shadowsocks / go-shadowsocks2 Goto Github PK

Currently the project seems to have most of its functions unexported, so it's quite difficult to use it as a library (embed into another project).

Are there any plans on this?

go-shadowsocks2 currently supports Netfilter TCP redirect, it would be terrific if it can support UDP redirect.

shadowsocks-libev already has it supported, and it only works on Linux kernels with TPROXY enabled. But TPROXY has one big shortcoming: it can only be used in PREROUTING chain of mangle table. This means that TPROXY can only redirect UDP packets sent from other machines, for example you can use TPROXY on a LAN gateway to forward all LAN UDP packets to SS server.

For iptables configuration example, please check https://github.com/shadowsocks/shadowsocks-libev#advanced-usage

continue riobard#1

谢谢

Hi
I could not install and got these:

# github.com/shadowsocks/go-shadowsocks2
./tcp_linux.go:58: undefined: syscall.SYS_GETSOCKOPT
./tcp_linux.go:76: undefined: syscall.SYS_GETSOCKOPT

OS is debian and go version 1.7.4

Because i am in a corporation network, i run shadowsocks with HTTP_PROXY=192.168.1.100:80 go-shadowsocks2 -verbose -socks :1081 -c server:port -cipher aes-256-cfb -password xxxxxx, but the system proxy HTTP_PROXY=192.168.1.100:80 not work. Hope shadowsocks can support system proxy.

看到很多 Shadowsocks 的实现，但基本架构没有变。
仍然是中心化的，一个服务端，一个或多个客户端。

要么就实现了负载均衡，服务端有多个 ss server，对外一个访问地址。
但这仍是中心化的。

这存在一些弊端：

1. 由于中心化，个人自建 ss 昂贵，合租又麻烦；
2. 由于中心化，组织创建的提供 ss 帐号的网站，声势大了会被当局整治，尤其是在新网络安全法生效后，监管将更加严格；
3. 配置繁琐，而且不能一劳永逸。

最近在看 Bitcoin（区块链） 的架构，受到一些启发，在想是否能够实现一套具备下面特征的 ss 网络。

1. 分布式（防止被当局一锅端）；
2. P2P（加入网络即可，无需复杂服务端客户端配置，小白和女友都会）；
3. 节点之间互信互联，传输仍然加密；
4. 匿名的（相当于具备了 Tor 网路）；
5. 费用？能翻墙的赚钱，贡献多赚的多；需要翻墙的花钱，用的多花的多。

我想，这样的 ss 可以称作 Next-generation Shadowsocks 吧。

个人认知有限，轻喷！

因为 net.Listener 没法 SetDeadline，而且应该加上这个 Deadline 配置参数。

在do上部署了服务端，在win下使用客户端时，过一段时间会出现断流问题，以下为错误日志：

请问如何解决该问题？

go官方自带了几种完善的压缩算法，所以在数据relay的时候对数据进行压缩/解压是否有意义？等效于降低线路丢包率？

Please write something in the readme.
Thanks.

In the shadowsocks/shadowsocks-libev#1248 @madeye suggest me to use go-shadowsocks2 in windows instead of ss-libev, And I use go get -u -v github.com/shadowsocks/go-shadowsocks2 to install it in my mingw64. So now.. How can I build It into a static exe file? Because I found that It going wrrong if I move the "go-shadowsocks2.exe" to another path. so I think it is using some other link files?

项目内用到了几个golang.org的包。
因为众所周知的原因，国内访问不了。
这就会陷入死循环，来弄shadowsocks就是为了翻墙，然而要弄shadowsocks就需要先翻墙才能拉下来相应的包……
幸好golang官方在github上做了mirror。建议采用mirror方式。
比如，用 github.com/golang/crypto 代替 golang.org/x/crypto，这样的话只要github还活着就不会遇见类似的问题。

May 21 00:43:30 vultr.guest go-shadowsocks2[14381]: 2017/05/21 00:43:30 failed to get target address: cipher: message authentication failed
May 21 00:43:31 vultr.guest go-shadowsocks2[14381]: 2017/05/21 00:43:31 failed to get target address: EOF

