DSCP Tag for Shadowsocks

I have a Shadowsocks VPN running on my router, and I have tagged a few programs to use a DSCP tag of 10 under Windows. How do I give the Shadowsocks VPN the DSCP tag so that all traffic from the tagged software goes through it?

This was simple to do with PBR/luci-app-pbr but unfortunately, it does not support Shadowsocks and OpenVPN/Wireguard are blocked for me.

Other than the command line, is there any package like PBR that will let me do policy-based routing for Shadowsocks? (Other than its own IP-based rules/Redir rules.)

Is it cs2 0x10 or af11 0x0a?
Why would you ever add an externally loud property to a network obfuscator?

Trivial fw rule like
meta skuid shadwsks oif $wan_devices ip6 dscp set lephb ?
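
To check which code point is actually on the wire (decimal 10 is af11, 0x0a; cs2 is 16, 0x10), the following added example, which is not part of any post in this thread, decodes the DSCP from the first bytes of an IPv4 or IPv6 header as shown in a packet capture. The header bytes are constructed samples.

```python
# Added example: decode DSCP/ECN from the start of a raw IP header.
# Code point names follow RFC 2474 (CS), RFC 2597 (AF), RFC 3246 (EF), RFC 8622 (LE).
DSCP_NAMES = {0: "cs0", 1: "le", 46: "ef"}
DSCP_NAMES.update({8 * c: f"cs{c}" for c in range(1, 8)})
DSCP_NAMES.update({8 * c + 2 * d: f"af{c}{d}"
                   for c in range(1, 5) for d in range(1, 4)})


def dscp_from_packet(pkt: bytes) -> tuple[int, int]:
    """Return (dscp, ecn) from the first bytes of an IPv4 or IPv6 header."""
    if len(pkt) < 2:
        raise ValueError("need at least 2 header bytes")
    version = pkt[0] >> 4
    if version == 4:
        ds_byte = pkt[1]  # IPv4: the second byte is the TOS / DS field
    elif version == 6:
        # IPv6: the traffic class straddles bytes 0 and 1, four bits in each
        ds_byte = ((pkt[0] & 0x0F) << 4) | (pkt[1] >> 4)
    else:
        raise ValueError(f"not an IP header (version {version})")
    # DSCP is the upper six bits, ECN the lower two
    return ds_byte >> 2, ds_byte & 0x03


def describe(pkt: bytes) -> str:
    """Human-readable summary: DSCP in decimal, hex and name, plus the raw byte."""
    dscp, ecn = dscp_from_packet(pkt)
    name = DSCP_NAMES.get(dscp, "unassigned")
    return (f"dscp={dscp} (0x{dscp:02x}, {name}) "
            f"tos=0x{(dscp << 2) | ecn:02x} ecn={ecn}")


if __name__ == "__main__":
    # Constructed header prefixes, not captured traffic.
    samples = {
        "IPv4, TOS byte 0x28": bytes.fromhex("4528"),
        "IPv4, TOS byte 0x40": bytes.fromhex("4540"),
        "IPv4, TOS byte 0x10": bytes.fromhex("4510"),
        "IPv6, traffic class 0x28": bytes.fromhex("62800000"),
    }
    for label, pkt in samples.items():
        print(f"{label}: {describe(pkt)}")
```

A capture that prints `tos 0x28` is showing DSCP 10 (af11), while a TOS byte of `0x10` is DSCP 4, not cs2, because the DSCP occupies only the upper six bits of that byte.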

I am sorry but I have no idea what you just mentioned, lol.

I have to use the ISP's WAN for everything except a few programs on the VPN, to avoid the Govt. block, so I just tagged a DSCP on the PBR package and used the same tag on Windows for those programs, and they just worked.

Trying to wrap my head around using Shadowsocks and somehow tagging a DSCP on it. ChatGPT's suggestion of doing it through iptables has not worked, i.e.:

# For UDP traffic
iptables -t mangle -A OUTPUT -p udp --dport 1100 -j DSCP --set-dscp 10

# For TCP traffic
iptables -t mangle -A OUTPUT -p tcp --dport 1100 -j DSCP --set-dscp 10

Please post output of

ubus call system board
iptables -V

This is not the right place to wash LLM hallucinations.


Had a fresh start and no iptables now but fw4/nftables.

# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "WRT1900ACV1",
        "system": "ARMv7 Processor rev 2 (v7l)",
        "model": "Linksys WRT1900AC v1",
        "board_name": "linksys,wrt1900ac-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

no iptables but nftables now.

Would it work if the custom chain is put under /etc/nftables.d/10-custom-filter-chains.nft?

You can add DSCP markings via firewall rules (via the LuCI web UI). You did not answer whether you want to mark the Shadowsocks outer traffic visible to the provider, or you want to inflate priority inside the tunnel?

Neither, I guess. I simply want some software, not everything on Windows, to access the VPN I have set up on my server to get over the Government Firewall.

Telegram
Firefox
Signal
Whatsapp
qBitTorrent

Apologies if I am unable to make myself clear. Instead of giving individual IPs to unblock, which seem to change, I simply want a foolproof way of it working. I have been doing this using PBR (luci-app-pbr):

i.e. give a DSCP tag to the VPN interface and then set that tag in Windows for any software, and the entire traffic of that software would go through the VPN instead of the ISP, but Shadowsocks is not supported.

@stangri is here, maybe he can add such a filter to pbr. As fw4 stands, it can match on DSCP and set DSCP via the web UI.

@GGK have you tried AmneziaWG? pbr should work with the Amnezia tunnel if it's explicitly declared as a supported interface.

If you find decent documentation in English for the OpenWrt implementation of Shadowsocks, not the walk-through for a sample setup, but actual documentation about the different options, how it works, etc., I can have a look at supporting it in pbr.
