Saturday, August 12, 2017

Step-by-Step: Shadowsocks Client on LEDE (OpenWRT) Router - Config with LUCI

UPDATE: I am writing an SSH version of this document since it's much easier to run commands that way.  Please see that document HERE.

PREREQUISITES
A. A computer with a web browser.
B. Router running LEDE or OpenWRT (Xiaomi Mini w/ LEDE 17.01.2, r3435)
     Note: For instructions on installing OpenWRT on the Xiaomi, please see this article HERE.
C. Shadowsocks account from provider (I'm testing Catswall.net)
D. Router should be connected to an unrestricted (NOT filtered) Internet connection so it can reach the LEDE package repositories

SETUP ROUTER
Reset the router to defaults if it has been used for something else before.  Also consider updating it to the current "stable" release of LEDE if you're running an older OpenWRT or LEDE build.  (I've tested the snapshot versions of LEDE and the necessary packages are not available yet; you'll have to know how to compile your own software if you don't use the stable release...if you know how to do that, you probably don't need this post.)

  • A. To upgrade your router to the LEDE 17.01.2 release: Sign into the router web console, navigate to System | Backup/Flash Firmware | Uncheck the "Keep settings" option, click Choose File, find the .bin file on your computer that you've already downloaded (see point C for a download link), click FLASH IMAGE..., and then when the verification window appears, click PROCEED.
  • B. To reset your router to all defaults: Sign into the router web console, navigate to System | Backup/Flash Firmware | click PERFORM RESET, and click OK at the pop-up.

NOTES:

  • For more instructions on setting up a new Xiaomi Mini router with OpenWRT or LEDE, please see my article on that subject HERE.
  • For more instructions on setting all base software on a LEDE/OpenWRT router, please see my article on the Base Installation for a VPN Client Router HERE.


INSTALL SOFTWARE AND ADD SERVER
After installing all necessary software packages as outlined in the Base Install Guide for Routers, we need to set up the Shadowsocks client options.

1. Under the Services menu option, select ShadowSocks-libev.

2. Enter the correct Shadowsocks server information, port, password, Encrypt Method, etc. from your provider, then save and restart the service by clicking SAVE & APPLY.

3. Force DNS resolution through the Shadowsocks tunnel (SS-TUNNEL) by selecting the "Enable" option under UDP Forward.  The UDP Local Port should be 5300, and the Forward Tunnel can be any valid DNS server, but we'll use Google's in this example and enter 8.8.8.8:53.
4. Add this UDP port address to the Network | DHCP and DNS | General Settings option for "DNS Forwardings" in this format:
127.0.0.1#5300
5. Select the Non-wildcard option and click SAVE & APPLY.
6. Select the Resolve and Hosts Files menu option.  Select the Ignore resolve file and the Ignore /etc/hosts options.  Click SAVE & APPLY.

If the VPN server information is correct you should now be connected to your server and DNS lookups should be going through the tunnel as well.  For best results... reboot the router.  I just unplug the little monster and plug it back in to make sure it's a nice "hard" reboot.

To check if you are browsing the Internet through your SS connection, go to a website like ipinfo.io or ipleak.net.  The IP address shown on these websites should be the server address you entered in the ShadowSocks menu.
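
The IP check above does not show where DNS queries go, so here is an added example (not part of the original post) that audits the dnsmasq settings from steps 3-6 in the output of `uci show dhcp`. It assumes the LuCI labels map to dnsmasq's UCI options `server`, `nonwildcard`, `noresolv` and `nohosts`; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: audit `uci show dhcp` text for the DNS settings of steps 3-6.
# On the router (over SSH):  uci show dhcp | audit_dns
# Assumes the first dnsmasq section, printed by uci as dhcp.@dnsmasq[0].
TUNNEL='127.0.0.1#5300'   # DNS forwarding entered in step 4

# Constructed sample inputs (not captured from a real router).
SAMPLE_GOOD="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].nohosts='1'
dhcp.@dnsmasq[0].server='127.0.0.1#5300'"
SAMPLE_LEAKY="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].nohosts='1'
dhcp.@dnsmasq[0].server='127.0.0.1#5300' '8.8.8.8'"

# Print the unquoted value(s) of dnsmasq option $2 found in config text $1.
get_opt() {
    printf '%s\n' "$1" | sed -n "s/^dhcp\.@dnsmasq\[0\]\.$2=//p" | tr -d "'"
}

# Reads `uci show dhcp` text on stdin, prints findings, returns 0 only if clean.
audit_dns() {
    cfg=$(cat)
    rc=0
    servers=$(get_opt "$cfg" server)
    case " $servers " in
        *" $TUNNEL "*) ;;
        *) echo "FAIL: DNS forwarding $TUNNEL is missing"; rc=1 ;;
    esac
    # Any other upstream lets dnsmasq send queries outside ss-tunnel.
    for s in $servers; do
        [ "$s" = "$TUNNEL" ] || { echo "FAIL: extra upstream $s is not the tunnel port"; rc=1; }
    done
    # noresolv = "Ignore resolve file", nohosts = "Ignore /etc/hosts",
    # nonwildcard = "Non-wildcard" (steps 5 and 6).
    for opt in noresolv nohosts nonwildcard; do
        [ "$(get_opt "$cfg" "$opt")" = "1" ] || { echo "FAIL: $opt is not enabled"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: dnsmasq forwards only to $TUNNEL"
    return "$rc"
}

# Demo on the constructed leaky sample; prints two FAIL lines.
printf '%s\n' "$SAMPLE_LEAKY" | audit_dns || true
```

If you chose a different UDP Local Port in step 3, change TUNNEL to match before running it.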

OPTION: ADD A SECONDARY DNS SERVICE FOR BACKUP; DNSCRYPT-PROXY
I'm writing another guide to set up a backup DNS server in case the Shadowsocks lookups fail or are delayed. The link will be here later!