Unable to connect to server using UDP #195

Open
PS1TD opened this issue Aug 6, 2024 · 4 comments

Comments

PS1TD commented Aug 6, 2024

While setting up my own Outline server, I stumbled upon an issue with connecting to the server via UDP traffic.
When the server boots up I can see that it is listening for connections with both TCP and UDP on the same port.

I2024-08-05T22:58:12.161Z 47 main.go:81] Shadowsocks TCP service listening on 0.0.0.0:40000
I2024-08-05T22:58:12.161Z 47 main.go:87] Shadowsocks UDP service listening on 0.0.0.0:40000

However, if I disallow TCP traffic and only allow UDP, the client won't be able to connect at all.
I am 100% certain this is not a configuration issue on my side, as I have deployed a container to test UDP connectivity and it works (using the exact configuration showcased below).
Maybe I am missing something and Outline is not meant to connect using UDP, or to use UDP at all (which would be a bit misleading then).
In my proxy (Traefik) I can see that the stream gets forwarded, but the connection does not get established:

Handling UDP stream from [REDACTED]:41694 to 10.152.183.183:40000

Below is my full k8s configuration:

Traefik Deployment

kind: Deployment
apiVersion: apps/v1
metadata:
    name: traefik-deployment
    labels:
        app: traefik

spec:
    replicas: 2
    selector:
        matchLabels:
            app: traefik
    template:
        metadata:
            labels:
                app: traefik
        spec:
            serviceAccountName: traefik
            containers:
                - name: traefik
                  image: traefik:v3.1
                  args:
                      - --log.level=DEBUG
                      - --accesslog
                      - --providers.kubernetesingress # Ingress
                      - --providers.kubernetescrd # IngressRoute
                      - --providers.kubernetescrd.allowCrossNamespace=true
                      # - --entrypoints.outline-access-tcp.address=:40000
                      - --entrypoints.outline-access-udp.address=:40000/udp
                      - --entrypoints.outline-api.address=:60000
                  ports:
                      # - name: outline-acc-tcp
                      #   containerPort: 40000
                      - name: outline-acc-udp
                        containerPort: 40000
                        protocol: UDP
                      - name: outline-api
                        containerPort: 60000

Traefik Service

apiVersion: v1
kind: Service
metadata:
    name: traefik

spec:
    type: LoadBalancer
    externalTrafficPolicy: Local
    ports:
        # - protocol: TCP
        #   name: outline-acc-tcp
        #   port: 40000
        #   targetPort: outline-acc-tcp
        - protocol: UDP
          name: outline-acc-udp
          port: 40000
          targetPort: outline-acc-udp
        - protocol: TCP
          name: outline-api
          port: 60000
          targetPort: outline-api
    selector:
        app: traefik

Outline Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
    name: outline
spec:
    replicas: 1
    selector:
        matchLabels:
            app: outline
            name: outline
    template:
        metadata:
            labels:
                app: outline
                name: outline
        spec:
            volumes:
                - name: cache
                  emptyDir: {}
                - name: persistance
                  persistentVolumeClaim:
                      claimName: outline
                - name: tls
                  secret:
                      secretName: redacted.com
                      items:
                          - key: tls.crt
                            path: shadowbox.crt
                          - key: tls.key
                            path: shadowbox.key
                      defaultMode: 420
            containers:
                - name: outline
                  image: quay.io/outline/shadowbox:stable
                  ports:
                      # - name: access-tcp
                      #   containerPort: 40000
                      #   protocol: TCP
                      - name: access-udp
                        containerPort: 40000
                        protocol: UDP
                      - name: api
                        containerPort: 60000
                        protocol: TCP
                  env:
                      - name: SB_API_PORT
                        value: "60000"
                      - name: SB_API_PREFIX
                        value: redacted
                      - name: SB_CERTIFICATE_FILE
                        value: /tmp/shadowbox.crt
                      - name: SB_PRIVATE_KEY_FILE
                        value: /tmp/shadowbox.key
                  volumeMounts:
                      - name: cache
                        mountPath: /cache
                      - name: persistance
                        mountPath: /opt/outline
                      - name: persistance
                        mountPath: /root/shadowbox
                      - name: tls
                        readOnly: true
                        mountPath: /tmp/shadowbox.crt
                        subPath: shadowbox.crt
                      - name: tls
                        readOnly: true
                        mountPath: /tmp/shadowbox.key
                        subPath: shadowbox.key
                  lifecycle:
                      postStart:
                          exec:
                              command:
                                  - /bin/sh
                                  - "-c"
                                  - >-
                                      echo
                                      '{"rollouts":[{"id":"single-port","enabled":true}],"portForNewAccessKeys":40000,"hostname":"redacted.com"}'
                                      >
                                      /root/shadowbox/persisted-state/shadowbox_server_config.json;

Outline Service

apiVersion: v1
kind: Service
metadata:
    name: outline
    labels:
        app: outline
spec:
    selector:
        app: outline
    type: ClusterIP
    ports:
        # - name: access-tcp
        #   protocol: TCP
        #   port: 40000
        #   targetPort: access-tcp
        - name: access-udp
          protocol: UDP
          port: 40000
          targetPort: access-udp
        - name: api
          protocol: TCP
          port: 60000
          targetPort: api

Outline IngressRouteUDP

apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
    name: outline-access-udp
spec:
    entryPoints:
        - outline-access-udp
    routes:
        - services:
              - name: outline
                port: 40000
                nativeLB: true

Uncommenting everything and adding an IngressRouteTCP makes it work again, but over TCP, and that's not the point since I am trying to make UDP work as well.
It is also pretty hard to debug this sort of stuff, as I have not found a way to enable more detailed logging on the ss-server.
Any help would be much appreciated.

sbruens commented Aug 27, 2024

Can you check your firewall settings to see if you might be blocking UDP traffic?

PS1TD commented Aug 28, 2024

> I am 100% certain this is not a configuration issue on my side, as I have deployed a container to test UDP connectivity and it works (using the exact configuration showcased below).

I tested using iperf3 in UDP mode as well as with ksdn117/tcp-udp-test, and it works, so I assume UDP is not blocked.
I can't really check for sure, as it is hosted on a VPS.

Also, I can see in the Traefik logs that a UDP connection is trying to be established:

Handling UDP stream from [REDACTED]:41694 to 10.152.183.183:40000

PS1TD commented Aug 28, 2024

Could it be because the quay.io/outline/shadowbox:stable container does not properly forward UDP to the underlying outline-ss-server container?

sbruens commented Sep 3, 2024

Shadowbox should work for UDP. Did you test the ingress and egress for UDP on your VPS?
Are you able to test it on a different VPS to confirm whether it's something specific to your VPS? Or can you try a raw Docker run (without k8s) to reduce the complexity and isolate the issue?
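
The thread is trying to tell three situations apart with a single Traefik log line: a datagram that reached a listener and was answered, one that reached a host where nothing listens, and one that was silently dropped or silently consumed. The following probe is an added example for that diagnosis; it is not code from the issue, from Traefik or from the Outline project. It assumes only the standard library, uses a constructed local UDP listener as a stand-in for the reporter's test container, and the host and port you would point it at in a real deployment (the load balancer address and port 40000) are placeholders.

```python
import socket
import threading


def udp_probe(host, port, payload=b"probe", timeout=2.0):
    """Send one datagram to host:port and classify what comes back.

    Returns one of:
      "reply"   - a datagram came back, so an echo-style test service answered
      "refused" - the kernel raised ECONNREFUSED, meaning an ICMP port-unreachable
                  came back: packets reach that host but nothing listens on the port
      "timeout" - nothing came back: the listener consumed the datagram silently
                  (a Shadowsocks server discards anything it cannot authenticate),
                  or a firewall / load balancer dropped it on the way
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() on a UDP socket sends nothing; it only fixes the peer so the
        # kernel can attribute an incoming ICMP port-unreachable to this socket.
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(65535)
            return "reply"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"


def start_udp_server(echo, host="127.0.0.1"):
    """Constructed stand-in for a test container: binds an ephemeral UDP port and
    either echoes every datagram (echo=True, an echo responder like a UDP test
    container) or swallows it silently (echo=False, what a Shadowsocks listener
    does with an unauthenticated probe). Returns (port, stop_event)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    port = sock.getsockname()[1]
    stop = threading.Event()

    def serve():
        sock.settimeout(0.2)
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(65535)
            except socket.timeout:
                continue
            if echo:
                sock.sendto(data, peer)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def closed_udp_port(host="127.0.0.1"):
    """Pick a UDP port that is currently free on this host, to show what a
    reachable host with no listener looks like to the probe."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Local demonstration of the three outcomes. Against a real deployment you
    # would run udp_probe("<load-balancer-ip>", 40000) from outside the cluster.
    port, stop = start_udp_server(echo=True)
    print("echo listener   ->", udp_probe("127.0.0.1", port))
    stop.set()
    port, stop = start_udp_server(echo=False)
    print("silent listener ->", udp_probe("127.0.0.1", port, timeout=0.5))
    stop.set()
    print("no listener     ->", udp_probe("127.0.0.1", closed_udp_port(), timeout=0.5))
```

Two caveats when reading the result against the setup in this thread. First, a "timeout" from the shadowbox port is the expected outcome even when everything works: Shadowsocks UDP has no handshake and drops datagrams it cannot authenticate, so only a real Outline client (or a "refused", which proves the route ends at a host with nothing listening) tells you anything; the echo test container is the right target for a reachability check, as the reporter did. Second, the Traefik line "Handling UDP stream from ..." only records that Traefik received a datagram and opened a forwarding session; UDP has no connection to establish, so that log cannot confirm whether the backend answered. With `externalTrafficPolicy: Local` on the Traefik Service, datagrams arriving at a node that has no Traefik pod are dropped rather than forwarded, which also shows up as a plain timeout, so it is worth confirming which node's address the probe actually hits.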
