How to tunnel OpenVPN over Shadowsocks with ExpressVPN

How to tunnel ExpressVPN (and other VPNs) over a Shadowsocks proxy (OpenVPN over SOCKS5). Instructions for Windows and Mac.

Import Update - June 2019

ExpressVPN is ending support for OpenVPN TCP manual configurations on June 30, 2019.

ExpressVPN Email - OpenVPN TCP support will end on June 30, 2019

As it's not possible to tunnel UDP over Shadowsocks, that means it will no longer be possible to tunnel ExpressVPN over Shadowsocks after June 30, 2019.

If you need to tunnel OpenVPN over Shadowsocks after June 30, then I recommend using one of these VPNs. They both fully support manual OpenVPN TCP connections.


Special Deal: Get 2 Years for $47


Special Deal: Get 3 Years for $107

I will leave this guide as-is for now and update it when I have some time closer to the end of June.

Please note that you can download the TCP configurations files directly with Surfshark and NordVPN, there is no need to modify a UDP file. You do not need to change the port number, add the proto-tcp line, or remove the fragment directive.

You will only need to make the following changes to the OpenVPN TCP file.

  • Add the line socks-proxy 1080 (or change the port to 1086 if using Mac)
  • Add the line block-outside-dns (if using Windows 10)

All of the other steps are exactly the same.

How to tunnel OpenVPN over Shadowsocks with ExpressVPN

How to tunnel ExpressVPN (and other VPNs) over a Shadowsocks proxy (OpenVPN over SOCKS5). Instructions for Windows and Mac.

NOTE - If you are just looking for fast internet connection in China, it is not necessary to do this.

Rather, you can carefully choose a one of the best VPNs to use in China. But that is not enough. You also need to choose the right server to connect to for high performance in China. Check the 2019 VPN in China blog page to see which servers can offer high performance in China.

Tunelling OpenVPN over shadowsocks is a great way to improve the speed of servers that are not normally fast in China, or can't be connected to from China at all.

For example, sometimes the USA servers that work for streaming Netflix in China are not fast enough for reliable streaming during peak bandwidth hours at night. This is a good example of when it's useful to tunnel OpenVPN over Shadowsocks.

Here is the speed of the ExpressVPN Los Angeles server during peak hours at night (9:30pm) when the international bandwidth in China is severely congested.

Here is the speed of the same server, just a few minutes later, after I tunneled the connection over my Aliyun Hong Kong Shadowsocks server.

In addition to providing better speed on servers that do not normally perform well in China, there is another use case for OpenVPN over Shadowsocks.

Shadowsocks, by itself, can offer really good speeds. But it lacks the security, privacy, and anonymity of a real VPN. 

By combining the speed of Shadowsocks with an actual VPN, you get the best of both worlds.

This tutorial was written using ExpressVPN, but should also work with other VPN providers, as long as they allow OpenVPN TCP connections using a third party OpenVPN client. Some VPN providers, such as VyprVPN, do not support TCP connections, and therefore, will not work.

I have done this with many different VPNs and shadowsocks servers and the best combination that I have found is ExpressVPN + Alibaba Cloud (Aliyun) Hong Kong.

A cheaper alternative if you don't already have an ExpressVPN subscription is NordVPN.

If you don't already have a Shadowsocks server, check my tutorial on how to set up your own shadowsocks server first. Alternatively, if you prefer to use a paid Shadowsocks service, I recommend WannaFlix (30% discount using this link).

Tip - Use the Hong Kong WannaFlix server for the best performance when tunneling an OpenVPN connection.

If you already have a Shadowsocks server set up and a VPN service that allows manual OpenVPN TCP connections, let's get started.

This tutorial is written for Windows users, but there are some notes at the bottom of the page for MacOS users.

Step 1 - Download and install a third party OpenVPN client

Although some VPN providers, such as TorGuard, have the function in their dedicated apps to tunnel an OpenVPN connection over a SOCKS5 proxy, most providers don't offer this. To tunnel an ExpressVPN connection over shadowsocks, we will need to use a third party OpenVPN client. Here are some options.

Windows - OpenVPN (free)

Mac - Tunnelbick (free)

Windows and Mac - Viscosity ($9, free trial for 1 month)

For this tutorial, I will be using the free OpenVPN client for Windows. I am using the newest version, which is version 2.4.1 at the time of writing this tutorial.

Step 2 - Download the manual OpenVPN config files

Go to the ExpressVPN website and click My Account to log into your account and then choose the link Set up ExpressVPN. Now choose Manual Config and download the .ovpn files for the server locations that you wish to connect to. For this tutorial, I will use the Los Angeles server. Keep this page open because you will need to copy the username and password later.

