ShadowSocks, RedSocks2 and ChinaDNS on OpenWrt

Shadowsocks, RedSocks2 and ChinaDNS on OpenWrt

In this post, I will set up Shadowsocks, RedSocks2 and ChinaDNS on OpenWrt, install PandoraBox on Xiaomi MiWiFi Mini.


A secure socks5 proxy, designed to protect your Internet traffic. Server side setup reference ShadowSocks Setup Guide.

Official Website


OpenWrt is described as a Linux distribution for embedded devices.

Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and allows you to customize the device through the use of packages to suit any application. For developer, OpenWrt is the framework to build an application without having to build a complete firmware around it; for users this means the ability for full customization, to use the device in ways never envisioned.

Official Website


The buildsystem for the OpenWrt Linux distribution. Powered by LuCI, the initial reason for this project was the absence of a free, clean, extensible and easily maintainable web user interface for embedded devices. While most similar configuration interfaces make heavy use of the Shell-scripting language LuCI uses the Lua programming language and splits up the interface into logical parts like models and views, uses object-oriented libraries and templating. That ensures a higher performance, smaller installation size, faster runtimes and what is even more important: better maintainability.

Official Website


Transparent redirector of any TCP connection to proxy (Customized for Anti-GFW), a modified version of original redsocks. The name is changed to REDSOCKS2 to distinguish with original redsocks. This variant is useful for anti-GFW (Great Fire Wall). REDSOCKS2 contains several new features besides many bug fixes to original redsocks.

Project on GitHub


ChinaDNS automatically queries local DNS servers to resolve Chinese domains and queries foreign DNS servers to resolve foreign domains. It is smart enough to work only with a Chinese IP range file, which doesn't change often.

Project on GitHub

Hardware information and software version in this post

Xiaomi MiWiFi Router

Board   :  Xiaomi mini Board
CPU     :  MTK MT7620A (1 Core 580MHz)

Router Setting

Plug in power and Ethernet cable to one of the Ethernet ports.

Direct browser to or

The first screen will appear. Press blue button (开始) to get to next screen.

The next screen sets up the wifi network name and password. Note that the wifi password is also used later for access to the browser page (

Once you have set this up, plug in WAN cable for access to internet. Internet access also enables the Chrome translation and you can confirm that the router works properly before proceeding.

The next few steps involve first loading the development version of the firmware, then loading a firmware version which provides SSH access with the last step being loading the OpenWrt firmware onto the router.

Apparently loading the development version ofthe firmware voids warranty, so beware. Development version can be obtained from Point to the mini router to get the correct firmware/software. At the same time you can also download the PC Client (although I don't recommend this) and also one of either iOS or Android app. You will NEED one of these to complete the steps. The development ROM that I downloaded was named miwifi_r1cm_firmware_4156a_2.5.22.bin. Apparently the development ROM that is used is important because some of the ROMs may not allow the next step of flashing the SSH firmware. The older ROMs can be found here Try to use the development ROM that has been proven to allow the next step of the process.

Shadowsocks, RedSocks2 and ChinaDNS on OpenWrt

The above downloads the Chinese versions of PC Client and iOS/Android apps. To get the translated software follow these links. The iOS/Android are necessary because they are used to link the hardware to the miwifi account that you are about to set up. Without the link, the SSH version of the ROM (and SSH password) will not be available.

Create and activate a new account at Xiaomi When you have setup the account and logged in, remember the User ID. You will note that there is no device associated with the account. The association has to be done via theiOS/Android app. Unfortunately there does not seem to be a way to do that via the PC Client, which is why I do not recommend installing this.

Using your iOS or Android device, open the app. Login using the ID and password in the step above. The account then recognises the Xiaomi mini router device. This is required for the SSH firmware.

To get the SSH firmware proceed to Halfway down the page there is a SSH button.

Shadowsocks, RedSocks2 and ChinaDNS on OpenWrt

Click on the button and sign into the Xiaomi account when requested. After signing in you will be presented with a page to download the SSH firmware. Also note the SSH password for root user in the middle of the page. The SSH firmware will have the name miwifi_ssh.bin

Shadowsocks, RedSocks2 and ChinaDNS on OpenWrt

Now that you have all the firmware, it is just a matter of flashing in the correct sequence. First off, get an empty USB drive and format to FAT or FAT32.

Copy the development firmware into the USB drive.

The development firmware and SSH firmware flash both follows the same procedure

  • Pull the power from router, at the router
  • Plug USB drive into router.
  • Press reset button (in the hole to the left ofthe USB drive)
  • While holding down the reset button, plug in the power. The orange light in front of the router will remain steady for a short while before it starts flashing
  • Once the orange light starts flashing, releasethe reset button and sit back until the light in front of the router turns blue. Also if there are indicator lights on your USB drive, they will flash as the drive is being read. If the orange light does not flash, try with another USB drive and confirm that the drive is formatted to FAT or FAT32.

The router can be re-set up between each flash just to confirm that it is working, but I generally just flash the firmwares one after the other.

The SSH firmware do not have to be renamed for the flash. Just keep the name as miwifi_ssh.bin.

Once the SSH firmware has been successfully flashed, confirm SSH via port 22, username root and password as noted from download download the SSH firmware page.

The OpenWRT firmware will need to be downloaded from I used the latest version PandoraBox-ralink-mt7620-xiaomi-mini-squashfs-sysupgrade-r1216-20150721.bin.

