Shadowsocks

It would be great if Shadowsocks support was added to ROS because it can masquerade VPN traffic as HTTPS. Does anyone else think so? It seems relatively simple to implement and is a great selling point. Otherwise, I’d have to mess with dst-nat rules to forward it to some server in the network.

I would also appreciate this feature.

Containers may help, when released.

Not the expert here: But I’ve seen others use WireGuard as VPN over RouterOS’s SOCKS5 support to do this. You do need v7.2rcX for SOCKS5 to work. See: http://forum.mikrotik.com/t/socks5-not-working-in-routeros7/153414/1

I might be wrong, so please excuse me if I am, but in my understanding the topic you linked to (by @soheilsh) is about just forwarding the traffic that came [from the local network clients] to the SOCKS proxy [on a MikroTik router] into the WireGuard tunnel [between this MikroTik and a remote WireGuard server peer at a remote location] (previously – PPTP tunnel).

Whereas in this topic comrades ask about wrapping VPN traffic to obfuscate it [likely because in the comrades’ circumstances, unlike @soheilsh’s, that VPN protocol is not allowed / passed through]. Or, generally, tunnelling traffic at a MikroTik router via SOCKS to a remote SOCKS proxy server (what the Shadowsocks protocol does with encryption).

Also, there is a way to tunnel WireGuard (or another VPN) using Xray-core from Project X. It supports various obfuscating protocols including Shadowsocks, but now others are more popular, like VLESS+REALITY (XTLS), which is more sophisticated and secure. Xray-core can run in a container and forward ports using its Dokodemo-Door inbound protocol.
I configured Xray-core for a PoC in a ROS container (with this image directly from hub) to obfuscate ROS WireGuard for my custom BTH VPN solution for connecting to home LAN and for using internet over home WAN from a remote location. Xray-core in the container is forwarding a port to <router_ip>:<wireguard_port>; the WireGuard setup and rules in ROS are the same as for any other custom BTH VPN. The setup is similar to the example from here.
This kind of BTH VPN tunneling cannot work on mobile OSes (Android, iOS) because they are limited to a single VPN connection: the Xray app brings up a VPN on the device, and then the WireGuard VPN app, when it tries to connect, shuts down the existing VPN, which then closes the tunneled port on localhost created by the Xray app. But e.g. on my macOS this is working without problems using xray from MacPorts and the official WireGuard app from the App Store.
For a site-to-site router connection this should be possible to set up: on each ROS site Xray-core can run in a container and forward a port to the local WireGuard port, and WireGuard can be configured as any site-to-site VPN setup depending on needs, just with a somewhat lower MTU because of the tunnel.
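
The port-forwarding arrangement described in the post above, sketched as an added example that is not part of the thread and not the poster's own configuration. It assumes the Shadowsocks protocol between the two Xray instances (the poster uses VLESS+REALITY), and every address, port and secret is a constructed placeholder.

```jsonc
// Added illustration, not the poster's configuration. Addresses, ports and the
// password are constructed placeholders. Two separate Xray config files follow.
// ---- File 1: remote client (e.g. laptop) ----
{
  "inbounds": [{
    // WireGuard on this machine uses 127.0.0.1:51820 as its peer endpoint.
    "listen": "127.0.0.1",
    "port": 51820,
    "protocol": "dokodemo-door",
    "settings": {
      // Destination dialled on the far side: <router_ip>:<wireguard_port>
      "address": "192.0.2.1",
      "port": 13231,
      "network": "udp"
    }
  }],
  "outbounds": [{
    "protocol": "shadowsocks",
    "settings": {
      "servers": [{
        "address": "198.51.100.10", // public address of the router (placeholder)
        "port": 8388,
        "method": "chacha20-ietf-poly1305",
        "password": "REPLACE_WITH_LONG_RANDOM_SECRET"
      }]
    }
  }]
}
// ---- File 2: Xray in the container on the router ----
{
  "inbounds": [{
    "port": 8388,
    "protocol": "shadowsocks",
    "settings": {
      "method": "chacha20-ietf-poly1305",
      "password": "REPLACE_WITH_LONG_RANDOM_SECRET",
      "network": "tcp,udp" // UDP must be enabled to carry WireGuard
    }
  }],
  // "freedom" dials whatever destination the client requested.
  "outbounds": [{ "protocol": "freedom" }]
}
```

With a `freedom` outbound, anyone holding the Shadowsocks password can reach any address the container can route to, so the container's interface should be firewalled to allow only the WireGuard port on the router.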

Is there any update on this? Internet censorship is becoming increasingly common worldwide, so we urgently need a reliable solution to bypass it. I’ve started using OpenWRT instead of RouterOS, but that’s not feasible on all my Mikrotik routers. It would be great to have this feature in RouterOS; otherwise, I may have to switch hardware across the board.

Just a note: Google also realizes that such solutions are required, so I’m using Outline to configure Shadowsocks servers, and it’s blazingly simple!

It is possible to run it now in ROS containers; I previously had a Shadowsocks setup (shadowsocks-libev implementation) in a container before switching to Xray.
Brief description about anti-censorship software and protocols: https://hostry.com/blog/evolution-of-internet-censorship-circumvention-tools-shadowsocks-v2ray-xray-and-their-protocols-vmess-vless-xtls/?d=1

optio, thank you for sharing all this knowledge and experience!

Did I understand correctly that in the ROS container you’re running a server? Can I ask if you have some advice or guide to share regarding running a client instead [in a ROS container]? Or the steps are very similar? (Excuse me, haven’t had experience with the containers yet).

P.S.: the Hostry blog post seems unavailable :( And the Wayback Machine struggles to load its only snapshot… Maybe you know any other location of that article?

Could someone please, by any chance, tell me the reason they need not just a Shadowsocks or VLESS/VMESS connection, but to tunnel a WireGuard connection through it? AFAIK those protocols' clients are available for many OSes including the mobile platforms. I’m sorry to be missing something.

Xray can run as a server or a client from its executable in a container; the difference is how it is configured, a peer configuration approach, similar to WG but far more flexible.
Here is an example configuration of the server and client side for Xray with a WG tunnel. Xray on the client side in this case is not running in a container, but it could; the configuration must be on the same path as described for the server in that post.


Idk, maybe it is temporarily down; there was nothing technical there, just a brief comparison and evolution of anti-censorship tools and protocols.


In case you need a transparent connection and routing over it on the client side (no need to manually set the Xray proxy in the network client's browser/OS), then the easiest way is to create a VPN (e.g. WG) tunnel inside Xray, but in this case you need the server side under your control (site-to-site tunnel). If it is not under your control, e.g. if it is some public/commercial Xray exit node, there are ways to create routing inside the client container, but it is more complex.

optio, I can’t thank you enough!
Extremely valuable for the public-DPI times.