UDP fallback somewhat broken in 5.1.0+? #2571
Comments
|
I just did some test again. In 5.1.0 which is the first version where you guys switched to shadowsocks-rust, with SIP003 plugin enabled and UDP fallback disabled, everything works, but if I enable UDP fallback, then error occurs. The same could not be said for 5.1.2, which is expected since fbffc98 was introduced in 5.1.2. But I think it further proves that UDP fallback is broken, since UDP over socks5 proxy works for 5.1.0 (presumably 5.1.1 too). |
|
Just tested UDP fallback + plugin working as intended. The change you mentioned shouldn't be relevant as you are always either using both UDP fallback + plugin or neither. Did you test v5.1.1 too? |
|
5.1.1 behaves similarly to 5.1.0. In summary, in versions 5.1.0, 5.1.1, 5.1.2, with UDP fallback enabled, in proxy mode, Adguard's UDP over socks5 connectivity check fails. Whereas in 5.0.6, same check passes, and same check passes in 5.1.0, 5.1.1, 5.1.2, if UDP fallback is disabled. Can you please tell me how you tested UDP relay with socks5 proxy? If I can confirm that socks5 proxy works, maybe it's adguard's connectivity check that's at fault, and I can open an issue over there. |
|
There is no difference in UDP relay between different modes. I think it's due to Adguard. Please update this issue if there is any new progress. |
|
Hello! I'm AdGuard developer. I investigated issue. After I added to line 110 of com.github.shadowsocks.bg.ProxyInstance It was fixed, and UDP relay if up and working, and can use it with AdGuard outbound proxy functionality. Otherwise, AdGuard receives "command not supported" in reply to "UDP ASSOCIATE" command. ShadowSocks 5.0.6 has been passing this parameter to shadowsocks-libev's ss-local, but ShadowSocks 5.1 doesn't do it now :( |
|
@sfionov It should be enabled via here: Make sure you have disabled plugin? |
|
I investigated complaints from users which use v2ray-plugin, that UDP doesn't work. Without plugin, it works. And with plugin it works too when I enable UDP. Is it expected behaviour to disable UDP relay when plugin is enabled? Some users used this configuration successfully on SS 5.0.x. |
|
Intended behavior. UDP should be turned off with plugins to evade traffic analysis. To use it you need to use UDP fallback. |
|
But this configuration is not full replacement. UDP fallback configuration is listening only on UDP port for packets with UDP SOCKS5 header, but SOCKS5 protocol also requires established TCP SOCKS5 connection with udp association, before sending packets to that association. May be sslocal may have a mode "tcp in this process, but also reply to udp associate with this host:port" ? |
|
First of all, If you are talking about running concurrent TCP/UDP connections, I think if you run the UDP profile on the same server, you should not encounter any issue. |
Yes, in ShadowSocks case it is not real association. But SOCKS5 protocol requires that this command is called before UDP packets are sent. But in I suggest to add another flag (e.g. |
|
I want a fake UDP ASSOC working in UDP fallback mode just as it works in My only concern in this scheme is that misconfiguration may reduce security - one sslocal directs client to "some address" which may not be another sslocal. |
|
I am not quite getting the point of "fake UDP ASSOC". Please make sure that I understand this correctly: "fake UDP ASSOC" is to return an address (specified by It seems that this is related to a "udp fallback" mode, what is "udp fallback"? |
|
@zonyitoo I think the point is to support |
|
It can be achieved by removing these lines: https://github.com/shadowsocks/shadowsocks-rust/blob/988e69d4dab676df9a61daf692765c353f5eb6f9/src/relay/tcprelay/socks5_local.rs#L208-L214 . But is that really a good solution? :( |
|
I think it is a good remedy since we are not doing anything with the connection anyways. |
|
Alternatively, maybe we can add an option so that the user can choose to enable this function? |
Well, if a socks5 server doesn't support a command, it should always return |
|
Since there is no way around, I have added a command line option for It will reply with this address no matter UDP association is enabled or not. |
|
Since shadowsocks-rust has added the function to create fake UDP association, and shadowsocks-android has updated underlying shadowsocks-rust, can devs please add the UI option to enable this function? Many thanks! @Mygod |
|
Reopening this for visibility (i.e. so that I do not forget). |
|
@terrytw Sorry to bother, but I have encountered this problem as you were. I can see that devs changed something but I don`t know how to use it. |
|
@JhonHuGit This issue has been fixed by the devs in 5.1.7. No user configuration needed. I am not having problem with it anymore. Try your setup in 5.0.6 first, if it does not work, then your problem is unrelated with this issue, you need to double check if your setup is correct. |
|
@terrytw Version 5.0.6 works perfectly. Once upgraded to 5.1.3 or above, I can't connect to Google.com. Strangly, websites that are not blocked by gfw, such as gamersky.com can be connected without ads. |
|
@JhonHuGit If you have
Then your problem is completely unrelated to this particular issue I opened, my issue is solely about udp over socks5. I would suggest you look somewhere else, if it works for you in 5.1.2, but not 5.1.3, you should look into the changes that had been made between those 2 versions. Change your settings, try every version starting from 5.1.0, find out what works and what does not. If you have identified a new problem, maybe open a new issue about it.
