Slackware ShadowSocks server
12 July 2020The ShadowSocks protocol is something I came across because a friend who is due to go back to China was asking about mobile proxies, and it was one of the protocols supported by an iPhone VPN app they had ended up buying. Since my existing StrongSwan IKEv2 server needed updating due to an expired certificate, I ended up deciding to try it for myself. Although distributed in source form the instructions for building & installing it on Linux assume Ubuntu, but since I mostly use Slackware I decided to work out how to build it for the latter. This article documents what I did to get it working.
After doing some background reading into ShadowSocks what struck me was how lightweight it is, in particular requiring a minimal amount of setup to get a proxy server operational. I suspect this is intentional because the typical life-expectency of VPN servers used to access blocked websites from China is often limited, so fast setup is favoured over pretty much everything else. Unlike most VPNs it is about getting outside rather than inside.
Software dependencies
Normally when I install Slackware I install pretty much all the disksets but for some reason the server I used to build ShadowSocks only had a subset of them installed, which was resulting in some odd error messages. The list below is probably not complete but it is the packakes that are most likley going to be missing.git
autoconf
automake
cmake
libtool
libarchive
libxslt
linuxdoc-tools
m4
mbedtls
libsodium
c-aras
libev
Building ShadowSocks
This is more or mess cut'n'pasted from the ShadowSocks online documentation, although with two notable changes: Specifically building version3.3.4
rather than the bleeding-edge latest, and it is placed under /opt
rather than the default location.
git clone https://github.com/shadowsocks/shadowsocks-libev.git cd shadowsocks-libev git checkout v3.3.4 git submodule update --init ./configure --prefix=/opt/shadowsocks make make install
Setup and running
ShadowSocks uses a small JSON file for configuration, and anyone with any sort of background in computer networking can easily guess what each parameter represents. The only odd one ismethod
which is the encryption algorithm that is to be used.
If server
has the interface's actual IP address rather than the bind-to-everything place-holder 0.0.0.0
then it is possible, with the addition of other parameters the server part ignores, for the same config file to be used by both servers and clients.
{ "server" : "0.0.0.0", "server_port" : 8388, "password" : "sekret", "timeout" : 600, "method" : "aes-256-cfb", "user" : "nobody" }
The server can then be started using a command much like that below; parameters can instead be specified on the command-line, which will be demonstrated for the client setup. The -c
parameter give the configuration file. The -f
parameter daemonises the program so that it runs in the background, and writes the PID to the specified file.
/opt/shadowsocks/bin/ss-server -c /opt/shadowsocks/etc/shadowsocks.json -f /run/shadowsocks.pid
Client setup
For mobiles an Android client is available on Google Play, whereas for desktops there are basically two ways to route traffic: Applications individually using a local Socks proxy, and system-wide traffic using some fancy iptables rules. So far I have not tried out the latter. Most people will only be interested in browser traffic, in which case they can use the following to connect toproxy.example.com:8388
with password sekret
and aes-256-cfb
as the encryprion algorithm.
ss-local -s proxy.example.com -p 8388 -l 1080 -m aes-256-cfb -k sekret
A Socks proxy will appeaer on the local machine on port 1080
which Chrome/Chromium can connect to using the following command-line. This is the same one as used by the similar Socks-over-SSH method of tunelling.
chromium-browser --proxy-server="socks5://127.0.0.1:1080" --host-resolver-rules="MAP * 0.0.0.0 , EXCLUDE localhost"
One thing to keep in mind is that ShadowSock is not known for informative error messages. If the wrong encryption key is used for instance, the server will spit out errors about bad addresses, rather than reporting a password mismatch.