Guide: Shadowsocks setup on OpenWrt for beginners

Hello,

as an OpenWrt and proxy beginner, I've spent quite a lot of time figuring out how to set up shadowsocks on OpenWrt due to many outdated guides, how-tos and forum discussions. Thus, here's a summary on how to install and set up shadowsocks on a fresh OpenWrt installation:

  1. Install packages:
    The names of the packages have changed from what many guides state. These are working at the time of writing. Install the following packages using opkg:
      luci-app-shadowsocks-libev
      shadowsocks-libev-ss-local
      shadowsocks-libev-ss-redir
      shadowsocks-libev-ss-rules
      shadowsocks-libev-ss-tunnel

  2. Configure server:
    In the LuCI web UI, head to Services > Shadowsocks-libev > Remote Servers and edit the existing sss0 server (or add a new one). Set at least IP, port, method and password, and don't forget to untick the Disable checkbox.

  3. Configure services and rules:
    The simplest recipe is to forward all traffic through the tunnel. Follow the steps outlined in the readme file under Recipes > forward all: https://github.com/openwrt/packages/blob/master/net/shadowsocks-libev/README.md#recipes
    You can do this either via command line or in the web interface.

  4. Change DNS config:
    This must be done via command line according to the instructions in https://github.com/openwrt/packages/blob/master/net/shadowsocks-libev/README.md#recipes

I hope this small guide helps you set up your shadowsocks tunnel! Feel free to comment and update the content, if necessary.

Additional steps required for shadowsocks on a NanoPi R2S:
The NanoPi R2S is a cheap little device with two ethernet ports that can easily be plugged between the modem and wifi router to provide tunneling service to your entire network, even if the wifi router doesn't support OpenWrt (or you don't want to change it due to warranty reasons). Unfortunately, at the time of writing, the operating system shipped with the NanoPi (FriendlyWrt fork of OpenWrt) has some issues and doesn't allow an easy installation of shadowsocks. The packages kmod-ipt-tproxy and iptables-mod-tproxy are missing from the release repositories and need to be downloaded and installed manually. Follow the instructions in this post: https://github.com/openwrt/packages/issues/11457#issuecomment-711164213

5 Likes

@bobafetthotmail Where in the wiki could these instructions be placed?

Shadowsocks is an encrypted proxy so it should go here https://openwrt.org/docs/guide-user/services/proxy/start

I've created the article now https://openwrt.org/docs/guide-user/services/proxy/shadowsocks

2 Likes

Thanks guys, you're right, the wiki is a better place for this guide! I'll keep updating the content over there from now on.

5 Likes

Hi there
I have a question about shadowsocks. I use Shadowsocks on my router (Archer C60 V2) and it works flawlessly!! When I restart my router, I have to go to system/startup, and after restarting shadowsocks-libev my router is back online.
Is there a way for shadowsocks to work without a restart in the startup section after every router restart?
Thank You

not a solution, but possible workaround, put a /etc/init.d/shadowsocks-whatever-name restart
in your local startup script ?


3 Likes

it's done and now it works after restart
Thank You :pray: :ok_hand: :+1:

Hey thanks for your awesome tutorial.

How would I have to change my config (/etc/config/shadowsocks-libev) if I want to have multiple different remote servers.

Would that work:

config server 'sss0'
	option disabled 0
	option server '_sss_addr_'
	option server_port '_sss_port_'
	option password '********'
	option method 'aes-256-cfb'

config server 'server2'
	option disabled 0
	option server '_sss_addr_'
	option server_port '_sss_port_'
	option password '********'
	option method 'aes-256-cfb'

config ss_tunnel
	option disabled 0
	option server 'sss0'
	option server 'server2'
	option local_address '0.0.0.0'
	option local_port '8053'
	option tunnel_address '8.8.8.8:53'
	option mode 'tcp_and_udp'

config ss_redir ssr0
	option disabled 0
	option server 'sss0'
	option server 'server2'
	option local_address '0.0.0.0'
	option local_port '1100'
	option mode 'tcp_and_udp'
	option reuse_port 1

config ss_rules 'ss_rules'
	option disabled 0
	option redir_tcp 'ssr0'
	option redir_udp 'ssr0'
	option src_default 'checkdst'
	option dst_default 'forward'
	option local_default 'forward'

Thanks for your help in advance :)

Hello, this is the most complete tutorial that I have seen on the internet related to Openwrt and shadowsocks.
I have some doubts, and I don't know if this can do it.

I have this scenario.

  • A server with Outline (shadowsocks server) ip: 10.0.0.1
  • A VM with OpenWRT with 1 br-lan interface 192.0.0.1
  • A VM with mikrotik

My idea is to connect the OpenWRT to the Outline server (using the shadowsocks client), in such a way that the mikrotik can use the OpenWRT as a gateway and go directly to the Outline.

VM Outline Server < ---- VM OpenWRT <------ Mikrotik

how can I do this ?

Almost everything is clear to understand except how to set up the connection to my Cloud Outline server, b/c I've spent about a couple of days and 4 tries to get it to work for me

I have this link from my Outline manager

ss://Y2hhY2hhMjAtaWV0Zi1wb2x5MTMwNTpIbEdtWkZSZUZUQGI@123.123.123.123:8080/?outline=1

And here in Remote Server tab we see 4 parameters - two in plain text and two encrypted:
Server:123.123.123.123
Port: 8080
Method: ?????
Password: ????


So, to get the correct Method and Password from this cryptic link you need to decode this part of the link

ss://Y2hhY2hhMjAtaWV0Zi1wb2x5MTMwNTpIbEdtWkZSZUZUQGI@123.123.123.123:8080/?outline=1

In this code Y2hhY2hhMjAtaWV0Zi1wb2x5MTMwNTpIbEdtWkZSZUZUQGI the Method and password are stored, but they are encrypted by BASE64

To decode this I used the form on this site https://www.base64decode.org/

Put your link into the upper field named Decode from Base64 format like this


and keep only the code and press the DECODE button


Now you have your Method and password to paste into required fields of Remote Server settings on your OpenWRT Router

Paste them to the settings like this and press Save & Apply

Maybe this step-by-step tutorial will be useful for someone who wants to set up this feature over the GUI like me.

2 Likes
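
The decoding step in the post above can be done offline, which keeps the link out of third-party web forms (it carries the server password, and base64 is an encoding, not encryption). The following is an added example, not part of the original post: the function names and the constructed sample link (documentation address 192.0.2.10, made-up password) are assumptions, and the returned keys mirror the option names used in the /etc/config/shadowsocks-libev listing earlier in the thread. It goes beyond the post by also accepting the older link form in which the whole body is base64.

```python
import base64
from urllib.parse import unquote


def b64decode_unpadded(text):
    """Decode standard or URL-safe base64 whose '=' padding may be stripped."""
    text = unquote(text).replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text, validate=True).decode("utf-8")


def parse_ss_link(link):
    """Map an ss:// link to the Remote Servers fields shown in the thread."""
    scheme, sep, body = link.strip().partition("://")
    if scheme != "ss" or not sep:
        raise ValueError("not an ss:// link")
    body = body.split("#", 1)[0]                  # drop the optional #tag
    if "@" in body:
        # Form used by the Outline link: base64(method:password)@host:port/?opts
        userinfo, _, rest = body.partition("@")
        hostport = rest.split("/", 1)[0].split("?", 1)[0]
        creds = b64decode_unpadded(userinfo)
    else:
        # Older form: the whole body is base64(method:password@host:port)
        decoded = b64decode_unpadded(body.split("?", 1)[0])
        creds, _, hostport = decoded.rpartition("@")
    method, colon, password = creds.partition(":")  # passwords may contain ':'
    host, _, port = hostport.rpartition(":")
    if not (colon and method and host and port.isdigit()):
        raise ValueError("malformed ss:// link")
    return {"server": host.strip("[]"), "server_port": int(port),
            "method": method, "password": password}


def make_sample_link():
    """Constructed sample: documentation IP and a made-up password."""
    creds = base64.urlsafe_b64encode(b"chacha20-ietf-poly1305:made:up-pass")
    return "ss://" + creds.decode().rstrip("=") + "@192.0.2.10:8388/?outline=1"


if __name__ == "__main__":
    for field, value in parse_ss_link(make_sample_link()).items():
        print(f"{field}: {value}")
```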

So in order to configure the ss server, we put the IP of the ss server where it's labelled sss_addr and put the password under it?

@geokvant: In the Shadowsocks LuCI page --> Remote Servers tab, click the Import Links button. Paste your encoded ss:// link (the long string ending with outline=1) in the field provided. Click import and the server information automatically shows on the Remote Servers tab. Simples!

No need to decode the string from your outline server!

Best you delete the above key and generate a new one for your privacy!

On another note....

Is it possible for someone to update the forward all recipes article link above to include the LuCI graphical interface - Redir Rules tab?

The article also provides how to test forward all but uses command strings that are not supported (nft and curl). Plus it needs to say what the output should look like, as I can't tell if the output from the test validates if forward all is actually working!

Thanks

JJ

1 Like

Is it possible for someone to update the "forward all" recipes article link above to current OpenWRT commands and include the LuCI graphical interface - Redir Rules tab?

The article also provides how to test forward all but uses command strings that are not supported (nft and curl). Plus it needs to say what the output should look like, as I can't tell if the output from the test validates if forward all is actually working!

Thanks

JJ

1 Like