocks-go On iPhone


My last blog post covered how to create a SOCKS 5 proxy on the iPhone with shadowsocks-nodejs and the Python version of Shadowsocks. Both work perfectly, except that the nodejs version uses too much RAM and the Python version is a little slow because it lacks gevent. Fortunately someone has written a Go version of Shadowsocks: it is as fast as the nodejs version (maybe faster) but uses very little RAM, so I now use the Go version day to day and keep the nodejs version as a backup. Okay, let's install the Google Go toolchain and compile shadowsocks-go on the iPhone. I believe I am the first person to do this :)

If you want to be lazy, you can download my compiled binary of the shadowsocks-go client; it runs only on a jailbroken iPhone, iPad or iPod Touch.

Install Google Golang on iPhone


  • SSH into the iPhone and run the following commands:


wget http://cydia.radare.org/debs/go_15490_iphoneos-arm.deb

sudo dpkg -i go_15490_iphoneos-arm.deb


  • Now we have the Go language installed. Thanks to +minux ma for porting Golang to iOS, and to @trufae for making a working .deb package; they made it easy to install Go on the iPhone. However, @trufae forgot to sign the package, so we need to sign the binaries after installation.
  • SSH into the iPhone and run:

sudo apt-get install ldid
sudo ldid -s /var/go/bin/go
sudo ldid -s  /var/go/src/cmd/*
sudo ldid -s  /var/go/pkg/obj/cmd/* 

Configure Google Golang on iPhone


  • We need to add go to our PATH and set the GOPATH variable. GNU coreutils can help: it lets us set aliases, PATH, exported variables and so on.

mkdir ~/gosrc
sudo apt-get install coreutils

  • Next, we need to edit /etc/profile.d/coreutils.sh with vim or nano:

sudo vim /etc/profile.d/coreutils.sh

  • Add the following lines and save:


export GOPATH="/var/mobile/gosrc"
export GOROOT="/var/go"
export PATH="/var/go/bin:$PATH"

  • Now apply the settings to the current shell:

source /etc/profile.d/coreutils.sh 

Compile Shadowsocks-go on iPhone


  • Download Shadowsocks-go source code and unzip it:

wget --no-check-certificate https://github.com/shadowsocks/shadowsocks-go/archive/master.zip

unzip master.zip

  • We now have a folder called shadowsocks-go-master in the current directory; a little more work is still needed:

mkdir -p ~/gosrc/src/github.com/shadowsocks/shadowsocks-go

cp -r shadowsocks-go-master/shadowsocks ~/gosrc/src/github.com/shadowsocks/shadowsocks-go/

cd shadowsocks-go-master/cmd/shadowsocks-local/

go build

sudo cp shadowsocks-local /usr/bin/

  • If nothing went wrong, we now have an executable shadowsocks-go client named shadowsocks-local in /usr/bin. We can run it now; it works only on the iPhone.


Run Shadowsocks-go on iPhone


  • First create a config file for shadowsocks-go:

cd ~
touch config.json
vim config.json

  • Copy and paste the following code and save

{

    "server":"your server ip or domain name",

    "server_port":11111,
    "local_port":9090,
    "password":"your password, make this password long and complex enough",
    "timeout":600,
    "method":"rc4"
}


  • Also copy config.json to the server; the server version of shadowsocks-go can be downloaded here:
  • On the server side:

nohup shadowsocks-server -c ~/config.json > /dev/null 2>&1 &

  • Or we can set an alias for this long command:

vim ~/.bashrc
alias sgp="nohup shadowsocks-server -c ~/config.json > /dev/null 2>&1 &"
source ~/.bashrc


  • on iPhone side:

nohup shadowsocks-local -c ~/config.json > /dev/null 2>&1 &

  • Or we can set an alias for this long command:

sudo vim /etc/profile.d/coreutils.sh
alias sgp="nohup shadowsocks-local -c ~/config.json > /dev/null 2>&1 &"
source /etc/profile.d/coreutils.sh

Create PAC file to use shadowsocks-go proxy on iPhone

Please see my last blog post; the steps are the same as for the shadowsocks-nodejs and Python versions.

END
Follow me @cattyhouse




Tuesday, January 22, 2013

Jailbreak iPhone, Linux, OS X, Shadowsocks-nodejs, PAC, GFW, getting over the wall

My last blog post covered getting through the GFW with the Python version of Shadowsocks on a jailbroken iPhone. This time I'm going to talk about a better alternative, Shadowsocks-nodejs. Here we go:


How does it work?


  • Create a Socks 5 proxy inside the iPhone with Shadowsocks-nodejs.
  • Create a PAC file inside the iPhone to tell which connections go through the proxy and which go direct.
  • Create a bash script to add websites to the PAC file, so we don't need to edit the file manually.
  • Assign the PAC file to the WiFi and 3G/EDGE/GPRS networks.
  • PAC on the iPhone is a system-wide proxy; it works for all apps.

How we gonna make it?

1 Create a Socks 5 proxy.


  • Get the Shadowsocks-nodejs code and configure it; see the project homepage.
  • On the server side, we need nodejs installed (find it at nodejs.org), then run:
nohup node server.js > /dev/null 2>&1 &
  • On the iPhone side, we also need to install nodejs; find it in the Cydia store. The version should be 0.6.14, and it works like a charm. Once it is installed, run on the iPhone:
nohup node local.js > /dev/null 2>&1 &
  • Now we have a running Socks 5 proxy inside the iPhone, for example 127.0.0.1:9090

2 Create a PAC file.


  • A basic PAC file is something like this:

function FindProxyForURL(url, host) {  // this is the beginning of PAC file

var XXGFW = "SOCKS 127.0.0.1:9090"; // this defines a variable to look clean and easy to modify

if (
isPlainHostName(host) ||
shExpMatch(host, "*.local") ||
isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
isInNet(dnsResolve(host), "172.16.0.0",  "255.240.0.0") ||
isInNet(dnsResolve(host), "192.168.0.0",  "255.255.0.0") ||
isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0")) {

return "DIRECT";

} // this tells all local site to go DIRECT

if (
//added by hand
dnsDomainIs(host, "gmail.com") ||
dnsDomainIs(host, "blogger.com") ||
dnsDomainIs(host, "blogspot.com") ||
dnsDomainIs(host, "appspot.com") ||
dnsDomainIs(host, "bit.ly") ||
dnsDomainIs(host, "wikipedia.org") ||
dnsDomainIs(host, "twitter.com") ||
dnsDomainIs(host, "facebook.com") ||
dnsDomainIs(host, "google.com.hk") ||
dnsDomainIs(host, "youtube.com")) {

return XXGFW;

} // this tells the listed websites to go our Socks 5 proxy, "||" means OR

else {

return "DIRECT";

} // this tells everything else to go DIRECT

} // this is the end of PAC file

  • Save the above code to autoproxy.pac (for example) and move it to /var/root/ inside the iPhone, and run:

sudo chown mobile:mobile /var/root/autoproxy.pac
sudo chmod 777 /var/root/autoproxy.pac
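
How the host matching in the PAC above behaves on look-alike names, as an added example that is not code from the original post. It assumes dnsDomainIs is the plain suffix comparison of the classic reference PAC helper (the PAC engine on a given device may differ); hostInDomain is a hypothetical stricter helper and the sample hostnames are constructed.

```javascript
// Model of the classic dnsDomainIs helper: true when host ENDS WITH domain.
// Assumption: the PAC engine in use follows this reference behaviour.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Hypothetical stricter helper: the domain itself or a real subdomain only.
function hostInDomain(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const d = domain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

const PROXY = "SOCKS 127.0.0.1:9090";
// Three entries taken from the domain lists on this page.
const PROXIED = ["gmail.com", "t.co", "google.com.hk"];

// Build a FindProxyForURL-style decision around the chosen matcher.
function makeRouter(matcher) {
  return function route(host) {
    for (const domain of PROXIED) {
      if (matcher(host, domain)) return PROXY;
    }
    return "DIRECT";
  };
}

const routeSuffix = makeRouter(dnsDomainIs);   // what the page's PAC does
const routeStrict = makeRouter(hostInDomain);  // label-boundary matching

// Constructed hostnames: two intended matches, two look-alikes, one unrelated.
const SAMPLE_HOSTS = [
  "gmail.com", "mail.gmail.com", "notgmail.com", "budget.co", "example.org",
];

// Route every host with both matchers so the differences are visible side by side.
function compare(hosts) {
  return hosts.map((h) => ({
    host: h,
    suffix: routeSuffix(h),
    strict: routeStrict(h),
  }));
}

for (const row of compare(SAMPLE_HOSTS)) {
  console.log(row.host.padEnd(16), row.suffix.padEnd(22), row.strict);
}
```

With suffix matching, notgmail.com and budget.co (which ends in t.co) are sent through the proxy although neither is on the list; writing the entry as ".gmail.com" would stop that but would also stop matching the bare gmail.com.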


3 Create a bash script to add website to PAC file

  • Now we have a working PAC. Next we need a bash script so that we can add any GFWed website to this PAC file. The script looks like this:
#!/bin/bash
domain=$1
ed -s /var/root/autoproxy.pac << EOF
/\/\/added by hand/a
dnsDomainIs(host, "${domain}") ||
.
w
EOF
  • Save it as agfw, move it to /usr/bin and make it executable:
sudo chmod +x /usr/bin/agfw
  • To run this script, we need to install ed from the Cydia store. Once we find a website that is blocked by the GFW, taking the newly GFWed github.com as an example, we can add it to the PAC file just by running:
agfw github.com
  • Check autoproxy.pac and we'll see that github.com is in there. Now we can view github.com with any iPhone app. We can add any website we want to the PAC file with this script, with just a single command. It's pretty awesome :)
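
The agfw script writes its argument into the PAC verbatim, so a mistyped argument can leave a file that no longer parses. The following added example (not the post's script, written in JavaScript because nodejs is already installed in this setup) shows the same insertion with a hostname check, a duplicate check and a parse check; the function names and the sample PAC text are constructed for illustration.

```javascript
const MARKER = "//added by hand";
// One hostname: dot-separated labels of letters, digits and hyphens, 253 chars max.
const HOSTNAME_RE =
  /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Constructed sample: a shortened PAC in the same shape as the one above.
const SAMPLE_PAC = [
  "function FindProxyForURL(url, host) {",
  'var XXGFW = "SOCKS 127.0.0.1:9090";',
  "if (",
  "//added by hand",
  'dnsDomainIs(host, "gmail.com") ||',
  'dnsDomainIs(host, "youtube.com")) {',
  "return XXGFW;",
  "}",
  'return "DIRECT";',
  "}",
].join("\n");

// True when the text parses as JavaScript; it is only parsed, never executed.
function parses(pacText) {
  try {
    new Function(pacText);
    return true;
  } catch (e) {
    return false;
  }
}

// Models the ed script: insert the argument unchanged on the line after the marker.
function rawInsert(pacText, arg) {
  const lines = pacText.split("\n");
  const at = lines.findIndex((l) => l.trim() === MARKER);
  if (at === -1) throw new Error("marker line missing: " + MARKER);
  lines.splice(at + 1, 0, 'dnsDomainIs(host, "' + arg + '") ||');
  return lines.join("\n");
}

// Checked variant: normalise, validate, skip duplicates, verify the result parses.
function addDomainToPac(pacText, rawDomain) {
  const domain = String(rawDomain).trim().toLowerCase().replace(/\.$/, "");
  if (!HOSTNAME_RE.test(domain)) {
    throw new Error("not a hostname: " + JSON.stringify(rawDomain));
  }
  if (pacText.includes('dnsDomainIs(host, "' + domain + '")')) {
    return pacText; // already listed, nothing to do
  }
  const updated = rawInsert(pacText, domain);
  if (!parses(updated)) {
    throw new Error("updated PAC does not parse; keep the original file");
  }
  return updated;
}

console.log(addDomainToPac(SAMPLE_PAC, "GitHub.com"));
console.log("raw insert of a\"b.com still parses:", parses(rawInsert(SAMPLE_PAC, 'a"b.com')));
```

When wiring this to the real file, write the returned text to a temporary file and rename it over the PAC, so an interrupted write never leaves a truncated file.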

4 Assign the PAC file to WiFi and 3G/EDGE/GPRS network


  • For WiFi, go to Settings > WiFi > Your connected WiFi > HTTP Proxy > Auto, fill it with:
file:///var/root/autoproxy.pac
  • For 3G/EDGE/GPRS, we need to edit the following file with iFile:
/var/preferences/SystemConfiguration/preferences.plist
  • Add the following colored code at the correct position in this file:
<string>com.apple.CommCenter (ip1)</string> 
</dict> 
<key>Proxies</key> 
<dict> 
<key>ProxyAutoConfigEnable</key>
 <integer>1</integer> 
<key>ProxyAutoConfigURLString</key> 
<string>file:///var/root/autoproxy.pac</string> 
</dict>
 <key>UserDefinedName</key> 
<string>com.apple.CommCenter (ip1)</string>
  • Save and reboot to make it work.


What we got?


  • The proxy works 24/7 as long as our VPS server works 24/7: always online, no login needed (compared with an SSH tunnel or VPN). It just forwards GFWed connections to the server and returns the responses.
  • This is the best solution for the iPhone; it makes us feel as if the GFW did not exist.
  • Gmail Push works normally (within seconds) after I put the main Google domains into the PAC file, even when the iPhone is sleeping.
  • The PAC file, the Socks 5 proxy and the bash script used to add websites to the PAC file are all inside the iPhone. Once we find a website we can't open, we just open MobileTerminal.app (which can be found in the Cydia store) and run agfw balabala.com. Done! Pretty simple.
  • This solution also works for Linux and OS X clients, because iOS is a lite version of OS X :)
END
Follow me @cattyhouse

Thursday, November 29, 2012

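Getting past the GFW on a jailbroken iPhone with VPS + Shadowsocks + PAC

This post is outdated; please see the latest version here

Summary: Until now I had been using an SSH tunnel together with a PAC file to get past the GFW. It is the most common approach and has no major problems, but SSH was never meant to be a proxy tool for this purpose, so it is not very efficient. On an iPhone, an SSH tunnel running in the background keeps a connection to the SSH server open all the time, which seriously hurts battery life. A phone also switches between EDGE/3G/WiFi frequently, and after every switch SSH has to reconnect to the server; connecting takes time, and when it fails it keeps retrying, so it drains power. I recently worked out a much better method that greatly reduces power consumption and latency and makes getting past the GFW seamless.

Requirements:
a, A VPS server abroad
b, A jailbroken iPhone
c, Shadowsocks, Python code that creates a SOCKS proxy; it must be installed on both the VPS and the iPhone
d, A PAC file, plus a Bash script that adds GFW-blocked websites to the PAC anytime, anywhere.

Procedure:

a Set up the proxy
a1  Install Python on the VPS server; this needs no explanation.
a2, Install Python on the iPhone; the latest version is here, and installation is simple:
Open MobileTerminal on the iPhone, or ssh into the iPhone, and run the following commands:
wget https://yangapp.googlecode.com/files/python_2.7.3-3_iphoneos-arm.deb
dpkg -i python_2.7.3-3_iphoneos-arm.deb
Installation is complete.
a3 Download the Shadowsocks Python code: the author's project homepage, click here to download
a4 Deploy the Shadowsocks Python code. It consists of the server side, server.py, and the iPhone side, local.py: put server.py on the VPS server and local.py on the iPhone.
a4.1 On the server side, edit server.py and change the values below (shown in red) to your own; nothing else needs to change.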
PORT = 9999
KEY = "123456789"
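Notes: PORT can be any port, but it must match local.py on the iPhone below. KEY can be any password (for security, make it as long and random as possible), but it must match local.py on the iPhone below.

Then run in a terminal on the VPS server:
nohup python server.py > /dev/null 2>&1 &
This command runs the Python code in the background without writing any output.


a4.2 On the iPhone side, change the following places in local.py: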
SERVERS = [
        ('yourvpsipaddress', 9999),
    ]

PORT = 8080
KEY = "123456789"
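Notes:
SERVERS: enter your VPS's IP address and the PORT set in server.py above.
PORT: the port for the local SOCKS proxy; for example, I set 8080, so the SOCKS proxy is 127.0.0.1:8080
KEY must match the one in server.py
Then run on the iPhone: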
nohup python local.py > /dev/null 2>&1 & 

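The iPhone now has a SOCKS proxy running in the background at 127.0.0.1:8080, which the PAC file described below can use.

b Create the PAC file for the iPhone
PAC = Proxy Auto Config, i.e. automatic proxy configuration; it decides which websites connect directly and which go through the SOCKS proxy.
In the iPhone terminal (or over ssh into the iPhone), run the following commands:
su (get root privileges; you must enter the password, which is alpine by default)
touch /var/root/pac (create an empty file)
chmod 777 /var/root/pac (make the file readable, writable and executable by any program)
chown mobile:mobile /var/root/pac (change the file's owner and group to mobile)
Then edit the pac file with nano (or vim):
nano -w /var/root/pac
Copy the following code into the file and save: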
function FindProxyForURL(url, host) {

var PROXY = "SOCKS 127.0.0.1:8080";
//added by hand
if (dnsDomainIs(host, "img.ly")) return PROXY;
if (dnsDomainIs(host, "googlevideo.com")) return PROXY;
if (dnsDomainIs(host, "github.com")) return PROXY;
if (dnsDomainIs(host, "igfw.net")) return PROXY;
if (dnsDomainIs(host, "t.co")) return PROXY;
if (dnsDomainIs(host, "webkit.org")) return PROXY;
if (dnsDomainIs(host, "limelinx.com")) return PROXY;
if (dnsDomainIs(host, "slingfile.com")) return PROXY;
if (dnsDomainIs(host, "sendspace.com")) return PROXY;
if (dnsDomainIs(host, "j.mp")) return PROXY;
if (dnsDomainIs(host, "myrepospace.com")) return PROXY;
if (dnsDomainIs(host, "xsellize.com")) return PROXY;
if (dnsDomainIs(host, "hackulo.us")) return PROXY;
if (dnsDomainIs(host, "saurik.com")) return PROXY;
if (dnsDomainIs(host, "thebigboss.org")) return PROXY;
if (dnsDomainIs(host, "fb.me")) return PROXY;
if (dnsDomainIs(host, "getfoxyproxy.org")) return PROXY;
if (dnsDomainIs(host, "4share.com")) return PROXY;
if (dnsDomainIs(host, "posterous.com")) return PROXY;
if (dnsDomainIs(host, "foursquare.com")) return PROXY;
if (dnsDomainIs(host, "twitpic.com")) return PROXY;
if (dnsDomainIs(host, "vimeo.com")) return PROXY;
if (dnsDomainIs(host, "mobile01.com")) return PROXY;
if (dnsDomainIs(host, "tiananmenmother.org")) return PROXY;
if (dnsDomainIs(host, "bannedbook.org")) return PROXY;
if (dnsDomainIs(host, "dwnews.com")) return PROXY;
if (dnsDomainIs(host, "ntdtv.com")) return PROXY;
if (dnsDomainIs(host, "soundofhope.org")) return PROXY;
if (dnsDomainIs(host, "boxun.com")) return PROXY;
if (dnsDomainIs(host, "epochtimes.com")) return PROXY;
if (dnsDomainIs(host, "fangbinxing.com")) return PROXY;
if (dnsDomainIs(host, "ruanyifeng.com")) return PROXY;
if (dnsDomainIs(host, "wuala.com")) return PROXY;
if (dnsDomainIs(host, "dupola.com")) return PROXY;
if (dnsDomainIs(host, "scribd.com")) return PROXY;
if (dnsDomainIs(host, "gfw.org.uk")) return PROXY;
if (dnsDomainIs(host, "chinadigitaltimes.net")) return PROXY;
if (dnsDomainIs(host, "kenengba.com")) return PROXY;
if (dnsDomainIs(host, "dbanotes.net")) return PROXY;
if (dnsDomainIs(host, "chinagfw.org")) return PROXY;
if (dnsDomainIs(host, "friendfeed.com")) return PROXY;
if (dnsDomainIs(host, "ijailbreaknow.com")) return PROXY;
if (dnsDomainIs(host, "ksu.edu.tw")) return PROXY;
if (dnsDomainIs(host, "vbird.org")) return PROXY;
if (dnsDomainIs(host, "pornhub.com")) return PROXY;
if (dnsDomainIs(host, "youporn.com")) return PROXY;
if (dnsDomainIs(host, "google.com.tw")) return PROXY;
if (dnsDomainIs(host, "mediawiki.org")) return PROXY;
if (dnsDomainIs(host, "wikitionary.com")) return PROXY;
if (dnsDomainIs(host, "wikimediafoundation.org")) return PROXY;
if (dnsDomainIs(host, "wikimedia.org")) return PROXY;
if (dnsDomainIs(host, "yahoo.com")) return PROXY;
if (dnsDomainIs(host, "yimg.com")) return PROXY;
if (dnsDomainIs(host, "flickr.com")) return PROXY;
if (dnsDomainIs(host, "dropbox.com")) return PROXY;
if (dnsDomainIs(host, "akamaihd.net")) return PROXY;
if (dnsDomainIs(host, "facebook.net")) return PROXY;
if (dnsDomainIs(host, "fbcdn.net")) return PROXY;
if (dnsDomainIs(host, "ggpht.com")) return PROXY;
if (dnsDomainIs(host, "gstatic.com")) return PROXY;
if (dnsDomainIs(host, "googleusercontent.com")) return PROXY;
if (dnsDomainIs(host, "goo.gle")) return PROXY;
if (dnsDomainIs(host, "feedburner.com")) return PROXY;
if (dnsDomainIs(host, "googlelabs.com")) return PROXY;
if (dnsDomainIs(host, "googlesyndication.com")) return PROXY;
if (dnsDomainIs(host, "chrome.com")) return PROXY;
if (dnsDomainIs(host, "android.com")) return PROXY;
if (dnsDomainIs(host, "chromium.org")) return PROXY;
if (dnsDomainIs(host, "keyhole.com")) return PROXY;
if (dnsDomainIs(host, "googlesource.com")) return PROXY;
if (dnsDomainIs(host, "googleapis.com")) return PROXY;
if (dnsDomainIs(host, "twimg.com")) return PROXY;
if (dnsDomainIs(host, "ytimg.com")) return PROXY;
if (dnsDomainIs(host, "gmail.com")) return PROXY;
if (dnsDomainIs(host, "blogger.com")) return PROXY;
if (dnsDomainIs(host, "blogspot.com")) return PROXY;
if (dnsDomainIs(host, "appspot.com")) return PROXY;
if (dnsDomainIs(host, "bit.ly")) return PROXY;
if (dnsDomainIs(host, "wikipedia.org")) return PROXY;
if (dnsDomainIs(host, "twitter.com")) return PROXY;
if (dnsDomainIs(host, "facebook.com")) return PROXY;
if (dnsDomainIs(host, "google.com.hk")) return PROXY;
if (dnsDomainIs(host, "youtube.com")) return PROXY;
// the rules above send these websites through the SOCKS proxy
if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
        isInNet(dnsResolve(host), "172.16.0.0",  "255.240.0.0") ||
        isInNet(dnsResolve(host), "192.168.0.0",  "255.255.0.0") ||
        isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0")) return "DIRECT";
// the block above makes local networks connect directly
                  return "DIRECT";
// the line above: whatever does not go through the proxy connects directly
}

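OK, the PAC file for automatic proxying on the iPhone is now ready. As you can see, it lists many GFW-blocked websites; I added all of them with a script rather than using gfwlist, because I find gfwlist's syntax badly written and not clean at all, it misses many blocked websites, and it is inconvenient to add entries yourself, so I made my own.
The PAC file above has one rule per line, and you can trim it to your own needs. But never delete the part marked in red, because the script below depends on it.

c Add newly blocked websites to this PAC file
I wrote a script for this; the commands below create it. In the iPhone terminal:
su
touch /usr/bin/agfw
nano -w /usr/bin/agfw
Copy the following code and save: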
#!/bin/bash
domain=$1
ed -s /var/root/pac << EOF
/\/\/added by hand/a
if (dnsDomainIs(host, "${domain}")) return PROXY;
.
w
EOF
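Note: running this script requires the ed program to be installed.

Then run the following in the iPhone terminal to make the script executable:
chmod +x /usr/bin/agfw
If you find that Safari cannot open a website, twitter.com for example, just run in the iPhone terminal:
agfw twitter.com
Then close Safari (bring up the multitasking bar, long-press, and kill Safari) and launch it again; the site opens right away.
What the script does: it reads the argument given after the agfw command and, following the rule in the script, writes it into /var/root/pac just below the //added by hand line.

d Make WiFi/EDGE/3G use the PAC file

Now the Python server and client are both running, the SOCKS proxy exists, and the PAC file is in place. How do we use them?

WiFi:
Very simple: in the HTTP Proxy section of the iPhone's WiFi settings, tap Auto and enter the following address:
file:///var/root/pac
Note that there are three slashes.

3G/EDGE:
You need to modify a file on the iPhone; open it with iFile:
/var/preferences/SystemConfiguration/preferences.plist
Find the part shown in grey below, making sure you have exactly the right place, and add the code shown in red: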

<string>com.apple.CommCenter (ip1)</string>
 </dict>
 <key>Proxies</key> 
<dict>
 <key>ProxyAutoConfigEnable</key>
 <integer>1</integer> 
<key>ProxyAutoConfigURLString</key>
 <string>file:///var/root/pac</string>
 </dict> 
<key>UserDefinedName</key>
 <string>com.apple.CommCenter (ip1)</string>

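Save and reboot the iPhone.


Now WiFi, EDGE and 3G can all use this PAC file.

e Summary:

That is the whole process; put simply, it comes down to two things:
1 Install Python on the server and on the iPhone and run the proxy's Python code
2 Set up and use the PAC file on the iPhone

f Advantages:

1 As you can see, server.py has set up a proxy endpoint on the VPS and local.py connects to it. Compared with an SSH tunnel there is no login step, only a link step, so it responds very quickly and uses almost no power. local.py takes about 5 MB of memory on the iPhone; bear in mind that the Phone app, resident in the background, already takes 10 MB.
2 With the agfw script you can add GFW-blocked websites anytime, anywhere, without waiting for gfwlist.
3 The iPhone is a phone, and a phone inevitably switches networks often; this proxy is completely unaffected by network switches and can be said to be online 24 hours a day. By comparison, with an SSH tunnel or a VPN, if the iPhone switches networks or goes to sleep, 99% of the time it has to reconnect.
4 The PAC file is global on the iPhone, and the advantage of my PAC file is that for any website (including those in the PAC list), if the SOCKS proxy cannot be reached it automatically falls through to a direct connection; that is, if the SOCKS proxy goes down, websites you could open without the proxy still open. Truly seamless!


If you have any questions, you can find me on Twitter @cattyhouse
END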

Monday, November 26, 2012

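Automatically adding blocked websites to a PAC file with a bash script on the iPhone

I have been obsessed with PAC files lately. On my iPhone I have a PAC file generated by the autoproxy2pac project.

That file is based on gfwlist, and gfwlist lets some sites slip through, so sometimes entries have to be added by hand.

But editing this PAC file with iFile on the iPhone is very painful, so I looked into whether a bash script could help me update it.

The result: it is entirely feasible. Thanks to three experts abroad on the #bash channel at irc.freenode.net for their help.

First, a few prerequisites:
1 I already have a base PAC file at /var/root/ap, with permissions 777 and owner and group mobile; I put every manually added blocked website below a line in the file that reads //added by hand. (Note that the script below uses this line to make sure the code added to the PAC lands in the right place.)
2 Bash means working on the command line, so you need to ssh into the iPhone.
3 The script needs ed, so install it with apt-get install ed


Script contents: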

#!/bin/bash
domain=${1//./\\.}
ed -s /var/root/ap << EOF
/\/\/added by hand/a
if(/\.${domain}/i.test(url)) return PROXY;
if(/^[\w\-]+:\/+(?!\/)(?:[^\/]+\.)?${domain}/i.test(url)) return PROXY;
if(/^https?:\/\/[^\/]+${domain}/i.test(url)) return PROXY;
.
w
EOF


Save the above to /usr/bin/upac
and run chmod +x /usr/bin/upac

From then on, to add a blocked website to the PAC, just run in a terminal:

upac twitter.com
upac google.com
upac google.com.hk
upac bit.ly

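And so on!

My PAC file; if you are interested, you can use it as a base and add websites that may get blocked in the future:

https://www.dropbox.com/s/u6u6rsy5m22jf8u/ap

update:
There is now a simpler way that does not depend on any gfwlist; see:
http://catty-house.blogspot.com/2012/11/iphonevpspythonpac.html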






Thursday, November 22, 2012

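Windows 7 WiFi hotspot

Goal:

Share the Windows 7 PC's wired connection through the wireless adapter, with the adapter acting as an AP for the iPhone to use.

Method:

Run the following commands one at a time (requires membership of the Administrators group):
netsh wlan set hostednetwork mode=allow
netsh wlan set hostednetwork ssid=yourssid key=yourpasswd keyUsage=persistent
netsh wlan start hostednetwork
At this point a new entry appears under Control Panel\Network and Internet\Network Connections:
Wireless Network Connection 2

Then open the properties of Local Area Connection, enable sharing, and share it with Wireless Network Connection 2

Connect the iPhone to this wireless network and it is online.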

Monday, October 15, 2012

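iPhone/iPad: the ultimate solution for getting past the GFW over SSH

This post is fairly terse and does not spell out every detail. Anyone who has got past the GFW on a PC should be able to follow it; for the parts you do not understand, google the relevant background yourself.
A friend mentioned goagent. For one thing it relies on Google App Engine, but GAE itself is unstable and often blocked, and goagent requires installing a pile of things.
With this method, the tunnel that autossh sets up stays connected even when MobileTerminal is closed, and even after a respring. Only after a reboot do you need to reconnect, so it is very stable.
I have used many tools for getting past the GFW, and I consider SSH the most secure, fastest and most stable method currently available, second only to VPN.

Preparation:

1 Jailbreak
2 One SSH account
3 Install mobile terminal, openssh, automatic ssh and iFile.

Configuration:

1 Create the ssh socks tunnel:
1.1 Generate id_rsa and put it in /var/mobile/.ssh/ so that ssh connects without asking for a password
1.2 In mobile terminal, run ssh username@yoursshserver.com to generate the known_hosts file
1.3 In mobile terminal, run autossh -M 20000 -D 9090 -Nfq username@yourserver.com to create an ssh socks tunnel that does not drop

2 Generate the auto-proxy PAC file from gfwlist

2.1 Configure the Google Chrome extension switchysharp so that Chrome can get past the GFW using gfwlist
2.2 In the switchysharp options, export to a PAC file, e.g. sp.pac
2.3 Edit sp.pac with a text editor and replace 'SOCKS5 127.0.0.1:9090' in it with "SOCKS 127.0.0.1:9090" (PS: otherwise this PAC causes problems on the iPhone)
2.4 Put sp.pac in /var/root/ on the iPhone
2.5 Edit the properties of sp.pac with iFile and set the user, group and other permissions all to read, write and execute



2 Generate the PAC file (see parts b and c here)

3 Insert the PAC into the EDGE/3G configuration file
3.1  Edit this file with iFile: /private/var/preferences/systemconfiguration/preferences.plist
Insert the code shown in red at the following position: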

<string>com.apple.CommCenter (ip1)</string> 
</dict> 
<key>Proxies</key>  
<dict> 
<key>ProxyAutoConfigEnable</key> 
<integer>1</integer>  
<key>ProxyAutoConfigURLString</key> 
<string>file:///var/root/pac</string> </dict> 
<key>UserDefinedName</key> 
<string>com.apple.CommCenter (ip1)</string>

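3.2 Reboot the iOS device

4 Going online:

Whichever way you connect, first run: autossh -M 0 -D 9090 -Nfq username@yourserver.com (or the IP address)

EDGE/3G: try opening facebook; test successful!

WiFi: connect to WiFi, find the auto proxy option in the WiFi settings, and enter: file:///var/root/pac

Note 1:

On the ssh side, automatic switching between EDGE/3G and WiFi does not work for now. That means there are two cases:
1 With EDGE on and WiFi off, you connect autossh and then turn WiFi on: domestic traffic now goes over WiFi while blocked websites go over EDGE. Just run killall autossh in mobile terminal and then run the autossh command given above again; after that all traffic goes over WiFi.

2 With WiFi and EDGE both on, you connect autossh and all traffic goes over WiFi. If you then turn WiFi off, autossh cannot switch over to the EDGE connection by itself, so the socks tunnel is in fact not established; over EDGE you can reach only domestic websites, and blocked ones fail because the proxy endpoint cannot be found. The fix is the same as in case 1: kill autossh and reconnect.

This is currently the only drawback of this method; everything else works well. Because the PAC is converted from gfwlist, it has the same effect as gfwlist: blocked websites go through ssh and unblocked websites do not, which keeps every website reachable and keeps things fast!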

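update 1:

ssh has a configuration option that solves the network-switching problem.
Edit /etc/ssh/ssh_config on the iPhone/iPad
and add the following line:
ServerAliveInterval 10
If ssh has no data transfer for 30 s (three unanswered probes at the default ServerAliveCountMax of 3) it disconnects by itself; autossh detects this and reconnects. So the tunnel switches over by itself when WiFi changes to EDGE or when one WiFi network changes to another.


update 2: If ServerAliveInterval is enabled, TCPKeepAlive can be turned off. Again edit /etc/ssh/ssh_config on the iPhone/iPad
and add: TCPKeepAlive no
You can also set the autossh parameter -M 0 (instead of the original -M 20000)


Note 2:
The PAC file must be placed in the /var/root/ folder. After many tests, if it is not there, many programs cannot read it. Perhaps the iOS sandbox is to blame. Many tutorials online put this file in /var/mobile, which does not work, yet they still have the nerve to publish...

Tips:
The autossh command above is fairly long and tedious to type on the iPhone. Fortunately mobileterminal has a shortcut feature: put the command into a shortcut and next time just tap the menu and press Enter to run it. The same goes for other commands you need to run in mobileterminal.

update 3

In fact the iPhone can use alias too, and I now rarely use the mobile terminal shortcuts described above.
Set the alias in /etc/profile.d/coreutils.sh
alias proxy='autossh -M 0 -D 9090 -Nfq username@yourserver.com'
Then save, and run on the iPhone/iPad:
source /etc/profile.d/coreutils.sh
After that you only need to run
proxy
to start the ssh tunnel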