@zpoint
Last active February 19, 2024 22:30
v2ray + openvpn to unblock gfw and netflix

If you're using wireguard, please refer to v2ray+wireguard to bypass GFW and netflix/spotify/hulu

Two things need to be paid for:

  • a VPS (such as bandwagonhost)
    • If you are using China Telecom, a CN2 network is required, or you may get stuck when streaming video
    • For bandwagonhost, you need to log in, then click Client Area -> Services -> Order New Services to get a CN2 server
  • a VPN vendor to unblock netflix (an openvpn connection that can unblock netflix)

vpn

The basic idea is to set up a socks5 proxy that forwards all the network traffic it receives to a specific openvpn connection, and then, in v2ray, forward all the netflix traffic to that socks5 proxy

detail

Why not connect to the openvpn directly?

The openvpn connection is highly unstable or slow due to the GFW

Why not connect to the VPS directly?

You can easily get a fast VPS (CN2) from various providers, but most of them can't combine a fast and stable connection from China with being unblocked by netflix

So I decided to do it myself

Steps

  1. install v2ray

    bash <(curl -s -L https://git.io/v2ray.sh)

  2. config the openvpn connection inside a docker container

In most cases the following commands won't set everything up properly on their own; please read the Notice part and change the configuration if something goes wrong

    git clone https://github.com/zpoint/openvpn_socks5_docker.git
    cd openvpn_socks5_docker
    ./build.sh
    ./start.sh      # starts the container and drops you into a shell inside it
    launch *.ovpn   # run inside the container

  3. exit the docker container and change your v2ray config file to forward the netflix traffic to the openvpn connection inside the container. This is part of my config file, located in /etc/v2ray/config.json:

    "inbounds": [
      {
        "port": 8888,
        "protocol": "vmess",
        "settings": {
          "clients": [
            {
              // private config
            }
          ]
        },
        "streamSettings": {
          "network": "ws"
        },
        "sniffing": {
          "enabled": true,
          "destOverride": [
            "http",
            "tls"
          ]
        }
      }
    ],

    "outbounds": [
      {
        "protocol": "socks",
        "settings": {
          "servers": [{
            "port": 9050,
            "address": "localhost"
          }]
        },
        "streamSettings": {
          "tcpSettings": {
            "header": {
              "type": "none"
            }
          },
          "network": "tcp",
          "security": "none"
        },
        "tag": "streaming"
      }
    ],

    "routing": {
      "domainStrategy": "IPOnDemand",
      "rules": [
        {
          "type": "field",
          "domain": [
            "domain:btstatic.com",
            "domain:netflix.com",
            "domain:netflix.net",
            "domain:nflxext.com",
            "domain:nflximg.com",
            "domain:nflximg.net",
            "domain:nflxsearch.net",
            "domain:nflxso.net",
            "domain:nflxvideo.net",
            "domain:ipaddress.com"
          ],
          "outboundTag": "streaming"
        }
      ]
    }
    

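As an added example (not code from the gist or from the v2ray project), here is the routing decision the config above makes, reproduced in Python: which outbound tag a destination hostname gets under v2ray's `domain:` / `full:` / `regexp:` / plain rule syntax. The `direct` freedom outbound listed first is an assumption about the unshown part of the author's file; v2ray falls back to the first listed outbound when no rule matches, so if the socks outbound were first, all non-netflix traffic would also go through the openvpn container.

```python
import re

# Constructed config for this example: the "domain:" rule list is the one
# from the gist; the "direct" freedom outbound listed first is an ASSUMPTION
# about the unshown part of the author's file. v2ray uses the first outbound
# as the default when no routing rule matches.
CONFIG = {
    "outbounds": [
        {"protocol": "freedom", "tag": "direct"},
        {"protocol": "socks", "tag": "streaming"},
    ],
    "routing": {
        "domainStrategy": "IPOnDemand",
        "rules": [{
            "type": "field",
            "domain": [
                "domain:btstatic.com", "domain:netflix.com", "domain:netflix.net",
                "domain:nflxext.com", "domain:nflximg.com", "domain:nflximg.net",
                "domain:nflxsearch.net", "domain:nflxso.net", "domain:nflxvideo.net",
                "domain:ipaddress.com",
            ],
            "outboundTag": "streaming",
        }],
    },
}

def domain_matches(pattern: str, host: str) -> bool:
    """v2ray domain rule syntax: 'domain:x' matches x and its subdomains,
    'full:x' is an exact match, 'regexp:x' is a regex, and a bare string is
    a substring match. 'geosite:' needs the external geosite.dat, so it is
    rejected here rather than silently ignored."""
    host = host.lower().rstrip(".")
    kind, sep, value = pattern.partition(":")
    if not sep:                                   # bare pattern, no prefix
        return pattern.lower() in host
    value = value.lower()
    if kind == "domain":
        return host == value or host.endswith("." + value)
    if kind == "full":
        return host == value
    if kind == "regexp":
        return re.search(value, host) is not None
    raise ValueError(f"unsupported rule prefix {kind!r}")

def pick_outbound(config: dict, host: str) -> str:
    """Return the outbound tag the first matching 'field' rule selects,
    or the default (first listed) outbound when nothing matches."""
    for rule in config["routing"]["rules"]:
        if rule.get("type") != "field":
            continue
        if any(domain_matches(p, host) for p in rule.get("domain", [])):
            return rule["outboundTag"]
    return config["outbounds"][0]["tag"]
```

Note that `domain:netflix.com` does not match `notnetflix.com`, while a bare `netflix` pattern would, which is why the gist's rules use the `domain:` prefix.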

@mehdi198080

Is it possible to add the launch command to the start script?

@zpoint
Author

zpoint commented Dec 3, 2021

@mehdi198080 Yes, but the start script is not robust enough right now; sometimes the launch command may fail.
If the default launch command fails, we still need some modifications of the configure file, such as manually changing the network interface name and checking whether the proxy server works.
The above steps can be automated and integrated into the start script, but I am busy recently; contributions/merge requests are very welcome.

@mehdi198080

@zpoint Everything is working very well except launching openvpn. I just want to ask you which line I need to edit?
You put launch in openvpn.sh but it is not working.
Thank you

@zpoint
Author

zpoint commented Dec 3, 2021

@mehdi198080

try modifying line 25 of start.sh to

    /bin/bash -c 'cd /etc/openvpn; source ~/.bashrc; launch *.ovpn; exec "${SHELL:-sh}"'

@mehdi198080

@zpoint Working great now, thank you so much. If possible, please advise us how to run it at startup.

@mehdi198080

Is there any way to reconnect the openvpn connection?

@zpoint
Author

zpoint commented Dec 7, 2021

@mehdi198080

You can write a checkalive script that constantly checks whether there's an alive vpn connection process inside your container (via ps -ef | grep xxx);
if not, run the command in start.sh.

@mehdi198080

@zpoint
I run 6 containers for routing and load balancing; here is the output of the command ps -ef | grep /usr/bin/docker-proxy:

    root      2817   867  0 Dec06 ?        00:00:12 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 9030 -container-ip 172.17.0.5 -container-port 1030
    root      3033   867  0 Dec06 ?        00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 9020 -container-ip 172.17.0.6 -container-port 1020
    root      3889   867  0 Dec06 ?        00:00:11 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 9016 -container-ip 172.17.0.2 -container-port 1016
    root     12391   867  0 Dec06 ?        00:03:25 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 9010 -container-ip 172.17.0.4 -container-port 1010
    root     12816   867  0 Dec06 ?        00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 9015 -container-ip 172.17.0.3 -container-port 1015
    root     32840   867  0 16:41 ?        00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 9025 -container-ip 172.17.0.7 -container-port 1025
    root     33059 30971  0 16:44 pts/1    00:00:00 grep --color=auto /usr/bin/docker-proxy

I am not a pro in linux; does this help?

@zpoint
Author

zpoint commented Dec 7, 2021

@mehdi198080

try a google search for "shell restart process"

@mehdi198080

mehdi198080 commented Dec 7, 2021

here is my shell script; I put it in crontab, but the start gets stuck at the last line, as I can see in the log

    #!/bin/sh

    ps auxw | grep usa | grep -v grep > /dev/null

    if [ $? != 0 ]
    then
        bash /root/usa/start.sh > /dev/null
    fi

@mehdi198080

this is the error

    docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/root/config/danted.conf" to rootfs at "/etc/danted.conf" caused: mount through procfd: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type.
    the input device is not a TTY

@zpoint
Author

zpoint commented Dec 8, 2021

@mehdi198080

I think you should put your shell script and crontab inside the container.

There are only two commands in start.sh: start the container and enter it.

If you're already inside the container, what would you expect start.sh to do?

try replacing the run of start.sh with the command you use to manually launch openvpn

And your question is "how to write a checkalive shell script inside the container", which is far away from the topic of this article.

I think you should ask on stackoverflow or google for your answer. Since I am not good at shell scripts either, I am afraid I can't help more.

@tkmw1985

Is it possible to make openvpn+v2ray, not v2ray+openvpn?

@zpoint
Author

zpoint commented Feb 3, 2023

@tkmw1985

Is it possible to make openvpn+v2ray, not v2ray+openvpn?

Not sure about the meaning, can you provide a use case?

@silvermoon1400

Hello
I am from Iran
We are under the strictest internet censorship
Can your script work around this limitation?

@zpoint
Author

zpoint commented Feb 19, 2023

@silvermoon1400
Not sure if it will work in Iran; the plan is only tested in China.
You should probably search reddit / google to get others' experience.

@silvermoon1400

silvermoon1400 commented Feb 19, 2023 via email

@silvermoon1400

silvermoon1400 commented Feb 20, 2023 via email

@zpoint
Author

zpoint commented Feb 20, 2023

@silvermoon1400 Please contact my personal email zp0int@qq.com

@ackl

ackl commented Apr 6, 2023

I seem to be having an issue with the v2ray outbound to socks connection on the server side

The OpenVPN socks docker container works fine when I try connecting directly through curl

e.g.

    curl --socks5 [::1]:9050 <domain>
    curl --socks5 localhost:9050 <domain>
    curl --socks5 127.0.0.1:9050 <domain>

all return 200 OK, and it is indeed using the IP of the openvpn server

However when I try to connect through v2ray it doesn't work and I get a bunch of these in the v2ray error logs:

    2023/04/06 10:43:35 [Warning] [246023724] app/proxyman/outbound: failed to process outbound traffic > proxy/socks: failed to establish connection to server > proxy/socks: server rejects request: 4

Checking the danted logs in the docker container, I see:

    Apr  6 10:43:51 (1680777831.161874) danted[442]: info: block(1): tcp/connect ]: 172.17.0.1.46706 172.17.0.2.1080: could not resolve hostname "<domain>": Temporary failure in name resolution

for every single domain I try to connect to. But this doesn't happen when I directly do curl --socks5

e.g. doing curl to ipinfo.io via socks5

    Apr  6 10:57:26 (1680778646.797127) danted[528]: info: pass(1): tcp/accept [: 172.17.0.1.40830 172.17.0.2.1080
    Apr  6 10:57:27 (1680778647.073033) danted[477]: info: pass(1): tcp/connect [: 172.17.0.1.40830 172.17.0.2.1080 -> 100.65.8.4.40830 34.117.59.81.80
    Apr  6 10:57:28 (1680778648.342735) danted[477]: info: pass(1): tcp/connect ]: 708 -> 172.17.0.1.40830 172.17.0.2.1080 -> 73, 73 -> 100.65.8.4.40830 34.117.59.81.80 -> 708: local client closed.  Session duration: 2s
    Apr  6 10:57:28 (1680778648.342842) danted[477]: info: pass(1): tcp/accept ]: 708 -> 172.17.0.1.40830 172.17.0.2.1080 -> 73: local client closed.  Session duration: 2s

So it seems to be something to do with DNS, but I'm not clear at which level

Here is my v2ray conf

    {
      "log": {
        "loglevel": "info",
        "access": "/var/log/v2ray/access.log",
        "error": "/var/log/v2ray/error.log"
      },
      "inbounds": [
        {
          "port": 10000,
          "listen": "127.0.0.1",
          "protocol": "vmess",
          "settings": {
            "clients": [
              ...
            ]
          },
          "streamSettings": {
            "network": "ws",
            "wsSettings": {
              "path": "/ray"
            }
          }
        }
      ],
      "outbounds": [
        {
          "protocol": "socks",
          "settings": {
            "servers": [{
              "port": 9050,
              "address": "127.0.0.1"
            }]
          }
        }
      ]
    }

I have tried with and without routing in the config

Any ideas? :)

@zpoint
Author

zpoint commented Apr 6, 2023

@ackl From the log

    could not resolve hostname "<domain>"

It seems that "<domain>" is not a valid hostname that can be resolved. Does v2ray send the wrong host to the socks5 proxy (which is unlikely)?

With the routing config, do some of your connections succeed with direct routing while the others fail with socks5 proxy routing, or do all connections fail?

@ackl

ackl commented Apr 6, 2023

Sorry, I should've made it clearer: I have redacted the domain name in my logs, replacing it with <domain>

With the routing config, the direct routing succeeds; just the socks5 proxy routed ones fail.

e.g. if I put domain:netflix.com in the domain list for the outboundTag used in the socks outbound, in the danted logs:

    Apr  6 15:06:15 (1680793575.224527) danted[644]: info: block(1): tcp/connect ]: 172.17.0.1.58482 172.17.0.2.1080: could not resolve hostname "netflix.com": Temporary failure in name resolution
    Apr  6 15:06:15 (1680793575.225733) danted[644]: info: block(1): tcp/accept ]: 172.17.0.1.58482 172.17.0.2.1080: request was not performed due to error: could not resolve hostname "netflix.com": Temporary failure in name resolution

@zpoint
Author

zpoint commented Apr 10, 2023

@ackl Does nslookup netflix.com succeed inside the container that runs danted?

@ackl

ackl commented Apr 11, 2023

thanks, that helped me fix the issue.

No, I couldn't do DNS queries inside the container when connected to my ovpn profile while I had redirect-gateway def1 in the config. I'm not too sure why, since I have no issues with DNS when I use that config to connect directly to the openvpn server on my local machine.

As for the curl commands working, it turns out the --socks5 option doesn't proxy DNS lookups:

    --socks5 <host[:port]>
                  Use the specified SOCKS5 proxy - but resolve the host name locally. If the port number is not specified, it is assumed at port 1080.
    --socks5-hostname <host[:port]>
                  Use the specified SOCKS5 proxy (and let the proxy resolve the host name). If the port number is not specified, it is assumed at port 1080.
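The difference ackl found, as an added example that is not code from the gist or from curl, v2ray or danted: encoding a SOCKS5 CONNECT request (RFC 1928) the way `curl --socks5` sends it (address resolved locally, so ATYP 1 or 4) versus the way v2ray's socks outbound and `curl --socks5-hostname` send it (hostname as ATYP 3, leaving resolution to danted inside the container), and decoding the proxy's reply, whose REP code 4 is the "server rejects request: 4" in the v2ray log above. The reply bytes in the checks are constructed.

```python
import socket
import struct

# SOCKS5 (RFC 1928) address types and reply codes. The "server rejects
# request: 4" in the v2ray log is REP 0x04 coming back from danted.
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}

def build_connect(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request (VER CMD RSV ATYP DST.ADDR DST.PORT).
    A literal IP goes out as ATYP 1/4, which is what `curl --socks5` sends
    after resolving locally; a hostname goes out as ATYP 3, which is what
    v2ray's socks outbound and `curl --socks5-hostname` send, leaving the
    proxy (danted in the container) to resolve it."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            if not 0 < len(name) < 256:
                raise ValueError("hostname length must fit in one byte")
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([0x05, 0x01, 0x00]) + addr + struct.pack("!H", port)

def proxy_resolves(request: bytes) -> bool:
    """True when the request hands a hostname to the proxy for resolution."""
    return len(request) > 3 and request[3] == ATYP_DOMAIN

def parse_reply(data: bytes) -> dict:
    """Decode a SOCKS5 reply (VER REP RSV ATYP BND.ADDR BND.PORT)."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, end = socket.inet_ntop(socket.AF_INET, data[4:8]), 8
    elif atyp == ATYP_IPV6:
        host, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    elif atyp == ATYP_DOMAIN:
        host, end = data[5:5 + data[4]].decode("idna"), 5 + data[4]
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return {"rep": rep, "text": REP_TEXT.get(rep, "unknown"),
            "bind_host": host, "bind_port": port}
```

A quick way to reproduce the v2ray-side failure from the host is therefore `curl --socks5-hostname`, not `curl --socks5`, since only the former exercises DNS inside the container.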

@zpoint
Author

zpoint commented Apr 20, 2023

I asked How to config v2ray to proxy netflix to a sock5 proxy and other traffic to other server side proxy

GPT4 generated answer:

To configure V2Ray for proxying Netflix traffic to a SOCKS5 proxy and other traffic to a different server-side proxy, you need to set up routing rules in your V2Ray configuration file. The following is a step-by-step guide to help you achieve this:

  1. Install V2Ray: If you haven't already, install V2Ray on your device by following the official installation guide: https://www.v2ray.com/en/welcome/install.html

  2. Create a V2Ray configuration file: Create or modify your V2Ray configuration file (config.json). This file is usually located in /etc/v2ray/config.json or /usr/local/etc/v2ray/config.json, depending on your installation.

  3. Setup the V2Ray configuration: In the config.json file, create or modify the configuration with the following structure:

    {
      "inbounds": [
        {
          "port": 1080,
          "protocol": "socks",
          "listen": "0.0.0.0",
          "settings": {
            "auth": "noauth",
            "udp": true,
            "ip": "127.0.0.1"
          },
          "sniffing": {
            "enabled": true,
            "destOverride": ["http", "tls"]
          }
        }
      ],
      "outbounds": [
        {
          "protocol": "freedom",
          "settings": {},
          "tag": "direct"
        },
        {
          "protocol": "socks",
          "settings": {
            "servers": [
              {
                "address": "your_socks5_proxy_ip",
                "port": your_socks5_proxy_port,
                "users": [
                  {
                    "user": "your_socks5_username",
                    "pass": "your_socks5_password"
                  }
                ]
              }
            ]
          },
          "tag": "socks5"
        },
        {
          "protocol": "vmess",
          "settings": {
            "vnext": [
              {
                "address": "your_other_proxy_ip",
                "port": your_other_proxy_port,
                "users": [
                  {
                    "id": "your_user_id",
                    "alterId": your_alter_id,
                    "security": "auto"
                  }
                ]
              }
            ]
          },
          "tag": "other_proxy"
        }
      ],
      "routing": {
        "rules": [
          {
            "type": "field",
            "domain": ["geosite:netflix"],
            "outboundTag": "socks5"
          },
          {
            "type": "field",
            "ip": ["geoip:private"],
            "outboundTag": "direct"
          },
          {
            "type": "field",
            "network": "udp,tcp",
            "outboundTag": "other_proxy"
          }
        ]
      }
    }

  4. Configure the settings: Replace the placeholders in the configuration file with your actual proxy settings:
    • your_socks5_proxy_ip: Replace with your SOCKS5 proxy IP address.
    • your_socks5_proxy_port: Replace with your SOCKS5 proxy port number.
    • your_socks5_username: Replace with your SOCKS5 proxy username, if required.
    • your_socks5_password: Replace with your SOCKS5 proxy password, if required.
    • your_other_proxy_ip: Replace with the IP address of your other server-side proxy.
    • your_other_proxy_port: Replace with the port number of your other server-side proxy.
    • your_user_id: Replace with your user ID for the other server-side proxy.
    • your_alter_id: Replace with your alter ID for the other server-side proxy.

  5. Restart V2Ray: Restart your V2Ray service to apply the new configuration. Depending on your system, you can use one of the following commands:

    sudo systemctl restart v2ray

or

    sudo service v2ray restart

Now, your V2Ray client is configured to proxy Netflix traffic to your specified SOCKS5 proxy, and other traffic is routed to your other server-side proxy.

@Shakil7654

Hi, I am in China and have surfshark openvpn files. It works well, but after a few hours the vpn just stops. So I am thinking of using it with v2ray. Should I change anything in the v2ray configure file?

@itfriend360

@zpoint @ALL
Hi,
Can I use Trojan instead of v2ray?
If it's possible, could you provide me with a guide?

@ackl

ackl commented Jun 20, 2023

I believe v2ray already supports the use of trojan (https://github.com/v2fly/v2ray-core/tree/master/proxy/trojan), so you can still follow the original guide on this gist, but use trojan instead of vmess protocol on the inbound config block for your server. And on your client v2ray, use trojan on the outbound config. https://www.v2fly.org/en_US/v5/config/proxy/trojan.html

@itfriend360

thank you so much^^

@itfriend360

itfriend360 commented Jun 27, 2023

@zpoint @ackl @mehdi198080

Hi,
I tried to test, OK, no problem:

    curl --socks5 [::1]:9050

But I seem to be having an issue with the v2ray config.
help me !

Here is my v2ray conf

    {
      "log": {
        "access": "/var/log/v2ray/access.log",
        "error": "/var/log/v2ray/error.log",
        "loglevel": "warning"
      },

      "inbound": {
        "port": 20478,
        "protocol": "vmess",
        "settings": {
          "clients": [
            {
              "id": "2ccbe244-96e4-4ae1-b761-3d86666f6a93",
              "encryption": "aes-128-gcm",
              "level": 1,
              "alterId": 64
            }
          ]
        },
        "streamSettings": {
          "network": "ws"
        },
        "sniffing": {
          "enabled": true,
          "destOverride": [
            "http",
            "tls"
          ]
        }
      },

      "outbound": [
        {
          "protocol": "socks",
          "settings": {
            "servers": [{
              "port": 9050,
              "address": "localhost"
            }]
          },
          "streamSettings": {
            "tcpSettings": {
              "header": {
                "type": "none"
              }
            },
            "network": "tcp",
            "security": "none"
          },
          "tag": "streaming"
        }
      ],

      "routing": {
        "domainStrategy": "IPOnDemand",
        "rules": [
          {
            "type": "field",
            "domain": [
              "domain:btstatic.com",
              "domain:netflix.com",
              "domain:netflix.net",
              "domain:nflxext.com",
              "domain:nflximg.com",
              "domain:nflximg.net",
              "domain:nflxsearch.net",
              "domain:nflxso.net",
              "domain:nflxvideo.net",
              "domain:ipaddress.com"
            ],
            "outboundTag": "streaming"
          }
        ]
      }
    }
