My server setting in the foreign vps:
ss-server -s 0.0.0.0 -p 80 -l 1088 -k password -m chacha20-ietf -t 600 -A -u
My local setting in centos7 inside China:
ss-tunnel -s myvpsip -p 80 -l 53 -k password -m chacha20-ietf -t 600 -A -L 8.8.8.8:53 -v -u
Local input:
dig www.google.com @127.0.0.1 -p 53
And Local SS shows:
2016-11-11 09:41:42 INFO: onetime authentication enabled
2016-11-11 09:41:42 INFO: initializing ciphers... chacha20-ietf
2016-11-11 09:41:42 INFO: tcp port reuse enabled
2016-11-11 09:41:42 INFO: UDP relay enabled
2016-11-11 09:41:42 INFO: udp port reuse enabled
2016-11-11 09:41:52 INFO:[udp] server receive a packet
2016-11-11 09:41:52 INFO: [udp] cache miss: 8.8.8.8:53 <-> 127.0.0.1:37054
2016-11-11 09:41:57 INFO: [udp] server receive a packet
2016-11-11 09:41:57 INFO: sockaddr_cmp: sin_family equal? 1
2016-11-11 09:41:57 INFO: sockaddr_cmp: sin_port equal? 1
2016-11-11 09:41:57 INFO: [udp] cache hit: 8.8.8.8:53 <-> 127.0.0.1:37054
2016-11-11 09:42:02 INFO: [udp] server receive a packet
2016-11-11 09:42:02 INFO: sockaddr_cmp: sin_family equal? 1
2016-11-11 09:42:02 INFO: sockaddr_cmp: sin_port equal? 1
2016-11-11 09:42:02 INFO: [udp] cache hit: 8.8.8.8:53 <-> 127.0.0.1:37054
And local dig shows:
;; global options: +cmd
;; connection timed out; no servers could be reached
All ports were opened, and ss-local is successful in a test with the same settings.
Please Help Me! Thx!
As the log said, no remote udp packet received. Double check your firewall rules on your server.
I checked, and there is no error message on my server with the "-v" option; nothing shows. Port 80 is open and not blocked by the GFW or ISP, because I use the port successfully with my local "ss-local".
The error I posted above was on my local machine. The ports are open, too, with no blocking. Do you mean that there is blocking from my VPS server to my local machine? In my understanding, the process should be:
original local DNS request (udp53) ---- ss_tunnel listening on udp53 ---- forward the udp53 request by converting it to TCP and sending it via SS to my remote server ---- resolved IP comes back via SS to my local server ---- ss_tunnel receives the IP and converts it to udp53 ---- forwards it to the original requester.
Is that correct?
You can add -v to your server's command line, and post the log here.
2016-11-11 12:08:18 INFO: onetime authentication enabled
2016-11-11 12:08:18 INFO: UDP relay enabled
2016-11-11 12:08:18 INFO: initializing ciphers... chacha20-ietf
2016-11-11 12:08:18 INFO: tcp port reuse enabled
2016-11-11 12:08:18 INFO: udp port reuse enabled
2016-11-11 12:08:18 INFO: listening at 0.0.0.0:80
Sorry boss, nothing unusual showed.
It means no UDP packets arrived at your server. Double check your firewall settings and make sure UDP traffic is allowed.
If no problem is detected with your own settings, contact your VPS provider or ISP to make sure there are no UDP blocking rules on your network.
OK boss, I opened the UDP port on my server and it works.
But as I understand it, SS uses the TCP protocol to implement its functions such as confusion and encryption. If my client and server use a UDP port to communicate, is SS effective? In other words, is it just a UDP forwarder without confusion and encryption?
Forgive my rookie words :) Thx
The forwarding UDP packets are also encrypted. Refer to spec for more details: https://shadowsocks.org/en/spec/protocol.html
Got it! Thanks BOSS!
@santaclausbaby Hi, I encountered the same problem. I checked the iptables rules and have opened the UDP port (same as the TCP port of ss-server), but it does not work.
Can you tell me how you fixed it? Thx.
@Pason2C I opened the UDP port with the same port number as TCP. You can check your own server log as above.
@santaclausbaby I have opened the UDP port with the same port number as TCP, but it does not work. Maybe I should find time to reinstall it.
@Pason2C Sorry to fail to help you. Good luck buddy.
@santaclausbaby Thank you very much!
ss-server was probably started without the -u option; UDP relay has to be enabled for ss-tunnel to forward UDP.
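The diagnosis reached in this thread (ss-tunnel logs client packets but never a reply from the server) can be checked mechanically. The following is an added example, not part of the original thread or of the shadowsocks project; the sample is constructed from the ss-tunnel log lines posted above, and the reply-side message text in REPLY_MARKER is an assumption, since no such line appears in the thread.

```python
import re

# Constructed sample: ss-tunnel -v lines taken from the log posted in the thread.
SAMPLE_LOG = """\
2016-11-11 09:41:42 INFO: UDP relay enabled
2016-11-11 09:41:52 INFO:[udp] server receive a packet
2016-11-11 09:41:52 INFO: [udp] cache miss: 8.8.8.8:53 <-> 127.0.0.1:37054
2016-11-11 09:41:57 INFO: [udp] server receive a packet
2016-11-11 09:41:57 INFO: [udp] cache hit: 8.8.8.8:53 <-> 127.0.0.1:37054
2016-11-11 09:42:02 INFO: [udp] server receive a packet
2016-11-11 09:42:02 INFO: [udp] cache hit: 8.8.8.8:53 <-> 127.0.0.1:37054
"""

# Tolerates both "INFO: msg" and "INFO:msg", as both forms occur in the posted log.
LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d INFO:\s*(.*)$")
FLOW = re.compile(r"\[udp\] cache (?:miss|hit): (\S+) <-> (\S+)")
# Assumption: wording of the line logged when a reply comes back from ss-server.
REPLY_MARKER = "[udp] remote receive a packet"

def analyze(log_text):
    """Count client requests, server replies and flows in an ss-tunnel -v log."""
    stats = {"udp_relay": False, "requests": 0, "replies": 0, "flows": set()}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        flow = FLOW.search(msg)
        if msg == "UDP relay enabled":
            stats["udp_relay"] = True
        elif msg == "[udp] server receive a packet":
            stats["requests"] += 1
        elif msg == REPLY_MARKER:
            stats["replies"] += 1
        elif flow:
            stats["flows"].add(flow.groups())  # (tunnel target, local client)
    return stats

def diagnose(stats):
    """Map the counters to the causes discussed in the thread."""
    if not stats["udp_relay"]:
        return "local UDP relay is off: start ss-tunnel with -u"
    if stats["requests"] == 0:
        return "no client packets reached ss-tunnel: check the local listener"
    if stats["replies"] == 0:
        return ("requests sent, no replies: allow UDP on the ss-server port "
                "and run ss-server with -u")
    return "replies received: the UDP path works"

if __name__ == "__main__":
    print(diagnose(analyze(SAMPLE_LOG)))
```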