couple-repo/Projects/vps_tunnel_china.md

# VPS Tunnel Anti-GFW + Privacy Shield

**Objectif** : Contourner le Great Firewall (GFW) + Chiffrer tout le trafic personnel contre surveillance
**Contexte** : Shanghai, Chine - Besoin d'accès libre + confidentialité totale
**Contrainte** : Doit être **indétectable** par DPI (Deep Packet Inspection) du GFW

---

## Stack Technique Recommandée

### Option 1 : WireGuard + Obfuscation (Meilleur rapport performance/sécurité)

**Pourquoi WireGuard** :
- Chiffrement moderne (ChaCha20, Curve25519)
- Performance native (kernel-level)
- Footprint minimal (4000 lignes de code vs 400k OpenVPN)
- **Problème** : Facilement détectable par DPI du GFW (pattern UDP reconnaissable)

**Solution : Obfuscation Layer**

#### A. WireGuard + obfs4proxy (Tor obfuscation)
```bash
# Architecture
Client → obfs4proxy → WireGuard → VPS → Internet
```
- obfs4 rend le trafic indistinguable du HTTPS aléatoire
- Utilisé par Tor, testé en Chine
- Ajoute ~10-20ms latence

#### B. WireGuard + Shadowsocks (Simple, efficace Chine)
```bash
# Architecture
Client → Shadowsocks → WireGuard → VPS → Internet
```
- Shadowsocks spécifiquement conçu anti-GFW
- Chiffrement AEAD (ChaCha20-IETF-Poly1305)
- Très répandu en Chine = updates constantes contre nouvelles détections

### Option 2 : V2Ray + VMess/VLESS (Gold standard Chine)

**Pourquoi V2Ray** :
- **Conçu pour la Chine** (créé par des devs chinois)
- Multi-protocoles (VMess, VLESS, Trojan)
- Camouflage en trafic HTTPS légitime
- WebSocket + TLS + CDN (Cloudflare) = presque indétectable

**Config recommandée** :
```
Client → V2Ray (VLESS+TLS+WebSocket) → Cloudflare CDN → VPS → Internet
```

**Avantages** :
- Trafic ressemble à visite site web normal
- Cloudflare en front = impossible de bloquer IP VPS
- Rotation IPs automatique via CDN
- Résiste aux blocages actifs GFW

---

## Choix VPS

### Critères essentiels
1. **Juridiction hors 14-Eyes** (Éviter US, UK, EU)
2. **Performance Chine** : Latence <150ms vers Shanghai
3. **Bande passante illimitée** ou minimum 2TB/mois
4. **No-logs policy crédible**
5. **Paiement anonyme** (crypto si possible)

### Recommandations

#### Tier 1 : Performance + Privacy (Cher)
- **Njalla** (Nevis, Caribbean) - $15/mois - Crypto OK - Anonymat maximal
- **1984 Hosting** (Islande) - $10/mois - Privacy-focused - GDPR+ protections
- **FlokiNET** (Roumanie/Islande) - $6/mois - Anti-censure stance - Crypto OK

#### Tier 2 : Budget + Performance (Bon rapport)
- **Linode Tokyo** - $5/mois - 60-80ms vers Shanghai - Solide
- **Vultr Tokyo/Seoul** - $6/mois - 50-70ms - Snapshots gratuits
- **DigitalOcean Singapore** - $6/mois - 70-90ms - Simple setup

#### Tier 3 : Maximum Privacy (Latence acceptable)
- **Mullvad** (Suède, pas de VPS mais VPN) - €5/mois - NO LOGS prouvé - Cash/crypto
- **IVPN** (Gibraltar) - $6/mois - Audits indépendants - WireGuard natif

**Choix optimal Alexis** :
- **Primary** : Vultr Tokyo (performance) + V2Ray + Cloudflare
- **Backup** : Njalla (privacy paranoia) + WireGuard + obfs4

