shadowsocks-asuswrt-merlin's People

Contributors

acris, astepchenko, bnuhero, hunterlau2020, ryncsn

shadowsocks-asuswrt-merlin's Issues

Unstable connection

So, I've faced the following issue now. It starts successfully, and my traffic goes the right way, through shadowsocks, but after a while it stops going through. If I do #ss-merlin stop && ss-merlin start, it goes OK. Any idea how to set up reconnect, or keep-alive, or whatever else to keep the connection to my shadowsocks server alive?

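Is the transparent proxy not working?

Sorry to bother you, I have one more question: it runs normally and sites in China are fine, but I can't get past the firewall.
In Chrome I tried both a direct connection and a proxy on port 1080, and neither works.
Please help take a look.
Thanks.

YouTube and Twitter behave the same way:
This site can’t be reached
www.youtube.com refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

Google Play shows a different error:
This site can’t be reached
The webpage at https://play.google.com/store might be temporarily down or it may have moved permanently to a new web address.
ERR_QUIC_PROTOCOL_ERROR

The configuration is as follows:
【ss-merlin.conf】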

# Route mode
## 0: GFW list.
## 1: Bypass mainland China.
## 2: Global mode.
mode=0

# UDP support
## 0: Disable UDP.
## 1: Enable UDP, require server side support.
udp=0

# LAN IPs
## Configure which LAN IP will pass transparent proxy.
## Default is 0.0.0.0/0, means all LAN devices will affected.
## You can assign a LAN IP like 192.169.1.125 means only this device can pass transparent proxy.
lan_ips=0.0.0.0/0

# China DNS IP
## Default is 119.29.29.29
china_dns_ip=119.29.29.29

【config.json】

{
  "server": "****",
  "server_port": 16534,
  "password": "****",
  "method": "chacha20-ietf-poly1305",
  "local_address": "0.0.0.0",
  "local_port": 1080,
  "timeout": 600,
  "mode": "tcp_only"
  }

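For ipset / iptables, see the attachment.

I'm on a company intranet. Does that have anything to do with it? The company network is on the 192.168.55.1 segment and my router is 192.168.0.1.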

etc.zip

Incorrect traffic redirection

Hi,
I've put just 3 domains to user_domain_name_gfwlist.txt, and then I started ss-merlin and noticed youtube and google used shadowsocks, could you please help me to understand what is wrong?

My configuration is:

# Route mode
## 0: GFW list.
mode=0

# UDP support
## 1: Enable UDP, require server side support.
udp=1

Works but not stable: random weird lost connections, WAN IP remains but ssh login keeps being refused, only choice is reboot.

The script is working, that’s amazing. It even supports DoT! I can say the author, whoever you are, is putting in great effort and hard work to make this work on the original, trusty Asuswrt-Merlin, thanks a lot!!! I can’t appreciate it more. The problems are:
1.- Randomly lost connection, mostly at night, when visits shift from CN sites to outside ones or when family members' devices are added in. I don’t know for sure. When this happened, I had no idea what triggered it; I either lost the WAN connection, or still obtained a WAN IP but the router showed disconnected in the network map, and also lost the ssh connection, on both Mac and Android 10 phones. If I had already logged in to the router, every command resulted in "Segmentation fault"; if not, the ssh login attempts would be refused by the router. Thus I cannot try to restart the script manually, only reboot. And I noticed that almost every time, the logs in the WebUI contain these notices:

* "plugin service exit unexpectedly"
* "error, plugin service exit unexpectedly"
* "nat: apply nat rules (/tmp/nat_rules_ppp0_eth0) error!"

2.- I enabled the router's scheduled reboot, but it often doesn't work. The more reliable working procedure is to manually shut off the fiber modem, reboot the router, wait for all devices to connect to the router, then turn on the modem to obtain the WAN IP.
3.- Even with normal connections, the logs always show these abnormal notices:

"server recv: Connection reset by peer; "
"WLCEVENTD: eth2: Disassoc 70:E7:2C:……..; "

SOMETIMES:

"unbound: [10637:0] notice: init module 0: validator
May  5 13:15:00 unbound: [10637:0] notice: init module 1: iterator"

These weird things above, in my guess, are they proof that this script can be detected, or what? What triggered the router's disconnection from devices and even from ssh login to the router? Or is this a problem with my router firmware? I searched and found that WLCEVENTD: eth2: Assoc / Disassoc mean a device connecting / disconnecting, but I don’t know why these keep happening when no devices are turned on or off at the time.

BTW: My setup is an rt-ac88u (fm: 384.13) with PPPoE to a China Mobile fiber modem; the server uses "quick" mode [I once tried tls, and the server docker logs showed tls failed]; client: TCP-only, bypass mode; WAN DNS points to the router/gateway, and LAN DNS as well, so all client DNS queries can be handled by the unbound listening port instead of the DHCP server force-pushing 114 along with the router's IP.

Regarding DoT, I think maybe unbound isn't that stable on Entware? Can you consider supporting stubby, which comes with the official Merlin firmware? It listens on 127.0.1.1:53;
Or the 3rd-party stubby script by Xentrk, which supports custom designated ports. I tried to point stubby to listen on 15253, but most of the time only UDP could be activated and TCP failed.

P.S. Is there any possibility of supporting v2&ray running on the router? V2ray seems more stable and more promising for the future; only client support is needed, since it's too hard to support the various protocol combinations. I’ve set up a working v2 + ws + tls + Nginx + CDN server, I just can’t figure out how to deploy it onto original Merlin (384.13). As for koolshare’s modified firmware, I won’t comment, but I don’t use it, even if I have to give up the router's bypass GXX capability and manually set up clients for each platform. So if you can do that it’ll be something big! Thanks and hoping...

Question about DNS route

I have experienced long loading latency for images from zhihu.com (.zhimg.com) & qq.com (.gtimg.com).

Looking further at the dnsmasq & unbound configuration, it seems all DNS requests are forwarded to dns.rubyfish.cn, which responds with some IPs that are not friendly to China hosts. The China whitelist didn't work either.

unbound upstream query through DoT rubyfish

  forward-addr: 118.89.110.78@853
  forward-addr: 47.99.165.31@853
  forward-tls-upstream: yes

The command below replaces 114.114.114.114 with 127.0.0.1, but I doubt it ends up forwarding everything to unbound. (Not proved yet, I don't have the router now for testing)

Any request -> local 53 -> local unbound

sed "s#114\.114\.114\.114#${default_dns_ip}#" ${ACCELERATED_CONFIG}.bak > ${ACCELERATED_CONFIG}

dnsmasq forwarding all to unbound with wildcard "#"
server=/#/127.0.0.1#15253

Not sure if you have the same problem; if yes, I suggest:

  1. China whitelist mode: keep 114.114.114.114 for DNS request forwarding, use unbound as local default
  2. GFW mode: Remove default forwarding, forward only gfwlist domain to unbound service
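
A way to test the forwarding question raised in the post above, as an added example that is not part of the original post or the project's code: it models which upstream dnsmasq would pick for a name from server=/domain/ lines, assuming the most specific domain suffix wins and "#" matches any name. The function names and the sample lines are constructed for illustration; zhimg.com and gtimg.com are the domains named in the post.

```shell
#!/bin/sh
# Added example (not the project's code): model which upstream dnsmasq would
# use for a name, given server=/domain/upstream lines.
# Assumption: the most specific matching domain suffix wins and "#" matches
# any domain, as the post describes for server=/#/127.0.0.1#15253.

# Constructed sample: per-domain lines after the sed rewrite to 127.0.0.1.
conf_after_sed() {
cat <<'EOF'
server=/#/127.0.0.1#15253
server=/zhimg.com/127.0.0.1
server=/gtimg.com/127.0.0.1
EOF
}

# Constructed sample: same lines with 114.114.114.114 kept (suggestion 1).
conf_keep_114() {
cat <<'EOF'
server=/#/127.0.0.1#15253
server=/zhimg.com/114.114.114.114
server=/gtimg.com/114.114.114.114
EOF
}

# upstream_for NAME: read dnsmasq lines on stdin and print the chosen
# upstream, or "default" when no server=/.../ line matches.
upstream_for() {
  awk -v name="$1" '
    BEGIN { best = -1; up = "default" }
    /^server=\// {
      n = split($0, f, "/")        # f[2..n-1] are domains, f[n] is the upstream
      for (i = 2; i < n; i++) {
        d = f[i]
        if (d == "#") {
          len = 0                  # wildcard: weakest possible match
        } else if (name == d) {
          len = length(d)          # exact match
        } else if (length(name) > length(d) &&
                   substr(name, length(name) - length(d)) == ("." d)) {
          len = length(d)          # name is a subdomain of d
        } else {
          continue
        }
        if (len > best) { best = len; up = f[n] }
      }
    }
    END { print up }
  '
}

# loopback_rules: count per-domain rules (not the "#" wildcard) whose upstream
# is a 127.x address, i.e. the domain is answered via a local resolver.
loopback_rules() {
  awk -F/ '/^server=\// && $2 != "#" && $NF ~ /^127\./ { c++ } END { print c + 0 }'
}

for name in pic1.zhimg.com www.youtube.com; do
  echo "after sed: $name -> $(conf_after_sed | upstream_for "$name")"
  echo "keep 114:  $name -> $(conf_keep_114 | upstream_for "$name")"
done
echo "per-domain loopback rules after sed: $(conf_after_sed | loopback_rules)"
```

On a router, the same functions can be fed the real files, for example by piping the contents of the dnsmasq.d directory into upstream_for with the name being checked.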

SOCKS5 realization

According to the start script this piece of code deploys a transparent proxy (ss-redir) on the router to send all traffic thru remote ShadowSocks server.

But is it possible just to open a SOCKS5 port on the router to redirect the traffic (ss-local)? I want to use such SOCKS5 not for all traffic but for separate cases.

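Help needed: the proxy doesn't work properly after starting

The router is an R7000 running XWRT-VORTEX firmware version 384.13.
During installation the connection to github was refused, unpacking failed, and so on; after several tries the installation finally succeeded. There was one error during installation:
Error: could not open HSTS store at '/root/.wget-hsts'. HSTS will be disabled. This should not affect usage.

The optical modem/router uses the China Telecom default settings. The R7000's IP is 192.168.1.100, and it is wired to the optical modem as an extension AP. Accessing www.google.com in the browser basically gives TIMEOUT; after seeing other issues I tried flushing DNS on the computer and then saw a REFUSE error.

ss-merlin.conf is unchanged, or I tried changing it to global mode and so on; the result is the same.
config.json: the server is a domain name provided by justmysocks, in a BandwagonHost data center.

{
  "server": "xxxx.xxxxxx.net",
  "server_port": 32762,
  "local_address": "0.0.0.0",
  "local_port": 1080,
  "password": "xxxxxxx",
  "timeout": 600,
  "method": "aes-256-cfb",
  "mode": "tcp_and_udp",
  "plugin": "",
  "plugin_opts": ""
}

ipset list: having read other issues, many sets here have Number of entries equal to 0; something is probably not set correctly, which causes this.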

Name: userwhitelist
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 316
References: 1
Number of entries: 0
Members:

Name: usergfwlist
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 316
References: 1
Number of entries: 0
Members:

Name: gfwlist
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 60
References: 1
Number of entries: 0
Members:

Name: localips
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 1380
References: 1
Number of entries: 19
Members:
224.0.0.0/4
172.16.0.0/12
192.168.0.0/16
203.0.113.0/24
192.88.99.0/24
192.175.48.0/24
127.0.0.0/8
198.51.100.0/24
10.0.0.0/8
192.52.193.0/24
0.0.0.0/8
198.18.0.0/15
100.64.0.0/10
192.31.196.0/24
169.254.0.0/16
255.255.255.255
192.0.0.0/24
240.0.0.0/4
192.0.2.0/24

Name: whitelist
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 220
References: 1
Number of entries: 4
Members:
176.122.134.73
119.29.29.29
118.89.110.78
47.96.179.163
admin@R7000-B25D:/tmp/mnt/sda1/entware/share/ss-merlin/etc/dnsmasq.d# ll
-rw-rw-rw-    1 admin    root       2399387 Mar  6 17:49 accelerated-domains.china.conf
-rw-rw-rw-    1 admin    root       2616752 Mar  5 21:25 accelerated-domains.china.conf.bak
-rw-rw-rw-    1 admin    root          5613 Mar  6 17:49 apple.china.conf
-rw-rw-rw-    1 admin    root          5982 Mar  5 21:25 apple.china.conf.bak
-rw-rw-rw-    1 admin    root        163860 Mar  6 17:49 dnsmasq_gfwlist_ipset.conf
-rw-rw-rw-    1 admin    root        163860 Mar  6 17:47 dnsmasq_gfwlist_ipset.conf.bak
-rw-rw-rw-    1 admin    root          2385 Mar  6 17:49 google.china.conf
-rw-rw-rw-    1 admin    root          2559 Mar  5 21:25 google.china.conf.bak
-rw-rw-rw-    1 admin    root            25 Mar  5 21:25 through_unbound.conf
admin@R7000-B25D:/tmp/mnt/sda1/entware/share/ss-merlin/etc/dnsmasq.d#

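I have run the gfwlist update script, and it is already up to date. The router has a setting where the gateway is set to the optical modem's IP; could that be related? The house's network cabling was fixed in place from the start and the router is too big to fit in the low-voltage box, so the TV and the R7000 are both connected directly to the optical modem. To let the TV access the R7000 and resources on the computer connected to the R7000, I set it to AP mode.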

chromecast dns

Devices like the Google speaker need DNS hijacking to work. Could this be added?

arm-uclibc-strip

Hello,
Following your script I have finished compiling ss-local,
but how is the step "strip the binary file by arm-uclibc-strip" compiled and installed? Could you give me some hints?

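Why can't it be installed anymore?

The previous version installed and worked normally, but today I happened to notice that CPU2 was fully loaded. Just as I was about to reinstall to troubleshoot, I ran into this problem. Could the author please check whether today's update is the cause?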

 Checking installation environment...
git version 2.22.0
opkg version dcbc142e51f5f5f2fb9e4e44657e013d3c36a52b (2019-06-14)
 Installing required packages...
Downloading http://bin.entware.net/armv7sf-k2.6/Packages.gz
Updated list of available packages in /opt/var/opkg-lists/entware
Installing haveged (1.9.6-1) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/haveged_1.9.6-1_armv7-2.6.ipk
Installing libhavege (1.9.6-1) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/libhavege_1.9.6-1_armv7-2.6.ipk
Unknown package 'unbound'.
Installing ipset (7.3-1) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/ipset_7.3-1_armv7-2.6.ipk
Installing libmnl (1.0.4-2) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/libmnl_1.0.4-2_armv7-2.6.ipk
Installing libipset (7.3-1) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/libipset_7.3-1_armv7-2.6.ipk
Installing iptables (1.4.21-3) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/iptables_1.4.21-3_armv7-2.6.ipk
Configuring libmnl.
Configuring libhavege.
Configuring haveged.
Configuring libipset.
Configuring ipset.
Configuring iptables.
Collected errors:
 * opkg_install_cmd: Cannot install package unbound.
admin@R7000:/tmp/home/root#

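Question about the transparent proxy

Environment: RT-AC68U + official Merlin firmware 384.12
Problem: The whole installation went smoothly. I set up the shadowsocks configuration in config.json; the same shadowsocks configuration works for getting past the firewall in an ss client. ss-merlin.conf is at the default GFW list mode and ss-merlin start starts normally, but it seems I can't get past the firewall. Is any extra configuration needed?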

Please add examples in user_domain_name_gfwlist.txt

I'd like to add some other domains in /tmp/opt/share/ss-merlin/rules/user_domain_name_gfwlist.txt, so I tested baidu.com first to see if it works. After several failed attempts (baidu.com, *.baidu.com, ||baidu.com), I found it's difficult for users to guess the correct format. I think a few examples would be really helpful, thanks a lot.

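Beginner question: how do I resolve an error that appears when upgrading?

Over the last few days it suddenly stopped working for some reason. I pinged my own server's IP and it is fine, not blocked, but the router can no longer get past the firewall. I wanted to update and got the error below, so I can't update. What is the problem and how can it be resolved?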

Updating source code...
Updating 4f554df..dc46bf1
error: Your local changes to the following files would be overwritten by merge:
tools/statistics.sh
Please commit your changes or stash them before you merge.
Aborting
There was an error updating. Try again later?

Custom setup for ss-merlin rules

Hi, can you advise how to configure the scripts to pass only a few domains?
As far as I can see, it syncs to the global rules and overwrites my configs. I wiped everything out from every rules file and put my domains into the gfw rules file. But after a while, it was overwritten by the default rules.

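The proxy can't be used after configuration is complete, please help take a look

The router is an RT-AC86U with the latest Asus-Merlin firmware 384.19. After configuring it following https://github.com/Acris/shadowsocks-asuswrt-merlin, it can't be used.
Initial symptoms: the VPS could not be pinged (timeout), and after connecting to WiFi, the phone could not get out even when connected to SS.
Afterwards: after turning off the router firewall, ping works, and the phone can get out when connected to SS, but without connecting it still can't.

Strangely, after ss-merlin starts, overseas sites that were not blocked before also become unreachable, for example github.

Steps taken after consulting #15:

  • Ran sh /opt/share/ss-merlin/scripts/update_gfwlist.sh, and /opt/share/ss-merlin/etc/dnsmasq.d/dnsmasq_gfwlist_ipset.conf appeared

  • Ran ipconfig /flushdns
    But the transparent proxy still doesn't work; please help take a look.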

iptables -t nat -L
Screenshot 2020-11-23 194538

ipset list
Screenshot 2020-11-23 194502
Screenshot 2020-11-23 194446

ipset list gfwlist
Screenshot 2020-11-23 192756

shadowsocks/config.json
Screenshot 2020-11-23 193200

ss-merlin.conf
Screenshot 2020-11-23 192939

Is it possible to run SSR protocol?

I used to run SS on your acris merlin-ss, and it worked quite well. But my Proxy supplier changed the SS protocol into SSR protocol. So I'm wondering if it is possible to run SSR on acris merlin-SS. Thank you, and wish you a happy new year. Best regards.

RT-AC86U check git and opkg version failed

  if ! command -v git > /dev/null 2>&1; then
    echo -e "$ansi_red Error: git is not installed, please install git first! $ansi_std"
    exit 1
  fi

  if ! command -v opkg > /dev/null 2>&1; then
    echo -e "$ansi_red Error: opkg is not found, please install Entware first! $ansi_std"
    exit 1
  fi

My 'RT-AC86U' router has git and opkg installed, but running install.sh fails at these if checks.
Running 'git --version' or 'opkg -v' succeeds.

Statement for configuration files lost after 2019/7/6 automatic upgrade

We sincerely apologize for the configuration files lost after an automatic upgrade today.

As soon as I noticed the mistake, I fixed it immediately, but there is no way to push the fix to devices proactively. Your configuration files are not really lost; they are still in the same place and just suffixed with .bak, renamed to ss-merlin.conf.bak and config.json.bak. You can recover them manually with cd /opt/share/ss-merlin/etc && mv ss-merlin.conf.bak ss-merlin.conf && mv shadowsocks/config.json.bak shadowsocks/config.json.

I will be more careful in the future and ensure this cannot happen again.

dnsmasq hijacked?

Router: Netgear R7000
Firmware: Xwrt-Vortex 384.13.0

Frequently appeared in router's log:

Aug 26 17:03:15 dnsmasq[5076]: read /etc/hosts - 5 addresses
Aug 26 17:03:15 dnsmasq[5076]: read /etc/hosts.dnsmasq - 3 addresses
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 127.0.1.1#53
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzzzmall.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzzzhong.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzzzaaaa.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzzyx.xyz (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzzyk.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzzyit.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzzyb.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzzsxx.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzzla.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzzj.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzzhisou.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzz4.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzyzphoto.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzyzan.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzyjsmba.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzyjs.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzyiquan.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzyilou.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzyftrade.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzyedu.org (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzydb.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzyb.org (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzyas.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzxw.net (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzxdc.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzx163.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzwyglxh.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzwro.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using nameserver 119.29.29.29#53 for domain zzwqqx.com (no DNSSEC)
Aug 26 17:03:15 dnsmasq[5076]: using 66241 more nameservers

Force pass proxy help needed

I tried to add software.sonymobile.com by following steps but not working as intended

1: vi /opt/share/ss-merlin/rules/user_domain_name_gfwlist.txt
2: add software.sonymobile.com to the list and save it
3: ss-merlin restart

Did I do something wrong, or is there a specific format required when adding a domain to this list?

Thank you for your excellent work!

Can't connect to shadowsocks server

Please help me out. I ran docker run -d --restart=always -p 8388:8388 -p 8388:8388/udp -v /etc/shadowsocks/shadowsocks.json:/etc/shadowsocks.json --name shadowsocks shadowsocks/shadowsocks-libev server. With the following shadowsocks.json config:

{
    "server":"0.0.0.0",
    "server_port":8388,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"xxxxxxxx",
    "timeout":300,
    "method":"aes-256-cfb",
    "fast_open": false,
    "workers": 1
}

Server is up and running:

root@shadowserver:~# docker logs -f shadowsocks
 2024-05-17 13:16:29 INFO: UDP relay enabled
 2024-05-17 13:16:29 INFO: initializing ciphers... aes-256-gcm
 2024-05-17 13:16:29 INFO: using nameserver: 8.8.8.8,8.8.4.4
 2024-05-17 13:16:29 INFO: tcp server listening at 0.0.0.0:8388
 2024-05-17 13:16:29 INFO: udp server listening at 0.0.0.0:8388

I've configured shadowsocks as mentioned in the manual here, and have the following config:

# Route mode
## 0: GFW list.
## 1: Bypass mainland China.
## 2: Global mode.
mode=0

# UDP support
## 0: Disable UDP.
## 1: Enable UDP, require server side support.
udp=1

# LAN IPs
## Configure which LAN IP will pass transparent proxy.
## Default is 0.0.0.0/0, means all LAN devices will affected.
## You can assign a LAN IP like 192.169.1.125 means only this device can pass transparent proxy.
lan_ips=0.0.0.0/0

# China DNS IP
## Default is 119.29.29.29
china_dns_ip=8.8.8.8

And shadowsocks/config.json:

{
  "server": "xx.xxx.xx.xx",
  "server_port": 8388,
  "local_address": "0.0.0.0",
  "local_port": 1080,
  "password": "xxxxxxxx",
  "timeout": 600,
  "method": "aes-256-cfb:",
  "mode": "tcp_and_udp",
  "plugin": "v2ray-plugin",
  "plugin_opts": "tls;host=cloudfront.net;path=/v2ray"
}

But when I do ss-merlin start it says:

admin@RT-AC68U-A500:/tmp/mnt/16GBFLASH/entware/share/ss-merlin/etc# ss-merlin start
 Start shadowsocks-asuswrt-merlin...
Initializing dnsmasq...
 Creating post-mount task...
Applying iptables rules...
Applying localips ipset rule...
LAN IPs are 192.168.1.0/24
Apply iptables rule done.
Starting all services...
 2024-05-17 14:21:40 INFO: plugin "v2ray-plugin" enabled
All service started.
Updating dnsmasq configuration file...

Done.
Creating cron jobs...
 Started.

But nothing happens in the logs of the shadowsocks docker container. I checked the port reachability - it's OK. Also, I'm unable to reach any WAN resource after ss-merlin starts. No DNS resolution.
What did I do wrong?

Is there a way to check the connection error?

Hi all,

First I want to say thank you for providing this wonderful software.

Last night I was setting up this shadowsocks on my AC68U. The installation and configuration process succeeded, and I didn't get any error in the terminal. However, I still can't connect to my shadowsocks server. I have tried all three modes, including the Global mode, and none of them worked.

I think there was some connection issue but I don't know where to see the error log. The terminal output showed the service was running and the process was successful. So here comes my question: is there a way to check the error log? If there is a place to check the log, it would be useful for the setup process.

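Can this program start at boot?

On an R7000 flashed with the Vortex build 384.13 it installs and configures successfully, but I found one problem: the program does not start automatically at boot.
Each time I have to enter ss-merlin start manually over ssh. Is there any way to make it start directly?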

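After running for a while, the external network can't be accessed

Hello.
I deployed this on an AC3100 with stock Merlin firmware 384.14_2, using mode 1: Bypass mainland China. Everything was normal right after starting.
Visiting ip111.cn shows:
Test from within China: domestic IP
Test from abroad: ss server IP
Test from Google: ss server IP

Before long, all external sites become inaccessible, while the internal network is unaffected.
Visiting ip111.cn shows:
Test from within China: domestic IP
Test from abroad: ss server IP
Test from Google: blank

(And strangely, ssh seems to be affected too: when logging in again, the session closes immediately after entering the password.)

The only option is to reboot the router, ssh in again, and start it again, after which external access works normally.

Is there a log to check which step is going wrong?

Thanks.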

can't connect to shadowsocks server

{
"server": "c77s1.portablesubmarines.com",
"server_port": 5110,
"local_address": "0.0.0.0",
"local_port": 1080,
"password": "xxxxxxx",
"timeout": 600,
"method": "aes-256-gcm",
"mode": "tcp_and_udp"
}

not sure if installed correctly, sometimes I saw download fail while installing, but eventually it says install finished.
shadowsocks server is working on my cell phone

"Segmentation Fault" after enabling ss-merlin

First of all thanks a lot for creating this project! really appreciate the work!

I recently installed this on my AC87U following your instructions. The issue I am seeing now is that once I did ss-merlin start, after several minutes, my ssh session gives me Segmentation Fault for whatever command I send. And if I log out, I cannot log in via ssh again. The symptom is that it accepts my password and shows the welcome message and then kicks me out. It feels like the ssh daemon is somehow in trouble.

When this happens, I log into the Merlin webUI and can see that both CPU and memory are normal. In the end I have to reboot the router from the webUI and everything is back to normal. But if I restart ss-merlin, this happens again.

Any idea why ss-merlin will break ssh?

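A few questions

Hello. Thank you very much for developing this feature for stock Merlin. I couldn't find a relevant tutorial, so I'd like to ask a few questions here:

1. How do I configure the v2ray plugin?
2. Does the client need to set the SOCKS port 1080?
3. The gfwlist is maintained automatically, right? Then what about the whitelist?
Thank you very much.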

Error on startup

Problem description:
After running ss-merlin start, the following error messages appear:

 Start shadowsocks-asuswrt-merlin... 
Initializing dnsmasq...
 Creating post-mount task... 
Applying iptables rules...
modprobe: module ip_set not found in modules.dep
modprobe: module ip_set_hash_net not found in modules.dep
modprobe: module ip_set_hash_ip not found in modules.dep
modprobe: module xt_set not found in modules.dep
LAN IPs are 192.168.50.0/24
iptables v1.4.21: Kernel module xt_set is not loaded in.

iptables v1.4.21: Kernel module xt_set is not loaded in.

iptables v1.4.21: Kernel module xt_set is not loaded in.

iptables v1.4.21: Kernel module xt_set is not loaded in.

iptables v1.4.21: Kernel module xt_set is not loaded in.

Apply iptables rule done.
Starting all services...
 2020-04-22 14:06:23 INFO: plugin "v2ray-plugin" enabled
All service started.
Updating dnsmasq configuration file...

Done.
Creating cron jobs...
 Started. 

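After startup completes, the external network can't be accessed. I'm currently using the stock firmware; previously, when I had flashed the Merlin firmware, it worked normally after installation and the errors above did not appear. I don't know what the problem is.

Model: ac68u
Kernel: 2.6.36
Firmware version: 3.0.0.4.385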

Server not working on Asus RT-AC88U

Installation is OK.
But after running the server with ss-merlin start on 192.168.2.1:8388,
connecting fails unless I make a port forwarding rule (from external 8388 to local 192.168.2.1:1080) and disable the firewall.
Then I am able to connect to the server, but get no internet.

"Illegal instruction"

I followed the instructions in your post, started the ss-merlin
PUTTY

So far, I could not use the ASUS Router to bypass the GFW.

My Config file is like this.

{
  "server": "X.X.X.X",
  "server_port": 8388,
  "local_address": "0.0.0.0",
  "local_port":1080,
  "password": "passwd",
  "timeout": 60,
  "method": "aes-256-cfb",
  "mode": "tcp_only"
}

I did not setup any plugins on my VPS SERVER.
So, please help, Why does the "Illegal instruction" always occur? What should I do?

I can use the shadowsocks-libev on my cell phone via Shadowrocket and it works well.

Many Thanks.

ERROR: bind: Address already in use

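Hello, thank you for developing this feature. I have the following question:

ss-merlin start
starts the service, but I can't get past the firewall normally.

ss-redir -c /opt/share/ss-merlin/etc/shadowsocks/config.json
reports an error: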

 2020-03-01 11:41:00 ERROR: bind: Address already in use
 2020-03-01 11:41:00 ERROR: bind() error

The config.json file is as follows:

{
  "server": "xxx.xxx.xxx",
  "server_port": 11368,
  "local_address": "0.0.0.0",
  "local_port": 1080,
  "password": "xxxxxxxx",
  "timeout": 600,
  "method": "chacha20-ietf-poly1305",
  "mode": "tcp_and_udp",
}

What is the cause? Thanks!

Failed when unpacking objects.

Hi Acris,
Thanks for your project.
After I entered this command, I got this error:
image
I tried a couple of times but it doesn't work. What should I do to solve this?

Telegram client can't connect

Hello, the Telegram client can't connect. How should I configure this?
Other websites and apps, including Telegram Web, all work normally.
Thanks!

Traffic doesn't go through proxy

Hi
I installed your plugin and started the service and everything seems to be working, but none of my LAN devices use shadowsocks; all devices connect directly to the internet even when ss-merlin is started!
Here are the iptables rules:

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
SS_PREROUTING all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
SS_OUTPUT all -- anywhere anywhere

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain SHADOWSOCKS_TCP (2 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere match-set localips dst
RETURN tcp -- anywhere anywhere match-set whitelist dst
RETURN tcp -- anywhere anywhere match-set userwhitelist dst
REDIRECT tcp -- 192.168.4.0/24 anywhere redir ports 1080
REDIRECT tcp -- 192.168.4.0/24 anywhere match-set usergfwlist dst redir ports 1080

Chain SS_OUTPUT (1 references)
target prot opt source destination
SHADOWSOCKS_TCP tcp -- anywhere anywhere

Chain SS_PREROUTING (1 references)
target prot opt source destination
SHADOWSOCKS_TCP tcp -- 192.168.4.0/24 anywhere

I use global mode,
and the LAN IPs are the default, for all LAN devices!
And here is the shadowsocks config JSON file info:

{
  "server": "us-buf.wbnet.cf",
  "server_port": 35938,
  "local_address": "0.0.0.0",
  "local_port": 1080,
  "password": "XXXXXXXXXX",
  "timeout": 600,
  "method": "aes-256-gcm",
  "mode": "tcp_only",
  "plugin": "v2ray-plugin",
  "plugin_opts": "tls;host=cloudfront.net;path=/v2ray"
}

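v2ray configuration in config.json

Hello. Standard SS is now configured, and I'd like to add the v2ray plugin. I carefully studied your reply (for server-side configuration see https://github.com/Acris/docker-shadowsocks-libev#enable-v2ray-plugin; if you don't need tls you can remove the certificate-related configuration; keep the client (i.e. router) configuration consistent with the server), and also spent a long time studying https://github.com/Acris/docker-shadowsocks-libev#enable-v2ray-plugin, but I really couldn't figure it out.

Below is my v2ray client configuration. How should config.json be written? Thanks.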

  "outbounds": [
        {
            "protocol": "vmess",
            "settings": {
                "vnext": [
                    {
                        "address": "X.X.X.X",
                        "port": 443,
                        "users": [
                            {
                                "id": "0ffe665c-.......7269",
                                "level": 1,
                                "alterId": 4
                            }
                        ]
                    }
                ]
            }
        }
    ],

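The situation is: servers 1-n support ss, and another server x supports v2ray connections. In this case, is it enough for config.json to just specify the two servers?

Also, I don't quite understand the use case for the ss v2ray plugin. If v2ray is added, does all traffic go via v2ray and no longer via ss? Thanks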

The best AC86U solution! And one more question.

This is the best solution for AC86U, thank you Acris!!!

There is an issue during my setup: I have a server that the IP will be changed regularly, and I am using DDNS to bind a domain to this server.
When I tried to config the ss I found that I had to put the domain into user_domain_name_gfwlist.txt to force it passing through proxy, otherwise the proxy won't work, however I can dig the domain with correct IP without proxy. Not sure if it is an issue.

The shadowsocks configuration with local IP

The shadowsocks configuration file location is: /opt/share/ss-merlin/etc/shadowsocks/config.json, ensure local_address is your router's IP address.

Can the local_address be set as 127.0.0.1?
Suppose all traffic will be re-directed to router itself and localhost should work as well.
But actually it didn't work.

can you add kcptun for this

I tried this on XWRT-VORTEX and it works, thank you very much.
I also want to use kcptun to speed things up; I tried to install kcptun and failed.
So could you please add kcptun to this, or create a separate new repository, or tell me how to install kcptun on asus-merlin? Thanks very much. SS alone on the router feels slow to me.
I searched all over the internet and this is the only script that works on asus-merlin easily. I don't want to use koolshare merlin.

help needed, how to set a particular lan device to go through SS only

Great software! I set it up on my ac86u and it's working. However, I would like to specify that some devices in my LAN go through ss and others do not. Is there a way to do that? For example, my ps4 is at 192.168.0.1, MAC: xx:xx:xx:xx:13, and my pc is at 192.168.0.2, MAC: xx:xx:xx:xx:14, and I would like to let my ps4 go through ss only. Much appreciate your help!
