ShadowsocksX-NG doesn't work on desktop macOS 10.12.2 with Digital Ocean

[ortonomy]

Opened an issue here: #149 but @qiuyuzhou closed it. Not sure why

@qiuyuzhou said:

Can't use pac url like 'file:///' on 10.12.2

1. I'm NOT using PAC url file://. PAC file URL is: https://raw.githubusercontent.com/gfwlist/gfwlist/master/gfwlist.txt

Use new version or global mode.

2. I'm using global
3. I'm using version 1.3.2 which is the latest

The app doesn't work, but it does on my iOS with Potatso. There is something not working with this app. What steps do I have for debug.

[ortonomy]

This doesn't work with any website on Desktop. even Github

[vayn]

I've compiled a new release which is up to the latest commit, you can try to use it.

https://github.com/Vayn/ShadowsocksX-NG/releases/latest

[qiuyuzhou]

raw.githubusercontent.com/gfwlist/gfwlist/master/gfwlist.txt
is not a valid pac file. It's a base64 text file.
Pac file should be a javascript file.

[ortonomy]

@qiuyuzhou raw.githubusercontent.com/gfwlist/gfwlist/master/gfwlist.txt was the default in Shadowsocks-NG when I downloaded it...

Perhaps a link to the correct PAC file would be helpful? Thanks!

[ortonomy]

@vayn - same issue. simply says 'No internet connection' when Shadowsocks is on.

[vayn]

Hmm, that's strange. Would you mind sending your shadowsocks account to me?

[ortonomy]

Shadowsocks account? I have a private server I rolled on Digital Ocean, that shall we say, will remain private.

And I know that the proxy works, because it works on mobile on Potatso.

[vayn]

Does Potatso work on both wifi and mobile networks?

[ortonomy]

Yes. And just tested to confirm.

[vayn]

ShadowsocksX is just a frontend of ShadowSocks, you could install it with homebrew and config it with this tutorial. Let's investigate it.

Update: Try global mode first please.

Update 2 : Hi @ortonomy do you try other browsers like Safari, Firefox besides Chrome?

[rizwankce]

I have the same set up as yours @ortonomy

• Mac OS 10.2.2
• ShdowsocksX-NG version 1.3.2 (1)
• Digital ocean servers
• GFW list url as https://raw.githubusercontent.com/gfwlist/gfwlist/master/gfwlist.txt
  It is working fine on all the mode. That is PAC, GLOBAL and MANUAL modes.

[ortonomy]

@rizwankce - that's great for you, but there's something not working this end. And especially as Potatso is working, you can see why I'd be looking at ShadowsocksX-NG as being the problem 👎

[ortonomy]

@vayn - I installed the CLI for Shadowsocks and configured with this JSON:

{
 "server" : "162.243.154.137",
"server_port":8530,
"local_address": "127.0.0.1",
"local_port":1080,
"password": //redacted,
"timeout":600,
"method":"aes-256-cfb",
"auth":true
}

And then try to access the service:

furious-purpose:etc gregoryorton$ sslocal -c /etc/shadowsocks.json
INFO: loading config from /etc/shadowsocks.json
2017-01-11 18:04:21 INFO     loading libcrypto from /usr/lib/libcrypto.dylib
2017-01-11 18:04:21 INFO     starting local at 127.0.0.1:1080
2017-01-11 18:04:46 INFO     connecting api.pinterest.com:443 from 127.0.0.1:60733
2017-01-11 18:04:46 INFO     connecting api.momentumdash.com:443 from 127.0.0.1:60735
2017-01-11 18:04:46 INFO     connecting query.yahooapis.com:443 from 127.0.0.1:60737
2017-01-11 18:04:46 INFO     connecting api.momentumdash.com:443 from 127.0.0.1:60739
2017-01-11 18:04:46 INFO     connecting google.com:80 from 127.0.0.1:60741
2017-01-11 18:04:46 INFO     connecting google.com:80 from 127.0.0.1:60742

No response...

[GuyMcCaldin]

After a few hours of struggling with the same issue as ortonomy, I'm now able to successfully connect via ShadowsocksX-NG. Frustratingly, I'm not sure exactly what was the key configuration that was stopping it from working, so I thought posting everything here might help other users.

