Last updated: 2023-10-03
Table of contents
- shadowsocks introduction
- Install & Compile
  - Install by Package
  - Compile from source
  - Configure
  - System Tuning
  - Firewall Setting
  - Startup
- Client
  - Windows
- obfs-server
- v2ray-plugin
- ss-manager
- nginx config
- Troubleshoot
- Android apk
- Other
shadowsocks introduction
Homepage: https://shadowsocks.org/en/index.html
Server Implementation: python / C / Perl / Go
- shadowsocks - Python version
- shadowsocks-libev - C libev version
- shadowsocks-go - Go version
Install & Compile
Install by Package
[1] CentOS 6
yum install python2-pip
pip install shadowsocks
# The PyPI package (2.8.2, from 2015) predates the AEAD ciphers, so it cannot use aes-256-gcm; prefer shadowsocks-libev.
[2] Debian 9 / Ubuntu 16.10
apt install shadowsocks-libev
[3] OpenWrt 18.06
Compile from source
Debian/Ubuntu preparation
apt-get install --no-install-recommends build-essential \
autoconf automake gawk libtool apg asciidoc xmlto \
libpcre3-dev zlib1g-dev libev-dev libudns-dev \
libsodium-dev libmbedtls-dev libc-ares-dev libssl-dev
CentOS 7 preparation
yum groupinstall "Development Tools"
yum install epel-release -y
yum install gcc gettext autogen autoconf libtool automake make pcre-devel \
asciidoc xmlto c-ares-devel libev-devel libsodium-devel mbedtls-devel
Download Source
mkdir /usr/src/shadowsocks; cd $_
VER=3.3.5 # 2020-09-15
FILE=shadowsocks-libev-${VER}
wget https://github.com/shadowsocks/shadowsocks-libev/releases/download/v${VER}/${FILE}.tar.gz
tar -zxf ${FILE}.tar.gz
Compile
cd $FILE
./configure --prefix=/opt/shadowsocks
make -j && make install
You get:
Core components
- ss-server - shadowsocks server
- ss-local - shadowsocks client as socks5 proxy
Optional
- ss-redir - shadowsocks client as transparent proxy
- ss-tunnel - shadowsocks tools for local port forwarding
- ss-nat - helper script to setup NAT rules for transparent proxy
- ss-manager - controller for multi-user management and traffic statistics
Notes
# Downloading the source with git instead of the release tarball
git clone https://github.com/shadowsocks/shadowsocks-libev.git
cd shadowsocks-libev
git submodule update --init
./autogen.sh   # a git checkout has no configure script yet; the release tarball does
# submodule:
#   when working on one project you need to use another project from within it
Configure
JSON format configs
# create an unprivileged user to run shadowsocks
useradd -s /bin/false ss && passwd -l ss
mkdir -p /opt/shadowsocks/etc/ss
/opt/shadowsocks/etc/ss/config.json
{
    "user": "ss",
    "local_address": "192.168.123.10",
    "server_port": 8443,
    "password": "????",
    "timeout": 600,
    "method": "aes-256-gcm"
}
* Because this file contains the password, its permissions must be 600!
Optional setting: "local_address" (this is the ss-local listen address; ss-server binds to the "server" key instead, so on the server side this key has no effect)
chown ss:ss /opt/shadowsocks/etc/ss/config.json
chmod 600 /opt/shadowsocks/etc/ss/config.json
Encryption:
recommended: aes-256-gcm (an AEAD cipher)
The other stream ciphers are still implemented but provide no integrity or authenticity, so an on-path attacker can modify the ciphertext undetected. Use an AEAD method only.
(class names below are from the Python implementation)
aes-256-ctr => StreamOpenSSLEncryptor
aes-256-gcm => AEADOpenSSLEncryptor
Start Server
# run in the foreground
ss_bin=/opt/shadowsocks/bin/ss-server
ss_config=/opt/shadowsocks/etc/ss/config.json
$ss_bin -c $ss_config
URI:
ss://method:password@hostname:port   # the plain form; clients expect one of the encoded forms below
OR
ss://BASE64-ENCODED-STRING-WITHOUT-PADDING   # legacy: base64 of the whole "method:password@hostname:port"
OR
ss://BASE64(method:password)@hostname:port   # SIP002: only the userinfo is (URL-safe) base64-encoded
Both forms embed the password, so share them the way you would share config.json.
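As an added example (written for this page, not taken from the shadowsocks project), the two encoded forms built and parsed with POSIX sh and coreutils base64. The method, password, host and port used in the comments are constructed placeholders; IPv6 hosts in brackets are not handled.

```shell
#!/bin/sh
# Build and parse ss:// URIs. Added example, not shadowsocks project code.

# base64 without line wrap and without '=' padding, as both ss:// forms require
b64_nopad() { printf '%s' "$1" | base64 | tr -d '\n='; }

# re-add '=' padding so that `base64 -d` accepts the string again
b64_pad() {
  s=$1
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
  printf '%s' "$s"
}

# Legacy form: base64("method:password@host:port"), standard alphabet
ss_uri_legacy() {  # method password host port
  printf 'ss://%s' "$(b64_nopad "$1:$2@$3:$4")"
}

# SIP002 form: only "method:password" is encoded, with the URL-safe alphabet
# (+ and / become - and _), host and port stay in clear
ss_uri_sip002() {  # method password host port
  printf 'ss://%s@%s:%s' "$(b64_nopad "$1:$2" | tr '+/' '-_')" "$3" "$4"
}

# Decode either form and print "method password host port"
ss_uri_decode() {
  body=${1#ss://}
  case $body in
    *@*)  # SIP002: base64url userinfo before the first '@'
      userinfo=$(b64_pad "$(printf '%s' "${body%%@*}" | tr -- '-_' '+/')" | base64 -d)
      hostport=${body#*@}
      ;;
    *)    # legacy: the whole body is base64; split at the LAST '@' so a
          # password containing '@' survives
      plain=$(b64_pad "$body" | base64 -d)
      userinfo=${plain%@*}
      hostport=${plain##*@}
      ;;
  esac
  # method is everything before the first ':'; the password may itself contain ':'
  printf '%s %s %s %s\n' "${userinfo%%:*}" "${userinfo#*:}" "${hostport%:*}" "${hostport##*:}"
}

# e.g. ss_uri_sip002 aes-256-gcm secret example.com 8443
#      -> ss://YWVzLTI1Ni1nY206c2VjcmV0@example.com:8443
```

`ss_uri_decode` accepts both forms, so it can be used to check what a shared link actually contains (method and password) before importing it into a client.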
System Tuning
# Increase the maximum number of open file descriptors (TCP connections)
vi /etc/security/limits.conf
ss soft nofile 51200
ss hard nofile 51200
# limits.conf is applied by pam_limits to login sessions only; for a systemd service set LimitNOFILE= in the unit, or pass -n 51200 to ss-server
# Choose the TCP congestion algorithm for high-latency, high-throughput links.
/etc/sysctl.conf
net.ipv4.tcp_congestion_control = hybla
# hybla must be loaded as a module (modprobe tcp_hybla); check: sysctl net.ipv4.tcp_available_congestion_control
# Reuse ports and connections as soon as possible
net.ipv4.tcp_fin_timeout = 15
# Allow reuse of TIME-WAIT sockets for new connections when it is safe from the protocol viewpoint.
# Default value is 0.
# It should not be changed without advice/request of technical experts.
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12; keep it at 0 (on newer kernels the key no longer exists, so drop the line)
net.ipv4.tcp_tw_recycle = 0
Firewall Settings
# Open the ss port (firewalld); if UDP relay (-u) is enabled, open 8443/udp as well
firewall-cmd --add-port=8443/tcp --permanent
firewall-cmd --reload
# Firewall rule to limit concurrent connections per source address (connlimit counts per /32 by default):
iptables -A INPUT -p tcp --syn --dport ${SHADOWSOCKS_PORT} \
    -m connlimit --connlimit-above 32 \
    -j REJECT --reject-with tcp-reset
Startup
Startup By
- script
- systemd
Script: start_ss.sh
#!/bin/bash
_ss_bin=/opt/shadowsocks/bin/ss-server
_config=/opt/shadowsocks/etc/ss/config.json
_pid=/var/run/ss-server.pid
_obfs=/opt/simple-obfs/bin/obfs-server

# stop a previous instance if its pid file exists
if [ -e $_pid ]; then
    PID=$(cat $_pid)
    kill $PID
    rm $_pid
fi
touch $_pid; chown ss $_pid

# start daemon (-f detaches and writes the pid file)
$_ss_bin --plugin $_obfs --plugin-opts "obfs=http" -c $_config -f $_pid
echo "PID: $(cat $_pid)"
Opts:
- -a <user_name> # Run as a specific user
- -f <pid_file> # Start shadowsocks as a daemon with specific pid file
- -u # Enable UDP relay
- -n <number> # Specify max number of open files
Performance settings
- --fast-open # Enable TCP fast open
- --no-delay # Enable TCP_NODELAY
- --reuse-port # Enable port reuse
Manager settings
# Specify UNIX domain socket address for the communication between ss-manager
--manager-address <path_to_unix_domain>
Checking:
ps aux | grep -e ss-server -e obfs-server
systemd
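The page lists systemd as a startup method but gives no unit; the following is an added example (not from the shadowsocks project) that prints a hardened unit for the /opt/shadowsocks install above. The unit name ss-server.service, the sandboxing directives and the reuse of the 51200 file-descriptor limit from System Tuning are assumptions. Note that the privilege drop is done by systemd here, so the "user" key must be removed from config.json: ss-server otherwise tries to setgid/setuid itself, which fails for a process that is already unprivileged.

```shell
#!/bin/sh
# Added example: systemd unit for ss-server. Not shadowsocks project code.

ss_server_unit() {
cat <<'EOF'
[Unit]
Description=shadowsocks-libev server
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# systemd drops privileges; remove "user" from config.json (see lead-in)
User=ss
Group=ss
# no -f: systemd supervises the foreground process and collects its log
ExecStart=/opt/shadowsocks/bin/ss-server -c /opt/shadowsocks/etc/ss/config.json
Restart=on-failure
RestartSec=5
# /etc/security/limits.conf does not apply to services; set the fd limit here
LimitNOFILE=51200
# sandboxing: ss-server only needs to read its config and open sockets
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# server_port 8443 is unprivileged, so no capabilities are kept;
# for a port below 1024 add: AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=

[Install]
WantedBy=multi-user.target
EOF
}

# run as root: install the unit, load it and show its status
install_ss_unit() {
  ss_server_unit > /etc/systemd/system/ss-server.service
  systemctl daemon-reload
  systemctl enable --now ss-server.service
  systemctl --no-pager status ss-server.service
}
```

After `install_ss_unit`, `journalctl -u ss-server` replaces the `-v` foreground log shown below; when a plugin is used (`--plugin`), add it to ExecStart and keep the plugin binary under a path ProtectSystem=strict leaves readable (/opt is fine).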
Log
-v # Enable verbose mode
e.g.
# Start connection
... : accept a connection
... : [1101] connect to datahunter.org:22
... : found address name v4 address datahunter.org
... : failed to lookup v6 address DNS server returned answer with no data
... : successfully resolved datahunter.org
... : remote connected
# End connection
... : server_recv close the connection
... : current remote connection: 0
... : current server connection: 0
Client
Windows
https://github.com/shadowsocks/shadowsocks-windows/releases
Requires .NET Framework 4.6.2 and the Visual C++ 2015 Redistributable
Settings
Right-click the Shadowsocks icon in the notification tray
System Proxy
- Disable (grey)
- PAC (white)
- Global (blue)
You can also configure your browser proxy manually if you don't want to enable the system proxy.
Set a SOCKS5 or HTTP proxy to 127.0.0.1:1080
PAC
You can change PAC rules by editing the pac.txt file.
When you save the PAC file with any editor,
Shadowsocks will notify browsers about the change automatically
* Update PAC file from GFWList # this only works after ss has connected successfully.
Start on Boot
Server Auto Switching
- Load balance: choosing server randomly
- High availability: choosing the best server (low latency and packet loss)
Help -> Updates
obfs-server
simple-obfs (deprecated); v2ray-plugin is recommended instead.
Diagram
+------------+                    +---------------------------+
| SS Client  +-- Local Loopback --+ Plugin Client (Tunnel)    +--+
+------------+                    +---------------------------+  |
                                                                 |
            Public Internet (Obfuscated/Transformed traffic) ==> |
                                                                 |
+------------+                    +---------------------------+  |
| SS Server  +-- Local Loopback --+ Plugin Server (Tunnel)    +--+
+------------+                    +---------------------------+
Homepage
https://github.com/shadowsocks/simple-obfs
Install
Preparation
# Debian / Ubuntu
apt-get install --no-install-recommends build-essential autoconf libtool libssl-dev libpcre3-dev libev-dev asciidoc xmlto automake
# CentOS / Fedora / RHEL
yum install gcc autoconf libtool automake make zlib-devel openssl-devel asciidoc xmlto
# Get Source
git clone https://github.com/shadowsocks/simple-obfs.git
cd simple-obfs
git submodule update --init --recursive
./autogen.sh
./configure --prefix=/opt/simple-obfs
make
make install
You get
- obfs-local
- obfs-server
Plugin mode with shadowsocks
On the client:
ss-local -c config.json --plugin obfs-local --plugin-opts "obfs=http;obfs-host=www.microsoft.com"
On the server:
ss-server -c config.json --plugin /opt/simple-obfs/bin/obfs-server --plugin-opts "obfs=http"
Note: obfs=http only wraps the stream in a fake HTTP WebSocket upgrade. It adds no encryption of its own (confidentiality still comes from the shadowsocks cipher), and the obfs-host value travels in cleartext, so it is visible to anyone on the path.
Windows
https://github.com/shadowsocks/simple-obfs/releases
Download obfs-local.zip and put its contents in the same directory as Shadowsocks.exe
log
2018-01-16 09:58:22 [simple-obfs] INFO: obfuscating enabled
2018-01-16 09:58:22 [simple-obfs] INFO: tcp port reuse enabled
2018-01-16 09:58:22 [simple-obfs] INFO: listening at 0.0.0.0:7777
2018-01-16 09:58:22 [simple-obfs] INFO: running from root user
package.cap (packet capture of one obfs=http client request)
0x0000: 4500 0159 daad 4000 3706 322c 0e00 ec12 E..Y..@.7.2,....
0x0010: c0a8 7b0a 845a 1e61 3e74 1a3b df07 ed41 ..{..Z.a>t.;...A
0x0020: 8018 0157 a371 0000 0101 080a 0007 c099 ...W.q..........
0x0030: 10b1 dc50 4745 5420 2f20 4854 5450 2f31 ...PGET./.HTTP/1
0x0040: 2e31 0d0a 486f 7374 3a20 7777 772e 6d69 .1..Host:.www.mi
0x0050: 6372 6f73 6f66 742e 636f 6d3a 3737 3737 crosoft.com:7777
0x0060: 0d0a 5573 6572 2d41 6765 6e74 3a20 6375 ..User-Agent:.cu
0x0070: 726c 2f37 2e32 302e 310d 0a55 7067 7261 rl/7.20.1..Upgra
0x0080: 6465 3a20 7765 6273 6f63 6b65 740d 0a43 de:.websocket..C
0x0090: 6f6e 6e65 6374 696f 6e3a 2055 7067 7261 onnection:.Upgra
0x00a0: 6465 0d0a 5365 632d 5765 6253 6f63 6b65 de..Sec-WebSocke
0x00b0: 742d 4b65 793a 204f 7731 376e 6f64 6a31 t-Key:.Ow17nodj1
0x00c0: 4b4c 756d 6963 6f65 6430 6f43 413d 3d0d KLumicoed0oCA==.
0x00d0: 0a0d 0a26 1cb2 0b15 9d54 4738 b369 e252 ...&.....TG8.i.R
0x00e0: 6a1f 34e0 fff8 c269 fb54 615e eac8 aed5 j.4....i.Ta^....
0x00f0: 2904 7db1 4ca1 0569 1777 6755 06dd fe95 ).}.L..i.wgU....
0x0100: facb fa78 17e8 1a25 e0e1 e1cd 669d ed1c ...x...%....f...
0x0110: bbcf 2fc3 2198 6763 cc3f 2e39 f181 c9b8 ../.!.gc.?.9....
0x0120: 7c73 13f5 b5b7 53ce 4590 92e1 4881 05e5 |s....S.E...H...
0x0130: ff7c 2379 2092 97ab 9742 99fe 2484 9959 .|#y.....B..$..Y
0x0140: de70 114d 3764 6d2e f037 aa65 de94 9002 .p.M7dm..7.e....
0x0150: 9e04 f9a6 e28a 7f33 fa .......3.
The disguise is just the plaintext header (GET / HTTP/1.1, Host: www.microsoft.com:7777, Upgrade: websocket); the shadowsocks ciphertext starts right after the CRLF CRLF at 0x00d0.
v2ray-plugin
v2ray-plugin download (Linux / Windows)
https://github.com/shadowsocks/v2ray-plugin/releases
Plugin on Server
cd /usr/src/shadowsocks
VER=v1.3.2
wget https://github.com/shadowsocks/v2ray-plugin/releases/download/$VER/v2ray-plugin-linux-amd64-${VER}.tar.gz
tar -zxvf v2ray-plugin-linux-amd64-${VER}.tar.gz
chown root: v2ray-plugin_linux_amd64
file v2ray-plugin_linux_amd64
v2ray-plugin_linux_amd64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
mv v2ray-plugin_linux_amd64 /opt/shadowsocks/bin/v2ray-plugin
/opt/shadowsocks/bin/v2ray-plugin -version
v2ray-plugin v1.3.2
Go version go1.16.15
Yet another SIP003 plugin for shadowsocks
[Setup 1] Shadowsocks over websocket (HTTP)
On your server
# -server # Run in server mode
# -path # URL path for websocket.
ss-server -c config.json -p 8080 --plugin v2ray-plugin --plugin-opts "server;path=/sspath"
On your client
ss-local -c config.json -p 8080 --plugin v2ray-plugin --plugin-opts "path=/sspath"
Checking
# Server Side
ps aux | grep ^ss
ss 22423 0.0 0.6  27236 3312 ? Ss 17:58 0:00 /opt/shadowsocks/bin/ss-server ...
ss 22424 0.0 1.5 713668 7952 ? Sl 17:58 0:00 /opt/shadowsocks/bin/v2ray-plugin
# Client Side
Opening http://server:8080/sspath in a browser returns "400 Bad Request",
with the response header "Sec-Websocket-Version: 13" (a plain GET without the WebSocket upgrade headers is rejected, which shows the plugin is listening on that path).
Notes
v2ray-plugin's CPU usage is noticeably higher than ss-server's.
[Setup 2] Over nginx
Diagram: ss-local -> (443)Nginx -> (8080)ss_server
ss-server config
ss.json # building on a working Setup 1, the plugin is now configured from JSON
{
"server_port": 8080,
"password": "????",
"timeout": 600,
"method": "aes-128-gcm",
"plugin": "/opt/shadowsocks/bin/v2ray-plugin",
"plugin_opts":"server;path=/sspath;loglevel=none"
}
Notes
-loglevel string # loglevel for v2ray: debug, info, warning (default), error, none
* "path=" must match the "location" in the nginx config
Client Settings
# -tls Enable TLS.
# -host string Hostname for server. (default "cloudfront.com")
ss-local -c config.json -p 443 --plugin v2ray-plugin --plugin-opts "tls;host=mydomain.me;path=/sspath"
* "tls" is set on the client only: nginx terminates TLS on 443 and forwards plain WebSocket to the plugin, so the server-side plugin_opts above must not contain "tls". "host" is used as SNI and Host header, so it must be the name on nginx's certificate.
Other Opts
- -mux int Concurrent multiplexed connections (websocket client mode only). (default 1)
- -mode string # Transport mode: websocket(default), quic (enforced tls)
P.S.
Shadowsocks over HTTPS directly
On your server
... --plugin v2ray-plugin --plugin-opts "server;tls;host=mydomain.me"
On your client
... --plugin v2ray-plugin --plugin-opts "tls;host=mydomain.me"
P.S. When the plugin terminates TLS itself, point it at the certificate:
- -cert path
- -key path
ss-manager
ss-server with multiple users (one port per user) and traffic statistics
shadowsocks-manager -> ss-manager -> ss-server
It provides several APIs over UDP (or, as below, a Unix domain socket)
Usage
start_ss.sh
#!/bin/bash
_user=ssuser
_home=/home/ssuser
_ssmanager=/opt/shadowsocks/bin/ss-manager
_ssserver=/opt/shadowsocks/bin/ss-server
_config=$_home/config.json
_pid=$_home/ss-manager.pid
_sock=$_home/manager.sock

# stop a previous instance and clean up its pid file and socket
if [ -e $_pid ]; then
    PID=$(cat $_pid)
    kill $PID
    rm -f $_pid $_sock
fi
# start daemon
sudo -u $_user $_ssmanager -v -c $_config -f $_pid \
    --manager-address $_sock \
    --executable $_ssserver
* Anyone who can write to $_sock can add ports and passwords, so keep it in a directory only $_user can enter (e.g. chmod 700 $_home).
Connecting to the manager socket (these are nc options)
- -U, --unixsock Use Unix domain sockets only
- -u, --udp Use UDP instead of default TCP
config.json
{
"server":"0.0.0.0",
"port_password":{
"1101":"xxx",
"1102":"xxx"
},
"timeout":900,
"method":"aes-192-gcm",
"acl":"/home/ssuser/server_block_local.acl",
"verbose":1
}
Connect manager
nc -Uu /tmp/manager.sock   # the path must match --manager-address ($_home/manager.sock in start_ss.sh above)
ss-manager protocol
Each command is a keyword followed by [JSON data]:
- add: {"server_port": 8001, "password":"????"}
- remove: {"server_port": 8001}
- ping
add and remove are answered with "ok"; ping returns the per-port traffic counters:
stat: {"1101":0,"1102":0,"1103":0}
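As an added example (not part of shadowsocks-libev), a small shell client for the protocol above: it builds the add/remove/ping commands, sends them over the Unix datagram socket with nc, and parses a "stat:" reply into one line per port so a quota can be checked. The socket path, the `-w 2` idle timeout (netcat-openbsd) and the sample reply are assumptions made for the example.

```shell
#!/bin/sh
# ss-manager client. Added example, not shadowsocks project code.
SS_MANAGER_SOCK=${SS_MANAGER_SOCK:-/home/ssuser/manager.sock}   # assumed path

# Build a manager command: add <port> <password> | remove <port> | ping
ss_mgr_cmd() {
  case $1 in
    add)    printf 'add: {"server_port": %d, "password": "%s"}' "$2" "$3" ;;
    remove) printf 'remove: {"server_port": %d}' "$2" ;;
    ping)   printf 'ping' ;;
    *)      echo "usage: ss_mgr_cmd add <port> <password> | remove <port> | ping" >&2
            return 1 ;;
  esac
}

# Send one command and print the reply. nc -Uu binds a temporary client
# socket so the manager can answer; -w 2 ends nc after two idle seconds.
ss_mgr_send() {
  ss_mgr_cmd "$@" | nc -Uu -w 2 "$SS_MANAGER_SOCK"
}

# Parse 'stat: {"1101":0,"1102":4096}' into lines "1101 0" and "1102 4096"
ss_mgr_parse_stat() {
  body=${1#stat: }
  body=${body#\{}
  body=${body%\}}
  [ -n "$body" ] || return 0
  printf '%s\n' "$body" | tr -d ' ' | tr ',' '\n' | while IFS=: read -r port bytes; do
    port=${port#\"}; port=${port%\"}
    printf '%s %s\n' "$port" "$bytes"
  done
}

# Print the ports whose counter exceeds <limit_bytes>, e.g. to feed "remove"
ss_mgr_over_quota() {   # ss_mgr_over_quota "<stat reply>" <limit_bytes>
  ss_mgr_parse_stat "$1" | while read -r port bytes; do
    if [ "$bytes" -gt "$2" ]; then printf '%s\n' "$port"; fi
  done
}

# Typical use against a running manager (needs the socket):
#   ss_mgr_send add 8001 'some-password'
#   ss_mgr_over_quota "$(ss_mgr_send ping)" 1073741824
```

The counters in the stat reply are cumulative since the port was added, so a quota script has to remember the previous value itself if it wants per-period accounting.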
ACL
--acl <acl_config>
config
{ ... "acl":"/home/ssuser/server_block_local.acl", "verbose":1 }
outbound block list (stops clients from using the server to reach its loopback and LAN addresses)
server_block_local.acl
[outbound_block_list]
127.0.0.0/8
::1/128
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
fc00::/7
* The [outbound_block_list] header is required; without a section header the entries are read as the default bypass list. On a cloud host also consider 169.254.0.0/16 (link-local, including the metadata service) and fe80::/10.
nginx config
sites-enabled/www.conf
server {
    listen 443 ssl http2;
    ...
    location /sspath {
        proxy_redirect off;
        proxy_pass http://shadowsocks:10443;
        proxy_set_header Host $http_host;
        include snippets/proxy_settings;
        include snippets/ws.conf;
    }
}
snippets/proxy_settings
proxy_buffering off;
proxy_connect_timeout 3600s;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
send_timeout 3600s;
client_max_body_size 0;
snippets/ws.conf
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
Notes
- the location (/sspath) must equal path= in plugin_opts
- proxy_pass must point at the address v2ray-plugin listens on (8080 in the diagram above, so adjust shadowsocks:10443 to your setup)
- nginx terminates TLS, so the server-side plugin runs without "tls"; ws.conf is what turns the HTTP/1.1 request into a WebSocket upgrade
Troubleshoot
[1]
2018-01-15 13:27:02 ERROR: failed to handshake with 192.168.123.200: authentication error
Check that the server and client use the same encryption method (and the same password):
"method":"aes-256-gcm"
Android apk
Link
https://github.com/shadowsocks/v2ray-plugin-android/releases
- v2ray-arm64-v8a-1.3.3.apk
- v2ray-armeabi-v7a-1.3.3.apk
Other