Skip to content

Instantly share code, notes, and snippets.

@itsuki-hayashi
Last active March 27, 2023 02:24
Show Gist options
  • Save itsuki-hayashi/4d07d2c2caaae9ea8cac16555a9e4f8a to your computer and use it in GitHub Desktop.
Save itsuki-hayashi/4d07d2c2caaae9ea8cac16555a9e4f8a to your computer and use it in GitHub Desktop.
Ubuntu 18.04 LTS setup script for shadowsocks-libev + simple-obfs.
#!/bin/bash
# Get base packages up-to-date.
apt update -y && apt dist-upgrade -y && apt autoremove -y
# Install what we needs
apt install shadowsocks-libev simple-obfs haveged curl -y
# Enable haveged for more entropy on cloud server
systemctl enable haveged.service && systemctl restart haveged.service
# Backup /etc/sysctl.conf
mv /etc/sysctl.conf /etc/sysctl.conf.orig
# Write optimized kernel parameters
cat > /etc/sysctl.conf <<END
# Enable BBR TCP Congestion Control.
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
# The maximum size of the receive queue.
# The received frames will be stored in this queue after taking them
# from the ring buffer on the NIC.
# Use high value for high speed cards to prevent loosing packets.
# In real time application like SIP router, long queue must be assigned
# with high speed CPU otherwise the data in the queue will be out of
# date (old).
net.core.netdev_max_backlog = 65536
# The maximum ancillary buffer size allowed per socket.
# Ancillary data is a sequence of struct cmsghdr structures with
# appended data.
net.core.optmem_max = 65536
# The upper limit on the value of the backlog parameter passed to the
# listen function.
# Setting to higher values is only needed on a single highloaded server
# where new connection rate is high/bursty
net.core.somaxconn = 16384
# The default and maximum amount for the receive/send socket memory
# By default the Linux network stack is not configured for high speed
# large file transfer across WAN links.
# This is done to save memory resources.
# You can easily tune Linux network stack by increasing network buffers
# size for high-speed networks that connect server systems to handle more network packets.
net.core.rmem_default = 1048576
net.core.wmem_default = 1048576
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384
# An extension to the transmission control protocol (TCP) that helps
# reduce network latency by enabling data to be exchanged during the
# sender’s initial TCP SYN.
# If both of your server and client are deployed on Linux 3.7.1 or
# higher, you can turn on fast_open for lower latency
net.ipv4.tcp_fastopen = 3
# The maximum queue length of pending connections 'Waiting
# Acknowledgment'
# In the event of a synflood DOS attack, this queue can fill up pretty
# quickly, at which point tcp_syncookies will kick in allowing your
# system to continue to respond to legitimate traffic, and allowing you
# to gain access to block malicious IPs.
# If the server suffers from overloads at peak times, you may want to
# increase this value a little bit.
net.ipv4.tcp_max_syn_backlog = 65536
# The maximum number of sockets in 'TIME_WAIT' state.
# After reaching this number the system will start destroying the
# socket in this state.
# Increase this to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 65536
# Whether TCP should start at the default window size only for new
# connections or also for existing connections that have been idle for
# too long.
# It kills persistent single connection performance and should be turned
# off.
net.ipv4.tcp_slow_start_after_idle = 0
# Whether TCP should reuse an existing connection in the TIME-WAIT state
# for a new outgoing connection if the new timestamp is strictly bigger
# than the most recent timestamp recorded for the previous connection.
# This helps avoid from running out of available network sockets.
net.ipv4.tcp_tw_reuse = 1
# Fast-fail FIN connections which are useless.
net.ipv4.tcp_fin_timeout = 15
