
UDP doesn't work on Shadowsocks server behind NAT / Wireguard

Open mghadam opened this issue 2 years ago • 0 comments

What version of shadowsocks-libev are you using?

shadowsocks-libev 3.3.4

What operating system are you using?

Centos 7.9

What did you do?

I have a shadowsocks-server on a Raspberry Pi (rpi) that is behind NAT and a VPS with a public IP address. The rpi is connected to the VPS using WireGuard:

Shadowsocks clients <------------> VPS with public IP <--------- wireguard -------> Shadowsocks server on Raspberry pi behind NAT

I am now trying to use the public IP address of the VPS to connect clients to the shadowsocks server on the rpi. For this purpose, I tried forwarding TCP and UDP packets on a specific port on the VPS to the rpi's local IP (10.0.1.10) in WireGuard:

iptables -t nat -A PREROUTING -p tcp -d VPS.PUBLIC.IP --dport 8388 -j DNAT --to-destination 10.0.1.10:8388
iptables -t nat -A PREROUTING -p udp -d VPS.PUBLIC.IP --dport 8388 -j DNAT --to-destination 10.0.1.10:8388
#iptables -t mangle -A PREROUTING -p udp -d VPS.PUBLIC.IP --dport 8388 -j TPROXY --on-ip 10.0.1.10 --on-port 8388 --tproxy-mark 0x01/0x01

Shadowsocks software on clients can connect to VPS.PUBLIC.IP:8388 on the VPS and TCP traffic works fine. UDP traffic, however, does not work.

I also tried using ss-tunnel to forward TCP and UDP traffic from VPS.PUBLIC.IP:8388 to the rpi shadowsocks port; TCP traffic still works fine for clients and UDP traffic does not work.

I tested a web browser on the VPS and UDP traffic went through the rpi using ss-local without any problem.

What did you expect to see?

I expect the UDP traffic to also go through shadowsocks on the rpi.

What did you see instead?

I see the following information on ss-tunnel verbose log:

 2022-07-14 12:11:33 INFO: [udp] server receive a packet
 2022-07-14 12:11:33 INFO: [8388] [udp] cache hit: 127.0.0.1:8388 <-> client.ip.address:23995
 2022-07-14 12:11:33 INFO: [udp] server receive a packet
 2022-07-14 12:11:33 INFO: [8388] [udp] cache hit: 127.0.0.1:8388 <-> client.ip.address:51340
 2022-07-14 12:11:33 INFO: [udp] server receive a packet
 2022-07-14 12:11:33 INFO: [8388] [udp] cache hit: 127.0.0.1:8388 <-> client.ip.address:25667
 2022-07-14 12:11:33 INFO: [udp] server receive a packet
 2022-07-14 12:11:33 INFO: [8388] [udp] cache hit: 127.0.0.1:8388 <-> client.ip.address:26090
 2022-07-14 12:11:33 INFO: [udp] remote receive a packet
 2022-07-14 12:11:33 INFO: [udp] remote receive a packet
 2022-07-14 12:11:33 INFO: [udp] remote receive a packet
 2022-07-14 12:11:33 INFO: [udp] remote receive a packet
 2022-07-14 12:11:36 INFO: [udp] remote receive a packet
 2022-07-14 12:11:37 INFO: [udp] server receive a packet
 2022-07-14 12:11:37 INFO: [8388] [udp] cache miss: 127.0.0.1:8388 <-> client.ip.address:54810
 2022-07-14 12:11:37 INFO: [udp] server receive a packet
 2022-07-14 12:11:37 INFO: [8388] [udp] cache miss: 127.0.0.1:8388 <-> client.ip.address:25634
 2022-07-14 12:11:37 INFO: [udp] remote receive a packet
 2022-07-14 12:11:37 INFO: [udp] remote receive a packet

What is your config in detail (with all sensitive info masked)?

The config for ss-tunnel on VPS:

{
    "server": "10.0.1.10",
    "server_port": 8388,
    "mode": "tcp_and_udp",
    "local_address": "0.0.0.0",
    "local_port": 8388,
    "password": "**********",
    "tunnel_address": "127.0.0.1:8388",
    "timeout": 300,
    "method": "chacha20-ietf-poly1305"
}

mghadam Jul 14 '22 07:07
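The verbose log quoted in the issue records each UDP datagram ss-tunnel accepts from a client ("server receive") and each reply it gets back from the server side ("remote receive"), plus a cache hit/miss per client peer. The following added example (not part of the issue or of shadowsocks-libev) parses that format to count both directions and record per-peer session state, so the hop to inspect next can be read off the log instead of guessed; the sample lines, function names and the three heuristic verdicts are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the ss-tunnel verbose log quoted above
# (one client port with an existing session, one opening a new session).
SAMPLE_LOG = """\
 2022-07-14 12:11:33 INFO: [udp] server receive a packet
 2022-07-14 12:11:33 INFO: [8388] [udp] cache hit: 127.0.0.1:8388 <-> client.ip.address:23995
 2022-07-14 12:11:33 INFO: [udp] remote receive a packet
 2022-07-14 12:11:37 INFO: [udp] server receive a packet
 2022-07-14 12:11:37 INFO: [8388] [udp] cache miss: 127.0.0.1:8388 <-> client.ip.address:54810
 2022-07-14 12:11:37 INFO: [udp] remote receive a packet
"""

# "[8388]" (the listening port) only appears on the cache hit/miss lines.
LINE_RE = re.compile(r"^(\S+ \S+) INFO: (?:\[\d+\] )?\[udp\] (.+)$")
CACHE_RE = re.compile(r"^cache (hit|miss): (\S+) <-> (\S+)$")


def summarize_udp_log(text):
    """Count datagrams per direction and keep the last cache state per client peer."""
    counts = Counter()
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a [udp] line (TCP lines, startup banner, etc.)
        _ts, msg = m.groups()
        if msg == "server receive a packet":
            counts["client_to_tunnel"] += 1  # datagram from a client on local_port
        elif msg == "remote receive a packet":
            counts["tunnel_to_client"] += 1  # reply from the ss-server side
        else:
            c = CACHE_RE.match(msg)
            if c:
                kind, _local, peer = c.groups()
                sessions[peer] = kind  # "miss" means a new UDP session was opened
                counts["cache_" + kind] += 1
    return {"counts": dict(counts), "sessions": sessions}


def locate_udp_break(summary):
    """Heuristic: name the hop to inspect next from what ss-tunnel itself observed."""
    c = summary["counts"]
    if not c.get("client_to_tunnel"):
        return "no client datagrams reached ss-tunnel: check the UDP DNAT rule on the VPS"
    if not c.get("tunnel_to_client"):
        return "no replies came back from the server side: check ss-server and its return route"
    return "ss-tunnel saw both directions: inspect the path from the VPS back to the client"
```

Run it on the full verbose log to compare the two counters; a large gap between them points at the server side, while matching counters point at the VPS-to-client leg.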