ShadowSocks on Merlin

[gjf]

Hi All.

I have my own VPS with ShadowSocks server installed on it.

So my question: is it possible to install client only part on Merlin? The only solution I have found here looks like a transparent proxy only (ss-redir) but I want just SOCKS5 proxy on a specific port of my router to be used only when necessary (ss-local).

To redirect all traffic thru ShadowSocks is not a solution.

 

[eibgrad]

I'm NOT a user of that proxy, but looking at the following file on that same GitHub site ...

shadowsocks-asuswrt-merlin/scripts/apply_iptables_rule.sh at master · Acris/shadowsocks-asuswrt-merlin

Shadowsock for Asuswrt-Merlin New Gen. Contribute to Acris/shadowsocks-asuswrt-merlin development by creating an account on GitHub.

github.com

... it appears to me that there are two if/fi blocks, one for TCP (see below), the other UDP, where you can define exceptions to NOT be redirected.

if iptables -t nat -N SHADOWSOCKS_TCP 2>/dev/null; then
  # TCP rules
  iptables -t nat -N SS_OUTPUT
  iptables -t nat -N SS_PREROUTING
  iptables -t nat -A OUTPUT -j SS_OUTPUT
  iptables -t nat -A PREROUTING -j SS_PREROUTING
  iptables -t nat -A SHADOWSOCKS_TCP -p tcp -m set --match-set localips dst -j RETURN
  iptables -t nat -A SHADOWSOCKS_TCP -p tcp -m set --match-set whitelist dst -j RETURN
  iptables -t nat -A SHADOWSOCKS_TCP -p tcp -m set --match-set userwhitelist dst -j RETURN
  if [[ ${mode} -eq 1 ]]; then
    iptables -t nat -A SHADOWSOCKS_TCP -p tcp -m set --match-set chinaips dst -j RETURN
  fi
  if [[ ${mode} -eq 0 ]]; then
    iptables -t nat -A SHADOWSOCKS_TCP -p tcp -s ${lan_ips} -m set --match-set gfwlist dst -j REDIRECT --to-ports ${local_redir_port}
  else
    iptables -t nat -A SHADOWSOCKS_TCP -p tcp -s ${lan_ips} -j REDIRECT --to-ports ${local_redir_port}
  fi
  iptables -t nat -A SHADOWSOCKS_TCP -p tcp -s ${lan_ips} -m set --match-set usergfwlist dst -j REDIRECT --to-ports ${local_redir_port}
  # Apply TCP rules
  iptables -t nat -A SS_OUTPUT -p tcp -j SHADOWSOCKS_TCP
  iptables -t nat -A SS_PREROUTING -p tcp -s ${lan_ips} -j SHADOWSOCKS_TCP
fi

Notice it attempts to match on three different ipset hash tables (localips, whitelist, and userwhitelist), and when a match is found, RETURNs, which in this case means to abandon the redirection that follows further down the block.

So it appears to me that scripts does provide for selective redirection. But it's NOT as if I tested it. I just skimmed it and it appears to be what you want.

 

[gjf]

Just found a correct way (thanks to Acris from github for pushing in a right direction).

So to install a SOCKS5 ShadowSocks client on Asus Merlin you need:

1. Install client through Entware:

opkg install shadowsocks-libev-ss-local

2. Copy v2ray-plugin in /opt/bin with setting a corresponding permissions. I took the file from here: https://github.com/shadowsocks/v2ra...v1.3.1/v2ray-plugin-linux-arm64-v1.3.1.tar.gz

3. Copy configs in /opt/etc/sslocal/ - examples of such configs are attached, config1.txt corresponds to the "pure" ShadowSocks and config2.txt corresponds to ShadowSocks+v2ray. Of course files should be edited and proper renamed.

4. Add the following string into /jffs/scripts/wan0-connected

ss-local -c /opt/sslocal/config.json -f /opt/var/run/ss-local.pid

Now everything is working as expected.

The only issue: I have to hardcode my router IP in config.json as "192.168.1.1". If somebody tell how to put a proper system variable corresponding to router's IP - it will be very usefull. (Have no idea how to insert "nvram get lan_ipaddr" code into json).

 

[SoFluffy]

Will the LAN IP change? On Merlin I have only run the server side of shadowsocks/v2ray-plugin over websocket with nginx as a reverse proxy. I just use 0.0.0.0, which I suppose is binding to WAN as well, but blocked in iptables.

Not to hijack, but I wanted to just call out that if you are using the tcpandudp setting (calls being done over TCP and UDP to your endpoint), and not using a websocket, your obfuscation is easily detected. Depending on your purposes, this may be a concern. I have switched over to using trojan-go (with websocket), allowing only TCP port 443 being opened. This passes any active probe tests with a dummy website behind it and true https handshakes. UDP works well in this configuration without needing the additional UDP port opened on the server (like shadowsocks needs), keeping traffic looking like innocent https.

If your shadowsocks setup isn’t being used for bypassing censorship and/or there are no risks or legal concerns of being detected, your setup should work well.

 

[gjf]

Will the LAN IP change?

You are absolutely right. It's just because I hate hardcoding in settings

As for other concerns - the config is intended just to have a proper SOCKS to be used when some resources are blocked. It is not intended for overcoming a strict censorship as it is not an issue for my region (yet?)

To overcome censorship I have much stronger instruments on my mobile devices those I am using when travelling.

And as I told: there is client only side on the router. The server side on a remote VPS is much more complicated with v2ray obfuscation, dummy website forwarding etc.

 

[omnia6890]

Thank you gjf, Do you have any link for v2ray setup on Merlin?
I've run it but I couldn't know how to test the connectivity & proxy my entire traffic through the tunnel.

 

[gjf]

Thank you gjf, Do you have any link for v2ray setup on Merlin?
I've run it but I couldn't know how to test the connectivity & proxy my entire traffic through the tunnel.

No I am happy with ss-local and see no need in v2ray yet.