How to Install Shadowsocks-Libev Proxy Server on Debian 9 Stretch VPS
This tutorial shows you how to install the Shadowsocks proxy server on a Debian 9 VPS (Virtual Private Server). Shadowsocks is a lightweight, super fast and secure Socks5 proxy that can be used to bypass Internet censorship. You will also learn how to set up the Shadowsocks-libev client on a Debian 9 desktop.
There are many implementations of Shadowsocks. This tutorial shows you how to use Shadowsocks-libev, because
- It’s written in C, very fast even on low-end machines.
- It’s well-maintained.
- It’s the most feature-rich implementation. TCP fast open, multiuser, management API, redirect mode, tunnel mode, UDP relay, AEAD ciphers and plugins are all supported.
Prerequisites
To complete this tutorial, you will need:
- A VPS (Virtual Private Server). I recommend Vultr. They offer 512M memory high performance KVM VPS for just $2.5 per month, which is perfect for your private proxy server.
- Then install Debian 9 on your VPS.
How to Install Shadowsocks-libev Server on Debian 9 VPS
Once you have installed Debian 9 on your VPS, log into your server via SSH. Shadowsocks-libev is included in the default Debian 9 repository, but it’s outdated. As a matter of fact, the outdated version doesn’t work on my server anymore. I recommend installing it from the Debian 9 stretch-backports repository, which contains the latest version of Shadowsocks-libev, so that you get security updates and bug fixes.
To enable the stretch-backports repository, you need to edit the sources.list file.
sudo nano /etc/apt/sources.list
Add the following line at the bottom of this file.
deb http://ftp.debian.org/debian stretch-backports main
Save and close the file. Then update local package index.
sudo apt update
After that, install Shadowsocks-libev from stretch-backports repository.
sudo apt -t stretch-backports install shadowsocks-libev
To check the version number, run
ss-server -v
Sample output:
shadowsocks-libev 3.1.3
The sodium crypto library (libsodium) will be installed along with shadowsocks-libev. It’s a requirement if you want to use the secure and fast ChaCha20-Poly1305 encryption method. Once it’s installed, Shadowsocks-libev will automatically start with the default configuration file. You can check its status with:
systemctl status shadowsocks-libev
Output:
● shadowsocks-libev.service - Shadowsocks-libev Default Server Service
   Loaded: loaded (/lib/systemd/system/shadowsocks-libev.service; enabled; vendor preset: enabled
   Active: active (running) since Wed 2018-04-25 06:18:55 UTC; 3min 47s ago
     Docs: man:shadowsocks-libev(8)
 Main PID: 28728 (ss-server)
   CGroup: /system.slice/shadowsocks-libev.service
           └─28728 /usr/bin/ss-server -c /etc/shadowsocks-libev/config.json -u
As you can see, it is running and auto-start at boot time is enabled. If it’s not running, you can start it with:
sudo systemctl start shadowsocks-libev
To enable auto-start at boot time, run:
sudo systemctl enable shadowsocks-libev
Now we need to edit the default configuration file.
sudo nano /etc/shadowsocks-libev/config.json
Default contents of the file are as follows.
{
    "server":"127.0.0.1",
    "server_port":8388,
    "local_port":1080,
    "password":"focobguph",
    "timeout":60,
    "method":null
}
Replace 127.0.0.1 with your Debian server’s public IP address. You can change server_port to another port number, but don’t use port 8388. Then set your preferred password, which is used to encrypt traffic. It is recommended that you replace null with chacha20-ietf-poly1305 as the encryption method. Here’s an example of my configuration.
Save and close the file. Then restart Shadowsocks-libev for the changes to take effect.
sudo systemctl restart shadowsocks-libev
Install and Configure Shadowsocks-libev Client on Debian 9 Desktop
The shadowsocks-libev package contains both the server software and client software. So just use the method mentioned above to install Shadowsocks-libev on Debian 9 desktop.
Note: On Debian 9, Shadowsocks-libev (the server) will automatically start after being installed. You need to stop Shadowsocks server on Debian 9 desktop.
sudo systemctl stop shadowsocks-libev
Also disable auto-start at boot time.
sudo systemctl disable shadowsocks-libev
The Shadowsocks client binary is named ss-local. There’s a template systemd service unit for it: /lib/systemd/system/shadowsocks-libev-local@.service. Before starting the client, we need to create the client side configuration file.
sudo nano /etc/shadowsocks-libev/location-of-your-server.json
You can replace location-of-your-server with something like SFO, LAX. Copy the Shadowsocks-libev server config to the client config file, then add the following line to tell the client to listen on 127.0.0.1.
"local_address":"127.0.0.1",
So the client config file will look like this:
{
    "server":"your-server-ip-address",
    "server_port":8388,
    "local_address":"127.0.0.1",
    "local_port":1080,
    "password":"focobguph",
    "timeout":60,
    "method":"chacha20-ietf-poly1305"
}
Save and close the file. Then we can start the client with:
sudo systemctl start shadowsocks-libev-local@location-of-your-server.service
And enable auto-start at boot time.
sudo systemctl enable shadowsocks-libev-local@location-of-your-server.service
Check its status. Make sure it’s running.
systemctl status shadowsocks-libev-local@location-of-your-server.service
Now the ss-local process listens on 127.0.0.1:1080 on your Debian 9 desktop and it’s connected to your Shadowsocks server.
Configure Web Browser to Use the Socks Proxy
To use a socks proxy, a program must support socks proxies. Programs like Firefox Quantum, Google Chrome and Dropbox allow users to use a proxy. I will show you how to configure Firefox and Google Chrome.
Firefox
In Firefox, go to Edit > Preferences > General. Then scroll down to the bottom and click Settings in Network Proxy. In the Connection Settings window, select manual proxy configuration. Then select SOCKS v5 because Shadowsocks is a Socks5 proxy. Enter 127.0.0.1 in the SOCKS Host field and 1080 in the port field. Make sure Proxy DNS when using SOCKS v5 is enabled. Click OK to apply these modifications.
Google Chrome
The Linux versions of Google Chrome and Chromium don’t have a GUI to configure a proxy, but you can use command line options like below.
google-chrome --proxy-server="socks5://127.0.0.1:1080"
or
chromium-browser --proxy-server="socks5://127.0.0.1:1080"
You can also install and use the SwitchOmega extension to configure the proxy so you don’t have to type the command in the terminal window.
DNS Leak Test
Go to dnsleaktest.com. You will see your Shadowsocks server’s IP address, which indicates that your proxy is working.
Click Standard test. Make sure your local ISP isn’t in the test results.
Enable TCP BBR
TCP BBR is a TCP congestion control algorithm that can drastically improve connection speed. Follow the tutorial below to enable TCP BBR on Debian 9 server. You don’t have to enable it on Debian 9 desktop. The tutorial linked below is for Ubuntu, but also applies to Debian.
Enable TCP Fast Open
You can speed up Shadowsocks a little bit more by enabling TCP fast open. TCP is a connection-oriented protocol: traditionally, data can only be exchanged after a connection is established, which is done via the three-way handshake. TCP fast open (TFO) is a mechanism that allows data to be exchanged before the three-way handshake is complete, saving up to 1 round-trip time (RTT).
TCP fast open support was merged into the Linux kernel in version 3.7 and has been enabled by default since version 3.13. You can check your kernel version by running:
uname -r
To check TCP fast open configuration on your Debian server, run
cat /proc/sys/net/ipv4/tcp_fastopen
It can return 4 values.
- 0 means disabled.
- 1 means it’s enabled for outgoing connection (as a client).
- 2 means it’s enabled for incoming connection (as a server).
- 3 means it’s enabled for both outgoing and incoming connection.
All my Debian servers returned 1 after running the above command. We want tcp_fastopen set to 3 on our server. To achieve that, we can edit the sysctl configuration file.
sudo nano /etc/sysctl.conf
Then paste the following line at the end of the file.
net.ipv4.tcp_fastopen=3
Reload sysctl settings for the change to take effect.
sudo sysctl -p
Then you will also need to enable TCP fast open in Shadowsocks configuration file.
sudo nano /etc/shadowsocks-libev/config.json
Add the following line.
"fast_open": true
So your Shadowsocks server configuration file will look like this:
{
    "server":"your-server-ip-address",
    "server_port":8388,
    "local_port":1080,
    "password":"focobguph",
    "timeout":60,
    "method":"chacha20-ietf-poly1305",
    "fast_open": true
}
Note that the last config line has no comma. Save and close the file. Then restart Shadowsocks server.
sudo systemctl restart shadowsocks-libev
Check if it’s running. (An error in configuration file can prevent it from restarting.)
systemctl status shadowsocks-libev
You also need to edit the Shadowsocks client configuration file and restart it to enable TCP fast open on Debian 9 desktop.
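A pre-restart check for the configuration files edited in this tutorial, written in Python as an added example; it is not part of the original tutorial or of the Shadowsocks-libev project. The function name check_config, its role and tcp_fastopen parameters, and the sample address 203.0.113.10 are assumptions made for illustration.

```python
import json

# AEAD methods implemented by shadowsocks-libev 3.x
AEAD_METHODS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
                "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305"}
TUTORIAL_PASSWORD = "focobguph"  # sample value printed in this tutorial


def check_config(text, role="server", tcp_fastopen=None):
    """Return a list of problems in a Shadowsocks-libev JSON config.

    role: "server" (ss-server) or "client" (ss-local).
    tcp_fastopen: integer from /proc/sys/net/ipv4/tcp_fastopen, or None to skip.
    """
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # For example a comma after the last entry: the service will not restart.
        return ["invalid JSON at line %d column %d" % (exc.lineno, exc.colno)]
    if not isinstance(cfg, dict):
        return ["invalid JSON: top level must be an object"]

    problems = []
    if cfg.get("method") not in AEAD_METHODS:
        problems.append("method %r is not an AEAD cipher" % (cfg.get("method"),))
    if cfg.get("password") == TUTORIAL_PASSWORD:
        problems.append("password is the sample value from the tutorial")
    if role == "server" and cfg.get("server") == "127.0.0.1":
        problems.append("server is 127.0.0.1, so only local clients can connect")
    if role == "client" and cfg.get("local_address") != "127.0.0.1":
        problems.append("local_address is not 127.0.0.1")
    if cfg.get("fast_open") and tcp_fastopen is not None:
        # Kernel bitmask: 1 = outgoing (client), 2 = incoming (server).
        needed = 2 if role == "server" else 1
        if not tcp_fastopen & needed:
            problems.append("fast_open is true but net.ipv4.tcp_fastopen=%d "
                            "lacks bit %d" % (tcp_fastopen, needed))
    return problems


# Constructed sample: tutorial password, trailing comma after the last entry.
SAMPLE = """{
    "server":"203.0.113.10",
    "server_port":8388,
    "password":"focobguph",
    "method":"chacha20-ietf-poly1305",
    "fast_open": true,
}"""

if __name__ == "__main__":
    for problem in check_config(SAMPLE, role="server", tcp_fastopen=1):
        print(problem)
```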
For more usage on Shadowsocks, check the manual.
man shadowsocks-libev
That’s it! I hope this tutorial helped you install Shadowsocks-libev proxy on Debian 9 server and desktop.
Excuse me, why is there a Main PID: 3174 (code=exited, status=218/CAPABILITIES) error? How to solve this problem! My VPS is Debian 9
Thanks!
The status says “invalid argument”. I suggest checking the /etc/default/shadowsocks-libev and /etc/shadowsocks-libev/config.json files to see if there’s any syntax error.
Hello, I found that the SS service works fine when I execute the following command, but when I quit, I get an error from shadowsocks-libev.service: Failed at step CAPABILITIES spawning /usr/bin/ss-server: Invalid argument. How can I do it next? What is the cause of this problem?
root@hostname:~# /usr/bin/ss-server -c /etc/shadowsocks-libev/config.json -u
2019-02-15 15:18:22 INFO: UDP relay enabled
2019-02-15 15:18:22 INFO: initializing ciphers… chacha20-ietf-poly1305
2019-02-15 15:18:22 INFO: tcp server listening at 12*.**5.2**.1*:*0*0
2019-02-15 15:18:22 INFO: udp server listening at 12*.**5.2**.1*:*0*0
2019-02-15 15:18:22 INFO: running from root user
Thanks!
Perhaps you need to check if the Shadowsocks listening port has already been used by another process.
on vps
/etc/systemd/system/multi-user.target.wants/shadowsocks-libev.service
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE
Hi, my VPS is OpenVZ 2.6.32 Debian 9
Run prompt
-bash: /etc/systemd/system/multi-user.target.wants/shadowsocks-libev.service: Permission denied
but I am root, so what is wrong?
Thanks!
OpenVZ … ouch. Many things do not work on OpenVZ.