I found that the io.Copy(left, right) can be blocked. So the tcp connection will not be released. Have you found that?@riobard

fino@cts-154:~$ go get -u -v github.com/shadowsocks/go-shadowsocks2
github.com/shadowsocks/go-shadowsocks2 (download)
Fetching https://golang.org/x/crypto/chacha20poly1305?go-get=1
https fetch failed: Get https://golang.org/x/crypto/chacha20poly1305?go-get=1: dial tcp 216.239.37.1:443: i/o timeout
package golang.org/x/crypto/chacha20poly1305: unrecognized import path "golang.org/x/crypto/chacha20poly1305" (https fetch: Get https://golang.org/x/crypto/chacha20poly1305?go-get=1: dial tcp 216.239.37.1:443: i/o timeout)
Fetching https://golang.org/x/crypto/hkdf?go-get=1
https fetch failed: Get https://golang.org/x/crypto/hkdf?go-get=1: dial tcp 216.239.37.1:443: i/o timeout
package golang.org/x/crypto/hkdf: unrecognized import path "golang.org/x/crypto/hkdf" (https fetch: Get https://golang.org/x/crypto/hkdf?go-get=1: dial tcp 216.239.37.1:443: i/o timeout)
github.com/Yawning/chacha20 (download)

################################################################################
it seems golang.org/x/crypto is not there,
my PC is ubuntu 14.04, go version is 1.8.3, 1 month ago when I just installed go-shadowsocks2 on my server and it works fine. any one meet the same issue?

BR fino

which cipher will add to shadowsocks2 ?
shadowsocks2接下来准备兼容哪些加密算法

Hi,

thanks a lot for this outstanding implementation.
The only way I can connect to my Shadowsocks-libev server is using this command:
-c ss://AEAD_CHACHA20_POLY1305:PASSWORD@XXX:SERVER_PORT -verbose -socks :LOCAL_PORT
after adding this line:
-udptun :8053=8.8.8.8:53,:8054=8.8.4.4: -tcptun :8053=8.8.8.8:53,:8054=8.8.4.4:53
I can no longer open pages.
What does this line do? and where do I have to enter the two ports 8053 and 8054?
And another problem is I have DNS Leak, some websites, like Facebook, and Twitter return another IP, (not the actual IP - hence DNS Leak).

VPS (OpenVZ): CentOS 7 running Shadowsocks-libev
Client: Windows 10
Connecting using CMD.

Thanks a lot.

Ver: c2e7710

Server
go-shadowsocks2 -s ss://AEAD_CHACHA20_POLY1305:TEST@:8088 -verbose

Client
go-shadowsocks2 -c ss://AEAD_CHACHA20_POLY1305:TEST@[SERVER]:8088 -verbose -u -socks :2000

Test
curl --socks5-hostname 127.0.0.1:2000 ip.gs

Error
curl: curl: (7) Failed to receive SOCKS5 connect request ack.
server: failed to get target address: SOCKS error: 7

I'd like to contribute to this repo but don't know where to start.

Features are freezed? TODO list in README doesn't have any new features.

Running go get -u -v github.com/shadowsocks/go-shadowsocks2 returns;

user@na01:~# go get -u -v github.com/shadowsocks/go-shadowsocks2
github.com/shadowsocks/go-shadowsocks2 (download)
github.com/Yawning/chacha20 (download)
Fetching https://golang.org/x/crypto/chacha20poly1305?go-get=1
Parsing meta tags from https://golang.org/x/crypto/chacha20poly1305?go-get=1 (status code 200)
get "golang.org/x/crypto/chacha20poly1305": found meta tag main.metaImport{Prefix:"golang.org/x/crypto", VCS:"git", RepoRoot:"https://go.googlesource.com/crypto"} at https://golang.org/x/crypto/chacha20poly1305?go-get=1
get "golang.org/x/crypto/chacha20poly1305": verifying non-authoritative meta tag
Fetching https://golang.org/x/crypto?go-get=1
Parsing meta tags from https://golang.org/x/crypto?go-get=1 (status code 200)
golang.org/x/crypto (download)
Fetching https://golang.org/x/crypto/hkdf?go-get=1
Parsing meta tags from https://golang.org/x/crypto/hkdf?go-get=1 (status code 200)
get "golang.org/x/crypto/hkdf": found meta tag main.metaImport{Prefix:"golang.org/x/crypto", VCS:"git", RepoRoot:"https://go.googlesource.com/crypto"} at https://golang.org/x/crypto/hkdf?go-get=1
get "golang.org/x/crypto/hkdf": verifying non-authoritative meta tag
Fetching https://golang.org/x/crypto?go-get=1
Parsing meta tags from https://golang.org/x/crypto?go-get=1 (status code 200)
golang.org/x/crypto/chacha20poly1305/internal/chacha20
golang.org/x/crypto/poly1305
# golang.org/x/crypto/poly1305
go/src/golang.org/x/crypto/poly1305/sum_amd64.s:8 6a: No such file or directory: textflag.h
golang.org/x/crypto/hkdf
github.com/Yawning/chacha20
# github.com/Yawning/chacha20
go/src/github.com/Yawning/chacha20/chacha20_amd64.s:936 redeclaration of rounds_loop4_begin
go/src/github.com/Yawning/chacha20/chacha20_amd64.s:1077 redeclaration of rounds_loop2_begin
github.com/shadowsocks/go-shadowsocks2/socks

