xjasonlyu / tun2socks

tun2socks - powered by gVisor TCP/IP stack
https://github.com/xjasonlyu/tun2socks/wiki
GNU General Public License v3.0
3.14k stars, 433 forks

tun2socks + shadowsocks and route 2 targets #78

Closed AnonymousWebHacker closed 2 years ago

AnonymousWebHacker commented 2 years ago

I have an Ubuntu VM with a Shadowsocks server and an Ubuntu VM with a client.

VM Ubuntu - Shadowsocks Server - 10.0.0.1
VM Ubuntu - Shadowsocks Client - [eth0 - 192.0.0.1 & tun0 - 192.0.0.2]

1 - In the client VM, I have a Shadowsocks client running perfectly; it creates a local proxy for me at localhost:1080. So my idea was to use tun2socks to create a tun0 interface:

tun2socks --device tun://tun0 -proxy socks5://127.0.0.1:1080 --interface tun0

with this tun0 being 192.0.0.2.

So reading the wiki, I see this, but I don't know if I should use socks5:// or ss://

Shadowsocks
-proxy ss://method:password@server_host:port/<?obfs=http;obfs-host=xxx>
or SIP002
-proxy ss://base64_encode(method:password)@server_host:port/<?obfs=http;obfs-host=xxx>

What is ;obfs-host=xxx> and /<?obfs=http;obfs-host=xxx> supposed to be? Any example?

2 - In the client Ubuntu VM, I have those two interfaces, eth0 and tun0. eth0 - it is a captive portal, I have to authenticate myself. tun0 - supposedly the interface to connect to the external Shadowsocks server.

AnonymousWebHacker commented 2 years ago

When I read the documentation, it tells you to create a table in the system routes, or add it as default. If I do this, the captive portal that is reached through the default route of eth0 does not load.

xjasonlyu commented 2 years ago
  1. You can use either socks5 or ss in your case, and as for the ss URL format, see SIP002 for details.
  2. I didn't get your second problem, but tun2socks won't set routes by itself; you can configure the routes to meet your circumstances.

AnonymousWebHacker commented 2 years ago

@xjasonlyu Thank you for answering me, I appreciate your time. Excuse my questions, the wiki is not entirely clear.

Can I use tun2socks directly to connect to a remote server? tun2socks -device tun://tun0 -proxy ss://method:password@server_host:port. In my case: tun2socks -device tun://tun0 -proxy ss://chacha20-ietf-poly1305:password@10.0.0.1:4444

This should create a tun0 interface; then it is necessary to give it an IP range and bring it up.

The last step would be to add the routes for the system to use that interface.

Would all the traffic from my PC go out through that interface, as if using the normal outline-client.appimage?

xjasonlyu commented 2 years ago

Can I use tun2socks directly to connect to a remote server?

Yes.

Would all the traffic from my PC go out through that interface, as if using the normal outline-client.appimage?

It depends on your route tables, which you configure on your own.

AnonymousWebHacker commented 2 years ago

If I create a tun0 interface that redirects traffic to a shadowsocks server, can that tun0 interface be used by other machines in my internal network, as a gateway to exit through it?

xjasonlyu commented 2 years ago

Yes, by enabling IP forwarding.

AnonymousWebHacker commented 2 years ago

@xjasonlyu I can't get it to work. Lab: VM Ubuntu, eth0 ip: 144.100.1.4

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 144.100.1.4  netmask 255.255.248.0  broadcast 144.100.7.255
        inet6 fe80::9c54:d4ff:fe59:67d0  prefixlen 64  scopeid 0x20<link>
        ether 9e:54:d4:59:67:d0  txqueuelen 1000  (Ethernet)
        RX packets 8762473  bytes 981174718 (981.1 MB)
        RX errors 0  dropped 497690  overruns 0  frame 0
        TX packets 294952  bytes 178551451 (178.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 

1 - tun2socks-linux-amd64 -device tun://tun0 -proxy ss://chacha20-ietf-poly1305:password@ip-server:port -loglevel debug

2 - Create the tun and bring it up:

ip addr add 144.100.1.30/21 dev tun0
ifconfig tun0 up

tun0: flags=4240<POINTOPOINT,NOARP,MULTICAST>  mtu 1500
        inet 144.100.1.30  netmask 255.255.248.0  destination 144.100.1.30
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Without having added the route, it is already there when I check with route:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         144.100.3.9     0.0.0.0         UG    0      0        0 eth0
144.100.0.0     0.0.0.0         255.255.248.0   U     0      0        0 eth0
144.100.0.0     0.0.0.0         255.255.248.0   U     0      0        0 tun0

3 - Add route: ip route add 144.100.1.30/21 dev tun0

ip route add 144.100.1.30/21 dev tun0
Error: Invalid prefix for given prefix length.

and

 route add -net 144.100.1.30 netmask 255.255.248.0 tun0
route: netmask doesn't match route address

xjasonlyu commented 2 years ago

Why would you want your TUN ip in the same subnet with your gateway?

AnonymousWebHacker commented 2 years ago

I want it to have an IP in the same subnet as the network, because the objective is to connect a MikroTik to that tun0 interface and go to the internet through that gateway.

xjasonlyu commented 2 years ago

Try using multiple interfaces, but don't assign that subnet's IP to the TUN.

Hold on, you already have the eth0 in the same network.

AnonymousWebHacker commented 2 years ago

Hold on, you already have the eth0 in the same network.

Yes, eth0 is 144.100.1.4 and tun0 is 144.100.1.30; they are on the same network.

The idea is that the other PCs and the MikroTik that are in the 144.100.1.* range can use tun0 (144.100.1.30) of the gateway to go to the internet.

xjasonlyu commented 2 years ago

Yes, that's what I do in my home lab. But I use a different network namespace for that and assign a reserved IP for the TUN.

AnonymousWebHacker commented 2 years ago

Your tun2socks repo doesn't have a discussion channel on matrix.org? It is somewhat uncomfortable to talk in comments.

Anyway, you mean you have 144.100.1.* in your network and you give the tun 100.144.1.*, for example?

The problem that happens to me is that tun0 is where tun0 would connect to the external server, and through eth0 is the captive portal.

If you do not log in to the eth0 portal, tun0 cannot connect to the external server. That's why I can't put it in the system routes as the default route.

xjasonlyu commented 2 years ago

Your tun2socks repo doesn't have a discussion channel on matrix.org? It is somewhat uncomfortable to talk in comments.

Hmm, what is that?

Anyway, you mean you have 144.100.1.* in your network and you give the tun 100.144.1.*, for example?

My network subnet is 10.0.0.0/16 and my tun2socks is running in an isolated namespace (eth0 is 10.0.0.2/16, tun0 is 198.18.0.1/15)

The problem that happens to me is that tun0 is where tun0 would connect to the external server, and through eth0 is the captive portal.

If you do not log in to the eth0 portal, tun0 cannot connect to the external server. That's why I can't put it in the system routes as the default route.

Why does tun0 need to connect to an external server? That's not how it works. You don't have to make it the default route, just customize the routes as you need.

AnonymousWebHacker commented 2 years ago

@xjasonlyu https://matrix.to/#/#tun2socks:matrix.org Register, so I can give you administration of the room, and you can add it to your repository as discussions.

xjasonlyu commented 2 years ago

@xjasonlyu https://matrix.to/#/#tun2socks:matrix.org Register, so I can give you administration of the room, and you can add it to your repository as discussions.

But GitHub already has a discussion feature for repos.

AnonymousWebHacker commented 2 years ago

Hahaha, seriously, don't you know what Matrix or Element is? It is a chat that allows public and private rooms, discussions... etc. I was surprised that tun2socks did not have its own room.

tun0 needs to connect to an external Shadowsocks server.

xjasonlyu commented 2 years ago

Hahaha, seriously, don't you know what Matrix or Element is? It is a chat that allows public and private rooms, discussions... etc. I was surprised that tun2socks did not have its own room.

Something like Discord? I don't think every repo would have its own discussion room either.

tun0 needs to connect to an external Shadowsocks server.

No, tun0 is only for LAN packet send/receive; it's not responsible for connecting to servers.

AnonymousWebHacker commented 2 years ago

You should try it, most of the repositories have a room and it is easier when solving problems, it is more practical.

According to the wiki, I can run this so that tun0 connects to an external Shadowsocks server:

tun2socks-linux-amd64 -device tun://tun0 -proxy ss://chacha20-ietf-poly1305:password@ip-server:port -loglevel debug

xjasonlyu commented 2 years ago

No, it's just command line arguments, it means little.

AnonymousWebHacker commented 2 years ago

No, it's just command line arguments, it means little.

So? I do not understand; with this tun2socks line, didn't it redirect the traffic to an external Shadowsocks at ip-server:port?

tun2socks-linux-amd64 -device tun://tun0 -proxy ss://chacha20-ietf-poly1305:password@ip-server:port -loglevel debug

xjasonlyu commented 2 years ago

In general, it "redirects" the traffic from tun0 to the remote server, but in the code implementation, it uses tun0 to receive LAN packets and uses another interface like eth0 to connect to the server.

AnonymousWebHacker commented 2 years ago

@xjasonlyu VM Ubuntu, eth0 1.4 and tun0 1.30 (IP forwarding already enabled)

tun2socks-linux-amd64 -device tun://tun0 -proxy ss://chacha20-ietf-poly1305:pass@ip-server:port -loglevel debug
ip addr add 144.100.1.30/21 dev tun0
ifconfig tun0 up

ifconfig

root@outline:/home/proxmox# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 144.100.1.4  netmask 255.255.248.0  broadcast 144.100.7.255
        inet6 fe80::9c54:d4ff:fe59:67d0  prefixlen 64  scopeid 0x20<link>
        ether 9e:54:d4:59:67:d0  txqueuelen 1000  (Ethernet)
        RX packets 10217455  bytes 1159604996 (1.1 GB)
        RX errors 0  dropped 581920  overruns 0  frame 0
        TX packets 555644  bytes 253654783 (253.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 12073  bytes 74307471 (74.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12073  bytes 74307471 (74.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 144.100.1.30  netmask 255.255.248.0  destination 144.100.1.30
        inet6 fe80::3d2f:1348:8f8d:17d3  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1  bytes 48 (48.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

route add -net 144.100.1.30 netmask 255.255.255.255 gw 144.100.1.30 dev tun0

root@outline:/home/proxmox# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         144.100.3.9     0.0.0.0         UG    0      0        0 eth0
144.100.0.0     0.0.0.0         255.255.248.0   U     0      0        0 eth0
144.100.0.0     0.0.0.0         255.255.248.0   U     0      0        0 tun0
144.100.1.30    144.100.1.30    255.255.255.255 UGH   0      0        0 tun0

Testing curl on interface tun0 on this PC [successful]: tun0 has internet, checked by curl test.

curl -C - -O https://website/uploads/d89x298.png --interface tun0
** Resuming transfer from byte position 18418
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   190  100   190    0     0    114      0  0:00:01  0:00:01 --:--:--   114

On another PC with this configuration: ip: 144.100.1.5, gateway: 144.100.1.30, netmask: 255.255.255.255 or 255.255.248.0

That PC (1.5) does not have internet, or tun0 is not working for the network :(

xjasonlyu commented 2 years ago

You're not doing it right; see this for how to configure routes and other things: https://github.com/xjasonlyu/tun2socks/blob/main/docker/entrypoint.sh

AnonymousWebHacker commented 2 years ago

My network subnet is 10.0.0.0/16 and my tun2socks is running in an isolated namespace (eth0 is 10.0.0.2/16, tun0 is 198.18.0.1/15)

If any of the machines on your 10.0.0.0/16 network want to go to the internet, can they use eth0 10.0.0.2/16 as a gateway? If so, how would the routes or iptables rules look?

xjasonlyu commented 2 years ago

If any of the machines on your 10.0.0.0/16 network want to go to the internet, can they use eth0 10.0.0.2/16 as a gateway?

Of course, that's the whole purpose

If so, how would the routes or iptables rules look?

I believe it's pretty much obvious in the entrypoint.sh script: there are two tables and it uses fwmark to prevent a route loop. And you can even use the script to set up your own environment without Docker.

AnonymousWebHacker commented 2 years ago

What happens in my case is that this VM has two interfaces, eth0 and tun0.

To browse the internet, there is a captive portal where you have to set up an account; I reach that captive portal through eth0 and the gateway 144.100.3.9.

According to the tutorials that I have seen, they delete the default route and add the one of the tun, for example https://rucore.net/en/tun2socks-vpn-via-proxy/:

ip route del default
ip route add default dev tun

I cannot delete my default route, because it would not reach the captive portal

root@outline:/tmp# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         144.100.3.9     0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.248.0   U     0      0        0 tun0
144.100.0.0     0.0.0.0         255.255.248.0   U     0      0        0 eth0

xjasonlyu commented 2 years ago

You can add your portal ip as an exception, e.g. ip route add $portal_ip via 144.100.3.9 dev eth0
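Putting the maintainer's pointers together (a separate routing table for the TUN default route, fwmark so tun2socks' own traffic cannot loop back into the TUN, host routes that pin the portal and the proxy server to eth0, IP forwarding for the LAN), here is an added example for the setup in this thread; it is not the project's entrypoint.sh, PORTAL_IP and PROXY_SERVER are placeholders, and the exact rule layout is my own. It sends only forwarded LAN traffic through tun0 and leaves the gateway's own traffic, including the portal login, on eth0.

```shell
#!/bin/sh
# Added example, not the tun2socks project's entrypoint.sh. Prints (or, with
# "apply", runs) the routing plan for a gateway VM that keeps its captive
# portal and the proxy server on eth0 while forwarding LAN hosts through tun0.
# Addresses are the ones from the thread; PORTAL_IP/PROXY_SERVER are placeholders.
# Assumed mechanism: one extra table with a default route via the TUN, a fwmark
# rule so tun2socks' own sockets (started with its Linux fwmark option) keep
# using the main table, and host routes that pin portal and proxy to eth0.
set -eu

WAN_IF=${WAN_IF:-eth0}
WAN_GW=${WAN_GW:-144.100.3.9}         # default gateway seen in the thread
LAN_NET=${LAN_NET:-144.100.0.0/21}    # the eth0 network, not 144.100.1.30/21
TUN_IF=${TUN_IF:-tun0}
TUN_ADDR=${TUN_ADDR:-198.18.0.1/15}   # maintainer's choice: outside the LAN
PORTAL_IP=${PORTAL_IP:-PORTAL_IP_PLACEHOLDER}
PROXY_SERVER=${PROXY_SERVER:-PROXY_SERVER_PLACEHOLDER}
TABLE=${TABLE:-100}
MARK=${MARK:-0x1}

# Emit the commands instead of running them so the plan can be reviewed first.
# Rule pref 100: marked (tun2socks) packets use main -> eth0, never the TUN.
# Rule pref 200: packets forwarded from eth0 use TABLE -> default via TUN,
# except LAN destinations and the portal, which stay on eth0.
route_plan() {
  cat <<EOF
ip addr add $TUN_ADDR dev $TUN_IF
ip link set $TUN_IF up
sysctl -w net.ipv4.ip_forward=1
ip route add $PORTAL_IP via $WAN_GW dev $WAN_IF
ip route add $PROXY_SERVER via $WAN_GW dev $WAN_IF
ip route add $LAN_NET dev $WAN_IF table $TABLE
ip route add $PORTAL_IP via $WAN_GW dev $WAN_IF table $TABLE
ip route add default dev $TUN_IF table $TABLE
ip rule add pref 100 fwmark $MARK lookup main
ip rule add pref 200 iif $WAN_IF lookup $TABLE
EOF
}

# Apply on the gateway as root; anything else only shows the plan.
apply_plan() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
  route_plan | sh -e
}

case ${1:-show} in
  apply) apply_plan ;;
  *)     route_plan ;;
esac
```

LAN hosts such as the 144.100.1.5 PC then use the gateway's eth0 address (144.100.1.4) as their default gateway; tun0 itself needs no address from the LAN.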

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.