Wenjian's Blog

Live and Learn

Tag Archives: Network

HOWTO: Install and configure shadowsocks on VPS/Ubuntu

Introduction

Shadowsocks is a fast tunnel proxy that helps you bypass firewalls: a client on your own machine exposes a local SOCKS5 port and forwards whatever connects to it, encrypted, to a shadowsocks server running on your VPS.

Installation

Add the shadowsocks.org Debian repository (wheezy) to your sources list. Note that in "sudo echo ... >> /etc/apt/sources.list" the redirection is performed by your own unprivileged shell, not by sudo, so it fails with "Permission denied"; pipe through sudo tee instead:

$ echo "deb http://shadowsocks.org/debian wheezy main" | sudo tee -a /etc/apt/sources.list

The repository is fetched over plain HTTP and the line above adds no signing key, so apt-get will warn that the packages cannot be authenticated unless you also import the repository's key.

Install shadowsocks:

$ sudo apt-get update
$ sudo apt-get install shadowsocks

Configuration

Edit shadowsocks config file /etc/shadowsocks/config.json:

$ sudo vi /etc/shadowsocks/config.json

Here is my server config file. Replace the password before deploying: it is the only thing that authenticates clients to your server, so use a long random value rather than "demo".

{
   "server":"0.0.0.0",
   "server_port":8388,
   "local_port":0,
   "password":"demo",
   "timeout":600,
   "method":"aes-256-cfb"
}

Explanation of the fields:

Name           Explanation
server         the address your server listens on (0.0.0.0 means all interfaces)
server_port    server port
local_address  the address your local client listens on
local_port     local port (the SOCKS5 port your browser connects to; unused on the server)
password       password used for encryption; it is also the only client authentication, so make it long and random
timeout        in seconds
method         encryption method; "aes-256-cfb" is recommended (CFB mode encrypts the traffic but does not authenticate it)
fast_open      use TCP_FASTOPEN, true / false
workers        number of workers, available on Unix/Linux

Usage

Start shadowsocks:

$ sudo /etc/init.d/shadowsocks start

On your client machine, use the same server_port, password and method as the server, but set "server" to your VPS's public IP or hostname (0.0.0.0 only makes sense on the listening side) and set local_address/local_port to where the client should accept SOCKS5 connections, for example 127.0.0.1 and 1080. Then start your client.

If you use Chrome, it’s recommended to use SwitchySharp. Change the proxy settings to

protocol: socks5
hostname: 127.0.0.1
port: your local_port
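The whole procedure above, with the two mistakes that bite most often handled, as an added example that is not part of the original post: a POSIX shell script that generates a random password, writes a matching server and client config pair, and checks a config file for a default password or a client that still points at 0.0.0.0. The VPS address 203.0.113.5, the ports and the output file names are placeholder assumptions, not values from the page.

```sh
#!/bin/sh
# Added example, not from the original post. Generates a server/client
# shadowsocks config pair and sanity-checks config files.
# Assumptions (placeholders, not from the page): VPS address 203.0.113.5,
# server port 8388, local SOCKS5 port 1080, output files server.json/client.json.

# 24 random bytes as 48 hex characters. The password is the only thing that
# authenticates a client to the server, so never keep the sample "demo".
ss_random_password() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Server config: $1 = server_port, $2 = password, $3 = method.
# Listens on all interfaces; the server needs no local_* settings.
ss_server_config() {
    printf '{\n  "server":"0.0.0.0",\n  "server_port":%s,\n  "password":"%s",\n  "timeout":600,\n  "method":"%s"\n}\n' \
        "$1" "$2" "$3"
}

# Client config: $1 = VPS address, $2 = server_port, $3 = password,
# $4 = method, $5 = local SOCKS5 port. Same port/password/method as the
# server, but "server" is where to connect, not where to listen.
ss_client_config() {
    printf '{\n  "server":"%s",\n  "server_port":%s,\n  "local_address":"127.0.0.1",\n  "local_port":%s,\n  "password":"%s",\n  "timeout":600,\n  "method":"%s"\n}\n' \
        "$1" "$2" "$5" "$3" "$4"
}

# Check a config file ($1). Prints every problem found; returns 1 if any.
ss_check_config() {
    f=$1; rc=0
    pw=$(sed -n 's/.*"password" *: *"\([^"]*\)".*/\1/p' "$f")
    srv=$(sed -n 's/.*"server" *: *"\([^"]*\)".*/\1/p' "$f")
    lp=$(sed -n 's/.*"local_port" *: *\([0-9]*\).*/\1/p' "$f")
    if [ "${#pw}" -lt 16 ]; then
        echo "$f: password is only ${#pw} characters; use ss_random_password"; rc=1
    fi
    case "$pw" in
        demo|password|123456) echo "$f: default or guessable password"; rc=1 ;;
    esac
    # A config with a real local_port is a client config; a client that
    # points at 0.0.0.0 can never reach the VPS.
    if [ -n "$lp" ] && [ "$lp" != 0 ] && [ "$srv" = "0.0.0.0" ]; then
        echo "$f: client \"server\" must be the VPS address, not 0.0.0.0"; rc=1
    fi
    return $rc
}

# Write both configs (run with --write). umask 077 keeps the shared
# password out of reach of other local users.
if [ "${1:-}" = "--write" ]; then
    umask 077
    pw=$(ss_random_password)
    ss_server_config 8388 "$pw" aes-256-cfb > server.json
    ss_client_config 203.0.113.5 8388 "$pw" aes-256-cfb 1080 > client.json
    ss_check_config server.json && ss_check_config client.json \
        && echo "wrote server.json (for /etc/shadowsocks/config.json on the VPS) and client.json"
fi
```

Copy server.json to /etc/shadowsocks/config.json on the VPS and client.json to the client; both files contain the shared password, so keep them mode 0600.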

Reference

https://github.com/clowwindy/shadowsocks/wiki


HOWTO: Install dnscrypt-proxy on ubuntu

Description

DNSCrypt is a protocol for securing communications between a client and a DNS resolver; dnscrypt-proxy is its client-side implementation.

dnscrypt-proxy provides local service which can be used directly as your local resolver or as a DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol and passing them to an upstream server.

The DNSCrypt protocol uses high-speed high-security elliptic-curve cryptography and is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver.

While not providing end-to-end security, it protects the local network, which is often the weakest point of the chain, against man-in-the-middle attacks. It also provides some confidentiality to DNS queries.

Installation

Install libsodium

Sodium is a new, easy-to-use software library for encryption, decryption, signatures, password hashing and more.

Download the latest libsodium release (libsodium-0.7.0.tar.gz at the time of writing) together with its detached signature, verify the signature against the libsodium release key before building anything, then extract it and change into the source directory:

$ tar -xzvf libsodium-0.7.0.tar.gz
$ cd libsodium-0.7.0

Compile it, run its test suite, and install it:

$ ./configure
$ make && make check
$ sudo make install
$ sudo ldconfig

The last step refreshes the dynamic linker cache so that dnscrypt-proxy can find the freshly installed library in /usr/local/lib.

Install dnscrypt-proxy

Download the latest dnscrypt-proxy release (dnscrypt-proxy-1.4.0.tar.gz at the time of writing), verify its signature the same way, then extract it and change into the source directory:

$ tar -xzvf dnscrypt-proxy-1.4.0.tar.gz
$ cd dnscrypt-proxy-1.4.0

Compile and install it:

$ ./configure
$ make
$ sudo make install

The proxy will be installed as /usr/local/sbin/dnscrypt-proxy by default.

Usage

Start the daemon, listening on the loopback interface only:

$ dnscrypt-proxy --daemonize --local-address=127.0.0.1:5353 --resolver-name=opendns

Binding to 0.0.0.0:5353 instead would accept queries on every interface and turn the machine into an open resolver for anyone who can reach it; only do that if the proxy is meant to serve other hosts and a firewall restricts who can talk to it.

Now we test it:

$ dig @127.0.0.1 -p 5353 youtube.com

; <<>> DiG 9.9.5-3-Ubuntu <<>> @127.0.0.1 -p 5353 youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28830
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;youtube.com. IN A

;; ANSWER SECTION:
youtube.com. 300 IN A 74.125.225.198
youtube.com. 300 IN A 74.125.225.200
youtube.com. 300 IN A 74.125.225.201
youtube.com. 300 IN A 74.125.225.192
youtube.com. 300 IN A 74.125.225.194
youtube.com. 300 IN A 74.125.225.193
youtube.com. 300 IN A 74.125.225.206
youtube.com. 300 IN A 74.125.225.195
youtube.com. 300 IN A 74.125.225.196
youtube.com. 300 IN A 74.125.225.199
youtube.com. 300 IN A 74.125.225.197

;; Query time: 56 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Sep 03 02:31:44 UTC 2014
;; MSG SIZE rcvd: 216
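Two checks worth running after the two steps above (start the daemon, query it with dig), as an added example that is not part of the original post: one confirms from the output of ss -ulpn that port 5353 is bound to loopback only, the other confirms from dig's output that the answer actually came back through 127.0.0.1#5353 with status NOERROR and at least one record. Both read their input from stdin so they can be exercised offline; the ss lines, pid/fd values and the trimmed dig output embedded below are constructed for this example, not captured from a real host.

```sh
#!/bin/sh
# Added example, not from the original post: two post-start checks for
# dnscrypt-proxy. Each reads stdin so it can be tested offline against the
# constructed samples below (not captured from a real host).

# Constructed `ss -ulpn` lines, one listening socket each.
SS_SAMPLE_OK='UNCONN 0 0 127.0.0.1:5353 0.0.0.0:* users:(("dnscrypt-proxy",pid=4242,fd=5))'
SS_SAMPLE_BAD='UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("dnscrypt-proxy",pid=4242,fd=5))'

# Check 1: is UDP port $1 (default 5353) bound to loopback only?
# Usage: ss -ulpn | dnscrypt_loopback_only 5353
# Returns 1 if the port is not found, or if it is bound to 0.0.0.0, * or
# [::], i.e. reachable from the network as an open resolver.
dnscrypt_loopback_only() {
    awk -v p="${1:-5353}" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ (":" p "$")) {
                    host = substr($i, 1, length($i) - length(p) - 1)
                    found = 1
                    if (host != "127.0.0.1" && host != "[::1]") bad = 1
                }
            }
        }
        END { exit ((found && !bad) ? 0 : 1) }'
}

# Check 2: did dig get a real answer through the proxy?
# Usage: dig @127.0.0.1 -p 5353 example.com | dnscrypt_answer_ok 5353
# Requires status NOERROR, at least one answer record, and a SERVER line
# showing the reply came from 127.0.0.1#PORT, not from some other resolver.
dnscrypt_answer_ok() {
    awk -v p="${1:-5353}" '
        /^;; ->>HEADER<<-/ && /status: NOERROR/ { ok = 1 }
        /^;; flags:/ { s = $0; sub(/.*ANSWER: /, "", s); sub(/,.*/, "", s); answers = s + 0 }
        $0 ~ ("^;; SERVER: 127\\.0\\.0\\.1#" p "\\(") { srv = 1 }
        END { exit ((ok && srv && answers > 0) ? 0 : 1) }'
}

# Constructed dig output, trimmed to the lines the check looks at.
dig_sample_ok() {
    cat <<'EOF'
; <<>> DiG 9.9.5-3-Ubuntu <<>> @127.0.0.1 -p 5353 youtube.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28830
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#5353(127.0.0.1)
EOF
}

# Constructed failure: the proxy answered, but upstream resolution failed.
dig_sample_servfail() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#5353(127.0.0.1)
EOF
}

# Run both checks against the live daemon (run with --run).
if [ "${1:-}" = "--run" ]; then
    ss -ulpn | dnscrypt_loopback_only 5353 || echo "WARNING: port 5353 is not bound to loopback only"
    dig @127.0.0.1 -p 5353 example.com | dnscrypt_answer_ok 5353 && echo "resolution through dnscrypt-proxy OK"
fi
```

The listen check is the one that matters most: a proxy that resolves fine but is bound to 0.0.0.0 on a VPS answers for the whole Internet, not just for you.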


HOWTO: Install/Configure msmtp and mutt on ubuntu

Introduction

Msmtp is an SMTP client.

In the default mode, it transmits a mail to an SMTP server (for example at a free mail provider) which takes care of further delivery.
To use this program with your mail user agent (MUA), create a configuration file with your mail account(s) and tell your MUA to call msmtp instead of /usr/sbin/sendmail.

Features include:

  • Sendmail compatible interface (command line options and exit codes).
  • TLS/SSL support, including client certificates.
  • Authentication methods PLAIN, LOGIN, CRAM-MD5, EXTERNAL, GSSAPI, SCRAM-SHA-1, DIGEST-MD5, and NTLM.
  • PIPELINING support for increased transmission speed.
  • DSN (Delivery Status Notification) support.
  • RMQS (Remote Message Queue Starting) support (ETRN keyword).
  • IPv6 support.
  • LMTP support.
  • Support for multiple accounts.

Mutt is a small but very powerful text-based mail client for Unix operating systems.

Some of Mutt’s features include:

  • color support
  • message threading
  • MIME support (including RFC2047 support for encoded headers)
  • PGP/MIME (RFC2015)
  • various features to support mailing lists, including list-reply
  • active development community
  • POP3 support
  • IMAP support
  • full control of message headers when composing
  • support for multiple mailbox formats (mbox, MMDF, MH, maildir)
  • highly customizable, including keybindings and macros
  • change configuration automatically based on recipients, current folder, etc.
  • searches using regular expressions, including an internal pattern matching language
  • Delivery Status Notification (DSN) support
  • postpone message composition indefinitely for later recall
  • easily include attachments when composing, even from the command line
  • ability to specify alternate addresses for recognition of mail forwarded from other accounts, with ability to set the From: headers on replies/etc. accordingly
  • multiple message tagging
  • reply to or forward multiple messages at once
  • .mailrc style configuration files
  • easy to install (uses GNU autoconf)
  • compiles against either curses/ncurses or S-lang
  • translation into at least 20 languages
  • small and efficient
  • It’s free! (no cost and GPL’ed)

Install msmtp and mutt

$ sudo apt-get update
$ sudo apt-get install msmtp mutt

Configure msmtp

Create the file .msmtprc in your home directory, with no more permissions than user read/write (0600); msmtp refuses to read a configuration file that is readable by group or others, because it contains secrets.

# Set default values for all following accounts
defaults
#tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile ~/.msmtp.log

# Default account
account default
host smtp.qq.com
from demo@qq.com
auth plain
user demo
password demo

This is a minimal configuration file and is usually sufficient to get mail out, but note what it does not do: tls is not enabled and the PLAIN method is forced with "auth plain", so the password crosses the network in cleartext. Add "tls on" (and a trust file, see below) to this account before using it with a real password.

Try to send a mail to test it:

$ msmtp demo@gmail.com

Type the message, then press Ctrl+D to send it.

Always use TLS: without it, both your credentials and the message itself are readable by anyone on the path to the server.

If you are not sure whether the SMTP server supports authentication and/or TLS encryption, find it out with:

$ msmtp --host=smtp.demo.com --serverinfo

To use TLS, it is required to either enable full server certificate verification using the ‘tls_trust_file’ command or ‘--tls-trust-file’ option, or to trust one particular peer certificate using the ‘tls_fingerprint’ command or ‘--tls-fingerprint’ option, or to disable all certificate checks using ‘tls_certcheck off’ or ‘--tls-certcheck=off’. Only the first two actually protect you: with certificate checks disabled, anyone who can intercept the connection can present their own certificate and read your password.

If your system has a file that collects all system-wide trusted CA certificates, it is easiest to just use this in the ‘defaults’ section of your configuration file. On Debian-based systems, for example, the adequate command would be

tls_trust_file /etc/ssl/certs/ca-certificates.crt

But you can also find out manually which CA certificate you need to trust.

First, issue the following command:

$ msmtp --serverinfo --host=smtp.demo.com --tls=on --tls-certcheck=off

The option ‘--tls-certcheck=off’ allows msmtp to accept any certificate, so that it can print some information about it; use it only for this discovery step, never in the configuration file. The output of this command tells you the common name of the server certificate issuer. You have to trust this issuer to use full TLS security. Usually you can find the CA certificate on the issuer's homepage. Alternatively you can pin the server certificate itself with ‘tls_fingerprint’, using the fingerprint printed in the output, but keep in mind that the pin breaks whenever the server's certificate is renewed, and that a fingerprint learned over an unverified connection is only as trustworthy as the network you learned it on.

Now let us add gmail account to configuration file.

First we need to get CA certificate:

$ msmtp --serverinfo --host=smtp.gmail.com --tls=on --tls-certcheck=off
SMTP server at smtp.gmail.com (ig-in-x6c.1e100.net [2607:f8b0:4001:c05::6c]), port 25:
    mx.google.com ESMTP ga10sm76109igd.0 - gsmtp
TLS certificate information:
    Owner:
        Common Name: smtp.gmail.com
        Organization: Google Inc
        Locality: Mountain View
        State or Province: California
        Country: US
    Issuer:
        Common Name: Google Internet Authority G2
        Organization: Google Inc
        Country: US
    Validity:
        Activation time: Tue 15 Jul 2014 08:40:38 AM UTC
        Expiration time: Sat 04 Apr 2015 03:15:55 PM UTC
    Fingerprints:
        SHA1: 9C:0A:CC:93:1D:E7:51:37:90:61:6B:A1:18:28:67:95:54:C5:69:A8
        MD5: E7:48:1D:0B:99:4A:C3:A8:31:86:E5:8F:E5:EE:4F:2A
Capabilities:
    SIZE 35882577:
        Maximum message size is 35882577 bytes = 34.22 MiB
    PIPELINING:
        Support for command grouping for faster transmission
    STARTTLS:
        Support for TLS encryption via the STARTTLS command
    AUTH:
        Supported authentication methods:
        PLAIN LOGIN

The issuer is Google Internet Authority G2; download that CA certificate from the issuer's site.

msmtp needs the certificate in PEM form, so if the download is DER-encoded, convert it:

$ openssl x509 -inform DER -in GIAG2.crt -outform PEM -out gmail-smtp.crt

With this CA certificate, the following should succeed:

$ msmtp --serverinfo --host=smtp.gmail.com --tls=on --tls-trust-file=gmail-smtp.crt

Now we add the gmail account to the configuration file. Copy gmail-smtp.crt to ~/.ssl/certs/ (or point tls_trust_file at wherever you saved it). Pinning a single intermediate CA like this works only until Google changes issuers, so on a system with a CA bundle the "tls_trust_file /etc/ssl/certs/ca-certificates.crt" setting from the defaults section is the more durable choice.

# Gmail
account gmail
host smtp.gmail.com
from demo@gmail.com
auth on
user demo@gmail.com
password demo
tls on
tls_starttls on
tls_certcheck on
tls_trust_file ~/.ssl/certs/gmail-smtp.crt
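An audit of the settings discussed above (file mode, TLS, certificate verification, password storage), as an added example that is not part of the original post: a POSIX shell script that mirrors msmtp's own permission check and walks a .msmtprc, applying "defaults" to every account defined after it, to flag an account that authenticates without TLS, one with tls_certcheck off, and one with TLS but no tls_trust_file or tls_fingerprint. It is run here against two constructed files: the default (qq) account from the first config above, and a hardened gmail account like the second one. Host names, addresses and paths in the samples are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: audit a .msmtprc for the
# settings the page discusses (file mode, TLS, certificate verification,
# password storage). The two sample config files below are constructed for
# this example; host names, addresses and paths in them are placeholders.

# msmtp refuses a config file that is group- or world-readable, since it
# holds the password. Mirror that check ($1 = path); returns 1 on wrong mode.
msmtprc_check_perms() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Parse the msmtp config in $1. Values set under "defaults" are inherited by
# every account defined after it (the "account x : y" inheritance form is not
# handled). Prints one line per finding; exits 1 if any finding is a weakness.
msmtprc_audit() {
    awk '
        BEGIN { indef = 1 }
        NF == 0 || $1 ~ /^#/ { next }
        $1 == "defaults" { indef = 1; next }
        $1 == "account" {
            indef = 0; acct = $2; names[++n] = acct
            for (k in def) cfg[acct, k] = def[k]
            next
        }
        {
            val = (NF >= 2) ? $2 : ""
            if (indef) def[$1] = val; else cfg[acct, $1] = val
        }
        END {
            for (i = 1; i <= n; i++) {
                a = names[i]; tls = cfg[a, "tls"]; auth = cfg[a, "auth"]
                if (auth != "" && auth != "off" && tls != "on") {
                    print a ": auth without tls: the password is sent in cleartext"; bad = 1
                }
                if (tls == "on" && cfg[a, "tls_certcheck"] == "off") {
                    print a ": tls_certcheck off: the server certificate is not verified"; bad = 1
                }
                if (tls == "on" && cfg[a, "tls_certcheck"] != "off" &&
                    cfg[a, "tls_trust_file"] == "" && cfg[a, "tls_fingerprint"] == "") {
                    print a ": no tls_trust_file or tls_fingerprint configured"; bad = 1
                }
                if (cfg[a, "password"] != "")
                    print a ": note: plaintext password in the file; passwordeval can fetch it from a password manager instead"
            }
            exit bad
        }' "$1"
}

# The default account from the first config on this page: no TLS at all.
msmtprc_weak() {
    cat <<'EOF'
# Set default values for all following accounts
defaults
logfile ~/.msmtp.log

account default
host smtp.qq.com
from demo@qq.com
auth plain
user demo
password demo
EOF
}

# Hardened: STARTTLS on the submission port, the system CA bundle as trust
# anchor, and the password decrypted on demand instead of stored in clear.
msmtprc_strong() {
    cat <<'EOF'
defaults
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile ~/.msmtp.log

account gmail
host smtp.gmail.com
port 587
from demo@gmail.com
auth on
user demo@gmail.com
passwordeval "gpg --quiet --decrypt ~/.msmtp-gmail.gpg"
tls_starttls on
EOF
}

# Audit a real file: run with --check ~/.msmtprc
if [ "${1:-}" = "--check" ]; then
    msmtprc_check_perms "$2" || echo "$2: must be mode 0600 (chmod 600 $2)"
    msmtprc_audit "$2"
fi
```

Run it as "sh audit.sh --check ~/.msmtprc" after every edit of the file; a non-zero exit means at least one account would send the password or accept any server certificate.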

Configure mutt

Create the file .muttrc in your home directory. The from address must belong to one of the accounts configured in .msmtprc, and the -a option selects that account explicitly instead of falling back to the default one:

set sendmail="/usr/bin/msmtp -a gmail"
set use_from=yes
set realname="demo"
set from=demo@gmail.com
set envelope_from=yes

Usage

Send a mail to test mutt:

$ echo "Hello World" | mutt -s "Hello" -c demo@outlook.com demo@gmail.com

Send a mail with an attachment. The -a option treats every following argument as a file to attach, so the recipient list must be separated from it with "--":

$ echo "Hello World" | mutt -s "Hello" -a ~/tmp/demo.tar.gz -- demo@gmail.com