Friday, October 27, 2017

HOW TO: Install Shadowsocks-libev using APT on Ubuntu 16.04 LTS

Introduction and Summary:

Shadowsocks is an encrypted proxy for circumventing firewalls and geo-location restrictions.  Some Linux server repositories do not have packages, or if they do, the packages might be old, since the server and client are under constant development.  I've written another post on how to build the packages from source, but this should only be done if you are willing to troubleshoot issues and keep the builds updated yourself.  A much easier way to install shadowsocks-libev on an Ubuntu server is to add the PPA to your server and install with APT.

Note: These packages are considered "unsupported" and "untrusted" by Ubuntu.

Prerequisites:

  • Linux Ubuntu 16.04.3 LTS Server
  • Console Access
  • Root level permission

Instructions:

1. When logged into the server, run the following command to add the PPA:

sudo add-apt-repository ppa:max-c-lv/shadowsocks-libev

2. Update your local APT package index with the new packages:

sudo apt-get update

3. Install the packages:

sudo apt install libsodium mbedtls shadowsocks-libev

Note: You can run all three of these commands in one line by entering the following string:

sudo add-apt-repository ppa:max-c-lv/shadowsocks-libev && sudo apt-get update && sudo apt install libsodium mbedtls shadowsocks-libev

Blog Formatting Guide:


  • Commands written in Consolas in BLUE are LOCAL Client Shell Commands (I'm running an Ubuntu local client)
  • Commands written in Consolas in RED are REMOTE Server Shell Commands (usually in SSH)
  • All commands in BOLD are CUSTOM user variables that you should change for your configuration.


Thursday, October 26, 2017

HOW TO: Enable rng-tools on Ubuntu VPS Server 16.04 for more "random" data

Introduction and Summary:

Headless VPS servers can suffer from a lack of random data inputs since there is little if any hardware to pull truly random data from (mouse, keyboard, webcams, entropy keys, etc.).  A hack for semi-random data to be generated in software is possible with rng-tools.  These instructions will help you install rng-tools on your VPS and hack the config to pull from the urandom file.

Note: This random data is not truly random and it is generally not considered secure for highly sensitive applications.  I'll be using it for generating obfuscation data, so true randomness is not important to me. Also, my paranoia level is in the mid to low range - if you're requiring higher security solutions, please skip this article.

Prerequisites:


  • Linux Ubuntu 16.04 LTS Server
  • Console Access
  • Root level permissions


Instructions:

1. Connect to the server console (local or SSH)
2. Install the rng-tools package:

  sudo apt update && sudo apt install rng-tools

Note: If you start the service, you will see that it fails:

  systemctl status rng-tools
● rng-tools.service
   Loaded: loaded (/etc/init.d/rng-tools; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2017-10-26 04:11:02 EDT; 36min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 299 ExecStart=/etc/init.d/rng-tools start (code=exited, status=1/FAILURE)
Oct 26 04:11:02 ubuntuvps systemd[1]: Starting rng-tools.service...
Oct 26 04:11:02 ubuntuvps rng-tools[299]: Starting Hardware RNG entropy gatherer daemon: (Hardware RNG device inode not found)
Oct 26 04:11:02 ubuntuvps rng-tools[299]: /etc/init.d/rng-tools: Cannot find a hardware RNG device to use.
Oct 26 04:11:02 ubuntuvps systemd[1]: rng-tools.service: Control process exited, code=exited status=1
Oct 26 04:11:02 ubuntuvps systemd[1]: Failed to start rng-tools.service.
Oct 26 04:11:02 ubuntuvps systemd[1]: rng-tools.service: Unit entered failed state.
Oct 26 04:11:02 ubuntuvps systemd[1]: rng-tools.service: Failed with result 'exit-code'.

3. Add the /dev/urandom path to the rng config file (the append goes through sudo tee because a plain ">>" redirect would run without root):

  echo "HRNGDEVICE=/dev/urandom" | sudo tee -a /etc/default/rng-tools

4. Start the service again

  sudo systemctl start rng-tools

5. Check the status of rng-tools

  systemctl status rng-tools
● rng-tools.service
   Loaded: loaded (/etc/init.d/rng-tools; bad; vendor preset: enabled)
   Active: active (exited) since Thu 2017-10-26 04:47:45 EDT; 2s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 562 ExecStart=/etc/init.d/rng-tools start (code=exited, status=0/SUCCESS)
Oct 26 04:47:45 ubuntuvps systemd[1]: Starting rng-tools.service...
Oct 26 04:47:45 ubuntuvps rng-tools[562]: Starting Hardware RNG entropy gatherer daemon: rngd.
Oct 26 04:47:45 ubuntuvps systemd[1]: Started rng-tools.service.
Oct 26 04:47:45 ubuntuvps rngd[564]: RNDADDENTROPY failed: Operation not permitted

Note: The last log line (RNDADDENTROPY failed: Operation not permitted) means the kernel refused rngd's request to add entropy, which typically happens in container-based VPS environments (such as OpenVZ) where the guest is not allowed that operation.  The service shows as active, but while that message appears rngd is not feeding the pool.


Helpful References:

Jon Stephen's post. Thanks, Jon!

Tuesday, October 24, 2017

HOW TO: Use BBR TCP Congestion for Improved Shadowsocks Performance on Ubuntu Server 16.04 LTS

Introduction and Summary:

Shadowsocks uses the TCP protocol for transmitting information over the Internet.  Google has released a new congestion control algorithm, TCP BBR, that shows good potential for increasing maximum speeds for Shadowsocks. Newer Linux kernels support BBR natively, so the basic instructions below update your server to a recent kernel and then switch the TCP congestion control to BBR.  This only needs to be done on the server side; the client needs no changes, because congestion control is applied by the host that sends the data.

Note: This only works on servers that you have full control of, like a dedicated server or a KVM VPS. It will not work on OpenVZ VPS's or similar types of virtualization environments since you cannot modify most networking settings or the core OS.

Prerequisites:

  • Linux Ubuntu 16.04 LTS Server
  • Console Access
  • Root level permissions
  • The following Ubuntu packages (some might be obsolete or unnecessary, send me a message if you discover an improvement): wget

Instructions:

1. Update the Ubuntu Linux Kernel to the most recent generic release (Note: The minimum kernel is v4.9 - feel free to use newer or older kernels if you want. You can browse the current kernel builds here: http://kernel.ubuntu.com/~kernel-ppa/mainline/)

sudo apt install linux-image-generic-hwe-16.04-edge

2. The server will reboot. Sign-in to the server again (console, ssh, etc.)
3. Enable BBR congestion algorithm

echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

4. Now check the results; you should see bbr as the current congestion control setting.

sysctl net.ipv4.tcp_available_congestion_control
sysctl net.ipv4.tcp_congestion_control
lsmod | grep bbr

5. Reboot the server to finalize the new settings

sudo reboot
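
A pre-flight check and settings writer for steps 1 to 4, as an added example that is not part of the original post: it compares the kernel release with the v4.9 minimum and sets each key exactly once, where "tee -a" appends a duplicate line on every re-run. The same helper fits the HRNGDEVICE line from the rng-tools post; the function names are assumptions.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the original post.

# kernel_at_least RELEASE MAJOR MINOR
# Returns 0 when RELEASE (the output of `uname -r`) is >= MAJOR.MINOR,
# 1 when it is older, 2 when RELEASE cannot be parsed.
kernel_at_least() {
    rel=${1%%-*}                      # "4.13.0-16-generic" -> "4.13.0"
    case "$rel" in *.*) ;; *) return 2 ;; esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# set_kv FILE KEY VALUE
# Leaves FILE with exactly one "KEY=VALUE" line: the first existing KEY line is
# replaced in place, later duplicates are dropped, a missing key is appended.
# Commented-out lines and keys that merely share a prefix are left alone.
set_kv() {
    file=$1 key=$2 value=$3
    [ -e "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, k) == 1 && substr(line, length(k) + 1) ~ /^[ \t]*=/) {
                if (!seen) { print k "=" v; seen = 1 }
                next
            }
            print
        }
        END { if (!seen) print k "=" v }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back through the original file so its owner and mode are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# apply_bbr SYSCTL_CONF RELEASE
# Refuses to touch SYSCTL_CONF on a kernel older than 4.9.
apply_bbr() {
    kernel_at_least "$2" 4 9 || {
        echo "kernel '$2' is older than 4.9 or unparsable; not enabling BBR" >&2
        return 1
    }
    set_kv "$1" net.core.default_qdisc fq &&
    set_kv "$1" net.ipv4.tcp_congestion_control bbr
}

# On the server, as root:
#   apply_bbr /etc/sysctl.conf "$(uname -r)" && sysctl -p
#   set_kv /etc/default/rng-tools HRNGDEVICE /dev/urandom
```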


HOW TO: Create a System Service for Shadowsocks-libev on Ubuntu 16.04 LTS

Introduction and Summary:

After making and installing Shadowsocks from source code, you may want to create a service that starts and stops with the server and behaves like a Daemon.  The following instructions are one way that this can be accomplished.  (Note: The installation via APT will create a service during the installation process and there is no need to create this service manually)

UPDATED March 2018: the service text is now entered with echo commands, and the service settings were edited to more closely follow the Debian defaults from Shadowsocks on GitHub.

Prerequisites:

  • Linux Ubuntu 16.04.3 LTS Server
  • Console Access
  • Root level permissions
  • The following Ubuntu packages (some might be obsolete or unnecessary, send me a message if you discover an improvement): vim

Instructions:

1. Create a file called shadowsocks.service under /usr/lib/systemd/system/ and edit it with vim.

sudo mkdir -p /usr/lib/systemd/system && sudo vim /usr/lib/systemd/system/shadowsocks.service

2. Enter the following text into the new file using a series of echo commands.  The quotes must be plain ASCII double quotes (typographic quotes would be written into the file), and the group is piped through sudo tee because writing under /usr/lib/systemd/system/ needs root.

{
echo "[Unit]"
echo "Description=Shadowsocks Server Daemon /usr/local/bin/ss-server"
echo "After=network.target network-online.target"
echo ""
echo "[Service]"
echo "Type=simple"
echo "ExecStart=/usr/local/bin/ss-server"
echo "Group=nogroup"
echo "LimitNOFILE=32768"
echo ""
echo "[Install]"
echo "WantedBy=multi-user.target"
echo ""
} | sudo tee /usr/lib/systemd/system/shadowsocks.service > /dev/null

Note: This unit sets Group= but no User=, so systemd starts ss-server as root.


3. Enable the service and check its status

sudo systemctl enable shadowsocks && sudo systemctl start shadowsocks && sudo systemctl status shadowsocks

Note: The command to stop the service is: sudo systemctl stop shadowsocks
This can be useful when troubleshooting. You can stop the service and run "ss-server" manually to watch for error messages.
Note: The command to start the service is: sudo systemctl start shadowsocks
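
A check to run on the unit file from step 2 before enabling it, as an added example that is not part of the original post: it confirms the three section headers and ExecStart= were written literally and reports a missing User= line. The function names are assumptions, and page_unit reproduces the unit text from step 2 as sample input.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the original post.

# page_unit: the unit text from step 2, printed to stdout as sample input.
page_unit() {
    cat <<'EOF'
[Unit]
Description=Shadowsocks Server Daemon /usr/local/bin/ss-server
After=network.target network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/ss-server
Group=nogroup
LimitNOFILE=32768

[Install]
WantedBy=multi-user.target
EOF
}

# audit_unit FILE
# Prints one finding per line; the return status is the number of findings.
audit_unit() {
    unit=$1
    findings=0
    report() { echo "$unit: $1"; findings=$((findings + 1)); }

    [ -r "$unit" ] || { report "file is missing or unreadable"; return "$findings"; }

    # A header wrapped in pasted typographic quotes is not a header line.
    for section in Unit Service Install; do
        grep -qx "\[$section\]" "$unit" || report "no literal [$section] header line"
    done

    exec_line=$(sed -n 's/^ExecStart=//p' "$unit" | head -n 1)
    case "$exec_line" in
        /*|[-@+!]/*) ;;
        '') report "ExecStart= is missing" ;;
        *)  report "ExecStart= does not start with an absolute path" ;;
    esac

    grep -q '^User=' "$unit" || report "no User= line: the service runs as root"

    return "$findings"
}

# On the server:
#   audit_unit /usr/lib/systemd/system/shadowsocks.service
```

On the server, systemd-analyze verify /usr/lib/systemd/system/shadowsocks.service adds systemd's own parse check.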


HOW TO: Build Libsodium from source on Ubuntu 16.04 LTS

Introduction and Summary:

Shadowsocks supports various ciphers that require the Libsodium library, like CHACHA20-IETF-POLY1305.  Some Linux server repositories do not have the package, or if they do, the package might be old, since the server and client are under constant development.  These commands will help to download and build the latest Libsodium from source.

WARNING: The build from source version of libsodium CANNOT exist on the same server with the packages installed from APT sources.  Shadowsocks will often fail to load the ciphers properly and you will get errors.  If you have installed both the APT and the source-code versions of libsodium, remove the APT version with a command like sudo apt remove libsodium

Prerequisites:

  • Linux Ubuntu 16.04 LTS Server
  • Console Access
  • Root level permissions
  • The following Ubuntu packages (some might be obsolete or unnecessary, send me a message if you discover an improvement): build-essential autoconf automake libtool git 

Instructions:

When logged into the server, run the following commands:

cd /tmp
git clone https://github.com/jedisct1/libsodium.git
cd libsodium
git submodule update --init --recursive && ./autogen.sh
./configure
make
sudo make install
cd ..
rm libsodium -r -f

NOTE: The entire set of commands can be chained together in one long command:
cd /tmp && git clone https://github.com/jedisct1/libsodium.git && cd libsodium && git submodule update --init --recursive && ./autogen.sh && ./configure && make && sudo make install && cd .. && rm libsodium -r -f


HOW TO: Build Simple-obfs from source on Ubuntu 16.04 LTS

Introduction and Summary:

Simple-obfs was written primarily for use with Shadowsocks to obfuscate encrypted traffic.  Some Linux server repositories do not have packages or if they do, the packages might be old since the server and client are under constant development.  These commands will help to download and build the latest Simple-obfs plug-in from source.

Prerequisites:


  • Linux Ubuntu 16.04.3 LTS Server
  • Console Access
  • Root level permissions
  • The following Ubuntu packages (some might be obsolete or unnecessary, send me a message if you discover an improvement):
build-essential autoconf libtool libssl-dev libpcre3-dev zlib1g-dev libev-dev libsodium-dev git automake libmbedtls-dev libc-ares-dev


Instructions:

When logged into the server, run the following commands:

cd /tmp
git clone https://github.com/shadowsocks/simple-obfs.git
cd simple-obfs
git submodule update --init --recursive
./autogen.sh
./configure
make
sudo make install
cd ..
rm simple-obfs -r -f

NOTE: The entire set of commands can be chained together in one long command:
cd /tmp && git clone https://github.com/shadowsocks/simple-obfs.git && cd simple-obfs && git submodule update --init --recursive && ./autogen.sh && ./configure && make && sudo make install && cd .. && rm simple-obfs -r -f



HOW TO: Build Shadowsocks-libev from source on Ubuntu 16.04 LTS | Latest Nightly Version

Introduction and Summary:

Shadowsocks is an encrypted proxy for circumventing firewalls and geo-location restrictions.  Some Linux server repositories do not have packages or if they do, the packages might be old since the server and client are under constant development.  These commands will help to download and build the latest Shadowsocks-libev server from source.

UPDATE: Recently the latest editions of shadowsocks (versions 3.2 and higher) have not worked properly on my servers (service does not start, udp does not redirect properly, etc.).  If you would like to build a specific version of shadowsocks-libev, please see this other post for those instructions [LINK]

Prerequisites:


  • Linux Ubuntu 16.04 LTS Server
  • Console Access
  • Root level permissions
  • The following Ubuntu packages (some might be obsolete or unnecessary, send me a message if you discover an improvement):
build-essential autoconf libtool libssl-dev libpcre3-dev zlib1g-dev libev-dev git automake init-system-helpers pkg-config asciidoc xmlto libmbedtls-dev libc-ares-dev

Instructions:

When logged into the server, run the following commands:

cd /tmp
git clone https://github.com/shadowsocks/shadowsocks-libev.git
cd shadowsocks-libev
git submodule update --init --recursive
./autogen.sh
./configure
make
sudo make install
cd ..
rm shadowsocks-libev -r -f

NOTE: The entire set of commands can be chained together in one long command:
cd /tmp && git clone https://github.com/shadowsocks/shadowsocks-libev.git && cd shadowsocks-libev && git submodule update --init --recursive && ./autogen.sh && ./configure && make && sudo make install && cd .. && rm shadowsocks-libev -r -f


Friday, October 13, 2017

HOW TO: Setup Shadowsocks on LEDE Router with Snapshot ROM and Snapshot Packages (PLAINTEXT EDITION)

## LEDE SNAPSHOT (2017 SEPT OR HIGHER) ROUTER INSTALLATION GUIDE WITH SHADOWSOCKS
## HARDWARE: Xiaomi Mini Wifi Router
## ROM SNAPSHOT DOWNLOAD LINK: https://downloads.lede-project.org/snapshots/targets/ramips/mt7620/
## 

## LEDE SNAPSHOT BASE INSTALLATION ##

## 1. ROUTER CONFIGURATION - GENERIC PACKAGES FOR VPN
## Flash a clean ROM on the router, connect via SSH, then set a password for router...the following command is just to set the password for the router since flashing the ROM is covered in other articles and connecting via SSH should already be in your tool bag of knowledge.

passwd

## Install Packages for Shadowsocks, OpenVPN, and Wireguard.

opkg update && opkg install luci luci-ssl-openssl luci-app-shadowsocks-libev shadowsocks-libev-config shadowsocks-libev-ss-local shadowsocks-libev-ss-redir shadowsocks-libev-ss-rules shadowsocks-libev-ss-server shadowsocks-libev-ss-tunnel iptables-mod-conntrack-extra kmod-ipt-tproxy iptables-mod-tproxy dnscrypt-proxy luci-app-dnscrypt-proxy rng-tools ca-certificates wget luci-app-uhttpd luci-app-wifischedule

## OPTIONAL: Manually install Shadowsocks Simple-OBFS onto the router
## Note: Must be behind a VPN because China blocks sourceforge.net

LEDE=http://openwrt-dist.sourceforge.net/packages/LEDE/base/mipsel_24kc && SIMPLEOBFS=simple-obfs_0.0.3-2_mipsel_24kc.ipk && wget $LEDE/$SIMPLEOBFS && opkg install $SIMPLEOBFS && rm $SIMPLEOBFS


## Backup Default Configs 

mkdir /usr/share/default-configs && cp /etc/config/dnscrypt-proxy /usr/share/default-configs/default.dncrypt-proxy && cp /etc/config/shadowsocks-libev /usr/share/default-configs/default.shadowsocks-libev && cp /etc/config/dhcp /usr/share/default-configs/default.dhcp && cp /etc/config/network /usr/share/default-configs/default.network

## Set Router HOSTNAME, TIMEZONE, NTP, and CUSTOMIZE LED (Indicates Modification) 

uci set system.@system[0].hostname='LEDE' && uci set system.@system[0].timezone='HKT-8' && uci set system.@system[0].zonename='Asia/Hong Kong' && uci set system.ntp.enable_server='1' && uci delete system.ntp.server && uci add_list system.ntp.server='stdtime.gov.hk' && uci add_list system.ntp.server='time.nist.gov' && uci add_list system.ntp.server='us.pool.ntp.org' && uci add_list system.ntp.server='time.google.com'

uci set system.led_power=led && uci set system.led_power.name='power' && uci set system.led_power.sysfs='miwifi-mini:blue:status' && uci set system.led_power.default='1' && uci commit


service rngd enable


## Configure Wireless Network
## NOTE: Update SSID and Password to your preferred name

uci set wireless.radio0.hwmode='11a' && uci set wireless.radio0.channel='40' && uci set wireless.radio0.country='00' && uci set wireless.default_radio0.ssid='LEDE-AC' && uci set wireless.default_radio0.encryption='psk2' && uci set wireless.default_radio0.key='PASSWORD'

uci set wireless.radio1.hwmode='11g' && uci set wireless.radio1.channel='11' && uci set wireless.radio1.country='00' && uci set wireless.default_radio1.ssid='LEDE' && uci set wireless.default_radio1.encryption='psk2' && uci set wireless.default_radio1.key='*PASSWORD'


uci delete wireless.radio0.disabled && uci delete wireless.radio1.disabled && uci commit && service network restart

## Configure LAN IP, Reboot (192.168.99.1 used here)

uci set network.lan.ipaddr='192.168.99.1' && uci commit && reboot && exit


## ENABLE HTTPS FOR LUCI WEB CONSOLE 
## Create the myconfig.conf 

cat > /etc/ssl/myconfig.conf

## Paste the following contents: 

[req]
distinguished_name  = req_distinguished_name
x509_extensions     = v3_req
prompt              = no
[req_distinguished_name]
C           = US
ST          = CA
L           = LEDE
O           = Home
OU          = Router
CN          = 192.168.99.1
[v3_req] 
keyUsage           = keyEncipherment, dataEncipherment
extendedKeyUsage   = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = 192.168.99.1
IP.1 = 192.168.99.1

## Ctrl+d to exit and commit the text.

## Generate the keys 

openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/ssl/mycert.key -out /etc/ssl/mycert.crt -config /etc/ssl/myconfig.conf && uci set uhttpd.main.redirect_https='1' && uci set uhttpd.main.cert='/etc/ssl/mycert.crt' && uci set uhttpd.main.key='/etc/ssl/mycert.key' && uci commit && service uhttpd restart

## Setup DNSCRYPT-PROXY for DNS Resolution
## Updates Resolver List (/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv) 

mv /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv /usr/share/dnscrypt-proxy/default.dnscrypt-resolvers ; wget -O- 'https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv' > /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv && cp /etc/config/dnscrypt-proxy /etc/config/default.dncrypt-proxy

## Add Server #1 

uci set dnscrypt-proxy.ns1=dnscrypt-proxy && uci set dnscrypt-proxy.ns1.address='127.0.0.1' && uci set dnscrypt-proxy.ns1.port='5353' && uci set dnscrypt-proxy.ns1.resolver='cisco' && uci set dnscrypt-proxy.ns1.resolvers_list='/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv' && uci set dnscrypt-proxy.ns1.syslog='1' && uci commit dnscrypt-proxy

## Add Server #2 

uci set dnscrypt-proxy.ns2=dnscrypt-proxy && uci set dnscrypt-proxy.ns2.address='127.0.0.1' && uci set dnscrypt-proxy.ns2.port='5454' && uci set dnscrypt-proxy.ns2.resolver='fvz-anyone' && uci set dnscrypt-proxy.ns2.resolvers_list='/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv' && uci set dnscrypt-proxy.ns2.syslog='1' && uci commit dnscrypt-proxy

## Enable and Start the Service

service dnscrypt-proxy enable && service dnscrypt-proxy start

## Configure DNSMASQ 
## Server list 

uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#5353' && uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#5454' && uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#1100' && uci set dhcp.@dnsmasq[0].noresolv='1' && uci set dhcp.@dnsmasq[0].nohosts='1' && uci commit dhcp && reboot && exit

## SHADOWSOCKS-LIBEV CONFIGURATION ##

## REMOVE UN-NEEDED CONFIGS

uci delete shadowsocks-libev.@ss_local[0]
uci delete shadowsocks-libev.@ss_tunnel[0]
uci delete shadowsocks-libev.hj
uci delete shadowsocks-libev.ss_rules
uci delete shadowsocks-libev.@ss_server[0]
uci commit shadowsocks-libev

## UPDATE CONFIG SS-HI (CUSTOM, CHECK THE FAST OPEN AND MODE SETTINGS ESPECIALLY)

uci set shadowsocks-libev.hi.server='sss0'
uci set shadowsocks-libev.hi.local_address='0.0.0.0'
uci set shadowsocks-libev.hi.local_port='1100'
uci set shadowsocks-libev.hi.mode='tcp_and_udp'
uci set shadowsocks-libev.hi.timeout='480'
uci set shadowsocks-libev.hi.fast_open='1'
uci set shadowsocks-libev.hi.verbose='1'
uci set shadowsocks-libev.hi.reuse_port='1'
uci delete shadowsocks-libev.hi.disabled
uci commit shadowsocks-libev

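## CONFIG SS REMOTE SERVER (CUSTOM, YOUR REMOTE SERVER)
## NOTE: rc4-md5 is a legacy stream cipher without message authentication. The method must match the server; where both ends support it, an AEAD method such as chacha20-ietf-poly1305 is the stronger choice.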

uci set shadowsocks-libev.sss0.server='###.###.###.###'
uci set shadowsocks-libev.sss0.method='rc4-md5'
uci set shadowsocks-libev.sss0.password='**************************'
uci set shadowsocks-libev.sss0.server_port='443'
uci delete shadowsocks-libev.sss0.disabled
uci commit shadowsocks-libev

## Optional - Settings for OBFS

uci set shadowsocks-libev.sss0.plugin='obfs-local'
uci set shadowsocks-libev.sss0.plugin_opts='obfs=http;obfs-host=cloudflare.net'
uci commit shadowsocks-libev

## CONFIG SS FORWARDING RULES (UNIVERSAL)

uci set shadowsocks-libev.ss_rules=ss_rules

uci set shadowsocks-libev.ss_rules.src_ips_forward='192.168.99.0/24'
uci set shadowsocks-libev.ss_rules.redir_tcp='hi'
uci set shadowsocks-libev.ss_rules.redir_udp='hi'
uci set shadowsocks-libev.ss_rules.local_default='forward'
uci set shadowsocks-libev.ss_rules.ifnames='br-lan'
uci set shadowsocks-libev.ss_rules.src_default='forward'
uci set shadowsocks-libev.ss_rules.dst_default='forward'
uci delete shadowsocks-libev.ss_rules.disabled
uci commit shadowsocks-libev
service shadowsocks-libev reload

## Download China bypass list (For Future Enhancement)

wget -O- 'https://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /etc/chinadns_chnroute.txt

## Add some Scheduled Tasks to CRONTABS
## Add these in the LUCI webapp…until I figure out the command line

0 5 * * * sleep 70 && touch /etc/banner && reboot
0 */2 * * * /etc/init.d/shadowsocks-libev reload
5 4 * * 0 wget -O- 'https://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > /etc/chinadns_chnroute.txt
10 5 1 * * wget -O- 'https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv' > /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv
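
A safer form of the bypass-list download and its cron entry above, as an added example that is not part of the original post: "wget -O- ... > file" empties the live file before the download starts, so a failed fetch leaves an empty list, and the prefix is computed here with integer halving instead of log(). The function names, the minimum line count and the constructed sample records are assumptions.

```shell
#!/bin/sh
# Added example: function names and sample data are hypothetical.

# Constructed records in the delegated-apnic layout:
# registry|cc|type|start|count|date|status
sample_records() {
    cat <<'EOF'
apnic|*|ipv4|*|5|summary
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv4|1.0.8.0|2048|20110412|allocated
apnic|CN|ipv4|203.0.113.0|768|20110412|allocated
apnic|CN|ipv6|2001:250::|35|20000426|allocated
EOF
}

# apnic_to_cidr: records on stdin, CN IPv4 ranges as CIDR on stdout.
# A count that is not a power of two cannot be one CIDR block and is skipped.
apnic_to_cidr() {
    awk -F'|' '
        $2 == "CN" && $3 == "ipv4" && $5 ~ /^[0-9]+$/ {
            n = $5 + 0; bits = 0
            while (n > 1 && n % 2 == 0) { n = n / 2; bits++ }
            if (n == 1 && bits <= 32 && $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                printf "%s/%d\n", $4, 32 - bits
        }'
}

# replace_if_sane SRC DST MIN_LINES
# Renames SRC over DST only when SRC has at least MIN_LINES lines;
# otherwise DST is left untouched and SRC is removed.
replace_if_sane() {
    src=$1 dst=$2 need=$3
    count=0
    [ -f "$src" ] && count=$(( $(wc -l < "$src") ))
    if [ "$count" -ge "$need" ]; then
        mv -f "$src" "$dst"
    else
        rm -f "$src"
        echo "keeping $dst: new list has $count lines, need $need" >&2
        return 1
    fi
}

# update_chnroute TARGET MIN_LINES [FETCH_CMD ...]
# FETCH_CMD writes the raw APNIC file to stdout; the page's wget call is the
# default. The temp file sits beside TARGET so mv is a same-filesystem rename.
update_chnroute() {
    target=$1 min=$2
    shift 2
    [ $# -gt 0 ] || set -- wget -q -O- \
        'https://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'
    tmp="$target.new.$$"
    "$@" 2>/dev/null | apnic_to_cidr > "$tmp"
    replace_if_sane "$tmp" "$target" "$min"
}

# On the router (the script path in a cron entry would be your own choice):
#   update_chnroute /etc/chinadns_chnroute.txt 1000
```

replace_if_sane can guard the dnscrypt-resolvers.csv download in the same way: fetch to a temporary file beside the target, then call it with a minimum line count.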