How to Set Up Shadowsocks-libev Proxy Server on Ubuntu 24.04

This tutorial is going to show you how to set up Shadowsocks proxy server on Ubuntu 24.04. Shadowsocks is a lightweight, fast, and secure Socks5 proxy to bypass Internet censorship. We will learn how to set up the server-side and how to configure the desktop client. There are many implementations of Shadowsocks, writtern in different programming languages. This tutorial shows you how to use Shadowsocks-libev, because:

• It’s written in C, very fast even on low-end machines.
• It’s well-maintained.
• It’s the most feature-rich implementation. TCP fast open, multiuser, management API, redirect mode, tunnel mode, UDP relay, AEAD ciphers, and plugins are all supported.

Requirements

To follow this tutorial, you will need a VPS (Virtual Private Server) that can access blocked websites freely (Outside of your country or Internet filtering system). I recommend Kamatera VPS, which features:

• 30 days free trial.
• Starts at $4/month (1GB RAM)
• High-performance KVM-based VPS
• 9 data centers around the world, including the United States, Canada, UK, Germany, The Netherlands, Hong Kong, and Isreal.

Follow the tutorial linked below to create your Linux VPS server at Kamatera.

• How to Create a Linux VPS Server on Kamatera

Once you have a VPS running Ubuntu 24.04, follow the instructions below.

Step 1: Install Shadowsocks-libev Server on Ubuntu 24.04 VPS

SSH into your remote Ubuntu server. Shadowsocks-libev is included in Ubuntu repository, so you can install it with:

sudo apt update

sudo apt install -y shadowsocks-libev

Once it’s installed, edit the configuration file with the nano command line text editor.

sudo nano /etc/shadowsocks-libev/config.json

The default contents of the file are as follows.

{
    "server":["::1", "127.0.0.1"],
    "mode":"tcp_and_udp",
    "server_port":8388,
    "local_port":1080,
    "password":"ACRrobo9ymXb",
    "timeout":86400,
    "method":"chacha20-ietf-poly1305"
}

We need to change 127.0.0.1 to 0.0.0.0, so Shadowsocks-libev server will listen on the public IP address. Then change server_port to other port numbers like 8888. The password was randomly generated, so you can leave it as it is.

Save and close the file. Then restart shadowsocks-libev service for the changes to take effect.

sudo systemctl restart shadowsocks-libev.service

Enable auto-start at boot time.

sudo systemctl enable shadowsocks-libev.service

Check its status. Make sure it’s running.

sudo systemctl status shadowsocks-libev.service

Sample output:

● shadowsocks-libev.service - Shadowsocks-libev Default Server Service
     Loaded: loaded (/usr/lib/systemd/system/shadowsocks-libev.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-05-16 07:31:11 UTC; 11s ago
       Docs: man:shadowsocks-libev(8)
   Main PID: 8215 (ss-server)
      Tasks: 1 (limit: 629145)
     Memory: 424.0K (peak: 1.0M)
        CPU: 10ms
     CGroup: /system.slice/shadowsocks-libev.service
             └─8215 /usr/bin/ss-server -c /etc/shadowsocks-libev/config.json

If you see the following error.

This system doesn't provide enough entropy to quickly generate high-quality random numbers. The service will not start until enough entropy has been collected.

You can fix this error by installing rng-tools.

sudo apt-get install rng-tools

Then run

sudo rngd -r /dev/urandom

Now you can start Shadowsocks-libev service.

Step 2: Configure Firewall on the VPS

If you are using iptables firewall on your server, then you need to allow traffic to the TCP and UDP port Shadowsocks is listening on. For example, if port 8888 is being used by Shadowsocks, then run the following command:

sudo iptables -I INPUT -p tcp --dport 8888 -j ACCEPT

sudo iptables -I INPUT -p udp --dport 8888 -j ACCEPT

If you are using UFW firewall, then run the following commands:

sudo ufw allow 8888

Step 3: Install and Configure Shadowsocks-libev Client

Ubuntu Desktop

The shadowsocks-libev package contains both the server software and client software. On Ubuntu desktop, run the following commands to install Shadowsocks-libev.