---

## Architecture Complète

### Layer 1 : VPS Setup

```bash
# Ubuntu 22.04 LTS (Tokyo)
apt update && apt upgrade -y
apt install -y curl wget git ufw fail2ban

# Hardening basique
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp  # SSH (changer port après)
ufw allow 443/tcp # HTTPS (V2Ray)
ufw enable

# Disable SSH password auth
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
systemctl restart sshd
```

### Layer 2 : V2Ray + TLS + WebSocket

```bash
# Install V2Ray
bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)

# Install Caddy (auto HTTPS)
curl https://getcaddy.com | bash -s personal

# Config V2Ray (VLESS + TLS)
# /usr/local/etc/v2ray/config.json
{
  "inbounds": [{
    "port": 10000,
    "protocol": "vless",
    "settings": {
      "clients": [{
        "id": "UUID_HERE",  # uuidgen
        "level": 0
      }],
      "decryption": "none"
    },
    "streamSettings": {
      "network": "ws",
      "wsSettings": {
        "path": "/your-secret-path"
      }
    }
  }],
  "outbounds": [{
    "protocol": "freedom",
    "settings": {}
  }]
}

# Caddy config (reverse proxy + TLS)
# /etc/caddy/Caddyfile
yourdomain.com {
  reverse_proxy /your-secret-path localhost:10000
  # Fake website content pour masquerade
  root * /var/www/html
  file_server
}
```

### Layer 3 : Cloudflare CDN (Optional, max stealth)

1. Domaine → Cloudflare DNS
2. A record : yourdomain.com → VPS IP
3. Enable Cloudflare proxy (orange cloud)
4. SSL/TLS : Full (strict)
5. Client se connecte à Cloudflare, Cloudflare forward à VPS

**Résultat** : GFW voit connexion HTTPS Cloudflare (impossible bloquer sans casser tout internet chinois)

### Layer 4 : Client Setup

#### Windows
- **V2RayN** : GUI simple, config QR code
- **Clash for Windows** : Plus features, metriques

#### macOS
- **V2RayU** : Native, simple
- **ClashX Pro** : Feature-rich

#### Linux
- **V2Ray core** : CLI
- **Qv2ray** : GUI Qt

#### Mobile
- **V2RayNG** (Android)
- **Shadowrocket** (iOS, $2.99)

---

## Configuration Client (V2RayN exemple)

```json
{
  "address": "yourdomain.com",
  "port": 443,
  "id": "UUID_HERE",
  "security": "tls",
  "network": "ws",
  "wsPath": "/your-secret-path",
  "sni": "yourdomain.com"
}
```

**Import** : Serveur → Scan QR code → Connect

---

## Privacy Hardening

### DNS Leak Prevention
```bash
# Sur VPS, installer DNS over HTTPS
apt install dnscrypt-proxy -y

# Config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
server_names = ['cloudflare', 'quad9']
require_dnssec = true
require_nofilter = true
```

### Kill Switch (Client-side)
- **Windows** : Network adapter binding priority
- **macOS** : pf rules
- **Linux** : iptables rules

```bash
# Linux kill switch (allow only V2Ray traffic)
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d your-vps-ip -j ACCEPT
iptables -A OUTPUT -j DROP
```

### Traffic Analysis Protection
- **Sur VPS** : Activer BBR (TCP congestion control)
```bash
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p
```

- **Client** : Fake traffic generation (rend timing analysis difficile)

### Log Purge
```bash
# Cron job VPS (daily)
0 3 * * * find /var/log -type f -name "*.log" -mtime +1 -delete
0 3 * * * journalctl --vacuum-time=1d
```

---

## Monitoring & Maintenance

### Status Check Script
```bash
#!/bin/bash
# /root/check_tunnel.sh

# Check V2Ray running
if ! systemctl is-active --quiet v2ray; then
    systemctl restart v2ray
    echo "V2Ray restarted at $(date)" >> /var/log/tunnel_monitor.log
fi

# Check Caddy running
if ! systemctl is-active --quiet caddy; then
    systemctl restart caddy
    echo "Caddy restarted at $(date)" >> /var/log/tunnel_monitor.log
fi

# Test connectivity
if ! curl -s https://www.google.com > /dev/null; then
    echo "WARNING: Outbound connectivity issue at $(date)" >> /var/log/tunnel_monitor.log
fi
```

