shadowvpn's Introduction

Removed according to regulations.

shadowvpn's Issues

Gateway changes

When the gateway changes, i.e. on a PPPoE reconnection, the default client_up.sh provided with the configuration is broken.
The user has to restart shadowvpn.

We need to use a different approach:

  1. Listen for pppoe reconnection and run up.sh again.
  2. Or: Do not change default route. Only add routes we need. (Better)

Error when Installing deb

I just tried the deb install source:
apt-get update

It reports an error:
Ign http://shadowsocks.org wheezy/main Translation-en
Err http://shadowvpn.org wheezy/main i386 Packages
404 Not Found [IP: 192.XX.XX.XX 80]
Ign http://shadowvpn.org wheezy/main Translation-en
W: Failed to fetch http://shadowvpn.org/debian/dists/wheezy/main/binary-i386/Packages 404 Not Found [IP: 192.XX.XX.XX 80]
E: Some index files failed to download. They have been ignored, or old ones used instead.

What is going on here? Is the 32-bit package not ready yet?

Multiple clients design

We have two approaches:

  1. Different clients bind to different ports and have different IPs and tun devices
  2. Same port, using built-in NAT (change src & dst IP in the payload's IP header)

Also, we can generate the pidfile, logfile, intf etc. from the conf filename automatically

What to Do with chnroutes

Someone mentioned "really hating that OpenVPN takes half a minute to reconnect after it drops". I currently use OpenVPN in static mode myself; when the network changes, most of the outage time is spent on chnroute...
The scheme I (and most people, e.g. the chnroute site) use is to set direct routes for domestic ranges and then make the VPN the default route (by adding the two routes 0.0.0.0/1 and 128.0.0.0/1); the advantage is fewer routing entries, the disadvantage is that once something goes wrong and the VPN drops, foreign traffic is cut off completely;
I once considered an idea of doing the routing table inside the VPN program: at system level, all traffic goes through the VPN while it is connected, and when the VPN is down traffic goes wherever it would normally go; obviously this would have performance problems.
@clowwindy, any good ideas for solving this?

PS: Has it been considered to allow several servers in the client config, chosen at random or tried in order until the first successful connection? OpenVPN has this feature. Perhaps a heartbeat-like mechanism could be used to decide whether a server is reachable while staying stateless?

Simplify client configuration

Client configuration:

Required

  • an individual key
  • server public IP & server public port
  • server tun IP

Optional

  • a shared key in the multi-user case (how to distinguish the two kinds of key)
  • the server's DNS server (network optimisation)

For system compatibility, consider that the subnet mask may be 255.255.255.254
The multi-user case requires manual NAT

MTU of PPPoE

I am on fibre with PPPoE dial-up; the measured MTU is 1480,

so in the VPN config I changed the default 1440 to 1420 and ran speedtest at the same time: it went from about 9Mbps before the change to 16Mbps.

the MTU of VPN device

#1492(Ethernet) - 20(IPv4, or 40 for IPv6) - 8(UDP) - 24(ShadowVPN)

mtu=1420

Work left

Now that it works, we have the last few things to finish:

  • Write post-init scripts
  • Make make install install config files and post-init scripts as well
  • Build deb package
  • Build OpenWRT package
  • Documentation and Wiki

Move Configuration to *.conf

Following on from #51: up/down.sh should mainly be there for advanced users to implement custom functionality, whereas "setting the MTU", "changing the default gateway" and so on are not "customisation"; they should be done by the C code calling system commands directly, or by shadowvpn generating a shell script automatically from the config file.
I am opening a new issue to list every setting that there is a need to move into the conf to simplify configuration, and consolidate them.

  • ip_forward

    The server always has this enabled; a client acting as a "router" has it always enabled whether or not the VPN is in use, and a client acting as an ordinary end host has it off.

  • ifconfig IP, MTU

    The IPs of both ends should be settable in the conf, at least as a variable like MTU, so that changes are not missed; then both can be applied directly from the C code;
    #51 mentioned "the script can read all config variables; move the IP in the script into the config file as ip=x.x.x.x and read the $ip variable in the script", which is really necessary.

    At the same time, for the situation in #53, consider providing a small utility that measures and sets the MTU.

  • iptables

    For iptables, consider providing a switch so the user can choose whether they need NAT for internet access or only want to establish the tunnel;

  • chnroute

    #1 and #24 both mention various chnroute setups. For "ordinary users", especially those installing on openwrt, combining with chinadns and chnroute is in high demand; integrate it into mainline and provide a config parameter which, when set, specifies some IP ranges or a file containing IP ranges (the shadowXXX and chinadns families of software should ideally share a format and the same file), automatically handle setting up and releasing the chnroute routes, and add optimisations such as ipset as well.

Moving the settings into a single conf also makes it easy for shadowvpn to offer a uci interface on openwrt; as for setting routes and the like, once hidden inside the program it can call route directly, or call back into the various openwrt interfaces.

Related open issues:
#1 about chnroute
#24 chnroute discussion
#51 about the conf, can be marked as merged into this one
#53 MTU value

can not open /dev/net/tun

Could someone help me see where it is going wrong? I cannot find a lead...

root@vmhost01:/etc/shadowvpn# uname -a
Linux vmhost01 3.2.0-4-amd64 #1 SMP Debian 3.2.57-3+deb7u2 x86_64 GNU/Linux

root@vmhost01:/etc/shadowvpn# tail -n 1 /etc/apt/sources.list
deb http://shadowvpn.org/debian wheezy main

root@vmhost01:/etc/shadowvpn# dpkg -l shadowvpn
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                    Version          Architecture     Description
+++-=======================-================-================-====================================================
ii  shadowvpn               0.1.4-1          amd64            A fast, safe VPN based on libsodium

root@vmhost01:/etc/shadowvpn# /etc/init.d/shadowvpn start
started

root@vmhost01:/etc/shadowvpn# tail /var/log/shadowvpn.log 
Thu Dec  4 13:21:45 2014 vpn.c:107 open: No such device
Thu Dec  4 13:21:45 2014 can not open /dev/net/tun
Thu Dec  4 13:21:45 2014 failed to create tun device

root@vmhost01:/etc/shadowvpn# ls -l /dev/net/tun 
crw-rw-rwT 1 root root 10, 200 Jun 30 10:47 /dev/net/tun

root@vmhost01:/etc/shadowvpn# cat /etc/shadowvpn/server.conf 
# ShadowVPN config example

# notice: do not put space before or after "="

# server listen address
server=0.0.0.0

# server listen port
port=8849

# password to use
# you can generate one by:
# dd if=/dev/urandom bs=64 count=1 | md5sum
password=ce32c258dff9be831fc87004456a70a7

# server or client
mode=server

# max source ports
# must be the SAME with client or won't work properly
concurrency=1

# the MTU of VPN device
#1492(Ethernet) - 20(IPv4, or 40 for IPv6) - 8(UDP) - 24(ShadowVPN)
mtu=1440

# tunnel device name
intf=tun0

# the script to run after VPN is created
# use this script to set up routes, NAT, etc
# configuration in this file will be set as environment variables
up=/etc/shadowvpn/server_up.sh

# the script to run before stopping VPN
# use this script to restore routes, NAT, etc
# configuration in this file will be set as environment variables
down=/etc/shadowvpn/server_down.sh

# PID file path
pidfile=/var/run/shadowvpn.pid

# log file path
logfile=/var/log/shadowvpn.log

windows client error

Error opening registry key SYSTEM\CurrentControlSet\Control\Class{4D36E972-E325-11CE-BFC1-08002BE10318}\Properties

The tap driver is installed
The tap adapter has an IP set too

How do I fix this?

Add hotplug.d script for openwrt

In hotplug.d/iface/30-shadowvpn:
if $INTERFACE is wan or pppoe-wan, $ACTION is ifup, start shadowvpn
if $INTERFACE is wan or pppoe-wan, $ACTION is ifdown, stop shadowvpn

Update default client_up.sh and client_down.sh so that they will work better:
When default route is missing, read route of pppoe-wan or wan instead;
Do not remove default route if default route is missing.
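
The handler sketched above, as an added example that is not a file from the project: a POSIX sh script for /etc/hotplug.d/iface/30-shadowvpn (the path from this issue). OpenWrt runs every script in that directory with $INTERFACE and $ACTION (ifup/ifdown) set in the environment; the init script path and the pidfile path are the ones shown in the server.conf elsewhere on this page, and the uplink names wan/pppoe-wan come from this issue. The decision is kept in a function so it can be checked without a router.

```shell
#!/bin/sh
# Added example (not ShadowVPN's own file): hotplug.d handler for the uplink.
# Assumed paths: /etc/init.d/shadowvpn and /var/run/shadowvpn.pid (from the
# config shown on this page). INTERFACE and ACTION are set by netifd.

# hotplug_decision INTERFACE ACTION RUNNING -> prints start|stop|restart or nothing
# RUNNING is 1 when a shadowvpn daemon is already alive, else 0. On ifup with a
# running daemon it asks for a restart so the up-script re-reads the new
# gateway (the "Gateway changes" issue); on ifdown with no daemon it stays
# quiet instead of calling stop on nothing.
hotplug_decision() {
    case "$1" in
        wan|pppoe-wan) ;;
        *) return 0 ;;    # LAN, wireless, loopback: not our uplink, nothing to do
    esac
    case "$2" in
        ifup)
            if [ "$3" = 1 ]; then echo restart; else echo start; fi ;;
        ifdown)
            if [ "$3" = 1 ]; then echo stop; fi ;;
    esac
    return 0
}

# is_running PIDFILE -> success if the pid recorded in the file is alive
is_running() {
    pidfile=${1:-/var/run/shadowvpn.pid}
    [ -r "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null
}

# Entry point when invoked by hotplug; skipped when the variables are absent.
if [ -n "$INTERFACE" ] && [ -n "$ACTION" ] && [ -x /etc/init.d/shadowvpn ]; then
    if is_running; then running=1; else running=0; fi
    cmd=$(hotplug_decision "$INTERFACE" "$ACTION" "$running")
    if [ -n "$cmd" ]; then
        logger -t shadowvpn "$INTERFACE $ACTION: $cmd"
        /etc/init.d/shadowvpn "$cmd"
    fi
fi
```

A PPPoE reconnect reaches the handler as ifdown followed by ifup, so the stop/restart pair covers the case in the "Gateway changes" issue without a manual restart. Because the daemon is stopped on ifdown, the client_down.sh change requested above (not deleting a default route that is already gone) still matters: at ifdown time the pppoe-wan route has usually vanished already.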

Configuration file design

command line:

-s start/stop/restart
-c config_file

config_file:

mode=server/client
mtu=MTU
intf=interface name
pidfile=pidfile
server=server address
port=server port
key=password
up=startup script
down=shutdown script

The startup script is a bash script that runs after the interface has been created, so that the user can configure the interface flexibly
It is passed as arguments: whether this is the server or the client, and the interface name
The default script sets the interface IP and MTU, and MSSFIX
On the server side it enables IP forwarding and NAT
On the client side it contains a commented-out section: enable NAT, change the default route; the user decides how to configure the file

The shutdown script contains commented-out code: disable NAT, change the default route; the user decides how to configure the file

@aa65535

How to Upgrade from 0.1.2 to 0.1.3

I see 0.1.3 has been released; what is the most sensible way for me to upgrade the server side from 0.1.2 to 0.1.3? I installed 0.1.2 by building from source code.

Thanks!

How to Configure IPv6

server is an IPv6 address; I have tested that it connects under Windows. How does it need to be set up in openwrt?

TCP Support

UDP is blocked; I do not know how common this odd kind of network environment is. Will it be possible later to transport over TCP? Or is TCP unsuitable for shadowvpn, so it is not being considered?

Server Auto Switching

@clowwindy mentioned in #55 that the project will be reworked substantially; I hope the design can consider adding this feature.

Of course, being able to do load balancing and a whole series of such features would be even better. :smile:

Better logging

  • Support Android
  • Print version
  • When dropping invalid packet, print its address

Fails to work every few days

I am using 0.11 and have used it for a long time; almost every two days this happens. I raised #11 earlier and then did manual configuration; I do not know whether that is related. When the problem occurs, restarting shadowvpn, chinadns or dnsmasq in any way does not get things working again, so I have to switch servers; I have two servers, so switching IP every two days makes it work again.

Can it be determined where the problem is, or is upgrading to the latest version enough? Does the latest version still need manual configuration on openwrt?

Compile and install on OS X does not work

Downloaded the latest shadowvpn-0.1.4 on OS X 10.10.1, compiled and installed using ./configure --enable-static --sysconfdir=/etc and make && make install.

After install, /etc/shadowvpn/client_up.sh looks like this:

#!/bin/sh

# example client up script
# will be executed when client is up

# all key value pairs in ShadowVPN config file will be passed to this script
# as environment variables, except password

# turn on IP forwarding
sysctl -w net.ipv4.ip_forward=1

# configure IP address and MTU of VPN interface
ifconfig $intf 10.7.0.2 netmask 255.255.255.0
ifconfig $intf mtu $mtu

# get current gateway
echo reading old gateway from route table
# sed -n ... p prints only the captured field, so a default route without
# "via" (PPPoE) leaves old_gw_ip empty instead of the whole route line
old_gw_intf=`ip route show | grep '^default' | sed -n -e 's/.* dev \([^ ]*\).*/\1/p'`
old_gw_ip=`ip route show | grep '^default' | sed -n -e 's/.* via \([^ ]*\).*/\1/p'`

# if current gateway is tun, it indicates that our gateway is already changed
# read from saved file
if [ "$old_gw_intf" = "$intf" ]; then
  echo reading old gateway from /tmp/old_gw_intf
  # braces, not parentheses: an exit inside a subshell would not stop the script
  old_gw_intf=`cat /tmp/old_gw_intf` || { echo "can not read gateway, check up.sh"; exit 1; }
  old_gw_ip=`cat /tmp/old_gw_ip`
fi

# no default route at all (e.g. pppoe-wan is down): stop here rather than
# deleting a route that does not exist and saving an empty gateway
if [ -z "$old_gw_intf" ]; then
  echo "no default route found, check up.sh"
  exit 1
fi

echo saving old gateway to /tmp/old_gw_intf
echo $old_gw_intf > /tmp/old_gw_intf
echo $old_gw_ip > /tmp/old_gw_ip

# turn on NAT over VPN
iptables -t nat -A POSTROUTING -o $intf -j MASQUERADE
iptables -I FORWARD 1 -i $intf -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 1 -o $intf -j ACCEPT

# change routing table
echo changing default route
# a PPPoE link (pppoe-wan) has no gateway address: route the server via the
# device itself; "route add ... gw" with an empty address only prints usage
if [ -z "$old_gw_ip" ]; then
  route add -host $server dev $old_gw_intf
else
  route add -host $server gw $old_gw_ip
fi
route del default
route add default gw 10.7.0.1
echo default route changed to 10.7.0.1

echo $0 done

It seems to be a script for Linux rather than OS X, and running sudo shadowvpn -c /etc/shadowvpn/client.conf -s start only echoes "started" but changes nothing. Running sudo shadowvpn -c /etc/shadowvpn/client.conf -s stop says "not running", indicating the previous start was not successful.

Nonces

Hi Clowwindy,

And congrats for ShadowVPN and ChinaDNS-C.

I noticed that you are generating a random nonce for each packet. This is fine, but using a simple counter would be perfectly fine as well. This also makes it practically impossible for a nonce to be reused.

Preserve Old Versions in APT Source

I feel version 1.4 has a problem: after using it for a while, no foreign pages open at all. Close the VPN, start SS, and it is immediately fine. That suggests it is not the line from China to the VPS, nor the VPS itself. But because the problem is too complex, I do not know the cause yet and would like to downgrade and compare several versions.

I hope the DEB source can keep historical versions; one version is only a few tens of KB, tiny.

High CPU Usage on OpenWRT

openwrt version:
OpenWrt Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530)
Hardware:
Asus RT-N16
ShadowVPN version:
ShadowVPN - 0.1.2

The specific symptoms are:

After starting ShadowVPN, CPU usage exceeds 50%, with the following errors:
Sat Oct 11 18:27:16 2014 vpn.c:223 sendto: Operation not permitted
Sat Oct 11 18:27:16 2014 vpn.c:223 sendto: Operation not permitted

Pinging the server address 10.7.0.1 fails; pinging the VPS works.

deb PGP Verification

WARNING: The following packages cannot be authenticated!
shadowvpn
Install these packages without verification [y/N]? y

Please fix this problem.

Can't connect to Internet

The network is Jiangsu China Mobile; the dial-up address obtained is 100.98..
Deployed according to http://sourceforge.net/p/openwrt-dist/wiki/Plan6/, the original text of which is as follows
Plan 6:
Download and install ChinaDNS-C + ShadowVPN
Edit /etc/init.d/chinadns
Comment out or delete the two iptables commands in it
Edit /etc/dnsmasq.conf
Add no-resolv and server=127.0.0.1#5353 and delete all other server= entries
Start ShadowVPN with the command /etc/init.d/shadowvpn start
Start ChinaDNS-C with the command /etc/init.d/chinadns start
Restart dnsmasq with the command /etc/init.d/dnsmasq restart

Following these steps I deleted the two iptables commands
In /etc/dnsmasq.conf I added
server=127.0.0.1#5353
no-resolv
As there was no server= entry, nothing to do there

shadowvpn was configured separately; I will leave that aside for now

Then I started Chinadns
After starting, DNS pollution still occurs; Firefox pages get reset, or the tab state shown in the image, with an empty page
Then I started shadowvpn, and at that point it is almost impossible to get online. The PC cannot ping external hosts.

Following the wiki https://github.com/clowwindy/ShadowVPN/wiki/FAQ I checked as follows
1. The router can ping the VPS
2. The router can ping 10.7.0.1
3. Using the openwrt luci network diagnostics
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 38 byte packets
1 10.7.0.1 199.357 ms
2 198.35.46.8 199.884 ms
3 65.19.129.153 201.588 ms
4 184.105.222.86 216.755 ms
5 72.14.211.86 210.680 ms
6 64.233.174.41 217.247 ms
7 72.14.238.0 240.765 ms
8 72.14.239.159 239.900 ms
9 216.239.48.167 240.263 ms
10 *
11 8.8.8.8 240.285 ms

4. Pinging 8.8.8.8 from the router, the VPS receives it
root@vps:~# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
05:51:43.949310 IP 10.7.0.2 > google-public-dns-a.google.com: ICMP echo request, id 41249, seq 0, length 64
05:51:43.989251 IP google-public-dns-a.google.com > 10.7.0.2: ICMP echo reply, id 41249, seq 0, length 64

6. The VPS netstat -nr and ifconfig are as follows
root@vps:~# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.7.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 venet0

Here, since I had found earlier that the interface is venet0 rather than eth0, I had already changed that in server_*.sh

root@vps:~# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.7.0.1 P-t-P:10.7.0.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1440 Metric:1
RX packets:817 errors:0 dropped:0 overruns:0 frame:0
TX packets:784 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:64866 (64.8 KB) TX bytes:65676 (65.6 KB)

venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.2 P-t-P:127.0.0.2 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:42935 errors:0 dropped:0 overruns:0 frame:0
TX packets:10583 errors:0 dropped:184 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:58296024 (58.2 MB) TX bytes:1041926 (1.0 MB)

venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:<server IP> P-t-P:<server IP> Bcast:<server IP> Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

7. What does "lan" here refer to? The port corresponding to 192.168.1.1? Also, I do not see anything about eth0 in client_*.sh?
The router's netstat -nr and ifconfig are as follows
root@OpenWrt:~# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.7.0.1 0.0.0.0 UG 0 0 0 tun0
1.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 pppoe-wan

Everything below is the chnroute routing table, not pasted

root@OpenWrt:~# ifconfig -a
br-lan Link encap:Ethernet HWaddr 00:86:33:50:11:86
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::286:33ff:fe50:1186/64 Scope:Link
inet6 addr: fd27:c7cd:3d5::1/60 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:123243 errors:0 dropped:0 overruns:0 frame:0
TX packets:133248 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:13392571 (12.7 MiB) TX bytes:59433448 (56.6 MiB)

eth0 Link encap:Ethernet HWaddr 00:86:33:50:11:86
inet6 addr: fe80::286:33ff:fe50:1186/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:94455 errors:0 dropped:3 overruns:0 frame:0
TX packets:92179 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:35027898 (33.4 MiB) TX bytes:15937576 (15.1 MiB)
Interrupt:5

eth0.1 Link encap:Ethernet HWaddr 00:86:33:50:11:86
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:38461 errors:0 dropped:0 overruns:0 frame:0
TX packets:35533 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3042165 (2.9 MiB) TX bytes:8613571 (8.2 MiB)

eth0.2 Link encap:Ethernet HWaddr 00:86:33:50:11:86
inet6 addr: fe80::286:33ff:fe50:1186/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:55869 errors:0 dropped:1 overruns:0 frame:0
TX packets:56641 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:30274140 (28.8 MiB) TX bytes:7322514 (6.9 MiB)

gre0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-30-40-00-00-00-00-00-00-00-00
NOARP MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

gretap0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1476 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

ifb0 Link encap:Ethernet HWaddr 1E:C1:CE:65:94:0F
BROADCAST NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

ifb1 Link encap:Ethernet HWaddr 92:B7:BA:67:FB:90
BROADCAST NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

ip6gre0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1448 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

ip6tnl0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1452 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:24000 errors:0 dropped:0 overruns:0 frame:0
TX packets:24000 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1863986 (1.7 MiB) TX bytes:1863986 (1.7 MiB)

pppoe-wan Link encap:Point-to-Point Protocol
inet addr:100.98.175.208 P-t-P:112.0.229.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:45685 errors:0 dropped:0 overruns:0 frame:0
TX packets:47564 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:29279711 (27.9 MiB) TX bytes:6003453 (5.7 MiB)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.7.0.2 P-t-P:10.7.0.2 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1440 Metric:1
RX packets:65 errors:0 dropped:0 overruns:0 frame:0
TX packets:99 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:5298 (5.1 KiB) TX bytes:4554 (4.4 KiB)

wlan0 Link encap:Ethernet HWaddr 00:86:33:50:11:86
inet6 addr: fe80::286:33ff:fe50:1186/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:85381 errors:0 dropped:0 overruns:0 frame:0
TX packets:105918 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11582948 (11.0 MiB) TX bytes:54415036 (51.8 MiB)

One question: how can I stop p2p traffic from going through the proxy? Otherwise the VPS gets blocked within a couple of days.

Another question: there is a rather odd situation now.
Wired cannot get online; wireless does not work at first and only works after a while.
Later I found that the wired connection was originally on the router's default "Network 4", but later it became the same network as wireless, e.g. 123. What could cause this?

I do not know how to use markdown, so this is a bit ugly.
Thanks.

If any other information is needed, tell me and I will post it.

Moving NAT, ip_forward, tun IP to *.conf

On the tunnel IP: changing it in shell is, firstly, complicated and, secondly, hard to extend;
On NAT: a VPN should focus on establishing the tunnel, rather than one-click installing every system setting to turn itself into a VPN proxy.
In my particular case, my server runs shadowvpn alongside openvpn, l2tp and other VPN servers;
When I run /etc/init.d/shadowvpn stop, all VPN users break; on inspection this is because server_stop automatically disables the iptables NAT.
Modifying the sh script is of course a fix, but that is not much different from modifying the source code; providing a switch, or not touching iptables by default and instead giving manual setup instructions in the tutorial, might both be better choices.
Note: with the common pptp/l2tp, openvpn and ipsec, users set up NAT themselves; without NAT the VPN is just an internal-network tunnel, which also has its use cases; and for beginners who need an install script to maintain iptables automatically, a "safety" setting like "automatically disable NAT when stopping the VPN" is not much in demand either.

openwrt pptp

I would like to configure the connection directly in the network interfaces; is there an interface like the one for pptp?

Route to shadowvpn_ip via ext_gw is not being set correctly

I had to manually execute the following command after restarting shadowvpn, as ShadowVPN didn't correctly add the route to the ShadowVPN server via the original external gateway.

This was the command I had to execute manually:
sudo ip route add $shadow_vpn_ip/32 via 192.168.1.1

I think maybe this part is having issues client_up.sh:

if [ pppoe-wan = "$old_gw_intf" ]; then
  route add $server $old_gw_intf
else
  route add $server gw $old_gw_ip
fi
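
The route handling that this issue, the "Gateway changes" issue and the hotplug.d issue all circle around, as an added example that is not ShadowVPN's client_up.sh or any project code: a POSIX sh route planner that reads `ip route show` output, pins the server to the physical uplink (a `dev` route when the uplink is PPPoE and has no gateway address, where `route add ... gw` with an empty address only prints its usage text), falls back to the pppoe-wan/wan route when no default route exists at all, and overrides the default route with 0.0.0.0/1 and 128.0.0.0/1 instead of deleting it, the approach described in the chnroute issue above. It prints the commands rather than executing them, so it can be checked against sample routing tables; the sample tables, the interface names, the tunnel gateway 10.7.0.1 and the server address 203.0.113.5 are constructed.

```shell
#!/bin/sh
# Added example (not ShadowVPN's client_up.sh): plan the routes a client
# up-script needs without touching the existing default route. Pure text
# processing over `ip route show` output; commands are printed, not run.
# Constructed values: server 203.0.113.5, tunnel tun0 / 10.7.0.1.

# find_uplink ROUTES
# Prints "<dev> <gateway>" for the default route; the gateway is empty on a
# PPPoE link, which has no "via". Without any default route, fall back to the
# first route on pppoe-wan or wan. Returns 1 when neither exists.
# `sed -n ... p` prints only the captured field, so a missing "via" yields an
# empty string instead of the whole line (what `sed -e` would print).
find_uplink() {
    routes=$1
    line=$(printf '%s\n' "$routes" | grep '^default' | head -n 1)
    if [ -z "$line" ]; then
        line=$(printf '%s\n' "$routes" | grep -E ' dev (pppoe-wan|wan)( |$)' | head -n 1)
    fi
    [ -n "$line" ] || return 1
    dev=$(printf '%s\n' "$line" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
    gw=$(printf '%s\n' "$line" | sed -n 's/.* via \([^ ]*\).*/\1/p')
    printf '%s %s\n' "$dev" "$gw"
}

# plan_routes ROUTES SERVER TUN_DEV TUN_GW
# Prints the commands that pin SERVER to the physical uplink and then send
# everything else through the tunnel.
plan_routes() {
    routes=$1; server=$2; tun=$3; tun_gw=$4
    uplink=$(find_uplink "$routes") || { echo "no uplink route found" >&2; return 1; }
    dev=${uplink%% *}
    gw=${uplink#* }
    # If the default route already points at the tunnel (script re-run after a
    # gateway change) the real uplink is unknown; refuse rather than route the
    # server through the tunnel itself, which would be a routing loop.
    if [ "$dev" = "$tun" ]; then
        echo "default route already on $tun; use the saved uplink instead" >&2
        return 1
    fi
    if [ -n "$gw" ]; then
        printf 'ip route replace %s/32 via %s dev %s\n' "$server" "$gw" "$dev"
    else
        printf 'ip route replace %s/32 dev %s\n' "$server" "$dev"
    fi
    # 0.0.0.0/1 and 128.0.0.0/1 are more specific than 0.0.0.0/0, so they win
    # while the tunnel is up and vanish with it; the original default route is
    # never deleted, so the down-script has nothing to restore.
    printf 'ip route replace 0.0.0.0/1 via %s dev %s\n' "$tun_gw" "$tun"
    printf 'ip route replace 128.0.0.0/1 via %s dev %s\n' "$tun_gw" "$tun"
}

# Run against the live routing table when a server address is given:
#   sh plan_routes.sh 203.0.113.5 tun0 10.7.0.1
if [ "$#" -ge 1 ]; then
    plan_routes "$(ip route show)" "$1" "${2:-tun0}" "${3:-10.7.0.1}"
fi
```

It is plain POSIX sh, with `=` rather than `==` in tests, so it runs under dash as well as bash (the "Detect bash" and "Syntax error when executing script" issues further down). A matching down-script only deletes the three routes this one adds; because the default route was never replaced, a crashed tunnel leaves the host with its normal connectivity rather than a dangling default via 10.7.0.1.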

shadowvpn.log

Usage: inet_route [-vF] del {-host|-net} Target[/prefix] [gw Gw] [metric M] [[dev] If]
       inet_route [-vF] add {-host|-net} Target[/prefix] [gw Gw] [metric M]
                              [netmask N] [mss Mss] [window W] [irtt I]
                              [mod] [dyn] [reinstate] [[dev] If]
       inet_route [-vF] add {-host|-net} Target[/prefix] [metric M] reject
       inet_route [-FC] flush      NOT supported
default route changed to
/etc/shadowvpn/client_down.sh done
net.ipv4.ip_forward = 1
reading old gateway from route table
saving old gateway to /tmp/old_gw_intf
changing default route
Usage: inet_route [-vF] del {-host|-net} Target[/prefix] [gw Gw] [metric M] [[dev] If]
       inet_route [-vF] add {-host|-net} Target[/prefix] [gw Gw] [metric M]
                              [netmask N] [mss Mss] [window W] [irtt I]
                              [mod] [dyn] [reinstate] [[dev] If]
       inet_route [-vF] add {-host|-net} Target[/prefix] [metric M] reject
       inet_route [-FC] flush      NOT supported
SIOCDELRT: No such process
default route changed to 10.7.0.1
/etc/shadowvpn/client_up.sh done

Only the first connection succeeded; none after that worked

The server is confirmed to be fine, but it has odd logs; when the client does start, the server shows no log entries

> netstat -nlptu | grep 1123
udp        0      0 0.0.0.0:1123            0.0.0.0:*                           -
> tail /var/log/shadowvpn.log
Sun Oct  5 16:24:49 2014 dropping invalid packet, maybe wrong password
Sun Oct  5 16:24:50 2014 dropping invalid packet, maybe wrong password
Sun Oct  5 16:25:42 2014 dropping invalid packet, maybe wrong password
/etc/shadowvpn/server_down.sh done
net.ipv4.ip_forward = 1
/etc/shadowvpn/server_up.sh done
Sun Oct  5 17:10:24 2014 dropping invalid packet, maybe wrong password
Sun Oct  5 17:10:25 2014 dropping invalid packet, maybe wrong password
Sun Oct  5 17:11:00 2014 dropping invalid packet, maybe wrong password
Sun Oct  5 17:11:02 2014 dropping invalid packet, maybe wrong password

The client's current routes:

> route
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.7.0.1        0.0.0.0         UG    0      0        0 tun0
10.7.0.0        *               255.255.255.0   U     0      0        0 tun0
180.157.232.1   *               255.255.255.255 UH    0      0        0 pppoe-wan
xxx.xxx.xxx.xxx  180.157.232.1   255.255.255.255 UGH   0      0        0 pppoe-wan
192.168.190.0   *               255.255.255.0   U     0      0        0 br-lan

Detect bash

#27

On some OSes the default sh is dash; we should check for the existence of bash and use bash instead.

Compilation problem on OpenWRT

Following your method, I git cloned into the package directory, but when running make menuconfig and make in the terminal, this appears at the start
package/Makefile:173: warning: overriding commands for target `package/openwrt/clean'
package/Makefile:173: warning: ignoring old commands for target `package/openwrt/clean'
package/Makefile:173: warning: overriding commands for target `package/openwrt/download'
package/Makefile:173: warning: ignoring old commands for target `package/openwrt/download'
package/Makefile:173: warning: overriding commands for target `package/openwrt/prepare'
package/Makefile:173: warning: ignoring old commands for target `package/openwrt/prepare'
package/Makefile:173: warning: overriding commands for target `package/openwrt/compile'
package/Makefile:173: warning: ignoring old commands for target `package/openwrt/compile'
package/Makefile:173: warning: overriding commands for target `package/openwrt/install'
package/Makefile:173: warning: ignoring old commands for target `package/openwrt/install'
package/Makefile:173: warning: overriding commands for target `package/openwrt/update'
package/Makefile:173: warning: ignoring old commands for target `package/openwrt/update'
package/Makefile:173: warning: overriding commands for target `package/openwrt/refresh'
package/Makefile:173: warning: ignoring old commands for target `package/openwrt/refresh'
package/Makefile:173: warning: overriding commands for target `package/openwrt/prereq'
package/Makefile:173: warning: ignoring old commands for target `package/openwrt/prereq'
package/Makefile:173: warning: overriding commands for target `package/openwrt/dist'
package/Makefile:173: warning: ignoring old commands for target `package/openwrt/dist'
package/Makefile:173: warning: overriding commands for target `package/openwrt/distcheck'
package/Makefile:173: warning: ignoring old commands for target `package/openwrt/distcheck'
package/Makefile:173: warning: overriding commands for target `package/openwrt/configure'
package/Makefile:173: warning: ignoring old commands for target `package/openwrt/configure'
This block of messages appears twice in a row.
Another odd thing is that when I select chinadns-c and shadowvpn in menuconfig, the generated img contains no shadowvpn files, while the bin/package directory has shadowvpn.ipk; selecting only shadowvpn also gives the warnings above, but the img is fine. I re-downloaded the source and built again, and it is still the same.
The openwrt version is the BB release and the router is a wndr4300; where is it going wrong?

dpkg-buildpackage version problem

Was debian/changelog forgotten when updating?

Also, could the gitmodules form of libsodium be dropped in favour of including it directly?
The tar.gz source package currently uploaded in releases does not contain the debian directory, so it cannot be used directly for dpkg-buildpackage,
and if you download the Source code from releases directly, libsodium is an empty directory, so the source can only be obtained via git clone.

OS X support

  • Update configure.ac, add check for OS X
  • Update vpn.c, write OS X compat code
  • Write client_up.sh and client_down.sh sample files for OS X since it doesn't support iptables

Firewall Problem

I installed the latest shadowvpn on the VPS and run shadowvpn on a wndr3700v4 router. The router is configured with luci. After setting up, ping vps ip and ping 10.7.0.2 both succeed. But foreign websites will not open in the browser. Where is the mistake? Is there a way to determine the cause?

Syntax error when executing script

The server-side log looks fine. The client is Ubuntu behind a router; in client.conf I uncommented intf, i.e. intf=tun0; the log after running is as follows:
net.ipv4.ip_forward = 1
reading old gateway from route table
/etc/shadowvpn/client_up.sh: 29: [: eth0: unexpected operator
saving old gateway to /tmp/old_gw_intf
changing default route
/etc/shadowvpn/client_up.sh: 40: [: pppoe-wan: unexpected operator
default route changed to 10.7.0.1
/etc/shadowvpn/client_up.sh done
I cannot even ping 10.7.0.1 or the VPS's IP; I do not know why

High CPU Usage

Hello.

I tried ShadowVPN on a router and found CPU usage very high: opening one YouTube page, the ShadowVPN process's CPU usage exceeds 50-60% and the system load average quickly goes above 1. In the same scenario with OpenVPN (static key), CPU usage is "only" 30-50% (and my openvpn cipher is aes-256-cbc).

What could the cause of this be?

The router is an asus RT-N16 (BCM4718 @ 480MHz), using the prebuilt brcm47xx ipk.

Integration with networkmanager

Nice to have: it would make things easier for users to have integration with networkmanager, the same way you can configure a PPTP VPN through networkmanager.

Maybe this should be done as a separate project and not be part of this repo, though.
