Socks proxy Troubleshooting
This document describes SocksProxy troubleshooting steps, focusing on configuration verification and checking the connection status from the CE and PE sides. It applies when users cannot connect to the SocksProxy. Symptoms include a slow connection, failure to access given resources, or complete failure of connectivity. Troubleshooting involves checking the Shadowsocks configuration on both the CE and the PE, checking the status of network connections, and searching the logs for errors.
Troubleshooting Steps
- Cloud
- UCI
- Run-Time
- Testing
- Log
Cloud Configuration Verification
This section details how to check the configurations made in the cloud. The commands below can be used to verify the cloud configuration.
Verify CE Configuration
Log in to the CE and inspect the Shadowsocks configuration file. The location may vary, but a common location is /etc/config/shadowsocks-libev. Run the following command.
sudo cat /etc/config/shadowsocks-libev
Example Response
config server 'vtun56_3_server'
option disabled '0'
option server '103.78.41.23'
option server_port '30021'
option password 'IEUGVQl5a8wiGiBYujkDvtun56_3'
option method 'chacha20'
This command shows the configuration file contents. Carefully check the settings, especially the server address, port, and password.
Verify PE Configuration
Log in to the PE and check the Shadowsocks configuration file. A common path for this is /etc/shadowsocks-libev/vtun56_3.json. The command to display the configuration in a pretty-print format is:
cat /etc/shadowsocks-libev/vtun56_3.json | json_pp
Example Response
{
"password" : "IEUGVQl5a8wiGiBYujkDvtun56_3",
"reuse_port" : true,
"method" : "chacha20",
"local_port" : "40021",
"server_port" : "30021",
"timeout" : 60,
"fast_open" : true,
"server" : "0.0.0.0"
}
json_pp formats the JSON output for better readability. Check also that the port and password are set correctly in the settings.
Check for Configuration Errors
Review both configuration files for syntax errors, typos, or wrong characters. Even a tiny error can keep Shadowsocks from working correctly. For the PE's JSON configuration, validate the file with a JSON validator, either an online or a command-line tool. Because the file contains the password, a local command-line tool keeps it off third-party sites. Invalid JSON will prevent Shadowsocks from starting.
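The review described above can be scripted. The following is an added example, not part of the original procedure: it parses a copy of the CE's UCI file and the PE's JSON file, validates the JSON, and reports which of server_port, method and password differ without printing the password. The sample inputs are constructed and the function names are hypothetical.

```python
import json
import re

# Constructed inputs modelled on the page's example responses; the password
# is a placeholder, not a real credential.
CE_UCI = """\
config server 'vtun56_3_server'
    option disabled '0'
    option server '103.78.41.23'
    option server_port '30021'
    option password 'EXAMPLE-PASSWORD'
    option method 'chacha20'
"""
PE_JSON = """\
{"password": "EXAMPLE-PASSWORD", "method": "chacha20", "timeout": 60,
 "local_port": "40021", "server_port": "30021", "server": "0.0.0.0"}
"""

OPTION_RE = re.compile(r"^\s*option\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci_options(text):
    """Return {option: value} for the options of one UCI section."""
    matches = (OPTION_RE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def compare_ce_pe(ce_text, pe_text):
    """Return a list of findings; an empty list means CE and PE agree."""
    try:
        pe = json.loads(pe_text)
    except json.JSONDecodeError as exc:
        return [f"PE JSON invalid at line {exc.lineno}: {exc.msg}"]
    if not isinstance(pe, dict):
        return ["PE JSON invalid: top level is not an object"]
    ce = parse_uci_options(ce_text)
    findings = []
    if ce.get("disabled") == "1":
        findings.append("disabled: CE server section is switched off")
    for key in ("server_port", "method", "password"):
        if key not in ce or key not in pe:
            findings.append(f"{key}: missing on {'CE' if key not in ce else 'PE'}")
        elif ce[key] != str(pe[key]):
            # Name the key only, so the password never reaches the terminal.
            findings.append(f"{key}: CE and PE values differ")
    return findings


if __name__ == "__main__":
    for finding in compare_ce_pe(CE_UCI, PE_JSON) or ["CE and PE settings agree"]:
        print(finding)
```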
Q:1 What is a common example of a configuration file found in CE?
A common Shadowsocks configuration file on the CE device is: /etc/config/shadowsocks-libev
This file contains key parameters such as the server IP, server port, password, and encryption method. You can view it using: sudo cat /etc/config/shadowsocks-libev
Q:2 How do I verify Shadowsocks configuration on PE (Provider Edge)?
To verify the Shadowsocks configuration on the PE device:
- Log in to the PE.
- Check the JSON configuration file, typically located at /etc/shadowsocks-libev/vtun56_3.json.
- Use the following command to display it in a readable (pretty-print) format: cat /etc/shadowsocks-libev/vtun56_3.json | json_pp
This allows you to confirm important settings such as server_port, local_port, password, and method, as well as JSON syntax validity.
UCI Configuration Verification
This section focuses on verifying the socksproxy configuration stored in the UCI system.
Check Network UCI Configuration
To check network-related UCI configurations for "socks," use the following command:
uci show network | grep socks
Example Response
socks.vtun_50024=ssh
socks.vtun_50024.localport='50024'
socks.vtun_50024.key_file='/etc/dropbear/vtun38_2.key'
socks.vtun_50024.user='edge'
socks.vtun_50024.server='117.186.234.99'
socks.vtun_50024.server_port='25321'
socks.vtun_50024.enabled='1'
Q:1 What output should be displayed after running the command?
When you run uci show network | grep socks, you should see entries related to the SocksProxy configuration. These typically include:
- The socks instance name
- Local port
- Key file path
- Username
- Server IP
- Server port
- Enabled status
For example, lines similar to:
socks.vtun_xxxxx.localport='50024'
socks.vtun_xxxxx.server='117.186.234.99'
socks.vtun_xxxxx.server_port='25321'
socks.vtun_xxxxx.enabled='1'
This confirms that the SocksProxy configuration exists in the UCI system.
Q:2 What to do if the output is empty after running a command?
If the command returns no output, it means one of the following:
- No SocksProxy configuration exists in the UCI system.
- The configuration is stored under a different section name.
- There is a typo in the command (e.g., netwrok instead of network).
Actions to take:
- Re-run the command with the correct spelling: uci show network | grep socks
- Verify that the SocksProxy service was created and enabled on the CE.
- Check if the configuration file exists under /etc/config/ (e.g., shadowsocks-libev or custom socks config).
- If still empty, the SocksProxy may not be configured properly and needs to be re-created.
Q:3 What is the simplest method to verify Socks server IP and port?
The simplest and most direct method is to check the UCI output itself, which displays the server IP and server port fields:
socks.vtun_xxxxx.server='117.186.234.99'
socks.vtun_xxxxx.server_port='25321'
This instantly confirms:
- The Socks server IP
- The Socks server port
- Whether the configuration is enabled
It avoids deeper file inspection and gives a quick validation of the core connection parameters.
Run-Time Configuration Verification
This section details how to check the run-time status and manage the SocksProxy and firewall services.
Check SocksProxy Service Status
To check the current status of the SocksProxy service:
/etc/init.d/socks status
Start SocksProxy Service
To start the SocksProxy service if it's not running:
/etc/init.d/socks start
Stop SocksProxy Service
To stop the SocksProxy service:
/etc/init.d/socks stop
Q:1 What to do if the SocksProxy service is not starting?
- If the SocksProxy service is not starting, first check the logs to see the error.
- Then fix the configuration or port issue and restart the service.
Testing Verification
Check the Connection Status on the CE
Use netstat on the CE to check the connection status. The following command shows whether the CE tried to connect to the PE on the configured port, such as port 30021:
netstat -ntualp | grep 30021
Example Response
tcp 0 0 172.20.10.9:37772 103.78.41.23:30021 ESTABLISHED 19873/ss-local
This command filters the netstat output for lines containing the string "30021". Use it to find ESTABLISHED connections from the CE to the PE. If no line is found, or if the connection is in the SYN_SENT state, the CE cannot establish a connection with the PE.
Check the Connection Status on the PE
Use netstat on the PE to see if there are incoming connections on the Shadowsocks port:
sudo netstat -ntualp | grep 30021
Example Response
tcp 0 0 0.0.0.0:30021 0.0.0.0:* LISTEN 15817/ss-server
tcp 0 0 103.78.41.23:30021 223.189.65.74:52905 ESTABLISHED 15817/ss-server
This command verifies that the PE is listening on the given port and shows whether any connections are established. If the PE is not listening on the port, then something is wrong with Shadowsocks. If ESTABLISHED connections are seen, the CE is successfully connecting to the PE.
Q:1 How to check connection status on PE?
To check the connection status on the PE, run the following command: sudo netstat -ntualp | grep port. For example, if the Shadowsocks server is configured on port 30021, use: sudo netstat -ntualp | grep 30021. This command helps you verify two things:
- PE is listening on the port. You should see a line with LISTEN, such as: tcp 0 0 0.0.0.0:30021 0.0.0.0:* LISTEN ss-server. This confirms that the Shadowsocks service is running properly on the PE.
- Incoming connections from CE. If the CE is successfully connected, you will see an ESTABLISHED entry, for example: tcp 0 0 103.78.41.23:30021 CE-IP:port ESTABLISHED ss-server
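The CE and PE netstat checks above can be read mechanically. This added example (not part of the original procedure; sample rows are constructed and function names are hypothetical) matches the port against the address columns only, so a row whose PID or another port merely contains the digits 30021, which a plain grep would also return, is not counted.

```python
# Constructed netstat output modelled on the page's example responses; the
# last PE row is an unrelated process whose PID happens to be 30021.
CE_NETSTAT = """\
tcp 0 0 172.20.10.9:37772 103.78.41.23:30021 ESTABLISHED 19873/ss-local
"""
PE_NETSTAT = """\
tcp 0 0 0.0.0.0:30021 0.0.0.0:* LISTEN 15817/ss-server
tcp 0 0 103.78.41.23:30021 223.189.65.74:52905 ESTABLISHED 15817/ss-server
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 30021/dropbear
"""


def tcp_rows(netstat_text):
    """Yield (local_port, remote_port, state) for every TCP row."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp"):
            local_port = fields[3].rsplit(":", 1)[-1]
            remote_port = fields[4].rsplit(":", 1)[-1]
            yield local_port, remote_port, fields[5]


def ce_status(netstat_text, port):
    """Classify the CE's outgoing connection to the PE port."""
    states = {s for _, remote, s in tcp_rows(netstat_text) if remote == str(port)}
    if "ESTABLISHED" in states:
        return "established"
    if "SYN_SENT" in states:
        return "syn_sent"  # SYN sent, no reply from the PE yet
    return "no_connection"


def pe_status(netstat_text, port):
    """Classify the PE's listener and incoming connections on the port."""
    states = [s for local, _, s in tcp_rows(netstat_text) if local == str(port)]
    if "LISTEN" not in states:
        return "not_listening"
    return f"listening, {states.count('ESTABLISHED')} established"


if __name__ == "__main__":
    print("CE:", ce_status(CE_NETSTAT, 30021))
    print("PE:", pe_status(PE_NETSTAT, 30021))
```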
Log Verification
Checking logs can help you diagnose specific issues, such as failed authentication attempts or service errors.
Check Shadowsocks Logs
Check the Shadowsocks logs on the CE and PE for errors or warnings. The log location varies depending on the system. For systems that use logread, run the following command:
logread | grep socks
Example Response
Jun 19 11:42:58 hiCLOUDS hiclouds_config.sh[21789]: execute post config command "/etc/init.d/socks start vtun_50024"
Jun 19 11:49:17 hiCLOUDS hiclouds_config.sh[13492]: restarting shadowsocks-libev
Jun 19 11:49:18 hiCLOUDS hiclouds_config.sh[13492]: execute post config command "/etc/init.d/socks stop vtun_50024"
Jun 19 11:49:43 hiCLOUDS procd: Instance shadowsocks-libev::ss_local.vtun38_2_local s in a crash loop 6 crashes, 1 seconds since last crash
Jun 19 11:53:29 hiCLOUDS openvpn(vtun38_2)[24865]: ERROR: recv_socks_reply: empty response from socks server
Jun 19 11:53:29 hiCLOUDS openvpn(vtun38_2)[24865]: SIGUSR1[soft,socks-error] received, process restarting
Jun 19 11:53:36 hiCLOUDS openvpn(vtun38_2)[24865]: ERROR: recv_socks_reply: empty response from socks server
Jun 19 11:53:36 hiCLOUDS openvpn(vtun38_2)[24865]: SIGUSR1[soft,socks-error] received, process restarting
Jun 19 11:53:37 hiCLOUDS openvpn(vtun38_2)[24865]: ERROR: recv_socks_reply: empty response from socks server
Jun 19 11:53:37 hiCLOUDS openvpn(vtun38_2)[24865]: SIGUSR1[soft,socks-error] received, process restarting
Jun 19 11:53:38 hiCLOUDS openvpn(vtun38_2)[24865]: ERROR: recv_socks_reply: empty response from socks server
Jun 19 11:53:38 hiCLOUDS openvpn(vtun38_2)[24865]: SIGUSR1[soft,socks-error] received, process restarting
Jun 19 11:53:39 hiCLOUDS openvpn(vtun38_2)[24865]: ERROR: recv_socks_reply: empty response from socks server
Jun 19 11:53:39 hiCLOUDS openvpn(vtun38_2)[24865]: SIGUSR1[soft,socks-error] received, process restarting
Jun 19 11:53:40 hiCLOUDS openvpn(vtun38_2)[24865]: ERROR: recv_socks_reply: empty response from socks server
Jun 19 11:53:40 hiCLOUDS openvpn(vtun38_2)[24865]: SIGUSR1[soft,socks-error] received, process restarting
Jun 19 11:53:41 hiCLOUDS openvpn(vtun38_2)[24865]: ERROR: recv_socks_reply: empty response from socks server
Jun 19 11:53:41 hiCLOUDS openvpn(vtun38_2)[24865]: SIGUSR1[soft,socks-error] received, process restarting
Jun 19 11:53:43 hiCLOUDS procd: Instance shadowsocks-libev::ss_local.vtun38_2_local s in a crash loop 7 crashes, 0 seconds since last crash
Jun 19 11:54:04 hiCLOUDS hiclouds_config.sh[30254]: restarting shadowsocks-libev
Jun 19 12:00:54 hiCLOUDS hiclouds_config.sh[21699]: execute post config command "/etc/init.d/socks start vtun_50024"
Jun 19 12:02:56 hiCLOUDS hiclouds_config.sh[31899]: restarting shadowsocks-libev
Jun 19 12:02:57 hiCLOUDS hiclouds_config.sh[31899]: execute post config command "/etc/init.d/socks stop vtun_50024"
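This prints the system log entries that mention socks. Check for messages concerning Shadowsocks, particularly error messages regarding failed startups or connection attempts. In the example above, procd reports the ss_local instance in a crash loop, and openvpn repeatedly logs "empty response from socks server" and restarts. Pay attention to the timestamps to associate the log entries with the attempted connections.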
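The log review above, as an added example that is not part of the original procedure: it groups procd crash-loop messages and openvpn recv_socks_reply errors by instance or tunnel and keeps their timestamps, so repeated lines collapse into one entry each. The sample lines are a subset copied from the example response; the function name is hypothetical.

```python
import re

# Lines copied from the page's example response (a subset).
SAMPLE_LOG = """\
Jun 19 11:49:43 hiCLOUDS procd: Instance shadowsocks-libev::ss_local.vtun38_2_local s in a crash loop 6 crashes, 1 seconds since last crash
Jun 19 11:53:29 hiCLOUDS openvpn(vtun38_2)[24865]: ERROR: recv_socks_reply: empty response from socks server
Jun 19 11:53:29 hiCLOUDS openvpn(vtun38_2)[24865]: SIGUSR1[soft,socks-error] received, process restarting
Jun 19 11:53:36 hiCLOUDS openvpn(vtun38_2)[24865]: ERROR: recv_socks_reply: empty response from socks server
Jun 19 11:53:43 hiCLOUDS procd: Instance shadowsocks-libev::ss_local.vtun38_2_local s in a crash loop 7 crashes, 0 seconds since last crash
Jun 19 11:54:04 hiCLOUDS hiclouds_config.sh[30254]: restarting shadowsocks-libev
"""

STAMP = r"^(\w{3} +\d+ [\d:]{8}) \S+ "
CRASH_RE = re.compile(STAMP + r"procd: Instance (\S+) .*crash loop (\d+) crashes")
SOCKS_RE = re.compile(STAMP + r"openvpn\(([^)]+)\)\[\d+\]: ERROR: recv_socks_reply: ")


def summarize(log_text):
    """Group crash-loop and SOCKS-reply errors by instance or tunnel."""
    crash_loops, socks_errors = {}, {}
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            stamp, instance, crashes = m.groups()
            prev = crash_loops.get(instance, {"max_crashes": 0})
            crash_loops[instance] = {
                "max_crashes": max(prev["max_crashes"], int(crashes)),
                "last_seen": stamp,
            }
            continue
        m = SOCKS_RE.match(line)
        if m:
            stamp, tunnel = m.groups()
            entry = socks_errors.setdefault(tunnel, {"count": 0, "first": stamp})
            entry["count"] += 1
            entry["last"] = stamp
    return {"crash_loops": crash_loops, "socks_errors": socks_errors}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for name, info in report["crash_loops"].items():
        print(f"{name}: crash loop, {info['max_crashes']} crashes, last {info['last_seen']}")
    for name, info in report["socks_errors"].items():
        print(f"{name}: {info['count']} socks errors, {info['first']} to {info['last']}")
```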