DEV Community: Mehdi mFat

Local port forwarding using shadowsocks-rust + openvpn over shadowsocks

Mehdi mFat — Fri, 08 Sep 2023 22:58:16 +0000

How to forward local port using shadowsocks

The purpose here is to forward local port 3080 to remote port 2.2.2.2:1194 (where an openvpn server is listening) using shadowsocks.

To do this we'll use shadowsocks-rust:

First we download the latest binaries for linux:

wget https://github.com/shadowsocks/shadowsocks-rust/releases/download/v1.16.1/shadowsocks-v1.16.1.x86_64-unknown-linux-gnu.tar.xz

and extract the files:

mkdir shadowsocks
tar xvf shadowsocks-v1.16.1.x86_64-unknown-linux-gnu.tar.xz -C shadowsocks

Now we cd into the folder and make the binaries executable and move them to /usr/local/bin:

cd shadowsocks/
chmod +x ss*
sudo mv ss* /usr/local/bin

Verify installation using this command:

sslocal --version

Now we are ready to create our local tunnel.

To do this we obviously need a shadowsocks server. There are many tutorials for setting up one. However here is how you can quickly set up a shadowsocks server on a debian/ubuntu VPS:

sudo apt install shadowsocks-libev simple-obfs

sudo nano /etc/shadowsocks-libev/config.json

with the following content:

{
   "server": "0.0.0.0",
   "server_port": DESIRED PORT,
   "password": "DESIRED PASSWORD",
   "timeout": 300,
   "method": "chacha20-ietf-poly1305",
   "mode": "tcp_only",
   "dns":"1.1.1.1",
   "plugin":"obfs-server",
   "plugin_opts": "obfs=http;obfs-host=cloudfront.net",
   "fast_open": false
}

*(Please note simple-obfs is obsolete and you should consider using a more secure pluging such as xray.)
*

sudo systemctl restart shadowsocks-libev.service

Now back to our local system, we create a shadowsocks tunnel configuration file:

nano sstunnel.json

and paste these lines. Make necessary adjustments based on your shadowsocks server configuration:

{
"locals": [
{
            "protocol": "tunnel",

            "local_address": "127.0.0.1",
            "local_port": 3080,
            "forward_address":"2.2.2.2",
            "forward_port": 1194,

}
],
            "server": "SHADOWSOCKS_SERVER_IP",
            "server_port": SHADOWSOCKS_SERVER_PORT,
            "password": "SHADOWSOCKS_SERVER_PASSWORD",
            "method": "chacha20-ietf-poly1305",
            "mode": "tcp_only",
            "plugin": "obfs-local",
            "plugin_opts": "obfs=http;obfs-host=cloudfront.net"

}

This file tells shadowsocks to forward connections to 127.0.0.1:3080 to the remote port 2.2.2.2:1194 which is our openvpn server, for example.

Now we can run the tunnel:

/usr/local/bin/sslocal -c sstunnel.json

This is the output on my system:

$ /usr/local/bin/sslocal -c sstest.json 
2023-09-09T02:08:53.356339957+03:30 INFO  shadowsocks local 1.16.1 build 2023-09-01T05:08:00.031376835+00:00
 2023-09-09 02:08:53 [simple-obfs] INFO: obfuscating enabled
 2023-09-09 02:08:53 [simple-obfs] INFO: obfuscation http method: GET
 2023-09-09 02:08:53 [simple-obfs] INFO: obfuscating hostname: cloudfront.net
 2023-09-09 02:08:53 [simple-obfs] INFO: tcp port reuse enabled
 2023-09-09 02:08:53 [simple-obfs] INFO: listening at 127.0.0.1:41681
2023-09-09T02:08:53.357713632+03:30 INFO  shadowsocks TCP tunnel listening on 127.0.0.1:3080

As you can see the last line
TCP tunnel listening on 127.0.0.1:3080
shows sslocal is listening at port 3080.

How to connect to openvpn over shadowsocks

Now let's assume we have an client.ovpn file for connecting to our 2.2.2.2:1194 openvpn server.