All seems well, but there is no runable binary in my $GOPATH.

Go Version: go version go1.3.3 linux/amd64

Hello,

It seems there is no option to create a configuration file (e.g. Config.json) like there is for shadowsocks-libev. This would make it much easier to run instead of always typing the details each time you run shadowsocks2.

Best regards,

I'm actually addressing an outstanding issue: #27 (Feature Request: HTTP proxy)

Based on my experience with Android, https://play.google.com/store/apps/details?id=com.github.shadowsocks covers every need on a per app basis. So there is no need for HTTP proxy Android platform.

On Windows and Linux systems, there is the excellent privoxy. It can server as a HTTP proxy and connect upstream to go-shadowsocks2. In fact, some windows shadowsocks client come with privoxy bundled to alleviate the need for HTTP proxy. Anyone who is smart enough to know how good go-shadowsocks2 is should also be smart enough to configure and use privoxy, right?

Personally, I'd like to see go-shadowsocks2 maintain its edge in providing cutting-edge shadowsocks feature, such as support for latest cryptos. I am very happy to say that I very impressed by the fact that when I uploaded the some 2MB go-shadowsocks2.exe to a nano server, it just worked as a server (in addition to being a client) and supported AEAD_CHACHA20_POLY1305.

My appreciations to the developer(s)!

能不能像go版一样提供二进制预编译好的服务器版啊，很有用啊。

Is that possible to give some instructions/guides on how to setup iptable rules for Netfilter TCP redirect?
I plan to make a router based on debian. (there are many online tutorials/docs about how to do this). I would like to know how to setup iptable rules to use go-shadowsocks2 on this debian router. similar to openwrt version shadowsocks-libev: Route non-china IPs (IPs not in ignore.list) through go-shadowsocks2. I am new to iptables and wondering if it's possible to get some instructions. Thank you very much.

Hi! Please add ability run SOCK and HTTP proxy at the same time.

nm := newNATmap(config.UDPTimeout)

There is no change to remove key-values from nm.
And the keys are only made from remote addresses. If there are two clients which send-receive udp packet from the same remote address, it will be a problem.

nm.Add(raddr, c, pc, false)

func (m *natmap) Add(peer net.Addr, dst, src net.PacketConn, srcIncluded bool) {
m.Set(peer.String(), src)

go func() {
timedCopy(dst, peer, src, m.timeout, srcIncluded)
if pc := m.Del(peer.String()); pc != nil {
pc.Close()
}
}()
}

Every udp packet need a goroutine.

you want to export one such interface

type ObfuPlugin func (conn net.Conn) (obfsConn net.Conn, err error)

see shadowsocks/shadowsocks-org#28

would you please support shadowsocks-libev 's udp relay?

minor

The cache2go is a good choice for caching dns-results.

go-shadowsocks2 -s ss://aes-128-gcm:your-password@:8488 -verbose >>ss.log
这样是不能记录日志的，该怎么处理才能记录日志到ss.log？

另外
go-shadowsocks2 -s :8488 -cipher aes-256-cfb -key LlUmH_yMgh4YNhvayBQrs6aQHBThNpWjz1yHz0U-ePA= -verbose
服务端这么使用的情况下，客户端没密码？怎么使用？

感觉命令和其他ss版本差距太大，具体怎么使用还是没看懂，为什么不推出配置文件夹在的方法？还有顺便问下TFO什么时候推出？

In windows, I find this go2 is the only client that support AEAD. Is it also support simple-obfs ？

when I copy left buffer manually at first, it is woking.

