How to Set Up Shadowsocks-libev Proxy Server on Ubuntu 24.04
This tutorial is going to show you how to set up Shadowsocks proxy server on Ubuntu 24.04. Shadowsocks is a lightweight, fast, and secure Socks5 proxy to bypass Internet censorship. We will learn how to set up the server-side and how to configure the desktop client. There are many implementations of Shadowsocks, writtern in different programming languages. This tutorial shows you how to use Shadowsocks-libev, because:
- It’s written in C, very fast even on low-end machines.
- It’s well-maintained.
- It’s the most feature-rich implementation. TCP fast open, multiuser, management API, redirect mode, tunnel mode, UDP relay, AEAD ciphers, and plugins are all supported.
Requirements
To follow this tutorial, you will need a VPS (Virtual Private Server) that can access blocked websites freely (Outside of your country or Internet filtering system). I recommend Kamatera VPS, which features:
- 30 days free trial.
- Starts at $4/month (1GB RAM)
- High-performance KVM-based VPS
- 9 data centers around the world, including the United States, Canada, UK, Germany, The Netherlands, Hong Kong, and Isreal.
Follow the tutorial linked below to create your Linux VPS server at Kamatera.
Once you have a VPS running Ubuntu 24.04, follow the instructions below.
Step 1: Install Shadowsocks-libev Server on Ubuntu 24.04 VPS
SSH into your remote Ubuntu server. Shadowsocks-libev
is included in Ubuntu repository, so you can install it with:
sudo apt update sudo apt install -y shadowsocks-libev
Once it’s installed, edit the configuration file with the nano command line text editor.
sudo nano /etc/shadowsocks-libev/config.json
The default contents of the file are as follows.
{
"server":["::1", "127.0.0.1"],
"mode":"tcp_and_udp",
"server_port":8388,
"local_port":1080,
"password":"ACRrobo9ymXb",
"timeout":86400,
"method":"chacha20-ietf-poly1305"
}
We need to change 127.0.0.1
to 0.0.0.0
, so Shadowsocks-libev server will listen on the public IP address. Then change server_port
to other port numbers like 8888. The password was randomly generated, so you can leave it as it is.
Save and close the file. Then restart shadowsocks-libev service for the changes to take effect.
sudo systemctl restart shadowsocks-libev.service
Enable auto-start at boot time.
sudo systemctl enable shadowsocks-libev.service
Check its status. Make sure it’s running.
sudo systemctl status shadowsocks-libev.service
Sample output:
● shadowsocks-libev.service - Shadowsocks-libev Default Server Service Loaded: loaded (/usr/lib/systemd/system/shadowsocks-libev.service; enabled; preset: enabled) Active: active (running) since Thu 2024-05-16 07:31:11 UTC; 11s ago Docs: man:shadowsocks-libev(8) Main PID: 8215 (ss-server) Tasks: 1 (limit: 629145) Memory: 424.0K (peak: 1.0M) CPU: 10ms CGroup: /system.slice/shadowsocks-libev.service └─8215 /usr/bin/ss-server -c /etc/shadowsocks-libev/config.json
If you see the following error.
This system doesn't provide enough entropy to quickly generate high-quality random numbers. The service will not start until enough entropy has been collected.
You can fix this error by installing rng-tools
.
sudo apt-get install rng-tools
Then run
sudo rngd -r /dev/urandom
Now you can start Shadowsocks-libev service.
Step 2: Configure Firewall on the VPS
If you are using iptables firewall on your server, then you need to allow traffic to the TCP and UDP port Shadowsocks is listening on. For example, if port 8888
is being used by Shadowsocks, then run the following command:
sudo iptables -I INPUT -p tcp --dport 8888 -j ACCEPT sudo iptables -I INPUT -p udp --dport 8888 -j ACCEPT
If you are using UFW firewall, then run the following commands:
sudo ufw allow 8888
Step 3: Install and Configure Shadowsocks-libev Client
Ubuntu Desktop
The shadowsocks-libev
package contains both the server software and client software. On Ubuntu desktop, run the following commands to install Shadowsocks-libev.
