144 lines
5.6 KiB
Bash
Executable File
144 lines
5.6 KiB
Bash
Executable File
#!/bin/bash
|
||
# =============================================================
|
||
# 节点 3:美国落地机(Debian 12,洛杉矶)
|
||
# 部署:GOST 出口 + TCP 指纹伪装
|
||
# 接收 CN中转 relay+tls :8443 → 直连 Anthropic/Google
|
||
# =============================================================
|
||
# 用法:sudo bash setup-node3-us-landing.sh
|
||
|
||
set -euo pipefail
|
||
GREEN='\033[0;32m' YELLOW='\033[1;33m' RED='\033[0;31m' NC='\033[0m'
|
||
ok() { echo -e "${GREEN}✅ $*${NC}"; }
|
||
info() { echo -e "${YELLOW}ℹ $*${NC}"; }
|
||
fail() { echo -e "${RED}❌ $*${NC}"; }
|
||
|
||
GOST_USER="${GOST_USER:-gostuser}"
|
||
GOST_PASS="${GOST_PASS:-}" # 与 CN中转机相同,启动时填写
|
||
LISTEN_PORT="${LISTEN_PORT:-8443}"
|
||
|
||
echo "================================================"
|
||
echo " 节点3:美国落地机 部署(Debian 12 / LA)"
|
||
echo "================================================"
|
||
|
||
[ "$(id -u)" != "0" ] && { fail "请用 sudo 执行"; exit 1; }
|
||
|
||
# ── 1. 系统更新 ─────────────────────────────────────
|
||
info "更新系统包..."
|
||
apt-get update -qq && apt-get upgrade -y -qq
|
||
ok "系统已更新"
|
||
|
||
# ── 2. TCP 指纹伪装(macOS 特征)──────────────────────
|
||
info "应用 TCP 指纹伪装..."
|
||
|
||
# 实时生效
|
||
sysctl -w net.ipv4.ip_default_ttl=64 # TTL=64(macOS 标准)
|
||
sysctl -w net.ipv4.tcp_timestamps=0 # 禁用 TCP 时间戳(防 uptime 推算)
|
||
sysctl -w net.ipv4.tcp_window_scaling=1 # 窗口扩展(macOS 开启)
|
||
sysctl -w net.ipv4.tcp_rmem="4096 65535 6291456" # 接收窗口65535(macOS默认)
|
||
sysctl -w net.ipv4.tcp_wmem="4096 65535 6291456" # 发送窗口65535
|
||
sysctl -w net.ipv6.conf.all.disable_ipv6=1
|
||
sysctl -w net.ipv6.conf.default.disable_ipv6=1
|
||
|
||
# BBR 拥塞控制(降低丢包,提高吞吐)
|
||
sysctl -w net.core.default_qdisc=fq
|
||
sysctl -w net.ipv4.tcp_congestion_control=bbr
|
||
|
||
# 持久化到 sysctl.conf
|
||
cat >> /etc/sysctl.conf << 'EOF'
|
||
|
||
# ── Antigravity macOS TCP Fingerprint ──
|
||
net.ipv4.ip_default_ttl=64
|
||
net.ipv4.tcp_timestamps=0
|
||
net.ipv4.tcp_window_scaling=1
|
||
net.ipv4.tcp_rmem=4096 65535 6291456
|
||
net.ipv4.tcp_wmem=4096 65535 6291456
|
||
net.ipv6.conf.all.disable_ipv6=1
|
||
net.ipv6.conf.default.disable_ipv6=1
|
||
net.core.default_qdisc=fq
|
||
net.ipv4.tcp_congestion_control=bbr
|
||
EOF
|
||
sysctl -p > /dev/null 2>&1 || true
|
||
ok "TCP 指纹伪装已应用(TTL=64, Window=65535, 时间戳禁用)"
|
||
|
||
# ── 3. 时区(洛杉矶,匹配落地 IP 地理位置)─────────────
|
||
timedatectl set-timezone America/Los_Angeles
|
||
ok "时区已设置: $(date)"
|
||
|
||
# ── 4. 安装 GOST ────────────────────────────────────
|
||
if ! command -v gost &>/dev/null; then
|
||
info "安装 GOST..."