We open the client.ovpn file and make two changes:

We change remote line to 127.0.0.1 3080
We also tell openvpn to route the shadowsocks server IP through default gateway, not through the vpn tunnel:

route SHADOWSOCKS_SERVER_IP 255.255.255.255 net_gateway

This is how my openvpn client configuration looks now:

client
proto tcp-client
remote 127.0.0.1 3080
route SHADOWSOCKS_SERVER_IP 255.255.255.255 net_gateway
....

The rest of the configuration file remains intact.

Now I can connect to openvpn using this command:

sudo openvpn --config client.ovpn

P.S: instead of creating a shadowsocks tunnel configuration file we can also use the following command:

sslocal --protocol tunnel -b "127.0.0.1:3080" -f "2.2.2.2:1194"  --server-url "ss://...."

/usr/local/bin/sslocal --protocol tunnel -b "127.0.0.1:3080" -f "2.2.2.2:1194" -s "SHADOWSOCKS_SERVER_IP:PORT" -m "chacha20-ietf-poly1305" -k "SHADOWSOCKS_SERVER_PASSWORD" --plugin "obfs-local" --plugin-opts "obfs=http;obfs-host=cloudfront.net"

Tunnel any port over shadowsocks in openwrt using ss-tunnel

Mehdi mFat — Sat, 02 Sep 2023 15:12:32 +0000

When you install luci-app-shadowsocks-libev on openwrt, there is a mudule called ss-tunnel.

SS-Tunnel is also part of any standard shadowsocks-libev or shadowsocks-rust installation in linux.

But what does it do?

SS-Tunnel can forward any local port over shadowsocks.

For example if you have an openvpn server somewhere with ip address of 214.43.76.543 listening on port 1194, you can easily connect to it over shadowsocks by setting 214.43.76.543:1194 as tunnel address in ss-tunnel.

Now if ss-tunnel is listening on local port 1085, you can use it as your remote server ip in your openvpn config like this:

remote 127.0.0.1 1085

This is very useful if openvpn is blocked on your network.

Cloak is another alternative.

How to use Cloudflare Warp as a socks proxy on your local computer

Mehdi mFat — Thu, 31 Aug 2023 23:05:28 +0000

Cloudflare Warp is a wonderful VPN. It's very fast and with the Plus account you can enjoy virtually unlimited traffic.

One great thing about Warp is that you can run it in proxy mode. This is useful if you don't want your entire traffic to go through the Warp network.

In order to use Cloudflare warp in socks proxy mode you can use Wireproxy.

Wireproxy is a wireguard client that exposes itself as a socks5/http proxy or tunnels.

There is a very handy script to automatically install and configure Wireproxy with Cloudflare Warp on either a vps or your local machine.

wget -N https://gitlab.com/fscarmen/warp/-/raw/main/api.sh && bash api.sh [option]

Just run and follow the steps. In the end you'll have a locally running socks proxy that you can use in your web browsers, Telegram and other apps.

The default host:port is 127.0.0.1:40000.

The script creates a systemd service for controlling wireproxy.

To change Wireguard/warp parameters you can edit this files:

nano /etc/wireguard/proxy.conf

For example you can change the dns to 162.159.36.1 (recommended) and modify the endpoint as well.

To find a fast endpoint you can run this script as root:

wget -N https://gitlab.com/Misaka-blog/warp-script/-/raw/main/files/warp-yxip/warp-yxip.sh && bash warp-yxip.sh

If you prefer to run warp in VPN mode instead of proxy mode, check out the following:

https://gitlab.com/Misaka-blog/warp-script

WGCF：https://replit.com/@misaka-blog/wgcf-profile-generator
WARP-GO：https://replit.com/@misaka-blog/warpgo-profile-generator
Sing-box：https://replit.com/@misaka-blog/warpgo-sbfile-generator

