Shadowsocks for Android – Guides | Mullvad VPN
Unable to surf the entire web because you’re stuck behind a restrictive firewall? Then Shadowsocks might be your answer.
In this Android guide, we’ll walk you through the steps to use this proxy to connect to Mullvad’s servers using the OpenVPN client.
What is Shadowsocks?
Please see our Intro to Shadowsocks guide.
Requirements
To use this guide, you need
an Android device
to have completed our guide on setting up Mullvad on Android before continuing.
Set-up instructions
1. Set up the Shadowsocks app
From the Play Store on your device, search for and install the Shadowsocks app (from TrueNight) or get the Shadowsocks FOSS app from F-Droid
Open the app once it has installed.
Tap on the ☰ menu icon, then Settings.
Tap on Service mode and select Proxy only.
Tap on your device’s back button.
Tap on the plus icon and select Manual Settings.
Tap on Server, change the number to the IP address of one of our bridge servers (uncheck OpenVPN and WireGuard on the Servers page), and click OK. To get the IP address you can ping the hostname, for example ping
Tap on Remote Port, change the number to “443”, and click OK.
Tap on Password, change the entry to “23#dfsbbb”, and click OK.
Tap on Encrypt Method, select CHACHA20, and click OK.
Tap on the checkmark icon to save your settings.
2. Set up the OpenVPN app
First install OpenVPN for Android
Download OpenVPN configuration file for Android from our website and make sure Connect via bridges is checked
Open the OpenVPN for Android app.
Tap on the + icon and tap on import and then select the OpenVPN configuration file that you downloaded in step #2
Tap on the edit icon next to the profile you want to use as your exit location.
In the top menu, tap on ADVANCED, CUSTOM OPTIONS
Add the line: socks-proxy 127. 0. 1 1080
Swipe the top menu until you see ALLOWED APPS. Tap on it.
Make sure that VPN is used for all apps but exclude selected is enabled.
Scroll down the list and enable Shadowsocks.
3. Connect using Shadowsocks
In the Shadowsocks app, select your new configuration and then tap on the connect icon (a paper airplane)
In the OpenVPN app, connect to the server you just finished editing by tapping on the name (not the edit icon) of the profile. The first time you connect to a profile, you will be asked for a username and password:
username – use your Mullvad account number (without any spaces)
password – use the letter m
Both apps should show as being connected. Congrats!
Test your connection with our Connection check. Note that it will only show the OpenVPN exit server, not the Shadowsocks server.
Shadowsocks Review 2021: Before You Buy, Is It Worth It? – WizCase
To connect to Shadowsocks, you need to either rent or buy a server from a third party. Shadowsocks was designed this way so everyone using it would have a different configuration because they would be renting servers from different third parties. This makes it harder for China’s firewall to detect your traffic. Server rental companies operate data centers all around the world and let you rent servers from them.
An app called Outline makes it easy to rent a server from several services and then connect to it with Shadowsocks. Outline automates the process of renting a server from DigitalOcean, Google Cloud, or Amazon Lightsail. Outline recommends using DigitalOcean because it is easy to set up and cost-effective.
The Outline client makes it easy to rent and run your own Shadowsocks-enabled server
These server rental firms don’t offer the features of a VPN, like zero-logs policies to hide your activities, streaming optimized servers, or lightning-fast speeds. You’re also limited to very few servers, which means you’ll be left with no alternatives if there’s a technical problem or your IP gets blocked. That’s why I recommend you try using Private Internet Access (PIA) to connect via Shadowsocks instead. With over 34400 super-fast servers, you have literally thousands of backups if one has a technical issue. Plus, PIA lets you connect with the Shadowsocks protocol. This gives you the advantages of a VPN and Shadowsocks all in one (for less per month than renting a server).
Shadowsocks will get you past strong firewalls but it isn’t guaranteed to keep you safe. Unlike VPNs, Shadowsocks only gives you a way of getting around censorship by disguising your traffic with HTTPS (a data transfer protocol that tricks government filters).
The Outline client makes it easy to connect using Shadowsocks, but it doesn’t have zero-logs policies or encryption to hide your data. That means server operators, ISPs, and other third parties might be able to see what you’re doing online when you use Shadowsocks. You’ll also be vulnerable to common online threats like phishing emails, malware, and scammers on public Wi-Fi networks. To defend against spying and cybercrime, you need a premium VPN.