I'm using a private VPS setup on vultr. My JSON config file looks like this:

{
"server":"xxx.xxx.xxx.xxx",
"server_port":8000,
"local_port":1080,
"password":"xxxxxxxxxx",
"timeout":600,
"method":"chacha20"
}

I was able to connect via other clients, so I was confident it wasn't a server issue.

The version of ShadowsocksX-NG I'm using is 1.3.2 (1)
It only appears to work in Global mode. I'm using the default rules PAC rules:

! Put user rules line by line in this file.
! See https://adblockplus.org/en/filter-cheatsheet

I have Auto configure enabled for Advanced Proxy Preferences.

I have my server address, port, encryption standard, and password set up in my Server Preferences. Enable OTA is left unchecked.

In Advanced Preferences, I use the following settings:

Socks5 Listen Address = 127.0.0.1
Local Socks5 Listen Port = 1080
Local PAC Listien [sic] Port = 8090
Timeout = 600 Seconds
Udp Replay is not enabled
Verbose Mode is not enabled
GFW List URL = https://raw.githubusercontent.com/gfwlist/gfwlist/master/gfwlist.txt

For my browser, I'm using Chrome with SwitchyOmega. I have a SOCKS5 profile with a server address of 127.0.0.1, using Port 1080.

I'm confident the issues I was experiencing were not related to my server setup, nor were they the result of a bug in ShadowsocksX-NG. I have a feeling one of the default settings was off (maybe Socks5 Listen Port?), and fixing this configuration was how I was able to make it work.

[ortonomy]

@GuyMcCaldin - thanks - I'll try to get as close to your 'defaults' as I can. I fear that it's something to do with my Mac's network configuration. I may just reinstall macOS (as it's been a while since I did) and see if I can get it working. Shadowsocks-NG worked on macOS Sierra when it was first released, but something recently has changed and it stopped working.

[GuyMcCaldin]

@ortonomy Before you reinstall everything, see if this works:

Go to System Preferences > Network > Advanced. Select the Proxies tab, then enable SOCKS Proxy from the list. Use 127.0.0.1 as the server address, and 1080 for the port (assuming you've set it up to use 1080). Leave 'Proxy server requires password' unchecked.

I've found this to be more reliable than SwitchyOmega. I added some bypass settings for Chinese websites that I use, but you can just leave this as '127.0.0.1, localhost'.

[GuyMcCaldin]

@ortonomy Oh, and one more thing. Shadowsocks only accepts a single connection per port, so you'll need to modify your JSON.conf if you want to connect both your computer and mobile at the same time. e.g.

{
 "server" : "162.243.154.137",
 "port_password": {
	"8388": "computer",
        "8387": "mobile"
     },
 "method": "aes-256-cfb",
 "timeout": 600
 "auth": true
 }

Where 'computer' is the password for 8388, and 'mobile' is the password for 8387. You can keep adding users using the same format "[portNumber]": "[password].

[rizwankce]

@GuyMcCaldin AFAIK shadowsocks-libev, Shadowsocks Python and GO versions does support multiple connection on same port. The port_password method is meant to configure multiple user on same server. Correct me if i am wrong

@ortonomy as @GuyMcCaldin suggests please check with your network configurations and let us know the result

[ortonomy]

We may be a little closer to the solution - but I don't know how to investigate @rizwankce @GuyMcCaldin @vayn .

I installed Shadowsocks-NG on a fresh mac, never connected to my DO Shadowsocks before.

Set up with everything, including OTA. Set to global mode. It worked and I could access everything! Then 5 minutes later it stopped. Back to google.com closed the connection.

And no it won't work at all. Sounds like NG with DO Streisand has issues - maybe too many connections? Streisand opens too many connections to proxy website - that blocks it? What explanation? That's twice I've seen the same effect on two different macs...

[rizwankce]

@ortonomy As i can see from Streisand it is using Shadowsocks-libev version to deploy a SS server on DO. Shadowsocks-libev support multiple con current connections in single server and it is the light weight server when compare to other ports. I would suggest to make some advanced settings in your DO droplet to increase the maximum number of open file descriptors and fine tune your kernal parameters.

Alternatively you can install standalone SS-lIbev in your droplet first and make some tests with it

[ortonomy]

I would suggest to make some advanced settings in your DO droplet to increase the maximum number of open file descriptors and fine tune your kernal [sic] parameters.

This.

This sounds amazing.

Happy to do myself - but how do I go about that? I've no idea what parameters or variables I'd change...

[GuyMcCaldin]

@ortonomy You might have missed the link @rizwankce embedded, but you can find the instructions on the Shadowsocks website: https://shadowsocks.org/en/config/advanced.html

@rizwankce Regarding multiple connections, yeah you're absolutely right for Shadowsocks-libev. I was basing my comments on my understanding of an older implementation, and hadn't realised this feature had been added. Thanks for letting me know.

[ortonomy]

Great, done the opitmizations on my DO Server over SSH. Should I reboot it?
Or can I just restart ssocks?

[rizwankce]

@ortonomy restart the SS and please verify the version of SS-libev. From @GuyMcCaldin comment i can see SS-libev supports multiple concurrent connections recently. So compare the version from HERE. There is a install guide as well in README file

[ortonomy]

shadowsocks-libev 2.4.0

[ortonomy]

service ss-server restart
Failed to restart ss-server.service: Unit ss-server.service not found.

👎

[ortonomy]

Sorry, I do appreciate that you're all trying to help a lot! I'm not stupid when it comes to finding stuff, but the documentation for when you have problems here are thin on the ground.

[rizwankce]

@ortonomy we understand. Documentation is not meant for regular users and even i find pretty hard at initial stage but that is how we learn new stuffs isn't?. Looks like Streisand won't start SS by services.

• Try to find where is your ss-server executable
  Typically it will be in /usr/bin/ss-server but you can run the below commend to get the exact location

whereis ss-server

• Once you got it. manually run the server by giving the config.json as parameter.

ss-server -c config.json -v

[ortonomy]

Found it, and found the executable. I did a bad thing and killed it with killall -9 ss-server which definitely killed the server.
Tried running the server with just ss-server before I saw your last post @rizwankce. And it worked! for 5 minutes... then it died again...

There's definitely a server issues - or the GFW is just really good any blocking this over residential connections!

[rizwankce]

Try with below ss server and see after 5 mins is it still working or not? Then we will know is it a server issue or GFW is blocking.

P.S:- I will delete this QR code in some time. scan it asap.

[ortonomy]

@rizwankce - thanks, yeah. That doesn't even connect at all.

This site can’t be reached

www.google.com unexpectedly closed the connection.

[ortonomy]

@rizwankce - so strange that it works on Mobile though. mobile app can't be doing anything different.

[rizwankce]

@ortonomy then it is not the problem with your residential connection as your mobile just works fine .I suspect your mac firewall, chrome (may be) .. But can not dig through everything here in Repo issue. So as we know already it is not a issue with SSx-NG client (mostly). we can close this issue here.

[ortonomy]

@rizwankce - Agreed - and yes, I want to spend more time on it. This needs to be fixed! haha.

[ortonomy]

@rizwankce - joined the telegram channel
can't send any messages though - I though channels were for announcements in Telegram.

[lobstergy]

Hi, guys. I've got the problem as same as @rizwankce. My ss-server setup on bandwagon VPS, ss client on all platforms except the latest version of shadowsockX-NG 1.3.2.(1) on my macbook pro 2016 Sierra 10.12.2 are working, like an android 6.0 phone+shadowsocks (both via wifi and mobile data ), iPad Pro with Surge, and an OpenWRT router-wndr4300, using shadowsocks-spec+dnsmasq-full+pdnsd+dnscrypt-proxy for all devices at home are working like a charm, youtube at 1080p; The same setting of shadowsockX-NG on my wife's macbook on Sierra 10.12.1 are working, too.
So, can I draw the conclusion that the current latest shadowsockX-NG isn't compatible with mac osx 10.12.2? Please figure it out what's happening, and big thanks for all your people's great efforts!

[rizwankce]

@lobstergy it is compatible with the macOS 10.2.2. I didn't quite get your problem

[PeterRistCMS]

I'm experiencing exactly the same problem with AWS.

Also using Streisand, Android 6.0 with Shadowsocks is working fine, but all shadowsocksX-NG version don't work. Installed 1.4.0, 1.3.1 and 1.2.1 with the same result.