Download ExpressVPN OpenVPN ovpn config files from customer area

Step 3 - Modify the .ovpn file(s)

We will need to make some modifications to the .ovpn file.

First, we need to change the protocol to TCP because tunneling OpenVPN over shadowsocks will not work with UDP, even if you have enabled UDP forwarding on your shadowsocks server.

ExpressVPN doesn't officially support OpenVPN manual config files for TCP connections, but they do have TCP enabled on their servers on port 443, so we just need to make a few changes. 

On the line that starts with "remote", change the port number from 1195 to 443.

Add a new line with the text proto tcp-client.

Remove (or comment out with a # symbol) the line that says fragment 1300 (this option is for UDP only). 

If you are using another VPN provider that provides OpenVPN config files for TCP, then you can skip the above steps because the file will already be configured for TCP.

Next, we need to add some lines telling the OpenVPN client to tunnel the connection over our SOCKS5 proxy (shadowsocks server in this case). Add the following line.

socks-proxy 1080

If you have followed the instructions correctly, your .ovpn config file should look like this.

expressvpn over shadowsocks socks proxy modified ovpn config file

Update - After writing this tutorial, I got some feedback from someone who had a DNS leak using Windows 10. If you are using Windows 8 or Windows 10, you may need to add one more line to the config file to stop DNS leaks.

Add the following line (not shown in the above photo)


This paramter to block outside DNS requires OpenVPN version 2.3.9 or higher. You may need to update your OpenVPN client if you are using an older version. Alternatively, you can use this plugin for older versions.

Step 4 - Save the .ovpn file to the OpenVPN client config folder

If you are using the OpenVPN client for Windows, save the .ovpn file(s) to the config folder located in the OpenVPN installation directory. In my case, the folder is located here.

C:\Program Files\OpenVPN\config

I have also renamed the file so I can easily identify the connection. I have named it "ExpressVPN LA TCP over SS modified config.ovpn" so I don't confuse it with a normal OpenVPN connection. Whatever you name this file is what will be shown in the OpenVPN client.

If you are using Viscosity, then you can save the file anywhere and then right-click the saved .ovpn file and open it with Viscosity to import the connection profile.

Step 5 - Open the Shadowsocks client and choose a server

Open the Shadowsocks client and choose your desired server, but do not enable the system proxy. The shadowsocks proxy is always running when the client is open, even when the system proxy is disabled. We want to leave the system proxy disabled because we are using the VPN connection.

For example, I am using the ShadowsocksR client for Windows, and I have disabled the system proxy by choosing Mode --> Disable system proxy.

shadowsocksr client running system proxy disabled

Step 6 - Connect

The specific steps will depend on your OpenVPN client. For the OpenVPN Windows client, launch the OpenVPN GUI program, then right-click the icon in the taskbar, find the server name (name of the saved .ovpn file), and then choose connect.

OpenVPN client connection method

Note - If you only have one .ovpn file in your config folder, then just right-click the icon and choose connect, you won't see the name of the .ovpn file.

The first time you connect, you will be prompted to enter your username and password, which you can copy from the ExpressVPN setup page shown in step 2 (or the credentials area of your VPN provider)

If you want to share this very fast VPN over shadowsocks connection with other devices besides your computer, you can set up a virtual VPN router. That is what I am doing for Netflix on my Roku in China and the streaming speed is VERY FAST.

The below image shows my actual streaming speed on Netflix though the graph in my firewall software. On the left is the bandwidth graph before tunneling the ExpressVPN US server over my Aliyun HK shadowsocks server, and on the right is after.

China VPN streaming speed openvpn over shadowsocks


If you get any connection errors, you can find the connection log in the folder located here (for the Windows OpenVPN client).


If you are having trouble connecting, it might be a good idea to try the standard .ovpn config file first without making any changes in order to verify that you can successfully connect using the standard OpenVPN configuration from your provider. If you can't connect with the standard config, contact your VPN provider for assistance.

Instructions for MacOS?

It took a long time to figure out, but someone finally found the solution to do this on Mac and sent me an email. 

Here are all of the differences for Mac compared to Windows.

1. Enable the option "turn shadowsocks on" and set the mode to "manual mode".

Mac shadowsocks config for OpenVPN over SS

2. In the OpenVPN config file, the added line is "socks-proxy 1086" because the local proxy runs on port 1086 for Mac.

3. An additional line is required as shown below (big thanks to website visitor Michael for finding the solution)

route x.x.x.x net_gateway

Replace x.x.x.x with the IP address of your shadowsocks server. 

Your config file should look something like this.

VPN over shadowsocks openvpn config file for Mac