From the limited info you have provided, there is no problem with this setting, just don't forget to point your DNS resolver to the shadowsocks port. (On a second thought, you said it worked for you in 5.0.6, so you must have the DNS settings right) In 5.1.0, shadowsocks-android switched underlying program from shadowsocks-libev to shadowsocks-rust, which led to numerous changes, along with some bugs that have been gradually fixed. Some old features like DNS over UDP were dropped, which could've caused problems for some. My point is that it is difficult to pinpoint out what exactly is the problem for you, since there are so many things that were changed. |
|
@terrytw I have set my dns server to 127.0.0.1:5450 in adguard and it works! Thank you! |
* Allow user to keep data when uninstalling (shadowsocks#2506) * Update README.md * Update dependencies * Add cargo clean task * Enable LTO * Speed up rebuild * Update issue templates with labels * Update dependencies * Fix output name second attempt * Update NDK * Ensure cargoBuild is ran before mergeJniLibFolders * Bump version * Refine release build process * Refine gradle files * Add RUST_BACKTRACE * Use rethrowAsSocketException * Suppress write errors to protect_path * Update shadowsocks-rust * Bump version * Improve accessibility * Rename cipher plain to none * Revert "Add RUST_BACKTRACE" This reverts commit fdff88e. ndk-stack should be used instead. * Use cp.cloudflare.com for connectivity test Credits: https://www.v2ex.com/t/656983#r_8748918 * Update dependencies * Remote DNS setting is enabled unconditionally * Show more information on conflicting plugins Because one of you feckers just cannot learn to be decent. * Add support for PTR queries * Prevent querying PTR on custom Network * Suppress network unspecified exceptions * Handle IOException while reading * Refine handling duplicate plugins * Use any address as default DNS * Suppress EACCES for ProtectWorker * Clean up unused code * Do not suppress IOException * Disable UDP relay if plugin is enabled and no fallback * Remove unnecessary isExperimental * Update dependencies * Fix unchecked cast * Do not use WorkManager in device storage * Remove unnecessary directBootAware overloading * Suppress BadConfigurationProvider * Disable RemoveWorkManagerInitializer lint for apps * Update to Android 11 beta 1 * Request QUERY_ALL_PACKAGES for mobile * Refine code style * Fix ambiguous coroutineContext * Downgrade coroutines * Update dependencies * Deprecate using Handler * Fix shadowsocks#2546 * Only match exported plugins * Update dependencies * Update dependencies * Migrate to ML kit for scanning QR code Fixes shadowsocks#2548. * Make scanner immersive * Lock orientation to prevent camera recreation * Fix missing Serializable declaration * Add missing serialVersionUID * Update dependencies * Partially migrate to ActivityResultContracts AlertDialogFragment will be migrated after the API goes stable. * Add ActionBar to oss activity * Add ActionBar to details activity * Refine Scanner * Bump version * Update dependencies * Suppress cancellation exceptions * Skip processing if EOS is reached * Refine PTR compat * Fix shadowsocks#2557 * Fix shadowsocks#2562 * Update Android gradle * Set VPN flag properly Refine shadowsocks#2562. * Drop support for Android Lollipop * Update dependencies * Remove UDP upstream DNS support. Fix shadowsocks#2564 shadowsocks#2518 * Update shadowsocks-rust * Update dependencies * Decouple main dependencies from plugin lib * Simplify code * Add missing type * Update dependencies * Deprecate old backup mechanism for Android 5- * Update leanback theme to appcompat * Use singleTask launchMode * Fix build * Bump version * Update dependencies * Update dependencies * Bump plugin lib version to 2.0.0 * Add isV2 to