sudo apt update sudo apt install shadowsocks-libev
Shadowsocks-libev (the server) will automatically start after being installed. You need to stop Shadowsocks server on Ubuntu desktop.
sudo systemctl disable --now shadowsocks-libev
The Shadowsocks client binary is named ss-local
. There’s a template systemd service unit for it: /lib/systemd/system/[email protected]
. Before starting the client, we need to create the client-side configuration file. We can copy the Shadowsocks-libev server config to the client config file.
sudo cp /etc/shadowsocks-libev/config.json /etc/shadowsocks-libev/client01.json
Then edit the client config file.
sudo nano /etc/shadowsocks-libev/client01.json
Change the server address to the public IP address of your server, and add the following line to tell the client to listen on 127.0.0.1.
"local_address":"127.0.0.1",
So the client config file will look like this:
{ "server":"your-server-ip-address", "mode":"tcp_and_udp", "server_port":8888, "local_address":"127.0.0.1", "local_port":1080, "password":"ACRrobo9ymXb", "timeout":60, "method":"chacha20-ietf-poly1305" }
Save and close the file. Then we can start the client with:
sudo systemctl start [email protected]
And enable auto-start at boot time.
sudo systemctl enable [email protected]
Check its status. Make sure it’s running.
systemctl status [email protected]
Now the ss-local
process listens on 127.0.0.1:1080
on your Ubuntu desktop and it’s connected to your Shadowsocks server. Go to step 4 to configure your web browser to use Shadowsocks proxy.
Windows Desktop
Windows users can download this Shadowsocks client. Download the ZIP file and extract it. Then double-click the shadowsocks executable. If the Windows Defender program prevents Shadowsocks from running, click More Info and select Run it anyway.
Next, you need to add a new server in the client software.
- Specify the server IP address, server port (8888), and password.
- You can also change the Timeout value (It should be less than 20 seconds).
- Leave other settings as default.
Click Apply
button
If you have several proxy servers, you can click the Add
button to add more proxy servers. Note that you use only one proxy server at a time.
Step 4: Configure Web Browser to Use the Socks Proxy
To make your program use a socks proxy, the program must support socks proxy. Programs like Firefox, Google Chrome and Dropbox allows users to use proxy. I will show you how to configure Firefox and Google Chrome.
Firefox
- In Firefox, go to Edit > Settings> General (or Tools -> Settings -> General).
- Then scroll down to the bottom and click Settings button in Network Setting.
- In the Connection Settings window, select manual proxy configuration.
- Then select SOCKS v5 because Shadowsocks is a Socks5 proxy.
- Enter
127.0.0.1
in the SOCKS Host field and1080
in the port field. - You can enable Proxy DNS when using SOCKS v5 , or enable DNS over HTTPS. Both are fine.
- Click OK to apply these modifications.
Google Chrome
While you can configure proxy for Google Chrome and Chromium browser from the command line, I recommend installing the Proxy SwitchyOmega extension to manage proxies.
Once the extension is installed in Google Chrome, configure a proxy server as follows:
- Choose the
SOCKS5
protocol. - Set
127.0.0.1
as the server address. - Set
1080
as the port number.
Apply the changes. Then click the extensions icon on the upper-right corner and click Proxy SwithyOmega
.
By default, SwithyOmega uses the operating system’s proxy settings. We need to change it from system proxy
to proxy
.
Now your proxy should be working.
Step 5: DNS Leak Test
Go to dnsleaktest.com. You will see your Shadowsocks server’s IP address, which indicates that your proxy is working.
Click the Standard test. Make sure your local ISP isn’t in the test results.
Proxy in Command Line
To let your command line programs use the proxy, you can install tsocks
.
sudo apt install tsocks
Then edit the configuration file.
sudo nano /etc/tsocks.conf
Find the following line:
server = 192.168.0.1
Change it to
server = 127.0.0.1
Save and close the file. Now you can allow you command-line program to use Shadowsocks proxy like this:
sudo tsocks apt update
There’s also a similar program called proxychains.
Enable TCP Fast Open
You can speed up Shadowsocks by enabling TCP fast open. TCP is a connection-oriented protocol, which means data can only be exchanged after a connection is established, which is done via the three-way handshake. In other words, traditionally, data can only be exchanged after the three-way handshake is complete. TCP fast open (TFO) is a mechanism that allows data to be exchanged before three-way handshake is complete, saving up to 1 round-trip time (RTT).
