computerscot.github.io

OpenVPN over Shadowsocks

July 19, 2023

The scenario in this post is that you want to connect to an OpenVPN server at a remote location, but your OpenVPN packets are being detected and blocked by a firewall. Therefore you decide to pass your OpenVPN packets through a Shadowsocks tunnel.

The server IP address is given in the examples as:

YOUR.SERVER.IP.ADDRESS

Server

Install and configure OpenVPN using the script from https://github.com/angristan/openvpn-install.

Securely download the generated client configuration file from your server to your client.

Install Shadowsocks from the repositories:

apt install -y shadowsocks-libev

Edit the Shadowsocks configuration file /etc/shadowsocks-libev/config.json. The server_port and password shown below are examples: you can change them, provided you make equivalent changes in your client configuration, and a password published on a web page should not be reused on a real server. Note that it is the Shadowsocks server_port, not the OpenVPN port, that must be open in your server firewall for both TCP and UDP input.

{
    "server":"0.0.0.0",
    "server_port":8388,
    "method":"chacha20-ietf-poly1305",
    "password":"32w7kfoylvdoerov",
    "mode":"tcp_and_udp",
    "fast_open":false
}

Restart Shadowsocks with the new configuration:

systemctl restart shadowsocks-libev

Client

Windows

Install the Shadowsocks GUI client for Windows from https://github.com/shadowsocks/shadowsocks-windows.

Configure the client to match your server.

Install the OpenVPN GUI client for Windows from https://openvpn.net/community-downloads/.

Add these lines to your downloaded OpenVPN client configuration file:

socks-proxy 127.0.0.1 1080
route YOUR.SERVER.IP.ADDRESS 255.255.255.255 net_gateway
block-outside-dns

Import the amended client configuration file into the OpenVPN GUI.

Connect the OpenVPN client to the OpenVPN server.

Linux

Install Shadowsocks from the repositories:

sudo apt install -y shadowsocks-libev

Stop and disable the Shadowsocks server service, since this machine only needs the client:

sudo systemctl stop shadowsocks-libev
sudo systemctl disable shadowsocks-libev

Configure the Shadowsocks client by editing /etc/shadowsocks-libev/local-config.json:

{
    "server":"YOUR.SERVER.IP.ADDRESS",
    "server_port":8388,
    "local_address":"127.0.0.1",
    "local_port":1080,
    "method":"chacha20-ietf-poly1305",
    "password":"32w7kfoylvdoerov",
    "mode":"tcp_and_udp",
    "fast_open":false
}

Enable and start the Shadowsocks client:

sudo systemctl enable shadowsocks-libev-local@local-config
sudo systemctl start shadowsocks-libev-local@local-config

Install OpenVPN for Network Manager from the repositories:

sudo apt install -y network-manager-openvpn-gnome

Add a line to the downloaded OpenVPN client configuration:

socks-proxy 127.0.0.1 1080

Determine your default gateway and network device:

ip route

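Add a static route to the server through that gateway, so that the Shadowsocks connection itself is not routed into the VPN tunnel: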

sudo ip route add YOUR.SERVER.IP.ADDRESS via <default_gateway> dev <default_device>

Start OpenVPN from the Network Manager GUI.
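The gateway lookup and static-route steps above can be scripted. The following is an added example, not part of the original post: the function names and the SS_SERVER_IP variable are hypothetical, it uses ip route replace rather than add so that it can be re-run, and it only prints the command for you to review.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# SS_SERVER_IP variable are hypothetical.

# Read `ip route` output on stdin and print "<gateway> <device>" for the
# first default route that is NOT on a VPN interface (tun*/tap*). A default
# route on tun0 can appear once the VPN is up; pinning the Shadowsocks
# server to it would send the tunnel's own carrier traffic into the tunnel.
physical_default_route() {
    awk '$1 == "default" {
        gw = ""; dev = ""
        for (i = 2; i < NF; i++) {
            if ($i == "via") gw = $(i + 1)
            if ($i == "dev") dev = $(i + 1)
        }
        if (gw == "" || dev == "" || dev ~ /^(tun|tap)/) next
        print gw, dev
        found = 1
        exit
    }
    END { exit (found ? 0 : 1) }'
}

# $1 = Shadowsocks server IP; routing table on stdin.
# Print the command that pins the server to the physical gateway.
# `replace` behaves like `add` but does not fail if the route exists.
static_route_cmd() {
    server_ip=$1
    route=$(physical_default_route) || {
        echo "no usable (non-VPN) default route found" >&2
        return 1
    }
    gw=${route% *}
    dev=${route#* }
    echo "ip route replace $server_ip/32 via $gw dev $dev"
}

# Runs only when SS_SERVER_IP is set, for example:
#   SS_SERVER_IP=YOUR.SERVER.IP.ADDRESS sh pin-route.sh
if [ -n "${SS_SERVER_IP:-}" ]; then
    cmd=$(ip route show | static_route_cmd "$SS_SERVER_IP") || exit 1
    echo "sudo $cmd"
fi
```

A route added this way does not survive a reboot or a change of network, so run it again before reconnecting.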

macOS

These notes on the configuration for macOS clients are based on an email received by the author of https://www.tipsforchina.com/how-to-tunnel-expressvpn-over-shadowsocks-for-increased-speed-from-china.html.

Install ShadowsocksX-NG, the Shadowsocks client for macOS, from https://github.com/shadowsocks/ShadowsocksX-NG.

Configure the client to match your server.

Turn on Manual Mode in ShadowsocksX-NG.

Download Tunnelblick, the OpenVPN client for macOS, from https://tunnelblick.net/.

Add these lines to your downloaded OpenVPN client configuration file (assuming 1086 is the port ShadowsocksX-NG listens on):

socks-proxy 127.0.0.1 1086
route YOUR.SERVER.IP.ADDRESS 255.255.255.255 net_gateway

Import the amended client configuration file into Tunnelblick.

Connect the OpenVPN client to the OpenVPN server.