Remotely access local network via QX and SS

Network Tricks

Intro

For people who live within the GFW, accessing their own local networks, such as a home, company or school network, is usually annoying, because we normally want to access global services and local services at the same time. The tools that provide local network access, most famously VPN, WireGuard, NAT traversal and port forwarding, take over all your network traffic when you use them, which means you have to keep switching them on and off to reach both local and global services, not to mention that they’re usually complex to set up.

But by using QX and SS you get the following advantages:

  • A seamless network experience when you access local and global services, which means you don’t have to turn the switch on and off
  • Encrypted data transfer when using public Wi-Fi
  • Easy to set up and easy to use
  • A smooth Apple-platform experience, thanks to QX’s iCloud sync support
  • Multiple service protocols are supported, so you don’t have to set up port forwarding separately for each service, like FTP, SMB, Web, etc.
  • Bonus one: IPv4-to-IPv6 and IPv6-to-IPv4 tunnels are supported, but they require extra settings


Brief Intro to QX and SS

The “SS Proxy Protocol” is very well known among users who use it to bypass the GFW’s censorship, which is what it was originally designed for; basically everyone knows it. QX, formally Quantumult X, is a proxy client exclusively for Apple devices, providing a cross-platform experience based on an iCloud-synced configuration file. Both of them have alternatives, like v2ray or SSR for SS, and Surge, Loon or Shadowrocket for QX. Choose the one you like; I will use SS and QX as the example in this article.

 

Censorship & Safety Concerns in Mainland China

Because of SS’s popularity, Big Brother has already targeted it. Moreover, the GFW already has the capability to identify the SS protocol and therefore to block it. But, based on realistic considerations and reasonable assumptions about the technology, the censorship is reputedly deployed only at the gateways for global network traffic in some major cities, like Shanghai and Shenzhen, which means it should be fine to deploy SS domestically, especially at your home.

Moreover, according to P.R.C. law, it should be totally legal to use SS for local network access, as you are intentionally setting it up to access a local network instead of the global network. But you know what I mean. The security concerns still remain in this land. But remember, once you have read this, it should be concerning enough.

After all, according to my assessment and real experience, it wouldn’t be a problem. I’ve been using it for at least half a year. But, if you still have concerns, please use other up-to-date and relatively less common proxy protocols, like Reality or hysteria. Because, if the GFW cannot catch you outside, it cannot possibly identify your network access behavior domestically, unless you’re doing really, really dangerous things.

So, without further ado, let’s head to the main section.

 

 

First: deploy SS Server

While I would like to help you set up the SS server step by step, there are already a huge number of tutorials on the internet for every operating system, and I don’t think I can do better than them. The deployment scripts are extremely simple to use: usually you just copy one command into your terminal and it installs automatically.

Linux: https://teddysun.com/486.html
macOS: Please use the built-in SS Server in Quantumult X, located in “Setting – Misc Settings – VPN – SS Server”
Windows: https://www.librehat.com/three-minutes-to-set-up-shadowsocks-server-on-windows/

So, in this part, I will only point out some important requirements.

  • Public IP Address Required: IPv4 or IPv6
    • Unfortunately, in mainland China, unless you are a China Telecom user, the other ISPs, like China Mobile and China Unicom, usually won’t provide a public IP address for you. Moreover, because of the global IPv4 address shortage, even China Telecom is unwilling to provide IPv4 addresses to customers in some areas.
    • But does that mean that if you don’t have a public IPv4 address, you cannot follow this article? Not exactly. As I said before, it requires a public IP address, no matter whether it’s IPv4 or IPv6. So you can use IPv6 instead. And this is good news, because the Ministry of Industry and Information Technology of the P.R.C. is promoting IPv6, requiring ISPs to support IPv6 for home broadband users. So, if you find out that your network doesn’t have a public IPv4 address and doesn’t support IPv6, just call the ISP’s service number, and they will fix it for you. That said, considering the status quo, using IPv4 is still the best option.
    • One thing to be very careful about during the setup of SS if you use IPv6: turn on IPv6 listening. Some scripts may not turn this on for you.
  • Port Forwarding / Firewall
    • After resolving the public IP address problem, make sure the server’s port is reachable from the public internet
      • If you deploy it on an OpenWRT device that is your gateway, port forwarding is unnecessary. The SS server software is built into OpenWRT firmware in most cases, which means you don’t have to install it; you only need to turn it on.
      • If you deploy it elsewhere, like on Linux or an Apple TV
        • Using IPv4: go into the router’s settings to turn on port forwarding.
        • Using IPv6: this usually isn’t needed. But if you cannot connect after deploying, check both the gateway router and the server itself, especially if you’re using Windows as your SS server.

Bonus one: If you have a Mac or an Apple TV at home, then I would highly recommend that you “deploy” SS on it, as it’s the simplest way to do so. Just download QX from the App Store, go into “Settings – Misc Settings – VPN – SS Server” and turn it on. No extra complex settings are needed at all.

 

DDNS

Assuming you have already acquired a public IPv4/IPv6 address, the next thing you should do is set up a DDNS service, because even if you have a public IP address, it usually isn’t a permanent one, which means it will change automatically and irregularly, unless you pay a lot of money to your ISP. By setting up a DDNS service, you reach the current IP address indirectly through a hostname. If you’re interested in more details, you can find more on YouTube. DDNS is necessary for home broadband, but if you’re a commercial broadband user, you will usually have a static IP address, in which case use the IP address directly.

DDNS is not always free to use. Some services are free, and some are not. I would highly recommend that you use the free ones; it’s unnecessary to pay for it. But, unfortunately, the choice is limited by current law in mainland China, because most domestic DDNS services now require users to provide Chinese citizen identification. Instead, you can use global DDNS services. Although most of them aren’t blocked by the GFW, some are getting blocked. So, pick the right one and make sure you have several as backups.

Here are my personal recommendations for DDNS service providers, according to these principles: free to use, free of identification and accessible in mainland China:

  • QNAP DDNS (QNAP NAS required, but the simplest one)
  • Dynv6

The deployment process shouldn’t be tough; just follow the instructions that the DDNS service provider gives you.

 

 

QX’s Configuration

Step 1: Add the Server (SS)

Import your SS proxy server in the Settings.

After importing the server, if you’re using an IPv6 address on your proxy server, make sure that you have an IPv6 address on your client device before you test it.

 

Step 2: Add Policy

QX provides several policy methods, allowing users to select different proxy servers

Option 1 (Basic)
Manually switch between “direct” and “proxy”

Add the following

static="YOUR POLICY NAME", direct, "YOUR SS PROXY SERVER's NAME", img-url=homekit.system

Or if you have multiple servers

static="YOUR POLICY NAME", direct, "YOUR SS PROXY SERVER01's NAME", "YOUR SS PROXY SERVER02's NAME", "YOUR SS PROXY SERVER03's NAME", img-url=homekit.system

Explanation

  • static
    • Indicates the policy type in QX
  • direct
    • Direct access
  • “YOUR SS PROXY SERVER’s NAME”
    • Proxy servers, as many as you want. You can also add a policy here, so that when you choose it, it uses the same server as that policy.
  • img-url=homekit.system
    • The icon shown in QX. You can change it later in QX by right-clicking the policy and selecting the icon to modify it.

 

 

Option 2 (Advanced)
Manually switch between “direct” and “proxy”, and automatically select an available SS proxy server from multiple SS servers (if you have several as backups)

 

Add the following

static="YOUR POLICY NAME 01", direct, "YOUR SECOND POLICY NAME SUCH AS 'available proxy' ", img-url=homekit.system
available="AVAILABLE PROXY", "YOUR SS PROXY SERVER01's NAME", "YOUR SS PROXY SERVER02's NAME", "YOUR SS PROXY SERVER03's NAME", img-url=homekit.system

Explanation

  • The “static” policy named “YOUR POLICY NAME 01” allows you to select manually between “proxy your network traffic via your home SS server” and “direct access”.
  • The “available” policy named “AVAILABLE PROXY” automatically switches to the next available proxy server, in order, if one of them is down. “AVAILABLE PROXY” shouldn’t appear in the filter section below unless you have special needs.

More Options (More advanced)
You can modify it based on your own needs, using the examples above as a reference.

 

Notice: Please replace the part in the double quotation marks, including the double quotation marks – “” themselves.

 

 

Step 3: Modify Filter

If your local network ranges from “192.168.2.0” to “192.168.2.255”, then add this. If it does not, modify that part to suit your network. And replace the part in the double quotation marks, including the double quotation marks – “” themselves.

ip-cidr, 192.168.2.0/24, "YOUR POLICY NAME 01"

Explanation

  • The first part: “ip-cidr”
    • Indicates what type of address the rule matches: an IPv4 address, an IPv6 address or a URL. “ip-cidr” is used for IPv4 addresses.
  • The second part: “192.168.2.0/24”
    • The part before the slash is an IPv4 address, while the part after the slash identifies the subnet mask. If you don’t know what a subnet mask is, here is the quick introduction: it’s used for defining the range of a local network. You can use an online subnet mask calculator to help you decide which subnet mask you should use. Check out this: https://www.calculator.net/ip-subnet-calculator.html
    • If you want to proxy a specific IP address, like 192.168.2.233, then you should write it like this: “192.168.2.233/32”, instead of “192.168.2.233/24”.
    • You have probably noticed that in my screenshot there’s a rule “ip-cidr, 192.168.0.0/16, direct”, which covers a larger local network range than “192.168.2.0/24”. But in QX, the “192.168.2.0/24” rule takes priority over the “192.168.0.0/16” rule. So, it’s okay. But if you run into a problem, maybe you can modify this part to fix it.
  • The third part: “YOUR POLICY NAME 01”
    • In this part, you should use the policy name that you defined before. And whatever advanced policy you configure, the policy should be able to select between proxy and direct; otherwise you would only be able to proxy your network traffic all the time.
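
An added example, not part of the original post and not Quantumult X code: a small Python check for the ip-cidr lines explained above. It flags the “192.168.2.233/24” kind of mistake and lists overlapping ranges that point at different policies; it does not model QX’s own rule precedence. The policy name Home and the sample lines are constructed.

```python
import ipaddress

# Constructed sample filter lines: the page's two overlapping rules plus the
# single-host mistake it warns about. "Home" is a placeholder policy name.
SAMPLE_FILTER = """\
ip-cidr, 192.168.2.0/24, Home
ip-cidr, 192.168.0.0/16, direct
ip-cidr, 192.168.2.233/24, Home
"""

def parse_rules(text):
    """Return (rules, problems) for the ip-cidr lines in a filter section."""
    rules, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = [p.strip().strip('"') for p in line.split(",")]
        if len(parts) < 3 or parts[0].lower() != "ip-cidr":
            continue  # only IPv4 ip-cidr rules are checked here
        try:
            iface = ipaddress.IPv4Interface(parts[1])
        except ValueError:
            problems.append((lineno, parts[1], "not a valid IPv4 CIDR"))
            continue
        if iface.ip != iface.network.network_address:
            # Host bits are set: the writer meant one host (/32) or the subnet.
            problems.append((lineno, parts[1],
                             f"use {iface.ip}/32 or {iface.network}"))
            continue
        rules.append((iface.network, parts[2]))
    return rules, problems

def conflicting_overlaps(rules):
    """Pairs (narrower, wider) of overlapping ranges sent to different policies."""
    pairs = []
    for i, (a, pol_a) in enumerate(rules):
        for b, pol_b in rules[i + 1:]:
            if pol_a != pol_b and a.overlaps(b):
                narrow, wide = sorted((a, b), key=lambda n: -n.prefixlen)
                pairs.append((str(narrow), str(wide)))
    return pairs

def rules_matching(rules, dest):
    """Every rule whose range contains dest, so overlaps are visible."""
    addr = ipaddress.IPv4Address(dest)
    return [(str(net), policy) for net, policy in rules if addr in net]

if __name__ == "__main__":
    rules, problems = parse_rules(SAMPLE_FILTER)
    print(problems, conflicting_overlaps(rules), rules_matching(rules, "192.168.2.233"))
```

Run it against a copy of your own filter section; any address reported under more than one rule is one to test from outside the local network with the policy set to proxy and then to direct.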
tshaveanidea
ts, tssblog's owner, a.k.a. Lucas