My first attempt to reach Google was to set up a VPS, but I was naive back then. Today, after several years of learning, I am back at it.

Before Setting Up the VPS

First of all, so that the GFW does not block the server right after you set up the VPS, I suggest using a relatively complex protocol to protect your network traffic.

You also need a domain and a DNS service.

I chose namesilo as the provider and got both the domain and the DNS service from it.

Virtual Private Server (VPS)

I chose Vultr as the provider, since I used it at the very beginning and still have the account.

Then pick the cheapest plan.

Trojan-go

I chose Trojan-go as the server software; it runs on the Vultr server.

Setting up an auto-restart service

File: /etc/systemd/system/trojan-go.service

[Unit]
Description=trojan-go server
After=network.target

[Service]
Type=simple
ExecStart=/root/workspace/trojan-go-app/trojan-go -config /root/workspace/trojan-go-app/server.json
WorkingDirectory=/root/workspace/trojan-go-app
Restart=always
RestartSec=5
StandardOutput=journal
StandardError=journal
User=root

[Install]
WantedBy=multi-user.target

Enable and start the service

sudo systemctl daemon-reload
sudo systemctl enable trojan-go.service
sudo systemctl start trojan-go.service

systemd will restart the process 5 seconds after it exits.

Setting up the nginx server

HTTPS using Nginx and Let’s Encrypt in Docker

Set up automatic Let’s Encrypt renewal

On Ubuntu the command is docker-compose; on other systems it may be docker compose. The crontab entry:

0 2 1 * * docker-compose run --rm certbot renew >> /var/log/certbot-renew.log 2>&1

Technical reference

How to set up a dual-stack proxy server that uses IPv6 to bypass a campus network billing system

Troubleshooting

Issue 1

Symptom

Some web pages cannot be reached from the client, while others can.

Issue

Server side

root@vultr:~# nslookup www.booth.pm
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; no servers could be reached

Solution

This is Ubuntu's default DNS mechanism at work, not a broken 127.0.0.1.

Why 127.0.0.53?

Ubuntu uses systemd-resolved as a local DNS cache/forwarder; it serves a stub resolver on the loopback address 127.0.0.53:53. /etc/resolv.conf normally points at this local stub. The real upstream DNS servers (for example 8.8.8.8) are obtained by systemd-resolved via DHCP/Netplan/configuration files, and it forwards queries to them.

Your current error:

communications error to 127.0.0.53#53: timed out
no servers could be reached

means that either systemd-resolved is not running, has hung, or is being blocked by a firewall or the network, or that it has no usable upstream DNS server.

Quick self-check and temporary fix

1) Check whether the service is running

systemctl status systemd-resolved

2) If it looks wrong, restart it and flush the cache

sudo systemctl restart systemd-resolved
sudo resolvectl flush-caches

3) Check the upstream DNS servers and per-interface bindings

resolvectl status

4) Check that resolv.conf points at the stub

ls -l /etc/resolv.conf
# should normally be -> /run/systemd/resolve/stub-resolv.conf
# if not, fix it:
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

5) Query 8.8.8.8 directly (bypassing the local stub)

dig @8.8.8.8 www.booth.pm +short
# if this also times out, outbound 53/udp is blocked (check the cloud provider firewall/iptables/ufw)

I just want to use 8.8.8.8: three approaches

Approach A (recommended): keep using systemd-resolved, but change the upstream to 8.8.8.8

Persistent configuration

# create the drop-in directory
sudo mkdir -p /etc/systemd/resolved.conf.d

# write the custom DNS servers
sudo tee /etc/systemd/resolved.conf.d/10-dns.conf >/dev/null <<'EOF'
[Resolve]
DNS=8.8.8.8 1.1.1.1
FallbackDNS=9.9.9.9
# to route all lookups through these global servers instead of the ones handed out per interface, add:
# Domains=~.
EOF

# restart the service and confirm
sudo systemctl restart systemd-resolved
resolvectl status | sed -n '1,80p'

Make sure /etc/resolv.conf points at stub-resolv.conf (see step 4 above).

What I saw

Before

root@vultr:~/workspace/trojan-go-app# resolvectl status
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp1s0)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 2001:19f0:300:1704::6
DNS Servers: 108.61.10.10 2001:19f0:300:1704::6
...

After

root@vultr:~/workspace/trojan-go-app# resolvectl status | sed -n '1,80p'
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 8.8.8.8
DNS Servers: 8.8.8.8 1.1.1.1
Fallback DNS Servers: 9.9.9.9

Link 2 (enp1s0)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 108.61.10.10
DNS Servers: 108.61.10.10 2001:19f0:300:1704::6

...
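Added example, not from the original post or from systemd: an offline version of steps 3 and 4 above, checking the /etc/resolv.conf symlink and picking the Global "DNS Servers" line out of a saved copy of `resolvectl status` (the Before/After output above is what it is meant to read). File paths passed to the functions are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for steps 3 and 4
# above. resolv_conf_is_stub inspects the /etc/resolv.conf symlink; global_dns
# and dns_health read a saved copy of `resolvectl status` (file names are
# placeholders chosen here).

STUB=/run/systemd/resolve/stub-resolv.conf

# resolv_conf_is_stub PATH -> exit 0 if PATH is a symlink to the resolved stub.
# Accepts both the absolute target the post creates with `ln -sf` and the
# relative form ../run/systemd/resolve/stub-resolv.conf some installs use.
resolv_conf_is_stub() {
    [ -L "$1" ] || return 1
    case "$(readlink "$1")" in
        "$STUB" | ../run/systemd/resolve/stub-resolv.conf) return 0 ;;
        *) return 1 ;;
    esac
}

# global_dns FILE -> print the servers on the "DNS Servers:" line of the Global
# section only (per-link servers are skipped). The "Before" output above has no
# such line; the drop-in from approach A is what adds it.
global_dns() {
    awk '
        /^Link [0-9]+ /  { in_global = 0 }
        /^Global/        { in_global = 1 }
        in_global && $1 == "DNS" && $2 == "Servers:" {
            $1 = ""; $2 = ""; sub(/^ +/, ""); print
        }
    ' "$1"
}

# dns_health RESOLV_CONF STATUS_FILE -> prints ok, no-stub-link or
# no-global-dns, returning non-zero for the two failure cases.
dns_health() {
    resolv_conf_is_stub "$1" || { echo no-stub-link; return 1; }
    [ -n "$(global_dns "$2")" ] || { echo no-global-dns; return 1; }
    echo ok
}

# Live use on the VPS (commented out so the functions can be sourced offline):
# resolvectl status > /tmp/resolvectl.txt && dns_health /etc/resolv.conf /tmp/resolvectl.txt
```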