Using shadowsocks to replace OpenVPN setup
^^ this. Free apps on my work computer. My company's IT is a joke and they probably only know Astrill, so free apps work better at the moment, and OpenVPN and Astrill show signs of betterment.
BTW, do you use the built-in VPN client or do you use the Astrill applet? I use the latter because it is quite convenient.

But seriously, what's the point of messing with OpenVPN? They don't shut it off fully (even though they've just proven again they can) but they make it utterly slow and inconvenient. As far as I know OpenVPN is still the standard protocol for most corporate VPNs that so many foreign and domestic companies (have to) rely on.

But back to my main question :) (how) can I create an exception for a service that runs on the router to bypass a socks5 proxy?

Sorry for being so persistent about this but I view this as a chance to learn a bit about networking fundamentals (where I am very clearly lacking the essentials). I do, however, enjoy the offtopic discussion quite a bit ;)

Sorry for the late reply. Been busy lately. I use the built-in VPN client and honestly it works/connects all the time. As I mentioned before, Astrill is dead in China now, of course, unless you get their stealth addon, which I think is a joke for an extra 5 bucks a month. When speed throttling happens I usually disconnect and reconnect my WAN connection with OpenVPN still being on. That fixes the speed issue most of the time. I might also have to restart the router at odd times to get things working again. On another note, I also have had to switch from UDP to TCP a few times when things just wouldn't be normal speed-wise. But hey, it's the Great Firewall doing its job and there's nothing much you can do about it.
As regards your question, as long as you are in China, I'd really advise you to stick to OpenVPN no matter what. Route all your traffic through it if safety and privacy are your primary concerns (for me, damn right!). ExpressVPN, VyprVPN and AirVPN all work very well.
 
Ok, thanks for the input.

Verdict:
  • Astrill is pretty much dead, I second that. It's not clear if they will recover. Tbh, I wouldn't even be surprised if they had just given up the constant fight against the GFW and just cashed out. Or they have lost their guanxi with the regulators here.
  • OpenVPN works for some with some VPNs. Worth a try
  • shadowsocks still sounds like a viable alternative and is definitely worth a try.
  • I made zero progress with finding an answer to my initial question :rolleyes:o_O
  • This thread is entertaining and less scary than I thought. Maybe that's your evil master plan; being super nice and friendly to make me look paranoid and suffering from persecutory delusion :eek:
 
I am using vpn520.net. ISP is China Telecom (Shanghai). Most of the time it works OK, but I am studying to switch over to ShadowSocks RSS (SSR).

The easiest way is to exclude a specific source IP from using the VPN; then all you need to do is keep your BT/private tracker downloader on that specific device (can be a NAS running daemons). How to set that up on your router, I suppose, depends on your router... For me, I am using Mikrotik RouterOS, which can split the traffic quite easily. But the learning curve for Mikrotik is a bit steep...

Having said that, an idea just came to my head. If you use two routers, one for PPPoE (have your BT client attached to this router), and one for shadowsocks / VPN, then:

modem
|
router A (PPPoE) --- router B (ShadowSocks / SSR) --- PCs
|
BT
 
I've been running ss for a while now and it is definitely better than any VPN I've tested so far. The integration with gfwlist works great and I can easily tune which traffic should be tunneled. The Android client is amazing, I hardly notice any battery drain.

Recently I've tested kcptun which often gives much higher speeds than ss. However, I am struggling with frequent timeouts/disconnects. Currently experimenting with MTU settings. But only being at home during peak internet hours doesn't help with objective testing.

So now you chuck in SSR. What's the main difference when compared to regular SS?

I don't want to run another router. The modem has a WiFi router integrated so that should do it. BT client is not in my focus atm. Appreciate your help though.
 
I totally agree that the ss is a far superior VPN solution. I am a newbie to networking (far greener than you). I have managed to run ss-server on my Merlin'd Asus RT-AC66U (shadowsocks-libev-polarssl) and the Android client on my phone.

It works wonderfully well, my only regret being that it seems to disregard any DNS resolvers my router is configured to use. It always defaults to Google's resolvers, which I verified with dnsleaktest. It does not matter if I am inside my home network or outside (with port forwards to ss-server's 8388). I tried UDP forwarding, but it does not help. Neither does setting any DNS option in the server config JSON or the -u or -U flag (tried them all). Have you been able to use your own DNS resolvers on the ss-server that you run?

Also, with the latest update the android client has support for kcptun over shadowsocks. How have you run kcptun on your router? Can you share the binaries with me? Thanks in advance :)
 
I actually bit the bullet and installed a Chinese mod of Merlin's firmware that has everything integrated. SS/SSR, GFWlist, CNroute, etc.
It has an auto updater of everything integrated (binaries, lists) and works really well. This is how I learned about kcptun in the first place. You can find their kcptun binaries (client and server) here: https://github.com/clangcn/kcp-server/tree/master/latest

I saw that Max Lv has updated the Android app with kcptun support. I haven't tried it out yet since it seems to be a bit of a different implementation. In the app you can't input a dedicated password for kcptun which my server requires. It might be hidden in the CLI options but I only had a very quick glance at it. So far the solution on my router works really well. Have been streaming YouTube on the weekend in 1080p.

Shounak De, you are running the server on your router? Then your setup is very different from mine (I assume you don't live in the middle kingdom) since I am running a VPS abroad (server) and all my devices (router, smartphone, computer) are clients.
To be honest I haven't paid attention to DNS leaks, yet. I've been using DNSCrypt and maybe relied on a false feeling of security. Good point, I'll look into it when I find time.
 
Hello @stfn Sorry for the late reply. Thanks much for the link. You are correct, I'm not in China and use ss-server on my router. I guessed you might be using ss-local on yours :)

BTW, I am using DNSCrypt myself, but if your shadowsocks client is not using your router's DNS then it is probably not being used. I know that the Android client does not: it has Google's DNS resolvers hardcoded. I only recently learned of this (since my last post); I had only suspected as much earlier.

You might need to use the iptables nat OUTPUT chain on your router to force a redirect to your local DNSCrypt address:port.

I use pixelserv-tls as well, so this is very handy: I can use the shadowsocks VPN from wherever I am to use my own DNS, and I get ad filtering to boot!

You are right, there is a --key option (see: Global options) with which you may be able to supply your own password in the CLI.

I will try out the kcp-server on my router when I get a chance. Thanks again for the link. :)
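The nat OUTPUT redirect suggested in the post above, written out as an added example (not code from the thread or from any of the projects mentioned): ss-server runs on the router itself, so the DNS queries it relays for the Android client leave through the nat OUTPUT chain, and the rules below send them to a local DNSCrypt listener instead. Assumed values: dnscrypt-proxy listening on 127.0.0.1:65053, and its upstream reached on 443 rather than 53 so the rule does not catch the proxy's own traffic.

```shell
#!/bin/sh
# Added example (not from the thread): force DNS traffic that ss-server itself
# generates on the router to the local DNSCrypt listener, as the post suggests.
# ss-server is a local process, so its packets traverse the nat OUTPUT chain;
# PREROUTING only sees traffic forwarded from LAN clients.
# Assumptions: the listener is 127.0.0.1:65053 (dnscrypt-proxy default on
# Merlin builds; use 127.0.0.1:53 to go through dnsmasq and pixelserv instead),
# and dnscrypt-proxy reaches its upstream on 443, not 53, so it is not caught.

# Rule specs (without -A/-C) for the nat OUTPUT chain. The "! -d" exclusion
# keeps queries already aimed at the listener from matching again if it
# happens to sit on port 53.
dns_redirect_specs() {
    addr="$1"; port="$2"
    for proto in udp tcp; do
        echo "OUTPUT -p $proto --dport 53 ! -d $addr -j DNAT --to-destination $addr:$port"
    done
}

# Install idempotently: -C tests for the rule, -A appends only if it is absent.
# Set IPT=echo to print the iptables commands instead of executing them.
apply_dns_redirect() {
    ipt="${IPT:-iptables}"
    dns_redirect_specs "$1" "$2" | while read -r spec; do
        # $spec is unquoted on purpose so the words become separate arguments
        if [ "$ipt" = echo ] || ! $ipt -t nat -C $spec 2>/dev/null; then
            $ipt -t nat -A $spec
        fi
    done
}

# Undo: delete each rule if present.
remove_dns_redirect() {
    ipt="${IPT:-iptables}"
    dns_redirect_specs "$1" "$2" | while read -r spec; do
        $ipt -t nat -D $spec 2>/dev/null || true
    done
}

# Typical use on the router (e.g. from a nat-start script):
#   apply_dns_redirect 127.0.0.1 65053
# Verify with: iptables -t nat -S OUTPUT | grep 'dport 53'
```

After applying, a leak test from the Android client should show the DNSCrypt upstream instead of Google's resolvers; the rules are lost on reboot unless the script is hooked into the firmware's nat-start.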
 
My pleasure, @Shounak De

I updated the kcptun client plugin on the router yesterday. It now has a couple of DNS options integrated so now I'm sending my foreign requests through DNSCrypt (OpenDNS makes everything a lot faster when compared to CN DNS) and local ones go through Ali. That works really nice and can be conveniently configured through a GUI.

Also tried out kcptun CLI client on OSX today. Works as well but doesn't allow GFWlist. So it's not really suitable for me atm at work.

How do you do the ad filtering? [EDIT: just saw Pixelserv. Cool, will try soon. Really cool, thanks for the tip]

And what I still haven't managed to find out: what is the difference between Shadowsocks and ShadowsocksR??? There is a client on Android that basically resembles the regular one, just with support for SSR.

Try out kcptun. Works really well at times.
 
I have excellent results with the following:
Message the user hggomes on here for an rmerlin firmware with the OpenVPN XOR patch. Rent a VPS (Linux), install OpenVPN on it, and XOR patch it. Since you mention you use Android, there is an OpenVPN app that just added XOR patch support this year. Works great. I used to use dnscrypt as well, but I am too lazy to figure out how to route the dnscrypt queries over the VPN. Also the hgg ver. includes tools to track down questionable connections.
 
Interesting to hear the patch is still doing great. GFW is getting smarter everyday..

Do you see in your server log that to establish the OpenVPN connection, your client has to perform multiple attempts? Any random loss of connection or/and sporadic slowdown during a session?
 
I am not under the GFW. I am nearby in a soon-to-be pene-enclave. lol Sometimes I travel through an airport there. Is the XOR patch defeated now? I haven't kept up on the news like I should. To me shadowsocks seems more complicated, maybe it's just me. The patch from git (XOR) is very tiny (2.7Kb); I googled around to see if anyone uses it for pfSense. Nope! All rank and file: if the OpenVPN devs say no, then nope. gawd ...
 
My memory went bad. I thought you live under the GFW. lol. OpenVPN still works (even without the patch) but just doesn't work that well, with the issues I mentioned above. I expect the XOR patch won't help but I haven't tried.
 
For everyone living under the GFW, try out $$ over kcptun. This is a good starting point. However, the G20 summit does not really help with anything (except for occasional YouTube access). If you want to try it out I'd wait until it's over. I'm waiting to fire up a new VPS in a strategic location. But as you said, kvic, GFW getting smarter every day.
BTW, I read recently that $$ might have been breached. Apparently, some scientists/researchers achieved that feat and raked in a lot of money...
 
@stfn I could not get kcptun to run natively on my AC66U router. Maybe I need a separate (mipsel?) build. Can you point me to where you downloaded your firmware from? Or maybe share your kcp* binaries? Anyway, I'm not too worried: ss-server (even without kcp) is working out quite well.

On a completely separate off-topic note, I will be travelling through China (to India) in December this year with my transit time in Shanghai and Kunming (->PVG->KMG->) totaling a little over 27 hrs. It's 2 hops in China, longest wait in Kunming (over 23 hrs). Would you happen to know if I need to apply for a Chinese visa, or can I just wait it out in the airport? I ask just in case you know this, so no need to fret in case you don't :)
 
You might need a transit visa (free on arrival).
In Beijing I had to get my baggage, clear immigration (fill out the transit visa form) and customs, then go back to the check-in counter upstairs. Back through immigration ...
In Guangzhou airport I never have had to do that. If you don't get a definitive answer about the two cities in your post above, I would plan for the worst.
 
Usually, this site has pretty good and recent information.
Kunming is supposed to be beautiful with great weather. Unfortunately, I haven't made it there yet. But I think it'd be worth the trouble. Have a look.

Back to topic: Shounak De, do you want the binaries for client or server? You have checked here? The firmware is from koolshare. You have to register, though, and everything is in Chinese. If you just want the firmware I could upload it for you and send you the link through PM.
 
@Cake thanks for the free transit visa info. Do you know where I'd find more info on that? I am planning to call the immigration desk @PVG (Shanghai), but I doubt I would be able to communicate properly.
@stfn I did go to that site before. As I understood it, the 72-hour rule applies if you are exiting China from the same airport you entered, and even though the list of eligible airports has both PVG and KMG, the rule says one stop in one city. I am going through 2 cities in China, so I do not think it applies to me.

I never did know of this koolshare place before. The pictures look as if it's a lot more featured than Merlin's build... I wonder if the kcp binaries would natively run on my router. I would be running the kcp-server primarily, but it probably wouldn't hurt to get the client as well (if I plan to use a VPS later on). It would be awesome if you could PM me a link to your binaries.
 
PM sent.
They have more features but they mostly center around "scientific" connectivity, if you catch my drift.
There is a plugin system and you can download the kcptun module there. Again, most plugins are centered around connectivity. There are also things that allow you to rename your WiFi with special characters. So if you always wanted your SSIDs to be a shruggie, there's your chance.
 
That's an interesting derivative of AsusWRT. Keep up the effort!

:)
 
It is indeed interesting and they are moving at a rapid pace. I'll install the newest release on the weekend. They have included Merlin's 380.61 changes and added some of their own changes. Not 100% sure if it's their own effort or Merlin's, but for instance htop is now included. I guess it makes sense for debugging the scientific connectivity that can be a resource hog at times.
 