Openvpn udp through ss not working

Open wiryonolau opened this issue 2 years ago • 2 comments

What version of shadowsocks-libev are you using?

shadowsocks-libev/oldstable,now 3.3.5+ds-4

What operating system are you using?

latest debian 11

What did you do?

Tunneling openvpn udp through ss is not working: openvpn client -> local ss -> remote ss -> openvpn server

What did you expect to see?

openvpn connection established

What did you see instead?

2023-09-13 05:59:48 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:1080
2023-09-13 05:59:48 Attempting to establish TCP connection with [AF_INET]127.0.0.1:1080 [nonblock]
2023-09-13 05:59:48 TCP connection established with [AF_INET]127.0.0.1:1080
2023-09-13 05:59:48 SOCKS proxy wants us to send UDP to [AF_INET]127.0.0.1:1080
2023-09-13 05:59:48 UDPv4 link local (bound): [AF_INET][undef]:0
2023-09-13 05:59:48 UDPv4 link remote: [AF_INET]REMOTE_VPN_IP:1194
2023-09-13 06:00:48 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2023-09-13 06:00:48 TLS Error: TLS handshake failed
2023-09-13 06:00:48 SIGUSR1[soft,tls-error] received, process restarting

What is your config in detail (with all sensitive info masked)?

ss-client

{
    "server":["REMOTE_SS_IP"],
    "mode":"tcp_and_udp",
    "server_port":8388,
    "local_address":"127.0.0.1",
    "local_port":1080,
    "password":"SS_PASSWORD",
    "timeout":86400,
    "method":"aes-256-gcm"
}

ss-server

{
    "server":["0.0.0.0"],
    "mode":"tcp_and_udp",
    "server_port":8388,
    "local_port":1080,
    "password":"SS_PASSWORD",
    "timeout":86400,
    "method":"aes-256-gcm"
}

ss-server sysctl

net.ipv4.ip_forward=1

ss-server iptables

*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT

-F POSTROUTING
-A POSTROUTING -o eth0 -j MASQUERADE

COMMIT

*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
:USER-INPUT -

-F INPUT
-F FORWARD
-F USER-INPUT

-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j USER-INPUT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROPINPUT: " --log-level 7
-A INPUT -j DROP

-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j USER-INPUT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "DROPFORWARD: " --log-level 7
-A FORWARD -j DROP

-A USER-INPUT -p tcp -m tcp --dport 8388 -m conntrack --ctstate NEW -j ACCEPT

COMMIT

openvpn client

dev tun
persist-tun
persist-key
data-ciphers-fallback AES-256-CBC
auth SHA256
client
resolv-retry infinite
remote REMOTE_VPN_IP 1194
lport 0
remote-cert-tls server
auth-user-pass
auth-nocache
comp-lzo adaptive
socks-proxy 127.0.0.1 1080
route REMOTE_SS_IP 255.255.255.255 net_gateway

openvpn direct connection is working: openvpn client -> openvpn server

chrome over ss is working: chrome -> local ss -> remote ss -> WAN

wiryonolau avatar Sep 12 '23 23:09 wiryonolau
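
A consistency check that can be run on the configuration posted above (an added example, not part of the issue thread and not shadowsocks-libev code): shadowsocks relays UDP as UDP datagrams to `server_port`, so a server in `tcp_and_udp` mode needs the firewall to accept both protocols on that port. The function names are hypothetical, the inputs are copied from the post (rules excerpted), and the rule parser is deliberately simplified as noted in its docstring.

```python
import json
import shlex

# Constructed inputs: ss-server config and an excerpt of the filter rules from the issue.
SS_SERVER_CONFIG = """{"server": ["0.0.0.0"], "mode": "tcp_and_udp", "server_port": 8388,
 "local_port": 1080, "password": "SS_PASSWORD", "timeout": 86400, "method": "aes-256-gcm"}"""
FILTER_RULES = """\
:INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j USER-INPUT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROPINPUT: " --log-level 7
-A INPUT -j DROP
-A USER-INPUT -p tcp -m tcp --dport 8388 -m conntrack --ctstate NEW -j ACCEPT
"""
# Transport protocols ss-server listens on for each shadowsocks-libev "mode" value.
MODE_PROTOCOLS = {"tcp_only": {"tcp"}, "udp_only": {"udp"}, "tcp_and_udp": {"tcp", "udp"}}

def required_protocols(config_text):
    """Return (server_port, protocols) that must reach ss-server from outside."""
    cfg = json.loads(config_text)
    return int(cfg["server_port"]), MODE_PROTOCOLS[cfg.get("mode", "tcp_only")]

def option(tokens, flag):
    """Value following an iptables flag, or None when the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None

def accepted_protocols(rules_text, port):
    """Protocols with an ACCEPT rule for --dport <port>. Simplified: any chain,
    single ports only; jumps, ranges, multiport and negation are not evaluated."""
    accepted = set()
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if tokens[:1] != ["-A"] or option(tokens, "-j") != "ACCEPT":
            continue
        if option(tokens, "--dport") == str(port) and option(tokens, "-p"):
            accepted.add(option(tokens, "-p"))
    return accepted

def blocked_protocols(config_text, rules_text):
    """Protocols the config needs on server_port that no rule accepts."""
    port, needed = required_protocols(config_text)
    return needed - accepted_protocols(rules_text, port)

if __name__ == "__main__":
    print("not accepted on server_port:", sorted(blocked_protocols(SS_SERVER_CONFIG, FILTER_RULES)))
```

On the posted rules the check reports `udp`: `USER-INPUT` accepts only `-p tcp` on port 8388, and the `INPUT` policy is DROP.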

{ "server":["REMOTE_SS_IP"], "mode":"tcp_and_udp", "server_port":8388, "local_address":"127.0.0.1", "local_port":1080, "password":"SS_PASSWORD", "timeout":86400, "method":"aes-256-gcm" }

Kobwar avatar Sep 23 '23 03:09 Kobwar

If I change the ovpn connection to use tcp, it works. But the routing somehow is not directed inside ss.

wiryonolau avatar Sep 24 '23 02:09 wiryonolau