@zpoint
Last active September 2, 2024 13:34
v2ray + openvpn to unblock gfw and netflix

If you're using wireguard please refer to v2ray+wireguard to bypass GFW and netflix/spotify/hulu

Two things need to be paid for

  • vps(such as bandwagonhost)
    • If you are using China Telecom, a CN2 network is required, or you may get stuck when streaming video
    • For bandwagonhost, you need to log in and click Client Area -> Services -> Order New Services to get a CN2 server
  • vpn vendor to unblock netflix (an openvpn connection that can unblock netflix)

vpn

The basic idea is to set up a socks5 proxy that forwards all traffic it receives into a specific openvpn connection, and then, in v2ray, forward all the netflix traffic to that socks5 proxy

detail

Why not connect to the openvpn directly ?

The openvpn connection is highly unstable or slow due to GFW

Why not connect to VPS directly ?

You can easily get a fast VPS (CN2) from various providers, but most of them can't combine a fast and stable connection from China with being unblocked by netflix

So, I decided to do it myself

Steps

  1. install v2ray

    bash <(curl -s -L https://git.io/v2ray.sh)
    
  2. configure an openvpn connection inside a docker container

In most cases the following commands will not set things up properly as-is; please read the Notice part to change the configuration if there's something wrong

    git clone https://github.com/zpoint/openvpn_socks5_docker.git
    cd openvpn_socks5_docker
    ./build.sh
    ./start.sh
    launch *.ovpn
  3. exit the docker container, then change your v2ray configuration file to forward the netflix traffic to the openvpn connection inside the container. This is part of my configuration file, located at /etc/v2ray/config.json

    "inbounds": [
     {
      "port": 8888,
      "protocol": "vmess",
      "settings": {
       "clients": [
        {
         // private config
        }
       ]
      },
      "streamSettings": {
       "network": "ws"
      },
      "sniffing": {
       "enabled": true,
       "destOverride": [
        "http",
        "tls"
       ]
      }
     }
    ]
    
    
    "outbounds": [
     {
      "protocol": "socks",
      "settings": {
       "servers": [{
        "port": 9050,
        "address": "localhost"
       }]
      },
      "streamSettings": {
       "tcpSettings": {
        "header": {
         "type": "none"
        }
       },
       "network": "tcp",
       "security": "none"
      },
      "tag": "streaming"
     }
    ]
    
    "routing": {
     "domainStrategy": "IPOnDemand",
     "rules": [
      {
       "type": "field",
       "domain": [
        "domain:btstatic.com",
        "domain:netflix.com",
        "domain:netflix.net",
        "domain:nflxext.com",
        "domain:nflximg.com",
        "domain:nflximg.net",
        "domain:nflxsearch.net",
        "domain:nflxso.net",
        "domain:nflxvideo.net",
        "domain:ipaddress.com"
       ],
       "outboundTag": "streaming"
      }
     ]
    }
    


@ackl

ackl commented Apr 6, 2023

Sorry, should've made it clearer, I have redacted the domain name in my logs, replacing them with <domain>

With the routing config, the direct routing succeeds, just the socks5 proxy routed ones fail.

e.g. if I put domain:netflix.com in the domain list for the outboundTag used in the socks outbound, in the danted logs:

Apr  6 15:06:15 (1680793575.224527) danted[644]: info: block(1): tcp/connect ]: 172.17.0.1.58482 172.17.0.2.1080: could not resolve hostname "netflix.com": Temporary failure in name resolution
Apr  6 15:06:15 (1680793575.225733) danted[644]: info: block(1): tcp/accept ]: 172.17.0.1.58482 172.17.0.2.1080: request was not performed due to error: could not resolve hostname "netflix.com": Temporary failure in name resolution

@zpoint
Author

zpoint commented Apr 10, 2023

@ackl Does nslookup netflix.com succeed inside the container that runs danted?

@ackl

ackl commented Apr 11, 2023

thanks, that helped me fix the issue.

No, I couldn't do DNS queries inside the container when connected to my ovpn profile while I had redirect-gateway def1 in the config. I'm not too sure why, since I have no issues with DNS when I use that config to connect directly to the openvpn server on my local.

As for the curl commands working, turns out the --socks5 option doesn't proxy DNS lookups

 --socks5 <host[:port]>
              Use the specified SOCKS5 proxy - but resolve the host name locally. If the port number is not specified, it is assumed at port 1080.
 --socks5-hostname <host[:port]>
              Use the specified SOCKS5 proxy (and let the proxy resolve the host name). If the port number is not specified, it is assumed at port 1080.

@zpoint
Author

zpoint commented Apr 20, 2023

I asked "How to config v2ray to proxy netflix to a socks5 proxy and other traffic to other server side proxy"

GPT4 generated answer:

To configure V2Ray for proxying Netflix traffic to a SOCKS5 proxy and other traffic to a different server-side proxy, you need to set up routing rules in your V2Ray configuration file. The following is a step-by-step guide to help you achieve this:

  1. Install V2Ray: If you haven't already, install V2Ray on your device by following the official installation guide: https://www.v2ray.com/en/welcome/install.html

  2. Create a V2Ray configuration file: Create or modify your V2Ray configuration file (config.json). This file is usually located in /etc/v2ray/config.json or /usr/local/etc/v2ray/config.json, depending on your installation.

  3. Setup the V2Ray configuration: In the config.json file, create or modify the configuration with the following structure:

{
  "inbounds": [
    {
      "port": 1080,
      "protocol": "socks",
      "listen": "0.0.0.0",
      "settings": {
        "auth": "noauth",
        "udp": true,
        "ip": "127.0.0.1"
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {},
      "tag": "direct"
    },
    {
      "protocol": "socks",
      "settings": {
        "servers": [
          {
            "address": "your_socks5_proxy_ip",
            "port": your_socks5_proxy_port,
            "users": [
              {
                "user": "your_socks5_username",
                "pass": "your_socks5_password"
              }
            ]
          }
        ]
      },
      "tag": "socks5"
    },
    {
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "your_other_proxy_ip",
            "port": your_other_proxy_port,
            "users": [
              {
                "id": "your_user_id",
                "alterId": your_alter_id,
                "security": "auto"
              }
            ]
          }
        ]
      },
      "tag": "other_proxy"
    }
  ],
  "routing": {
    "rules": [
      {
        "type": "field",
        "domain": ["geosite:netflix"],
        "outboundTag": "socks5"
      },
      {
        "type": "field",
        "ip": ["geoip:private"],
        "outboundTag": "direct"
      },
      {
        "type": "field",
        "network": "udp,tcp",
        "outboundTag": "other_proxy"
      }
    ]
  }
}
  4. Configure the settings: Replace the placeholders in the configuration file with your actual proxy settings:
  • your_socks5_proxy_ip: Replace with your SOCKS5 proxy IP address.
  • your_socks5_proxy_port: Replace with your SOCKS5 proxy port number.
  • your_socks5_username: Replace with your SOCKS5 proxy username, if required.
  • your_socks5_password: Replace with your SOCKS5 proxy password, if required.
  • your_other_proxy_ip: Replace with the IP address of your other server-side proxy.
  • your_other_proxy_port: Replace with the port number of your other server-side proxy.
  • your_user_id: Replace with your user ID for the other server-side proxy.
  • your_alter_id: Replace with your alter ID for the other server-side proxy.
  5. Restart V2Ray: Restart your V2Ray service to apply the new configuration. Depending on your system, you can use one of the following commands:
sudo systemctl restart v2ray

or

sudo service v2ray restart

Now, your V2Ray client is configured to proxy Netflix traffic to your specified SOCKS5 proxy, and other traffic is routed to your other server-side proxy.
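
A small check for the points a config like the one above depends on, added here as an example and not taken from the thread or the v2ray project: a `socks` inbound with `"auth": "noauth"` listening on a non-loopback address accepts connections from any host that can reach the port, every `outboundTag` has to name an existing outbound, and the first outbound receives all traffic that no rule matches. The function names and the sample config are constructed for illustration; the `0.0.0.0` and `noauth` fallbacks are v2ray's documented defaults.

```python
import ipaddress

def is_loopback(addr):
    """True for "localhost" or a loopback IP literal."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def lint(cfg):
    """Return findings for a parsed v2ray config (a dict)."""
    findings = []
    outbounds = cfg.get("outbounds", [])
    for ib in cfg.get("inbounds", []):
        listen = ib.get("listen", "0.0.0.0")   # v2ray's default when omitted
        auth = ib.get("settings", {}).get("auth", "noauth")
        if ib.get("protocol") == "socks" and auth == "noauth" \
                and not is_loopback(listen):
            findings.append(f"open-proxy: socks inbound {listen}:{ib.get('port')}")
    tags = {ob["tag"] for ob in outbounds if "tag" in ob}
    for i, rule in enumerate(cfg.get("routing", {}).get("rules", [])):
        tag = rule.get("outboundTag")
        if tag is not None and tag not in tags:
            findings.append(f"dangling-tag: rule {i} -> {tag}")
    if outbounds:   # the first outbound takes all traffic no rule matches
        first = outbounds[0]
        findings.append(f"default-outbound: {first.get('protocol')}/{first.get('tag')}")
    else:
        findings.append("no-outbounds: 'outbounds' is missing or empty")
    return findings

# Constructed sample, not a config from this page.
SAMPLE = {
    "inbounds": [{"port": 1080, "protocol": "socks", "listen": "0.0.0.0",
                  "settings": {"auth": "noauth"}}],
    "outbounds": [{"protocol": "socks", "tag": "streaming",
                   "settings": {"servers": [{"address": "localhost", "port": 9050}]}}],
    "routing": {"rules": [
        {"type": "field", "domain": ["domain:netflix.com"], "outboundTag": "streaming"},
        {"type": "field", "ip": ["geoip:private"], "outboundTag": "direct"}]},
}

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Load a real file with `json.load` and pass the result to `lint`; a file that still contains `//` comments or bare placeholders has to be cleaned up first, since it is not valid JSON.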

@Shakil7654

Hi, I am in China and have Surfshark OpenVPN files. It works well, but after a few hours the VPN just stops. So I am thinking of using it with v2ray. Should I change anything in the v2ray configuration file?

@itfriend360

@zpoint @ALL
Hi,
Can I use Trojan instead of v2ray?
If it's possible, could you provide me with a guide?

@ackl

ackl commented Jun 20, 2023

I believe v2ray already supports the use of trojan (https://github.com/v2fly/v2ray-core/tree/master/proxy/trojan), so you can still follow the original guide on this gist, but use trojan instead of vmess protocol on the inbound config block for your server. And on your client v2ray, use trojan on the outbound config. https://www.v2fly.org/en_US/v5/config/proxy/trojan.html

@itfriend360

thank you so much^^

@itfriend360

itfriend360 commented Jun 27, 2023

@zpoint @ackl @mehdi198080

Hi,
I tried to test, OK. no problem.
curl --socks5 [::1]:9050

But I seem to be having an issue with the v2ray config.
Help me!

Here is my v2ray conf


    {
      "log" : {
        "access": "/var/log/v2ray/access.log",
        "error": "/var/log/v2ray/error.log",
        "loglevel": "warning"
      },

      "inbound": {
        "port": 20478,
        "protocol": "vmess",
        "settings": {
          "clients": [
            {
              "id": "2ccbe244-96e4-4ae1-b761-3d86666f6a93",
              "encryption": "aes-128-gcm",
              "level": 1,
              "alterId": 64
            }
          ]
        },
        "streamSettings": {
          "network": "ws"
        },
        "sniffing": {
          "enabled": true,
          "destOverride": [
            "http",
            "tls"
          ]
        }
      },

      "outbound": [
        {
          "protocol": "socks",
          "settings": {
            "servers": [{
              "port": 9050,
              "address": "localhost"
            }]
          },
          "streamSettings": {
            "tcpSettings": {
              "header": {
                "type": "none"
              }
            },
            "network": "tcp",
            "security": "none"
          },
          "tag": "streaming"
        }
      ],

      "routing": {
        "domainStrategy": "IPOnDemand",
        "rules": [
          {
            "type": "field",
            "domain": [
              "domain:btstatic.com",
              "domain:netflix.com",
              "domain:netflix.net",
              "domain:nflxext.com",
              "domain:nflximg.com",
              "domain:nflximg.net",
              "domain:nflxsearch.net",
              "domain:nflxso.net",
              "domain:nflxvideo.net",
              "domain:ipaddress.com"
            ],
            "outboundTag": "streaming"
          }
        ]
      }
    }

@oops10101

redirect-gateway def1

Hey there, I'm having the same problem, but I don't know how to check for the redirect-gateway def1 option in my OpenVPN config. Can you help me with this?

@ackl

ackl commented Aug 16, 2024

@oops10101 You just need to open the .ovpn config file and try CTRL-F for the string 'redirect-gateway def1'

@oops10101

oops10101 commented Aug 16, 2024 via email
