Code Blog

2016/12/14 VPN,OpenWRT

I made a previous post about how I set up Shadowsocks on my OpenWRT router (back in February, see post ...). My router had basically stopped working, so I had to go through it and try to understand what was wrong. After some testing, it seemed that the TCP tunnel was working fine but ChinaDNS was not working correctly.

shadowsocks-libev has also been updated. shadowsocks-libev-spec seems to have been discontinued and merged into shadowsocks-libev, which now covers more functions (it supports both SOCKS proxy and transparent proxy). The same is true for the LuCI frontend: everything is now handled through one single GUI.

To solve the problems with DNS I also installed the DNS-forwarder package.

Shadowsocks-libev is written in pure C and only depends on libev and OpenSSL or mbedTLS or PolarSSL.

Using alternative crypto library

There are three crypto libraries available:
- OpenSSL (default)
- mbedTLS
- PolarSSL (Deprecated)

shadowsocks-libev
Client side/
└── usr/
  └── bin/
    ├── ss-local // provides SOCKS proxy
    ├── ss-redir // provides transparent proxy, since v2.2.0 also supports UDP
    └── ss-tunnel // used for packet transmission, can be used for DNS lookups

shadowsocks-libev-server
Server side/
└── usr/
  └── bin/
    └── ss-server // server executable

wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > ignore.list
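
The one-liner above derives the prefix length with floating-point `log()` and `%d`, which truncates when the address count is not a power of two and so yields a block larger than the delegation. As an added example (not part of the original post), the function below does the same conversion with integer arithmetic, splits such records into aligned blocks, and exits non-zero on malformed records; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: APNIC delegated records -> CIDR lines, integer arithmetic only.
# apnic_to_cidr and sample_records are illustrative names, not from the post.

apnic_to_cidr() {
  awk -F'|' '
    # Split [start, start+count) into aligned power-of-two blocks.
    function emit(start, count,    size, bits) {
      while (count > 0) {
        size = 1; bits = 32
        # Grow the block while it stays aligned and still fits.
        while (bits > 0 && start % (size * 2) == 0 && size * 2 <= count) {
          size *= 2; bits--
        }
        printf("%d.%d.%d.%d/%d\n", int(start / 16777216) % 256,
               int(start / 65536) % 256, int(start / 256) % 256,
               start % 256, bits)
        start += size; count -= size
      }
    }
    $2 == "CN" && $3 == "ipv4" {
      # Accept only a dotted quad and a positive integer address count.
      ok = ($4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $5 ~ /^[0-9]+$/)
      if (ok) {
        split($4, o, ".")
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
        ip = ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        if ($5 + 0 < 1 || ip + $5 > 4294967296) ok = 0
      }
      if (!ok) { bad++; next }
      emit(ip, $5 + 0)
    }
    # A malformed record fails the run so a damaged download is not installed.
    END { if (bad) { print bad " malformed record(s)" > "/dev/stderr"; exit 1 } }
  '
}

# Constructed sample in the delegated-apnic-latest field layout.
sample_records() {
  cat <<'EOF'
apnic|CN|ipv4|192.0.2.0|256|20160101|allocated
apnic|CN|ipv4|198.51.100.0|768|20160101|allocated
apnic|JP|ipv4|203.0.113.0|256|20160101|allocated
apnic|CN|ipv6|2001:db8::|32|20160101|allocated
EOF
}

sample_records | apnic_to_cidr
```

To use it on real data, feed the `wget -O-` download into `apnic_to_cidr` in place of `sample_records` and keep the resulting list only when the function exits 0.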

I installed the following packages by first downloading them on my computer and then copying them over to the router with scp.

opkg update

opkg install ip ipset libopenssl iptables-mod-tproxy

Shadowsocks-libev required that I first install the libpcre and libpthread packages.

ChinaDNS_1.3.2-4_ar71xx.ipk

dns-forwarder_1.1.1-1_ar71xx.ipk
libpcre_8.39-1_ar71xx.ipk
libpthread_0.9.33.2-1_ar71xx.ipk
luci-app-chinadns_1.5.0-1_all.ipk
luci-app-shadowsocks_1.3.7-1_all.ipk
shadowsocks-libev_2.5.6-1_ar71xx.ipk

/etc/config/dns-forwarder

config dns-forwarder
    option enable '1'
    option listen_addr '0.0.0.0'
    option listen_port '5300'
    option dns_servers '8.8.8.8'

/etc/config/dhcp

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option expandhosts '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option localservice '1'
    option noresolv '1'
    option nohosts '1'
    option local '127.0.0.1#5353'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option dhcpv6 'server'
    option ra 'server'
    option ra_management '1'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'


/etc/config/chinadns

config chinadns
    option enable '1'
    option bidirectional '0'
    option chnroute '/etc/chinadns_chnroute.txt'
    option port '5353'
    option server '114.114.114.114,127.0.0.1#5300'

Another new feature is that Shadowsocks now supports AES-256-CTR. I have used CFB before. CTR is used instead of CBC/OFB/CFB if you want good parallelization (i.e. speed).

Links:

https://github.com/shadowsocks/shadowsocks-libev