Shadowsocks config help?

Lost Dog

I'm trying to get shadowsocks running on my RT-AC56U and have run into some headaches... I normally use OpenVPN or an ssh tunnel depending on what I'm doing and figured I'd play around with a new option.

From what I can tell I have the correct packages installed through opkg:

Code:
shadowsocks-libev-config - 3.0.8-15
shadowsocks-libev-ss-redir - 3.0.8-15
shadowsocks-libev-ss-rules - 3.0.8-15
shadowsocks-libev-ss-server - 3.0.8-15
shadowsocks-libev-ss-tunnel - 3.0.8-15

Contents of my shadowsocks.json:

Code:
{
    "server":"192.168.10.10",
    "server_port":8388,
    "local_port":1081,
    "password":"xxxxxxx",
    "timeout":60,
    "method":"aes-256-gcm"
}

I changed the server: to the actual IP of my router and not the 127.0.0.1 that was in there but that didn't make a difference to my issues.

I've confirmed that it's running and when I'm at home using my android phone with the shadowsocks client I can connect and get connected to the internet. If I'm outside my network I cannot connect. This is using the actual IP address assigned by my ISP or the dynamic DNS I use in case that IP changes.

Any suggestions?

Thanks!
 
I had many problems running shadowsocks on my AC88U with Merlin. I searched and I didn't find any help in this forum; a few people here know about shadowsocks. The only solution I found is to flash Xiaobao/Koolshare firmware. It's a Merlin firmware with more options and tools; it's a VPN-oriented firmware. There is also Padavan firmware. Both come with shadowsocks, Shadowsocks-R, dnscrypt, chinadns, GFWlist, redsocks... everything you need.


Sent from my iPhone using Tapatalk
 
Thanks for the reply!

I'm amazed that more people have not played with shadowsocks. From everything I've read it gives faster performance than OpenVPN. I use a GL.iNet AR-300M router when I travel and connect to my RT-AC56U at home for secure hotel wifi access. For a travel router the AR-300M is fantastic but the trade-off for the size is overall processing power. If I could eke out a bit more throughput using shadowsocks it would be great.

I'd rather stick with the stock merlin firmware than try the Xiaobao/Koolshare. Maybe I'll throw a shadowsocks server on one of my systems at home and just route through that.

Still, if anyone has suggestions on getting it running with stock merlin I'd like to work through it with you!
 
I would like to run it on stock Merlin too without Entware-NG. BTW, I am running it on OpenWrt and it runs perfectly.


Sent from my iPhone using Tapatalk
 
Ok, I'd like to figure this out just for the exercise...

When I'm on my local network I can connect to the shadowsocks server on my router. When I'm outside my local network I cannot connect. The issue seems to be some routing issue going from WAN to the LAN. Can anyone with more networking experience suggest some troubleshooting to get a better idea of what's going on?
 
@Lost Dog

Have the startup script in /opt/etc/init.d to run "ss-server" (which is server). Default is "ss-local" (which is client) on an earlier Entware-ng package that I checked.

Also have port 8388 open on your WAN firewall.

Shadowsocks is easier than OpenVPN to set it up and run. Indeed it's time to retire OpenVPN for most ppl.
 
OpenVPN is well documented, and far more flexible. Shadowsocks is in no way a viable replacement for OpenVPN, it's only an alternative for some very specific scenarios. Good luck getting shadowsocks to work with anything but the most basic network setup, or in an environment where you have to manage multiple users.
 
Yeah, I discovered S22shadowsocks was pointing to ss-local and got that resolved. Where in the router settings do you open port 8388 on the WAN firewall? I tried port forwarding to the router's IP but that didn't work.
 
The original Shadowsocks project repo has been shut down by the Chinese gov and its creator has been threatened with imprisonment, and now there are many independent developers/communities keeping it alive. Each community is using enhanced code and different branches; you can also find Shadowsocks-R, which is another, different protocol.

Shadowsocks offers an undetectable protocol without any backdoor compared to the rest of the protocols: OpenVPN being easy to detect and to block even with the XOR patch, IPsec and IKEv having backdoors (everyone knows that) and being easily detectable. Only Shadowsocks and Shadowsocks-R have proven to be the way to go for a stealth protocol in heavily censored countries (UAE, China, Iran, North Korea, etc.), being impossible to detect.
 
Shadowsocks offers an undetectable protocol without any backdoor compared to the rest of the protocols (OpenVPN being easy to detect and to block even with the XOR patch, IPsec and IKEv having backdoors and being easily detectable). Only Shadowsocks and Shadowsocks-R have proven to be the way to go for heavily censored countries (UAE, China, Iran, North Korea, etc.), being impossible to detect.

OpenVPN 2.4 added support for encryption of the TLS control channel data, making it very difficult to detect. From the feedback I've received, it's able to successfully bypass the Chinese firewall so far.

Anyway, my point isn't about whether shadowsocks can do a better job at something or not. Just that it's in no way in a position to make OpenVPN obsolete and in need of being retired, as it only covers a small subset of usage scenarios possible with OpenVPN.
 
Where in the router settings do you open port 8388 on the WAN firewall?

I don't know about the GUI. You can first try in ssh:
Code:
iptables -I INPUT -i eth0 -p tcp -m multiport --dports 8388 -j ACCEPT

eth0 is assumed to be your WAN interface. If not, issue 'ifconfig' to check and identify the interface name with your public IPv4.

See if connection from WAN works now.

If so, then consult your firmware docs to put the line somewhere in the startup script for automation.
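
As an added example (not part of the original posts), here is one way to make the rule above persistent on Asuswrt-Merlin: a `/jffs/scripts/firewall-start` script, which the firmware calls with the WAN interface name as its first argument. The config path and the `IPT` override are assumptions, the script assumes an iptables build that supports `-C`, and `--dport` stands in for the equivalent single-port `-m multiport --dports`.

```shell
#!/bin/sh
# Added example: idempotent WAN rule for ss-server, sized for firewall-start.
# Assumptions: CONF path is hypothetical; IPT can be overridden for dry runs.
IPT="${IPT:-iptables}"
CONF="${CONF:-/opt/etc/shadowsocks.json}"

# Extract the numeric "server_port" value from a shadowsocks JSON config.
ss_port() {
    sed -n 's/.*"server_port"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Accept only integers in 1..65535 so nothing unexpected reaches iptables.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Insert the ACCEPT rule once. -C checks whether the exact rule already exists,
# so repeated firewall restarts do not stack duplicate rules.
open_ss_port() {
    wan="$1"; port="$2"
    [ -n "$wan" ] || return 2
    valid_port "$port" || return 2
    if $IPT -C INPUT -i "$wan" -p tcp --dport "$port" -j ACCEPT 2>/dev/null; then
        return 0
    fi
    $IPT -I INPUT -i "$wan" -p tcp --dport "$port" -j ACCEPT
}

# Runs only when invoked with a WAN interface argument and a readable config.
if [ -n "$1" ] && [ -r "$CONF" ]; then
    open_ss_port "$1" "$(ss_port "$CONF")"
fi
```

Reading the port from the config keeps the firewall opening in step with `server_port`, so only the port ss-server actually listens on is exposed on the WAN side.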
 
Perfect!!! That worked! Thank you much for your help!
 
I've been playing around with shadowsocks but so far have only been able to use it with my phone (both wifi and cellular) to connect to my router at home. Using the same cipher (AES-128-GCM) OpenVPN is about 10Mbs faster on average. I've not been in a position to use it with my travel router (GL.iNet AR-300M) yet.

The biggest issue is ss-server quits randomly often. I cannot seem to find anything in the logs saying it quit or why but with the frequency of it happening it's not a viable option for regular use.
 
@Lost Dog

The C version of shadowsocks has very good quality of coding. That's the version on Entware-ng. My longest run was over a month and believe me it served *many* users and *hundreds* of GB during that period without a single glitch. That was the last version in 2.x if I remember correctly.

One reason is that shadowsocks is very simple in how it works. So it can be made very fast and efficient. I had the same good experience with 3.0.6 and stay with it. Haven't tried >=3.1.0.

My only problem now is that router firmware crashes before applications die. :)

EDIT:

v3.0.8 is what I meant to say. Not 3.0.6.
 
Interesting... I'm using the version from Entware-ng which is 3.0.8 as well. On my RT-AC56U it crashes after only a few minutes.
 
Well, oddly enough Shadowsocks has been running without issue for the past 24 hours. I'll put it through more testing tomorrow from a few different locations see if I get any crashing.
 
I seemed to figure out the issue with ss-server stopping... The ss-server will stop after a short time if it's started manually using:

Code:
/opt/etc/init.d/S22shadowsocks start

Just restarting the router and letting everything start on its own keeps ss-server running.... odd.
 
Good that you sorted it out. Though the conclusion sounds weird to me but it works!

The C code of Shadowsocks is robust, efficient and stable. You shall run it on your best always-on hardware e.g. NAS and better with kernel >= 3.16.

Also consider switching to 'chacha20' for encryption.
 
Yeah, odd but it works!

I've switched to chacha20-ietf-poly1305 and using my phone with a shadowsocks client I've seen an increase of ~10Mb/s on average over aes-128-gcm. This is running both ss-server and OpenVPN on my RT-AC56U.

I'm traveling for work next week and I'm anxious to see how it works with a client on my travel router.
 
I have nothing but good things to say about the travel router. Good value for the $40 cost. I purchased the GL-AR300M model. When my wife was in the hospital, I used the router to tether the hospital's WIFI connection. The router supports OpenVPN. I had it configured to route traffic to my PrivateIP server in USA. I also brought along my newly acquired Amazon Firestick. This enabled us to stream Netflix, Hulu, SlingTV, NFL, etc from the hospital room. How cool is that!? The cable at the hospital lacks international channels. So, having the router and firestick made the stay much better than it would have been if I only had access to Thai TV. I did get some buffering and changed to the no encryption option on the OpenVPN client to improve the streaming experience. When I tested it at my home, no issues.

Then, a few days later, we lost internet connection. Our home is at the edge of the radio WIFI signal for the Children's Home we volunteer at. So, I connected the GL-AR300M to the power outlet outside of our home but within reach of the WIFI signal from the Children's Home to provide WIFI to our home during the outage.

I run a small host file ad blocker posted on this website https://paul.is-a-geek.org/2015/06/dns-based-adblock-using-openwrt-opendns-and-dnsmasq/ and an old version of pixelserv I found on github for openwrt.
 