Cron : `*/5 * * * * /root/check_tunnel.sh`

### Bandwidth Monitoring
```bash
# vnstat pour tracking usage
apt install vnstat -y
systemctl enable vnstat
systemctl start vnstat

# Check usage
vnstat -m  # Monthly
vnstat -d  # Daily
```

### Performance Testing
```bash
# Sur client, tester latence/throughput
ping -c 10 yourdomain.com
curl -o /dev/null https://speed.cloudflare.com/__down?bytes=100000000
```

---

## Backup & Disaster Recovery

### Config Backup
```bash
# Backup VPS config
tar -czf v2ray_backup_$(date +%F).tar.gz \
  /usr/local/etc/v2ray/ \
  /etc/caddy/ \
  /etc/systemd/system/v2ray.service \
  /etc/systemd/system/caddy.service

# Download local
scp root@vps:/root/v2ray_backup_*.tar.gz ~/backups/
```

### Fallback Servers
- Configurer 2-3 VPS secondaires (différents providers)
- Client V2Ray supporte multiple servers avec auto-failover
- Subscription link pour update config automatique

---

## Coûts Estimés

### Setup Minimal (Performance focus)
- VPS Vultr Tokyo : $6/mois
- Domaine .com : $12/an = $1/mois
- Cloudflare : Free
- **Total** : ~$7/mois

### Setup Paranoia (Privacy max)
- VPS Njalla : $15/mois
- Domaine privacy : $15/an = $1.25/mois
- Backup VPS (Vultr) : $6/mois
- **Total** : ~$22/mois

---

## Roadmap Déploiement

### Phase 1 : Basic Setup (1 jour)
- [ ] Choisir VPS provider + créer instance
- [ ] Setup domaine + DNS
- [ ] Installer V2Ray + Caddy
- [ ] Config basique VLESS+WS+TLS
- [ ] Test connexion client

### Phase 2 : Hardening (1 jour)
- [ ] Cloudflare CDN setup
- [ ] DNS leak prevention
- [ ] Kill switch client
- [ ] Firewall rules strictes
- [ ] Monitoring scripts

### Phase 3 : Optimization (ongoing)
- [ ] BBR activation
- [ ] Performance tuning
- [ ] Backup VPS setup
- [ ] Auto-update scripts
- [ ] Bandwidth optimization

---

## Red Flags & Troubleshooting

### GFW Detection Signs
- Connexion marche puis drop soudain après 5-10min → **Active probing**
  - Solution : Change port, add fake website content
- Latence spike régulier → **QoS throttling**
  - Solution : CDN + protocol obfuscation
- Blocage total IP VPS → **IP blacklist**
  - Solution : Change VPS IP ou migrate Cloudflare

### Performance Issues
- Latence >200ms → VPS location problem
- Throughput <5Mbps → Bandwidth throttling ou VPS oversold
- Packet loss >5% → Route optimization needed (consider BGP tunneling)

### Privacy Leaks
- DNS leaks → Check via dnsleaktest.com
- WebRTC leaks → Disable in browser
- IPv6 leaks → Disable IPv6 if VPS no support

---

## Questions Ouvertes

1. **Budget max** : $10/mois ou budget illimité si privacy vaut le coup ?
2. **Usage primaire** :
   - Browsing général + social media ?
   - Streaming (Netflix, YouTube) ?
   - Gaming ?
   - Torrenting ?
3. **Devices** : Combien ? (PC, phone, tablet ?)
4. **Famille** : Tingting aussi ? → Multi-user setup needed
5. **Paranoia level** :
   - "Je veux juste contourner GFW" → V2Ray suffit
   - "Je veux que PERSONNE voit mon trafic" → Add encryption layers

---

## Next Steps

Dis-moi :
1. Quel niveau de privacy tu vises (1-10) ?
2. Budget monthly acceptable ?
3. Tingting utilise aussi ?
4. Usage principal (browsing, streaming, gaming, all) ?

Et je te fais un setup script complet clé en main.