Shadowsocks was built with the main purpose of bypassing censorship — privacy or anonymity have never been priorities for its developers. Your privacy will be mainly determined by which server you use with Shadowsocks but even if you rent a server that offers powerful encryption protocols, it might not be enough to protect your privacy.
Although Shadowsocks itself does not keep logs, some server rental services do while you use them or put your privacy at risk by partnering with third-party data firms. For example — while DigitalOcean promises not to log your online activities, it partners with SolarWinds to provide server analytics. When SolarWinds got hacked, millions of users (including DigitalOcean users and employees of US government agencies) had their data compromised. Incidents like this show that only a top-tier VPN with a proven no-logs policy and military-grade cipher can offer sufficient protection for your data from malicious third parties.
While it won’t encrypt your connection, you can torrent with Shadowsocks as long as the server you’re connecting to allows it. If you use a server with no encryption, torrent speeds will be faster than with a traditional VPN — but you also won’t stay anonymous. While you should never use torrent sites to violate copyright law, even accidental downloads of protected material could get you in legal trouble. If safety is a priority for you when torrenting I would not recommend Shadowsocks. I prefer a super-fast VPN that ensures I remain anonymous and keeps my data safe while torrenting.
Does Shadowsocks Work in China? Yes!
Created by an anonymous Chinese hacker calling themselves “clowwindy” to bypass internet blocks, Shadowsocks reliably works in China.
Recently, China has cracked down on VPNs that were previously able to bypass China’s strong firewall. Only a few VPNs work in China and they rely on well-known protocols to encrypt data. This has allowed Chinese censors to create machine-learning technology that can often identify these protocols and block the VPNs supporting them.
While a VPN is rerouting your traffic through a server in a different location, Shadowsocks is disguising the connection between your local computer and a proxy server. Shadowsocks relies on you renting, buying, or creating your own proxy servers. You will therefore have a different configuration to other Shadowsocks users who use other server providers. Its non-centralized system makes it less likely for officials to detect your traffic as each Shadowsocks connection looks a little different.
Although officials are aware of Shadowsocks and have attempted to block its use in China, it still remains one of the more reliable tools to circumvent censorship. This is because Shadowsocks is open-source and anyone can maintain, alter and release new versions of Shadowsocks if a version of it gets blocked.
If you are traveling to China and need access to your emails and other online accounts, the easiest way to rent servers and use Shadowsocks is through a third-party app. I used Outline to rent and connect servers to Shadowsocks. You can download Outline straight from its website, rent a server located outside China using Outline’s manager and connect to the open web.
Shadowsocks makes it easy to open up the restricted web in other countries like Saudi Arabia, Russia, and UAE. Just take note that non-approved VPNs and using circumvention tools to bypass censorship aren’t legal in these countries. The protection of a VPN or circumvention tool doesn’t give you the license to break the law.
Install Shadowsocks-libev SOCKS5 proxy server – Tutorial
Tutorials How to install Shadowsocks-libev SOCKS5 proxy server
Shadowsocks is a free open-source SOCKS5 proxy widely used to protect privacy on the Internet. Shadowsocks-libev, written in C, ports Shadowsocks to create a regularly maintained, lighter and faster version of the original Shadowsocks. The data passing through the Shadowsocks-server and Shadowsocks-client is encrypted and can be made indistinguishable from any other web traffic to avoid third-party monitoring.
In this tutorial, we’ll show the steps for installing Shadowsocks-libev on a cloud server, configuring the proxy server, and using a client to connect to the proxy. The instructions are given here for CentOS 8, Debian 10 and Ubuntu 20. 04 but the process should be much the same on any operating system supported by Snap.
Test hosting on UpCloud!
Installing Shadowsocks-libev
Shadowsocks-libev recommends using their Snap releases for an easy way to install the latest binaries.
On CentOS 8 servers you will need EPEL repository before you can install Snap. Add it using the following commands:
sudo dnf install -y epel-release
sudo dnf update -y
Then install and enable Snap by running the next two commands:
sudo dnf install -y snapd
sudo systemctl enable –now
For Debian 10 and Ubuntu 20. 04 systems, first, update the server software and then install Snap with the commands below.
sudo apt update && apt upgrade -y
sudo apt install -y snapd
Before installing Shadowsocks-libev, you may wish to install haveged to improve randomness but this is optional.
