LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 01-28-2024, 06:27 AM   #1
Jason.nix
Member
 
Registered: Feb 2023
Posts: 566

Rep: Reputation: 10
How do I combine Shadowsocks with OpenVPN?


Hello,
I want to implement the following scenario:

Quote:
VPS (Shadowsocks Server) ---> Home Server (Shadowsocks Client + OpenVPN Server) ---> Client (OpenVPN Connect)
I want the clients to connect to the home server through OpenVPN Connect and the OpenVPN server to use the Shadowsocks client's Internet connection. What lines should be added to the Server.conf and Client.conf files?

I found the following tutorials, but they all do the configuration without an intermediate (Home Server) server:

https://thematrix.dev/use-openvpn-over-shadowsocks/

https://blog.fadyothman.com/bypassing-openvpn/


Thank you.
 
Old 01-29-2024, 12:33 AM   #2
Jason.nix
Member
 
Registered: Feb 2023
Posts: 566

Original Poster
Rep: Reputation: 10
Hello,
Code:
VPS: 172.20.2.55
Home Server: 172.21.50.76
Client: 172.21.50.72
Shadowsocks server (VPS) configuration is as follows:
Code:
{
    "server":["172.20.2.55"],
    "mode":"tcp_and_udp",
    "server_port":8388,
    "local_port":1080,
    "password":"123456",
    "timeout":86400,
    "method":"chacha20-ietf-poly1305"
}
And Shadowsocks client (Home Server) configuration is as follows:
Code:
{
    "server":"172.20.2.55",
    "mode":"tcp_and_udp",
    "server_port":8388,
    "local_address":"127.0.0.1",
    "local_port":1080,
    "password":"123456",
    "timeout":60,
    "method":"chacha20-ietf-poly1305"
}
The OpenVPN server (Home Server) configuration is:
Code:
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/Server.crt
key /etc/openvpn/server/Server.key                             
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0              
push "redirect-gateway def1 bypass-dhcp"   
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"             
keepalive 10 120
tls-crypt /etc/openvpn/server/ta.key 0                            
data-ciphers AES-256-GCM                   
cipher AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
And client configuration is:
Code:
client
dev tun
proto udp
remote 172.21.50.76 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
data-ciphers AES-256-GCM        
cipher AES-256-GCM
verb 3

socks-proxy 172.21.50.76 1080
route 172.20.2.55 255.255.255.255 net_gateway
I tested the Shadowsocks server on the home server and it worked:
Code:
# httping -x 127.0.0.1:1080 -5 -g http://www.google.com
PING www.google.com:80 (/):
connected to www.google.com:80 (1101 bytes), seq=0 time=172.35 ms 
connected to www.google.com:80 (980 bytes), seq=1 time=170.65 ms 
connected to www.google.com:80 (1374 bytes), seq=2 time=168.94 ms 
connected to www.google.com:80 (1374 bytes), seq=3 time=169.54 ms 
connected to www.google.com:80 (1374 bytes), seq=4 time=169.90 ms 
connected to www.google.com:80 (1374 bytes), seq=5 time=169.73 ms 
...
I tried to connect to OpenVPN server, but I got the following error:
Code:
Mon Jan 29 09:27:06 2024 Note: --socks-proxy disables data channel offload.
Mon Jan 29 09:27:06 2024 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
Mon Jan 29 09:27:06 2024 Windows version 6.1 (Windows 7), amd64 executable
Mon Jan 29 09:27:06 2024 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Mon Jan 29 09:27:06 2024 DCO version: v0
Mon Jan 29 09:27:06 2024 MANAGEMENT: TCP Socket listening on [AF_INET]172.21.50.76:25355
Mon Jan 29 09:27:06 2024 Need hold release from management interface, waiting...
Mon Jan 29 09:27:07 2024 MANAGEMENT: Client connected from [AF_INET]172.21.50.76:1118
Mon Jan 29 09:27:07 2024 MANAGEMENT: CMD 'state on'
Mon Jan 29 09:27:07 2024 MANAGEMENT: CMD 'log on all'
Mon Jan 29 09:27:07 2024 MANAGEMENT: CMD 'echo on all'
Mon Jan 29 09:27:07 2024 MANAGEMENT: CMD 'bytecount 5'
Mon Jan 29 09:27:07 2024 MANAGEMENT: CMD 'state'
Mon Jan 29 09:27:07 2024 MANAGEMENT: CMD 'hold off'
Mon Jan 29 09:27:07 2024 MANAGEMENT: CMD 'hold release'
Mon Jan 29 09:27:07 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]172.21.50.76:1080
Mon Jan 29 09:27:07 2024 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Jan 29 09:27:07 2024 Attempting to establish TCP connection with [AF_INET]172.21.50.76:1080
Mon Jan 29 09:27:07 2024 MANAGEMENT: >STATE:1706507827,TCP_CONNECT,,,,,,
Mon Jan 29 09:29:07 2024 TCP: connect to [AF_INET]172.21.50.76:1080 failed: Unknown error
Mon Jan 29 09:29:07 2024 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
Mon Jan 29 09:29:07 2024 MANAGEMENT: >STATE:1706507947,RECONNECTING,connection-failed,,,,,
What is wrong?

Last edited by Jason.nix; 01-30-2024 at 05:00 AM.
 
Old 01-29-2024, 11:52 PM   #3
Jason.nix
Member
 
Registered: Feb 2023
Posts: 566

Original Poster
Rep: Reputation: 10
Hello,
Is TCP: connect to [AF_INET]172.21.50.76:1080 failed: Unknown error a routing related error?

Thank you.

Last edited by Jason.nix; 01-30-2024 at 04:54 AM.
 
Old 02-13-2024, 08:36 AM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,673
Blog Entries: 4

Rep: Reputation: 3945
I don't know enough specifics to specifically help you, but you can break down the problem by dealing with the three stages of your scenario separately:

(1) You have already determined that the first "arrow" can be crossed: you can talk to the VPS server.

(2) Now, go to the rightmost arrow. Can your client machines connect to the intermediate server? And, when connected, what "virtual network addresses" (e.g. 10.x.y.z) can they see and "ping?"

(3) The last step is routing between the two, which must take place on the "home server." Traffic must be routed between the VPS client process and the OpenVPN server process. The OpenVPN server must be told to expose these addresses so that its clients can see them. And, the incoming VPS traffic must be routed to them.
 
Old 02-16-2024, 12:05 PM   #5
Jason.nix
Member
 
Registered: Feb 2023
Posts: 566

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by sundialsvcs
I don't know enough specifics to specifically help you, but you can break down the problem by dealing with the three stages of your scenario separately:

(1) You have already determined that the first "arrow" can be crossed: you can talk to the VPS server.

(2) Now, go to the rightmost arrow. Can your client machines connect to the intermediate server? And, when connected, what "virtual network addresses" (e.g. 10.x.y.z) can they see and "ping?"

(3) The last step is routing between the two, which must take place on the "home server." Traffic must be routed between the VPS client process and the OpenVPN server process. The OpenVPN server must be told to expose these addresses so that its clients can see them. And, the incoming VPS traffic must be routed to them.
Hello,
Thank you so much for your reply.
No, the client cannot connect to the intermediate server. In the client configuration file, IP 172.21.50.76 must be changed to 127.0.0.1 and shadowsocks client must be running on the client. Otherwise, it is not possible to communicate.
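
Added example (editor's code, not written by any poster in this thread): a Python check over the configs from post #2 that flags a client `socks-proxy` pointing at a remote address while the Shadowsocks client listens only on loopback, a `proto` mismatch between the OpenVPN server and client, a Shadowsocks listener bound beyond loopback (an unauthenticated SOCKS5 port), and a short Shadowsocks password. The finding names and the 16-character password threshold are assumptions chosen for illustration.

```python
import ipaddress
import json

# Constructed inputs: trimmed copies of the configs posted in the thread.
SS_LOCAL = """{"server": "172.20.2.55", "server_port": 8388,
 "local_address": "127.0.0.1", "local_port": 1080, "password": "123456"}"""
OVPN_SERVER = "port 1194\nproto tcp\ndev tun\n"
OVPN_CLIENT = "client\nproto udp\nremote 172.21.50.76 1194\nsocks-proxy 172.21.50.76 1080\n"


def directives(conf):
    """Map each OpenVPN directive to its arguments (last occurrence wins)."""
    out = {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            out[parts[0]] = parts[1:]
    return out


def is_loopback(host):
    """True for 'localhost' or a loopback IP literal; other names count as remote."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def audit(ss_local_json, server_conf, client_conf, min_pw_len=16):
    """Return finding codes (hypothetical names) for the three config files."""
    ss = json.loads(ss_local_json)
    srv, cli = directives(server_conf), directives(client_conf)
    bind = ss.get("local_address", "127.0.0.1")
    findings = []
    proxy = cli.get("socks-proxy")
    if proxy and is_loopback(bind) and not is_loopback(proxy[0]):
        findings.append("proxy-unreachable")  # listener accepts local connections only
    if not is_loopback(bind):
        findings.append("proxy-exposed")  # unauthenticated SOCKS5 open to the network
    # Both ends must agree on transport; OpenVPN defaults to UDP when unset.
    if srv.get("proto", ["udp"])[0][:3] != cli.get("proto", ["udp"])[0][:3]:
        findings.append("proto-mismatch")
    if len(ss.get("password", "")) < min_pw_len:
        findings.append("weak-ss-password")
    return findings


if __name__ == "__main__":
    print(audit(SS_LOCAL, OVPN_SERVER, OVPN_CLIENT))
```

Changing `local_address` to `0.0.0.0` clears `proxy-unreachable` but raises `proxy-exposed`, since the SOCKS5 listener then accepts connections from any host that can reach it; restrict it with a firewall rule if it must be bound that way.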
 
  

