Installing Shadowsocks bypassing locks on Keenetic


I do not pretend to discover America in this publication, because it is a compilation of various comments and articles, incl. on Habr. Do not judge strictly, I hope for help in the development of this direction. I made this instruction for myself and specially from scratch, so that every beginner could repeat the same steps.


  • Any Keenetic with USB support. Can be installed on internal memory, but not recommended

  • The current version of KeeneticOs (currently 3.7.4)

  • A flash drive of any size (even 256MB is enough, but you won’t find such in 2022)

Section 1 Installing Entware

  1. Format flash drive to ext4. I used MiniTool Partition Wizard Free, you can use any other program

  1. Let’s use instruction on the official Keenetic website

  • Downloading mipsel

  • We insert the formatted USB flash drive into the router

  • We go to the section Management – Applications and select our flash drive

    AT The router settings must first enable the application “SMB Server” to access connected USB drives over the network.

  • In the router settings, go to the Manage – OPKG section, select our USB flash drive and delete the script, if any, and click the Save button

  • After about a minute, we go back to Management – Applications and select our flash drive. We see that we have installed entware by the presence of a certain number of folders.

  • Downloading Putty (currently putty-64bit-0.76-installer.msi is relevant) and run it. Simple settings (if they can be saved with the Save button)

With possible warnings, we agree (Accept button)

  • We enter the login “root” (without quotes), press Enter, the password is “keenetic” (also without quotes) (the cursor does not move when entering the password – this is normal), also Enter. Should display:

enter the command


and enter the password twice. The cursor does not move when entering a password.

PS here and below – to copy a command to the command line, you must copy the text on this site and paste it into the command line using the right mouse button

opkg update

Section 2: Installing Shadowsocks and Required Packages

This section is based on this guide.

  1. We install the necessary components using the router settings: General settings> Change the set of components

  • IPv6 protocol

  • Then, after updating and rebooting the router, “Netfilter subsystem kernel modules” and, just in case, “Xtables-addons extension package for Netfilter” reboot the router again

  1. Let’s start setting up our Entware

  • To do this, connect to Putty (see the previous section)

  • Enter the login and password (if the login and password did not change, then root-keenetic)

  • We enter the command

opkg install mc bind-dig cron dnsmasq-full ipset iptables shadowsocks-libev-ss-redir shadowsocks-libev-config
  1. Initialize ipset, create multiple unblock IP addresses (

  • Check that your router system has support for the hash:net set (as it turned out, not all Keenetic routers have it):

ipset create test hash:net
  • If the command did not give any errors and messages, then there is support, and just follow the instructions further. Otherwise (there is an error) in the following script you need to replace hash:net on the hash:ip. In doing so, you will lose the ability to unlock by range and CIDR.
    Most likely you won’t get any errors.

  • Create an empty address set named unblock when the router boots up. To do this, create the /opt/etc/ndm/fs.d/ file:

mcedit /opt/etc/ndm/fs.d/

Paste content using keyboard shortcuts Shift+Insert. Later in this tutorial, we will also use this keyboard shortcuts.

[ "$1" != "start" ] && exit 0
ipset create unblock hash:net -exist
exit 0

After that click saveF2 key), we agree (Enter) and exit (F10 key). These combinations will also be used later.

chmod +x /opt/etc/ndm/fs.d/
  1. Setting up Shadowsocks by example Highload VPN. Is not an advertisement. While everything is free there, they promise free access with a few restrictions, and soon there will be information about paid access, but, they say, not too expensive. You can use any other service, or set up Shadowsocks on your own server, for example, by this instructions. Only now I don’t know how to pay for my server abroad)))). This paragraph is based on this instruction.

  • After registration, log in to the site and go to Control Panel

  • I have a key automatically generated. Click on the “Show” button

  • We will also use the blue and green parts, but later. So far, we are interested in the part highlighted in red (from the beginning to the “dog”). Copy it to the clipboard. It is base64 encoded, so we need to decode it. We can use this website

  • Paste our link into the top field and press the Decode button. The decoded string will appear. We will be interested in the password that is after the colon

mcedit /opt/etc/shadowsocks.json
  • Editing our file. We change the server line (in my case to the ip address (or domain name) from the key that we received on the site (see the second picture above). This is the “blue” part of our key. We copy the “green” part of our key to server_port (in my case 666). In the password field, we copy the password from the decoded string (previous picture, text highlighted in red, but after the colon). change local_port to any free port. You can leave this

    "local_address": "::",
    "local_port": 1082,
    "timeout": 300,
    "fast_open": false,
    "ipv6_first": true

Save and exit (remember F2, F10)

mcedit /opt/etc/init.d/S22shadowsocks

Save and exit

  1. List of domains (and not only) to bypass blocking (unblock.txt)

mcedit /opt/etc/unblock.txt

Each line can contain a domain name, IP address, range, or CIDR. You can use the # symbol to comment lines.

