Skip to content

Instantly share code, notes, and snippets.

@nikitasius

nikitasius/shadowsocks.md Secret

Last active May 4, 2022 09:52
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save nikitasius/cc04d5a4bd2da0201ca1f8d78b71ea3a to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save nikitasius/cc04d5a4bd2da0201ca1f8d78b71ea3a to your computer and use it in GitHub Desktop.
Download ZIP
(EASY) Linux shadowsocks installation
Raw
shadowsocks.md

Installation

  • install shadowsocks aptitude install shadowsocks-libev/apt-get -y install shadowsocks-libev
  • edit /etc/shadowsocks-libev/config.json

the server only (what we need usually)

{
    "server": "server IP or 0.0.0.0",
    "server_port": <SS port>,
    "password": "<server password>",
    "timeout": 300,
    "method": "chacha20-ietf-poly1305",
    "mode": "tcp_and_udp"
}

Security

the ACL:

  • download the https://raw.githubusercontent.com/shadowsocks/shadowsocks-libev/master/acl/server_block_local.acl into /etc/shadowsocks-libev/
  • edit the env file: /etc/default/shadowsocks-libev by adding -i enp0s3 --acl /etc/shadowsocks-libev/server_block_local.acl to DAEMON_ARGS= param
    • So it will become DAEMON_ARGS="-i enp0s3 --acl /etc/shadowsocks-libev/server_block_local.acl"
    • -i enp0s3 mean bind to enp0s3 interface only (remove it if you don't need it / rename it to match yours)
    • if you have Operation not permitted, remove interface from this param

stop/start/status

  • systemctl stop shadowsocks-libev.service
  • systemctl start shadowsocks-libev.service
  • systemctl status shadowsocks-libev.service

the link

  • ss://method:password@hostname:port - classic link
  • ss://BASE64[method:password@hostname:port]#ss-server - mobile app link or QR

packet forward

add

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

into cat /etc/sysctl.conf and run sysctl --system

@nikitasius
Copy link
Author

nikitasius commented Mar 3, 2022

optional local tunnel not for server

local tunnel for WG if needed, run with ss-tunnel -c this_config.json

{
  "server": "WG server IP",
  "server_port": <SS port>,
  "local_address": "0.0.0.0",
  "local_port": <local client port>,
  "password": "<server password>",
  "timeout": 300,
  "method": "chacha20-ietf-poly1305",
  "mode": "tcp_and_udp",
  "tunnel_address": "127.0.0.1:<WG server port>"
}

@nikitasius
Copy link
Author

nikitasius commented Mar 4, 2022
edited
Loading

if you generate a base64 from a text file where you placed your url method:password@hostname:port and it doesn't work:

  • you do base64 -w0 ss-link.txt and ss client say it's fucked up

Just remove last eof symbol from the file truncate -s -1 ss-link.txt and take again your base64 👍

@nikitasius
Copy link
Author

nikitasius commented Mar 11, 2022

https://shadowsocks.org/en/config/advanced.html

@nikitasius
Copy link
Author

nikitasius commented Mar 11, 2022
edited
Loading

vi /etc/security/limits.conf

* soft nofile 51200
* hard nofile 51200

# for server running in root:
root soft nofile 51200
root hard nofile 51200

ulimit -n 51200

vi /etc/sysctl.d/ss.conf

fs.file-max = 51200

net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 4096

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_congestion_control = hybla

sysctl --system

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment