Setting Up Shadowsocks Proxy Server & Client for Routing OpenVPN Traffic

Bypass OpenVPN Blocks with Shadowsocks.

Dependencies

This guide assumes Debian/Ubuntu. The package is the same for both the server and the client:

sudo apt install shadowsocks-libev

Setting Up Shadowsocks Server

To configure Shadowsocks server, create a config.json file with the following contents (replace placeholders in angle brackets with actual values):

{
  "server_port": 443,
  "mode": "tcp_and_udp",
  "password": "<SHADOWSOCKS_PASSWORD>",
  "timeout": 60,
  "method": "chacha20-ietf-poly1305",
  "fast_open": true
}

If both your server and clients are running on Linux, you can optimize your setup for reduced latency by setting "fast_open": true. Be sure to enable it on both your server and client machines:

echo "net.ipv4.tcp_fastopen = 3" | sudo tee -a /etc/sysctl.d/99-sysctl.conf
sudo sysctl -p /etc/sysctl.d/99-sysctl.conf

See TCP fast open for details.

If you don’t want to use the Shadowsocks proxy on mobile, you may disable the TCP server by setting "mode": "udp_only". You still need TCP on a Linux client.

Run Shadowsocks server:

ss-server -a nobody -c config.json

Shadowsocks Server Inside Docker Container

You can run the server inside a Docker container. Check out this gist (don’t forget to adjust the settings in config.json):

Setting Up Shadowsocks Client

On the client machine, disable the server service:

sudo systemctl disable --now shadowsocks-libev

Create /etc/shadowsocks-libev/<SERVER>.json (replace placeholders in angle brackets with actual values) and put the following contents there:

{
  "server": "<SHADOWSOCKS_SERVER_HOST>",
  "server_port": 443,
  "local_address": "127.0.0.1",
  "local_port": 1080,
  "mode": "tcp_and_udp",
  "password": "<SHADOWSOCKS_PASSWORD>",
  "timeout": 60,
  "method": "chacha20-ietf-poly1305",
  "fast_open": true
}

Start client:

sudo systemctl enable --now shadowsocks-libev-local@<SERVER>

Check the logs:

sudo journalctl -t ss-local

You should find something like:

ss-local[30443]:  2023-11-02 17:18:07 INFO: initializing ciphers... chacha20-ietf-poly1305
ss-local[30443]:  2023-11-02 17:18:07 INFO: listening at 127.0.0.1:1080
ss-local[30443]:  2023-11-02 17:18:07 INFO: udprelay enabled
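
A pre-flight check for the client config created above, added here as an example (it is not part of the original guide or of shadowsocks-libev). The function names, the sample config and the 16-character password minimum are assumptions; it goes beyond the steps above by also flagging a non-loopback local_address, because ss-local's SOCKS5 listener has no authentication.

```python
import ipaddress
import json

# AEAD methods in shadowsocks-libev; stream ciphers lack integrity protection.
AEAD_METHODS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
                "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305"}
MIN_PASSWORD_LEN = 16  # assumption: local policy, not a Shadowsocks rule

# Constructed sample: the client config from this guide with four mistakes.
SAMPLE = """{
  "server": "ss.example.net",
  "server_port": 443,
  "local_address": "0.0.0.0",
  "local_port": 1080,
  "mode": "udp_only",
  "password": "<SHADOWSOCKS_PASSWORD>",
  "method": "aes-256-cfb"
}"""

def lint_config(cfg):
    """Return a list of findings for a parsed ss-local config dict."""
    findings = []
    password = str(cfg.get("password", ""))
    if password.startswith("<") and password.endswith(">"):
        findings.append("password: placeholder was not replaced")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append(f"password: shorter than {MIN_PASSWORD_LEN} characters")
    if cfg.get("method") not in AEAD_METHODS:
        findings.append("method: not an AEAD cipher")
    # ss-local's SOCKS5 listener is unauthenticated, so keep it on loopback.
    addr = str(cfg.get("local_address", "127.0.0.1"))
    try:
        loopback = ipaddress.ip_address(addr).is_loopback
    except ValueError:
        loopback = addr == "localhost"
    if not loopback:
        findings.append("local_address: SOCKS5 port reachable beyond loopback")
    # SOCKS5 is negotiated over TCP, so OpenVPN's socks-proxy needs TCP here.
    if cfg.get("mode") == "udp_only":
        findings.append("mode: udp_only leaves no TCP listener for OpenVPN")
    return findings

def lint_text(text):
    return lint_config(json.loads(text))

if __name__ == "__main__":
    for finding in lint_text(SAMPLE):
        print(finding)
```

An empty result means none of these four checks fired; it does not verify that the server is reachable.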

Routing OpenVPN Traffic Through Shadowsocks

Add the following to your OpenVPN client config:

socks-proxy-retry
socks-proxy 127.0.0.1 1080

Troubleshooting

If you’re encountering connectivity issues in certain apps and you see the following messages in the server or client logs:

Server log:

ERROR: [udp] remote_recv_sendto: Message too long

Client log:

ERROR: [udp] server_recv_sendto: Message too long

You can try to resolve this by adjusting the Maximum Transmission Unit (MTU), which is typically set at 1500. Experiment with OpenVPN client options such as tun-mtu, mssfix, and tun-mtu-extra. For example:

tun-mtu 1400
mssfix 1350
tun-mtu-extra 32
