[SOLVED] How do I combine Shadowsocks with OpenVPN?
Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Hello,
I want to implement the following scenario:
Quote:
VPS (Shadowsocks Server) ---> Home Server (Shadowsocks Client + OpenVPN Server) ---> Client (OpenVPN Connect)
I want the clients to connect to the home server through OpenVPN Connect, and the OpenVPN server to use the Shadowsocks client's Internet connection. What lines should be added to the Server.conf and Client.conf files?
I found the following tutorials, but they all do the configuration without an intermediate server (the Home Server):
The OpenVPN server (Home Server) configuration is:
Code:
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/Server.crt
key /etc/openvpn/server/Server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-crypt /etc/openvpn/server/ta.key 0
data-ciphers AES-256-GCM
cipher AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
And client configuration is:
Code:
client
dev tun
proto udp
remote 172.21.50.76 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
data-ciphers AES-256-GCM
cipher AES-256-GCM
verb 3
socks-proxy 172.21.50.76 1080
route 172.20.2.55 255.255.255.255 net_gateway
I tested the Shadowsocks server from the home server and it worked:
Code:
# httping -x 127.0.0.1:1080 -5 -g http://www.google.com
PING www.google.com:80 (/):
connected to www.google.com:80 (1101 bytes), seq=0 time=172.35 ms
connected to www.google.com:80 (980 bytes), seq=1 time=170.65 ms
connected to www.google.com:80 (1374 bytes), seq=2 time=168.94 ms
connected to www.google.com:80 (1374 bytes), seq=3 time=169.54 ms
connected to www.google.com:80 (1374 bytes), seq=4 time=169.90 ms
connected to www.google.com:80 (1374 bytes), seq=5 time=169.73 ms
...
I tried to connect to the OpenVPN server, but I got the following error:
Code:
Mon Jan 29 09:27:06 2024 Note: --socks-proxy disables data channel offload.
Mon Jan 29 09:27:06 2024 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
Mon Jan 29 09:27:06 2024 Windows version 6.1 (Windows 7), amd64 executable
Mon Jan 29 09:27:06 2024 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Mon Jan 29 09:27:06 2024 DCO version: v0
Mon Jan 29 09:27:06 2024 MANAGEMENT: TCP Socket listening on [AF_INET]172.21.50.76:25355
Mon Jan 29 09:27:06 2024 Need hold release from management interface, waiting...
Mon Jan 29 09:27:07 2024 MANAGEMENT: Client connected from [AF_INET]172.21.50.76:1118
Mon Jan 29 09:27:07 2024 MANAGEMENT: CMD 'state on'
Mon Jan 29 09:27:07 2024 MANAGEMENT: CMD 'log on all'
Mon Jan 29 09:27:07 2024 MANAGEMENT: CMD 'echo on all'
Mon Jan 29 09:27:07 2024 MANAGEMENT: CMD 'bytecount 5'
Mon Jan 29 09:27:07 2024 MANAGEMENT: CMD 'state'
Mon Jan 29 09:27:07 2024 MANAGEMENT: CMD 'hold off'
Mon Jan 29 09:27:07 2024 MANAGEMENT: CMD 'hold release'
Mon Jan 29 09:27:07 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]172.21.50.76:1080
Mon Jan 29 09:27:07 2024 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Jan 29 09:27:07 2024 Attempting to establish TCP connection with [AF_INET]172.21.50.76:1080
Mon Jan 29 09:27:07 2024 MANAGEMENT: >STATE:1706507827,TCP_CONNECT,,,,,,
Mon Jan 29 09:29:07 2024 TCP: connect to [AF_INET]172.21.50.76:1080 failed: Unknown error
Mon Jan 29 09:29:07 2024 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
Mon Jan 29 09:29:07 2024 MANAGEMENT: >STATE:1706507947,RECONNECTING,connection-failed,,,,,
I don't know enough specifics to specifically help you, but you can break down the problem by dealing with the three stages of your scenario separately:
(1) You have already determined that the first "arrow" can be crossed: you can talk to the VPS server.
(2) Now, go to the rightmost arrow. Can your client machines connect to the intermediate server? And, when connected, what "virtual network addresses" (e.g. 10.x.y.z) can they see and "ping?"
(3) The last step is routing between the two, which must take place on the "home server." Traffic must be routed between the VPS client process and the OpenVPN server process. The OpenVPN server must be told to expose these addresses so that its clients can see them. And, the incoming VPS traffic must be routed to them.
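One way to do the routing that step (3) describes, as an added example that is not from this thread: run shadowsocks-libev's ss-redir on the home server next to ss-local, and use an iptables REDIRECT rule to send TCP traffic arriving from the OpenVPN subnet into it, so ss-redir carries it to the VPS. The interface names tun0 and eth0, the VPS address 203.0.113.10 and the ss-redir port 1081 are assumptions; 10.8.0.0/24 is the subnet from the posted server configuration. The script prints the rule set by default and only applies it when called with "apply" as root.

```shell
#!/bin/sh
# Added example (not from the thread): transparent proxying on the home server.
# TCP traffic from OpenVPN clients arriving on the tun interface is REDIRECTed
# into a shadowsocks-libev ss-redir instance, which forwards it through the VPS.
# Every name and address below is an assumption for illustration; adjust them.

VPN_SUBNET="10.8.0.0/24"   # matches "server 10.8.0.0 255.255.255.0" in server.conf
TUN_IF="tun0"              # OpenVPN server's tun device (assumed name)
WAN_IF="eth0"              # home server's uplink interface (assumed name)
VPS_IP="203.0.113.10"      # Shadowsocks server on the VPS (placeholder address)
SS_REDIR_PORT="1081"       # port ss-redir listens on (assumed; ss-local stays on 1080)

# Print the sysctl/iptables commands instead of running them, so the rule set
# can be reviewed (or tested) before it is applied with root privileges.
# Destinations that should not go through the proxy (the VPS itself, loopback,
# RFC 1918 ranges) are listed before the REDIRECT rule so it never matches them.
ss_redir_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -N SS_REDIR
iptables -t nat -A SS_REDIR -d $VPS_IP -j RETURN
iptables -t nat -A SS_REDIR -d 127.0.0.0/8 -j RETURN
iptables -t nat -A SS_REDIR -d 10.0.0.0/8 -j RETURN
iptables -t nat -A SS_REDIR -d 172.16.0.0/12 -j RETURN
iptables -t nat -A SS_REDIR -d 192.168.0.0/16 -j RETURN
iptables -t nat -A SS_REDIR -p tcp -j REDIRECT --to-ports $SS_REDIR_PORT
iptables -t nat -A PREROUTING -i $TUN_IF -s $VPN_SUBNET -p tcp -j SS_REDIR
iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $TUN_IF -s $VPN_SUBNET -j ACCEPT
iptables -A FORWARD -o $TUN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Sanity check run before applying: the VPS exclusion must precede the REDIRECT
# rule in the SS_REDIR chain. Returns 0 when the ordering is correct.
rules_are_ordered() {
  first_return=$(ss_redir_rules | grep -n -- "-d $VPS_IP -j RETURN" | head -1 | cut -d: -f1)
  redirect=$(ss_redir_rules | grep -n -- "-j REDIRECT" | head -1 | cut -d: -f1)
  [ -n "$first_return" ] && [ -n "$redirect" ] && [ "$first_return" -lt "$redirect" ]
}

case "${1:-print}" in
  apply) rules_are_ordered && ss_redir_rules | sh -e ;;   # run as root on the home server
  *)     ss_redir_rules ;;                                  # default: only show the rules
esac
```

Two things to check when using this. REDIRECT rewrites the destination to the address of the interface the packet came in on, so ss-redir must listen on that address (the tun address, 10.8.0.1 here) or on 0.0.0.0, for example with `-b 0.0.0.0 -l 1081`. Only TCP is redirected: UDP from the clients, including the DNS resolvers the server pushes (1.1.1.1 and 8.8.8.8), leaves through the uplink via the MASQUERADE rule rather than through Shadowsocks, unless ss-redir's UDP (TPROXY) mode is set up as well. With this design the OpenVPN client connects straight to the home server's port 1194 and needs no `socks-proxy` line; note also that the posted server configuration says `proto tcp` while the client says `proto udp`, and both ends must use the same protocol.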
Hello,
Thank you so much for your reply.
No, the client cannot connect to the intermediate server. In the client configuration file, the IP address 172.21.50.76 must be changed to 127.0.0.1, and the Shadowsocks client must be running on the client. Otherwise, it is not possible to communicate.