|
||
ARCH=$(uname -m)
|
||
[ "$ARCH" = "x86_64" ] && GARCH="amd64" || GARCH="arm64"
|
||
LATEST=$(curl -sf https://api.github.com/repos/go-gost/gost/releases/latest \
|
||
| grep '"tag_name"' | cut -d'"' -f4)
|
||
wget -qO /tmp/gost.tar.gz \
|
||
"https://github.com/go-gost/gost/releases/download/${LATEST}/gost_linux_${GARCH}.tar.gz"
|
||
tar xzf /tmp/gost.tar.gz -C /tmp/
|
||
mv /tmp/gost /usr/local/bin/gost
|
||
chmod +x /usr/local/bin/gost
|
||
fi
|
||
ok "GOST $(gost -V 2>/dev/null | head -1 || echo '已安装')"
|
||
|
||
# ── 5. 填写 GOST 密码 ──────────────────────────────
|
||
if [ -z "$GOST_PASS" ]; then
|
||
read -rp "请输入 GOST 密码(与 CN中转机相同): " GOST_PASS
|
||
fi
|
||
|
||
# ── 6. 创建 GOST 出口服务 ──────────────────────────
|
||
# 落地机职责:监听 CN中转机 relay+tls 连接,直接出口到 Anthropic/Google
|
||
cat > /etc/systemd/system/gost-exit.service << EOF
|
||
[Unit]
|
||
Description=GOST US Landing Exit - 接收中转,直连 Anthropic/Google
|
||
After=network.target
|
||
|
||
[Service]
|
||
Type=simple
|
||
User=nobody
|
||
# 监听 CN中转机的连接,透传到最终目标(relay 模式自动解析目标地址)
|
||
ExecStart=/usr/local/bin/gost -L "relay+tls://${GOST_USER}:${GOST_PASS}@:${LISTEN_PORT}"
|
||
Restart=always
|
||
RestartSec=5
|
||
LimitNOFILE=65536
|
||
|
||
[Install]
|
||
WantedBy=multi-user.target
|
||
EOF
|
||
|
||
systemctl daemon-reload
|
||
systemctl enable gost-exit
|
||
systemctl restart gost-exit
|
||
sleep 2
|
||
ok "GOST 出口服务已启动"
|
||
|
||
# ── 7. 防火墙 ──────────────────────────────────────
|
||
if command -v ufw &>/dev/null; then
|
||
ufw allow ssh
|
||
ufw allow "${LISTEN_PORT}/tcp" comment "GOST from CN Relay"
|
||
ufw --force enable
|
||
ok "防火墙已配置(只开放 SSH + $LISTEN_PORT)"
|
||
fi
|
||
|
||
# ── 8. 验证 ───────────────────────────────────────
|
||
echo ""
|
||
echo "================================================"
|
||
echo " 节点3 部署完成"
|
||
echo "================================================"
|
||
echo ""
|
||
echo "【验证指纹伪装】"
|
||
echo " TTL: $(sysctl -n net.ipv4.ip_default_ttl) (应为 64)"
|
||
echo " TCP 时间戳: $(sysctl -n net.ipv4.tcp_timestamps) (应为 0)"
|
||
echo " 时区: $(timedatectl show -p Timezone --value)"
|
||
echo " 当前时间: $(date)"
|
||
echo ""
|
||
echo "【GOST 服务状态】"
|
||
systemctl status gost-exit --no-pager -l | tail -5
|
||
echo ""
|
||
echo "【出口 IP 信息】"
|
||
curl -sf ipinfo.io 2>/dev/null | python3 -c "
|
||
import json,sys
|
||
d=json.load(sys.stdin)
|
||
print(f' IP: {d.get(\"ip\")}')
|
||
print(f' ISP: {d.get(\"org\")}')
|
||
print(f' 城市: {d.get(\"city\")}, {d.get(\"region\")}')
|
||
" || echo " (获取 IP 信息失败)"
|