sudo apt update

sudo apt install shadowsocks-libev

Shadowsocks-libev (the server) will automatically start after being installed. You need to stop Shadowsocks server on Ubuntu desktop.

sudo systemctl disable --now shadowsocks-libev

The Shadowsocks client binary is named ss-local. There’s a template systemd service unit for it: /lib/systemd/system/[email protected]. Before starting the client, we need to create the client-side configuration file. We can copy the Shadowsocks-libev server config to the client config file.

sudo cp /etc/shadowsocks-libev/config.json /etc/shadowsocks-libev/client01.json

Then edit the client config file.

sudo nano /etc/shadowsocks-libev/client01.json

Change the server address to the public IP address of your server, and add the following line to tell the client to listen on 127.0.0.1.

"local_address":"127.0.0.1",

So the client config file will look like this:

{
 "server":"your-server-ip-address",
 "mode":"tcp_and_udp",
 "server_port":8888,
 "local_address":"127.0.0.1",
 "local_port":1080,
 "password":"ACRrobo9ymXb",
 "timeout":60,
 "method":"chacha20-ietf-poly1305"
}

Save and close the file. Then we can start the client with:

sudo systemctl start [email protected]

And enable auto-start at boot time.

sudo systemctl enable [email protected]

Check its status. Make sure it’s running.

systemctl status [email protected]

Now the ss-local process listens on 127.0.0.1:1080 on your Ubuntu desktop and it’s connected to your Shadowsocks server. Go to step 4 to configure your web browser to use Shadowsocks proxy.

Windows Desktop

Windows users can download this Shadowsocks client. Download the ZIP file and extract it. Then double-click the shadowsocks executable. If the Windows Defender program prevents Shadowsocks from running, click More Info and select Run it anyway.

Next, you need to add a new server in the client software.

• Specify the server IP address, server port (8888), and password.
• You can also change the Timeout value (It should be less than 20 seconds).
• Leave other settings as default.

Click Apply button

If you have several proxy servers, you can click the Add button to add more proxy servers. Note that you use only one proxy server at a time.

Step 4: Configure Web Browser to Use the Socks Proxy

To make your program use a socks proxy, the program must support socks proxy. Programs like Firefox, Google Chrome and Dropbox allows users to use proxy. I will show you how to configure Firefox and Google Chrome.

Firefox

1. In Firefox, go to Edit > Settings> General (or Tools -> Settings -> General).
2. Then scroll down to the bottom and click Settings button in Network Setting.
3. In the Connection Settings window, select manual proxy configuration.
4. Then select SOCKS v5 because Shadowsocks is a Socks5 proxy.
5. Enter 127.0.0.1 in the SOCKS Host field and 1080 in the port field.
6. You can enable Proxy DNS when using SOCKS v5 , or enable DNS over HTTPS. Both are fine.
7. Click OK to apply these modifications.

Google Chrome

While you can configure proxy for Google Chrome and Chromium browser from the command line, I recommend installing the Proxy SwitchyOmega extension to manage proxies.

Once the extension is installed in Google Chrome, configure a proxy server as follows:

• Choose the SOCKS5 protocol.
• Set 127.0.0.1 as the server address.
• Set 1080 as the port number.

Apply the changes. Then click the extensions icon on the upper-right corner and click Proxy SwithyOmega.

By default, SwithyOmega uses the operating system’s proxy settings. We need to change it from system proxy to proxy.

Now your proxy should be working.

Step 5: DNS Leak Test

Go to dnsleaktest.com. You will see your Shadowsocks server’s IP address, which indicates that your proxy is working.

Click the Standard test. Make sure your local ISP isn’t in the test results.

Proxy in Command Line

To let your command line programs use the proxy, you can install tsocks.

sudo apt install tsocks

Then edit the configuration file.

sudo nano /etc/tsocks.conf

Find the following line:

server = 192.168.0.1

Change it to

server = 127.0.0.1

Save and close the file. Now you can allow you command-line program to use Shadowsocks proxy like this:

sudo tsocks apt update

There’s also a similar program called proxychains.

