Setting Up Shadowsocks-libev Proxy on Ubuntu 24.04

This guide explains how to set up a Shadowsocks proxy server on Ubuntu 24.04. Shadowsocks is a lightweight and secure SOCKS5 proxy designed to bypass internet censorship. The guide covers setting up the server and configuring a desktop client using Shadowsocks-libev, which is a popular choice for these reasons:

  • It is written in C and offers excellent performance even on low-end hardware.
  • It receives frequent updates and maintenance.
  • It provides an extensive set of features, including TCP fast open, multi-user support, management API, redirect mode, tunnel mode, UDP relay, AEAD ciphers, and plugin support.

Requirements

You’ll need a VPS (Virtual Private Server) with unrestricted internet access.

Once you have a VPS running Ubuntu 24.04, proceed with the instructions below.

Step 1: Install Shadowsocks-libev Server on Ubuntu 24.04 VPS

Step 2: Configure Firewall on the VPS

Step 3: Configure Web Browser to Use the Socks Proxy

Step 4: Install and Configure Shadowsocks-libev Client

Step 1: Install Shadowsocks-libev Server on Ubuntu 24.04 VPS

SSH into your Ubuntu server. Install Shadowsocks-libev using the following commands:

sudo apt update
sudo apt install -y shadowsocks-libev

Edit the configuration file:

sudo nano /etc/shadowsocks-libev/config.json

The default configuration file looks like this:

{
    "server":["::1", "127.0.0.1"],
    "mode":"tcp_and_udp",
    "server_port":8388,
    "local_port":1080,
    "password":"ACRrobo9ymXb",
    "timeout":86400,
    "method":"chacha20-ietf-poly1305"
}

Modify 127.0.0.1 to 0.0.0.0 so the server listens on the public IP address. Change server_port to a different port, such as 8888. You can keep the randomly generated password.

Save the changes and restart the Shadowsocks-libev service:

sudo systemctl restart shadowsocks-libev.service

Enable auto-start on boot:

sudo systemctl enable shadowsocks-libev.service

Check the service status to ensure it’s running:

sudo systemctl status shadowsocks-libev.service

Example Output:

● shadowsocks-libev.service - Shadowsocks-libev Default Server Service
     Loaded: loaded (/usr/lib/systemd/system/shadowsocks-libev.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-05-16 07:31:11 UTC; 11s ago
       Docs: man:shadowsocks-libev(8)
   Main PID: 8215 (ss-server)
      Tasks: 1 (limit: 629145)
     Memory: 424.0K (peak: 1.0M)
        CPU: 10ms
     CGroup: /system.slice/shadowsocks-libev.service
             └─8215 /usr/bin/ss-server -c /etc/shadowsocks-libev/config.json

If you encounter the following error:

This system doesn't provide enough entropy to quickly generate high-quality random numbers. The service will not start until enough entropy has been collected.

Install rng-tools to fix it:

sudo apt-get install rng-tools

Then run:

sudo rngd -r /dev/urandom

Now, start the Shadowsocks-libev service.
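
A quick check of the edited server config before the port is opened, as an added example that is not part of the original guide: it flags a non-AEAD method, a short password, the default port and a loopback-only bind. The 12-character minimum and the function names are assumptions made for illustration.

```python
import json

# AEAD methods accepted by shadowsocks-libev; any other method is a legacy stream cipher.
AEAD_METHODS = {
    "aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
    "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
}
LOOPBACK = {"::1", "127.0.0.1", "localhost"}
MIN_PASSWORD_LEN = 12  # assumption: local policy threshold, not a Shadowsocks rule


def audit_config(cfg):
    """Return a list of findings for a parsed ss-server config (dict)."""
    findings = []
    method = cfg.get("method", "")
    if method not in AEAD_METHODS:
        findings.append(f"method {method!r} is not an AEAD cipher")
    if len(cfg.get("password", "")) < MIN_PASSWORD_LEN:
        findings.append(f"password is shorter than {MIN_PASSWORD_LEN} characters")
    if cfg.get("server_port") == 8388:
        findings.append("server_port is still the default 8388")
    servers = cfg.get("server", [])
    if isinstance(servers, str):  # the key accepts one address or a list
        servers = [servers]
    if set(servers) <= LOOPBACK:
        findings.append("server binds to loopback only; remote clients cannot connect")
    return findings


def audit_file(path="/etc/shadowsocks-libev/config.json"):
    """Load the JSON config from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_config(json.load(fh))


# Constructed samples: the package default shown above, then the edited version.
DEFAULT_CFG = json.loads("""{
    "server":["::1", "127.0.0.1"], "mode":"tcp_and_udp", "server_port":8388,
    "local_port":1080, "password":"ACRrobo9ymXb", "timeout":86400,
    "method":"chacha20-ietf-poly1305"}""")
EDITED_CFG = dict(DEFAULT_CFG, server=["::1", "0.0.0.0"], server_port=8888)

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CFG), ("edited", EDITED_CFG)):
        print(name, audit_config(cfg) or "no findings")
```

On the server, `audit_file()` reads the real file; run it with sudo if the config is not readable by your user.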

Step 2: Configure Firewall on the VPS

If you’re using iptables, allow traffic to the configured TCP and UDP ports. If Shadowsocks is using port 8888, run:

sudo iptables -I INPUT -p tcp --dport 8888 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 8888 -j ACCEPT

If using UFW firewall, use the following command:

sudo ufw allow 8888

Step 3: Configure Web Browser to Use the Socks Proxy

To use the SOCKS proxy, the application must support it. Firefox and Google Chrome provide built-in proxy settings.

Firefox

  1. Go to Edit > Settings > General (or Tools > Settings > General).

  2. Scroll to the bottom and click Settings in Network Settings.

  3. In the Connection Settings window, select manual proxy configuration.

  4. Select SOCKS v5 since Shadowsocks is a SOCKS5 proxy.

  5. Enter 127.0.0.1 in the SOCKS Host field and 1080 in the Port field.

  6. Enable Proxy DNS when using SOCKS v5 or enable DNS over HTTPS.

  7. Click OK to save.

Google Chrome

It’s recommended to install the Proxy SwitchyOmega extension to manage proxy settings.

Once installed, configure a proxy server:

  • Choose the SOCKS5 protocol.

  • Set 127.0.0.1 as the server address.

  • Set 1080 as the port number.

Apply the changes, then click the extension icon and select Proxy SwitchyOmega. Change the settings from system proxy to proxy.

Step 4: Install and Configure Shadowsocks-libev Client

Ubuntu Desktop

The shadowsocks-libev package contains both the server and client software. Install it using:

sudo apt update
sudo apt install shadowsocks-libev

Stop the Shadowsocks server on your desktop:

sudo systemctl disable --now shadowsocks-libev

The Shadowsocks client binary is named ss-local. A systemd service unit template is available at /lib/systemd/system/shadowsocks-libev-local@.service. Create a client-side configuration file by copying the server config:

sudo cp /etc/shadowsocks-libev/config.json /etc/shadowsocks-libev/client01.json

Edit the client configuration file:

sudo nano /etc/shadowsocks-libev/client01.json

Change the server address to your server’s public IP and add the following line to specify that the client listens on 127.0.0.1:

"local_address":"127.0.0.1",

The client configuration file should look like this:

{
 "server":"your-server-ip-address",
 "mode":"tcp_and_udp",
 "server_port":8888,
 "local_address":"127.0.0.1",
 "local_port":1080,
 "password":"ACRrobo9ymXb",
 "timeout":60,
 "method":"chacha20-ietf-poly1305"
}

Save the file and start the client:

sudo systemctl start shadowsocks-libev-local@client01.service

Enable auto-start at boot time:

sudo systemctl enable shadowsocks-libev-local@client01.service

Check the service status to confirm it’s running:

systemctl status shadowsocks-libev-local@client01.service

The ss-local process is now listening on 127.0.0.1:1080 and connected to your Shadowsocks server. Proceed to configure your web browser.

Windows Desktop

Download a Shadowsocks client for Windows from a trusted source. Extract the ZIP file and run the executable. If Windows Defender blocks the application, click More Info and Run anyway.

Add a new server in the client software:

  • Enter the server IP address, server port (8888), and password.

  • Adjust the Timeout value (less than 20 seconds).

  • Leave other settings at their defaults.

Click Apply.

You can add multiple servers, but only one is active at a time.

DNS Leak Test

Go to dnsleaktest.com. If your Shadowsocks server’s IP address is shown, the proxy is working correctly. Run the Standard test and ensure that your local ISP is not present in the results.

Proxy in Command Line

Install tsocks:

sudo apt install tsocks

Edit the configuration file:

sudo nano /etc/tsocks.conf

Find the line:

server = 192.168.0.1

Change it to:

server = 127.0.0.1

Save the file. Now, you can use Shadowsocks proxy with command-line programs like this:

sudo tsocks apt update

A similar program called proxychains is also available.

Enable TCP Fast Open

TCP Fast Open (TFO) allows data to be exchanged before the three-way handshake is complete, potentially improving connection speed.

Check your kernel version:

uname -r

Check TCP Fast Open configuration:

cat /proc/sys/net/ipv4/tcp_fastopen

The command can return these values:

  • 0 means disabled.
  • 1 means enabled for outgoing connections (client).
  • 2 means enabled for incoming connections (server).
  • 3 means enabled for both outgoing and incoming connections.

To set tcp_fastopen to 3, edit the sysctl configuration file:

sudo nano /etc/sysctl.conf

Add the following line to the end of the file:

net.ipv4.tcp_fastopen=3

Reload sysctl settings:

sudo sysctl -p

Enable TCP Fast Open in the Shadowsocks configuration file:

sudo nano /etc/shadowsocks-libev/config.json

Add the following line:

"fast_open": true

The configuration file will resemble this:

{
 "server":"your-server-ip-address",
 "server_port":8388,
 "local_port":1080,
 "password":"focobguph",
 "timeout":60,
 "method":"chacha20-ietf-poly1305",
 "fast_open": true
}

Restart the Shadowsocks server:

sudo systemctl restart shadowsocks-libev

Check the service status. Repeat the process on the Shadowsocks client.

Enable TCP BBR

TCP BBR is a TCP congestion control algorithm that can improve connection speed. Refer to a dedicated guide for instructions on how to enable it.

For more Shadowsocks usage information, check the manual:

man shadowsocks-libev

Troubleshooting

If Shadowsocks-libev stops working, and you see the following error on the server side:

ERROR: server recv: Connection reset by peer

And the client-side error is:

ERROR: remote_recv_cb_recv: Connection reset by peer

Restart the shadowsocks-libev service:

sudo systemctl restart shadowsocks-libev

To automate this, add a cron job:

sudo crontab -e

Add this line to the end of the file:

0 */3 * * * /bin/systemctl restart shadowsocks-libev

This will restart the service every 3 hours.

If you see this error in the Shadowsocks-libev log:

ERROR: unable to resolve www.youtube.com

The Shadowsocks-libev server cannot resolve DNS. Specify a DNS server in the /etc/shadowsocks-libev/config.json file:

"name_server":"1.1.1.1",

If you have your own DNS resolver, use:

"name_server":"127.0.0.1",

Following this guide should enable you to install and configure Shadowsocks-libev proxy on Ubuntu, enhancing your internet access. Remember to secure your server and client configurations for optimal performance and security.