How to bypass wireguard client for local network on openwrt

Mehdi mFat — Sat, 19 Aug 2023 16:00:26 +0000

Assuming your local network is 192.168.0.0/24, you should do this:

nano /etc/config/network

and add the following to your wireguard peer config section:

        list allowed_ips '0.0.0.0/1'
        list allowed_ips '128.0.0.0/2'
        list allowed_ips '192.0.0.0/9'
        list allowed_ips '192.128.0.0/11'
        list allowed_ips '192.160.0.0/13'
        list allowed_ips '192.168.1.0/24'
        list allowed_ips '192.168.2.0/23'
        list allowed_ips '192.168.4.0/22'
        list allowed_ips '192.168.8.0/21'
        list allowed_ips '192.168.16.0/20'
        list allowed_ips '192.168.32.0/19'
        list allowed_ips '192.168.64.0/18'
        list allowed_ips '192.168.128.0/17'
        list allowed_ips '192.169.0.0/16'
        list allowed_ips '192.170.0.0/15'
        list allowed_ips '192.172.0.0/14'
        list allowed_ips '192.176.0.0/12'
        list allowed_ips '192.192.0.0/10'
        list allowed_ips '193.0.0.0/8'
        list allowed_ips '194.0.0.0/7'
        list allowed_ips '196.0.0.0/6'
        list allowed_ips '200.0.0.0/5'
        list allowed_ips '208.0.0.0/4'
        list allowed_ips '224.0.0.0/3'
        option route_allowed_ips '1

You can calculate allowed IPs using the following calculators:

Wireguard's AllowedIPs calculator
by Savely Krasovsky's

Pro Custodibus calculator

How to access a local service over the internet using bore

Mehdi mFat — Tue, 30 May 2023 12:26:54 +0000

Bore is a modern, simple TCP tunnel written in Rust that exposes local ports to a remote server, bypassing standard NAT connection firewalls.

The advantage of Bore over some popular services such as ngrok is that it can be hosted on your own server. The CLI is also very straightforward and intuitive.

Installing Bore is very easy:

cargo install bore-cli

# On your local machine
bore local 8000 --to bore.pub

This command gives you a public URL that points to your local port 8000. No need for opening ports on your router or using dynamic DNS!

Instead of using bore servers you can use your own VPS to route traffic to your home.

Self-hosting bore is as simple as installing it on your server and running:

bore server

Now if my server's ip address is 2.2.2.2 this is what I need to run on my home computer to access a service running on port 9981 of my home PC through my VPS:

bore local 9981 --to 2.2.2.2

Bore server assigns a random port to this tunnel. Now I can access my local service running on port 9981 of my home PC using 2.2.2.2:PORT

How to enable battery charge limit on Linux

Mehdi mFat — Sun, 28 May 2023 08:16:52 +0000

Some laptops allow you to set a limit on the battery charge level. This feature is known as a charge threshold. For instance, you can choose to stop charging the battery when it reaches 60%, which may help to prolong the battery's lifespan.

On my Lenovo Thinkbook 14s Yoga it's very easy to do this. Here are the steps:



sudo dnf install tlp tlp-rdw



sudo nano /etc/tlp.conf

add this line to the file:



STOP_CHARGE_THRESH_BAT0=1

save and close.



sudo systemctl enable tlp.service
sudo systemctl start tlp.service

Done! Now your laptop should stop charging the battery beyond 60%.

As you can see in the screenshot, the battery is charged until it reaches 59% and then stops charging above that limit.

To check if your laptop supports this feature run:
sudo tlp-stat -b
On my laptop the output is this:



$sudo tlp-stat -b
--- TLP 1.5.0 --------------------------------------------

+++ Battery Care
Plugin: lenovo
Supported features: charge threshold
Driver usage:
* vendor (ideapad_laptop) = active (charge threshold)
Parameter value range:
* STOP_CHARGE_THRESH_BAT0: 0(off), 1(on) -- battery conservation mode

/sys/bus/platform/drivers/ideapad_acpi/VPC2004:00/conservation_mode = 1 (60%)

+++ Battery Status: BAT1
/sys/class/power_supply/BAT1/manufacturer                   = Celxpert
/sys/class/power_supply/BAT1/model_name                     = L19C4PDB
/sys/class/power_supply/BAT1/cycle_count                    =    316
/sys/class/power_supply/BAT1/energy_full_design             =  60000 [mWh]
/sys/class/power_supply/BAT1/energy_full                    =  52800 [mWh]
/sys/class/power_supply/BAT1/energy_now                     =  31380 [mWh]
/sys/class/power_supply/BAT1/power_now                      =      0 [mW]
/sys/class/power_supply/BAT1/status                         = Not charging

Charge                                                      =   59.4 [%]
Capacity                                                    =   88.0 [%]

This line:

Supported features: charge threshold
shows that my laptop supports charge threshold.

