Bug: Shadowsocks is not SOCKS5 #245

Closed
wolph opened this issue Sep 17, 2020 · 12 comments

@wolph
Contributor

wolph commented Sep 17, 2020

TLDR: The documentation says that shadowsocks takes care of SOCKS5 support. It does not.

As explained by the Shadowsocks site, the protocol is loosely based on SOCKS5 but it certainly is no SOCKS5: https://shadowsocks.org/en/spec/Protocol.html

To test:

 curl --proxy socks5h://localhost:8388 -vvv google.com
@wolph
Contributor Author

wolph commented Sep 17, 2020

To add SOCKS5 support I would suggest Privoxy :)

@wolph
Contributor Author

wolph commented Sep 17, 2020

Actually... even when using proxychains it's not working with a roughly stock configuration. I think the shadowsocks server might simply be broken.

# docker run --name surfshark --rm --cap-add=NET_ADMIN -e VPNSP=surfshark -p 8888:8888/tcp -p 8388:8388/tcp -p 8388:8388/udp -p 8001:8000/tcp -e EXTRA_SUBNETS='192.168.0.0/24,127.0.0.0/8' -e TINYPROXY=on -e SHADOWSOCKS=on -e SHADOWSOCKS_LOG=on -e REGION='Netherlands Amsterdam' qmcgaw/private-internet-access:latest
# proxychains curl -vvv ifconfig.me                    
ProxyChains-3.1 (http://proxychains.sf.net)
*   Trying 216.239.38.21:80...
* TCP_NODELAY set
|D-chain|-<>-127.0.0.1:8388-<><>-216.239.38.21:80-<--timeout
* Immediate connect fail for 216.239.38.21: Connection refused
*   Trying 216.239.36.21:80...
* TCP_NODELAY set
|D-chain|-<>-127.0.0.1:8388-<><>-216.239.36.21:80-<--timeout
* Immediate connect fail for 216.239.36.21: Connection refused
*   Trying 216.239.34.21:80...
* TCP_NODELAY set
|D-chain|-<>-127.0.0.1:8388-<><>-216.239.34.21:80-<--timeout
* Immediate connect fail for 216.239.34.21: Connection refused
*   Trying 216.239.32.21:80...
* TCP_NODELAY set
|D-chain|-<>-127.0.0.1:8388-<><>-216.239.32.21:80-<--timeout
* Immediate connect fail for 216.239.32.21: Connection refused
* Closing connection 0
curl: (7) Couldn't connect to server

proxychains config:

[ProxyList]
socks5 127.0.0.1 8388

When using this config it does work:

[ProxyList]
http 127.0.0.1 8888

@qdm12
Owner

qdm12 commented Sep 17, 2020

Indeed thanks! Also see #234 to support that feature.

@wolph
Contributor Author

wolph commented Sep 17, 2020

Excellent! That would make it a lot more versatile.

@qdm12 qdm12 closed this as completed Sep 18, 2020
@wolph
Contributor Author

wolph commented Sep 18, 2020

@qdm12 regarding the test with proxychains though... am I doing something wrong or is the current shadowsocks implementation broken?

@qdm12
Owner

qdm12 commented Sep 18, 2020

It's simply because shadowsocks is not a socks5 proxy (my bad). I even coded it from scratch for gluetun, I should have updated the documentation 😄 Anyway, it uses the socks5 protocol but adds an extra stream encryption layer on top. So with a socks5 client it will just reject you because you don't have the encryption nor the password to connect. Let me know, maybe I'm missing something out.

@wolph
Contributor Author

wolph commented Sep 18, 2020

The thing is... the example from the Shadowsocks wiki shows exactly this example: https://github.com/shadowsocks/shadowsocks/wiki/Using-Shadowsocks-with-Command-Line-Tools

So I would expect it to work.

@qdm12 qdm12 reopened this Sep 18, 2020
@qdm12
Owner

qdm12 commented Sep 18, 2020

Interesting. Although that wiki page has nothing about encryption nor password, which confuses me now 😕

@wolph
Contributor Author

wolph commented Sep 18, 2020

Perhaps the wiki is just wrong. Can't say I've ever used shadowsocks beyond a random test so I'm not sure what to expect.

@qdm12
Owner

qdm12 commented Sep 18, 2020

It seems to work with a different Shadowsocks client, so my guess is it's fine (although initially it was eating all your CPU but that's another silly story of mine haha!). I'd however be curious to run the same command in a socks5 proxy without encryption.

@wolph
Contributor Author

wolph commented Sep 19, 2020

It must be due to proxychains not using encrypted connections in that case.

@qdm12
Owner

qdm12 commented May 28, 2021

@wolph I believe it works, see my comment with steps on how to reproduce. Maybe you are mistaking the Shadowsocks server listening port (usually 8388) with the Shadowsocks client listening port (usually 1080).

Proxychains seems to work for SOCKS5 proxies, not Shadowsocks. The Shadowsocks client exposes a SOCKS5 proxy server on port 1080 though. I'm about to start work on a SOCKS5 proxy built into gluetun, so you should be able to use that directly with proxychains in the future... although careful, SOCKS5 IS NOT encrypted vs Shadowsocks.
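
Added example, not part of the thread and not gluetun's code: a small probe that sends the plaintext SOCKS5 greeting a SOCKS5 client opens with and checks for a valid method-selection reply, which tells a SOCKS5 listener apart from a port that expects Shadowsocks-encrypted traffic. The function names are illustrative; ports 8388 and 1080 are the ones mentioned in the comments above.

```python
import socket

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
NO_ACCEPTABLE_METHOD = 0xFF


def socks5_greeting(methods=(NO_AUTH,)):
    """RFC 1928 client greeting: VER, NMETHODS, METHODS..."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def classify_reply(reply):
    """Interpret whatever came back after the plaintext greeting."""
    if not reply:
        return "not-socks5: connection closed without a reply"
    if len(reply) < 2 or reply[0] != SOCKS_VERSION:
        return "not-socks5: reply is not a SOCKS5 method selection"
    if reply[1] == NO_ACCEPTABLE_METHOD:
        return "socks5: server requires an auth method we did not offer"
    return "socks5: method 0x%02x selected" % reply[1]


def probe_socket(sock, timeout=3.0):
    """Send the greeting on an already connected socket and classify the answer."""
    sock.settimeout(timeout)
    try:
        sock.sendall(socks5_greeting())
        reply = sock.recv(2)
    except socket.timeout:
        return "not-socks5: no reply before timeout"
    except OSError:
        return classify_reply(b"")
    return classify_reply(reply)


def probe(host, port, timeout=3.0):
    """Connect to host:port and report whether it speaks SOCKS5."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe_socket(sock, timeout)


if __name__ == "__main__":
    # Ports from the thread: 8388 (Shadowsocks server), 1080 (Shadowsocks client).
    for port in (8388, 1080):
        try:
            print(port, probe("127.0.0.1", port))
        except OSError as exc:
            print(port, "connect failed:", exc)
```

A "socks5:" result means tools such as proxychains or `curl --proxy socks5h://...` can talk to that port; a "not-socks5:" result on the Shadowsocks server port is expected, since it needs a Shadowsocks client in front of it.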
