GL-MT1300 + Wireguard + Shadowsocks

Does anyone have general advise on how to setup a GL-MT1300 to connect to a Wireguard server running on a cloud service and implement some sort of traffic obfuscation technique such as Shadowsocks?

Getting the GL-MT1300 router to connect to a Wireguard server using a client configuration is the easy part. How and where should Shadowsocks be implemented?

For example, in the advanced setup of the GL-MT1300 configuration interface (http://192.168.8.1/cgi-bin/luci/admin/system/opkg), there appear to be a number of software packages available for the router, including:

shadowsocks-libev
shadowsocks-libev-server
luci-app-shadowsocks
luci-app-shadowsocks-libev
luci-app-shadowsocks-without-ipset

What’s the use case for these packages? And how are they used?

I suppose I should instead run a Shadowsocks server on a cloud server service like Linode and then figure out how to get the GL-MT1300 router to connect to that server?

Three times the same Question? Which answer will be next?

I assume the answer will be something like: ‘Shadowsock is not supported’.

2 Likes

I am trying to ask variations of the following question: how can I use a GL-MT1300 router to directly connect to a server that I control and have the communication protected and obfuscated.

The question may be repetitive because I do not understand the available options and possibilities: Xray-core, OutlineVPN, Shadowsocks are all new terms to me.

And I refuse to believe there isn’t a way to achieve this goal. I am hoping others might suggest some setup that I’m unfamiliar with. These topics aren’t common.

Step by step.

Please say goodby to ShadowSock. It seems to be a dead project. Maybe great at its time, bit if noone is maintaining it, it is more a security hole, than a solution.
Maybe there are other solutions, that are in active development and/or maintined. I don’t use/need obfuscation. So I can’t say much about this topic.

You have an own server. Great.
You’d want a VPN. Great.

Google, look out for a suitable solution that is supported by GL.iNet, search for a how to with some grade of explanation, do it.
If anything is different from the manual (I hope a recent one, not from 1998), than ask a specific question here. A lot of people want to help.

I did it myself this way.
For my setup I have chosen Wireguard. Just a little Debian in a Proxmox Container, used a Setup script and it is working. I’ve tried to replace the script with a own way, doesn’t working (because of some Virtualization techniques, I’m not familiar right now).
Now I have 3 GL.iNet devices and 2 Android Phones, that are connecting in my VPN… I am happy.

Because I have some spare time at the moment, I also set up a OpenVPN Container… And deleted it. Don’t like the look and feel. The speed was drastic lower with no security benefits.

Next I’m replacing the login within the VPN with 2FA (Yubikey based)…

Bit even if I’ve not write all this, let’s assume I translate my Wiki article on English, so you can follow my way, it doesn’t need to be yours.
My intention was, to show you there are a lot of possible setups, not ‘one way to success’. It depends on environment, goal, user abilities, support by devices, …
You are asking for the holy grail. I doubt you’ll find it here. If I am front, please show me the direction.

@LupusE

Thank you for sharing your setup. You could probably simplify the process by just using GitHub - trailofbits/algo: Set up a personal VPN in the cloud to securely install a WireGuard server on a cloud provider (there’s still some light logging to disable see the wiki).

You’re correct that OpenVPN is slower. Another downside to OpenVPN is that if you configure it yourself, there’s like 2-3 locations where you should disable logging. Otherwise someone could compromise your server and learn about your traffic.

However, the goal is to take it much further than a basic WireGuard or OpenVPN server. The goal is to add more advanced traffic obfuscation.

There are maintained versions of Shadowsocks, such as GitHub - shadowsocks/shadowsocks-rust: A Rust port of shadowsocks

I suspect that those who do know here would prefer to stay quiet. I gather much of this crowd is from Hong Kong or China, where the stakes are higher. For them, revealing various security setups in detail could induce crackdowns and have consequences on real lives.