How to Set Up Shadowsocks-libev Proxy Server on Ubuntu 22.04/20.04

This tutorial shows you how to set up a Shadowsocks proxy server on Ubuntu. Shadowsocks is a lightweight, fast, and secure Socks5 proxy to bypass Internet censorship. We will learn how to set up the server side and how to configure the desktop client on Ubuntu. There are many implementations of Shadowsocks; this tutorial uses Shadowsocks-libev because:

  • It’s written in C, very fast even on low-end machines.
  • It’s well-maintained.
  • It’s the most feature-rich implementation. TCP fast open, multiuser, management API, redirect mode, tunnel mode, UDP relay, AEAD ciphers, and plugins are all supported.

Prerequisites

To follow this tutorial, you will need a VPS (Virtual Private Server) that can access blocked websites freely (Outside of your country or Internet filtering system). I recommend Kamatera VPS, which features:

  • 30 days free trial.
  • Starts at $4/month (1GB RAM)
  • High-performance KVM-based VPS
  • 9 data centers around the world, including the United States, Canada, UK, Germany, The Netherlands, Hong Kong, and Israel.

Follow the tutorial linked below to create your Linux VPS server at Kamatera.

Once you have a VPS running Ubuntu, follow the instructions below.

Step 1: Install Shadowsocks-libev Server on Ubuntu 22.04/20.04

SSH into your remote Ubuntu server. Shadowsocks-libev is included in Ubuntu repository, so you can install it with:

sudo apt update

sudo apt install shadowsocks-libev

The sodium crypto library (libsodium) will be installed along with shadowsocks-libev. It’s a requirement if you want to use the secure and fast ChaCha20-Poly1305 encryption method. Once it’s installed, edit the configuration file.

sudo nano /etc/shadowsocks-libev/config.json

The default contents of the file are as follows.

{
    "server":["::1", "127.0.0.1"],
    "mode":"tcp_and_udp",
    "server_port":8388,
    "local_port":1080,
    "password":"ACRrobo9ymXb",
    "timeout":60,
    "method":"chacha20-ietf-poly1305"
}

We need to change 127.0.0.1 to 0.0.0.0 so that the Shadowsocks-libev server listens on the public IP address. Then change server_port to another port number, such as 8888. The password was randomly generated, so you can leave it as it is.

Save and close the file. Then restart shadowsocks-libev service for the changes to take effect.

sudo systemctl restart shadowsocks-libev.service

Enable auto-start at boot time.

sudo systemctl enable shadowsocks-libev.service

Check its status. Make sure it’s running.

systemctl status shadowsocks-libev.service

If you see the following error:

This system doesn't provide enough entropy to quickly generate high-quality random numbers. The service will not start until enough entropy has been collected.

You can fix this error by installing rng-tools.

sudo apt-get install rng-tools

Then run

sudo rngd -r /dev/urandom

Now you can start Shadowsocks-libev service.

Step 2: Configure Firewall

If you are using iptables firewall on your server, then you need to allow traffic to the TCP and UDP port Shadowsocks is listening on. For example, if port 8888 is being used by Shadowsocks, then run the following command:

sudo iptables -I INPUT -p tcp --dport 8888 -j ACCEPT

sudo iptables -I INPUT -p udp --dport 8888 -j ACCEPT

If you are using UFW firewall, then run the following command:

sudo ufw allow 8888

If you are using AWS or Google Cloud, then you need to configure the firewall in the web-based control panel.

Step 3: Install and Configure Shadowsocks-libev Client

Ubuntu Desktop

The shadowsocks-libev package contains both the server software and client software. On Ubuntu 22.04/20.04 desktop, run the following commands to install Shadowsocks-libev.

sudo apt update

sudo apt install shadowsocks-libev

Shadowsocks-libev (the server) will automatically start after being installed. You need to stop Shadowsocks server on Ubuntu desktop.

sudo systemctl stop shadowsocks-libev

Also, disable auto-start at boot time.

sudo systemctl disable shadowsocks-libev

The Shadowsocks client binary is named ss-local. There’s a template systemd service unit for it: /lib/systemd/system/shadowsocks-libev-local@.service. Before starting the client, we need to create the client-side configuration file. We can copy the Shadowsocks-libev server config to the client config file.

sudo cp /etc/shadowsocks-libev/config.json /etc/shadowsocks-libev/client01.json

Then edit the client config file.

sudo nano /etc/shadowsocks-libev/client01.json

Change the server address to the public IP address of your server, and add the following line to tell the client to listen on 127.0.0.1.

"local_address":"127.0.0.1",

So the client config file will look like this:

{
 "server":"your-server-ip-address",
 "mode":"tcp_and_udp",
 "server_port":8888,
 "local_address":"127.0.0.1",
 "local_port":1080,
 "password":"ACRrobo9ymXb",
 "timeout":60,
 "method":"chacha20-ietf-poly1305"
}

Save and close the file. Then we can start the client with:

sudo systemctl start shadowsocks-libev-local@client01.service

And enable auto-start at boot time.

sudo systemctl enable shadowsocks-libev-local@client01.service

Check its status. Make sure it’s running.

systemctl status shadowsocks-libev-local@client01.service

Now the ss-local process listens on 127.0.0.1:1080 on your Ubuntu desktop and it’s connected to your Shadowsocks server.

Windows Desktop

Windows users can download this Shadowsocks client. Download the ZIP file and extract it. Then double-click the shadowsocks executable. If the Windows Defender program prevents Shadowsocks from running, click More Info and select Run it anyway.

Next, you need to add a new server in the client software.

  • Specify the server IP address, server port (8888), and password.
  • You can also change the Timeout value (It should be less than 20 seconds).
  • Leave other settings as default.

Click the Apply button.

If you have several proxy servers, you can click the Add button to add more proxy servers. Note that you can use only one proxy server at a time.

Step 4: Configure Web Browser to Use the Socks Proxy

A program can use a SOCKS proxy only if it supports SOCKS proxies. Programs like Firefox, Google Chrome and Dropbox allow users to use a proxy. I will show you how to configure Firefox and Google Chrome.

Firefox

  1. In Firefox, go to Edit > Settings > General (or Tools > Settings > General).
  2. Then scroll down to the bottom and click the Settings button under Network Settings.
  3. In the Connection Settings window, select Manual proxy configuration.
  4. Then select SOCKS v5 because Shadowsocks is a Socks5 proxy.
  5. Enter 127.0.0.1 in the SOCKS Host field and 1080 in the port field.
  6. You can enable Proxy DNS when using SOCKS v5, or enable DNS over HTTPS. Both are fine.
  7. Click OK to apply these modifications.

Google Chrome

While you can configure proxy for Google Chrome and Chromium browser from the command line, I recommend installing the Proxy SwitchyOmega extension to manage proxies.

Once the extension is installed in Google Chrome, configure a proxy server as follows:

  • Choose the SOCKS5 protocol.
  • Set 127.0.0.1 as the server address.
  • Set 1080 as the port number.

Apply the changes. Then click the extensions icon in the upper-right corner and click Proxy SwitchyOmega.

By default, SwitchyOmega uses the operating system’s proxy settings. We need to change it from system proxy to proxy.

Now your proxy should be working.

Step 5: DNS Leak Test

Go to dnsleaktest.com. You will see your Shadowsocks server’s IP address, which indicates that your proxy is working.

Click the Standard test. Make sure your local ISP isn’t in the test results.
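
The same check can be made without a browser. The Python script below is an added example, not part of the original tutorial or of the Shadowsocks-libev project: it speaks SOCKS5 to ss-local and sends the hostname inside the CONNECT request, which is what Firefox's "Proxy DNS when using SOCKS v5" option does, so the name is resolved on the proxy side. The function names and the example.com target are assumptions.

```python
import ipaddress
import socket
import struct

# Reply codes from RFC 1928, section 6.
REPLIES = {0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed",
           3: "network unreachable", 4: "host unreachable", 5: "connection refused",
           6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def build_connect(host, port):
    """Build a SOCKS5 CONNECT request (RFC 1928, section 4)."""
    try:
        ip = ipaddress.ip_address(host)
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    except ValueError:
        # Not an IP literal: send the name itself (ATYP 0x03) so the proxy side
        # resolves it and no DNS query for it leaves the local machine.
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname must be 1-255 bytes")
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def parse_reply(data):
    """Return (ok, text) from the start of a SOCKS5 reply (VER, REP, ...)."""
    if len(data) < 2 or data[0] != 5:
        return False, "not a SOCKS5 reply"
    return data[1] == 0, REPLIES.get(data[1], f"unassigned reply code {data[1]}")


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def probe(host, port=80, proxy=("127.0.0.1", 1080), timeout=10):
    """Send an HTTP HEAD request through the proxy and return the status line."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")  # greeting: offer the "no authentication" method
        if recv_exact(s, 2) != b"\x05\x00":
            raise ConnectionError("proxy did not accept the no-authentication method")
        s.sendall(build_connect(host, port))
        head = recv_exact(s, 4)
        ok, text = parse_reply(head)
        if not ok:
            raise ConnectionError(f"CONNECT failed: {text}")
        # Skip the bound address and port; the address length depends on ATYP.
        alen = recv_exact(s, 1)[0] if head[3] == 3 else {1: 4, 4: 16}[head[3]]
        recv_exact(s, alen + 2)
        # ss-local listens whether or not the server is reachable, so only
        # bytes coming back through the tunnel show that it works end to end.
        request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        s.sendall(request.encode("ascii"))
        answer = s.recv(4096)
        if not answer:
            raise ConnectionError("no data came back through the tunnel")
        return answer.split(b"\r\n", 1)[0].decode("latin-1")


if __name__ == "__main__":
    # example.com is a placeholder target; ss-local must be running on 127.0.0.1:1080.
    print(probe("example.com"))
```

An HTTP status line printed by the script means the request travelled through the tunnel; a ConnectionError or timeout means the client is listening but the path to the server is not working.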

Proxy in Command Line

To let your command line programs use the proxy, you can install tsocks.

sudo apt install tsocks

Then edit the configuration file.

sudo nano /etc/tsocks.conf

Find the following line:

server = 192.168.0.1

Change it to

server = 127.0.0.1

Save and close the file. Now you can allow your command-line program to use Shadowsocks proxy like this:

sudo tsocks apt update

There’s also a similar program called proxychains.

Enable TCP Fast Open

You can speed up Shadowsocks by enabling TCP fast open. TCP is a connection-oriented protocol: traditionally, data can only be exchanged after the three-way handshake has established the connection. TCP fast open (TFO) is a mechanism that allows data to be exchanged before the three-way handshake is complete, saving up to 1 round-trip time (RTT).

TCP fast open support was merged into the Linux kernel in version 3.7 and has been enabled by default since version 3.13. You can check your kernel version by running:

uname -r

To check TCP fast open configuration on your Ubuntu server, run

cat /proc/sys/net/ipv4/tcp_fastopen

It can return 4 values.

  • 0 means disabled.
  • 1 means it’s enabled for outgoing connection (as a client).
  • 2 means it’s enabled for incoming connection (as a server).
  • 3 means it’s enabled for both outgoing and incoming connection.

All my Ubuntu VPS (Virtual Private Server) returned 1 after running the above command. We want tcp_fastopen set to 3 on our server. To achieve that, we can edit the sysctl configuration file.

sudo nano /etc/sysctl.conf

Then paste the following line at the end of the file.

net.ipv4.tcp_fastopen=3

Reload sysctl settings for the change to take effect.

sudo sysctl -p

Then you will also need to enable TCP fast open in Shadowsocks configuration file.

sudo nano /etc/shadowsocks-libev/config.json

Add the following line.

"fast_open": true

So your Shadowsocks server configuration file will look like this:

{
 "server":"your-server-ip-address",
 "server_port":8388,
 "local_port":1080,
 "password":"focobguph",
 "timeout":60,
 "method":"chacha20-ietf-poly1305",
 "fast_open": true
}

Note that the last config line has no comma. Save and close the file. Then restart Shadowsocks server.

sudo systemctl restart shadowsocks-libev

Check if it’s running. (An error in the configuration file can prevent it from restarting.)

systemctl status shadowsocks-libev

You also need to edit the Shadowsocks client configuration file and restart it to enable TCP fast open on Ubuntu desktop.

Enable TCP BBR

TCP BBR is a TCP congestion control algorithm that can drastically improve connection speed. Check out the following tutorial.

For more usage on Shadowsocks, check the manual.

man shadowsocks-libev

Troubleshooting

Every now and then, my Shadowsocks-libev proxy stops working and the following error is displayed on the server side when I check the status with systemctl.

ERROR: server recv: Connection reset by peer

On the client-side, the error returned by systemctl is:

ERROR: remote_recv_cb_recv: Connection reset by peer

I don’t know why it happens, but restarting the shadowsocks-libev service on the server can fix this issue.

sudo systemctl restart shadowsocks-libev

I don’t want to manually restart the service every time, so I add a cron job to do it for me periodically.

sudo crontab -e

Put the following line at the end of the file.

0 */3 * * * /bin/systemctl restart shadowsocks-libev

This will restart the service every 3 hours. That is to say, restart happens at 12am, 3am, 6am, 9am and so forth. Note that the time is determined by cron. It is not determined by calculating how long the service has been running.

If you see the following error in the Shadowsocks-libev log:

ERROR: unable to resolve www.youtube.com

This means the Shadowsocks-libev server can’t resolve DNS names. It’s helpful to specify a DNS server in the /etc/shadowsocks-libev/config.json file. Just add the following line to the file and restart the shadowsocks-libev service.

"nameserver":"1.1.1.1",

If you have your own DNS resolver running on the Shadowsocks server, you can specify 127.0.0.1 as the name server.

"nameserver":"127.0.0.1",

Remember that in the JSON file, the last line doesn’t end with a comma.
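
The comma and key-name mistakes described in this tutorial can be caught before the service is restarted. The Python check below is an added example, not part of the original tutorial or of the Shadowsocks-libev project: the function name lint_config, its role parameter and the sample configs are constructed for illustration, and the key list covers only the options used on this page.

```python
import json

# Options used in this tutorial's config files (not the full list ss-server accepts).
KNOWN_KEYS = {"server", "mode", "server_port", "local_address", "local_port",
              "password", "timeout", "method", "fast_open", "nameserver"}
# AEAD methods in shadowsocks-libev; anything else is a legacy stream cipher.
AEAD_METHODS = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
                "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305"}
# Sample passwords printed on this page: they are public, so never deploy them.
PUBLISHED_PASSWORDS = {"ACRrobo9ymXb", "focobguph"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def lint_config(text, role="server"):
    """Return a list of findings for a Shadowsocks-libev JSON config string."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as err:
        # A comma after the last entry ends up here.
        return [f"invalid JSON near line {err.lineno}: {err.msg}"]
    if not isinstance(cfg, dict):
        return ["invalid JSON: top-level value must be an object"]
    findings = [f"unrecognised key {key!r}: check the spelling"
                for key in sorted(set(cfg) - KNOWN_KEYS)]
    method = cfg.get("method")
    if not isinstance(method, str) or method not in AEAD_METHODS:
        findings.append(f"method {method!r} is not an AEAD cipher")
    password = cfg.get("password")
    if not isinstance(password, str) or not password:
        findings.append("password is missing")
    elif password in PUBLISHED_PASSWORDS:
        findings.append("password is a sample value published in the tutorial")
    port = cfg.get("server_port")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append("server_port must be an integer from 1 to 65535")
    servers = cfg.get("server")
    servers = [servers] if isinstance(servers, str) else servers
    if role == "server" and isinstance(servers, list) and servers and all(
            isinstance(s, str) and s in LOOPBACK for s in servers):
        findings.append("server binds to loopback only: remote clients cannot connect")
    if role == "client" and str(cfg.get("local_address", "127.0.0.1")) not in LOOPBACK:
        findings.append("local_address is not loopback: the SOCKS port is open to the network")
    return findings


# Constructed samples modelled on the configs shown on this page.
TRAILING_COMMA = '{\n "server_port":8888,\n "fast_open": true,\n}'
DEFAULT_SERVER = """{
    "server":["::1", "127.0.0.1"],
    "mode":"tcp_and_udp",
    "server_port":8388,
    "local_port":1080,
    "password":"ACRrobo9ymXb",
    "timeout":60,
    "method":"chacha20-ietf-poly1305",
    "name_server":"1.1.1.1"
}"""

if __name__ == "__main__":
    for sample in (TRAILING_COMMA, DEFAULT_SERVER):
        for finding in lint_config(sample) or ["no findings"]:
            print(finding)
```

To check a real file, pass its contents to lint_config, using role="client" for the ss-local config so that the local_address check applies.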

Wrapping Up

That’s it! I hope this tutorial helped you install Shadowsocks-libev proxy on Ubuntu.

Shadowsocks is a forward proxy. Want to know what’s a forward proxy? Please read the following article:

34 Responses to “How to Set Up Shadowsocks-libev Proxy Server on Ubuntu 22.04/20.04”

  • Mysterion
    2 days ago

    Thank you for such a good tutorial!

    • Xiao Guo-An (Admin)
      1 day ago

      You are welcome, subscribe for more good stuff.

  • Thank you for such a good tutorial!! XD

    But I saw many ‘Network is unreachable’ errors in my /var/log/syslog, could you explain why?

    Aug  7 11:08:59 wbswjc ss-server[2953]:  2018-08-07 11:08:59 ERROR: connect: Network is unreachable
    Aug  7 11:09:16 wbswjc ss-server[2953]:  2018-08-07 11:09:16 ERROR: connect: Network is unreachable
    Aug  7 11:09:16 wbswjc ss-server[2953]:  2018-08-07 11:09:16 ERROR: connect: Network is unreachable
    
    • Xiao Guo-An (Admin)
      2 months ago

      You have a network problem, which is not controlled by your operating system.

    • Thanks, you are right, that occurs when I visit websites in LAN network.

    • Xiao Guoan (Admin)
      2 years ago

      You can exclude LAN IP addresses in the web browser proxy settings.

  • I tried it in Dubai; it’s working only on WiFi internet. On mobile data it’s blocked and can be detected by the firewall. Does it work for you in China? What about ShadowsocksR?

    • Xiao Guo An (Admin)
      5 years ago

      Shadowsocks is working for me in China. Never used ShadowsocksR before. Maybe you can try OpenConnect VPN, which is also working in China.

  • jeferrer
    6 months ago

    Thank you!

    It’s all so simple with a competent guide; but without a guide, ignorance is a leather-bound sadist brandishing a cat o’ nine tails.

  • Hello and thank you for the great tut 🙂

    Can I install Shadowsocks on Ubuntu Desktop without the Shadowsocks-server?

    Or are both necessary, “Shadowsocks-server with the Shadowsocks-client on the same Desktop”?

    And thank you again

    • Xiao Guo An (Admin)
      5 years ago

      The server binary /usr/bin/ss-server and client binary /usr/bin/ss-local are shipped in the same software package (shadowsocks-libev). If you don’t want the server component, you can delete /usr/bin/ss-server. But when a new version of Shadowsocks-libev comes out, the server binary will be installed again.

      The server binary is only 151K in size. I don’t find any reason to remove it on my own desktop computer.

  • This is an awesome tutorial. Thanks.

  • malefilefu
    5 years ago

    Hey, I used to live in China and used shadowsocks and I set it up and it worked. It kinda stopped working recently so I decided to migrate my virtual server to another location and set it up again but now I am getting this error message when I check if it is running:

    # systemctl status shadowsocks-libev.service
    ● shadowsocks-libev.service - Shadowsocks-libev Default Server Service
       Loaded: loaded (/lib/systemd/system/shadowsocks-libev.service; enabled; vendor preset: enabled)
       Active: failed (Result: exit-code) since Sun 2019-07-14 10:55:01 EDT; 24s ago
         Docs: man:shadowsocks-libev(8)
      Process: 477 ExecStart=/usr/bin/ss-server -c $CONFFILE $DAEMON_ARGS (code=exited, status=255)
     Main PID: 477 (code=exited, status=255)
    
    Jul 14 10:55:01 localhost.localdomain systemd[1]: Started Shadowsocks-libev Default Server Service.
    Jul 14 10:55:01 localhost.localdomain ss-server[477]:  2019-07-14 10:55:01 ERROR: bind: Cannot assign requested address
    Jul 14 10:55:01 localhost.localdomain ss-server[477]:  2019-07-14 10:55:01 ERROR: bind() error
    Jul 14 10:55:01 localhost.localdomain ss-server[477]:  2019-07-14 10:55:01 INFO: UDP relay enabled
    Jul 14 10:55:01 localhost.localdomain ss-server[477]:  2019-07-14 10:55:01 INFO: initializing ciphers... chacha20-ietf-poly1305
    Jul 14 10:55:01 localhost.localdomain ss-server[477]:  2019-07-14 10:55:01 INFO: tcp server listening at 144.34.254.56:2180
    Jul 14 10:55:01 localhost.localdomain systemd[1]: shadowsocks-libev.service: Main process exited, code=exited, status=255/n/a
    Jul 14 10:55:01 localhost.localdomain systemd[1]: shadowsocks-libev.service: Failed with result 'exit-code'.
    Exit code: 3
    

    Any idea how to fix this?
    Thanks in advance!!!

    • malefilefu
      5 years ago

      Nevermind, I figured it out myself. Somehow, even though I migrated the server to another destination and installed a new OS, which should usually erase everything, the config file was still pointing at the old server’s IP. Works fine now!
      Great instruction btw, saw many different ones but this one is clear, on point and works fine for me!
      Thank you

  • Thank you so much, with these libs I was able to use Shadowsocks. This is the only tutorial that works with Ubuntu 18.04 LTS

  • Hi,

    After setting up a Shadowsocks server on my laptop PC (with Ubuntu 16.04), can I use the Shadowsocks client Android app to connect to it by setting up a profile in the app with the details written in the Shadowsocks configuration file?

    Btw, does it work in China?

    Thank you so much,
    Cheers,
    Flor

  • How do I configure Ubuntu 20?

  • I installed a shadowsocks server on a VPS and it seems to be working fine. I have setup wireguard/pihole/unbound on the same VPS and it is also working. I would like to use pihole/unbound as DNS resolver for shadowsocks to get the benefits of adblocking and dnssec when using shadowsocks and not attached to the wirehole VPN.

    The shadowsocks option to specify a local resolver doesn’t seem to be working. I have tried 127.0.0.1, 127.0.0.53 and localhost but none of these work as expected (127.0.0.53:53 is bad syntax), as if the option was not configured. When using shadowsocks by itself with pihole as DNS I do not get adblocking and dnssec. When I use full tunnel wirehole/unbound VPN and use shadowsocks as SOCKS5 proxy I do not get adblocking and secure DNS.

    Is there a config in wireguard/pihole/unbound that prevents other services on the same server from using pihole/unbound as their resolver?

    I must say thank you for all the information you provide. I have used many of your guides to configure and secure my server.

  • Thanks. Worked for me.

  • hi Xiao GuoAn

    Thanks for this tutorial! I tried this and works like a charm.

    Since I have multiple servers, I want to use Outline AppImage to manage the connections via a gui. As of now no luck getting outline to work.

    Should I stop the service before I initiate the connection from Outline? or is there something else I need to do?

    thanks again for the tutorial.

    BM

    • Xiao Guoan (Admin)
      3 years ago

      I have never used outline.

      You can set up multiple Shadowsocks connections from the command line. For a second server, create the configuration file under /etc/shadowsocks-libev/ directory, like /etc/shadowsocks-libev/2nd-server.json on the client computer. You need to use a different port because port 1080 is already taken by the first connection.

      Then you can start the second connection with

      sudo systemctl start shadowsocks-libev-local@2nd-server.service

      Enable auto-start at boot time.

      sudo systemctl enable shadowsocks-libev-local@2nd-server.service

      In your web browser, you can change the connection by changing the port number.

  • What exactly do you mean by “location-of-your-server”?

    • Xiao Guoan (Admin)
      2 years ago

      You can replace location-of-your-server with the city name of your server location like new-york. It doesn’t have any meaning to Shadowsocks, just to help you recognize the config file.

  • Hi Xiao Guoan
    Thanks for this guide! Can I use other encryption methods like MS-CHAP-v2? I would like to connect to the VPN client with my router, and this is the only option available.

  • chenggen
    2 years ago
    2022-07-22 12:44:05 INFO: initializing ciphers... chacha20-ietf-poly1305
     2022-07-22 12:44:05 INFO: listening at 127.0.0.1:1080
     2022-07-22 12:44:05 INFO: udprelay enabled
    

    When I execute “/usr/bin/ss-local -c /etc/shadowsocks-libev/singapore.json”, it echoes what is presented above, and it stops there, even though I stopped the service on the server side.

    • Xiao Guoan (Admin)
      2 years ago

      That’s not an error.

      127.0.0.1:1080 is used to receive browser requests. The Shadowsocks client listens on 127.0.0.1:1080, regardless of whether the server is up or down.

      If the server is up, then the client will establish a tunnel with the server. If the server is down, then the client won’t establish a tunnel.

      • chenggen
        2 years ago

        I have enabled Proxy SwitchyOmega, but it ran into a net crash…
        So, how can I check whether I have established a connection with the remote service?

      • chenggen
        2 years ago

        Could you please help check if my remote service works? I would provide my remote service IP, port, password and so on.

      • chenggen
        2 years ago

        In the first terminal, I executed “ss-local”; in the second terminal, I executed “tcpdump” to monitor data transfer, but I cannot capture any packets, so I think no data is sent to the remote service. I checked so many times that I don’t think there are any faults in my operations. So did shadowsocks-libev itself go wrong?

        cg@cg-QTC6:~/software/canal$ ss-local -c /etc/shadowsocks-libev/singapore.json 
         2022-07-22 23:52:46 INFO: initializing ciphers... chacha20-ietf-poly1305
         2022-07-22 23:52:46 INFO: listening at 127.0.0.1:1080
         2022-07-22 23:52:46 INFO: udprelay enabled
        
        cg@cg-QTC6:~/software/canal$ sudo tcpdump -n host 43.134.35.152 -v
        tcpdump: listening on wlp7s0, link-type EN10MB (Ethernet), capture size 262144 bytes
        
  • Hello:
    Thank you so much for this guide and so many other guides of yours that I have followed to successfully create servers and other tasks. There is a typo for the tip about configuring a specific dns name server. The syntax should be "nameserver" and not "name server". Otherwise your guide is excellent as usual. Thanks again.

    • Sorry I made a typo in my own correction. Since I can’t delete or edit my previous post let me restate for clarity:

      There is a typo for the tip about configuring a specific dns name server. The syntax should be "nameserver" and not "name_server".

  • How can I create a server config for multiple clients? Will it use the same port or a different port?
