
shadowsocks-rust on openwrt never transfers ipv6 traffic

Open youkechat opened this issue 2 years ago • 5 comments

As the title says, I think there is something wrong. Is shadowsocks-rust compatible with OpenWrt's IPv6 iptables rules? Do I need to add ip6tables rules manually?

BTW, my network supports IPv6 well.

youkechat, Apr 16 '22 09:04

After adding ip6tables rules, IPv6 traffic is transferred, but IPv4 is not. Can someone tell me how to set up iptables correctly for both IPv4 and IPv6? Thanks very much.

youkechat, Apr 16 '22 13:04

sslocal must be started with protocol: redir and listen on different addresses for IPv4 and IPv6. You cannot use one local instance to handle both IPv4 and IPv6 traffic.

How was your iptables configuration? You should provide more useful detail instead of just describing what you just saw.

zonyitoo, Apr 16 '22 14:04

> sslocal must be started with protocol: redir and listen on different addresses for IPv4 and IPv6. You cannot use one local instance to handle both IPv4 and IPv6 traffic.
>
> How was your iptables configuration? You should provide more useful detail instead of just describing what you just saw.

Sorry for the lack of detail.

vi /etc/dnsmasq.d/gfwlist6.conf

    server=/ipv6.google.com/127.0.0.1#5300
    ipset=/ipv6.google.com/gfwlist6

    ipset create gfwlist6 hash:ip family inet6
    ip6tables -t nat -A PREROUTING -p tcp -m set --match-set gfwlist6 dst -j REDIRECT --to-port 1234
    ip6tables -t nat -A OUTPUT -p tcp -m set --match-set gfwlist6 dst -j REDIRECT --to-port 1234

My iptables rules follow another issue under shadowsocks-libev; sorry, I forget the exact URL. These instructions mean that when ipv6.google.com is requested, dnsmasq will use dns-forwarder over a TCP connection sent to the shadowsocks server, then add the DNS result to the ipset list. So the iptables rule will transfer IPv6 addresses in gfwlist6 to shadowsocks.

Do those ip6tables rules have any problem?

I tried using only one instance; tomorrow I will try using two instances.

youkechat, Apr 16 '22 16:04

Can shadowsocks-rust listen on IPv6 and IPv4 at the same time?

youkechat, Apr 16 '22 16:04

> Can shadowsocks-rust listen on IPv6 and IPv4 at the same time?

If you mean dual-stack, of course, because it is a system-provided feature. Just setting local_address to :: will make it listen on both IPv4 and IPv6.

But the key point is that dual-stack does not work for redir, because the system's API won't be able to get the destination address properly. So sslocal must run redir with 2 different instances that listen on 2 different ports, for example:

{
    "locals": [
        {
            "local_address": "0.0.0.0",
            "local_port": 1234,
            "protocol": "redir"
        },
        {
            "local_address": "::",
            "local_port": 1235,
            "protocol": "redir"
        }
    ]
}

Set the IPv4 redirect rules with iptables to 1234, and the IPv6 rules to 1235.

BTW, since I have already set IPV4_V6ONLY on the IPv6 listener, actually you can use the same port for both instances:

{
    "locals": [
        {
            "local_address": "0.0.0.0",
            "local_port": 1234,
            "protocol": "redir"
        },
        {
            "local_address": "::",
            "local_port": 1234,
            "protocol": "redir"
        }
    ]
}

zonyitoo, Apr 16 '22 16:04
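
An added example (not part of the thread and not shadowsocks-rust project code): a dry-run script that prints the ipset, iptables and ip6tables commands matching the two-port redir configuration above, in the same form as the ip6tables rules posted earlier. The ports 1234/1235, the set gfwlist6 and the domain come from the thread; the IPv4 set name gfwlist4 is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or the shadowsocks-rust project.
# From the thread: ports 1234 (IPv4) / 1235 (IPv6), set gfwlist6, ipv6.google.com.
# Assumed: the IPv4 set name gfwlist4.
V4_PORT=1234 V4_SET=gfwlist4
V6_PORT=1235 V6_SET=gfwlist6

# Print the ipset and NAT commands for one address family.
# $1 = iptables binary, $2 = ipset family, $3 = set name, $4 = redir port
family_rules() {
    echo "ipset -exist create $3 hash:ip family $2"
    for chain in PREROUTING OUTPUT; do
        echo "$1 -t nat -A $chain -p tcp -m set --match-set $3 dst -j REDIRECT --to-port $4"
    done
}

# IPv4 traffic goes to the 0.0.0.0 listener, IPv6 traffic to the :: listener.
redir_rules() {
    family_rules iptables  inet  "$V4_SET" "$V4_PORT"
    family_rules ip6tables inet6 "$V6_SET" "$V6_PORT"
}

# dnsmasq line feeding both sets; each address lands only in the set of its family.
dnsmasq_ipset_line() {
    echo "ipset=/$1/$V4_SET,$V6_SET"
}

# Dry run by default; APPLY=1 (as root) executes the printed commands.
if [ "${APPLY:-0}" = 1 ]; then
    redir_rules | sh -e
else
    dnsmasq_ipset_line ipv6.google.com
    redir_rules
fi
```

For the same-port variant of the configuration, set V6_PORT to 1234 as well.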