# CentOS 8
sudo dnf install -y haveged
# Debian 10 and Ubuntu 20. 04
sudo apt install -y haveged
Once you have Snap and the optional haveged installed, reboot the server before continuing.
sudo reboot
When your cloud server is up and running again, log back in over SSH. Then install Shadowsocks-libev proxy via Snap using the following command:
sudo snap install shadowsocks-libev
Once you’ve installed Shadowsocks-libev, continue to the next section about how to configure the proxy server.
Configuring proxy server
Snap will install Shadowsocks-libev for you but it’ll need a little help with the setup. Make a directory to hold your configuration files.
sudo mkdir -p /var/snap/shadowsocks-libev/common/etc/shadowsocks-libev
Next, create a JSON file for Shadowsocks-libev configuration. It can be named anything. Here we are using simple config as the name.
sudo touch /var/snap/shadowsocks-libev/common/etc/shadowsocks-libev/
Then edit the file and add the following configuration to the file.
sudo nano /var/snap/shadowsocks-libev/common/etc/shadowsocks-libev/
{
“server”:[“[::0]”, “0. 0. 0”],
“mode”:”tcp_and_udp”,
“server_port”:443,
“password”:”your-secure-password”,
“timeout”:60,
“method”:”chacha20-ietf-poly1305″,
“nameserver”:”1. 1. 1″}
Let’s go over each of the configuration parameteres and what they do.
Server
The example configuration uses the server definition values which accept any IP address, both IPv6 and IPv4:
“server”:[“::0”, “0. 0”],
Not binding to a specific address can be useful if you wish to create a template of the configuration or a custom image of your Shadowsock server. This way the configuration will work regardless of the public IP address.
You can also use your public IPv6 and IPv4 addresses, for example:
“server”:[“2a04:3543:1000:2312:4631:c1ff:feb5:01f0”, “95. 123. 198. 234”],
If you have a domain name that resolves to your cloud server’s IP address, you can also use it to have the proxy only respond to a certain domain.
“server”:””,
Mode
The different modes define the data communication protocol used by the proxy. There are three valid values for “mode”:
1. “tcp_and_udp”
2. “tcp_only”
3. “udp_only”
Using both TCP and UDP allows the proxy to negotiate the best connection available at the time and should be fine. If your network has specific requirements or restrictions, you may need to select tcp_only.
Server port
Our example Shadowsocks config uses the port 443 but it can be set to any free port. If you’re not using HTTP (80) or HTTPS (443) ports by hosting a website on the same server, you should use either of these ports. Note that using a common port such as 80 or 443 can attract unauthorised connection attempts so make sure your password is secure.
Password
The server password is used to authenticate connections to the proxy. Make sure to select a secure password with adequate complexity and length.
Timeout
This is the socket timeout in seconds. The example value of 60 should be fine. However, if you installed Shadowsocks from backports you might need to set it higher but it’s suggested you keep it under 5 minutes, i. e. 300 seconds.
Method
The method refers to the encryption cipher used by the proxy to secure the communications. The cipher used in the example config is a modern and efficient option:
“method”:”chacha20-ietf-poly1305″
You can choose other ciphers if you want. Another popular alternative is:
“method”:”aes-256-gcm”
Nameserver
Our example also includes a domain name server which is not strictly necessary. Without this parameter the proxy will use the DNS used by your cloud server. You can have Shadowsocks use your preferred DNS by setting the nameserver in your config file.
For example, to use Google’s DNS, enter the following:
“nameserver”:”8. 8. 8″
Or if you prefer Cloudflare’s DNS, use their IP address instead:
“nameserver”:”1. 1″
Once you are done editing the configuration, save the file ctrl+o and exit the editor ctrl+x.
Creating systemd service unit
Shadowsocks-libev can be run manually in the terminal but this isn’t very practical in the long-term. Instead, create a systemd service unit file using the following command:
sudo touch /etc/systemd/system/[email protected]
Next, open the newly created file for edit:
sudo nano /etc/systemd/system/[email protected]
Then copy and paste the following content into the file:
[Unit]
Description=Shadowsocks-Libev Custom Server Service for%I
Documentation=man:ss-server(1)
[Service]
Type=simple
ExecStart=/usr/bin/snap run -c /var/snap/shadowsocks-libev/common/etc/shadowsocks-libev/
[Install]
Afterwards, save the file and exit the editor.
You can then enable the systemd service unit for your config file by running the following command. Note that the @config is used to select the configuration file, in this case, but without the file format notation.
sudo systemctl enable –now [email protected]
Check that the server started up successfully by using the status command:
sudo systemctl status [email protected]
You should see Shadowsocks listening to the IP addresses, ports and protocols you defined in the configuration. In our example output below, you can see both TCP and UDP running on IPv4 and IPv6 addresses as set in the configuration step.
● [email protected] – Shadowsocks-Libev Custom Server Service for config
Loaded: loaded (/etc/systemd/system/[email protected]; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-08-30 10:37:06 UTC; 3s ago
Docs: man:ss-server(1)
Main PID: 1229 (ss-server)
Tasks: 1 (limit: 1074)
Memory: 18. 0M
CGroup: /x2dlibev[email protected]
└─1229 /snap/shadowsocks-libev/508/bin/ss-server -c /var/snap/shadowsocks-libev/common/etc/shadowsocks-libev/
Aug 30 10:37:06 systemd[1]: Started Shadowsocks-Libev Custom Server Service for config.
Aug 30 10:37:07 snap[1229]: 2020-08-30 10:37:07 INFO: UDP relay enabled
Aug 30 10:37:07 snap[1229]: 2020-08-30 10:37:07 INFO: initializing ciphers… chacha20-ietf-poly1305
Aug 30 10:37:07 snap[1229]: 2020-08-30 10:37:07 INFO: using nameserver: 1. 1
Aug 30 10:37:07 snap[1229]: 2020-08-30 10:37:07 INFO: tcp server listening at [::0]:443
Aug 30 10:37:07 snap[1229]: 2020-08-30 10:37:07 INFO: tcp server listening at 0. 0:443
Aug 30 10:37:07 snap[1229]: 2020-08-30 10:37:07 INFO: udp server listening at [::0]:443
Aug 30 10:37:07 snap[1229]: 2020-08-30 10:37:07 INFO: udp server listening at 0. 0:443
Aug 30 10:37:07 snap[1229]: 2020-08-30 10:37:07 INFO: running from root user
With Shadowsocks-libev proxy server up and running, we are almost ready to start testing the connection. Before then, check the next part of the tutorial to configure your firewall to allow a connection.
Allowing connection through firewall
If you are using a firewall like UFW or firewalld, make sure you open up the port used by server_port as set in the configuration file, port 443 in this example.
# Ubuntu
sudo ufw allow 443
# CentOS
sudo firewall-cmd –add-service= –permanent
sudo firewall-cmd –reload
If you’re not using a software firewall on your server we recommend enabling the UpCloud’s Firewall service on your cloud server.
Check out the tutorial for managing UpCloud Firewall to find out more.
Connecting using proxy client
Shadowsocks-libev is now ready for proxy connections. To be able to connect to your Shadowsocks proxy server, you’ll need a client.
Client software
Shadowsocks is supported by a number of different clients and devices. You can find the list of available clients for your devices at the Shadowsocks download page.
Install a client of your choosing and test out the connection with the help of the details below.
For example, you can use the same Shadowsocks-libev software in client mode by installing it on your local system. Follow the installation steps like when installing the Shadowsocks-libev server then continue in the Linux client configuration step underneath.
Configuring mobile devices
As a light-weight proxy, Shadowsocks-libev works great with mobile devices. If you want a quick way to connect using a smartphone, go to the Shadowsocks’ QR generator and fill your config details in the following format:
ssmethod:[email protected]:port
Replace the hostname with your server’s public IP if you are using the IPs instead of a domain name. For example:
sschacha20-ietf-poly1305:[email protected]:443
Then import the generated URI or QR code on your device using the client software. Select the imported profile and activate the connection. And finally, configure your system to use the proxy.
In mobile devices like iOS and Android, the connection can serve as a full VPN.
Configuring another Linux host
Connecting using the Shadowsock-libev as a client can be done by configuring the proxy in localhost mode. Once installed, create file as underneath.
Set the file to include the server IP address and port as you configured on the proxy server. Also, include local address and port like shown below. Lastly, set the password and encryption method to match your Shadowsocks proxy server.
“server”:”95. 234″,
“local_address”:”127. 1″,
“local_port”:1080,
“method”:”chacha20-ietf-poly1305″}
Next, create a systemd unit file for the Shadowsocks client and edit it to have the following content.
