shadowsocks / shadowsocks-libev

Bug-fix-only libev port of shadowsocks. Future development moved to shadowsocks-rust
https://github.com/shadowsocks/shadowsocks-rust
GNU General Public License v3.0

How to regulate or restrict 'x' simultaneous logins per password or user? #2000

Closed privatevpnsupportguy closed 6 years ago

privatevpnsupportguy commented 6 years ago

What version of shadowsocks-libev are you using?

Debian testing's Package: shadowsocks-libev
Version: 3.1.3+ds-1+b1

What operating system are you using?

Debian Testing (PureOS.net)

What did you do?

I want to set up an ss-libev server as a replacement for an OpenVPN server in a way where we have an option to regulate X simultaneous logins per password or user. One method I am thinking about deploying is 'port: password'; I assumed it will only allow 1 concurrent login per password, but we have no way to restrict 'x' simultaneous logins per port:password.

What did you expect to see?

I expect a RADIUS plugin or some sort of method to restrict 'x' simultaneous logins per port:password. Also, can we use the same port for all the passwords? Like port 80:pass1, 80:pass2, 80:pass3?

What did you see instead?

I saw that one can log in any number of times using a port:password, as libev offers no way to restrict it as of now.

Is there any way to replace an OpenVPN server setup with shadowsocks-libev? Also, I see that the official Windows/Mac clients don't redirect all the traffic via VPN even if Global proxy is enabled. What can be done? Please help me. I am an OpenVPN enthusiast from India, but I am really impressed with the idea of shadowsocks, how fast it works and the way it bypasses the firewalls of workplaces and universities etc.

Also, it would be great if someone here could help me set up a server professionally and show me how to share stuff and do things on the OS, including Mac, Windows, Linux, Android, iOS, BSD etc. (If not, just show me the path.) :bowing_man:

ghost commented 6 years ago

Unfortunately, shadowsocks is not designed for multiple users. It has no users, and the 'password' is just the encryption key. So it's hard, if not impossible, to integrate it with RADIUS.

A possible method is to send OpenVPN packets over shadowsocks. It provides full OpenVPN functionality, but it's hard to configure and may be very slow. If you just want to use ss to cross a firewall, another way is to set up an OpenVPN server inside the firewall as a relay; the OpenVPN server then forwards data to a shadowsocks client. It is easier and faster than the last method, but you need a server inside the firewall and another server outside the firewall.

privatevpnsupportguy commented 6 years ago

Suggest something please?

ghost commented 6 years ago

No other good idea. If openvpn works well, use it. ss is only designed as a personal tunnel. You just need to cross the school/company firewall, not a national firewall, right?

On Sat, 24 Mar 2018 at 17:39, privatevpnsupportguy notifications@github.com wrote:

Suggest something please?


privatevpnsupportguy commented 6 years ago

I am going to use it to replace OpenVPN like I said. But you say to use it as an entry node for connecting clients to an OpenVPN server. I am going to use it as a solution for a global VPN service. I want to promote the use of it as it works better when it comes to penetration and obfuscation in comparison to OpenVPN or WireGuard.

I can do this: use the SS server as an entry node to tunnel the OpenVPN tunnel for both UDP/TCP, and in order to reduce latency and improve bandwidth I will use --cipher none (no data channel encryption) for OpenVPN. Is shadowsocks good/secure/proven enough to tunnel OpenVPN traffic with --cipher or the data cipher set to none or disabled?

So, it will be as follows:

User > SS-server (UDP & TCP) on VPS 1 (Entry/guard node) > OpenVPN-server (UDP & TCP) on VPS 1 (same VPS) > Authentication Server (Radius or something) > Internet

Has shadowsocks been audited enough to do something like this?

The reason I want to do such a thing is that I want the VPN service to work out of the box, in whatever place, be it a workplace, university, Egypt, China, UAE etc.

ghost commented 6 years ago

We've tested this: user -> openvpn server (authentication here) -> ss server (just transport) -> internet

Both speed and stability are OK on our server. The test environment is:

Finally we got 10+ Mbps per client with 5 clients. But it's unfriendly with

For User -> SS-server -> OpenVPN-server -> Authentication Server -> Internet:

We just established a connection and transmitted some data. It works, but we haven't tested its speed and stability. OpenVPN over SS is possible, but may be very slow or unstable. If the OpenVPN server and Authentication Server are far away from the user, the handshake may take a long time.

SS uses OpenSSL, same as OpenVPN. The SS protocol has been used to transmit 'sensitive' data for many years. So far, we haven't found a risk of data leaks. But I suggest that if your system runs well without the --cipher none option, don't use it. Encrypting already-encrypted data isn't a big problem, and SS isn't optimized to avoid data leaks.

Deploying a stable out-of-the-box VPN service for China will be a big challenge. The GFW is one of the most powerful firewalls in the world. You not only need encryption, you need to know how to hide your dataflow/server on the internet. You can communicate with Chinese programmers; they have much experience with that. You can start your project in workplaces, then in other countries; they're easier. China is too hard for a new VPN project.

BTW, or we can try to modify OpenVPN to let OpenVPN use SS as the transport layer directly? And I remember that some openvpn clients can use a socks5 proxy (SS provides one) to relay data.

privatevpnsupportguy commented 6 years ago

Thanks! I just wanted a solution with shadowsocks only. I think it can be done just fine on Android and iOS as we have apps for it already.

Why can't I connect to OpenVPN over SS with --cipher none? That is the whole point. Can't we reckon on the data encryption that shadowsocks has to offer?

Also, I am not going to run a service just for the Chinese but for all. I just wanted to use shadowsocks as a replacement for OpenVPN and maybe get some help on developing apps for it.

My plan is to use ss over both UDP and TCP to make good free/open VPN apps for a service and deploy it. The only issue I am facing is multiple connections. But I guess as of now there is no way to control it other than by using iptables with the port+password method. It should work fine.

Do you have any suggestions for what TCP/UDP ports I should use? Should I start with ports 80-200? Or 80-120 and 400-443?

I think I will somehow deploy a shadowsocks-only VPN service soon. :dancer:

Do you have any suggestions on how to route all the traffic to ss-servers on Windows / macOS? I see that the Android app and iPhone app do it fine, esp. Wingy and Shadowrocket. But not on Windows and macOS.

I know how to get it done on GNU/Linux though.

Are you on IRC or Signal? Are you from China?
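The thread's only concrete handle on the "x simultaneous logins" question is the iptables-over-port+password idea above, and the earlier question about putting several passwords on one port. The following is an added example written for this page; it is not code from the issue thread or from the shadowsocks-libev project. It assumes a shadowsocks-libev style JSON config with a `port_password` object (one password per port, a constructed sample here), a Linux host with iptables and the `connlimit` match, and the column layout of `ss -Htn state established` (Recv-Q, Send-Q, local address, peer address; the sample lines are constructed). The cap of 3 per port is a placeholder for the asker's "x". It generates one connlimit rule per configured port and, as a check a defender can run, counts established connections per port from `ss` output and reports any port over the cap.

```python
# Added example (not from the issue thread or the shadowsocks-libev project).
# Assumptions: a shadowsocks-libev style config with a "port_password" object
# (one password per port), Linux iptables with the connlimit match, and the
# column layout of `ss -Htn state established` (Recv-Q Send-Q Local Peer).
import json
from collections import Counter

MAX_CONNS_PER_PORT = 3  # the "x" from the question; constructed placeholder value

# Constructed config. A JSON object cannot repeat a key, so "80": pass1 and
# "80": pass2 cannot coexist: one port maps to exactly one password.
SS_CONFIG = json.loads("""
{
  "server": "0.0.0.0",
  "port_password": {
    "8381": "pass-alice",
    "8382": "pass-bob",
    "8383": "pass-carol"
  },
  "method": "chacha20-ietf-poly1305",
  "timeout": 300
}
""")

# Constructed `ss -Htn state established` output: port 8381 has four peers,
# port 8382 has one, port 8383 has none, and port 22 is not ours to count.
SAMPLE_SS_OUTPUT = """\
0      0      10.0.0.5:8381    203.0.113.7:51234
0      0      10.0.0.5:8381    203.0.113.8:40022
0      0      10.0.0.5:8381    198.51.100.2:33000
0      0      10.0.0.5:8381    198.51.100.9:33001
0      0      10.0.0.5:8382    203.0.113.7:51300
0      0      10.0.0.5:22      192.0.2.10:5555
"""


def ports_from_config(cfg):
    """Every listening port declared in port_password, as sorted ints."""
    return sorted(int(p) for p in cfg["port_password"])


def iptables_connlimit_rules(ports, limit, chain="INPUT"):
    """One rule per port. connlimit keeps its count per rule, so narrowing
    each rule to a single --dport turns it into a per-port cap.
    --connlimit-mask 0 puts every source into one bucket, so the cap applies
    to the port as a whole rather than per client IP (the default mask, 32,
    would allow `limit` connections from each client address)."""
    return [
        f"iptables -A {chain} -p tcp --syn --dport {port} "
        f"-m connlimit --connlimit-above {limit} --connlimit-mask 0 "
        f"-j REJECT --reject-with tcp-reset"
        for port in ports
    ]


def established_per_port(ss_output, ports):
    """Count established sockets per monitored local port from ss output."""
    wanted = set(ports)
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        local_port = int(fields[2].rsplit(":", 1)[1])
        if local_port in wanted:
            counts[local_port] += 1
    return counts


def over_limit(counts, limit):
    """Ports whose established-connection count exceeds the cap."""
    return {port: n for port, n in counts.items() if n > limit}


if __name__ == "__main__":
    ports = ports_from_config(SS_CONFIG)
    for rule in iptables_connlimit_rules(ports, MAX_CONNS_PER_PORT):
        print(rule)
    counts = established_per_port(SAMPLE_SS_OUTPUT, ports)
    for port, n in over_limit(counts, MAX_CONNS_PER_PORT).items():
        print(f"port {port}: {n} established connections, cap is {MAX_CONNS_PER_PORT}")
```

The rules only cover TCP; the UDP relay has no SYN to match on and would need a separate conntrack-based limit. Because the cap is per port and the port is the only thing that distinguishes one password from another, this is as close to "x logins per user" as the port+password layout gets: anyone holding the password shares the same budget, and the config cannot express two passwords on one port.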

ghost commented 6 years ago

Of course you can connect to OpenVPN with cipher none. My suggestion is just for more safety.

For ports, use many random ports.

For routing all traffic on Windows, no good idea. You can try to do the same thing which openvpn does: create a virtual NIC, edit the route table, encrypt its traffic, then forward it to the server.

I use Telegram; most people in these projects are Chinese.

On Sun, 25 Mar 2018 at 01:24, privatevpnsupportguy notifications@github.com wrote:


privatevpnsupportguy commented 6 years ago

Can you help me find people who will develop VPN-tunnel-style apps for me on iOS/Android/Windows/Mac/Linux/BSD even, if possible? I want to promote SS as a replacement for OpenVPN as it is faster, has less latency and works out of the box even if you connect from behind any workplace firewall, university router etc.

If it helps, I am going to release the source code of the clients we develop under a free/open license, so that everyone gets to benefit from it. What do you say?

Also, if you find it at all, what budget do you think is needed to get apps done with a beautiful skin, which use the Port == PIN and password == License code format, for the popular platforms?