Configure the ShadowsocksR Plus+ server to access home services from outside

Original link: https://hellodk.cn/post/1130

There are several proxy/circumvention packages available for OpenWrt:

  • ShadowsocksR Plus+
  • OpenClash
  • PassWall
  • Shell Clash

I used to prefer PassWall, and I also used OpenClash for a while, but now I prefer ShadowsocksR Plus+, hereafter ssrplus+. The transparent-proxy packages built on a Clash core should not differ much from it; they are simply more encapsulated, so there may be fewer places where the user has to intervene by hand. This article focuses on the server side of ssrplus+.

You are away from home and want to reach the router's management page? Reach qBittorrent for remote downloads? Reach various other intranet services?

There are many ways to meet this requirement. I will briefly list a few, although I have not used all of them myself.

  1. frp: well known, easy to use and efficient; this is what I use
  2. ngrok: similar, though probably less widespread than frp
  3. Peanut Shell (花生壳), Oray's DDNS/tunnel service
  4. If your home broadband has a dynamic public IP, DDNS alone can satisfy the requirement
  5. Public IP + OpenWrt + firewall port forwarding + nginx proxy_pass
  6. VPN solutions such as OpenVPN (also PPTP, L2TP, etc.; PPTP's authentication is long broken and should not be used for anything new)
  7. WireGuard: also a VPN, but a newer protocol and better suited to this
  8. Tailscale, ZeroTier and other overlay-network solutions
  9. Other…

Options 4 and 5 expose each service directly to the internet; the VPN and proxy options (6 to 8, and the ssr-server approach below) keep only one authenticated port open and put everything else behind it.

I will not cover the basic use of ssrplus+; there are plenty of tutorials online. This article only shares how I run the ssr-server. Deploying ssr-server on my OpenWrt, I can see its binary lives at /var/etc/ssrplus/bin/ssr-server:

ssrplus1.jpg

ssrplus3.jpg

ssr-server mainly needs the following settings (similar to configuring ss-server on a VPS):

  • Listen address: not exposed in the LuCI page; by default it binds to all IPv4 and IPv6 addresses (0.0.0.0 and ::), so the OpenWrt firewall rule decides where the port is actually reachable
  • Listen port: important. Use an unconventional high port, at least 10000; I am used to ports between 20000 and 50000. This only reduces scanner noise, it is not a substitute for a strong password
  • Password: very important. Use a generator such as Bitwarden/Vaultwarden to produce a complex random password of at least 10 characters, mixing digits, upper- and lower-case letters and symbols. The stronger the password, the safer the server; with ssr-server it is the only thing standing between the internet and your LAN
  • Timeout, e.g. 60 s
  • Encryption method: my soft router was self-assembled in 2018 with an N3150 CPU, which has AES instructions, so I chose aes-256-cfb as a compromise. There are many others; check which suits your CPU. Note that the CFB/CTR stream ciphers provide confidentiality only, no integrity protection; the Shadowsocks project has deprecated them in favour of AEAD ciphers such as chacha20-ietf-poly1305 and aes-256-gcm, so prefer an AEAD cipher where your server and clients support one
  • TCP Fast Open: I usually enable it
  • Obfuscation and plugins: left at their defaults

Finally, OpenWrt generated this file, /var/etc/ssrplus/ssr-server1.json (the port and password shown are obviously placeholder values):

 {
   "server": "0.0.0.0",
   "server_ipv6": "::",
   "server_port": 1234,
   "mode": "tcp_and_udp",
   "password": "123456",
   "timeout": 60,
   "method": "aes-256-cfb",
   "protocol": "origin",
   "protocol_param": "",
   "obfs": "plain",
   "obfs_param": "",
   "fast_open": true
 }
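As an added example (not code from the original post or from the ssrplus+ project), here is a small Python linter that applies the checks from the list above to an ssr-server JSON like the one OpenWrt generated, and produces a hardened copy. The cipher names follow shadowsocks-libev; the port and password thresholds and the choice of chacha20-ietf-poly1305 as the replacement cipher are this example's own. Swapping in an AEAD cipher assumes an AEAD-capable server binary (a plain Shadowsocks ss-server rather than ssr-server, whose protocol/obfs layer is built on stream ciphers), so treat that part of the hardened output as a recommendation to act on, not a drop-in edit.

```python
import json
import secrets
import string

# Constructed copy of the ssr-server1.json shown above; its placeholder port and
# password are exactly what makes it a useful bad example.
SAMPLE_CONFIG = """
{ "server": "0.0.0.0", "server_ipv6": "::", "server_port": 1234,
  "mode": "tcp_and_udp", "password": "123456", "timeout": 60,
  "method": "aes-256-cfb", "protocol": "origin", "protocol_param": "",
  "obfs": "plain", "obfs_param": "", "fast_open": true }
"""

# Stream ciphers encrypt without authenticating the data; the Shadowsocks
# project deprecated them in favour of the AEAD ciphers below.
STREAM_CIPHERS = {
    "aes-128-cfb", "aes-192-cfb", "aes-256-cfb", "aes-128-ctr", "aes-192-ctr",
    "aes-256-ctr", "camellia-128-cfb", "camellia-192-cfb", "camellia-256-cfb",
    "bf-cfb", "rc4-md5", "salsa20", "chacha20", "chacha20-ietf",
}
AEAD_CIPHERS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
                "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305"}

MIN_PORT = 10000          # thresholds are this example's choice
MIN_PASSWORD_LEN = 16
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def load_sample():
    return json.loads(SAMPLE_CONFIG)


def password_classes(pw):
    """Number of character classes (lower/upper/digit/symbol) present in pw."""
    return sum(1 for cls in CHAR_CLASSES if any(c in cls for c in pw))


def lint(cfg):
    """Return a list of findings for an ss/ssr server config dict."""
    findings = []
    port = cfg.get("server_port")
    if not isinstance(port, int) or port < MIN_PORT:
        findings.append(f"server_port={port}: use an unconventional high port (>= {MIN_PORT})")
    pw = cfg.get("password", "")
    if len(pw) < MIN_PASSWORD_LEN or password_classes(pw) < 4:
        findings.append("password: too short or too few character classes; generate a random one")
    method = cfg.get("method", "")
    if method in STREAM_CIPHERS:
        findings.append(f"method={method}: stream cipher, no integrity protection; prefer an AEAD cipher")
    elif method not in AEAD_CIPHERS:
        findings.append(f"method={method}: unrecognised cipher, check it manually")
    if cfg.get("server") in ("0.0.0.0", "::") or cfg.get("server_ipv6") == "::":
        findings.append("listens on every address: make sure the OpenWrt firewall only exposes the port where intended")
    return findings


def generate_password(length=24):
    """Random password guaranteed to contain all four character classes.
    The symbol set avoids quotes and backslashes, which are awkward in JSON
    and shell quoting."""
    symbols = "@#%^&*()-_=+[]{}:,.?"
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits, symbols)
    chars = [secrets.choice(pool) for pool in pools]          # one of each class
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def harden(cfg):
    """Copy of cfg with a high random port, a strong password and an AEAD cipher.
    The listen address is left alone: that is a firewall decision, not a config one."""
    out = dict(cfg)
    if not isinstance(out.get("server_port"), int) or out["server_port"] < MIN_PORT:
        out["server_port"] = 20000 + secrets.randbelow(30001)   # 20000..50000
    pw = out.get("password", "")
    if len(pw) < MIN_PASSWORD_LEN or password_classes(pw) < 4:
        out["password"] = generate_password()
    if out.get("method") in STREAM_CIPHERS:
        # Assumes an AEAD-capable server (ss-server); ssr-server cannot use this.
        out["method"] = "chacha20-ietf-poly1305"
    return out


if __name__ == "__main__":
    cfg = load_sample()
    for finding in lint(cfg):
        print("FINDING:", finding)
    print(json.dumps(harden(cfg), indent=2))
```

Run it against the real /var/etc/ssrplus/ssr-server1.json by replacing `load_sample()` with a `json.load()` of that file; the only finding a well-configured server should still produce is the listen-address reminder.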

Here I found that after filling in the settings on the page and clicking Save & Apply (保存并应用), ssr-server did not start and nothing worked; restarting the ssrplus+ main service directly fixed it.

Run the following in the OpenWrt terminal to restart the main service:

 /bin/sh /etc/rc.common /etc/init.d/shadowsocksr restart

The status page then shows it running normally:

ssrplus2.jpg

And the corresponding log entries:

ssrplus3.jpg

Then I picked up the iPhone, switched to mobile data, opened Shadowrocket and Quantumult X, and added a server configuration to each.

Since I have a public IP, I can point the clients straight at this ssr-server (with a dynamic public IP you would pair this with DDNS, option 4 above). After adding the configuration I enabled the proxy, opened the browser, visited google, and it worked.

google home page 1.jpg


Along the way I ran into a problem, and recording it is the main point of this article. I also asked ChatGPT about it at the time; here is the exchange.


Message from you:

I set up a ShadowsocksR global proxy on my mobile phone to my home server. I can access some services at home through the domain name, but why can't I access them through the IP and port number? Accessing through IP+port reports err_connection_timed_out. For example, when I am at home I can reach my router through http://10.10.10.1:88 or http://home.to:88, but now that the phone is connected through the global proxy it can only be reached through http://home.to:88, and http://10.10.10.1:88 gives err_connection_timed_out. Please help me analyze why.

Message from ChatGPT:

This situation may be caused by the fact that your router has not enabled the NAT reverse proxy function. When you visit through http://home.to:88, the request is first sent to the home server, which then forwards it to the router's 10.10.10.1:88 port. During this process the server replaces the request's source IP address with its own, so that the router can correctly return the response to your phone.

However, when you visit directly through http://10.10.10.1:88, the request is sent straight to the router's 10.10.10.1:88 port. Because the source IP address of this request is your phone's IP address rather than the home server's, the router cannot return the response to your phone properly, resulting in a connection timed out error.

To solve this problem, you can install NAT reverse proxy software such as Nginx on your home server and forward the request to the router's 10.10.10.1:88 port. That way, whether you visit through http://home.to:88 or http://10.10.10.1:88, the request is correctly forwarded to the router, and the router can correctly return the response to your phone.

Message from you:

I have installed nginx on the router, but what should I do now? Also, I was wondering: is this a NAT loopback problem?

Message from ChatGPT:

If you have already installed Nginx on your router, you need to do the following:

  1. Configure the Nginx reverse proxy: add reverse proxy rules in the Nginx configuration file to forward requests to the home server's port. For example, to forward requests to port 80 of your home server, add the following rule to the Nginx configuration file:
 location / {
     proxy_pass http://HOME_SERVER_IP:80;
 }
  2. Configure router port forwarding: enable port forwarding in the router's management interface and forward requests to the Nginx port. For example, if Nginx is configured on port 8080 of the router, forward the router's port 80 to port 8080.

As for the NAT loopback problem, it usually refers to the problem that occurs when accessing local services through the public IP from inside the same LAN. In that case you can try to solve it by modifying the router's NAT reverse proxy settings. However, if you are accessing home services through the ShadowsocksR global proxy, this problem may not apply.

Message from you:

Okay, now I roughly understand that it should be solved by adding an nginx configuration, so please help me generate it. Briefly, the requirements:

  • The program uses http to access resources
  • Listen on port 88
  • The router web interface is listening at http://10.10.10.1:88 and providing web services
  • Other default settings you help me add

Message from ChatGPT:

Ok, according to your needs, here is a simple Nginx configuration that you can add to your Nginx configuration file:

 server {
     listen 88;
     server_name localhost;
     location / {
         proxy_pass http://10.10.10.1:88;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
     }
 }

This configuration listens on port 88 and forwards all requests to http://10.10.10.1:88. The proxy_set_header directives set request headers so that the client's IP address and Host header are passed through correctly.

Note that if your router web interface is accessed via HTTPS, you need to change proxy_pass to https://10.10.10.1:443 and add an SSL configuration in Nginx.


In the end, after thinking it over, I decided the problem was neither the router nor the ssr-server side but the Shadowrocket client configuration on the phone. I added the same server in Quantumult X and saw that it uses rule-based routing by default, so I figured I should add an IP-CIDR rule for 10.10.10.0/24 so that traffic to that destination network also goes through the proxy. The domain name had worked all along because, with the proxy in the path, the DNS lookup for home.to is answered by dnsmasq on my OpenWrt and the connection is made from inside the LAN; a bare 10.10.10.1 destination, on the other hand, matched the client's default bypass for private address ranges and was sent straight out over mobile data, where that address is unreachable and the connection times out.

The rule I added:

Diversion Rules 1.jpg

After adding this split-routing (分流) rule, I could reach the home device by IP and port from the outside:

External access to the soft routing management page through the ip form.jpg

Then I went back to Shadowrocket and added the same CIDR proxy rule, but it did not work.

Eventually I found that a general rule in the default configuration (default.conf) already skips the proxy (跳过代理) for this traffic: its IP-CIDR entry is 10.0.0.0/8, which contains 10.10.10.0/24. Rules are matched in order, first match wins, so that entry bypasses the proxy before the rule I added later is ever consulted.

default conf1.jpg

This is the important point. I deleted the original 10.0.0.0/8 entry and then added 10.10.10.0/24 to go through the proxy, which solved the problem on Shadowrocket as well. Note the side effect: with 10.0.0.0/8 no longer bypassed, every other destination in that range also goes through the proxy, which is usually fine on mobile data. If the bypass entry lives in the ordinary rule list rather than a separate setting, placing the more specific 10.10.10.0/24 rule above the broad one is the narrower alternative.

skip proxy 1.jpg
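To make the first-match behaviour behind the Shadowrocket problem concrete, here is an added Python example (not part of the original post, and not the real rule engine of Shadowrocket or Quantumult X). It models a simplified rule list with IP-CIDR, DOMAIN-SUFFIX and FINAL entries, evaluates a destination top to bottom, and flags IP-CIDR rules that are shadowed by an earlier, broader one. The rule lists are constructed for the demo; IP-CIDR rules are matched only against IP-literal destinations (like the clients' no-resolve behaviour), which is an assumption of the model, and the three rule sets correspond to the original default list, the fix from the post, and the reorder alternative.

```python
import ipaddress

# Constructed rule lists.  ORIGINAL mirrors the situation on the page: the
# default list bypasses 10.0.0.0/8, and the 10.10.10.0/24 -> PROXY rule was
# appended after it, so it never gets a chance to match.
ORIGINAL = """
IP-CIDR,10.0.0.0/8,DIRECT        # default "skip proxy" entry
IP-CIDR,172.16.0.0/12,DIRECT
IP-CIDR,192.168.0.0/16,DIRECT
IP-CIDR,10.10.10.0/24,PROXY      # added later; shadowed by 10.0.0.0/8
FINAL,PROXY
"""

# The fix from the post: drop 10.0.0.0/8 and keep the /24 -> PROXY rule.
FIXED_REMOVE = """
IP-CIDR,172.16.0.0/12,DIRECT
IP-CIDR,192.168.0.0/16,DIRECT
IP-CIDR,10.10.10.0/24,PROXY
FINAL,PROXY
"""

# Alternative when the bypass entry is an ordinary rule: put the more
# specific rule first and keep the broad bypass for everything else.
FIXED_ORDER = """
IP-CIDR,10.10.10.0/24,PROXY
IP-CIDR,10.0.0.0/8,DIRECT
IP-CIDR,172.16.0.0/12,DIRECT
IP-CIDR,192.168.0.0/16,DIRECT
FINAL,PROXY
"""


def parse_rules(text):
    """Parse 'TYPE,arg,POLICY' lines into (type, arg, policy) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        kind = parts[0].upper()
        if kind == "FINAL":
            rules.append((kind, None, parts[1]))
        elif kind == "IP-CIDR":
            rules.append((kind, ipaddress.ip_network(parts[1], strict=False), parts[2]))
        elif kind == "DOMAIN-SUFFIX":
            rules.append((kind, parts[1].lower(), parts[2]))
        else:
            raise ValueError(f"unsupported rule type in: {raw!r}")
    return rules


def describe(rule):
    kind, arg, policy = rule
    return f"{kind},{policy}" if arg is None else f"{kind},{arg},{policy}"


def route(rules, host):
    """Return (policy, matched_rule_text) for one destination host.
    Evaluation is first-match-wins, top to bottom."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                                   # it is a hostname
    for rule in rules:
        kind, arg, policy = rule
        if kind == "IP-CIDR" and ip is not None and ip in arg:
            return policy, describe(rule)
        if kind == "DOMAIN-SUFFIX" and ip is None:
            h = host.lower()
            if h == arg or h.endswith("." + arg):
                return policy, describe(rule)
        if kind == "FINAL":
            return policy, describe(rule)
    raise ValueError("rule list has no FINAL rule")


def shadowed_rules(rules):
    """IP-CIDR rules that can never match because an earlier IP-CIDR rule
    already covers the same or a larger prefix."""
    out = []
    for i, (kind, net, _) in enumerate(rules):
        if kind != "IP-CIDR":
            continue
        for pkind, pnet, _ in rules[:i]:
            if pkind == "IP-CIDR" and pnet.version == net.version and net.subnet_of(pnet):
                out.append(describe(rules[i]))
                break
    return out


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("remove /8", FIXED_REMOVE), ("reorder", FIXED_ORDER)):
        rules = parse_rules(text)
        for host in ("10.10.10.1", "home.to", "10.20.0.5"):
            print(f"{name:10} {host:12} -> {route(rules, host)}")
        print(f"{name:10} shadowed: {shadowed_rules(rules)}")
```

The third destination, 10.20.0.5, shows the difference between the two fixes: deleting the /8 sends every other 10.x address through the proxy, while reordering keeps them bypassed and only lifts the home /24 into the proxy. Running `shadowed_rules` over a client's rule file before debugging is the cheap check that would have pointed at the 10.0.0.0/8 entry immediately.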

With that, my requirements were fully met.