Transfer PandoraBox-ralink-mt7620-xiaomi-mini-squashfs-sysupgrade-r1216-20150721.bin to the /tmp directory in the root of the router drive using, Port 22

$ scp PandoraBox-ralink-* [email protected]:/tmp

Connect to the router using, Port 22, via SSH or putty (Microsoft Windows).

Change to the /tmp directory and confirming that the PandoraBox-ralink-mt7620-xiaomi-mini-squashfs-sysupgrade-r1216-20150721.bin file is listed.

# ls -l /tmp

Finally flash the OpenWRT firmware.

# mtd -r write /tmp/PandoraBox-ralink-* OS1


# mtd -r write /tmp/PandoraBox-ralink-* firmware

The router will reboot once it has been successfully flashed.

Re-connect Wifi AP named PandoraBox_* and access the OpenWRT router via on your browser. Default account username will be root and password admin.

BusyBox v1.22.1 (2015-07-09 13:52:12 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

 |    ____                 _                 ____               |
 |   |  _ \ __ _ _ __   __| | ___  _ __ __ _| __ )  _____  __   |
 |   | |_) / _` | '_ \ / _` |/ _ \| '__/ _` |  _ \ / _ \ \/ /   |
 |   |  __/ (_| | | | | (_| | (_) | | | (_| | |_) | (_) >  <    |
 |   |_|   \__,_|_| |_|\__,_|\___/|_|  \__,_|____/ \___/_/\_\   |
 |                                                              |
 |                  PandoraBox SDK Platform                     |
 |                  The Core of SmartRouter                     |
 |       Copyright 2013-2015 D-Team Technology Co.,Ltd.SZ       |
 |                        |
  Base on OpenWrt BARRIER BREAKER (14.09, r1216)
[[email protected]_57B7:/root]#

Setup opkg Source

Backup config file

# mv /etc/opkg.conf /etc/opkg.conf.bak

Edit opkg config file

# vim /etc/opkg.conf

Add following source

dest root /
dest ram /tmp
lists_dir ext /etc/opkg-lists
option overlay_root /overlay
# notice
dest usb /mnt/sdb1/opkg

arch all 100
arch ramips_24kec 200
arch ramips 300
arch mips 400
arch unkown 500

src/gz barrier_breaker_base
src/gz barrier_breaker_luci
src/gz barrier_breaker_management
src/gz barrier_breaker_oldpackages
src/gz barrier_breaker_packages
src/gz barrier_breaker_routing
src/gz barrier_breaker_telephony

src/gz openwrt_dist
src/gz openwrt_dist_luci

Save and update source list and install curl, wget, libpolarssl and redsocks2

# opkg update
# opkg install curl wget libpolarssl redsocks2

Download and install following package with curl or download from website


# cd /tmp
# wget
# wget
# wget
# wget
# wget
# opkg install shadowsocks-libev-spec*
# opkg install ChinaDNS*
# opkg install luci-app-chinadns*
# opkg install redsocks2*
# opkg install luci-app-redsocks2*

Setup ShadowSocks Client

Config ShadowSocks client config file /etc/shadowsocks.json like this

    "server"        : "X.X.X.X",
    "server_port"   : 8388,
    "local"         : "",
    "local_port"    : 1080,
    "password"      : "password",
    "timeout"       : 60,
    "method"        : "rc4-md5"

Enable and restart ShadowSocks service

# /etc/init.d/shadowsocks enable
# /etc/init.d/shadowsocks start

Setup UDP Relay: Relay Mode disable, UDP: Forward enable, UDP Local Port 1053, Forwarding Tunnel on Luci → Services → ShadowSocks and click Save & Apply button.

Shadowsocks, RedSocks2 and ChinaDNS on OpenWrt

Setup Redsocks2

Luci → Services → Redsocks2, config params like following and click Save & Apply button.

Enable          : Checked
Local Port      : 12345
Proxy Type      : SOCKS5
Proxy IP        :
Proxy Port      : 1080
Auto Proxy      : Enable
Wait Timeout    : 5

Redsocks2 config file /etc/init.d/redsocks2, if we wanna to only allow 80 and 443 port connection via redsocks2 service, replace -A REDSOCKS2 -p tcp -j REDIRECT --to-ports $local_port with

-A REDSOCKS2 -p tcp --dport 80 -j REDIRECT --to-ports $local_port
-A REDSOCKS2 -p tcp --dport 443 -j REDIRECT --to-ports $local_port

in config file, and restart service

# /etc/init.d/redsocks2 restart

Shadowsocks, RedSocks2 and ChinaDNS on OpenWrt

Setup ChinaDNS

Luci → Services → ChinaDNS, config params like following

Enable                      : Checked
Enable Bidirectional Filter : Checked
Local Port                  : 5353
CHNRoute File               : /etc/chinadns_chnroute.txt
Upstream Servers            :,

Click Save & Apply button, if service not running, using chinadns command and check config file /etc/init.d/chinadns.

/etc/init.d/chinadns enable
/etc/init.d/chinadns start

Shadowsocks, RedSocks2 and ChinaDNS on OpenWrt

Setup DHCP and DNS

Luci → Network → DHCP and DNS, config params like following and click Save & Apply button.

General settings
DNS forwardings :

Resolv and Hosts Files
Ignore resolve file : Checked

Shadowsocks, RedSocks2 and ChinaDNS on OpenWrt

Shadowsocks, RedSocks2 and ChinaDNS on OpenWrt

ShadowSocks, RedSocks2 and ChinaDNS on OpenWrt
64 votes, 4.79 avg. rating (95% score)