And this section gives me the line I need to add to /etc/tlp.conf:



Parameter value range:
* STOP_CHARGE_THRESH_BAT0: 0(off), 1(on) -- battery conservation mode

How to encrypt DNS requests using cloudflared

Mehdi mFat — Wed, 24 May 2023 10:38:14 +0000

cloudflared has many functions. When it comes to DNS, it can work as an encrypted DNS proxy. By default it listens for DNS requests and forwards them to Cloudflare DNS server over HTTPS.

But cloudflared can work with any upstream DoH server, including your self-hosted servers.

Let's for example see how to forward DNS queries to Google's encrypted DNS server using cloudflared:

cloudflared proxy-dns --upstream https://dns.google/dns-query --port 53

This command tells cloudflared to listen on local port 53 (127.0.0.1:53) for DNS queries. It then encrypts and forwards DNS requests to https://dns.google/dns-query.

To use this system-wide, you need to either set 127.0.0.1:53 as your default DNS resolver or make your system resolver forward DNS queries to 127.0.0.1:53.

Most modern linux distributions use systemd-resolved as their main resolver. In my other tutorial I have explained how you can make systemd-resolved forward DNS requests to any other resolver.

How to enable system-wide DNS-over-HTTPS on linux

Mehdi mFat — Tue, 23 May 2023 17:25:32 +0000

In this tutorial we learn how to enable system-wide DNS-over-HTTPS on linux to protect all queries. DNS-over-HTTPS, or simply DOH, encrypts DNS traffic by passing DNS queries through https.

This howto was tested on Fedora 38 but should work on other linux distributions too.

First we need to install dnscryp-proxy. It works as a client for DOH servers:

sudo dnf install dnscrypt-proxy

Now we need to edit its config file using:

sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml

In this example, we are adding 2 servers:

server_names = ['adfilter', 'ahadns']
listen_addresses = ['127.0.0.1:53']

You can also add more popular servers like 'cloudflare' or 'google' to server_name.

Now we scroll down to the [static] section and add these:

[static]

   [static.'adfilter']
   stamp= 'sdns://AgMAAAAAAAAADjE2My40Ny4xMTcuMTc2oMwQYNOcgym2K2-8fQ1t-TCYabmB5-Y5LVzY-kCPTYDmIEROvWe7g_iAezkh6TiskXi4gr1QqtsRIx8ETPXwjffOEGFkbC5hZGZpbHRlci5uZXQKL2Rucy1xdWVyeQ'

   [static.'ahadns']
   stamp= 'sdns://AgMAAAAAAAAACTUuMi43NS43NQARZG9oLm5sLmFoYWRucy5uZXQKL2Rucy1xdWVyeQ'

For any DOH server you need to find the "stamp". It's usually on the DNS provider website.

Now we can save the file and exit nano editor.

We should restart the service:

sudo systemctl restart dnscrypt-proxy.service

Now we need to make our system use this configuration. The default dns server on modern linux systems is called systemd-resolved.

We should tell systemd-resolved to forward all DNS queries to
dnscrypt-proxy, which is listening on 127.0.0.1:53.

To do so we create a so-called drop-in file for systemd-resolved using this command:

sudo cat <<EOF | sudo tee /etc/systemd/resolved.conf.d/dns_servers.conf
[Resolve]
DNS=127.0.0.1
Domains=~.
EOF

We also need to make sure all lines in /etc/systemd/resolved.conf file are commented out.

Now we can restart the systemd resolver:

sudo systemctl restart systemd-resolved.service

If everything has been set correctly, our DNS queries should be encrypted and sent via https.