couple-repo/Projects/CONCEPT/vps_tunnel_china.md
StillHammer 7425f4af2e Reorganize Projects structure by status + update tracking files
## Projects Organization
- Create status-based folders: WIP/PAUSE/CONSTANT/CONCEPT/ARCHIVE
- Move 17 projects to appropriate status folders
- Delete obsolete README.md

### WIP (4 projects)
- GroveEngine, SEO_Article_Generator, AISSIA, SecondVoice

### PAUSE (6 projects)
- Warfactory, chinese_audio_tts_pipeline, MCP_Game_Asset_Pipeline
- ocr_pdf_service, Essay_Writing_Tingting, shipping_strategy/

### CONSTANT (3 projects)
- ClassGen (Analysis + 2.0), Database_Cours_Chinois, civjdr

### CONCEPT (5 projects)
- pokrovsk_last_day, pokrovsk_drone_command (NEW full design doc)
- social_network_manager, vps_tunnel_china, Claude_Workflow_Optimization

### ARCHIVE (3 items)
- MCP_Creative_Amplification, Backlog_9-10_Octobre_2025, LeBonCoup/

## Tracking Files Updated
- Status_Projets.md: Complete rewrite with current state (Nov 2025)
- planning/TODO_data.md: Updated with new structure and all projects by status
- CLAUDE.md: Updated relation status, Projects section, daily check stats

## Daily Check System
- Add card ACTION-008: essay_writing_tingting
- Update card_database.md: 21 total cards (15 Tingting, 3 Personal, 1 Family, 1 Tech, 1 Comm)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 11:25:53 +08:00


VPS Tunnel Anti-GFW + Privacy Shield

Objective: bypass the Great Firewall (GFW) and encrypt all personal traffic against surveillance.
Context: Shanghai, China. Needs unrestricted access plus confidentiality.
Constraint: must not be identifiable by the GFW's DPI (Deep Packet Inspection).


Recommended Technical Stack

Option 1: WireGuard + Obfuscation (best performance/security ratio)

Why WireGuard:

  • Modern cryptography (ChaCha20-Poly1305, Curve25519)
  • Native performance (in-kernel implementation)
  • Minimal footprint (~4,000 lines of code vs ~400k for OpenVPN + OpenSSL)
  • Problem: trivially fingerprinted by the GFW's DPI. Every WireGuard datagram starts with a one-byte message type followed by three zero bytes, and the handshake messages have fixed sizes (148 / 92 / 64 bytes), so it can be recognised on UDP without any key material.

Solution: an obfuscation layer

A. WireGuard + obfs4proxy (Tor's obfuscation transport)

# Architecture
Client → obfs4proxy → WireGuard → VPS → Internet
  • obfs4 makes the stream look like uniformly random bytes, not like HTTPS; since 2023 the GFW has been observed blocking exactly this kind of "fully encrypted" TCP flow on its first packet, so random-looking is no longer a free pass
  • Used by Tor bridges, field-tested in China
  • obfs4 carries TCP while WireGuard is UDP-only, so a UDP-in-TCP wrapper is needed between the two, and the bridge parameters (cert, iat-mode) must reach the client out of band
  • Adds ~10-20 ms of latency

B. WireGuard + Shadowsocks (simple, effective in China)

# Architecture
Client → Shadowsocks (UDP relay) → WireGuard → VPS → Internet
  • Shadowsocks was designed specifically against the GFW
  • AEAD encryption (ChaCha20-IETF-Poly1305); never use the legacy stream ciphers, which are broken and actively probed
  • Very widespread in China = constant updates against new detection methods
  • Same caveat as obfs4: the first packet is random bytes and subject to the same heuristic, and Shadowsocks servers are actively probed by the GFW, so keep the server on a current implementation (shadowsocks-rust) and an AEAD cipher
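To make the two fingerprints above concrete, here is an added example (not part of the original document) that re-implements what a DPI box can do on the first packet of a flow: a stateless WireGuard header/length check, and the five exemption rules that Wu et al. (USENIX Security 2023) found the GFW applying to "fully encrypted" TCP payloads, where a first payload is blocked unless it fails the bit-entropy test, looks printable, or carries a known TLS/HTTP prefix. The sample packets are constructed inline; the ciphertext stand-in is a hand-built byte pattern with the average statistics of random data, not the output of a real cipher.

```python
"""Two first-packet classifiers in the spirit of GFW DPI. Added example.

wireguard_message(): WireGuard datagrams begin with a 1-byte type (1-4)
and 3 reserved zero bytes; handshake messages have fixed lengths.
gfw_exemption(): the five exemptions (Ex1-Ex5) reported by Wu et al.
2023 for the GFW's blocking of fully encrypted TCP flows. A flow is
blocked only if none of them applies to the client's first payload.
"""

# WireGuard fixed sizes: handshake initiation, handshake response, cookie reply
WG_FIXED_LEN = {1: 148, 2: 92, 3: 64}
WG_NAME = {1: "handshake_initiation", 2: "handshake_response",
           3: "cookie_reply", 4: "transport_data"}


def wireguard_message(udp_payload: bytes):
    """Return the WireGuard message name if the datagram has WireGuard's
    shape, else None. No key is needed: that is exactly the problem."""
    if len(udp_payload) < 4 or udp_payload[1:4] != b"\x00\x00\x00":
        return None
    kind = udp_payload[0]
    if kind in WG_FIXED_LEN:
        return WG_NAME[kind] if len(udp_payload) == WG_FIXED_LEN[kind] else None
    if kind == 4:
        # 16-byte header (type, receiver index, counter) + ciphertext padded
        # to a multiple of 16 + 16-byte Poly1305 tag => the part after the
        # header is a non-zero multiple of 16 (32 bytes total for a keepalive)
        body = len(udp_payload) - 16
        if body >= 16 and body % 16 == 0:
            return WG_NAME[4]
    return None


PRINTABLE = frozenset(range(0x20, 0x7F))
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")


def gfw_exemption(first_payload: bytes):
    """Return the name of the first exemption that fires, or None when the
    payload would be classified as fully encrypted and the flow blocked."""
    n = len(first_payload)
    if n == 0:
        return "empty"
    # Ex1: average popcount per byte outside [3.4, 4.6] -> not random enough
    popcount = sum(bin(b).count("1") for b in first_payload) / n
    if popcount <= 3.4 or popcount >= 4.6:
        return "Ex1_popcount"
    printable = [b in PRINTABLE for b in first_payload]
    # Ex2: first six bytes are printable ASCII
    if n >= 6 and all(printable[:6]):
        return "Ex2_first6_printable"
    # Ex3: more than half of the bytes are printable
    if sum(printable) / n > 0.5:
        return "Ex3_mostly_printable"
    # Ex4: a run of more than 20 printable bytes
    run = longest = 0
    for p in printable:
        run = run + 1 if p else 0
        longest = max(longest, run)
    if longest > 20:
        return "Ex4_printable_run"
    # Ex5: known protocol prefix (TLS record 0x16/0x17 0x03 0x00-0x09, or HTTP)
    if (n >= 3 and first_payload[0] in (0x16, 0x17)
            and first_payload[1] == 0x03 and first_payload[2] <= 0x09):
        return "Ex5_tls_prefix"
    if first_payload.startswith(HTTP_METHODS):
        return "Ex5_http_prefix"
    return None


# Constructed samples (not captures). CIPHERTEXT_LIKE is a hand-built
# pattern: every byte has popcount 4 and 6 of every 16 are printable, i.e.
# the average statistics of AEAD/obfs4 output, without running a cipher.
CIPHERTEXT_LIKE = bytes.fromhex("0ff033cc55aa3cc369965aa517e82dd2") * 8
WG_INIT = b"\x01\x00\x00\x00" + b"\xab" * 144                     # 148 bytes
WG_KEEPALIVE = b"\x04\x00\x00\x00" + b"\x00" * 12 + b"\xcd" * 16  # 32 bytes
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x80" + CIPHERTEXT_LIKE
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"


def classify_all():
    """Run both classifiers over the samples; returns a dict for inspection."""
    return {
        "wg_init": wireguard_message(WG_INIT),
        "wg_keepalive": wireguard_message(WG_KEEPALIVE),
        "dns_as_wg": wireguard_message(DNS_QUERY),
        "random_bytes": gfw_exemption(CIPHERTEXT_LIKE),
        "tls": gfw_exemption(TLS_CLIENT_HELLO),
        "http": gfw_exemption(HTTP_GET),
    }


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:14} -> {verdict}")
```

The random-looking sample gets no exemption (it would be blocked), the TLS-shaped one is exempted by its record header, and the WireGuard datagrams are identified by shape alone. That is the whole argument for Option 2: traffic that parses as TLS to a real website survives both checks, while "encrypted so it must be invisible" does not.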

Option 2: V2Ray + VMess/VLESS (the gold standard for China)

Why V2Ray:

  • Built for China (created by Chinese developers)
  • Multi-protocol (VMess, VLESS, Trojan)
  • Camouflages as legitimate HTTPS traffic
  • WebSocket + TLS + CDN (Cloudflare) = hard to tell apart from an ordinary website

Recommended configuration:

Client → V2Ray (VLESS+TLS+WebSocket) → Cloudflare CDN → VPS → Internet

Advantages:

  • To the GFW the flow looks like a normal visit to a website
  • Cloudflare in front hides the VPS origin IP: the GFW would have to block the domain (by SNI) or Cloudflare's shared ranges, which it throttles but rarely blocks outright
  • Cloudflare's anycast edge means there is no single IP to blacklist
  • Resists active probing as long as non-WebSocket requests get the decoy site and never a V2Ray error

Caveat: VLESS has no encryption of its own ("decryption": "none"); its confidentiality comes entirely from TLS. With the Cloudflare proxy enabled, Cloudflare terminates that TLS and sees the VLESS payload, i.e. your plaintext traffic. That is fine for circumvention but not for the "nobody sees my traffic" goal: for that, either use VMess (which encrypts the payload itself) through the CDN, or skip the CDN so TLS terminates on your own VPS.

VPS Choice

Essential criteria

  1. Jurisdiction outside the 14 Eyes (avoid the US, the UK and the 14-Eyes EU members). Note that the datacenter location is not the jurisdiction: Vultr, Linode and DigitalOcean are US companies even in Tokyo or Singapore, and Cloudflare (US) terminates TLS in the CDN setup.
  2. China performance: latency <150 ms to Shanghai
  3. Unlimited bandwidth, or at least 2 TB/month
  4. Credible no-logs policy
  5. Anonymous payment (crypto if possible)

Recommendations

Tier 1: Performance + Privacy (expensive)

  • Njalla (Nevis, Caribbean) - $15/month - crypto OK - maximum anonymity
  • 1984 Hosting (Iceland) - $10/month - privacy-focused - GDPR+ protections
  • FlokiNET (Romania/Iceland) - $6/month - anti-censorship stance - crypto OK

Tier 2: Budget + Performance (good value)

  • Linode Tokyo - $5/month - 60-80 ms to Shanghai - solid
  • Vultr Tokyo/Seoul - $6/month - 50-70 ms - free snapshots
  • DigitalOcean Singapore - $6/month - 70-90 ms - simple setup

Tier 3: Maximum Privacy (acceptable latency)

  • Mullvad (Sweden; a VPN service, not a VPS) - €5/month - no-logs policy (a 2023 Swedish police search found no customer data) - cash/crypto
  • IVPN (Gibraltar) - $6/month - independent audits - native WireGuard
  • Caveat: these are commercial VPNs, not VPSes. Their endpoint ranges are public and routinely blocked by the GFW, and Sweden is itself a 14-Eyes member; from China they are only usable behind one of the obfuscation layers above.

Optimal choice for Alexis:

  • Primary: Vultr Tokyo (performance) + V2Ray + Cloudflare
  • Backup: Njalla (privacy paranoia) + WireGuard + obfs4

Complete Architecture

Layer 1: VPS Setup

# Ubuntu 22.04 LTS (Tokyo)
apt update && apt upgrade -y
apt install -y curl wget git ufw fail2ban

# Basic hardening
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp   # SSH (change the port afterwards)
ufw allow 80/tcp   # HTTP: ACME challenge + redirect to HTTPS (Caddy)
ufw allow 443/tcp  # HTTPS (Caddy in front of V2Ray)
ufw enable

# Disable SSH password auth (only after your SSH key is installed!)
# Ubuntu 22.04 includes /etc/ssh/sshd_config.d/*.conf before sshd_config and
# the first value wins, so a drop-in file is more reliable than sed on the main file
printf 'PasswordAuthentication no\n' > /etc/ssh/sshd_config.d/99-hardening.conf
sshd -t && systemctl restart ssh

Layer 2: V2Ray + TLS + WebSocket

# Install V2Ray (official v2fly install script)
bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)

# Install Caddy 2 (automatic HTTPS) from the official apt repository.
# The old "curl https://getcaddy.com | bash" one-liner was the Caddy v1 installer;
# the Caddyfile below is Caddy 2 syntax.
apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
apt update && apt install -y caddy

# V2Ray config (VLESS + WebSocket; TLS is terminated by Caddy)
# /usr/local/etc/v2ray/config.json  (generate the id with: uuidgen)
{
  "log": {
    "loglevel": "none"
  },
  "inbounds": [{
    "listen": "127.0.0.1",
    "port": 10000,
    "protocol": "vless",
    "settings": {
      "clients": [{
        "id": "UUID_HERE",
        "level": 0
      }],
      "decryption": "none"
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/your-secret-path"
      }
    }
  }],
  "outbounds": [{
    "protocol": "freedom",
    "settings": {}
  }]
}

The file must be plain JSON (no "#" comments). "listen": "127.0.0.1" keeps the unencrypted VLESS listener off the public interface so only Caddy can reach it, and "loglevel": "none" stops V2Ray from writing connection logs to journald.

# Caddy config (reverse proxy + TLS)
# /etc/caddy/Caddyfile
yourdomain.com {
  # Only genuine WebSocket upgrades on the secret path reach V2Ray; every
  # other request (including a GFW active probe of that path) gets the decoy site
  @tunnel {
    path /your-secret-path
    header Connection *Upgrade*
    header Upgrade websocket
  }
  reverse_proxy @tunnel localhost:10000
  # Decoy website content for masquerading (put a real-looking site in /var/www/html)
  root * /var/www/html
  file_server
}

Layer 3: Cloudflare CDN (optional, maximum stealth)

  1. Domain → Cloudflare DNS
  2. A record: yourdomain.com → VPS IP
  3. Enable the Cloudflare proxy (orange cloud)
  4. SSL/TLS: Full (strict), which requires a valid certificate on the VPS. Leave the record unproxied (grey cloud) until Caddy has obtained its Let's Encrypt certificate, then switch the proxy on; alternatively use a Cloudflare origin certificate or the DNS-01 challenge.
  5. The client connects to Cloudflare, Cloudflare forwards to the VPS (WebSockets are proxied on the free plan)

Result: the GFW sees TLS to a Cloudflare edge with your domain in the SNI. It cannot block Cloudflare's ranges without breaking a large part of the Chinese web, but it can still block your domain by SNI, and Cloudflare traffic is often throttled from China. Remember the caveat from Option 2: with the proxy on, Cloudflare decrypts your VLESS traffic.

Layer 4: Client Setup

Windows

  • V2RayN: simple GUI, config via QR code
  • Clash for Windows: more features, metrics (discontinued in late 2023; use a maintained fork)

macOS

  • V2RayU: native, simple
  • ClashX Pro: feature-rich

Linux

  • V2Ray core: CLI
  • Qv2ray: Qt GUI

Mobile

  • V2RayNG (Android)
  • Shadowrocket (iOS, $2.99)

Client Configuration (V2RayN example)

The fields every GUI client asks for; they must match the server config exactly (same UUID, same path, SNI = the domain Caddy serves):

{
  "address": "yourdomain.com",
  "port": 443,
  "id": "UUID_HERE",
  "security": "tls",
  "network": "ws",
  "wsPath": "/your-secret-path",
  "sni": "yourdomain.com"
}

Import: Servers → Scan QR code → Connect. Most clients also accept a vless:// share link carrying the same fields.
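The server config in Layer 2 and the client fields above are the two halves of one contract, and most "it connects but nothing loads" failures are a mismatch between them. As an added example (not from the original document nor from the v2fly project), the script below builds the server inbound, a v2ray-core client config with a local SOCKS inbound, and the vless:// share link from one record, validates the UUID and path, and cross-checks the two outputs. yourdomain.com and /your-secret-path are placeholders; the client SOCKS port 1080 is an assumption.

```python
"""Build matching V2Ray server/client configs + a vless:// share link.

Added example, not from the original document or the v2fly project.
Placeholders: yourdomain.com, /your-secret-path; SOCKS port 1080 assumed.
"""
import json
import uuid
from dataclasses import dataclass
from urllib.parse import quote, urlencode


@dataclass(frozen=True)
class Tunnel:
    domain: str       # name Caddy serves; the client puts it in SNI and Host
    client_id: str    # VLESS user id (UUID); the only client credential
    ws_path: str      # WebSocket path; only genuine upgrades here reach V2Ray
    backend_port: int = 10000  # V2Ray inbound behind Caddy, loopback only
    listen_port: int = 443     # public TLS port (Caddy or Cloudflare)

    def __post_init__(self):
        uuid.UUID(self.client_id)  # raises ValueError on a malformed id
        if not self.ws_path.startswith("/"):
            raise ValueError("ws_path must start with '/'")


def new_tunnel(domain: str, ws_path: str) -> Tunnel:
    """Fresh tunnel record with a random UUID (same as `uuidgen`)."""
    return Tunnel(domain, str(uuid.uuid4()), ws_path)


def server_config(t: Tunnel) -> dict:
    """/usr/local/etc/v2ray/config.json on the VPS; TLS is Caddy's job."""
    return {
        "log": {"loglevel": "none"},          # no connection logs on the VPS
        "inbounds": [{
            "listen": "127.0.0.1",            # reachable only through Caddy
            "port": t.backend_port,
            "protocol": "vless",
            "settings": {"clients": [{"id": t.client_id, "level": 0}],
                         "decryption": "none"},
            "streamSettings": {"network": "ws", "wsSettings": {"path": t.ws_path}},
        }],
        "outbounds": [{"protocol": "freedom", "settings": {}}],
    }


def client_config(t: Tunnel, socks_port: int = 1080) -> dict:
    """v2ray-core client config: local SOCKS5 inbound -> VLESS over WS+TLS."""
    return {
        "log": {"loglevel": "warning"},
        "inbounds": [{"listen": "127.0.0.1", "port": socks_port,
                      "protocol": "socks", "settings": {"udp": True}}],
        "outbounds": [{
            "protocol": "vless",
            "settings": {"vnext": [{
                "address": t.domain, "port": t.listen_port,
                "users": [{"id": t.client_id, "encryption": "none"}]}]},
            "streamSettings": {
                "network": "ws",
                "security": "tls",
                "tlsSettings": {"serverName": t.domain},
                "wsSettings": {"path": t.ws_path, "headers": {"Host": t.domain}},
            },
        }],
    }


def share_link(t: Tunnel, name: str = "tunnel") -> str:
    """vless:// URI as understood by V2RayN/V2RayNG/Shadowrocket imports."""
    query = urlencode([("encryption", "none"), ("security", "tls"), ("type", "ws"),
                       ("host", t.domain), ("path", t.ws_path), ("sni", t.domain)])
    return f"vless://{t.client_id}@{t.domain}:{t.listen_port}?{query}#{quote(name)}"


def configs_match(server: dict, client: dict) -> bool:
    """Cross-check the fields that must agree on both sides."""
    inbound = server["inbounds"][0]
    outbound = client["outbounds"][0]
    same_id = (inbound["settings"]["clients"][0]["id"]
               == outbound["settings"]["vnext"][0]["users"][0]["id"])
    same_path = (inbound["streamSettings"]["wsSettings"]["path"]
                 == outbound["streamSettings"]["wsSettings"]["path"])
    return same_id and same_path


if __name__ == "__main__":
    t = new_tunnel("yourdomain.com", "/your-secret-path")
    print(json.dumps(server_config(t), indent=2))   # -> /usr/local/etc/v2ray/config.json
    print(json.dumps(client_config(t), indent=2))   # -> client config.json
    print(share_link(t))                            # -> paste/QR into a GUI client
    assert configs_match(server_config(t), client_config(t))
```

Write the first JSON document to the VPS, the second to the client, and hand the share link to phones through a QR code; the share link is a credential (it contains the UUID), so never post it anywhere the GFW or anyone else can read it.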


Privacy Hardening

DNS Leak Prevention

With a SOCKS/V2Ray client, domain names are resolved on the VPS (the "freedom" outbound), so the VPS resolver is what matters; on the client, make sure the browser sends hostnames through the proxy (socks5h / "Proxy DNS when using SOCKS v5") instead of resolving them locally.

# On the VPS, install an encrypted resolver (DNSCrypt / DNS-over-HTTPS)
apt install dnscrypt-proxy -y

# Config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
server_names = ['cloudflare', 'quad9']
require_dnssec = true
require_nofilter = true

Then point the system resolver at dnscrypt-proxy (on Ubuntu: systemd-resolved's DNS= setting, or /etc/resolv.conf) and verify with resolvectl status that nothing still queries the provider's resolver.

Kill Switch (client-side)

  • Windows: Windows Defender Firewall outbound rules (block all, allow only the proxy executable)
  • macOS: pf rules
  • Linux: iptables/nftables rules
# Linux kill switch: only the proxy process may leave the box directly.
# Run the V2Ray client as its own user (here "v2ray") so the rule can match on uid;
# that also works when the endpoint is Cloudflare's anycast range rather than a fixed VPS IP.
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT                                          # apps reach the local SOCKS/TUN proxy
iptables -A OUTPUT -m owner --uid-owner v2ray -p udp --dport 53 -j ACCEPT  # proxy resolves yourdomain.com
iptables -A OUTPUT -m owner --uid-owner v2ray -p tcp --dport 443 -j ACCEPT # proxy → VPS / Cloudflare
iptables -A OUTPUT -j DROP

Traffic Analysis Protection

  • On the VPS: enable BBR (TCP congestion control). This is a throughput gain on lossy China routes, not traffic-analysis protection; it hides neither timing nor volume.
printf 'net.core.default_qdisc=fq\nnet.ipv4.tcp_congestion_control=bbr\n' > /etc/sysctl.d/99-bbr.conf
sysctl --system
sysctl net.ipv4.tcp_congestion_control  # should print: bbr
  • Client: cover/fake traffic generation to blur timing analysis (an idea only; nothing in this stack does it out of the box)

Log Purge

Deleting logs after the fact only catches rotated files; the better policy is to not write them: V2Ray with "log": {"loglevel": "none"} in config.json, Caddy without an access log (its default), and journald capped by retention.

# /etc/systemd/journald.conf
[Journal]
MaxRetentionSec=1day
SystemMaxUse=50M

# Cron job on the VPS (daily), for whatever is still written
0 3 * * * find /var/log -type f -name "*.log" -mtime +1 -delete
0 3 * * * journalctl --vacuum-time=1d

Monitoring & Maintenance

Status Check Script

#!/bin/bash
# /root/check_tunnel.sh

LOG=/var/log/tunnel_monitor.log

# Check V2Ray is running
if ! systemctl is-active --quiet v2ray; then
    systemctl restart v2ray
    echo "V2Ray restarted at $(date)" >> "$LOG"
fi

# Check Caddy is running
if ! systemctl is-active --quiet caddy; then
    systemctl restart caddy
    echo "Caddy restarted at $(date)" >> "$LOG"
fi

# Test outbound connectivity (bounded, so cron never hangs on a dead route)
if ! curl -fsS --max-time 10 -o /dev/null https://www.google.com; then
    echo "WARNING: Outbound connectivity issue at $(date)" >> "$LOG"
fi

Cron: */5 * * * * /root/check_tunnel.sh

Bandwidth Monitoring

# vnstat for usage tracking
apt install vnstat -y
systemctl enable --now vnstat

# Check usage
vnstat -m  # monthly
vnstat -d  # daily

Performance Testing

# On the client, test latency/throughput. With the Cloudflare proxy on, ping
# reaches Cloudflare's edge, not the VPS; the download goes through the local
# SOCKS port of your client (1080 here, adjust to yours).
ping -c 10 yourdomain.com
curl -x socks5h://127.0.0.1:1080 -o /dev/null -w 'download %{speed_download} B/s\n' 'https://speed.cloudflare.com/__down?bytes=100000000'

Backup & Disaster Recovery

Config Backup

# Backup VPS config. The archive holds the client UUID, so treat it like a
# secret and encrypt it before it leaves the box. apt-installed Caddy keeps
# its unit outside /etc/systemd/system; ask systemd where it is.
tar -czf /root/v2ray_backup_$(date +%F).tar.gz \
  /usr/local/etc/v2ray/ \
  /etc/caddy/ \
  /etc/systemd/system/v2ray.service \
  "$(systemctl show -p FragmentPath --value caddy)"
gpg --symmetric --cipher-algo AES256 /root/v2ray_backup_$(date +%F).tar.gz

# Download locally
scp root@vps:/root/v2ray_backup_*.tar.gz.gpg ~/backups/

Fallback Servers

  • Set up 2-3 secondary VPSes (different providers)
  • V2Ray clients support multiple servers with automatic failover
  • A subscription link lets clients pull config updates automatically

Estimated Costs

Minimal Setup (performance focus)

  • VPS Vultr Tokyo: $6/month
  • .com domain: $12/year = $1/month
  • Cloudflare: free
  • Total: ~$7/month

Paranoia Setup (maximum privacy)

  • VPS Njalla: $15/month
  • Privacy domain: $15/year = $1.25/month
  • Backup VPS (Vultr): $6/month
  • Total: ~$22/month

Deployment Roadmap

Phase 1: Basic Setup (1 day)

  • Choose a VPS provider + create the instance
  • Set up domain + DNS
  • Install V2Ray + Caddy
  • Basic VLESS+WS+TLS config
  • Test the client connection

Phase 2: Hardening (1 day)

  • Cloudflare CDN setup
  • DNS leak prevention
  • Client kill switch
  • Strict firewall rules
  • Monitoring scripts

Phase 3: Optimization (ongoing)

  • Enable BBR
  • Performance tuning
  • Backup VPS setup
  • Auto-update scripts
  • Bandwidth optimization

Red Flags & Troubleshooting

GFW Detection Signs

  • Connection works, then drops suddenly after 5-10 min → active probing: the GFW connected to your server itself and got a response that does not look like a website
    • Fix: make sure every request that is not a genuine WebSocket upgrade on the secret path gets the decoy site, and rotate the path; changing the port alone does not help
  • Regular latency spikes → QoS throttling
    • Fix: CDN + protocol obfuscation
  • VPS IP blocked entirely → IP blacklist
    • Fix: change the VPS IP or move behind Cloudflare

Performance Issues

  • Latency >200 ms → VPS location problem
  • Throughput <5 Mbps → bandwidth throttling or oversold VPS
  • Packet loss >5% → route problem; try another region/provider or relay through a better-routed hop

Privacy Leaks

  • DNS leaks → check via dnsleaktest.com; on the client, hostnames must go through the proxy (socks5h)
  • WebRTC leaks → disable WebRTC in the browser
  • IPv6 leaks → disable IPv6 on the client if the tunnel does not carry it

Open Questions

  1. Max budget: $10/month, or unlimited if privacy is worth it?
  2. Primary use:
    • General browsing + social media?
    • Streaming (Netflix, YouTube)?
    • Gaming?
    • Torrenting?
  3. Devices: how many? (PC, phone, tablet?)
  4. Family: Tingting too? → multi-user setup needed
  5. Paranoia level:
    • "I just want to get around the GFW" → V2Ray is enough
    • "I want NOBODY to see my traffic" → add encryption layers

Next Steps

Tell me:

  1. What privacy level are you aiming for (1-10)?
  2. Acceptable monthly budget?
  3. Will Tingting use it too?
  4. Main use (browsing, streaming, gaming, all)?

And I'll produce a complete turnkey setup script.