Code Blog

2016/12/14 VPN,OpenWRT

I made a previous post about how I set up Shadowsocks on my OpenWRT router (back in February, see post ...). My router had basically stopped working so I had to go through it and try to understand what was wrong. After some testing it seemed that the TCP-tunnel was working fine but the ChinaDNS had problems working correctly.

shadowsocks-libev has also been updated. shadowsocks-libev-spec seems to have been discontinued and is now merged into shadowsocks-libev, which now covers more functions (SOCKS proxy and transparent proxy). The same is true for the LuCI frontend: everything is now in one single GUI.

To solve the problems with DNS I also installed the DNS-forwarder package.

Shadowsocks-libev is written in pure C and only depends on libev and OpenSSL or mbedTLS or PolarSSL.
Using an alternative crypto library: there are three crypto libraries available:
  • OpenSSL (default)
  • mbedTLS
  • PolarSSL (deprecated)

shadowsocks-libev
Client side/
└── usr/
  └── bin/
    ├── ss-local // provides SOCKS proxy
    ├── ss-redir // provides transparent proxy, since v2.2.0 also supports UDP
    └── ss-tunnel // used for packet transmission, can be used for DNS lookups

shadowsocks-libev-server
Server side/
└── usr/
  └── bin/
    └── ss-server // server executable

wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > ignore.list
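The awk one-liner above computes each prefix length as 32 - log2(count), which is exact only when an allocation's address count is a power of two; a record with another count (for example 768 addresses) is silently widened by the %d truncation. The following Python is an added example, not the blog's script, that parses the same delegated-file format and uses ipaddress.summarize_address_range() so that every count is split into exactly covering CIDR blocks. The sample records are constructed.

```python
"""Build a CIDR list of CN IPv4 allocations from the APNIC delegated format.

Added example (not the blog's own script).  It generalises the awk one-liner:
that form computes 32 - log2(count), which is only exact when an allocation's
address count is a power of two.  ipaddress.summarize_address_range() splits
any other count into the minimal set of correct CIDR blocks instead.
"""
import ipaddress
import math
from typing import Iterable, List

# Constructed sample in the delegated-apnic-latest format:
#   registry|cc|type|start|value|date|status
# A header line, a comment, another country and an IPv6 record are included
# so the filtering is exercised; the 768-address record is not a power of two.
SAMPLE_DELEGATED = """\
2|apnic|20161214|0|19830613|20161213|+1000
# comment line
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20101213|allocated
apnic|CN|ipv4|1.0.8.0|2048|20100727|allocated
apnic|CN|ipv6|2001:250::|32|20000426|allocated
apnic|CN|ipv4|1.1.8.0|768|20110412|assigned
"""


def cn_ipv4_cidrs(lines: Iterable[str], country: str = "CN") -> List[str]:
    """Return CIDR strings covering every IPv4 record of `country`.

    Keys on the exact fields rather than a regex over the whole line, so a
    country code appearing elsewhere on a line cannot cause a false match.
    """
    cidrs: List[str] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 5 or fields[1] != country or fields[2] != "ipv4":
            continue
        start = ipaddress.IPv4Address(fields[3])
        count = int(fields[4])
        end = start + (count - 1)
        # Minimal covering set of CIDR blocks for [start, end].
        cidrs.extend(str(net) for net in ipaddress.summarize_address_range(start, end))
    return cidrs


def awk_style_prefix(count: int) -> int:
    """The one-liner's 32 - log(count)/log(2), truncated like awk's %d.

    For 768 this yields /22 (1024 addresses), i.e. it over-includes.
    """
    return int(32 - math.log2(count))


if __name__ == "__main__":
    for cidr in cn_ipv4_cidrs(SAMPLE_DELEGATED.splitlines()):
        print(cidr)
```

The difference matters in both directions: a widened block puts foreign addresses on the "China" side of the routing decision, while a narrowed one would push Chinese addresses into the tunnel.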

I installed the following packages by first downloading them on my computer and copying them over to the router with scp.

opkg update

opkg install ip ipset libopenssl iptables-mod-tproxy

Shadowsocks-libev required that I first install the libpcre and libpthread packages.

ChinaDNS_1.3.2-4_ar71xx.ipk

dns-forwarder_1.1.1-1_ar71xx.ipk
libpcre_8.39-1_ar71xx.ipk
libpthread_0.9.33.2-1_ar71xx.ipk
luci-app-chinadns_1.5.0-1_all.ipk
luci-app-shadowsocks_1.3.7-1_all.ipk
shadowsocks-libev_2.5.6-1_ar71xx.ipk

/etc/config/dns-forwarder

config dns-forwarder
option enable '1'
option listen_addr '0.0.0.0'
option listen_port '5300'
option dns_servers '8.8.8.8'

/etc/config/dhcp

config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option noresolv '1'
option nohosts '1'
option local '127.0.0.1#5353'

config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'

config dhcp 'wan'
option interface 'wan'
option ignore '1'

config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'


/etc/config/chinadns

config chinadns
option enable '1'
option bidirectional '0'
option chnroute '/etc/chinadns_chnroute.txt'
option port '5353'
option server '114.114.114.114,127.0.0.1#5300'

Another new feature is that Shadowsocks now supports AES-256-CTR. I have used CFB before. CTR is used if you want good parallelization (i.e. speed), instead of CBC/OFB/CFB.
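To show why CTR parallelises where CFB encryption cannot, here is an added toy example (not from the blog or from shadowsocks-libev) that uses HMAC-SHA256 truncated to 16 bytes as a stand-in for the AES block function, so only the standard library is needed; the key, nonce, IV and sample message are constructed. It illustrates mode structure only.

```python
"""CTR vs CFB: which block operations depend on which.

Added example.  prf() is a constructed stand-in for one AES block encryption
(HMAC-SHA256 truncated to 16 bytes), so the chaining structure of each mode
can be shown without a third-party crypto library.
"""
import hashlib
import hmac
from typing import List

BLOCK = 16
# Constructed demo values; not secrets.
KEY = b"constructed-demo-key-not-secret!"
NONCE = bytes(range(8))
IV = b"\x10" * BLOCK
SAMPLE = b"constructed sample plaintext for the demo"  # 41 bytes: 2 full blocks + partial


def prf(key: bytes, block_in: bytes) -> bytes:
    """Stand-in for one block-cipher call (toy, not AES)."""
    return hmac.new(key, block_in, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_blocks(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ctr_keystream_block(key: bytes, nonce: bytes, index: int) -> bytes:
    """CTR: keystream block i depends only on (key, nonce, i), so blocks can
    be computed independently, in any order, on any number of cores."""
    counter = nonce[:8] + index.to_bytes(8, "big")
    return prf(key, counter)


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation in CTR."""
    return b"".join(
        xor(block, ctr_keystream_block(key, nonce, i))
        for i, block in enumerate(split_blocks(data))
    )


def ctr_decrypt_one_block(key: bytes, nonce: bytes, ciphertext: bytes, index: int) -> bytes:
    """Random access: recover plaintext block `index` without touching the
    rest of the ciphertext."""
    return xor(split_blocks(ciphertext)[index], ctr_keystream_block(key, nonce, index))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB: C_i = P_i XOR F(K, C_{i-1}).  Block i cannot start until C_{i-1}
    exists, so encryption is inherently serial."""
    prev = iv
    out = []
    for block in split_blocks(plaintext):
        c = xor(block, prf(key, prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CFB decryption needs only C_{i-1}, which is already known, so unlike
    CFB encryption it can be done block-parallel."""
    blocks = split_blocks(ciphertext)
    prevs = [iv] + blocks[:-1]
    return b"".join(xor(c, prf(key, p)) for c, p in zip(blocks, prevs))


if __name__ == "__main__":
    ct = ctr_crypt(KEY, NONCE, SAMPLE)
    print(ctr_decrypt_one_block(KEY, NONCE, ct, 1))  # second block, decrypted alone
    print(cfb_decrypt(KEY, IV, cfb_encrypt(KEY, IV, SAMPLE)) == SAMPLE)
```

The flip side of CTR's independence is that the keystream is a pure function of (key, nonce, counter): a (key, nonce) pair must never be reused across messages, since two ciphertexts under the same keystream reveal the XOR of their plaintexts.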

Links:

https://github.com/shadowsocks/shadowsocks-libev


2016/04/22 VPN,Hosting

How to set up Shadowsocks on AWS - this information is available on many other websites; my purpose is just to make sure I have all the information collected in my code blog. So this is how to do it:

  • Log in to the AWS console. During the sign-up for the EC2 service you will need to confirm your phone number.
  • Launch instance
  • Select Ubuntu (in my case Ubuntu Server 14.04 LTS)
  • Select t2.micro -> Review and launch
  • Create security group
  • Configure security group - add a rule for TCP 8000-8388 - only allow my IP
  • Step 7: Click Launch
  • Optional: Create billing alerts - warn if you pass over a limit
  • Create elastic IP - assign to running instance


A good guide is available at https://www.vpndada.com/how-to-setup-shadowsocks-server-on-amazon-ec2/


2016/03/31 VPN


I have already set up Shadowsocks on AWS, which has been working well, but I was wondering how AWS compares in price with other VPS providers.

  • Microsoft Azure
  • IBM SoftLayer
  • DigitalOcean
  • vr.org (HK VPS servers)
  • linode.com (Japan and US VPS)
  • budgetvm.com
  • Vultr (Japan and US VPS) https://www.vultr.com/

I run Ubuntu on AWS, but other Linux distributions such as CentOS or Debian should work too.

2016/03/30 VPN,OpenWRT

Useful commands from ssh terminal

/etc/init.d/shadowsocks enable
/etc/init.d/shadowsocks start
/etc/init.d/ChinaDNS enable
/etc/init.d/ChinaDNS start
killall dnsmasq 
/etc/init.d/dnsmasq start
iptables -L -n -v
iptables -L OUTPUT -n -v
iptables -L FORWARD -n -v
cat /proc/meminfo
cat /proc/cpuinfo
netstat -tulpn

Note: dropbear is the SSH server included in OpenWRT. It's a lightweight SSH server.

shadowsocks-libev vs shadowsocks-libev-spec

shadowsocks-libev includes ss-{local,redir,tunnel}. The default config runs ss-local, creating a local SOCKS proxy. shadowsocks-libev-spec is a special version for OpenWrt that includes ss-{redir,rules,tunnel}: ss-redir creates the transparent proxy, ss-rules generates the proxy rules, and ss-tunnel provides UDP transmission. Starting from v1.5.2 it uses the LuCI interface.

PandoraBox

PandoraBox is a router firmware fork of OpenWRT, made by the Chinese OpenWRT community. The intellectual property and copyright laws must be different in China, since the source code contains MediaTek copyrighted material, which is clearly not allowed in the standard version of OpenWRT. Basically PandoraBox added wifi support for routers still not supported in OpenWRT, but the source code cannot be added to the OpenWRT distribution for copyright reasons. If OpenWRT lacks support for a router, it is possible PandoraBox may support it instead.

GFWList - Sites blocked in China

We have already set up the China accelerated list in my previous OpenWRT post. However there is also the foreign_list.conf (GFWList) that can be added to dnsmasq.

In this way the logic will be:

  1. Check China accelerated list: Directly resolve IP if match is found, otherwise continue
  2. Check China blocked list: Directly resolve IP if match is found, otherwise continue 
  3. Use ChinaDNS for all remaining DNS requests. ChinaDNS will decide if it will use China DNS server or tunnel to DNS server outside of China. ChinaDNS uses the /etc/chinadns_chnroute.txt file to determine if an IP is in China or not.
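The three-step logic above, as an added Python model (not code from the blog, dnsmasq or ChinaDNS): the accelerated and blocked lists are expressed as dnsmasq server=/domain/upstream lines, the same form the blog later uses for apple.conf, and the ChinaDNS step is reduced to the single rule the post describes, accept the China server's answer only if it falls inside the chnroute CIDRs. The list entries, addresses and chnroute snippet are constructed for the example.

```python
"""Which upstream resolver handles a query, following the three-step order.

Added example modelling the decision order only; it sends no DNS traffic.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed dnsmasq-style lists (server=/domain/ip[#port]).
ACCELERATED_CONF = """\
# China accelerated list (constructed)
server=/taobao.com/114.114.114.114
server=/.qq.com/114.114.114.114
"""
BLOCKED_CONF = """\
# GFWList-style entries (constructed): resolve through the tunnelled resolver
server=/google.com/127.0.0.1#5300
server=/youtube.com/127.0.0.1#5300
"""
# Constructed stand-in for /etc/chinadns_chnroute.txt
CHNROUTE = ["1.0.1.0/24", "1.0.8.0/21", "114.114.0.0/16"]

CHINA_DNS = "114.114.114.114"
TUNNEL_DNS = "127.0.0.1#5300"  # dns-forwarder / ss-tunnel listener


def parse_server_lines(conf: str) -> Dict[str, str]:
    """Map domain suffix -> upstream from dnsmasq `server=/domain/upstream`
    lines; comments, blank lines and other directives are skipped."""
    table: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line.startswith("server=/"):
            continue
        _, domain, upstream = line.split("/", 2)
        table[domain.strip(".").lower()] = upstream
    return table


def match_suffix(name: str, table: Dict[str, str]) -> Optional[str]:
    """dnsmasq semantics: `server=/example.com/` covers example.com and every
    subdomain; the longest matching suffix wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return None


def in_china(ip: str, chnroute: List[str]) -> bool:
    """True if `ip` lies inside any chnroute CIDR block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in chnroute)


def route_query(name: str, china_answer: Optional[str] = None) -> Tuple[str, str]:
    """Return (step, upstream) for a query name.

    `china_answer` stands in for the reply ChinaDNS gets from the China
    server: an answer outside chnroute is treated as untrustworthy and the
    tunnelled resolver's answer is used instead (simplified model).
    """
    upstream = match_suffix(name, parse_server_lines(ACCELERATED_CONF))
    if upstream:
        return ("accelerated", upstream)
    upstream = match_suffix(name, parse_server_lines(BLOCKED_CONF))
    if upstream:
        return ("blocked", upstream)
    if china_answer is not None and in_china(china_answer, CHNROUTE):
        return ("chinadns", CHINA_DNS)
    return ("chinadns", TUNNEL_DNS)


if __name__ == "__main__":
    for q, ans in [("www.qq.com", None), ("mail.google.com", None),
                   ("example.cn", "1.0.1.5"), ("example.org", "93.184.216.34")]:
        print(q, "->", route_query(q, ans))
```

Steps 1 and 2 are decided purely on the name, so an entry in either list bypasses the chnroute check entirely; that is why a stale or over-broad list entry (for example one produced by a widened CIDR) changes routing even when ChinaDNS itself is configured correctly.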

Traffic statistics

vnStat

vnStati - provides image output support for statistics collected using vnstat

collectd

Good list of different software for bandwidth monitoring: https://wiki.openwrt.org/doc/howto/wrtbwmon

Update: vnStat worked but did not have a lot of options to configure. I wanted to see the amount of traffic going through the Shadowsocks tunnel but this didn't seem possible with vnStat.

OpenWRT Ad-blocker - Privoxy

The privoxy package is designed to filter out traffic going to known ad servers. I could not find a package build in the stable Chaos Calmer repository, but there is a package build available in the snapshot/trunk repository, see:

http://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/packages/packages/

Snapshots are automatically built every 1-2 days from the SVN trunk (development) repository sources by the buildbot. They are untested and might not work properly.

opkg update
opkg list | grep privoxy
opkg install privoxy
opkg install luci-app-privoxy

Update: Seems I had some problem to get this package to work well with Redsocks2/Shadowsocks/ChinaDNS so I removed privoxy and vnstat and the router was working well again. To remove packages from OpenWRT run "opkg remove packagename".

Alternative to ChinaDNS - DNSCrypt

DNSCrypt uses strong encryption for DNS traffic. There's an updated list of public servers DNSCrypt can use. For more information see https://dnscrypt.org/

For OpenWRT one needs to install the package "dnscrypt-proxy".

/etc/dnsmasq.conf configuration file example: 

# Ignore the resolve file /etc/resolv.conf
no-resolv
no-poll
# Use DNSCrypt as upstream DNS server 
server=127.0.0.1#5301
# Turn off DHCP for the network interface 
no-dhcp-interface=eth0
# Local hosts file 
addn-hosts=/etc/dns/hosts

Alternative to Shadowsocks - obfsproxy

Shadowsocks may not be enough because of deep packet inspection used by the GFW. One alternative is using an obfuscated SSH tunnel, based on Tor's obfsproxy.

DNS cache: pdnsd

pdnsd is a DNS server designed for local caching of DNS information. Correctly configured, it can significantly increase browsing speed on a broadband connection. Compared to BIND or dnsmasq it can remember its cache after a reboot; "p" stands for persistent.

I can't find a package to install for my version of OpenWRT, might need to build from source code.

dnsmasq -> ChinaDNS -> If China: 114.114.114.114 / If outside China -> pdnsd -> ss-tunnel -> 8.8.8.8

Other notes & links to websites

There is a shadowsocks version using PolarSSL, so a quick check online revealed the following:

mbed TLS (previously PolarSSL) is an implementation of the TLS and SSL protocols and the respective cryptographic algorithms and support code required.
It's a light-weight open source cryptographic and SSL/TLS library written in C with a small memory footprint.

Then there is another package available called ShadowVPN, which seems to offer similar functionality to Shadowsocks+Redsocks2 but maybe faster and more lightweight, see link:

https://github.com/clowwindy/ShadowVPN/wiki/Compared-to-Shadowsocks-and-OpenVPN
ShadowVPN is a fast, safe VPN based on libsodium 

Both ShadowVPN and PolarSSL might be interesting to test out. I'm not really sure how to set up a ShadowVPN server that the OpenWRT can tunnel to though but maybe there is more information available if I would actually install the package.  

I found a lot of good and helpful information (in Chinese) at
https://cokebar.info/archives/978
https://cokebar.info/archives/948
For example, the tester script I have copied from cokebar.info.

Now here's a story: the guy that developed shadowsocks (clowwindy) is Chinese, and ran into some trouble last year:

On August 22 2015, an open source project called ShadowSocks was removed from GitHub. According to the project’s author, the police contacted him and asked him to stop working on the tool and to remove all of the code from GitHub. He later removed the reference of the police, presumably under the pressure of the police.

I guess he mentioned the police in the first readme notice as the source code was taken down. Now the "readme.md" file at github reads "Removed according to regulations.". That's just insane. China plays by other rules.

More tips

Speed up Apple downloads:

Create the file /etc/dnsmasq.d/apple.conf and add the line below to it:
server=/.apple.com/199.91.73.222

I read online that:

"shadowsocks-libev has ss-redir which works as a transparent proxy, so redsocks is not needed"

Not sure about this, will need to try it myself


2016/03/30 VPN,Hosting

I was doing a bit of research for "cloud computing" hosting costs for running Shadowsocks. Amazon Web Services (AWS) is a good option as it's free for the first 12 months when signing up.

For running Shadowsocks the most suitable choice is the small, general cloud computing service "t2.micro" that is free for 12 months (with max 1 instance running). The general cloud computing service is called Amazon Elastic Compute Cloud, normally written Amazon EC2.

Regarding hosting costs, I was a bit surprised to see AWS charges different rates for different regions (see https://aws.amazon.com/ec2/pricing/). I have selected Japan for hosting, but AWS also has servers in Seoul, Singapore, the US, Europe etc. The hosting costs are actually quite a lot higher in Asia compared to the US/Europe.

On-demand t2.micro linux/unix costs (2016-03-30)

Region                          Cost (USD)/hour   Cost (USD)/month (750 h)
US West (Oregon)                0.013             9.75
US West (Northern California)   0.017             12.75
EU (Frankfurt)                  0.015             11.25
Asia Pacific (Tokyo)            0.02              15
Asia Pacific (Seoul)            0.02              15
Asia Pacific (Singapore)        0.02              15

Better prices can be had if buying 24/7 hosting contracts over longer periods. AWS writes: "Reserved Instances provide you with a significant discount (up to 75%) compared to On-Demand Instance pricing."

1-year contract for t2.micro linux/unix at Asia Pacific (Tokyo) (2016-03-30)

Payments          Upfront (USD)   Monthly (USD)   Effective hourly (USD)   Effective monthly (USD)   Savings over On-Demand hourly
No upfront        0               10.95           0.015                    10.95                     25%
Partial upfront   85              3.65            0.0147                   10.73                     27%
All upfront       126             0               0.0144                   10.5                      28%

There is basically not a big difference between paying upfront or not (5.4 USD max savings per year), so for me the best choice is monthly with "no upfront". 3-year contracts are also available, with savings up to 53% (effectively 6.86 USD/month for 3 years upfront).

Performance

Technical specs for "t2.micro": 1 vCPU, 1 GB ram, "EBS only" instance storage

From AWS:

T2 instances are Burstable Performance Instances that provide a baseline level of CPU performance with the ability to burst above the baseline. The baseline performance and ability to burst are governed by CPU Credits.

For example, a t2.small instance receives credits continuously at a rate of 12 CPU Credits per hour. This capability provides baseline performance equivalent to 20% of a CPU core. If at any moment the instance does not need the credits it receives, it stores them in its CPU Credit balance for up to 24 hours. If and when your t2.small needs to burst to more than 20% of a core, it draws from its CPU Credit balance to handle this surge seamlessly.

Many applications such as web servers, developer environments and small databases don’t need consistently high levels of CPU, but benefit significantly from having full access to very fast CPUs when they need them. T2 instances are engineered specifically for these use cases. If you need consistently high CPU performance for applications such as video encoding, high volume websites or HPC applications, we recommend you use Fixed Performance Instances.

This is a pretty clever setup for this type of service. The t2.micro gets 6 CPU Credits / hour and runs on an Intel Xeon family CPU (up to 3.3 GHz). I guess this means the t2.micro baseline performance is 10% of a Xeon 3.3 GHz CPU.

Binding IP addresses

You can have one Elastic IP (EIP) address associated with a running instance at no charge. If you associate additional EIPs with that instance, you will be charged for each additional EIP associated with that instance per hour on a pro rata basis.

So one IP address is free, which should be enough for Shadowsocks. Here I actually made a mistake: I changed the IP for my instance (as it was working poorly) but I never erased the old one! It turns out one has to pay for IP addresses not attached to running instances too:

$0.005 per Elastic IP address not attached to a running instance per hour (prorated)

(From my monthly bill statement.) It turns out you can detach an IP and keep it for free for 1 h; after that AWS will charge you for each hour. Remapping IP bindings is also free for the first 100 IP bindings/month.

Data transfer

Data Transfer IN to Amazon EC2 from the Internet:   $0.00 per GB

Data Transfer OUT from Amazon EC2 to the Internet:
  First 1 GB / month     $0.000 per GB
  Up to 10 TB / month    $0.140 per GB

So here one needs to estimate how much data will actually go via Shadowsocks. If there is a lot of data this will actually be quite a big cost, especially as YouTube is blocked, so all that traffic needs to go through Shadowsocks.

From my monthly bill I can read that the first 15 GB transfer out was not charged (included in monthly global free tier). The 12 month free tier includes: "15 GB of bandwidth out aggregated across all AWS services".

Storage

Amazon Elastic Block Store (Asia Pacific Tokyo) prices:

Amazon EBS General Purpose (SSD) volumes
$0.12 per GB-month of provisioned storage

Amazon EBS Magnetic volumes
$0.080 per GB-month of provisioned storage
$0.080 per 1 million I/O requests 

As there won't be any data stored for Shadowsocks this isn't an issue.

The 12 month free tier includes: "30 GB of Amazon Elastic Block Storage in any combination of General Purpose (SSD) or Magnetic".