Enable TCP Fast Open

You can speed up Shadowsocks by enabling TCP fast open. TCP is a connection-oriented protocol, which means data can only be exchanged after a connection is established, which is done via the three-way handshake. In other words, traditionally, data can only be exchanged after the three-way handshake is complete. TCP fast open (TFO) is a mechanism that allows data to be exchanged before three-way handshake is complete, saving up to 1 round-trip time (RTT).

TCP fast open support is merged to Linux kernel since version 3.7 and enabled by default since version 3.13. You can check your kernel version by running:

uname -r

To check TCP fast open configuration on your Ubuntu server, run

cat /proc/sys/net/ipv4/tcp_fastopen

It can return 4 values.

• 0 means disabled.
• 1 means it’s enabled for outgoing connection (as a client).
• 2 means it’s enabled for incoming connection (as a server).
• 3 means it’s enabled for both outgoing and incoming connection.

All my Ubuntu VPS (Virtual Private Server) returned 1 after running the above command. We want tcp_fastopen set to 3 on our server. To achieve that, we can edit the sysctl configuration file.

sudo nano /etc/sysctl.conf

Then paste the following line at the end of the file.

net.ipv4.tcp_fastopen=3

Reload sysctl settings for the change to take effect.

sudo sysctl -p

Then you will also need to enable TCP fast open in Shadowsocks configuration file.

sudo nano /etc/shadowsocks-libev/config.json

Add the following line.

"fast_open": true

So your Shadowsocks server configuration file will look like this:

{
 "server":"your-server-ip-address",
 "server_port":8388,
 "local_port":1080,
 "password":"focobguph",
 "timeout":60,
 "method":"chacha20-ietf-poly1305",
 "fast_open": true
}

Note that the last config line has no comma. Save and close the file. Then restart Shadowsocks server.

sudo systemctl restart shadowsocks-libev

Check if it’s running. (An error in the configuration file can prevent it from restarting.)

systemctl status shadowsocks-libev

You also need to edit the Shadowsocks client configuration file and restart it to enable TCP fast open on Ubuntu desktop.

Enable TCP BBR

TCP BBR is a TCP congestion control algorithm that can drastically improve connection speed. Check out the following tutorial.

• How to Easily Boost Ubuntu Network Performance by Enabling TCP BBR

For more usage on Shadowsocks, check the manual.

man shadowsocks-libev

Troubleshooting

Every now and then, my Shadowsocks-libev proxy stops working and the following error is displayed on the server side when I check the status with systemctl.

ERROR: server recv: Connection reset by peer

On the client-side, the error returned by systemctl is:

ERROR: remote_recv_cb_recv: Connection reset by peer

I don’t know why it happens, but restarting the shadowsocks-libev service on the server can fix this issue.

sudo systemctl restart shadowsocks-libev

I don’t want to manually restart the service every time, so I add a cron job to do it for me periodically.

sudo crontab -e

Put the following line at the end of the file.

0 */3 * * * /bin/systemctl restart shadowsocks-libev

This will restart the service every 3 hours. That is to say, restart happens at 12am, 3am, 6am, 9am and so forth. Note that the time is determined by cron. It is not determined by calculating how long the service has been running.

If you see the following error in Shadowsocks-libev log.

ERROR: unable to resolve www.youtube.com

This means the Shadowsocks-libev server can’t successfully resolve DNS. It’s helpful to specify a DNS server in the /etc/shadowsocks-libev/config.json file. Just add the following line in the file and restart the shadowsocks-libev service.

"name_server":"1.1.1.1",

If you have your own DNS resolver running on the Shadowsocks server, you can specify 127.0.0.1 as the name server.

"name_server":"127.0.0.1",

Remember that in the JSON file, the last line doesn’t end with a comma.

Wrapping Up

That’s it! I hope this tutorial helped you install Shadowsocks-libev proxy on Ubuntu. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks 🙂

Shadowsocks is a forward proxy. Want to know what’s a forward proxy? Please read the following article:

• Differences Between Forward Proxy and Reverse Proxy