TCP over UDP Proxy

How It Works

  • GFW:
    • allow: DNS (53/udp)
    • deny: everything else
  • Server:
    • eth0: 1.2.3.4
  • OpenWrt:
    • br-lan: 192.168.1.1
  • Client:
    • eth0: 192.168.1.102
+--------+    +---------+    +--------+
| Client | -> | OpenWrt | -> | Server |
+--------+    +---------+    +--------+
                kcptun     ...  kcptun (53/udp)
    ssh  ...  shadowsocks  ... shadowsocks (8388/tcp)
            dnscrypt-proxy ... cisco-port53 (53/udp)
                dnsmasq    ... localhost#5353 (5353/udp)

kcptun (server)

shadowsocks (server)

kcptun (openwrt)

$ cat /etc/config/kcptun
config kcptun shadowsocks  
    option enabled '1'
    option localaddr ':8388'
    option remoteaddr '1.2.3.4:53'
$ /etc/init.d/kcptun restart

shadowsocks (openwrt)

The `list wan_bp_ips '1.2.3.4'` line under access_control exempts the server's own address from the transparent-proxy rules; without it, kcptun's own traffic to 1.2.3.4 could be redirected back into the proxy.

$ cat /etc/config/shadowsocks
config transparent_proxy  
    option local_port '1234'
    option udp_relay_server 'same'
    option main_server 'jp'

config socks5_proxy  
    option local_port '1080'
    option server 'jp'

config port_forward  
    option local_port '5300'
    option destination '8.8.4.4:53'
    option enable '0'
    option server 'jp'

config access_control  
    option lan_target 'SS_SPEC_WAN_AC'
    option wan_bp_list '/dev/null'
    list wan_bp_ips '1.2.3.4'

config servers 'jp'  
    option timeout '60'
    option alias 'jp'
    option auth '1'
    option server '127.0.0.1'
    option server_port '8388'
    option password '********'
    option encrypt_method 'chacha20'
$ /etc/init.d/shadowsocks restart

dnscrypt-proxy (openwrt)

Note that `option address '0.0.0.0'` makes dnscrypt-proxy listen on every interface of the router, including WAN, unless the firewall drops inbound WAN traffic (the OpenWrt default). Since dnsmasq below only forwards to 127.0.0.1#5353, binding to 127.0.0.1 is sufficient for this setup.

$ opkg install dnscrypt-proxy
$ cat /etc/config/dnscrypt-proxy
config dnscrypt-proxy ns1  
    option address '0.0.0.0'
    option port '5353'
    option resolver 'cisco-port53'
$ /etc/init.d/dnscrypt-proxy restart

dnsmasq (openwrt)

$ cat /etc/config/dhcp
...
config dnsmasq  
    option noresolv '1'
    list server '127.0.0.1#5353'
...
$ /etc/init.d/dnsmasq start

ssh (client)

With OpenBSD-style netcat, `nc -x 192.168.1.1` without an explicit port uses SOCKS5 on port 1080, which matches the socks5_proxy section configured on the OpenWrt box above; other netcat variants may not support `-x`.

Host jp  
    HostName 1.2.3.4
    User root
    ProxyCommand nc -x 192.168.1.1 %h %p