How to setup Shadowsocks on Debian 9 Stretch
November 15, 2018
Shadowsocks is a SOCKS5 proxy whose main purpose is bypassing internet censorship. Shadowsocks was originally written in Python, but since the original release many different implementations of Shadowsocks have appeared. I'll be showing you how to install and set up Shadowsocks-libev, an implementation written in C. It's very light on resources and can run on very low-end hardware.
Installation
To get the latest version of Shadowsocks-libev we first need to enable the backports repository for Debian Stretch
echo "deb http://ftp.debian.org/debian stretch-backports main" | sudo tee /etc/apt/sources.list.d/backports.list
Followed by
sudo apt update
Now we need to install the shadowsocks-libev package from the backports repository instead of the default repository.
sudo apt -t stretch-backports install shadowsocks-libev
There is a systemd service file included with shadowsocks-libev, so it can be completely managed by systemd.
Now that you should be up and running with a fairly recent version of shadowsocks-libev, let's take a look at some configuration.
Configuration
Let's start by opening up the shadowsocks configuration file. You'll find that located in /etc/shadowsocks-libev/config.json
sudo nano /etc/shadowsocks-libev/config.json
Now let's go over some of the many configuration options you have.
Option | Description |
---|---|
"server": "" | The IP address or hostname of the shadowsocks server |
"server_port": "" | The server port to use |
"local_address": "" | The local listening address |
"local_port": "" | The local port to use |
"password": "" | The password for the shadowsocks server |
"method": "" | The encryption method to use |
"timeout": "" | Timeout in seconds |
"fast_open": true/false | Enable TCP Fast Open; the kernel also has to support it (see the performance tuning section) |
"nameserver": "" | Choose a different nameserver than the server's default |
"mode": "" | Choose whether you want TCP only ("tcp_only"), UDP only ("udp_only") or both ("tcp_and_udp"). Default is TCP only. |
The local address and port are only relevant for shadowsocks configurations on your client machines.
For encryption methods, I recommend using the default as it is very secure and also quite fast.
For best performance it is generally a good idea to set TCP fast open to true, but to use it you also need to enable it on the system, which I'll show in the next section of the guide.
Here is an example Shadowsocks server configuration:
{
"server": "0.0.0.0",
"server_port": 8388,
"password": "thisisapassword",
"timeout": 60,
"method": "chacha20-ietf-poly1305"
}
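Here is an added example of my own, not code from the original post or from the Shadowsocks project: a small POSIX sh helper that writes a server config like the one above, but with a random 32-byte password instead of a guessable one, and that refuses any cipher that is not one of the AEAD methods shadowsocks-libev 3.x offers. The function names are this example's own; the config path is the one the Debian package reads.

```shell
#!/bin/sh
# Added example (not from the original post or the Shadowsocks project): write a
# server config like the one above, with a random password instead of a guessable
# one, and refuse any non-AEAD cipher. Function names are this example's own.

# AEAD ciphers offered by shadowsocks-libev 3.x (the post's example uses
# chacha20-ietf-poly1305); the older stream ciphers are rejected here.
ss_method_is_aead() {
    case "$1" in
        aes-128-gcm|aes-192-gcm|aes-256-gcm|chacha20-ietf-poly1305|xchacha20-ietf-poly1305)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# 32 random bytes, base64-encoded: 44 printable characters containing no quote or
# backslash, so the value can be placed in a JSON string without escaping.
ss_gen_password() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Print the server config to stdout.
# $1 = bind address, $2 = port, $3 = method, $4 = password
ss_server_config() {
    ss_method_is_aead "$3" || { echo "refusing non-AEAD method: $3" >&2; return 1; }
    case "$2" in
        ''|*[!0-9]*) echo "port must be numeric: $2" >&2; return 1 ;;
    esac
    printf '{\n  "server": "%s",\n  "server_port": %s,\n  "password": "%s",\n  "timeout": 60,\n  "method": "%s"\n}\n' \
        "$1" "$2" "$4" "$3"
}

# Usage on the server (the path is the one the Debian package reads):
#   ss_server_config 0.0.0.0 8388 chacha20-ietf-poly1305 "$(ss_gen_password)" \
#       | sudo tee /etc/shadowsocks-libev/config.json > /dev/null
#   sudo systemctl restart shadowsocks-libev
# The file holds the password, so keep it unreadable to other users; check which
# account the unit runs as with `systemctl cat shadowsocks-libev` before
# tightening its mode.
```

The password goes into the file as a base64 string, so there is nothing to escape, and a typo in the method name fails loudly before the service is restarted rather than leaving ss-server refusing to start.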
After you have set up shadowsocks to your liking, remember to restart it
sudo systemctl restart shadowsocks-libev
Performance tuning
There are some changes you can make to your system to optimize shadowsocks. If you are interested in a bit more info on these optimizations, have a look at shadowsocks.org
Increase maximum number of open file descriptors
First open up the following file
sudo nano /etc/security/limits.conf
And add the following 2 lines
* soft nofile 51200
* hard nofile 51200
Then before starting shadowsocks run
ulimit -n 51200
Tune kernel parameters
Open up the following
sudo nano /etc/sysctl.conf
And add the following
fs.file-max = 51200
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_congestion_control = hybla
When you have done that, run the following to apply the changes
sudo sysctl -p
Among the changes is TCP fast open, which I talked about earlier. You can now proceed with enabling TCP fast open in your shadowsocks config by adding the following to the config file
"fast_open": true
TCP BBR
If you have kernel 4.9 or newer you can use TCP BBR for congestion control. It should give a noticeable improvement in performance. Debian 9 ships with kernel 4.9 by default. If you are unsure which kernel version you have, run uname -r in your terminal to check.
To enable TCP BBR open up the sysctl.conf
sudo nano /etc/sysctl.conf
And add the following 2 lines to it
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
And afterwards run the following to apply the changes
sudo sysctl -p
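The sysctl changes above only help if the kernel actually applied them, and two details are easy to miss: net.ipv4.tcp_fastopen is a bitmask (1 = client side, 2 = server side, so the value 3 from the tuning block enables both), and net.ipv4.tcp_available_congestion_control only lists algorithms whose modules are loaded, so bbr (or the hybla from the earlier block; note that sysctl.conf is applied top to bottom, so the bbr line overrides hybla) will be missing until its module is loaded. The following is an added check script of my own, not from the original post or the Shadowsocks project; the pure functions take their input as arguments so they can be exercised offline, and ss_kernel_report reads the live values from /proc/sys (assumed readable, as it normally is).

```shell
#!/bin/sh
# Added example, not from the original post: verify that the kernel-side changes
# the post relies on (TCP Fast Open and the congestion control choice) are really
# active before relying on "fast_open": true in the shadowsocks config.

# Decode net.ipv4.tcp_fastopen: bit 0 (value 1) = client side, bit 1 (value 2)
# = server side, so 3 means both. Prints a short label.
tfo_decode() {
    case $(( $1 & 3 )) in
        0) echo "disabled" ;;
        1) echo "client-only" ;;
        2) echo "server-only" ;;
        3) echo "client+server" ;;
    esac
}

# ss-server needs the server bit; ss-local needs the client bit.
# $1 = server|local, $2 = current tcp_fastopen value
tfo_ok_for() {
    case "$1" in
        server) [ $(( $2 & 2 )) -ne 0 ] ;;
        local)  [ $(( $2 & 1 )) -ne 0 ] ;;
        *)      return 2 ;;
    esac
}

# Is the wanted algorithm among those the kernel currently exposes?
# $1 = wanted (e.g. bbr), $2 = contents of net.ipv4.tcp_available_congestion_control
cc_available() {
    for algo in $2; do
        [ "$algo" = "$1" ] && return 0
    done
    return 1
}

# Live report on a Debian box. Run after `sudo sysctl -p`.
ss_kernel_report() {
    tfo=$(cat /proc/sys/net/ipv4/tcp_fastopen)
    cc=$(cat /proc/sys/net/ipv4/tcp_congestion_control)
    avail=$(cat /proc/sys/net/ipv4/tcp_available_congestion_control)
    echo "kernel $(uname -r): tcp_fastopen=$tfo ($(tfo_decode "$tfo")), congestion control=$cc"
    tfo_ok_for server "$tfo" ||
        echo "WARNING: server-side TFO is off; \"fast_open\": true will not help ss-server"
    cc_available bbr "$avail" ||
        echo "NOTE: bbr is not loaded (needs kernel >= 4.9); try 'sudo modprobe tcp_bbr' and re-run 'sudo sysctl -p'"
}
# e.g.: ss_kernel_report
```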
Clients
Android
To use shadowsocks on Android you can download the official app from either the Play Store or directly from GitHub
The setup should be quite simple: just enter the details from your server config file into the app and it should be ready to go. On Android the shadowsocks app works like a VPN, so everything gets routed through it and no special configuration should be needed.
Linux
To use shadowsocks on Linux you can follow the same installation instructions as for the server, as the shadowsocks-libev package contains both the server and the client component. To run shadowsocks you can either create a config file or just use command-line options. I recommend creating a config file somewhere in your home directory. Below is an example config file that works with the server config I showed previously; replace the server address with your server's public IP address. This config assumes you have enabled TCP Fast Open; if not, delete the last line (and the comma at the end of the line before it).
{
"server": "YOUR_SERVER_IP",
"server_port": 8388,
"method": "chacha20-ietf-poly1305",
"password": "thisisapassword",
"local_address": "127.0.0.1",
"local_port": 1080,
"timeout": 60,
"fast_open": true
}
Let's assume you name the file config.json. To start shadowsocks you simply type the following in a terminal window.
ss-local -c /path/to/file/config.json
Now to actually use shadowsocks you need to tell the programs you use to connect through the proxy. For example with Firefox you need to go into your network settings and tell it to use the proxy.
Depending on your reasons for using shadowsocks it might be a good idea to have DNS queries go through it as well. If you're not quite sure, I would recommend enabling it, as shown above.
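Two things worth confirming once ss-local is running: that it really listens only on the loopback address from the config (a "local_address" of 0.0.0.0 would turn your machine into an open proxy for everyone on the LAN), and that name resolution happens on the far side of the proxy. The following is an added example of my own, not from the original post or the Shadowsocks project; it assumes iproute2's ss and curl are installed, parses the output of ss -ltn (a constructed sample is included so the parsing can be checked offline), and uses curl's --socks5-hostname option, which hands the hostname to the proxy instead of resolving it locally.

```shell
#!/bin/sh
# Added example, not from the original post: after starting ss-local, confirm it
# listens only on loopback and fetch a URL through it with remote DNS resolution.
# Assumes iproute2 (`ss`) and curl; function names are this example's own.

# Parse `ss -ltn` output and print the bind address of whatever listens on $2.
# Returns 1 if nothing listens on that port.
# $1 = ss -ltn output, $2 = local port
ss_local_bind_addr() {
    echo "$1" | awk -v port="$2" '
        NR > 1 {
            n = split($4, a, ":")              # Local Address:Port, e.g. 127.0.0.1:1080 or [::1]:1080
            if (a[n] == port) {
                sub(":" port "$", "", $4)      # strip the trailing :port
                print $4
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Loopback is fine; 0.0.0.0, * or :: means every interface, i.e. exposed.
addr_is_loopback() {
    case "$1" in
        127.*|"[::1]"|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of `ss -ltn` output (not captured from a real host), used
# for the offline checks below.
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:1080      0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*'

# Live check, then a fetch through the proxy. --socks5-hostname sends the
# hostname to ss-local, so the DNS lookup happens on the server side rather
# than leaking from this machine.
# $1 = local port from the config, $2 = URL to fetch
ss_local_check() {
    bind=$(ss_local_bind_addr "$(ss -ltn)" "$1") ||
        { echo "nothing listening on port $1; is ss-local running?"; return 1; }
    addr_is_loopback "$bind" ||
        echo "WARNING: ss-local is bound to $bind and reachable from other hosts"
    curl -sS --socks5-hostname "127.0.0.1:$1" -o /dev/null \
        -w 'HTTP %{http_code} via proxy\n' "$2"
}
# e.g.: ss_local_check 1080 https://example.com
```

If you use Firefox's proxy settings instead of curl, the equivalent of --socks5-hostname is the "Proxy DNS when using SOCKS v5" checkbox.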
Plugins - Simple-obfs
Depending on your usage scenario it might be a good idea to use obfuscation. Luckily there is a nice plugin made for shadowsocks called simple-obfs.
For Debian 9, there are 2 ways to install simple-obfs. The first is to install it from the stretch-backports repository, the same way we installed shadowsocks-libev.
sudo apt -t stretch-backports install simple-obfs
The second way is to compile it from source. This method works on any distro, but there are slight differences in which packages you need to install beforehand, and in their names. Below I'll show you how to do it on Debian 9; if you're using any other distro I recommend checking out the simple-obfs GitHub page
First we need to install the following packages
sudo apt install --no-install-recommends build-essential autoconf libtool libssl-dev libpcre3-dev libev-dev asciidoc xmlto automake git
Next we need to clone the github repository and compile simple-obfs using the following commands.
git clone https://github.com/shadowsocks/simple-obfs.git
cd simple-obfs
git submodule update --init --recursive
./autogen.sh
./configure && make
sudo make install
Next we need to configure shadowsocks to actually use simple-obfs. To do so, add the following two lines at the bottom of your shadowsocks config file, before the closing brace. Since the file is JSON, the line before them has to end with a comma and the last line must not.
"plugin": "obfs-server",
"plugin_opts": "obfs=tls;fast-open"
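Adding lines to the end of a JSON file by hand is where configs usually break (a missing comma on the previous line, or a stray one on the new last line, and ss-server refuses to start). Here is an added helper of my own, not from the original post or the Shadowsocks project, that inserts or replaces the two plugin keys in a one-key-per-line config like the ones in this guide and takes care of the commas; it works for both obfs-server and obfs-local, and running it twice does not duplicate the keys. The function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: add (or replace) the simple-obfs
# plugin keys in a flat, one-key-per-line shadowsocks-libev config.json without
# producing invalid JSON. Layout assumption: the closing brace is on its own line.
# $1 = existing config text, $2 = plugin (obfs-server or obfs-local), $3 = plugin_opts
ss_add_plugin() {
    echo "$1" | awk -v plugin="$2" -v opts="$3" '
        /^[ \t]*"plugin(_opts)?"[ \t]*:/ { next }   # drop any existing plugin keys
        /^[ \t]*}[ \t]*$/ {
            # flush buffered lines; the last value line must end with a comma
            for (i = 1; i < n; i++) print buf[i]
            if (n > 0) {
                if (buf[n] !~ /[,{][ \t]*$/) buf[n] = buf[n] ","
                print buf[n]
            }
            printf "  \"plugin\": \"%s\",\n  \"plugin_opts\": \"%s\"\n%s\n", plugin, opts, $0
            n = 0
            next
        }
        { buf[++n] = $0 }
        END { for (i = 1; i <= n; i++) print buf[i] }'
}

# Usage on the server:
#   ss_add_plugin "$(cat /etc/shadowsocks-libev/config.json)" obfs-server "obfs=tls;fast-open" \
#       > /tmp/config.json && sudo cp /tmp/config.json /etc/shadowsocks-libev/config.json
#   sudo systemctl restart shadowsocks-libev
# On a client, use obfs-local and "obfs=tls;obfs-host=www.bing.com" instead.
```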
The next step is to enable it in your clients.
Android
On Android you need to download the simple-obfs app. You can get the app from the Play Store or directly from GitHub
After you have installed the app, open the shadowsocks app. At the bottom of the settings for an individual server you'll find the plugin options, where you can enable simple-obfs
You can then change the settings for the simple-obfs plugin. If you're following this guide I recommend using tls rather than http. The domain used to disguise the traffic can be anything you like, but bing.com is a good default.
Linux
The install process for the client on linux is the same as for installing it on the server, as it includes both the server and client component. To enable the use of simple-obfs, add the following lines to your shadowsocks config.
"plugin": "obfs-local",
"plugin_opts": "obfs=tls;obfs-host=www.bing.com"