How to setup Shadowsocks on Debian 9 Stretch

November 15, 2018

Shadowsocks is a SOCKS5 proxy whose main purpose is bypassing internet censorship. Shadowsocks was originally written in Python, but since the original release many different implementations of Shadowsocks have been written. I'll be showing you how to install and set up Shadowsocks-libev, an implementation written in C. It's very light on resources and can run on very low-end hardware.


Installation

To get the latest version of Shadowsocks-libev we first need to enable the backports repository for Debian Stretch.

echo "deb http://ftp.debian.org/debian stretch-backports main" | sudo tee /etc/apt/sources.list.d/backports.list

Followed by

sudo apt update

Now we need to install the shadowsocks-libev package from the backports repository instead of the default repository.

sudo apt -t stretch-backports install shadowsocks-libev

There is a systemd service file included with shadowsocks-libev, so it can be completely managed by systemd.

Now that you should be up and running with a fairly recent version of shadowsocks-libev, let's take a look at some configuration.

Configuration

Let's start by opening up the shadowsocks configuration file. You'll find it located in /etc/shadowsocks-libev/config.json.

sudo nano /etc/shadowsocks-libev/config.json

Now let's go over some of the many configuration options you have.

Option            Description
"server"          The IP address or hostname of the shadowsocks server
"server_port"     The server port to use
"local_address"   The local listening address
"local_port"      The local port to use
"password"        The password for the shadowsocks server
"method"          The encryption method to use
"timeout"         Timeout in seconds
"fast_open"       true/false, enables TCP Fast Open (see the performance tuning section)
"nameserver"      Choose a different nameserver than the server's default
"mode"            Choose if you want to use TCP ("tcp_only"), UDP ("udp_only") or both ("tcp_and_udp"). Default is TCP only.

The local address and port are only relevant for shadowsocks configurations on your client machines.

For encryption methods, I recommend keeping the default AEAD method (chacha20-ietf-poly1305, as in the example below), as it is very secure and also quite fast.

For best performance it is generally a good idea to set TCP Fast Open to true, but to use it you also need to enable it on the system, which I'll show in the next section of the guide.

Here is an example Shadowsocks server configuration:

{
    "server": "0.0.0.0",
    "server_port": 8388,
    "password": "thisisapassword",
    "timeout": 60,
    "method": "chacha20-ietf-poly1305"
}

After you have set up shadowsocks to your liking, remember to restart it:

sudo systemctl restart shadowsocks-libev
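As an added example (not from the original post), here is a small shell script that writes the server configuration shown above with a randomly generated password, keeps the file readable only by its owner (it contains the shared secret), and checks it before the service is restarted. The function names, the output path and the checks are my own assumptions; on a real host pass /etc/shadowsocks-libev/config.json and run it with sudo.

```shell
#!/bin/sh
# Added example: provision a shadowsocks-libev server config safely.
# Not part of the original post; paths and function names are assumptions.

# Random password from /dev/urandom, base64-encoded so it is printable.
# Works without openssl installed; 24 bytes -> 32 characters.
gen_password() {
    nbytes="${1:-24}"
    head -c "$nbytes" /dev/urandom | base64 | tr -d '\n'
}

# Write the config. 0.0.0.0 binds every interface, as in the post's
# example; pass a specific address to bind only one. The subshell keeps
# the restrictive umask from leaking into the caller's shell.
write_server_config() {
    out="$1"; port="${2:-8388}"; bind="${3:-0.0.0.0}"
    password="${4:-$(gen_password)}"
    (
        umask 077   # new file is created 0600
        cat > "$out" <<EOF
{
    "server": "$bind",
    "server_port": $port,
    "password": "$password",
    "timeout": 60,
    "method": "chacha20-ietf-poly1305"
}
EOF
    )
}

# Sanity checks before "systemctl restart": the file must be private,
# must not still carry the example password, and must use an AEAD cipher
# (the only methods shadowsocks-libev offers that authenticate traffic).
check_server_config() {
    f="$1"
    [ "$(ls -l "$f" | cut -c1-10)" = "-rw-------" ] \
        || { echo "$f: permissions are not 0600"; return 1; }
    grep -q '"password": "thisisapassword"' "$f" \
        && { echo "$f: example password still set"; return 1; }
    grep -Eq '"method": "(chacha20-ietf-poly1305|xchacha20-ietf-poly1305|aes-(128|192|256)-gcm)"' "$f" \
        || { echo "$f: method is not an AEAD cipher"; return 1; }
    return 0
}

# Usage on a server (assumed path), then restart the service:
#   write_server_config /etc/shadowsocks-libev/config.json 8388
#   check_server_config /etc/shadowsocks-libev/config.json && systemctl restart shadowsocks-libev
```

The generated password is printed nowhere; read it back from the file with sudo when you configure the clients.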

Performance tuning

There are some changes you can make to your system to optimize shadowsocks. If you are interested in a bit more info on these optimizations, have a look at shadowsocks.org.

Increase maximum number of open file descriptors

First open up the following file

sudo nano /etc/security/limits.conf

And add the following 2 lines

* soft nofile 51200
* hard nofile 51200

Then before starting shadowsocks run

ulimit -n 51200

Tune kernel parameters

Open up the following

sudo nano /etc/sysctl.conf

And add the following

fs.file-max = 51200

net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 4096

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_congestion_control = hybla

When you have done that, run the following to apply the changes:

sudo sysctl -p

Among the changes is TCP Fast Open, which I mentioned earlier. You can now proceed with enabling TCP Fast Open in your shadowsocks config by adding the following to the config file:

"fast_open": true

TCP BBR

If you have kernel 4.9 or newer you can use TCP BBR for congestion control. It should give a noticeable improvement to performance. Debian 9 ships with kernel 4.9 by default. If you are unsure which kernel version you have you can run uname -r in your terminal to check.

To enable TCP BBR open up the sysctl.conf

sudo nano /etc/sysctl.conf

And add the following 2 lines to it. The tcp_congestion_control line replaces the hybla line from the previous section; if both stay in the file, sysctl -p applies them in order and the last one wins.

net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

And afterwards run the following to apply the changes

sudo sysctl -p
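As an added example covering both the file-descriptor limit and the sysctl sections above (my own code, not from the post), here are a few shell functions that verify the tuning actually took effect. Each function reads a file path that defaults to the live /proc or /etc location, so the same code can be run against constructed input. The function names are assumptions.

```shell
#!/bin/sh
# Added example: check that the tuning from the post applied.
# Not part of the original post; function names are assumptions.

# Soft "Max open files" of a process, read from /proc/<pid>/limits.
# Note: /etc/security/limits.conf is applied by pam_limits to login
# sessions only; a systemd service takes its limit from LimitNOFILE= in
# its unit (or DefaultLimitNOFILE= in /etc/systemd/system.conf), so check
# the daemon's own pid, e.g. nofile_soft_limit /proc/$(pidof ss-server)/limits
nofile_soft_limit() {
    limits_file="${1:-/proc/self/limits}"
    awk '/^Max open files/ { print $4 }' "$limits_file"
}

# Effective value of a key in a sysctl.conf-style file. sysctl -p applies
# lines top to bottom, so when a key appears twice (hybla from the first
# block, bbr from the BBR section) the last line wins.
sysctl_file_value() {
    key="$1"; file="${2:-/etc/sysctl.conf}"
    awk -v k="$key" '
        /^[[:space:]]*[#;]/ { next }               # skip comment lines
        {
            split($0, kv, "=")
            gsub(/[[:space:]]/, "", kv[1])
            if (kv[1] == k) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                last = v
            }
        }
        END { if (last != "") print last }' "$file"
}

# Keys that appear more than once (the silent-override case above).
sysctl_file_duplicates() {
    file="${1:-/etc/sysctl.conf}"
    awk -F= '/^[[:space:]]*[#;]/ { next }
             NF >= 2 { k = $1; gsub(/[[:space:]]/, "", k); n[k]++ }
             END { for (k in n) if (n[k] > 1) print k }' "$file"
}

# Is a congestion control algorithm currently available to the kernel?
# tcp_available_congestion_control lists built-in and loaded algorithms;
# if bbr or hybla is still missing after "sysctl -p", the tcp_bbr /
# tcp_hybla module was not loaded on this kernel.
cc_available() {
    want="$1"
    avail="${2:-$(cat /proc/sys/net/ipv4/tcp_available_congestion_control)}"
    for a in $avail; do
        [ "$a" = "$want" ] && return 0
    done
    return 1
}

# net.ipv4.tcp_fastopen is a bitmask: bit 0 = client side, bit 1 =
# server side. The post sets 3 so both ss-server and ss-local may use it.
tfo_server_enabled() {
    v="${1:-$(cat /proc/sys/net/ipv4/tcp_fastopen)}"
    [ $(( v & 2 )) -ne 0 ]
}
```

Run the functions without arguments on the tuned host; with the explicit arguments used in the comments they work on any saved copy of the files.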

Clients

Android

To use shadowsocks on Android you can download the official app from either the Play Store or directly from GitHub.

The setup should be quite simple: just enter the information from your server config file into the app and it should be ready to go. The shadowsocks app works like a VPN on Android, so everything gets routed through it and no special configuration should be needed.

Linux

To use shadowsocks on Linux you can follow the same installation instructions as for the server, as the shadowsocks-libev package contains both the server and client components. To run shadowsocks you can either create a config file or just use command-line options. I recommend creating a config file somewhere in your home directory. Below you can see an example config file that works with the server config I showed previously; replace the server value with your server's public IP address or hostname. This config assumes you have enabled TCP Fast Open; if not, delete the last line.

{
    "server": "your.server.address",
    "server_port": 8388,
    "method": "chacha20-ietf-poly1305",
    "password": "thisisapassword",
    "local_address": "127.0.0.1",
    "local_port": "1080",
    "timeout": 60,
    "fast_open": true
}
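As an added example (my own code, not from the post), here is a small lint script for a client config like the one above, run before starting ss-local. It pulls flat values out of the JSON with sed, which is enough for configs of this shape (no nesting, no commas or quotes inside values), and flags the mistakes that matter on the client side: a server address copied over from the server config, a local SOCKS port bound to every interface, a non-AEAD cipher, and the example password. The function names are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check a shadowsocks client config before ss-local.
# Not part of the original post; function names are assumptions.

# Value of a top-level key, with or without surrounding quotes.
json_value() {
    key="$1"; file="$2"
    sed -n 's/^[[:space:]]*"'"$key"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",]*\)"\{0,1\}[[:space:]]*,\{0,1\}[[:space:]]*$/\1/p' "$file" | head -n 1
}

# Returns 0 when the config is safe to start, 1 otherwise, printing one
# line per problem found.
lint_client_config() {
    f="$1"; rc=0
    server=$(json_value server "$f")
    local_addr=$(json_value local_address "$f")
    method=$(json_value method "$f")
    password=$(json_value password "$f")

    # "server" must be the remote host. 0.0.0.0 is only meaningful as a
    # listen address on the server side; on Linux a client would end up
    # connecting to the local machine.
    case "$server" in
        ""|0.0.0.0|127.0.0.1)
            echo "server must be the remote host, got '$server'"; rc=1 ;;
    esac

    # A local SOCKS port bound to 0.0.0.0 is reachable by every host on
    # the LAN, i.e. an unauthenticated open proxy. Keep it on loopback
    # unless you deliberately intend to share it.
    case "$local_addr" in
        127.0.0.1|::1|localhost) ;;
        *) echo "local_address should be loopback, got '$local_addr'"; rc=1 ;;
    esac

    # Only AEAD methods authenticate the traffic.
    case "$method" in
        chacha20-ietf-poly1305|xchacha20-ietf-poly1305|aes-128-gcm|aes-192-gcm|aes-256-gcm) ;;
        *) echo "method '$method' is not an AEAD cipher"; rc=1 ;;
    esac

    [ "$password" = "thisisapassword" ] \
        && { echo "example password still in use"; rc=1; }
    return $rc
}

# Usage:  lint_client_config ~/config.json && ss-local -c ~/config.json
```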

Let's assume you name the file config.json. To start shadowsocks you simply type the following in a terminal window.

ss-local -c /path/to/file/config.json

Now to actually use shadowsocks you need to tell the programs you use to connect through the proxy. For example with Firefox you need to go into your network settings and tell it to use the proxy.

[Screenshot: Firefox connection settings with a manual SOCKS v5 proxy on 127.0.0.1 port 1080 and DNS through the proxy enabled]

Depending on your reasons for using shadowsocks it might be a good idea to have DNS queries go through it as well. If you're not quite sure, I would recommend enabling it, like shown above.

Plugins - Simple-obfs

Depending on your usage scenario it might be a good idea to use obfuscation. Luckily there is a nice plugin made for shadowsocks called simple-obfs.

For Debian 9, there are 2 ways to install simple-obfs. The first is to install it from the stretch-backports repository, the same way we installed shadowsocks-libev.

sudo apt -t stretch-backports install simple-obfs

The second way is to compile it from source. This method works on any distro, but there are slight differences in which packages, and their names, you need to install on your system beforehand. Below I'll show you how to do it on Debian 9; if you're using any other distro I recommend checking out the simple-obfs GitHub page.

First we need to install the following packages

sudo apt install --no-install-recommends build-essential autoconf libtool libssl-dev libpcre3-dev libev-dev asciidoc xmlto automake git

Next we need to clone the github repository and compile simple-obfs using the following commands.

git clone https://github.com/shadowsocks/simple-obfs.git
cd simple-obfs
git submodule update --init --recursive
./autogen.sh
./configure && make
sudo make install

Next we need to configure shadowsocks to actually use simple-obfs. To do so add the following to the bottom of your shadowsocks config file.

"plugin": "obfs-server",
"plugin_opts": "obfs=tls;fast-open"

The next step is to enable it in your clients.

Android

On Android you need to download the simple-obfs app. You can get the app from the Play Store or directly from GitHub.

After you have installed the app, proceed to the shadowsocks app. At the bottom of the settings for an individual server you will find the plugin options, where you can enable simple-obfs.

[Screenshot: enabling the simple-obfs plugin in the shadowsocks Android app]

You can then change the settings for the simple-obfs plugin. If you're following this guide I recommend using tls rather than http. The domain used for disguising the traffic can be anything you like, but bing.com is a good default.

[Screenshot: simple-obfs plugin settings with tls mode and the disguise domain]

Linux

The install process for the client on Linux is the same as for installing it on the server, as the package includes both the server and client components. To enable the use of simple-obfs, add the following lines to your shadowsocks client config.

"plugin": "obfs-local",
"plugin_opts": "obfs=tls;obfs-host=www.bing.com"