TCP fast open support is merged to Linux kernel since version 3.7 and enabled by default since version 3.13. You can check your kernel version by running:
uname -r
To check TCP fast open configuration on your Ubuntu server, run
cat /proc/sys/net/ipv4/tcp_fastopen
It can return 4 values.
- 0 means disabled.
- 1 means it’s enabled for outgoing connection (as a client).
- 2 means it’s enabled for incoming connection (as a server).
- 3 means it’s enabled for both outgoing and incoming connection.
All my Ubuntu VPS (Virtual Private Server) returned 1
after running the above command. We want tcp_fastopen set to 3 on our server. To achieve that, we can edit the sysctl configuration file.
sudo nano /etc/sysctl.conf
Then paste the following line at the end of the file.
net.ipv4.tcp_fastopen=3
Reload sysctl settings for the change to take effect.
sudo sysctl -p
Then you will also need to enable TCP fast open in Shadowsocks configuration file.
sudo nano /etc/shadowsocks-libev/config.json
Add the following line.
"fast_open": true
So your Shadowsocks server configuration file will look like this:
{ "server":"your-server-ip-address", "server_port":8388, "local_port":1080, "password":"focobguph", "timeout":60, "method":"chacha20-ietf-poly1305", "fast_open": true }
Note that the last config line has no comma. Save and close the file. Then restart Shadowsocks server.
sudo systemctl restart shadowsocks-libev
Check if it’s running. (An error in the configuration file can prevent it from restarting.)
systemctl status shadowsocks-libev
You also need to edit the Shadowsocks client configuration file and restart it to enable TCP fast open on Ubuntu desktop.
Enable TCP BBR
TCP BBR is a TCP congestion control algorithm that can drastically improve connection speed. Check out the following tutorial.
For more usage on Shadowsocks, check the manual.
man shadowsocks-libev
Troubleshooting
Every now and then, my Shadowsocks-libev proxy stops working and the following error is displayed on the server side when I check the status with systemctl
.
ERROR: server recv: Connection reset by peer
On the client-side, the error returned by systemctl
is:
ERROR: remote_recv_cb_recv: Connection reset by peer
I don’t know why it happens, but restarting the shadowsocks-libev
service on the server can fix this issue.
sudo systemctl restart shadowsocks-libev
I don’t want to manually restart the service every time, so I add a cron job to do it for me periodically.
sudo crontab -e
Put the following line at the end of the file.
0 */3 * * * /bin/systemctl restart shadowsocks-libev
This will restart the service every 3 hours. That is to say, restart happens at 12am, 3am, 6am, 9am and so forth. Note that the time is determined by cron. It is not determined by calculating how long the service has been running.
If you see the following error in Shadowsocks-libev log.
ERROR: unable to resolve www.youtube.com
This means the Shadowsocks-libev server can’t successfully resolve DNS. It’s helpful to specify a DNS server in the /etc/shadowsocks-libev/config.json
file. Just add the following line in the file and restart the shadowsocks-libev service.
"name_server":"1.1.1.1",
If you have your own DNS resolver running on the Shadowsocks server, you can specify 127.0.0.1 as the name server.
"name_server":"127.0.0.1",
Remember that in the JSON file, the last line doesn’t end with a comma.
Wrapping Up
That’s it! I hope this tutorial helped you install Shadowsocks-libev proxy on Ubuntu. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks 🙂
Shadowsocks is a forward proxy. Want to know what’s a forward proxy? Please read the following article:
I have not read through this at the moment, but searched for OBFuscation. Also, please correct “ISRAEL”.
This doesn’t work on highly censored countries, their network structure will recognize SOCKS signature You should try other project and overlay networks like Xray with vless/vmess
https://github.com/XTLS/Xray-core/
Hi, would you please update the procedure with v2ray plugin and cloudflare CDN to further secure the connection.
This article has given me clear steps to create a SS server. It’s been running fine. As I’m not that experienced with Linux, I’m wondering how to create multiple instances of SS server, each with different .json file.