
Simultaneously listening for ShadowSocks and SoftEther on port 443

November 20, 2020

Background

It has been quite a while since my first article, but here is the main one at last. There was not much information on this topic in Japanese, so I hope it is useful to others.

This time I built an environment in which ShadowSocks and SoftEther coexist on a single port. In outline, HAProxy listens on port 443 and hands each incoming connection to ShadowSocks or SoftEther depending on what the client sends. The SoftEther client sends the server's host name in the TLS Server Name Indication (SNI), so HAProxy can route on that. Because HAProxy only proxies TCP, SoftEther's UDP acceleration cannot be used with this setup. (Personally I never noticed much benefit from it, and the reason I wanted port 443 in the first place was a network where only 443 was allowed for security reasons, so this is probably not a big problem.)

Something similar can apparently be done with a plugin for shadowsocks-libev, but it did not work in my environment. An acquaintance later told me that some package names changed in CentOS 8 and dependencies may not resolve correctly, so that may have been the cause.

This article assumes the following. If you want to build everything from scratch, please refer to other articles.

- CentOS 8
- ShadowSocks is installed
- SoftEther is installed
- A domain name points at the server

If you have not installed them yet, please refer to my earlier articles on installing each of them.


For the domain, simply point the domain name at the server's IP in the usual way (an ordinary A or AAAA record); nothing SNI-specific is needed on the DNS side. As long as the name resolves to the server's IP, you are fine.

Set up HAProxy

Now install and configure HAProxy, the centrepiece of this article. If you installed ShadowSocks and SoftEther following my earlier articles, both are already listening on port 443, so HAProxy would fail to bind it. Stop both services first (the service names below are the ones configured in those articles):

# stop ShadowSocks
systemctl stop ss.service
systemctl disable ss.service
# stop SoftEther
systemctl stop vpnserver.service
systemctl disable vpnserver.service
# confirm that both are stopped, if necessary
systemctl status ss.service
systemctl status vpnserver.service

After stopping both services, install HAProxy with the following command.

dnf -y install haproxy

After installation, edit the HAProxy configuration file.

vi /etc/haproxy/haproxy.cfg

The parts to add are shown below.

#---------------------------------------------------------------------
# main frontend: listens on 443 and picks a backend from the TLS SNI
#---------------------------------------------------------------------
frontend ssl
    mode tcp
    bind *:443
    # buffer up to 5 s of client data so the ClientHello (or the
    # initial HTTP request) can be inspected before routing
    tcp-request inspect-delay 5s
    # the SoftEther client first speaks HTTP and then switches to TLS,
    # so accept both as soon as they are recognised
    tcp-request content accept if HTTP
    tcp-request content accept if { req.ssl_hello_type 1 }
    # SNI equal to the server's domain name -> SoftEther
    # (delete this line if you connect to ShadowSocks by domain name)
    acl vpn-server req_ssl_sni -i <server-domain-name>
    # SoftEther client connecting with the "/tcp" suffix on the host name
    acl vpn-server req_ssl_sni -i <server-domain-name>/tcp
    use_backend bk-vpn-server if vpn-server
    # everything else (including Shadowsocks, which is not TLS) -> ShadowSocks
    default_backend bk-ss-server

#---------------------------------------------------------------------
# backends: both listen on loopback only, on the ports configured below
#---------------------------------------------------------------------
backend bk-vpn-server
    mode tcp
    # SoftEther listener port
    server default 127.0.0.1:3000

backend bk-ss-server
    mode tcp
    # ShadowSocks port
    server default 127.0.0.1:2000

In these routing rules, the SoftEther client sends the server's domain name as the TLS SNI, so a connection whose SNI matches the configured domain name is sent to SoftEther and everything else goes to ShadowSocks. When the SoftEther client connects it first sends an HTTP request and only then switches to TLS, so the tcp-request content accept rules must recognise both kinds of traffic; otherwise the connection is dropped part-way through. As mentioned above, HAProxy does not proxy UDP, so SoftEther's UDP acceleration cannot be used and every session is TCP-only, the same as when the client is given the host name with the "/tcp" suffix; that is why the acl also matches that form of the name. If you want to reach ShadowSocks by domain name you can delete the indicated acl line, but I do not recommend it because it makes the SoftEther configuration confusing. I have not reproduced the global and defaults sections because I do not remember changing them and they differ between versions.
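As an added example (not code from the original post, nor from HAProxy itself), the following Python script models what the frontend above does with the first bytes of each connection: it builds a TLS ClientHello carrying a chosen SNI, extracts the server name the way req_ssl_sni does, and applies the two acl vpn-server rules to choose a backend. The domain name vpn.example.com stands in for the placeholder in the config, and the Shadowsocks sample bytes are constructed; both are assumptions.

```python
"""Offline model of the SNI-based routing in the haproxy.cfg above.

HAProxy's `req.ssl_hello_type 1` fires once a complete TLS ClientHello is in
the buffer, `req_ssl_sni` pulls the server_name extension out of it, and the
`acl ... -i` comparison is case-insensitive. This script builds a minimal
ClientHello carrying a chosen SNI, parses it back the same way, and applies
the frontend's ACL logic to pick a backend.
"""
import os
import struct

VPN_DOMAIN = "vpn.example.com"   # stands in for <server-domain-name>; assumed value
BACKEND_VPN = "bk-vpn-server"    # backend names as in the haproxy.cfg above
BACKEND_SS = "bk-ss-server"

# Constructed stand-in for the first bytes a Shadowsocks client sends: AEAD
# ciphertext looks like random bytes and never forms a TLS handshake record.
SS_SAMPLE = bytes(range(0x20, 0x60))


def build_client_hello(sni, random_bytes=None):
    """Return a TLS record holding a minimal TLS 1.2 ClientHello with one SNI entry."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    host = sni.encode("ascii")
    # server_name extension (RFC 6066): list length, name_type 0 (host_name), name length, name
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    body = (
        b"\x03\x03"                             # client_version: TLS 1.2
        + random_bytes                          # 32-byte random
        + b"\x00"                               # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                           # compression_methods: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def extract_sni(data):
    """Return the host_name from a complete TLS ClientHello, or None.

    None covers everything HAProxy's `req.ssl_hello_type 1` would not accept:
    non-TLS bytes, a truncated record (real HAProxy keeps waiting for more
    data, up to inspect-delay), a handshake that is not a ClientHello, or a
    ClientHello without SNI.
    """
    try:
        if data[0] != 0x16 or data[1] != 0x03:        # handshake record, SSLv3/TLS
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 5 + rec_len:
            return None                               # incomplete record
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                             # hello_type 1 = ClientHello
            return None
        pos = 4 + 2 + 32                              # header, version, random
        pos += 1 + hs[pos]                            # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                            # compression_methods
        if pos >= len(hs):
            return None                               # no extensions at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000 and hs[pos + 2] == 0:          # server_name, host_name
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def choose_backend(first_bytes, domain=VPN_DOMAIN):
    """Apply the frontend's ACLs to the first bytes of a connection."""
    sni = extract_sni(first_bytes)
    wanted = (domain.lower(), domain.lower() + "/tcp")   # the two `acl vpn-server` lines
    if sni is not None and sni.lower() in wanted:
        return BACKEND_VPN
    return BACKEND_SS                                    # default_backend


if __name__ == "__main__":
    samples = [
        ("SoftEther client, plain host name", build_client_hello(VPN_DOMAIN)),
        ("SoftEther client, host name/tcp", build_client_hello(VPN_DOMAIN + "/tcp")),
        ("TLS client for some other name", build_client_hello("other.example.net")),
        ("Shadowsocks ciphertext (constructed)", SS_SAMPLE),
        ("truncated ClientHello", build_client_hello(VPN_DOMAIN)[:20]),
    ]
    for label, blob in samples:
        print(f"{label:40s} -> {choose_backend(blob)}")
```

The script reproduces the page's routing decisions: only a ClientHello whose SNI is the configured name (with or without "/tcp") reaches bk-vpn-server; a TLS client for any other name, Shadowsocks ciphertext, and anything HAProxy cannot parse all fall through to default_backend. A real HAProxy would hold a truncated ClientHello until inspect-delay expires rather than routing it immediately, which is what the 5s value in the frontend controls.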

Setting up ShadowSocks

Change the listening port in the ShadowSocks configuration file. Edit it with the command below (this is the path in my setup; yours may differ).

vi /snap/bin/config.json

{
    "server": ["[::1]", "127.0.0.1"],
    "mode": "tcp_and_udp",
    "server_port": 2000,
    "password": "password",
    "timeout": 60,
    "method": "chacha20-ietf-poly1305",
    "nameserver": "1.1.1.1",
    "reuse_port": true,
    "no_delay": true,
    "fast_open": true,
    "ipv6_first": true
}

The changed item is "server_port". Any free port will do, but it must be the same as the ShadowSocks port in the bk-ss-server backend of the HAProxy configuration (2000 above). Note that "server" binds to loopback only, so port 2000 is reachable solely through HAProxy and is not exposed to the network. Since HAProxy forwards TCP only, the UDP side of "tcp_and_udp" cannot be reached by clients in this setup. Replace "password" with a real secret, of course.

Setting up SoftEther

SoftEther is configured from the Server Manager: connect to the server, delete the existing listener from the listener list at the bottom left of the main screen, and add a new TCP listener on port 3000. At the same time disable or delete the TCP 443 listener, otherwise it will conflict with HAProxy.

Startup

Once all the settings are in place, start everything up. The order does not matter much; I suggest HAProxy, then ShadowSocks, then SoftEther. Use the following commands to start each service and register it for automatic startup.

# start HAProxy
systemctl start haproxy
systemctl enable haproxy
# start ShadowSocks
systemctl start ss.service
systemctl enable ss.service
# start SoftEther
systemctl start vpnserver.service
systemctl enable vpnserver.service
# confirm that all three are running
systemctl status haproxy
systemctl status ss.service
systemctl status vpnserver.service

If none of the statuses shows "failed" and you can connect from both clients at the same time, the setup is working; it is also worth confirming (for example with ss -ltnp) that only HAProxy holds port 443 and that ShadowSocks and SoftEther are listening on 2000 and 3000 on loopback. A mistake in the settings can cause unexpected routing or port conflicts (I have actually had intermittent connectivity because of such a conflict). In that case the HAProxy log shows which backend each connection was handed to, so here is how to enable it for reference. Edit the rsyslog configuration as follows.

vi /etc/rsyslog.conf

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
# uncomment these two lines so rsyslog accepts the log lines HAProxy sends
# to 127.0.0.1:514 (the default "log 127.0.0.1 local2" setting);
# binding to loopback keeps the syslog port closed to the network
module(load="imudp") # needs to be done just once
input(type="imudp" port="514" address="127.0.0.1")

Then set the log output destination.

vi /etc/rsyslog.d/haproxy.conf

Please enter the following information.

# local2 is the facility HAProxy logs to; write it to its own file ...
local2.info                       /var/log/haproxy.log
# ... and discard it afterwards so it does not also land in /var/log/messages
local2.* ~

Finally, restart rsyslog and HAProxy and you are done.

systemctl restart rsyslog
systemctl restart haproxy

The log is written to the following file.

cat /var/log/haproxy.log
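As an added example (not from the original post), here is a small Python script that reads HAProxy's TCP-mode log lines and reports, per connection, which backend HAProxy chose and whether the backend accepted the connection, which is exactly the question when a port conflict is suspected. The sample log lines are constructed for the example and use the frontend and backend names from the configuration above; the host name vpnhost and the client addresses are placeholders.

```python
"""Check which backend HAProxy sent each connection to, from /var/log/haproxy.log.

In `mode tcp` HAProxy writes one line per connection (tcplog format):
  <client>:<port> [<accept_date>] <frontend> <backend>/<server> Tw/Tc/Tt <bytes> <term> a/f/b/s/r q/q
The two-letter termination state together with Tc == -1 tells a backend that
refused the connection apart from a normal session.
"""
import re
from collections import Counter

TCPLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) haproxy\[(?P<pid>\d+)\]: "
    r"(?P<client>\S+):(?P<cport>\d+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) "
    r"(?P<backend>[^/ ]+)/(?P<server>\S+) (?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>-?\d+) "
    r"(?P<bytes>\d+) (?P<term>\S\S) (?P<conns>\S+) (?P<queues>\S+)$"
)

# Meaning of the first letter of the termination state (HAProxy docs, "Session state at disconnection").
TERM_FIRST = {
    "-": "normal",
    "C": "client aborted",
    "S": "server refused or aborted",
    "c": "client-side timeout",
    "s": "server-side timeout",
    "P": "closed by proxy",
    "I": "internal error",
}

# Constructed sample: two SoftEther sessions, one healthy Shadowsocks session,
# and one connection HAProxy could not hand to Shadowsocks (nothing on port 2000).
SAMPLE_LOG = """\
Nov 20 21:03:11 vpnhost haproxy[1834]: 203.0.113.10:51234 [20/Nov/2020:21:02:11.118] ssl bk-vpn-server/default 0/0/60120 48213 -- 2/2/1/1/0 0/0
Nov 20 21:03:15 vpnhost haproxy[1834]: 198.51.100.7:40022 [20/Nov/2020:21:03:07.002] ssl bk-ss-server/default 0/0/8231 10240 -- 3/3/1/1/0 0/0
Nov 20 21:03:20 vpnhost haproxy[1834]: 198.51.100.7:40023 [20/Nov/2020:21:03:20.410] ssl bk-ss-server/default 0/-1/3 0 SC 3/3/0/0/3 0/0
Nov 20 21:03:25 vpnhost haproxy[1834]: 203.0.113.10:51240 [20/Nov/2020:21:03:25.000] ssl bk-vpn-server/default 0/0/12 0 CD 2/2/0/0/0 0/0
"""


def parse_tcplog_line(line):
    """Parse one tcplog line into a dict, or return None if it is not one."""
    m = TCPLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("tw", "tc", "tt", "bytes"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse every tcplog line in `text`, skipping anything else (startup messages etc.)."""
    return [r for r in map(parse_tcplog_line, text.splitlines()) if r]


def connections_per_backend(records):
    """Count connections by backend: shows where HAProxy routed each client."""
    return Counter(r["backend"] for r in records)


def failed_connects(records):
    """Connections the chosen backend refused (termination state 'SC', Tc == -1).

    After the reconfiguration above this almost always means the backend is
    not listening on the port HAProxy was given (2000 or 3000).
    """
    return [r for r in records if r["term"] == "SC" and r["tc"] == -1]


def describe(rec):
    """One-line human summary of a parsed record."""
    state = TERM_FIRST.get(rec["term"][0], "unknown")
    return (f"{rec['client']} -> {rec['backend']}/{rec['server']} "
            f"{rec['bytes']} bytes, {rec['tt']} ms, {state} ({rec['term']})")


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for rec in records:
        print(describe(rec))
    print("per backend:", dict(connections_per_backend(records)))
    for rec in failed_connects(records):
        print("backend down?", rec["backend"], "refused", rec["client"])
```

Run it against the real file with parse_log(open("/var/log/haproxy.log").read()): a SoftEther client that keeps showing up under bk-ss-server means the SNI did not match the acl (check the domain name and the "/tcp" form), while a run of SC lines with Tc -1 for one backend means that backend is not listening on the port HAProxy expects.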

Brief summary

Running SoftEther and ShadowSocks together on one server is something I had wanted to do for a while, and since there was not much information in Japanese and I cannot read English, it was quite hard. I hope this article is useful to someone.