func relay(left, right net.Conn) (int64, int64, error) {
	type res struct {
		N   int64
		Err error
	}

	ch := make(chan res)

	buf := make([]byte, 1024)
	for {
		nread, _ := left.Read(buf)
		if nread > 0 {
			right.Write(buf[0:nread])
		}
		if nread != 1024 {
			break
		}
	}

	go func() {
		n, err := io.Copy(right, left)
		right.SetDeadline(time.Now()) // wake up the other goroutine blocking on right
		left.SetDeadline(time.Now())  // wake up the other goroutine blocking on left
		ch <- res{n, err}
	}()

	n, err := io.Copy(left, right)
	right.SetDeadline(time.Now()) // wake up the other goroutine blocking on right
	left.SetDeadline(time.Now())  // wake up the other goroutine blocking on left
	rs := <-ch

	if err == nil {
		err = rs.Err
	}
	return n, rs.N, err
}

I wanna to implement the kcpserver and kcplocal to use the kcp protocal more easily by using kcp-go.I wonder if I can add this feature to the project? :D

感觉这个是个硬需求。感觉挺多都是合租的，应该都希望可以控制下

Windows 10 1607, x64 anniversary update.
Go installed today 1.8.1
Git installed today
go-shadowsocks2 from today

I just changed my server IP and password, and copy paste the command indicated in readme, i.e. using default cipher:
go-shadowsocks2 -c ss://AEAD_CHACHA20_POLY1305:[email protected]:8xxx -verbose -socks :1080 -udptun :8053=8.8.8.8:53,:8054=8.8.4.4:53 -tcptun :8053=8.8.8.8:53,:8054=8.8.4.4:53
Gives me error: cipher not supported

// Handshake fast-tracks SOCKS initialization to get target address to connect.
func Handshake(rw io.ReadWriter) (Addr, error) {
	// Read RFC 1928 section 4 for request and reply structure and sizes
	buf := make([]byte, MaxReqLen)

	_, err := rw.Read(buf) // SOCKS version and auth methods
	if err != nil {
		return nil, err
	}

	_, err = rw.Write([]byte{5, 0}) // SOCKS v5, no auth required
	if err != nil {
		return nil, err
	}

	n, err := rw.Read(buf) // SOCKS request: VER, CMD, RSV, Addr
	if err != nil {
		return nil, err
	}
	buf = buf[:n]

	if buf[1] != CmdConnect {
		return nil, ErrCommandNotSupported
	}

	_, err = rw.Write([]byte{5, 0, 0, 1, 0, 0, 0, 0, 0, 0}) // SOCKS v5, reply succeeded
	return buf[3:], err                                     // skip VER, CMD, RSV fields
}

上面SOCKS5握手的代码是不是太简单了，Read的时候没有判断是不是已经读到了想要的数据量，比如可以用io.ReadFull。

According to the document about AEAD in shadowsocks.org. HKDF_SHA1 is strong enough even if the in put key is weak.

But I get the code in ss-go2 that hashing and expanding the input key to requested key length first, then get the hashed key do the HKDF_SHA1 again to get the subkey for AEAD.

Why do this? And I can't see the document request for re-hashing & expanding for the key.

Only once HKDF operation is leaking safty?

Thx dude, waiting for reply.

@riobard

github.com/shadowsocks/go-shadowsocks2/socks.Addr.String(0x188d9680, 0x2, 0x103, 0x2, 0x103)

Currently go-shadowsocks2 uses an ss:// URL as the way to import config, which is simplistic in desktop cases while not in server cases. Config file support enables us to write a universal systemd (or equivalents on other platforms) service that is good for distribution.

不知道有人遇到没, 放局域网不行, 放公网也不行

https://ws2.sinaimg.cn/large/6f8c134agy1fdgm80h3e7j20mv07f763.jpg
下载不了需要的其它资源

Is there any plan to support Xchacha20?

运行
go get -u -v github.com/shadowsocks/go-shadowsocks2
后，运行
go-shadowsocks2 -s ss://AEAD_CHACHA20_POLY1305:***@:*** -verbose
显示
-bash: go-shadowsocks2: command not found
请帮忙，谢谢！

操作系统：Windows 10
Firefox版本: 54.0.1 (64-bit)
启动命令：go-shadowsocks2 -c ss://AES-256-CFB:your-password@[server_address]:[server_port] -verbose -socks :1080
错误信息：failed to get target address: SOCKS error: 7

备注
Chrome使用go-shadowsocks2没有问题
Firefox使用shadowsocks-windows也没有问题