xjasonlyu / tun2socks

tun2socks - powered by gVisor TCP/IP stack
https://github.com/xjasonlyu/tun2socks/wiki
GNU General Public License v3.0
2.85k stars, 404 forks

[Feature] Guide to use tunsocks on linux host as a gateway to other hosts ex: LXC containers and VMs #252

Open SkullFace141 opened 1 year ago

SkullFace141 commented 1 year ago

Description

[Feature] Guide to use tunsocks on linux host as a gateway to other hosts ex: LXC containers and VMs

The guide in the wiki shows configuration for single-machine use only.

Thanks

bb33bb commented 1 year ago

I also need this detailed documentation.

Alecyrus commented 1 year ago

@xjasonlyu If possible, could you please tell us how to configure gateway mode? The current wiki doesn't mention this at all.

xjasonlyu commented 1 year ago

Technically, there is no such gateway mode. It's just a server/host with ip forwarding enabled.

Therefore, to turn on "gateway mode", you only need to set up tun2socks as usual and enable IP forwarding on your machine, e.g. sysctl -w net.ipv4.ip_forward=1

To let LAN clients access the internet via this gateway, just configure your clients' gateway IP to your tun2socks server's IP. easy peasy :-P

sonvirgo commented 11 months ago

> Technically, there is no such gateway mode. It's just a server/host with ip forwarding enabled.
>
> Therefore, to turn on "gateway mode", you only need to set up tun2socks as usual and enable IP forwarding on your machine, e.g. sysctl -w net.ipv4.ip_forward=1
>
> To let LAN clients access the internet via this gateway, just configure your clients' gateway IP to your tun2socks server's IP. easy peasy :-P

Tried a lot of methods, also with iptables; it did not work, the IP is routed through en0 instead of tun0.

n-r-w commented 10 months ago

Gateway mode is working fine. This is my test startup script for manual run and cleanup after finish. After running, just set the client gateway to the server's address and all traffic goes to the shadowsocks server.

#!/bin/bash
sysctl -w net.ipv4.ip_forward=1
ip tuntap add mode tun dev tun0
ip addr add 198.18.0.1/15 dev tun0
ip link set tun0 up
ip route del default via 198.18.0.1
ip route del default via 192.168.1.1
ip route add default via 198.18.0.1 dev tun0 metric 1
ip route add default via 192.168.1.1 dev ens18 metric 10
ip route add <shadowsocks-server-address>/32 via 192.168.1.1

./tun2socks -device tun0 -proxy socks5://127.0.0.1:1080 -interface ens18

sysctl -w net.ipv4.ip_forward=0
ip route del default via 198.18.0.1
ip route del default via 192.168.1.1
ip route del <shadowsocks-server-address>/32 
ip route add default via 192.168.1.1 dev ens18

n-r-w commented 10 months ago

But how to make it work on a router (I have Ubuntu 20.04 configured as a router), I don't understand. Here is my iptables config for routing. Tried to forward from LAN to tun0, etc... Nothing helped. LAN: enp3s0, WAN: enp4s0

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp4s0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# basic global accept rules - ICMP, loopback, traceroute, established all accepted
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# enable traceroute rejections to get sent out
-A INPUT -p UDP --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
# DNS - accept from LAN
-A INPUT -i enp3s0 -p tcp --dport 53 -j ACCEPT
-A INPUT -i enp3s0 -p udp --dport 53 -j ACCEPT
-A INPUT -i enp3s0 -p tcp --dport 53 -j ACCEPT
-A INPUT -i enp3s0 -p udp --dport 53 -j ACCEPT
# SSH - accept from LAN and WAN
-A INPUT -i enp3s0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i enp4s0 -p tcp --dport 22 -j ACCEPT
# DHCP client requests - accept from LAN
-A INPUT -i enp3s0 -p udp --dport 67:68 -j ACCEPT
# Refuse anything else
-A INPUT -j DROP
# Forwarding rules
# forward packets along established/related connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# forward from LAN (enp3s0) to WAN (enp4s0)
-A FORWARD -i enp3s0 -o enp4s0 -j ACCEPT
# drop all other forwarded traffic
-A FORWARD -j DROP
COMMIT
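
To make the failure in the ruleset above concrete, here is an added Python illustration (not part of tun2socks or of n-r-w's configuration) that walks the FORWARD chain in order the way netfilter does: a new flow entering on enp3s0 and leaving on tun0 matches neither ACCEPT rule and reaches the final -A FORWARD -j DROP, so LAN-to-tun0 forwarding has to be permitted explicitly. The extra accept rule in FIXED_RULES is an assumption of this illustration, and the routing side (default route via tun0, proxy server routed out of the WAN) is still needed on top of it.

```python
# Constructed from the FORWARD rules posted above (LAN enp3s0, WAN enp4s0).
POSTED_RULES = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp3s0 -o enp4s0 -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""

# Hypothetical remedy (assumption, not from the page): also permit new flows
# from the LAN towards the tun device before the final DROP.
FIXED_RULES = POSTED_RULES.replace(
    "-A FORWARD -j DROP",
    "-A FORWARD -i enp3s0 -o tun0 -j ACCEPT\n-A FORWARD -j DROP",
)

# Options this simplified evaluator understands; each takes one argument.
MATCH_OPTS = ("-i", "-o", "-j", "--ctstate", "--state")


def parse_forward_chain(text):
    """Return (chain policy, ordered rules); each rule maps option -> value."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        toks = line.split()
        if toks[:1] == [":FORWARD"]:
            policy = toks[1]
        elif toks[:2] == ["-A", "FORWARD"]:
            rule, i = {}, 2
            while i < len(toks):
                if toks[i] in MATCH_OPTS:
                    rule[toks[i]] = toks[i + 1]
                elif toks[i] != "-m":  # "-m conntrack" only loads the module
                    raise ValueError("unsupported option: " + toks[i])
                i += 2
            rules.append(rule)
    return policy, rules


def forward_verdict(text, in_if, out_if, ctstate="NEW"):
    """Walk the chain in order like netfilter: first match wins, else policy."""
    policy, rules = parse_forward_chain(text)
    for r in rules:
        if r.get("-i", in_if) != in_if or r.get("-o", out_if) != out_if:
            continue
        states = r.get("--ctstate") or r.get("--state")
        if states and ctstate not in states.split(","):
            continue
        return r["-j"]
    return policy
```
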

sonvirgo commented 10 months ago

> But how to make it work on a router (I have Ubuntu 20.04 configured as a router), I don't understand. Here is my iptables config for routing. Tried to forward from LAN to tun0, etc... Nothing helped. LAN: enp3s0, WAN: enp4s0
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -o enp4s0 -j MASQUERADE
> COMMIT
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> # basic global accept rules - ICMP, loopback, traceroute, established all accepted
> -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -m state --state ESTABLISHED -j ACCEPT
> # enable traceroute rejections to get sent out
> -A INPUT -p UDP --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
> # DNS - accept from LAN
> -A INPUT -i enp3s0 -p tcp --dport 53 -j ACCEPT
> -A INPUT -i enp3s0 -p udp --dport 53 -j ACCEPT
> -A INPUT -i enp3s0 -p tcp --dport 53 -j ACCEPT
> -A INPUT -i enp3s0 -p udp --dport 53 -j ACCEPT
> # SSH - accept from LAN and WAN
> -A INPUT -i enp3s0 -p tcp --dport 22 -j ACCEPT
> -A INPUT -i enp4s0 -p tcp --dport 22 -j ACCEPT
> # DHCP client requests - accept from LAN
> -A INPUT -i enp3s0 -p udp --dport 67:68 -j ACCEPT
> # Refuse anything else
> -A INPUT -j DROP
> # Forwarding rules
> # forward packets along established/related connections
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> # forward from LAN (enp3s0) to WAN (enp4s0)
> -A FORWARD -i enp3s0 -o enp4s0 -j ACCEPT
> # drop all other forwarded traffic
> -A FORWARD -j DROP
> COMMIT

Same here, Ubuntu router, all other hosts' traffic is not picked up by tun0.

> Gateway mode is working fine. This is my test startup script for manual run and cleanup after finish. After running, just set the client gateway to the server's address and all traffic goes to the shadowsocks server.
>
> #!/bin/bash
> sysctl -w net.ipv4.ip_forward=1
> ip tuntap add mode tun dev tun0
> ip addr add 198.18.0.1/15 dev tun0
> ip link set tun0 up
> ip route del default via 198.18.0.1
> ip route del default via 192.168.1.1
> ip route add default via 198.18.0.1 dev tun0 metric 1
> ip route add default via 192.168.1.1 dev ens18 metric 10
> ip route add <shadowsocks-server-address>/32 via 192.168.1.1
>
> ./tun2socks -device tun0 -proxy socks5://127.0.0.1:1080 -interface ens18
>
> sysctl -w net.ipv4.ip_forward=0
> ip route del default via 198.18.0.1
> ip route del default via 192.168.1.1
> ip route del <shadowsocks-server-address>/32
> ip route add default via 192.168.1.1 dev ens18

The gateway portion did not work. For the 127.0.0.1 part I have a better solution, as the remote socks servers' addresses are unknown: https://github.com/sonvirgo/tun2socks-127.0.0.1-loopback

#!/bin/bash
# Send the proxy process's own traffic (uid 1001 is assumed to be the "psiphon" user it
# runs as) straight out of enp3s0 via a dedicated routing table, bypassing the tun0 default.
sudo ip route add default via 192.168.43.1 dev enp3s0 metric 1 table 110
sudo ip rule add uidrange 1001-1001 lookup 110 pref 29000
pkexec --user psiphon ./psiphon-tunnel-core-x86_64 --config psiphone.conf

#!/bin/bash
# Create tun0 and make it the preferred default route; enp3s0 stays as a fallback.
sudo ip tuntap add mode tun dev tun0
sudo ip addr add 198.18.0.1/15 dev tun0
sudo ip link set dev tun0 up
sudo ip route del default
sudo ip route add default via 198.18.0.1 dev tun0 metric 1
sudo ip route add default via 192.168.43.1 dev enp3s0 metric 10
tun2socks -device tun0 -proxy socks5://127.0.0.1:2088

Youaresmarter commented 10 months ago

> Gateway mode is working fine. This is my test startup script for manual run and cleanup after finish. After running, just set the client gateway to the server's address and all traffic goes to the shadowsocks server.
>
> #!/bin/bash
> sysctl -w net.ipv4.ip_forward=1
> ip tuntap add mode tun dev tun0
> ip addr add 198.18.0.1/15 dev tun0
> ip link set tun0 up
> ip route del default via 198.18.0.1
> ip route del default via 192.168.1.1
> ip route add default via 198.18.0.1 dev tun0 metric 1
> ip route add default via 192.168.1.1 dev ens18 metric 10
> ip route add <shadowsocks-server-address>/32 via 192.168.1.1
>
> ./tun2socks -device tun0 -proxy socks5://127.0.0.1:1080 -interface ens18
>
> sysctl -w net.ipv4.ip_forward=0
> ip route del default via 198.18.0.1
> ip route del default via 192.168.1.1
> ip route del <shadowsocks-server-address>/32
> ip route add default via 192.168.1.1 dev ens18

@n-r-w Hi! The same question and still does not work. Can you explain your network structure and the script?

n-r-w commented 10 months ago

@Youaresmarter my full configuration https://github.com/n-r-w/tunnel

sonvirgo commented 9 months ago

> Gateway mode is working fine. This is my test startup script for manual run and cleanup after finish. After running, just set the client gateway to the server's address and all traffic goes to the shadowsocks server.
>
> #!/bin/bash
> sysctl -w net.ipv4.ip_forward=1
> ip tuntap add mode tun dev tun0
> ip addr add 198.18.0.1/15 dev tun0
> ip link set tun0 up
> ip route del default via 198.18.0.1
> ip route del default via 192.168.1.1
> ip route add default via 198.18.0.1 dev tun0 metric 1
> ip route add default via 192.168.1.1 dev ens18 metric 10
> ip route add <shadowsocks-server-address>/32 via 192.168.1.1
>
> ./tun2socks -device tun0 -proxy socks5://127.0.0.1:1080 -interface ens18
>
> sysctl -w net.ipv4.ip_forward=0
> ip route del default via 198.18.0.1
> ip route del default via 192.168.1.1
> ip route del <shadowsocks-server-address>/32
> ip route add default via 192.168.1.1 dev ens18
>
> @n-r-w Hi! The same question and still does not work. Can you explain your network structure and the script?

It did not work for sure, waste of your time. I have both Ubuntu and macOS with IP forwarding enabled. If it were as simple as toggling IP forwarding, there would not be so many people here. We are not amateurs at all.

n-r-w commented 9 months ago

@sonvirgo I didn't fully understand your post, but the configuration I described here https://github.com/n-r-w/tunnel works right now.

n-r-w commented 9 months ago

Found out that UDP traffic is not routed :( @xjasonlyu do you have any advice? I used a different server to test UDP as I have problems with voice chat.

TCP works:

server:

iperf -s -p 42533

client:

iperf -c server_ip -b 1M -p 42533

UDP not working:

server:

iperf -s -u -p 42533

client:

iperf -c server_ip -u -b 1M -p 42533

sonvirgo commented 8 months ago

> @n-r-w I didn't fully understand your post, but the configuration I described here https://github.com/n-r-w/tunnel works right now.

All your script is holy crap. We use different SOCKS software. But the most important part is that IP FORWARDING didn't work.

sonvirgo commented 8 months ago

@xjasonlyu Simply turning on IP forwarding didn't work. This is the local host running both tun2socks and the socks5 server, with IPv4 forwarding enabled. (screenshot)

This is a host on the local LAN; it cannot access the internet through tun2socks. (screenshot)

Tried Google, also no help: https://www.google.com/search?q=ubuntu+forward+all+LAN+traffic+to+TUN+interface

sonvirgo commented 8 months ago

Done! I changed my Wifi card and also disabled systemd-resolved. Somehow it works; don't know the cause, however. Now tun2socks works as a NAT router beautifully, forwarding Ethernet to the Wifi TUN interface, both in Linux and Windows. Can't figure out how to make it work on Darwin, as loopback is not resolved in macOS.

Btw: Ubuntu NAT Router requires only 1 NIC. Windows NAT Router requires 2 NICs.

PaPa1ya commented 6 months ago

> Gateway mode is working fine. This is my test startup script for manual run and cleanup after finish. After running, just set the client gateway to the server's address and all traffic will go to the Shadowsocks server.
>
> #!/bin/bash
> sysctl -w net.ipv4.ip_forward=1
> ip tuntap add mode tun dev tun0
> ip addr add 198.18.0.1/15 dev tun0
> ip link set tun0 up
> ip route del default via 198.18.0.1
> ip route del default via 192.168.1.1
> ip route add default via 198.18.0.1 dev tun0 metric 1
> ip route add default via 192.168.1.1 dev ens18 metric 10
> ip route add <shadowsocks-server-address>/32 via 192.168.1.1
>
> ./tun2socks -device tun0 -proxy socks5://127.0.0.1:1080 -interface ens18
>
> sysctl -w net.ipv4.ip_forward=0
> ip route del default via 198.18.0.1
> ip route del default via 192.168.1.1
> ip route del <shadowsocks-server-address>/32
> ip route add default via 192.168.1.1 dev ens18

Guys, this does work, it really just requires you to set sysctl -w net.ipv4.ip_forward=1 (in the case of v2raya, enable it in the GUI, otherwise the service will overwrite the changes). My configuration: Debian 12 LXC. No iptables or other firewall installed. socks5 v2raya on the same server. My mistake was that I didn't make sure that while tun2socks was running, the proxy was still running. I forgot to route the remote server address through the local route.

zaknenou commented 3 months ago

> @sonvirgo I didn't fully understand your post, but the configuration I described here https://github.com/n-r-w/tunnel works right now.

@n-r-w I know I'm late to the party but thank you bro, it finally worked for me thanks to your great script! You're a genius and a great teacher.

n-r-w commented 3 months ago

> @n-r-w I know I'm late to the party but thank you bro, it finally worked for me thanks to your great script! You're a genius and a great teacher.

I'm using a different configuration now. Server: https://github.com/n-r-w/shadow-server Client: https://github.com/n-r-w/shadow-client

zaknenou commented 3 months ago

> I'm using a different configuration now. Server: https://github.com/n-r-w/shadow-server Client: https://github.com/n-r-w/shadow-client

Thanks for providing this, I'll check it later. But I'm surprised you too are still using this; I thought I was the only one who couldn't use the Rust implementation of shadowsocks. I see it claimed that its ss-redir solves the problem, but I couldn't manage to make it work myself. What do you think about it?

n-r-w commented 3 months ago

> Thanks for providing this, I'll check it later. But I'm surprised you too are still using this; I thought I was the only one who couldn't use the Rust implementation of shadowsocks. I see it claimed that its ss-redir solves the problem, but I couldn't manage to make it work myself. What do you think about it?

In the configuration above, I do not use shadowsocks and tun2socks at all, because I could not make UDP work properly. Instead, I use Cloak + Wireguard.