###Каталоги медиаконтента для программ


###Пример разблокировки по IP (убрать # в начале строки)
###Пример разблокировки по CIDR (убрать # в начале строки)
###Пример разблокировки по диапазону (убрать # в начале строки)

With the help of this file on twitter, facebook and instagram, it now calmly enters through my router. 2ip site will be used to check ip

Save and exit

  1. Script to populate the unblock set with IP addresses from a given list of domains ( and an additional dnsmasq configuration file from a given list of domains (

mcedit /opt/bin/
until ADDRS=$(dig +short @localhost) && [ -n "$ADDRS" ] > /dev/null 2>&1; do sleep 5; done
while read line || [ -n "$line" ]; do
  [ -z "$line" ] && continue
  [ "${line:0:1}" = "#" ] && continue
  cidr=$(echo $line | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}')
  if [ ! -z "$cidr" ]; then
    ipset -exist add unblock $cidr
  range=$(echo $line | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}-[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
  if [ ! -z "$range" ]; then
    ipset -exist add unblock $range
  addr=$(echo $line | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
  if [ ! -z "$addr" ]; then
    ipset -exist add unblock $addr
  dig +short $line @localhost | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{system("ipset -exist add unblock "$1)}'
done < /opt/etc/unblock.txt
chmod +x /opt/bin/
mcedit /opt/bin/
cat /dev/null > /opt/etc/unblock.dnsmasq
while read line || [ -n "$line" ]; do
  [ -z "$line" ] && continue
  [ "${line:0:1}" = "#" ] && continue
  echo $line | grep -Eq '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' && continue
  echo "ipset=/$line/unblock" >> /opt/etc/unblock.dnsmasq
done < /opt/etc/unblock.txt
chmod +x /opt/bin/
cat /opt/etc/unblock.dnsmasq

The picture will look something like this

  1. Script for manual forced system update after editing the list of domains (

mcedit /opt/bin/
ipset flush unblock
/opt/etc/init.d/S56dnsmasq restart
/opt/bin/ &
chmod +x /opt/bin/
  1. Script to automatically fill the unblock set when the router boots (S99unblock)

mcedit /opt/etc/init.d/S99unblock
[ "$1" != "start" ] && exit 0
/opt/bin/ &
chmod +x /opt/etc/init.d/S99unblock
  1. Forwarding packets with destinations from unblock to Shadowsocks

mcedit /opt/etc/ndm/netfilter.d/
[ "$type" == "ip6tables" ] && exit 0
if [ -z "$(iptables-save 2>/dev/null | grep unblock)" ]; then
    ipset create unblock hash:net family inet -exist
    iptables -I PREROUTING -w -t nat -i br0 -p tcp -m set --match-set unblock dst -j REDIRECT --to-port 1082
    iptables -I PREROUTING -w -t nat -i br0 -p udp -m set --match-set unblock dst -j REDIRECT --to-port 1082
if [ -z "$(iptables-save 2>/dev/null | grep "udp \-\-dport 53 \-j DNAT")" ]; then
    iptables -w -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to
if [ -z "$(iptables-save 2>/dev/null | grep "tcp \-\-dport 53 \-j DNAT")" ]; then
    iptables -w -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to
exit 0
chmod +x /opt/etc/ndm/netfilter.d/
  1. Setting up dnsmasq and connecting an additional configuration file to dnsmasq

cat /dev/null > /opt/etc/dnsmasq.conf
mcedit /opt/etc/dnsmasq.conf
  1. Adding a cron task to periodically update the contents of the unblock set

mcedit /opt/etc/crontab
00 06 * * * root /opt/bin/
  • If desired, the rest of the lines can be commented out by putting a hash mark at the beginning. Then save and close

# ---------- ---------- Default is Empty ---------- ---------- #
#*/1 * * * * root /opt/bin/run-parts /opt/etc/cron.1min
#*/5 * * * * root /opt/bin/run-parts /opt/etc/cron.5mins
#01 * * * * root /opt/bin/run-parts /opt/etc/cron.hourly
#02 4 * * * root /opt/bin/run-parts /opt/etc/cron.daily
#22 4 * * 0 root /opt/bin/run-parts /opt/etc/cron.weekly
#42 4 1 * * root /opt/bin/run-parts /opt/etc/cron.monthly
00 06 * * * root /opt/bin/
  1. Disabling the regular DNS server and rebooting the router

  • Run the command line in Windows (open start and start writing “Command Prompt”)

  • We write (ip router change if different)

  • We enter the login with a password from the router, not entware (most likely admin, and the password is yours personally)

  • We enter 3 commands in turn

opkg dns-override
system configuration save
system reboot
exec sh

and then

su - root

and you can use any Entware commands like the ones we entered in this manual.


I look forward to feedback and improvement instructions.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *