How to Set up Shadowsocks-libev Proxy Server on Ubuntu
This tutorial is going to show you how to set up Shadowsocks proxy server on Ubuntu. Shadowsocks is a lightweight, fast, and secure Socks5 proxy to bypass Internet censorship. We will learn how to set up the server-side and how to configure the desktop client on Ubuntu. There are many implementations of Shadowsocks, this tutorial shows you how to use Shadowsocks-libev, because
It’s written in C, very fast even on low-end machines.
It’s the most feature-rich implementation. TCP fast open, multiuser, management API, redirect mode, tunnel mode, UDP relay, AEAD ciphers, and plugins are all supported.
To complete this tutorial, you will need:
A VPS (Virtual Private Server). I recommend Vultr. They offer 512M memory high performance VPS for just $2. 5 per month, which is perfect for your private proxy server.
Then install Ubuntu on your VPS.
Step 1: Install Shadowsocks-libev Server on Ubuntu
SSH into your remote Ubuntu server. Shadowsocks-libev is included in Ubuntu repository since 17. 04, so you can install it with:
sudo apt update
sudo apt install shadowsocks-libev
Ubuntu 16. 04 users can install it from PPA by running the following commands. software-properties-common is needed if you want to install software from PPA. It may be missing on your Ubuntu server.
sudo apt install software-properties-common -y
sudo add-apt-repository ppa:max-c-lv/shadowsocks-libev -y
The sodium crypto library (libsodium) will be installed along with shadowsocks-libev. It’s a requirement if you want to use the secure and fast ChaCha20-Poly1305 encryption method. Once it’s installed, edit the configuration file.
sudo nano /etc/shadowsocks-libev/
The default contents of the file are as follows.
“server”:[“::1”, “127. 0. 1”],
We need to change 127. 1 to 0. 0, so Shadowsocks-libev server will listen on the public IP address. Then change server_port to other port numbers like 8888. The password was randomly generated, so you can leave it as it is.
Save and close the file. Then restart shadowsocks-libev service for the changes to take effect.
sudo systemctl restart rvice
Enable auto-start at boot time.
sudo systemctl enable rvice
Check its status. Make sure it’s running.
systemctl status rvice
If you see the following error.
This system doesn’t provide enough entropy to quickly generate high-quality random numbers. The service will not start until enough entropy has been collected.
You can fix this error by installing rng-tools.
sudo apt-get install rng-tools
sudo rngd -r /dev/urandom
Now you can start Shadowsocks-libev service.
Step 2: Configure Firewall
If you are using iptables firewall on your server, then you need to allow traffic to the TCP and UDP port Shadowsocks is listening on. For example, if port 8888 is being used by Shadowsocks, then run the following command:
sudo iptables -I INPUT -p tcp –dport 8888 -j ACCEPT
sudo iptables -I INPUT -p udp –dport 8888 -j ACCEPT
If you are using UFW firewall, then run the following commands:
sudo ufw allow 8888
If you are using AWS or Google Cloud, then you need to configure firewall at the web-based control panel.
Step 3: Install and Configure Shadowsocks-libev Client
The shadowsocks-libev package contains both the server software and client software. On Ubuntu 20. 04, 18. 04 desktop, run the following commands to install Shadowsocks-libev.
On Ubuntu 16. 04 desktop, run the following commands to install Shadowsocks-libev.
Shadowsocks-libev (the server) will automatically start after being installed. You need to stop Shadowsocks server on Ubuntu desktop.
sudo systemctl stop shadowsocks-libev
Also, disable auto-start at boot time.
sudo systemctl disable shadowsocks-libev
The Shadowsocks client binary is named ss-local. There’s a template systemd service unit for it: /lib/systemd/system/[email protected]. Before starting the client, we need to create the client-side configuration file. We can copy the Shadowsocks-libev server config to the client config file.
sudo cp /etc/shadowsocks-libev/ /etc/shadowsocks-libev/
You can replace location-of-your-server with something like SFO, LAX. Then edit the client config file.
Change the server address to the public IP address of your server, and add the following line to tell the client to listen on 127. 1.
So the client config file will look like this:
Save and close the file. Then we can start the client with:
sudo systemctl start [email protected]rvice
And enable auto-start at boot time.
sudo systemctl enable [email protected]rvice
systemctl status [email protected]rvice
Now the ss-local process listens on 127. 1:1080 on your Ubuntu desktop and it’s connected to your Shadowsocks server.
Windows users can download this Shadowsocks client. Once it’s installed, you can add a new server in the client software. Specify the server IP address, port and password. Click Apply button
If you have several proxy servers, you can click the Add button to add more proxy servers. Note that you use only one proxy server at a time.
Step 4: Configure Web Browser to Use the Socks Proxy
To make your program use a socks proxy, the program must support socks proxy. Programs like Firefox, Google Chrome and Dropbox allows users to use proxy. I will show you how to configure Firefox and Google Chrome.
In Firefox, go to Edit > Preferences > General (or Tools -> Options -> General). Then scroll down to the bottom and click Settings in Network Proxy. In the Connection Settings window, select manual proxy configuration. Then select SOCKS v5 because Shadowsocks is a Socks5 proxy. Enter 127. 1 in the SOCKS Host field and 1080 in the port field. Make sure Proxy DNS when using SOCKS v5 is enabled. Click OK to apply these modifications.
While you can configure proxy for Google Chrome and Chromium browser from the command line, I recommend installing the Proxy SwitchyOmega extension to manage proxies.
Once the extension is installed in Google Chrome, configure a proxy server as follows:
Choose the SOCKS5 protocol.
Set 127. 1 as the server address.
Set 1080 as the port number.
Apply the changes. Then click the extensions icon on the upper-right corner and click Proxy SwithyOmega.
By default, SwithyOmega uses the operating system’s proxy settings. We need to change it from system proxy to proxy.
Now your proxy should be working.
Step 5: DNS Leak Test
Go to You will see your Shadowsocks server’s IP address, which indicates that your proxy is working.
Click the Standard test. Make sure your local ISP isn’t in the test results.
Proxy in Command Line
To let your command line programs use the proxy, you can install tsocks.
sudo apt install tsocks
Then edit the configuration file.
sudo nano /etc/
Find the following line:
server = 192. 168. 1
Change it to
server = 127. 1
Save and close the file. Now you can allow you command-line program to use Shadowsocks proxy like this:
sudo tsocks apt update
There’s also a similar program called proxychains.
Enable TCP Fast Open
You can speed up Shadowsocks by enabling TCP fast open. TCP is a connection-oriented protocol, which means data can only be exchanged after a connection is established, which is done via the three-way handshake. In other words, traditionally, data can only be exchanged after the three-way handshake is complete. TCP fast open (TFO) is a mechanism that allows data to be exchanged before three-way handshake is complete, saving up to 1 round-trip time (RTT).
TCP fast open support is merged to Linux kernel since version 3. 7 and enabled by default since version 3. 13. You can check your kernel version by running:
To check TCP fast open configuration on your Ubuntu server, run
It can return 4 values.
0 means disabled.
1 means it’s enabled for outgoing connection (as a client).
2 means it’s enabled for incoming connection (as a server).
3 means it’s enabled for both outgoing and incoming connection.
All my Ubuntu VPS (Virtual Private Server) returned 1 after running the above command. We want tcp_fastopen set to 3 on our server. To achieve that, we can edit the sysctl configuration file.
Then paste the following line at the end of the file.
Reload sysctl settings for the change to take effect.
sudo sysctl -p
Then you will also need to enable TCP fast open in Shadowsocks configuration file.
Add the following line.
So your Shadowsocks server configuration file will look like this:
Note that the last config line has no comma. Save and close the file. Then restart Shadowsocks server.
sudo systemctl restart shadowsocks-libev
Check if it’s running. (An error in the configuration file can prevent it from restarting. )
systemctl status shadowsocks-libev
You also need to edit the Shadowsocks client configuration file and restart it to enable TCP fast open on Ubuntu desktop.
Enable TCP BBR
TCP BBR is a TCP congestion control algorithm that can drastically improve connection speed. Check out the following tutorial.
How to Easily Boost Ubuntu Network Performance by Enabling TCP BBR
For more usage on Shadowsocks, check the manual.
Every now and then, my Shadowsocks-libev proxy stops working and the following error is displayed on the server side when I check the status with systemctl.
ERROR: server recv: Connection reset by peer
On the client-side, the error returned by systemctl is:
ERROR: remote_recv_cb_recv: Connection reset by peer
I don’t know why it happens, but restarting the shadowsocks-libev service on the server can fix this issue.
I don’t want to manually restart the service every time, so I add a cron job to do it for me periodically.
sudo crontab -e
Put the following line at the end of the file.
0 */3 * * * /bin/systemctl restart shadowsocks-libev
This will restart the service every 3 hours. That is to say, restart happens at 12am, 3am, 6am, 9am and so forth. Note that the time is determined by cron. It is not determined by calculating how long the service has been running.
If you see the following error in Shadowsocks-libev log.
ERROR: unable to resolve This means the Shadowsocks-libev server can’t successfully resolve DNS. It’s helpful to specify a DNS server in the /etc/shadowsocks-libev/ file. Just add the following line in the file and restart the shadowsocks-libev service.
“name_server”:”1. 1. 1″,
If you have your own DNS resolver running on the Shadowsocks server, you can specify 127. 1 as the name server.
Remember that in the JSON file, the last line doesn’t end with a comma.
That’s it! I hope this tutorial helped you install Shadowsocks-libev proxy on Ubuntu. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks
Installing and running shadowsocks on Ubuntu Server – gists …
Installing and running shadowsocks on Ubuntu Server
16. 10 yakkety and above
Install the the shadowsocks-libev package from apt repository.
sudo apt update
sudo apt install shadowsocks-libev
Save as /etc/shadowsocks-libev/
Replace server_port and password in with your own choices.
Restart the shadowsocks-libev service.
sudo systemctl restart shadowsocks-libev
sudo systemctl status shadowsocks-libev
16. 04 xenial
Install shadowsocks with pip.
sudo apt install python-pip
sudo pip install shadowsocks
Save under /etc/shadowsocks/.
Save rvice under /usr/lib/systemd/system/
Enable the systemd service.
sudo systemctl enable ssserver
sudo systemctl start ssserver
sudo systemctl status ssserver
14. 04 trusty
sudo apt-get update
sudo apt-get install python-pip
Save,, under /etc/shadowsocks/.
Put the following in /etc/ to start ssserver upon server start.
# Start shadowsocks server
Use TCP BBR
This will enable TCP BBR congestion control algorithm to improve network bandwidth utilization (10x improvement is not uncommon).
Install linux kernel 4. 9
Note: do this only if the distribution comes with a older kernel version.
sudo dpkg -i $(basename $URL)
Enable TCP BBR
echo “” | sudo tee $SYSCTL_CONF
echo “p_congestion_control=bbr” | sudo tee -a $SYSCTL_CONF
sudo sysctl -p $SYSCTL_CONF
lsmod | grep bbr
“server”: “0. 0. 0”,
“nameserver”: “8. 8. 8”}
Description=Daemon to start shadowsocks server
ExecStart=/usr/local/bin/ssserver -c /etc/shadowsocks/ -qq
sudo /usr/local/bin/ssserver -c /etc/shadowsocks/ –user nobody -qq -d start
sudo /usr/local/bin/ssserver -c /etc/shadowsocks/ -d stop
How to install and configure Shadowsocks server – Hostens
Shadowsocks is a free and light socks5 web proxy. It is mostly used to bypass some network censorship and restrictions on the Internet.
Preparation for the install, generally updating the system and installing epel release. Afterward, we install additional tools that will be necessary for socks5:
yum update -y
yum install epel-release -y
yum install -y gcc gettext autoconf libtool automake make pcre-devel asciidoc xmlto udns-devel libev-devel libsodium-devel mbedtls-devel git m2crypto c-ares-devel
We download the Shadowsocks from GIT and install it:
git clone git submodule update –init –recursive. /. /configure
make && make install
Configuring the Shadowsocks
Adding a new system user for Shadowsocks.
adduser –system –no-create-home -s /bin/false shadowsocks
Creating a directory and configuration file.
mkdir -m 755 /etc/shadowsocks
touch & nano /etc/shadowsocks/
Configuration file content should consist of the following lines, while values are adjusted to your situation:
A short explanation of the options for your config file:
server – enter your server’s public IP;
server port– enter any available port that you will be using to connect to Shadowsocks proxy at your server;
password – a password that you will use to connect to the Shadowsocks server from your device;
timeout – a value that determines when to close the session when inactive;
method – an encryption method. AEAD cipher seems to be the most secure option, like “aes-256-gcm“, but you can browse other stream ciphers here;
fast_open – it can be “true” or “false” values. If you are using a kernel higher than 3. 7. 1 (Linux VPS), it reduces latency when “true“. Otherwise, not necessary.
Once you configured the Shadowsocks, it’s convenient to create it as Systemd service:
touch & nano /etc/systemd/system/rvice
Configuration file content is below, just copy it:
Description=Shadowsocks proxy server
ExecStart=/usr/local/bin/ss-server -c /etc/shadowsocks/ -a shadowsocks -v start
ExecStop=/usr/local/bin/ss-server -c /etc/shadowsocks/ -a shadowsocks -v stop
Start the service:
systemctl enable shadowsocks
systemctl start shadowsocks
Alternatively you can use “stop“, “restart” or “status” options as well.
All of our VPS servers use iptables, so you will have to adjust iptables settings to allow traffic via your Shadowsocks port:
iptables -4 -A INPUT -p tcp –dport 8388 -m comment –comment “Shadowsocks” -j ACCEPT
That is it. Shadowsocks is installed, configured, and hopefully running on your server. In order to connect to it, you will need a Shadowsocks client on your device. You can find a client for almost any device here. Install it and connect to your Shadowsocks server. You will need the server details that are configured on file “/etc/shadowsocks/“.
More information can be found below:
Frequently Asked Questions about shadowsocks linux server
How do I run Shadowsocks on Linux?
Installing and running shadowsocks on Ubuntu ServerInstall the the shadowsocks-libev package from apt repository. sudo apt update sudo apt install shadowsocks-libev.Save ss. json as /etc/shadowsocks-libev/config. … Replace server_port and password in ss. json with your own choices.Restart the shadowsocks-libev service.
How do I run Shadowsocks server?
Configuring the Shadowsocksserver – enter your server’s public IP;server port– enter any available port that you will be using to connect to Shadowsocks proxy at your server;password – a password that you will use to connect to the Shadowsocks server from your device;More items…
How do I setup a SOCKS5 proxy?
Using SOCKS5 Proxy for US Netflix Go to Advanced and click the Network tab. Under Connection > Configure how Firefox connects to the Internet, click Settings… First, change Configure Proxies to Access the Internet to Manual proxy configuration. Under SOCKS Host enter the URL or IP address of your proxy server.