How to tunnel OpenVPN over shadowsocks with ExpressVPN


NOTE - If you are just looking for fast internet connection in China, it is not necessary to do this. 


You can just connect directly to good Asian server with direct peering to Chinese ISPs such as ExpressVPN Hong Kong 1 or Hong Kong 3 servers (see other recommended servers for your ISP on the 2018 VPN in China blog page).


Tunelling OpenVPN over shadowsocks is a great way to improve the speed of servers that are not normally fast in China (or can't be connected to from China).


For example, sometimes the US servers that work for Netflix are not fast enough for reliable streaming, so then I will tunnel those servers over shadowsocks.


For example, here is the speed of the ExpressVPN Los Angeles server during peak hours at night (9:30pm) when the international bandwidth in China is severely congested.




Here is the speed of the same server, just a few minutes later, after I tunneled the connection over my Aliyun Hong Kong shadowsocks server.




Shadowsocks can offer really good speed from China, but it lacks the security, privacy, and anonymity of a VPN connection. 


By combining the speed of shadowsocks with the security, privacy, and anonymity of a real VPN, you get the best of both worlds.


This tutorial was written using ExpressVPN, but should also work with other VPN providers, as long as they allow OpenVPN TCP connections using a third party OpenVPN client. Some VPN providers, such as VyprVPN, do not support TCP connections, and therefore, will not work.


I have done this with many different VPNs and shadowsocks servers and the best combination that I have found is ExpressVPN + Alibaba Cloud (Aliyun) Hong Kong.


If you don't already have a shadowsocks server, check my tutorial on how to set up your own shadowsocks server first.


If you already have a shadowsocks server set up and a VPN service that allows manual OpenVPN TCP connections, let's get started.


This tutorial is written for Windows users, but there are some notes at the bottom of the page for MacOS users.


Step 1 - Download and install a third party OpenVPN client


Although some VPN providers, such as TorGuard, have the function in their dedicated apps to tunnel an OpenVPN connection over a SOCKS5 proxy, most providers don't offer this. To tunnel an ExpressVPN connection over shadowsocks, we will need to use a third party OpenVPN client. Here are some options.


Windows - OpenVPN (free)

Mac - Tunnelbick (free)

Windows and Mac - Viscosity ($9, free trial for 1 month)


For this tutorial, I will be using the free OpenVPN client for Windows. I am using the newest version, which is version 2.4.1 at the time of writing this tutorial.


Step 2 - Download the manual OpenVPN config files


Go to the ExpressVPN website and click My Account to log into your account and then choose the link Set up ExpressVPN. Now choose Manual Config and download the .ovpn files for the server locations that you wish to connect to. For this tutorial, I will use the Los Angeles server. Keep this page open because you will need to copy the username and password later.

Download ExpressVPN OpenVPN ovpn config files from customer area

Step 3 - Modify the .ovpn file(s)


We will need to make some modifications to the .ovpn file.


First, we need to change the protocol to TCP because tunneling OpenVPN over shadowsocks will not work with UDP, even if you have enabled UDP forwarding on your shadowsocks server.


ExpressVPN doesn't officially support OpenVPN manual config files for TCP connections, but they do have TCP enabled on their servers on port 443, so we just need to make a few changes. 


On the line that starts with "remote", change the port number from 1195 to 443.


Add a new line with the text proto tcp-client.


Remove (or comment out with a # symbol) the line that says fragment 1300 (this option is for UDP only). 


If you are using another VPN provider that provides OpenVPN config files for TCP, then you can skip the above steps because the file will already be configured for TCP.


Next, we need to add some lines telling the OpenVPN client to tunnel the connection over our SOCKS5 proxy (shadowsocks server in this case). Add the following line.


socks-proxy 127.0.0.1 1080


If you have followed the instructions correctly, your .ovpn config file should look like this.

expressvpn over shadowsocks socks proxy modified ovpn config file

Update - After writing this tutorial, I got some feedback from someone who had a DNS leak using Windows 10. If you are using Windows 8 or Windows 10, you may need to add one more line to the config file to stop DNS leaks.


Add the following line (not shown in the above photo)


block-outside-dns


This paramter to block outside DNS requires OpenVPN version 2.3.9 or higher. You may need to update your OpenVPN client if you are using an older version. Alternatively, you can use this plugin for older versions.

Step 4 - Save the .ovpn file to the OpenVPN client config folder


If you are using the OpenVPN client for Windows, save the .ovpn file(s) to the config folder located in the OpenVPN installation directory. In my case, the folder is located here.


C:\Program Files\OpenVPN\config


I have also renamed the file so I can easily identify the connection. I have named it "ExpressVPN LA TCP over SS modified config.ovpn" so I don't confuse it with a normal OpenVPN connection. Whatever you name this file is what will be shown in the OpenVPN client.


If you are using Viscosity, then you can save the file anywhere and then right-click the saved .ovpn file and open it with Viscosity to import the connection profile.


Step 5 - Open the Shadowsocks client and choose a server


Open the Shadowsocks client and choose your desired server, but do not enable the system proxy. The shadowsocks proxy is always running when the client is open, even when the system proxy is disabled. We want to leave the system proxy disabled because we are using the VPN connection.


For example, I am using the ShadowsocksR client for Windows, and I have disabled the system proxy by choosing Mode --> Disable system proxy.

shadowsocksr client running system proxy disabled

Step 6 - Connect


The specific steps will depend on your OpenVPN client. For the OpenVPN Windows client, launch the OpenVPN GUI program, then right-click the icon in the taskbar, find the server name (name of the saved .ovpn file), and then choose connect.

OpenVPN client connection method

Note - If you only have one .ovpn file in your config folder, then just right-click the icon and choose connect, you won't see the name of the .ovpn file.


The first time you connect, you will be prompted to enter your username and password, which you can copy from the ExpressVPN setup page shown in step 2 (or the credentials area of your VPN provider)


If you want to share this very fast VPN over shadowsocks connection with other devices besides your computer, you can set up a virtual VPN router. That is what I am doing for Netflix on my Roku in China and the streaming speed is VERY FAST.


The below image shows my actual streaming speed on Netflix though the graph in my firewall software. On the left is the bandwidth graph before tunneling the ExpressVPN US server over my Aliyun HK shadowsocks server, and on the right is after.

China VPN streaming speed openvpn over shadowsocks

Troubleshooting


If you get any connection errors, you can find the connection log in the folder located here (for the Windows OpenVPN client).


%USERPROFILE%/openvpn/log


If you are having trouble connecting, it might be a good idea to try the standard .ovpn config file first without making any changes in order to verify that you can successfully connect using the standard OpenVPN configuration from your provider. If you can't connect with the standard config, contact your VPN provider for assistance.

Instructions for MacOS?


It took a long time to figure out, but someone finally found the solution to do this on Mac and sent me an email. 


Here are all of the differences for Mac compared to Windows.


1. Enable the option "turn shadowsocks on" and set the mode to "manual mode".

Mac shadowsocks config for OpenVPN over SS

2. In the OpenVPN config file, the added line is "socks-proxy 127.0.0.1 1086" because the local proxy runs on port 1086 for Mac.


3. An additional line is required as shown below (big thanks to website visitor Michael for finding the solution)


route x.x.x.x 255.255.255.255 net_gateway


Replace x.x.x.x with the IP address of your shadowsocks server. 


Your config file should look something like this.

VPN over shadowsocks openvpn config file