Running MacOS 10.12.2. Tried in multiple browsers (Safari, Chrome and Firefox) and also running in global mode

Is there anything i can provide to solve this issue? Sadly it seems i'm not the only one :/

Update: I can share my QR-Code, if needed

[qiuyuzhou]

Some suggestions:

• Check if there is a file "com.qiuyuzhou.shadowsocksX-NG.local.plist" in folder "
  ~/Library/LaunchAgents"
• Enable verbose mode then check your log file: ~/Library/Logs/ss-local.log
• Try in global mode.

[PeterRistCMS]

@qiuyuzhou Thank you. I could have thought about that.

After checking the logs, i'm getting the following error:

 2017-01-19 20:22:24 ERROR: bind: Address already in use
 2017-01-19 20:22:24 ERROR: Could not bind
 2017-01-19 20:22:24 ERROR: bind() error

I have found some old files from a previous installation, thus reinstalling a new version didn't help at all, and somehow that prevented shadowsocks-NG from binding the address correctly.

I've cleaned my system from any previous shadow socks installation and did a clean installation with the latest version. After that it worked without any problem. 👍

[ortonomy]

@PeterRistCMS - how did you 'clean' your system?

[ortonomy]

@rizwankce @PeterRistCMS @qiuyuzhou @vayn @GuyMcCaldin - I SOLVED IT.

Mac Shadowsocks is working. Seems that my DO Streisand instance requires port 1080 for local SOCKS 5 proxy port. And for some reason, even when I imported the server from the QR generated by Streisand, it had set the local listening port to 1896 or something.

I think...

Although I did delete the files (there were 2) @:
com.qiuyuzhou.shadowsocksX-NG.local.plist" in folder in ~/Library/LaunchAgents

Set the port and it's all working! AWWW YEAH. Thanks for ALL your help trying to sort this out for me. Happy customer now though.

[klaek]

Its a small bug. when you scan a qrcode, sometimes you get the encrytion is Capital, maybe looks like AES-256-CFB, pls manully change it to aes-256-cfb. little trick n works.

[sirkyuubi]

I have a similar problem too. looking at the ss-local.log reveals...

 2017-12-04 22:32:50 INFO: initializing ciphers... chacha20-ietf-poly1305
 2017-12-04 22:32:50 ERROR: bind: Address already in use
 2017-12-04 22:32:50 ERROR: bind() error

It seems that something is already using the port 1086 that I have set for SS.
Let's take a closer look at what's going on here.

sudo lsof -i tcp:1086

COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ss-local 4032 admin    6u  IPv4 0xfxxxxxxxxx05      0t0  TCP localhost:cplscrambler-lg (LISTEN)

ss-local is listening on port 1086... That seems normal so I quit SSX-NG and ran the check again. Now this is odd... ss-local is still running and listening on port 1086. So let's kill the process...

sudo kill 4032

Surprisingly ss-local instantly starts itself back up after it's been killed... Annoying... I'll get back to that later...

If I switch the SSX-NG listening port to 1080 then the service starts working as you can see below. However port 1086 is still being used by ss-local too, but with a different PID. So there are 2 ss-local processes running.

sudo lsof -i tcp:1080

COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Chromium  529 admin   64u  IPv4 0xfxxxxxxxxxxxxxx5      0t0  TCP localhost:50921->localhost:socks (CLOSE_WAIT)
Chromium  529 admin  122u  IPv4 0xfxxxxxxxxxxxxxx5      0t0  TCP localhost:50924->localhost:socks (CLOSE_WAIT)
ss-local 4459 admin    6u  IPv4 0xfxxxxxxxxxxxxxx5      0t0  TCP localhost:socks (LISTEN)

sudo lsof -i tcp:1086

COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ss-local 4032 admin    6u  IPv4 0xfxxxxxxxxx05      0t0  TCP localhost:cplscrambler-lg (LISTEN)

To close on this... I haven't yet dug deep enough to figure out why ss-local restarts on it's own after being killed. The ERROR: bind: Address already in use seems to be caused by 2 ss-local processes running. How a second process came to start is still a mystery, but after switching socks to port 1080 the service has come back even though that shouldn't have been necessary .

I'll keep digging.