PluginManager.InitResult * Pass a value with the VPN option, if plugin version < 2.0 * Switch to __android_vpn * Remove unnecessary parentheses * Update shadowsocks-rust * Bump version * Clean up and bump version * Revert camera-view back to alpha17 * Bump version * Update dependencies * Migrate away from deprecated APIs with core 1.3.0-alpha05 * Clean up code * Refine code style * Remove old ciphers. Fix shadowsocks#2621 * Enable single-threaded * Update shadowsocks-rust to 1.8.23 * Use Parcelize for TrafficStats * Fix platform insets on API 29- * Fix shadowsocks#2623 * Update barcode-scanning * Fix shadowsocks#2571 * Refine error message * Refine shadowsocks#2571 * Limit open sockets to 256 in UDP association. Fix shadowsocks#2625 * Bump version * Fix little problem of profile switching * Update shadowsocks-rust to 1.9.0 (shadowsocks#2622) * Fix shadowsocks#2638 * Bump version * Switch to local UDP DNS resolver (shadowsocks#2635) * Switch to the local UDP DNS resolver * Update shadowsocks-rust * Revert the rustup commands * Fix shadowsocks#2642 * Fix the ByteBuffer allocation * Update shadowsocks-rust * Revert to local UDS resolver Fix shadowsocks#2650 * Check deprecated ciphers (shadowsocks#2651) * Bump version * Fix shadowsocks#2301 * Bump version * Remove the non-ietf chacha20 and salsa20 ciphers * Fix shadowsocks#2665 * Update dependencies * Fix deprecation of kotlin extensions * Remove unused gcm work library for API 23+ * Use work-multiprocess * Refine code style * Update dependencies (shadowsocks#2672) * Update dependencies * Refine code style * Bump gradle to 6.8.2 * Drop packet if out of buffer * Refine error message * Enlarge the buffer size of a UDP connection * Bump version * Ignore all exceptions whilst updating subscriptions * Refine the JSON config file for ss-rust 1.10 * Refine the code style * Update shadowsocks-rust to v1.10.3 * Fix shadowsocks#2679 * Update dependencies Fixes shadowsocks#2699. * Fix deprecation of adapterPosition * Bump plugin to 2.0.1 * Migrate AlertDialogFragment to fragment result API * Remove useless dependency update * Migrate the rest to fragment result API * Remove unused field * Prevent crashing on shitty ROMs * Add search tool for profiles (shadowsocks#2682) * Suppress logging unsupported query type errors * Ignore if connection was prematurely closed * Use default udp_timeout=300 instead Refine shadowsocks#2625. * Mark underlyingNetwork as volatile Attempts at addressing shadowsocks#2667. * Fixed required targetFragments for preference * Downgrade gradle plugin * Update shadowsocks-rust and add back some ciphers Fix shadowsocks#2705 and shadowsocks#2663. * Update dependencies * Check plugin properly Fix shadowsocks#2667. * Check crypto before init * Make code style more Kotlin * Update core and remove workaround * Refine search to respect locale * Double fixes touch target * Resolve server name dynamically always (shadowsocks#2731) Fixes shadowsocks#2722. * Bump version * Downgrade fragment to 1.3.2 Fixes shadowsocks#2733. * Make plugin library depend on minimum version instead * Enable Parallel GC * Set useLegacyPackaging * Update the maven publish plugin (shadowsocks#2734) 1. Remove the unnecessary custom URL 2. Replace jcenter with mavenCentral * Handle illegal profiles properly * Fix windows build failed shadowsocks#2666 shadowsocks#2711 * Allowed build under msys2 or cygwin * Update dependencies * Bring back semitransparent TV app via build variants (shadowsocks#2741) This creates two variants for tv, freedom containing the original design, and google containing one matching Google's nonsense guideline. The former should be published on GitHub and elsewhere. Revert "Revert "Revert "Revert "Revert "Make app fullscreen to match guidelines""""" This reverts commit 0c67ac6. * Fix typo * Show full