Description=Shadowsocks-Libev Local Service for%I
Documentation=man:ss-local(1)
Once done, save the file and exit the editor.
Then start the client proxy using the following command. Note that the @config is used to select the configuration file, e. g. but without the file format.
sudo systemctl start [email protected]
The local proxy creates a connection to your cloud server and allows data to pass through them. To actually have application data to use the proxy, you’ll need to configure your web browser or operating system to use the local proxy. The actual process depends on your use case but by our configuration, the proxy is running on the IP 127. 1 and port 1080.
Testing the connection
Once you are connected, check that your traffic is running through the proxy. For example, open the following URL to test the IP address you are connecting from as seen by others on the Internet.
Alternatively, you can test it directly by using curl in the terminal:
curl –proxy socks5127. 1:1080 Or by starting Google Chrome with the following command-line option:
google-chrome –proxy-server=”socks5127. 1:1080″
You should then see your connection details listing the IP address of your cloud server instead of the IP of your client device.
Note that using a VPN connection to your cloud server does not guarantee anonymity and any network traffic must comply with UpCloud Terms of Service and Acceptable Use Policy.
Making further optimisations
You should now have a fully functional proxy securing your connection to your cloud server. You may not need any additional optimisations, but in the off-chance that you are having a less than ideal experience, the following tweaks might help.
Increasing open file descriptors
Check the current values by running:
ulimit -aH
If open files parameter shows less than 51200, do the following:
Open the file in a text editor.
sudo nano /etc/security/
Then add the following lines just before the # End of file:
* soft nofile 51200
* hard nofile 51200
Alternatively, use the following if the proxy server is running as root:
root soft nofile 51200
root hard nofile 51200
Tuning the kernel parameters
Depending on the performance of your proxy server, you may wish to make the following changes to your system configuration:
sudo nano /etc/
Add the following lines to the end of the file:
= 51200
= 250000
= 4096
p_syncookies = 1
p_tw_reuse = 1
p_tw_recycle = 0
p_fin_timeout = 30
p_keepalive_time = 1200
net. ipv4. ip_local_port_range = 10000 65000
p_max_syn_backlog = 8192
p_max_tw_buckets = 5000
p_fastopen = 3
p_mtu_probing = 1
= 67108864
p_mem = 25600 51200 102400
p_rmem = 4096 87380 67108864
p_wmem = 4096 65536 67108864
Then save the file and run the command below to reload the settings.
sudo sysctl -p
Using TCP BBR
TCP BBR is a TCP congestion control algorithm developed by Google and its been reported to improve performance on certain networks. You can enable it by adding the following to lines to your system configuration file.
p_congestion_control=bbr
Then save the file and reload the settings.
Check the changes by running the next command.
sudo sysctl p_congestion_control
If the output is as follows the setting was applied successfully.
p_congestion_control = bbr
These optimisations should help alleviate any possible performance issues.
Locations
Helsinki (HQ)
London
Singapore
Seattle
In the capital city of Finland, you will find our headquarters, and our first data centre. This is where we handle most of our development and innovation.
London was our second office to open, and a important step in introducing UpCloud to the world. Here our amazing staff can help you with both sales and support, in addition to host tons of interesting meetups.
Singapore was our 3rd office to be opened, and enjoys one of most engaged and fastest growing user bases we have ever seen.
Seattle is our 4th and latest office to be opened, and our way to reach out across the pond to our many users in the Americas.
Frequently Asked Questions about shadowsocks proxy
How do I use Shadowsocks proxy?
Set-up instructionsFrom the Play Store on your device, search for and install the Shadowsocks app (from TrueNight) or get the Shadowsocks FOSS app from F-Droid.Open the app once it has installed.Tap on the ☰ menu icon, then Settings.Tap on Service mode and select Proxy only.Tap on your device’s back button.More items…•May 15, 2021
Is Shadowsocks VPN good?
Is Shadowsocks a good proxy? As long as you have a server you can use, Shadowsocks is a reliable proxy. It has given access to censored websites in China consistently for years, even as authorities have kept trying to block it. If you don’t own or rent a server, you’re better off using a VPN like ExpressVPN.Sep 4, 2021
What is Shadowsocks VPN?
Shadowsocks is a tunneling proxy developed to be free, open-source, and mainly used by Chinese people to bypass the Great Firewall restrictions. While using, it covers your browser traffic only, and it is almost impossible to detect and block it.Apr 7, 2021