obfs traffic obfuscation adds another line of defense to your SS and leaves the GFW completely lost!


Gary12

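Sep 21, 2015, 2:20:53 AM
to 翻墙论坛
obfs traffic obfuscation adds another line of defense to your SS and leaves the GFW completely lost!

The tutorials are here:

https://xiaolan.me/obfsproxy.html#comment-5220/

http://www.devchen.com/blog/coding/Linux/20150825-shadowsocks-obfs/

I have tested this successfully myself; anyone who enjoys tinkering is welcome to give it a try.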





BreakWall

Sep 21, 2015, 2:57:58 AM
to 翻墙论坛
I don't think it actually makes much difference...

你谁啊

Sep 21, 2015, 6:25:25 AM
to 翻墙论坛
Awesome! Another great tool.


On Monday, September 21, 2015 at 2:20:53 PM UTC+8, Gary12 wrote:

xclimbing

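Sep 22, 2015, 11:01:03 AM
to 翻墙论坛
Why does the VPS side report this error when my client connects to the VPS:
 [WARNING] Could not verify the authentication message's HMAC.

I have stared at the source code for a long time and can't work out what it means. How do I fix this?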


On Monday, September 21, 2015 at 2:20:53 PM UTC+8, Gary12 wrote:

xclimbing

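Sep 22, 2015, 11:32:17 PM
to 翻墙论坛
@Gary12  I have tried many times. Whether I obfuscate the ssh2 port (22) or ShadowSocks, it does not work properly, and the VPS side reports the error: [WARNING] Could not verify the authentication message's HMAC.

I searched Google for this error message and only found the scramblesuit source code, and I can't understand what the source code means.

Could some expert step in and solve this? I have a feeling something is a bit off in the VPS-side setup.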

Gary12

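Sep 23, 2015, 12:09:09 AM
to 翻墙论坛
It is still a problem with how you did it; I got both SSH and SS obfuscated successfully.

Post the detailed steps of everything you did, and I also need your complete error output.



On Wednesday, September 23, 2015 at 11:32:17 AM UTC+8, xclimbing wrote: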

xclimbing

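Sep 23, 2015, 4:40:39 AM
to 翻墙论坛
OK, I'll list my detailed steps here; see whether you can spot where the problem is.

1. First, the installation of the relevant components on the VPS: I followed your tutorial above exactly. My VPS runs CentOS 6.7. After a successful install, this is the state: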

[root@vpn ~]# obfsproxy
usage: obfsproxy [-h] [-v] [--log-file LOG_FILE]
                 [--log-min-severity {error,warning,info,debug}] [--no-log]
                 [--no-safe-logging] [--data-dir DATA_DIR] [--proxy PROXY]
                 {obfs3,obfs2,dummy,managed,b64,scramblesuit} ...
obfsproxy: error: too few arguments


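2. The obfsproxy obfuscation experiment

To test the obfuscation, I installed a socks5 service on the VPS (this will certainly get blocked). The socks listening port is 9080. I set the proxy in IE to this service; the first time I could reach websites, and the second time the connection was reset by the wall.

Then I used obfsproxy to obfuscate this socks5 service. The command line run on the VPS was: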

obfsproxy --log-file obfsproxy_socks.log --log-min-severity debug --data-dir /tmp/obfs/socks scramblesuit --password FUCKGFWFUCKFANGBINXINGFBX4SBDASB --dest 127.0.0.1:9080 server 0.0.0.0:9180

On the Windows side, the command line I ran was:

obfsproxy.exe  --log-file obfsproxy_socks.log --log-min-severity debug scramblesuit --password FUCKGFWFUCKFANGBINXINGFBX4SBDASB --dest %vps_ip%:9180 client 127.0.0.1:9080


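Then I set IE's proxy server to 127.0.0.1:9080 (socks proxy) and visited websites again. I then got the following logs from the log files on the VPS side and the Windows side:

VPS-side log: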

[root@vpn ~]# more obfsproxy_socks.log 
2015-09-23 12:15:45,057 [WARNING] Obfsproxy (version: 0.2.13) starting up.
2015-09-23 12:15:45,057 [DEBUG] argv: ['/usr/bin/obfsproxy', '--log-file', 'obfsproxy_socks.log', '--log-min-severity', 'debug', '--data-dir', '/tmp/obfs/socks', 'scramblesuit',
 '--password', 'FUCKGFWFUCKFANGBINXINGFBX4SBDASB', '--dest', '127.0.0.1:9080', 'server', '0.0.0.0:9180']
2015-09-23 12:15:45,057 [DEBUG] args: Namespace(data_dir='/tmp/obfs/socks', dest=('127.0.0.1', 9080), ext_cookie_file=None, listen_addr=('0.0.0.0', 9180), log_file='obfsproxy_so
cks.log', log_min_severity='debug', mode='server', name='scramblesuit', no_log=False, no_safe_logging=False, proxy=None, uniformDHSecret='FUCKGFWFUCKFANGBINXINGFBX4SBDASB', vali
dation_function=<bound method type.validate_external_mode_cli of <class 'obfsproxy.transports.scramblesuit.scramblesuit.ScrambleSuitTransport'>>)
2015-09-23 12:15:45,058 [ERROR] 

################################################
Do NOT rely on ScrambleSuit for strong security!
################################################

2015-09-23 12:15:45,058 [DEBUG] Setting the state location to `/tmp/obfs/socks/scramblesuit/'.
2015-09-23 12:15:45,058 [INFO] Writing server password to file `/tmp/obfs/socks/scramblesuit/server_password'.
2015-09-23 12:15:45,076 [INFO] StaticDestinationServerFactory starting on 9180
2015-09-23 12:15:45,077 [INFO] Starting factory <obfsproxy.network.network.StaticDestinationServerFactory instance at 0x1456758>
2015-09-23 12:15:45,077 [DEBUG] fact_s_0x1456758: Starting up static destination server factory.
2015-09-23 12:15:45,077 [INFO] Launched 'server' listener at '[scrubbed]:9180' for transport 'scramblesuit'.
2015-09-23 12:18:01,016 [DEBUG] fact_s_0x1456758: New connection from [scrubbed]:28045.
2015-09-23 12:18:01,016 [DEBUG] Initialising ScrambleSuit.
2015-09-23 12:18:01,016 [INFO] Attempting to load the server's state file from `/tmp/obfs/socks/scramblesuit/server_state.cpickle'.
2015-09-23 12:18:01,023 [DEBUG] Switching to state ST_WAIT_FOR_AUTH.
2015-09-23 12:18:01,024 [DEBUG] Initialising AES-CTR instance.
2015-09-23 12:18:01,024 [DEBUG] Initialising AES-CTR instance.
2015-09-23 12:18:01,024 [INFO] Starting factory <obfsproxy.network.network.StaticDestinationClientFactory instance at 0x1460638>
2015-09-23 12:18:01,024 [DEBUG] fact_c_0x1460638: Client factory started connecting.
2015-09-23 12:18:01,025 [DEBUG] conn_0x1400fd0: connectionMade (server): Setting it as downstream on our circuit.
2015-09-23 12:18:01,025 [DEBUG] circ_0x14605f0: Setting downstream connection (conn_0x1400fd0).
2015-09-23 12:18:01,035 [DEBUG] conn_0x1462350: connectionMade (server): Setting it as upstream on our circuit.
2015-09-23 12:18:01,035 [DEBUG] circ_0x14605f0: Setting upstream connection (conn_0x1462350).
2015-09-23 12:18:01,035 [DEBUG] circ_0x14605f0: Circuit completed.
2015-09-23 12:18:01,045 [DEBUG] conn_0x1400fd0: dataReceived called without a reason.
2015-09-23 12:18:01,124 [DEBUG] circ_0x14605f0: downstream: Received 442 bytes.
2015-09-23 12:18:01,124 [DEBUG] Attempting to decrypt and verify ticket.
2015-09-23 12:18:01,124 [DEBUG] Attempting to extract the remote machine's UniformDH public key out of 442 bytes of data.
2015-09-23 12:18:01,124 [DEBUG] Successfully located the mark.
2015-09-23 12:18:01,125 [DEBUG] HMAC invalid.  Trying next epoch value.
2015-09-23 12:18:01,125 [DEBUG] HMAC invalid.  Trying next epoch value.
2015-09-23 12:18:01,125 [DEBUG] HMAC invalid.  Trying next epoch value.
2015-09-23 12:18:01,125 [WARNING] Could not verify the authentication message's HMAC.
2015-09-23 12:18:01,126 [DEBUG] Authentication unsuccessful so far.  Waiting for more data.
2015-09-23 12:18:01,607 [DEBUG] fact_s_0x1456758: New connection from [scrubbed]:17772.
2015-09-23 12:18:01,607 [DEBUG] Initialising ScrambleSuit.
2015-09-23 12:18:01,607 [INFO] Attempting to load the server's state file from `/tmp/obfs/socks/scramblesuit/server_state.cpickle'.
2015-09-23 12:18:01,609 [DEBUG] Switching to state ST_WAIT_FOR_AUTH.
2015-09-23 12:18:01,609 [DEBUG] Initialising AES-CTR instance.
2015-09-23 12:18:01,609 [DEBUG] Initialising AES-CTR instance.
2015-09-23 12:18:01,609 [INFO] Starting factory <obfsproxy.network.network.StaticDestinationClientFactory instance at 0x1468e18>
2015-09-23 12:18:01,610 [DEBUG] fact_c_0x1468e18: Client factory started connecting.
2015-09-23 12:18:01,610 [DEBUG] conn_0x1462710: connectionMade (server): Setting it as downstream on our circuit.
2015-09-23 12:18:01,610 [DEBUG] circ_0x1468dd0: Setting downstream connection (conn_0x1462710).
2015-09-23 12:18:01,611 [DEBUG] conn_0x1462850: connectionMade (server): Setting it as upstream on our circuit.
2015-09-23 12:18:01,611 [DEBUG] circ_0x1468dd0: Setting upstream connection (conn_0x1462850).
2015-09-23 12:18:01,611 [DEBUG] circ_0x1468dd0: Circuit completed.
2015-09-23 12:18:01,621 [DEBUG] conn_0x1462710: dataReceived called without a reason.
2015-09-23 12:18:01,717 [DEBUG] circ_0x1468dd0: downstream: Received 1451 bytes.
2015-09-23 12:18:01,718 [DEBUG] Attempting to decrypt and verify ticket.
2015-09-23 12:18:01,718 [DEBUG] Attempting to extract the remote machine's UniformDH public key out of 1451 bytes of data.
2015-09-23 12:18:01,718 [DEBUG] Successfully located the mark.
2015-09-23 12:18:01,718 [DEBUG] HMAC invalid.  Trying next epoch value.
2015-09-23 12:18:01,719 [DEBUG] HMAC invalid.  Trying next epoch value.
2015-09-23 12:18:01,719 [DEBUG] HMAC invalid.  Trying next epoch value.
2015-09-23 12:18:01,719 [WARNING] Could not verify the authentication message's HMAC.
2015-09-23 12:18:01,719 [DEBUG] Authentication unsuccessful so far.  Waiting for more data.


Windows-side log:

2015-09-23 16:19:59,858 [WARNING] Obfsproxy (version: unknown) starting up.
2015-09-23 16:19:59,858 [DEBUG] argv: ['obfsproxy.exe', '--log-file', 'obfsproxy_socks.log', '--log-min-severity', 'debug', 'scramblesuit', '--password', 'FUCKGFWFUCKFANGBINXINGFBX4SBDASB', '--dest', '%vps_ip%:9180', 'client', '127.0.0.1:9080']
2015-09-23 16:19:59,858 [DEBUG] args: Namespace(data_dir=None, dest=('%vps_ip%', 9180), ext_cookie_file=None, listen_addr=('127.0.0.1', 9080), log_file='obfsproxy_socks.log', log_min_severity='debug', mode='client', name='scramblesuit', no_log=False, no_safe_logging=False, proxy=None, uniformDHSecret='FUCKGFWFUCKFANGBINXINGFBX4SBDASB', validation_function=<bound method type.validate_external_mode_cli of <class 'obfsproxy.transports.scramblesuit.scramblesuit.ScrambleSuitTransport'>>)
2015-09-23 16:19:59,858 [ERROR] 

################################################
Do NOT rely on ScrambleSuit for strong security!
################################################

2015-09-23 16:19:59,858 [INFO] StaticDestinationServerFactory starting on 9080
2015-09-23 16:19:59,858 [INFO] Starting factory <obfsproxy.network.network.StaticDestinationServerFactory instance at 0x00F9BAD0>
2015-09-23 16:19:59,858 [DEBUG] fact_s_0xf9bad0: Starting up static destination server factory.
2015-09-23 16:19:59,858 [INFO] Launched 'client' listener at '[scrubbed]:9080' for transport 'scramblesuit'.
2015-09-23 16:20:45,655 [DEBUG] fact_s_0xf9bad0: New connection from [scrubbed]:2274.
2015-09-23 16:20:45,655 [DEBUG] Initialising ScrambleSuit.
2015-09-23 16:20:45,655 [DEBUG] Switching to state ST_WAIT_FOR_AUTH.
2015-09-23 16:20:45,655 [DEBUG] Initialising AES-CTR instance.
2015-09-23 16:20:45,655 [DEBUG] Initialising AES-CTR instance.
2015-09-23 16:20:45,655 [DEBUG] Dumping probability distribution.
2015-09-23 16:20:45,671 [DEBUG] P(1169) = 0.807
2015-09-23 16:20:45,671 [DEBUG] P(377) = 0.187
2015-09-23 16:20:45,671 [DEBUG] Dumping probability distribution.
2015-09-23 16:20:45,671 [DEBUG] P(0.00347823032987) = 0.129
2015-09-23 16:20:45,671 [DEBUG] P(0.00427382308033) = 0.035
2015-09-23 16:20:45,671 [DEBUG] P(0.00636557018606) = 0.039
2015-09-23 16:20:45,671 [DEBUG] P(0.00599017665133) = 0.065
2015-09-23 16:20:45,671 [DEBUG] P(0.00550654872604) = 0.717
2015-09-23 16:20:45,671 [INFO] Starting factory <obfsproxy.network.network.StaticDestinationClientFactory instance at 0x00F9CF08>
2015-09-23 16:20:45,671 [DEBUG] fact_c_0xf9cf08: Client factory started connecting.
2015-09-23 16:20:45,671 [DEBUG] conn_0xf92d30: connectionMade (client): Setting it as upstream on our circuit.
2015-09-23 16:20:45,671 [DEBUG] circ_0xf9cee0: Setting upstream connection (conn_0xf92d30).
2015-09-23 16:20:45,671 [DEBUG] conn_0xf92d30: Incomplete circuit; cached 3 bytes.
2015-09-23 16:20:45,812 [DEBUG] conn_0xf929b0: connectionMade (client): Setting it as downstream on our circuit.
2015-09-23 16:20:45,812 [DEBUG] circ_0xf9cee0: Setting downstream connection (conn_0xf929b0).
2015-09-23 16:20:45,812 [DEBUG] circ_0xf9cee0: Circuit completed.
2015-09-23 16:20:45,812 [DEBUG] Attempting to read master key and ticket from file `session_ticket.yaml'.
2015-09-23 16:20:45,812 [DEBUG] Opening `session_ticket.yaml' for reading.
2015-09-23 16:20:45,812 [INFO] Found no ticket for bridge `IPv4Address(TCP, '%vps_ip%', 9180)'.
2015-09-23 16:20:45,812 [DEBUG] No session ticket to redeem.  Running UniformDH.
2015-09-23 16:20:45,812 [DEBUG] Creating UniformDH handshake message.
2015-09-23 16:20:45,937 [DEBUG] conn_0xf929b0: Writing 442 bytes.
2015-09-23 16:20:45,953 [DEBUG] circ_0xf9cee0: upstream: Received 3 bytes.
2015-09-23 16:20:45,953 [DEBUG] Buffered 3 bytes of outgoing data.
2015-09-23 16:20:46,250 [DEBUG] fact_s_0xf9bad0: New connection from [scrubbed]:2276.
2015-09-23 16:20:46,250 [DEBUG] Initialising ScrambleSuit.
2015-09-23 16:20:46,250 [DEBUG] Switching to state ST_WAIT_FOR_AUTH.

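In the logs and command lines above, %vps_ip% stands for my VPS's IP address, which is hidden here for safety.

Please take a look at where the problem is. Thank you.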
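
The server log above prints "HMAC invalid.  Trying next epoch value." three times before the warning. The following Python sketch is an added illustration, not obfsproxy's code and not part of the original post: a simplified model of an epoch-bound HMAC check, showing that it rejects a peer when the shared secrets differ or when the two clocks are more than about one epoch apart. It assumes one-hour epochs, HMAC-SHA256 truncated to 128 bits and a three-epoch window; all function names and sample values are constructed.

```python
import hashlib
import hmac

EPOCH_GRANULARITY = 3600  # assumption: one epoch per hour of Unix time
MAC_LENGTH = 16           # assumption: HMAC-SHA256 truncated to 128 bits


def make_auth_mac(secret, handshake, unix_time):
    """Client side: MAC over the handshake bytes plus the current epoch."""
    epoch = str(int(unix_time) // EPOCH_GRANULARITY).encode()
    return hmac.new(secret, handshake + epoch, hashlib.sha256).digest()[:MAC_LENGTH]


def verify_auth_mac(secret, handshake, mac, server_time):
    """Server side: try epochs -1, 0, +1; return the matching offset or None."""
    current = int(server_time) // EPOCH_GRANULARITY
    for offset in (-1, 0, 1):
        epoch = str(current + offset).encode()
        expected = hmac.new(secret, handshake + epoch, hashlib.sha256).digest()[:MAC_LENGTH]
        if hmac.compare_digest(expected, mac):  # constant-time comparison
            return offset
    return None


def diagnose(client_secret, server_secret, client_time, server_time):
    """Explain why a constructed handshake would or would not verify."""
    handshake = b"\x01" * 192  # constructed stand-in for public key + padding
    mac = make_auth_mac(client_secret, handshake, client_time)
    if verify_auth_mac(server_secret, handshake, mac, server_time) is not None:
        return "ok"
    if client_secret != server_secret:
        return "secret mismatch"
    return "clock skew beyond +/-1 epoch"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    now = 1443000000  # constructed Unix timestamp
    print(diagnose(secret, secret, now, now))             # same secret, same clock
    print(diagnose(secret, secret, now + 3000, now))      # client in the next epoch
    print(diagnose(secret, secret, now + 4 * 3600, now))  # clocks four hours apart
    print(diagnose(secret, b"different-secret", now, now))
```

When both ends report this kind of failure, comparing the UTC clocks on the two machines (for example with `date -u`) and confirming that both were started with the identical password covers the two cases the model distinguishes.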

Gary12

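Sep 23, 2015, 4:47:46 AM
to 翻墙论坛
Are you obfuscating SSH or SS? Also, setting your browser's proxy to 127.0.0.1:9080 is definitely wrong; think carefully about why yourself. The browser proxy should be either the proxy port 7070 or the proxy port 1080.

On Wednesday, September 23, 2015 at 4:40:39 PM UTC+8, xclimbing wrote: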

xclimbing

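Sep 23, 2015, 4:59:29 AM
to 翻墙论坛
The port can be whatever you define, OK? My post above says it very clearly: what I am obfuscating is a socks5 proxy. Isn't obfsproxy supposed to be able to obfuscate any TCP connection? If it can obfuscate SS and SSH, of course it can obfuscate Socks5 too.

After obfuscation, of course my browser proxy has to be set to 127.0.0.1:9080; that is the local service port after obfuscation. And the logs do show that the client and the server communicated; it is just that the connection did not succeed because of that HMAC error.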

Gary12

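Sep 23, 2015, 5:08:57 AM
to 翻墙论坛
You don't need to argue with me, because you haven't yet understood the logic of the whole chain.

Do as I say and you'll know the answer: set the browser to the sock5 proxy on 1080, and switch ss to your VPS node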


Gary12

Sep 23, 2015, 5:11:21 AM
to fq...@googlegroups.com
Also, the target server IP in the client's ss should be written as 127.0.0.1:9080

xclimbing

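Sep 23, 2015, 5:43:31 AM
to 翻墙论坛
I'm not arguing with you; you are the one questioning my usage. I think my usage is correct; you just didn't read the post carefully.

I have kept stressing that what I am obfuscating is not SS but a Socks5 proxy: I installed a Socks5 proxy server on the VPS. Accessing the socks5 proxy on the server directly from a local browser will certainly get the connection reset by the GFW. So, once I obfuscate it with obfs, shouldn't I be able to access it normally?
The Socks5 proxy port on the VPS is 9080. On the server side it is obfuscated as 0.0.0.0:9180. On the client side this service is mapped to 127.0.0.1:9080. So tell me, shouldn't my browser's socks proxy be set to 127.0.0.1:9080?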

Gary12

Sep 23, 2015, 6:22:19 AM
to fq...@googlegroups.com
An unencrypted sock5 probably can't get over the wall; even obfuscating it is no use. This kind of transparent transmission will be blocked directly by the gfw

xclimbing

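Sep 23, 2015, 6:34:46 AM
to 翻墙论坛
Isn't the purpose of obfuscation to keep people from figuring out what protocol you are using? It is like encrypting your normal access protocol through an encrypted tunnel and only decrypting it at the two ends. Otherwise, given the gfw's analysis capability, this obfuscation would be useless for Ssh and SS too, and the facts show it is useful. Also, I only used socks5 as an example to demonstrate the error; in fact I have also tried obfuscating ssh and SS, and the error message is the same.

The ssh and SS services on my vps both work fine (I can ssh in remotely, and I can get over the wall with SS normally); it is just this obfsproxy that doesn't work, and the error message is the same.

I suspect some component may have been left out during my obfsproxy installation, which is what causes this problem. But I can't see where the problem is from the error log and the source code. I have filed an issue on github to see whether the original author can tell where the problem is.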



On Wednesday, September 23, 2015 at 6:22:19 PM UTC+8, Gary12 wrote:
An unencrypted sock5 probably can't get over the wall; even obfuscating it is no use

wz

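Sep 23, 2015, 7:38:36 AM
to 翻墙论坛
At least you get an error message; I don't even get one. Both the server and the client match the success messages in the tutorial, but the connection just doesn't succeed. As for ss and ssH, both are running normally.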

Gary12

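Sep 23, 2015, 7:54:58 AM
to 翻墙论坛
I set up a proxy on 3128 with Squid on the VPS, obfuscated it to port 443, had the local client connect to the VPS remotely on 443 and listen locally on 22222, and pointed the browser directly at the 22222 proxy; it couldn't get online either, reason unknown.
But with the same method, SS and SSH were both obfuscated successfully with obfs, and I can get online normally from the local side.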

OnTheFloor

Sep 27, 2015, 8:46:57 AM
to 翻墙论坛
May I ask, does adding obfuscation have a big impact on performance?

On Monday, September 21, 2015 at 2:20:53 PM UTC+8, Gary12 wrote:

m.jack...@gmail.com

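Sep 28, 2015, 7:26:19 AM
to 翻墙论坛
It seems the client side needs to change client to socks; client is meant for the tor client. See https://community.openvpn.net/openvpn/wiki/TrafficObfuscation
I'm only guessing...


Also, why on earth use socks? You could just install openvpn on the vps and use it as a global proxy.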

syki...@gmail.com

Dec 3, 2015, 1:24:27 PM
to 翻墙论坛, m.jack...@gmail.com
Once openVPN goes live, your VPS IP address will be knocked out by the GFW in a targeted strike within 24 hours

m.jack...@gmail.com

Dec 6, 2015, 3:13:20 AM
to 翻墙论坛, m.jack...@gmail.com, syki...@gmail.com
Who told you to run openvpn bare? Wasn't there a whole discussion above about wrapping the traffic in obfsproxy (or some other socks/https with traffic obfuscation)?
[ client <-> openvpn(127.0.0.1) <--socks5--> obfsproxy ...............internet............... obfsproxy(vps ip) <--socks5--> openvpn(127.0.0.1) <-> server ]

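Also, it is best to enable the vps's built-in firewall and add rules that only allow mainland IPs in selected ranges to access your vpn proxy vps (this is a bit of a hassle with dynamic IPs; you have to collect which IP ranges your ISP usually assigns you addresses from), to guard against active probing by the gfw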