proxied apps mode to compensate for missing title * Use MaterialAlertDialogBuilder * Add progress indicator to ServiceButton * Remove elevation from progress * Only show progress for connecting * Only show progress when connecting is taking too long * Bump version * Update dependencies * Update sdk to S * Use registerBestMatchingNetworkCallback * Use OsConstants.ENONET * Deal with new requirements * Use main thread for default network callback on API 26+ * Remove unused code * Fix duplicate authentication * Update dependencies * Bump version * More stupid Android 6 bugs * Update dependencies * Downgrade leanback-preference * Update to API 31 * Remove STORAGE permission on Android 10+ * Update dnsjava * Ensure that redirects are always followed Fixes shadowsocks#2786, shadowsocks#2791. * Update dependencies * Update to AGP 7.0.2 * Fix lint * Update dependencies * Fix shadowsocks#2803 * Remove extra file * v5.2.6 * Revert "Show full proxied apps mode to compensate for missing title" This reverts commit d21cf7b. Fixes shadowsocks#2806. * Add linkedin.com to gfwlist * Fix Codacy badge * Update dependencies * Update .gitignore ignore DS_Store * Just to satisfy the obsessive-compulsive disorder :-) * Update shadowsocks-rust Update rust dependency * add new ciphers feature, and reorder cipher name * Modify acl rules * Update config.yml try to fix up the rust build error * enable armv8, neon feathures for hardware acceleration. * Fix the missing springAnimator * Update shadowsocks-rust to v1.15.0-alpha.5 * Bump version * Update translations Fixes shadowsocks#2867. * Add German and Ukrainian translations * Misc fixes * Fix order * Use system resolver * Update dependencies * Declare POST_NOTIFICATIONS * Protect sensitive profile information when copied * Add support for monochrome icons (not recommended) * Declare supported languages * Require authentication for closing service * Support skipping animation in StatsBar * Downgrade AGP * Misc fixes * Turn on fun switch * Remove useless code * Bump version * Fix the compile error shadowsocks#2930 (shadowsocks#2935) Make checking python version code compatible with windows and *nix Redefine the python version detection code Co-authored-by: Mygod <contact-github@mygod.be> Co-authored-by: Mygod <contact-git@mygod.be> Co-authored-by: Max Lv <max.c.lv@gmail.com> Co-authored-by: cyber386 <62885475+cyber386@users.noreply.github.com> Co-authored-by: Goooler <wangzongler@gmail.com> Co-authored-by: SquallATF <squallatf@gmail.com> Co-authored-by: dev4u <dev4u@users.noreply.github.com>
Describe the bug
As someone already mentioned: #2555
I did a little test, it seems to be related to UDP fallback.
Adguard has a function which allows user to name a socks5 proxy as upstream proxy. It also supports UDP over socks5.
So what people do is that they use adguard in VPN mode, and shadowsocks in transparent mode, and in adguard, set 127.0.0.1:1080 as upstream socks5 proxy, and tick "UDP over socks5" if UDP relay is supported by server and UDP fallback is enabled by shadowsocks client together with SIP003 plugin. Everything was working as intended up until 5.0.6.
From 5.1.0, something seems to be broken. With the same aforementioned setup, Adguard gave a "UDP over socks5 not supported by this proxy" error message, with UDP fallback enabled. However if you disable UDP fallback and SIP003 plugin, then the error message goes away. I think it performs a connectivity test upon connection, and the result suggests UDP over socks5 is unreachable, when UDP fallback is enabled.
So I suspect something is wrong is the UDP fallback function. Oddly though, when I tested UDP relay in VPN mode, it seems to be working. But I don't know how to test the socks5 proxy.
The text was updated successfully, but these errors were encountered: