Naiveproxy tutorial

The sources of this post include:

Buy VPS

International lines out of China are congested, so the routing of traffic to your VPS matters. The most expensive option is IPLC/IEPL. Assuming you can’t or won’t go that far, the next most expensive is a VPS with CN2 GIA routing in Hong Kong. That service is offered by BandwagonHost, and it is also expensive. A CN2 GIA server in Los Angeles is more affordable. To find all the CN2 GIA options on the BandwagonHost website, click CN2 GIA, read the description of the different possibilities, then scroll down and click All Services. Search the services page (Ctrl+f) for CN2 GIA.

Some other options for China are Vultr and Aliyun (Alibaba Cloud).

For Iran, the difficulty is in making payment. Try AlphaVPS, RackNerd, Noez, or Aeza.

Since IP addresses frequently get blocked, ask potential providers if you can change your server’s IP address whenever necessary.

For the VPS hardware, 1 GB of RAM is sufficient for a small number of users. Choose a recent version of Debian or Ubuntu as your operating system.

Get terminal app

You can use the terminal application in macOS or Linux to SSH into your server. Modern versions of Windows include an OpenSSH client, so you can run ssh from PowerShell as well.

You may prefer to use a purpose-built SSH app such as PuTTY, XSHELL, or FinalShell.

Buy domain name

A cheap domain name registrar is NameSilo. You can search for top-level domains (TLDs) with a low cost for the first year. If necessary, you can just buy a new domain name when the first-year discounted domain name expires.

Add DNS record(s)

You can add your DNS record(s) at your domain name registrar, or you can switch your domain over to use Cloudflare DNS services. That gives you the option of proxying certain ports through Cloudflare. Note, however, that Cloudflare's proxy does not forward HTTP CONNECT requests, which is what naiveproxy uses, so the hostname you use for the proxy must be a plain DNS record pointing straight at your server. Censors have also sometimes started to block access to Cloudflare.

Once your DNS record(s) have propagated, ping your DNS name to check both DNS resolution and access to your IP address (the firewall rules below leave ICMP open, so this check keeps working later).

Prepare server

SSH into your server using Windows PowerShell or the terminal app in Linux or macOS. Replace <SERVER-IP-ADDRESS> by your actual server IP address in the command below:

ssh root@<SERVER-IP-ADDRESS>

Suppress lengthy login messages:

touch .hushlogin

Get the existing package metadata up to date, and upgrade all existing packages:

apt update && apt upgrade

You may be prompted to reboot and then SSH back in again.

Protect your server with iptables, replacing <HOME-IP-ADDRESS> by your actual home IP address. Enter the rules in the order shown: the ACCEPT rules for loopback and established connections must be in place before the INPUT policy is switched to DROP, or your current SSH session is cut off. Port 22 is opened to your home address only, so use a static address or the address of a VPN or jump host you control; if your home IP changes you will be locked out and will need the VPS provider's console to recover. Ports 80 and 443 stay open to everyone because Caddy needs them for ACME certificate issuance and for the proxy itself, and ICMP stays open so the ping check above keeps working.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s <HOME-IP-ADDRESS> -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -P INPUT DROP

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -P INPUT DROP

The IPv6 rules allow nothing inbound except loopback, replies to existing connections, and ICMPv6. That is fine as long as your DNS name has no AAAA record. If you do publish one, also open ports 80 and 443 with ip6tables, otherwise IPv6 clients (and possibly the ACME challenge) are dropped while the IPv4 path works.

Check that you can still access the server with these rules before you make them permanent. Keep the current session open and try a fresh login from a second terminal window, so that a mistake in the rules can still be corrected from the session that is already connected:

ssh root@<SERVER-IP-ADDRESS>

Only once the second login succeeds, close the old session:

exit

Make the iptables rules permanent:

apt install iptables-persistent

The installer asks whether to save the current IPv4 and IPv6 rules; answer yes to both. The rules are written to /etc/iptables/rules.v4 and /etc/iptables/rules.v6 and reloaded at boot. If you change the rules later, save them again with netfilter-persistent save, otherwise the change is lost at the next reboot.
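The same firewall, as an added example that is not part of the original tutorial: a small POSIX sh script that writes the rule sets in the format iptables-persistent loads from /etc/iptables/rules.v4 and rules.v6, checks them with iptables-restore --test before touching the kernel, and applies them behind a 90 second automatic rollback so a mistyped home address cannot lock you out. It assumes a Debian/Ubuntu server with iptables-persistent installed that is not acting as a router (it sets the FORWARD policy to DROP, which the commands above leave at the default ACCEPT), and it drops the redundant explicit DROP for port 22 because the INPUT policy already covers it. The address 203.0.113.5 in the usage note is a constructed placeholder.

```sh
#!/bin/sh
# Added example (not from the original tutorial): build the firewall rule
# sets in iptables-restore format, which is what iptables-persistent loads
# from /etc/iptables/rules.v4 and rules.v6, and apply them with an automatic
# rollback so a typo in HOME_IP cannot lock you out of SSH.
# Assumptions: Debian/Ubuntu with iptables-persistent installed; the host is
# not a router (FORWARD is set to DROP here, the tutorial leaves it ACCEPT).

# Accept only a dotted-quad IPv4 address, so an empty or malformed value
# cannot turn into a rule that matches nothing (or everything).
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  for octet in $1; do
    [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
  done
  IFS=$old_ifs
  return 0
}

# Emit rules.v4: loopback, established flows, ICMP (keeps the ping check
# working), SSH only from HOME_IP, HTTP/HTTPS for Caddy. The INPUT policy
# is DROP, so no explicit "--dport 22 -j DROP" line is needed.
gen_rules_v4() {
  home_ip=$1
  valid_ipv4 "$home_ip" || { echo "bad HOME_IP: $home_ip" >&2; return 1; }
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -s $home_ip -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Emit rules.v6. Pass "open" as $1 to also allow 80/443 over IPv6; do that
# only if the hostname has an AAAA record, otherwise IPv6 clients and the
# ACME challenge can be dropped while the IPv4 path works.
gen_rules_v6() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
EOF
  if [ "$1" = open ]; then
    printf '%s\n' '-A INPUT -p tcp --dport 80 -j ACCEPT' \
                  '-A INPUT -p tcp --dport 443 -j ACCEPT'
  fi
  echo COMMIT
}

# Apply with a 90 second dead-man switch: the previous rule set is saved and
# restored automatically unless you kill the background job (its PID is
# printed) from a NEW SSH session, which proves the new rules let you in.
apply_with_rollback() {
  home_ip=$1; v6mode=$2
  iptables-save  > /root/rules.v4.bak || return 1
  ip6tables-save > /root/rules.v6.bak || return 1
  gen_rules_v4 "$home_ip" > /etc/iptables/rules.v4 || return 1
  gen_rules_v6 "$v6mode"  > /etc/iptables/rules.v6 || return 1
  # --test parses and builds the rule set without committing it to the kernel.
  iptables-restore  --test /etc/iptables/rules.v4 || return 1
  ip6tables-restore --test /etc/iptables/rules.v6 || return 1
  ( sleep 90 && iptables-restore /root/rules.v4.bak && ip6tables-restore /root/rules.v6.bak ) &
  echo "rollback in 90 s unless you run: kill $!"
  iptables-restore  /etc/iptables/rules.v4
  ip6tables-restore /etc/iptables/rules.v6
}

# Usage (as root): sh firewall.sh apply <HOME-IP-ADDRESS> [open]
if [ "$1" = apply ]; then
  apply_with_rollback "$2" "$3"
fi
```

Run it as root with sh firewall.sh apply 203.0.113.5 (add open as a third argument only if the hostname has an AAAA record), then log in from a new terminal and run the kill command it printed. If the new login fails, do nothing: after 90 seconds the old rules come back by themselves, and the still-open first session survives throughout because of the ESTABLISHED rule.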

Enable BBR congestion control algorithm

Copy and paste these three commands into your SSH session to enable the Bottleneck Bandwidth and Round-trip propagation time (BBR) congestion control algorithm. Run them only once: the >> redirection appends to /etc/sysctl.conf, so repeating them leaves duplicate lines.

echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p

Verify the result by reading back net.ipv4.tcp_congestion_control with sysctl; it should report bbr. BBR is available as a module in the kernels shipped with current Debian and Ubuntu and is loaded automatically when the setting is applied, so nothing extra needs to be installed.

Compile and install caddy2 + naive

Install the Go toolchain:

apt install golang-go

xcaddy needs a reasonably recent Go release to build the latest Caddy. Check the installed version with go version; if the build below fails with a complaint about the Go version, install the current toolchain from https://go.dev/dl/ instead of the distribution package.

Install xcaddy, the Caddy build tool, from GitHub:

go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest

Build caddy2 with klzgrad's naive fork of the forward proxy plugin. The --with argument replaces the upstream forwardproxy module with the naive branch of that fork:

~/go/bin/xcaddy build --with github.com/caddyserver/forwardproxy@caddy2=github.com/klzgrad/forwardproxy@naive

The resulting binary is written to ./caddy in the current directory; the rest of this tutorial assumes you stay in that directory.

Configure Caddyfile

Choose a user id and password. The basic_auth line is the only thing standing between the open internet and an open proxy on your server, so use a long random password rather than a memorable one. The client writes the credentials into a URL, so avoid characters such as @, : and / in them unless you URL-encode them on the client side.

Create a new text file named Caddyfile (no extension) in the same directory as the caddy binary.

In the template below:

  • Replace demo10.cscot.buzz by your actual server hostname
  • Replace example@example.com by your own email address (it is passed to the certificate authority as the contact address for the certificate)
  • Replace user by your chosen user id and pass by your chosen password
  • You can support multiple users by having multiple forward_proxy sections, each with its own user and pass
  • Replace https://demo.cloudreve.org by your choice of camouflage URL: visitors without valid credentials, including active probes, are served that site through the reverse proxy instead of a proxy authentication error, which is what probe_resistance relies on

:443, demo10.cscot.buzz
tls example@example.com
route {
  forward_proxy {
    basic_auth user pass
    hide_ip
    hide_via
    probe_resistance
  }
  reverse_proxy https://demo.cloudreve.org {
    header_up Host {upstream_hostport}
    header_up X-Forwarded-Host {host}
  }
}

Save the file.

Run caddy

Run caddy in the background, from the directory containing the Caddyfile (caddy start reads ./Caddyfile by default):

./caddy start

It will automatically obtain a TLS certificate for you. This only works if the DNS record already resolves to this server and ports 80 and 443 are reachable from the internet (the firewall rules above allow them); if issuance fails, check those two things first. Note that caddy start does not survive a reboot; for a permanent setup, run caddy as a service (for example under systemd) instead.

Download client

Get the client from https://github.com/klzgrad/naiveproxy/releases/latest.

Example: naiveproxy-v110.0.5481.100-1-win-x64.zip.

Unzip the zip file.

Configure client

Edit the file Downloads\naiveproxy-v110.0.5481.100-1-win-x64\naiveproxy-v110.0.5481.100-1-win-x64\config.json.

In the template below:

  • Replace demo10.cscot.buzz by your actual server hostname
  • Replace user by your chosen user id and pass by your chosen password

{
  "listen": "socks://127.0.0.1:10808",
  "proxy": "https://user:pass@demo10.cscot.buzz",
  "padding": true
}

Open a terminal and change into the unzipped directory:

cd Downloads\naiveproxy-v110.0.5481.100-1-win-x64\naiveproxy-v110.0.5481.100-1-win-x64

Then run the client with the command:

.\naive.exe config.json

Configure your browser to use the SOCKS proxy that is now listening on 127.0.0.1 port 10808. Choose the option to resolve DNS through the proxy as well (in Firefox, "Proxy DNS when using SOCKS v5"), otherwise your DNS queries still leave your machine in the clear. Then visit a site that shows your public IP address and confirm that it reports the address of your VPS.

v2rayN

You can alternatively configure v2rayN to act as a client to a Naiveproxy server. You must rename config.json to naive.json and specify a custom server configuration. See the source tutorials for a demonstration of how to do this.