# TCP keepalive is a mechanism for TCP connections that help to
# determine whether the other end has stopped responding or not.
# TCP will send the keepalive probe contains null data to the network
# peer several times after a period of idle time. If the peer does not
# respond, the socket will be closed automatically.
# By default, TCP keepalive process waits for two hours (7200 secs) for
# socket activity before sending the first keepalive probe, and then
# resend it every 75 seconds. As long as there is TCP/IP socket
# communications going on and active, no keepalive packets are needed.
# With the following settings, your application will detect dead TCP
# connections after 120 seconds (60s + 10s + 10s + 10s + 10s + 10s +
# 10s)
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 6
# The longer the MTU the better for performance, but the worse for
# reliability.
# This is because a lost packet means more data to be retransmitted
# and because many routers on the Internet can't deliver very long
# packets.
# Enable smart MTU discovery when an ICMP black hole detected.
net.ipv4.tcp_mtu_probing = 1
# Turn timestamps off to reduce performance spikes related to timestamp
# generation.
net.ipv4.tcp_timestamps = 0
# Max open files.
fs.file-max = 65536
# Turn off fast timewait sockets recycling.
# net.ipv4.tcp_tw_recycle = 0 # Deprecated
# Outbound port range
net.ipv4.ip_local_port_range = 10000 65000
## TCP SYN cookie protection (default)
## helps protect against SYN flood attacks
## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
net.ipv4.tcp_syncookies = 1
## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1
## sets the kernels reverse path filtering mechanism to value 1 (on)
## will do source validation of the packet's recieved from all the interfaces on the machine
## protects from attackers that are using ip spoofing methods to do harm
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
## log martian packets
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1
## ignore echo broadcast requests to prevent being part of smurf attacks (default)
net.ipv4.icmp_echo_ignore_broadcasts = 1
## ignore bogus icmp errors (default)
net.ipv4.icmp_ignore_bogus_error_responses = 1
## send redirects (not a router, disable it)
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
## ICMP routing redirects (only secure)
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Restricting access to kernel logs.
kernel.dmesg_restrict = 1
# Restricting access to kernel pointers in the proc filesystem.
kernel.kptr_restrict = 1
END
# Enable our kernel parameters.
sysctl -p
# Generate password. /dev/random is safer than /dev/urandom
PASSWORD=$(cat /dev/random | tr -dc 'a-zA-Z0-9+/' | fold -w 48 | head -n 1)
# Write Shadowsocks config file.
cat > /etc/shadowsocks-libev/config.json <<END
{
"server":["::", "0.0.0.0"],
"server_port":443,
"method": "aes-256-gcm",
"password": "$PASSWORD",
"timeout": 60,
"mode":"tcp_and_udp",
"plugin":"obfs-server",
"plugin_opts":"obfs=tls"
}
END
# Enable Shadowsocks service.
systemctl enable shadowsocks-libev.service && systemctl restart shadowsocks-libev.service
# Get server's public IP.
SERVER_IP=$(curl https://ipecho.net/plain)
# Write client config.
cat > ~/client.json <<END
{
"server": "$SERVER_IP",
"server_port": 443,
"method": "aes-256-gcm",
"password": "$PASSWORD",
"plugin": "obfs-local",
"plugin_opts": "obfs=tls;obfs-host=www.bing.com"
}
END
# Generate Shadowsocks URI
SS_URI="ss://$(echo -n aes-256-gcm:$PASSWORD | base64 --wrap=0 | tr +/ -_)@$SERVER_IP:443/?plugin=obfs-local%3bobfs%3dtls%3bobfs-host%3dwww.bing.com"
echo $SS_URI > ~/ss-uri.txt
# Show config to user.
echo "Hello, your Shadowsocks server is ready for use!"
echo "Here is the Shadowsocks URI:"
echo $SS_URI
echo "You can also use the following JSON config:"
cat ~/client.json
echo "Your config is saved at files ~/ss-uri.txt and ~/client.json"
@volkabil
Copy link

volkabil commented Jul 23, 2021

I hope a way to install on CentOS7. 8
Thanks, I love shadowsocks + obfs. I hope to find a way like this

I don't like to use v2ray

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment