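#!/bin/bash
# =============================================================
# Node 3: US landing host (Debian 12, Los Angeles)
# Deploys: GOST exit + TCP fingerprint masquerading
# Accepts the CN relay (relay+tls :8443) -> direct egress to Anthropic/Google
# =============================================================
# Usage: sudo bash setup-node3-us-landing.sh
#
# Environment (all optional):
#   GOST_USER    relay username (default: gostuser); must match the CN relay
#   GOST_PASS    relay password; prompted for (without echo) when empty
#   LISTEN_PORT  TCP port the relay+tls service listens on (default: 8443)
#
# Must run as root: it rewrites sysctl settings, installs a binary into
# /usr/local/bin, creates a systemd unit and reconfigures ufw.
set -euo pipefail

GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m'

# Coloured status lines; %b interprets the escape sequences in the colour codes.
ok()   { printf '%b\n' "${GREEN}✅ $*${NC}"; }
info() { printf '%b\n' "${YELLOW}ℹ $*${NC}"; }
# Diagnostics go to stderr so they are not mixed into captured stdout.
fail() { printf '%b\n' "${RED}❌ $*${NC}" >&2; }

GOST_USER="${GOST_USER:-gostuser}"
GOST_PASS="${GOST_PASS:-}"   # same as on the CN relay; prompted for at start if empty
LISTEN_PORT="${LISTEN_PORT:-8443}"

echo "================================================"
echo " 节点3:美国落地机 部署(Debian 12 / LA)"
echo "================================================"

if [[ "$(id -u)" != "0" ]]; then
  fail "请用 sudo 执行"
  exit 1
fi

# Private scratch directory for the GOST download (instead of fixed names
# under /tmp); removed on every exit path, including failures.
WORKDIR=$(mktemp -d)
trap 'rm -rf -- "$WORKDIR"' EXIT

# ── 1. System update ───────────────────────────────
info "更新系统包..."
# Unattended run: never block on a dpkg/apt prompt.
export DEBIAN_FRONTEND=noninteractive
# Two statements rather than `update && upgrade`: under `set -e` a failing
# first command in an && list is ignored, which would skip the upgrade and
# still report success.
apt-get update -qq
apt-get upgrade -y -qq
ok "系统已更新"

# ── 2. TCP fingerprint masquerading (macOS profile) ───
info "应用 TCP 指纹伪装..."
# Applied immediately
sysctl -w net.ipv4.ip_default_ttl=64                  # TTL=64 (macOS default)
sysctl -w net.ipv4.tcp_timestamps=0                   # disable TCP timestamps (prevents uptime inference)
sysctl -w net.ipv4.tcp_window_scaling=1               # window scaling (enabled on macOS)
sysctl -w net.ipv4.tcp_rmem="4096 65535 6291456"      # receive window 65535 (macOS default)
sysctl -w net.ipv4.tcp_wmem="4096 65535 6291456"      # send window 65535
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
# BBR congestion control (lower loss, higher throughput)
sysctl -w net.core.default_qdisc=fq
sysctl -w net.ipv4.tcp_congestion_control=bbr

# Persist in sysctl.conf. Guarded by the marker line so that re-running the
# script does not append a duplicate block every time.
SYSCTL_MARK='# ── Antigravity macOS TCP Fingerprint ──'
if ! grep -qF -- "$SYSCTL_MARK" /etc/sysctl.conf 2>/dev/null; then
  cat >> /etc/sysctl.conf << 'EOF'
# ── Antigravity macOS TCP Fingerprint ──
net.ipv4.ip_default_ttl=64
net.ipv4.tcp_timestamps=0
net.ipv4.tcp_window_scaling=1
net.ipv4.tcp_rmem=4096 65535 6291456
net.ipv4.tcp_wmem=4096 65535 6291456
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF
fi
# Best effort: a pre-existing unrelated key in sysctl.conf may be rejected.
sysctl -p > /dev/null 2>&1 || true
ok "TCP 指纹伪装已应用(TTL=64, Window=65535, 时间戳禁用)"

# ── 3. Timezone (Los Angeles, matching the landing IP's geolocation) ──
timedatectl set-timezone America/Los_Angeles
ok "时区已设置: $(date)"

# ── 4. Install GOST ────────────────────────────────
if ! command -v gost &>/dev/null; then
  info "安装 GOST..."
  # Explicit mapping; anything else used to be silently treated as arm64.
  case "$(uname -m)" in
    x86_64)        GARCH="amd64" ;;
    aarch64|arm64) GARCH="arm64" ;;
    *)
      fail "不支持的 CPU 架构: $(uname -m)"
      exit 1
      ;;
  esac
  LATEST=$(curl -sf https://api.github.com/repos/go-gost/gost/releases/latest \
    | grep '"tag_name"' | cut -d'"' -f4)
  # An API error body (e.g. rate limiting) yields an empty tag and would
  # otherwise produce a bogus download URL.
  if [[ -z "$LATEST" ]]; then
    fail "无法获取 GOST 最新版本"
    exit 1
  fi
  VER="${LATEST#v}"
  wget -qO "$WORKDIR/gost.tar.gz" \
    "https://github.com/go-gost/gost/releases/download/${LATEST}/gost_${VER}_linux_${GARCH}.tar.gz"
  # NOTE(review): the archive is installed as a root-owned network-facing
  # binary without any checksum or signature verification; pin a release
  # and verify it if the upstream project publishes digests.
  tar xzf "$WORKDIR/gost.tar.gz" -C "$WORKDIR"
  install -m 0755 "$WORKDIR/gost" /usr/local/bin/gost
fi
ok "GOST $(gost -V 2>/dev/null | head -1 || echo '已安装')"

# ── 5. GOST password ───────────────────────────────
if [[ -z "$GOST_PASS" ]]; then
  # -s: do not echo the secret to the terminal; the newline restores the cursor.
  read -rsp "请输入 GOST 密码(与 CN中转机相同): " GOST_PASS
  echo
fi
# An empty password would silently produce a "user:@" URL.
if [[ -z "$GOST_PASS" ]]; then
  fail "GOST 密码不能为空"
  exit 1
fi

# ── 6. Create the GOST exit service ────────────────
# Landing host role: listen for the CN relay's relay+tls connections and
# egress directly to Anthropic/Google.
UNIT=/etc/systemd/system/gost-sub2api-exit.service
# The unit embeds the credential, so create it root-only before writing.
install -m 0600 /dev/null "$UNIT"
# NOTE(review): the password is still part of ExecStart, so it is visible in
# `systemctl show` and in process listings (/proc/<pid>/cmdline) to any local
# user. gost can read its services from a config file (-C) instead, which
# keeps the secret out of argv. Passwords containing ':', '@' or '/' would
# also break the URL below.
cat > "$UNIT" << EOF
[Unit]
Description=GOST sub2api US Landing Exit - 接收中转,直连 Anthropic/Google
After=network.target

[Service]
Type=simple
User=nobody
# Accept the CN relay's connections and pass them through to the final
# destination (relay mode resolves the target address itself)
ExecStart=/usr/local/bin/gost -L "relay+tls://${GOST_USER}:${GOST_PASS}@:${LISTEN_PORT}"
Restart=always
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable gost-sub2api-exit
systemctl restart gost-sub2api-exit
sleep 2
ok "GOST 出口服务已启动"

# ── 7. Firewall ────────────────────────────────────
if command -v ufw &>/dev/null; then
  ufw allow ssh
  ufw allow "${LISTEN_PORT}/tcp" comment "GOST from CN Relay"
  ufw --force enable
  ok "防火墙已配置(只开放 SSH + $LISTEN_PORT)"
fi

# ── 8. Verification ────────────────────────────────
echo ""
echo "================================================"
echo " 节点3 部署完成"
echo "================================================"
echo ""
echo "【验证指纹伪装】"
echo "  TTL: $(sysctl -n net.ipv4.ip_default_ttl) (应为 64)"
echo "  TCP 时间戳: $(sysctl -n net.ipv4.tcp_timestamps) (应为 0)"
echo "  时区: $(timedatectl show -p Timezone --value)"
echo "  当前时间: $(date)"
echo ""
echo "【GOST 服务状态】"
# `systemctl status` exits non-zero when the unit is not active; this is a
# report, not a check, so it must not abort the script under set -e/pipefail.
systemctl status gost-sub2api-exit --no-pager -l | tail -5 || true
echo ""
echo "【出口 IP 信息】"
curl -sf ipinfo.io 2>/dev/null | python3 -c "
import json,sys
d=json.load(sys.stdin)
print(f'  IP: {d.get(\"ip\")}')
print(f'  ISP: {d.get(\"org\")}')
print(f'  城市: {d.get(\"city\")}, {d.get(\"region\")}')
" || echo "  (获取 IP 信息失败)"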