This guide explains how to set up a Shadowsocks proxy server on Ubuntu 24.04. Shadowsocks is a lightweight and secure SOCKS5 proxy designed to bypass internet censorship. The guide covers setting up the server and configuring a desktop client using Shadowsocks-libev, which is a popular choice for these reasons:
- Being written in C, it offers excellent performance even on low-end hardware.
- It receives frequent updates and maintenance.
- It provides an extensive set of features including TCP fast open, multi-user support, management API, redirect mode, tunnel mode, UDP relay, AEAD ciphers, and plugin support.
Requirements
You’ll need a VPS (Virtual Private Server) with unrestricted internet access.
Once you have a VPS running Ubuntu 24.04, proceed with the instructions below.
Step 1: Install Shadowsocks-libev Server on Ubuntu 24.04 VPS
Step 2: Configure Firewall on the VPS
Step 3: Configure Web Browser to Use the Socks Proxy
Step 4: Install and Configure Shadowsocks-libev Client
Step 1: Install Shadowsocks-libev Server on Ubuntu 24.04 VPS
SSH into your Ubuntu server. Install Shadowsocks-libev using the following commands:
sudo apt update
sudo apt install -y shadowsocks-libev
Edit the configuration file:
sudo nano /etc/shadowsocks-libev/config.json
The default configuration file looks like this:
{
"server":["::1", "127.0.0.1"],
"mode":"tcp_and_udp",
"server_port":8388,
"local_port":1080,
"password":"ACRrobo9ymXb",
"timeout":86400,
"method":"chacha20-ietf-poly1305"
}
Modify 127.0.0.1 to 0.0.0.0 so the server listens on the public IP address. Change server_port to a different port, such as 8888. You can keep the randomly generated password.
Save the changes and restart the Shadowsocks-libev service:
sudo systemctl restart shadowsocks-libev.service
Enable auto-start on boot:
sudo systemctl enable shadowsocks-libev.service
Check the service status to ensure it’s running:
sudo systemctl status shadowsocks-libev.service
Example Output:
● shadowsocks-libev.service - Shadowsocks-libev Default Server Service
Loaded: loaded (/usr/lib/systemd/system/shadowsocks-libev.service; enabled; preset: enabled)
Active: active (running) since Thu 2024-05-16 07:31:11 UTC; 11s ago
Docs: man:shadowsocks-libev(8)
Main PID: 8215 (ss-server)
Tasks: 1 (limit: 629145)
Memory: 424.0K (peak: 1.0M)
CPU: 10ms
CGroup: /system.slice/shadowsocks-libev.service
└─8215 /usr/bin/ss-server -c /etc/shadowsocks-libev/config.json
If you encounter the following error:
This system doesn't provide enough entropy to quickly generate high-quality random numbers. The service will not start until enough entropy has been collected.
Install rng-tools to fix it:
sudo apt-get install rng-tools
Then run:
sudo rngd -r /dev/urandom
Now, start the Shadowsocks-libev service.
Step 2: Configure Firewall on the VPS
If you’re using iptables, allow traffic to the configured TCP and UDP ports. If Shadowsocks is using port 8888, run:
sudo iptables -I INPUT -p tcp --dport 8888 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 8888 -j ACCEPT
If using UFW firewall, use the following command:
sudo ufw allow 8888
Step 3: Configure Web Browser to Use the Socks Proxy
To use the SOCKS proxy, the application must support it. Firefox and Google Chrome provide built-in proxy settings.
Firefox
- Go to Edit > Settings > General (or Tools → Settings → General).
- Scroll to the bottom and click Settings in Network Settings.
- In the Connection Settings window, select manual proxy configuration.
- Select SOCKS v5 since Shadowsocks is a SOCKS5 proxy.
- Enter 127.0.0.1 in the SOCKS Host field and 1080 in the Port field.
- Enable Proxy DNS when using SOCKS v5 or enable DNS over HTTPS.
- Click OK to save.
Google Chrome
It’s recommended to install the Proxy SwitchyOmega extension to manage proxy settings.
Once installed, configure a proxy server:
- Choose the SOCKS5 protocol.
- Set 127.0.0.1 as the server address.
- Set 1080 as the port number.
Apply the changes, then click the extension icon and select Proxy SwitchyOmega. Change the settings from system proxy to proxy.
Step 4: Install and Configure Shadowsocks-libev Client
Ubuntu Desktop
The shadowsocks-libev package contains both the server and client software. Install it using:
sudo apt update
sudo apt install shadowsocks-libev
Stop the Shadowsocks server on your desktop:
sudo systemctl disable --now shadowsocks-libev
The Shadowsocks client binary is named ss-local. A systemd service unit template is available at /lib/systemd/system/shadowsocks-libev-local@.service. Create a client-side configuration file by copying the server config:
sudo cp /etc/shadowsocks-libev/config.json /etc/shadowsocks-libev/client01.json
Edit the client configuration file:
sudo nano /etc/shadowsocks-libev/client01.json
Change the server address to your server’s public IP and add the following line to specify that the client listens on 127.0.0.1:
"local_address":"127.0.0.1",
The client configuration file should look like this:
{
"server":"your-server-ip-address",
"mode":"tcp_and_udp",
"server_port":8888,
"local_address":"127.0.0.1",
"local_port":1080,
"password":"ACRrobo9ymXb",
"timeout":60,
"method":"chacha20-ietf-poly1305"
}
Save the file and start the client:
sudo systemctl start shadowsocks-libev-local@client01.service
Enable auto-start at boot time:
sudo systemctl enable shadowsocks-libev-local@client01.service
Check the service status to confirm it’s running:
systemctl status shadowsocks-libev-local@client01.service
The ss-local process is now listening on 127.0.0.1:1080 and connected to your Shadowsocks server. Proceed to configure your web browser.
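As a check on the server and client configuration files edited above, the following Python script audits a config.json body for the settings this guide depends on. It is an added example, not part of Shadowsocks-libev or the original guide; the names audit_config and is_loopback, the 12-character password minimum and the sample client values are assumptions.

```python
import ipaddress
import json

# AEAD methods supported by shadowsocks-libev; anything else is a legacy stream cipher.
AEAD_METHODS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
                "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305"}
# Passwords printed in this guide: public, so unsafe to reuse.
PUBLISHED_PASSWORDS = {"ACRrobo9ymXb", "focobguph"}
MIN_PASSWORD_LEN = 12  # assumption: a local policy choice, not a Shadowsocks rule


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostname or placeholder: cannot be judged offline


def audit_config(text, role):
    """Return findings for a config body; role is 'server' or 'client'."""
    cfg = json.loads(text)
    findings = []
    if cfg.get("method") not in AEAD_METHODS:
        findings.append("method is not an AEAD cipher")
    password = cfg.get("password", "")
    if password in PUBLISHED_PASSWORDS:
        findings.append("password is one printed in the guide")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append("password is too short")
    port = cfg.get("server_port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append("server_port is not a valid port")
    servers = cfg.get("server", [])
    servers = [servers] if isinstance(servers, str) else servers
    if role == "server":
        if all(is_loopback(s) for s in servers):
            findings.append("server has no non-loopback listen address")
    else:
        if "your-server-ip-address" in servers:
            findings.append("server is still the placeholder")
        local = cfg.get("local_address")
        if local is None:
            findings.append("local_address is not set explicitly")
        elif not is_loopback(local):
            # ss-local's SOCKS5 listener has no authentication of its own.
            findings.append("local_address exposes the SOCKS5 port beyond loopback")
    return findings


# Constructed sample: a client config that binds the local port on all interfaces.
SAMPLE_CLIENT = ('{"server":"203.0.113.10","server_port":8888,"local_address":"0.0.0.0",'
                 '"local_port":1080,"password":"c0nstructed-Sample-pw","method":"aes-256-cfb"}')
print(audit_config(SAMPLE_CLIENT, "client"))
```

To audit a real file, pass its contents, for example audit_config(open("/etc/shadowsocks-libev/client01.json").read(), "client"); an empty list means none of these checks fired.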
Windows Desktop
Download a Shadowsocks client for Windows from a trusted source. Extract the ZIP file and run the executable. If Windows Defender blocks the application, click More Info and Run anyway.
Add a new server in the client software:
- Enter the server IP address, server port (8888), and password.
- Adjust the Timeout value (less than 20 seconds).
- Leave other settings at their defaults.
Click Apply.
You can add multiple servers, but only one is active at a time.
DNS Leak Test
Go to dnsleaktest.com. If your Shadowsocks server’s IP address is shown, the proxy is working correctly. Run the Standard test and ensure that your local ISP is not present in the results.
Proxy in Command Line
Install tsocks:
sudo apt install tsocks
Edit the configuration file:
sudo nano /etc/tsocks.conf
Find the line:
server = 192.168.0.1
Change it to:
server = 127.0.0.1
Save the file. Now, you can use Shadowsocks proxy with command-line programs like this:
sudo tsocks apt update
A similar program called proxychains is also available.
Enable TCP Fast Open
TCP Fast Open (TFO) allows data to be exchanged before the three-way handshake is complete, potentially improving connection speed.
Check your kernel version:
uname -r
Check TCP Fast Open configuration:
cat /proc/sys/net/ipv4/tcp_fastopen
The command can return these values:
- 0 means disabled.
- 1 means enabled for outgoing connections (client).
- 2 means enabled for incoming connections (server).
- 3 means enabled for both outgoing and incoming connections.
To set tcp_fastopen to 3, edit the sysctl configuration file:
sudo nano /etc/sysctl.conf
Add the following line to the end of the file:
net.ipv4.tcp_fastopen=3
Reload sysctl settings:
sudo sysctl -p
Enable TCP Fast Open in the Shadowsocks configuration file:
sudo nano /etc/shadowsocks-libev/config.json
Add the following line:
"fast_open": true
The configuration file will resemble this:
{
"server":"your-server-ip-address",
"server_port":8388,
"local_port":1080,
"password":"focobguph",
"timeout":60,
"method":"chacha20-ietf-poly1305",
"fast_open": true
}
Restart the Shadowsocks server:
sudo systemctl restart shadowsocks-libev
Check the service status. Repeat the process on the Shadowsocks client.
Enable TCP BBR
TCP BBR is a TCP congestion control algorithm that can improve connection speed. Refer to a guide on enabling TCP BBR for instructions.
For more Shadowsocks usage information, check the manual:
man shadowsocks-libev
Troubleshooting
If Shadowsocks-libev stops working, and you see the following error on the server side:
ERROR: server recv: Connection reset by peer
And the client-side error is:
ERROR: remote_recv_cb_recv: Connection reset by peer
Restart the shadowsocks-libev service:
sudo systemctl restart shadowsocks-libev
To automate this, add a cron job:
sudo crontab -e
Add this line to the end of the file:
0 */3 * * * /bin/systemctl restart shadowsocks-libev
This will restart the service every 3 hours.
If you see this error in the Shadowsocks-libev log:
ERROR: unable to resolve www.youtube.com
The Shadowsocks-libev server cannot resolve DNS. Specify a DNS server in the /etc/shadowsocks-libev/config.json file:
"name_server":"1.1.1.1",
If you have your own DNS resolver, use:
"name_server":"127.0.0.1",
Following this guide should enable you to install and configure Shadowsocks-libev proxy on Ubuntu, enhancing your internet access. Remember to secure your server and client configurations for optimal performance and security.