
Setting Up Shadowsocks Service on an Ubuntu Server

This tutorial illustrates the steps for setting up a Shadowsocks server on an Ubuntu system. Time to embrace a bigger world! Shadowsocks is a secure SOCKS5 proxy designed to protect your internet traffic. Well, what does "protect" mean here? If you are among its target users, you would know.

Installing Shadowsocks and Getting It Running

Several versions of Shadowsocks are available, including the original Python-based Shadowsocks, Shadowsocks-libev, and ShadowsocksR. Because an obfuscation plugin is installed in a later section, Shadowsocks-libev is chosen here. Following its README file, Shadowsocks-libev can be installed with the following two commands.

sudo apt update
sudo apt install shadowsocks-libev

Running ss-server -h in the console lists all the parameters of the ss-server command. You could start a Shadowsocks server with a single command by passing every parameter on the command line, but it is more convenient to create a configuration file so that you do not have to type the long parameter list each time. A configuration file looks like this.

{
"server_port":443,
"local_port":443,
"password":"yourpassword",
"timeout":600,
"method":"aes-256-gcm"
}

Once you've finished editing the config file (suppose the file name is config.json), you can start the shadowsocks server by executing the following command.

ss-server -c /path/to/config.json

Or, if you want the Shadowsocks server to run as a background process (as most people do), execute the following command instead.

nohup ss-server -c /path/to/config.json >> /path/to/log.txt &

If you would like to shut down the server, use ps -ef | grep ss-server to get the pid of your shadowsocks server, and then kill the process using kill.

Before finishing this section, here are a few more details about the configuration.

Port Choosing

By deploying the Shadowsocks server on port 443, your Shadowsocks data stream looks more like an HTTPS web-browsing stream. It's also worth mentioning that some Wi-Fi networks have firewalls that block connections to all but common ports such as 443, 80, 22, etc. But of course, you can select your favorite port from 0 to 65535, as long as it is not occupied by another service.

Encryption Method Choosing

This article discusses in detail why AEAD-based encryption algorithms are safer than stream encryption + OTA algorithms. Shadowsocks-libev currently supports the following AEAD algorithms.

  • aes-128-gcm
  • aes-192-gcm
  • aes-256-gcm
  • chacha20-ietf-poly1305
  • xchacha20-ietf-poly1305

Besides, this gist suggests that AES-based algorithms perform badly on ARM processors. Thus, it has been suggested that AES-based algorithms be used for desktop clients and ChaCha-based algorithms for mobile clients.
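A check for the configuration choices discussed in this section, as an added example that is not part of the original tutorial. The names audit_config and audit_sample and the 16-character password minimum are assumptions made for illustration, and aes-256-cfb is used as a constructed non-AEAD sample value.

```python
import json
import os
import stat
import tempfile

# AEAD methods listed in this tutorial for Shadowsocks-libev.
AEAD_METHODS = {
    "aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
    "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
}
MIN_PASSWORD_LEN = 16  # assumption: local policy, not a Shadowsocks rule


def audit_config(path):
    """Return a list of findings for a Shadowsocks-libev config file."""
    findings = []
    # The file holds the shared password in clear text, so it should not
    # be readable by group or other users.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("file-mode: readable by group/other, use chmod 600")
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    method = cfg.get("method")
    if method not in AEAD_METHODS:
        findings.append(f"method: {method!r} is not an AEAD cipher")
    password = cfg.get("password", "")
    if password == "yourpassword" or len(password) < MIN_PASSWORD_LEN:
        findings.append("password: placeholder or shorter than policy minimum")
    port = cfg.get("server_port")
    if not (isinstance(port, int) and 1 <= port <= 65535):
        findings.append(f"server_port: {port!r} is not a valid TCP port")
    return findings


def audit_sample(cfg, mode):
    """Write a constructed config to a temp file with `mode` and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(cfg, fh)
        os.chmod(path, mode)
        return audit_config(path)


if __name__ == "__main__":
    # Constructed sample: the tutorial's config with a non-AEAD stream cipher.
    sample = {"server_port": 443, "password": "yourpassword", "method": "aes-256-cfb"}
    for finding in audit_sample(sample, 0o644):
        print(finding)
```

Run audit_config against the real /path/to/config.json before starting ss-server; an empty list means none of the checks fired.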

Using Obfuscation

Obfuscation is another method that reduces the distinguishing features of your data stream, making it harder for the GFW to determine whether the stream is being sent to a Shadowsocks server. It makes your data stream look as if you were accessing a normal website. However, using obfuscation will reduce the speed of your Shadowsocks connection. If you care a lot about speed and are okay with changing your server's IP from time to time when it is unluckily blocked, you don't need obfuscation.

This section introduces the obfuscation configuration using v2ray-plugin. First, make sure you have Go installed on your server. If not, you can install it by following this instruction.

The following commands will get v2ray-plugin ready on your server.

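# Clone over HTTPS so no GitHub SSH key is needed on the server
git clone https://github.com/shadowsocks/v2ray-plugin.git
cd v2ray-plugin
go build
# Install the binary and let it bind to ports below 1024 without root
sudo cp v2ray-plugin /usr/bin/v2ray-plugin
sudo setcap cap_net_bind_service+ep /usr/bin/v2ray-plugin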

Now use the following command to start v2ray-plugin serving in a background process.

v2ray-plugin &

Then add the following plugin lines to your configuration file so that Shadowsocks-libev uses v2ray-plugin to obfuscate its data stream.

{
"server_port":443,
"local_port":443,
"password":"yourpassword",
"timeout":600,
"method":"aes-256-gcm",
"plugin":"v2ray-plugin",
"plugin_opts":"server"
}

Finally, the Shadowsocks server can be started as described in the previous section. Note that you need extra configuration in your Shadowsocks client application for obfuscation to work. By assigning a URL to the obfs-host parameter on the client, your data stream will look like traffic to the URL you defined.