(Considering the Wall's ability to block keywords, this column avoids sensitive words and is written in English.)
You know, we often get stuck in life, even on the Internet. As a heavy Internet user, I need to visit Google, Android Developer and GitHub very frequently, but these sites cannot be accessed normally in my country. After comparing the advantages and disadvantages of many solutions, I chose to set up a shadowsocks proxy on a foreign server. I will share my experience with each stage. Hope it works for you.
Catalogue
- Wiki
- Server Side Install
- Configure and start the service
- Optional: chacha20 encryption
- Optional: Optimizing shadowsocks
- Optional: Zeta-TCP
- Clients on Windows
Wiki
A foreign server is required first. I chose a DigitalOcean VPS located in San Francisco. Recommended VPS providers:
DigitalOcean provides cloud hosting in the US and Singapore, supports TCP Hybla by default, is low-cost, and accepts PayPal.
Linode provides cloud hosting in Japan and the US, with high bandwidth.
Bandwagonhost is a popular VPS (Virtual Private Server) provider owned by the Canadian company IT7 Networks Inc. You can use their CN2 GIA to get incredibly low latency and high stability for traffic moving between North America and East Asia, even during peak hours.
Shadowsocks-libev is a lightweight secured SOCKS5 proxy for embedded devices and low-end boxes. See the official site at github.com/shadowsocks/shadowsocks-libev for more introduction.
Cow is an HTTP proxy written in Go. It can automatically identify blocked sites and use parent proxies to access them. Official website: github.com/cyfdecyf/cow
TCP Hybla is a TCP enhancement for heterogeneous networks.
Server Side Install
Debian & Ubuntu
Build package from source
apt-get install build-essential autoconf libtool libssl-dev gawk debhelper git
git clone https://github.com/madeye/shadowsocks-libev.git
cd shadowsocks-libev
dpkg-buildpackage -us -uc
Install shadowsocks-libev
cd ..
dpkg -i shadowsocks-libev*.deb
Install supervisor
apt-get install supervisor
Configure and start the service
Edit the shadowsocks-libev configuration
vi /etc/shadowsocks-libev/config.json
With the following content:
{
"server":"0.0.0.0",
"server_port":443,
"password":"password",
"method":"aes-256-cfb",
"timeout":300
}
Edit the supervisor configuration
vi /etc/supervisor/conf.d/shadowsocks-libev.conf
With the following content:
[program:shadowsocks-libev]
command=ss-server -c /etc/shadowsocks-libev/config.json -u
autorestart=true
user=nobody
If server_port is below 1024 in config.json, change user=nobody to user=root.
Restart the supervisor
service supervisor restart
supervisorctl reload
After editing any files under /etc/supervisor/, update the supervisor configuration:
supervisorctl update
Make sure shadowsocks-libev is listening on the correct port:
netstat -lnp
Optional: chacha20 encryption
Change "method":"aes-256-cfb" to "method":"chacha20" and save, like this:
{
"server":"0.0.0.0",
"server_port":443,
"password":"password",
"method":"chacha20",
"timeout":300
}
Install required libs:
wget https://download.libsodium.org/libsodium/releases/LATEST.tar.gz
tar zxf LATEST.tar.gz
cd libsodium*
./configure
make && make install
Optimizing encryption speed:
apt-get install python-m2crypto
Restart the shadowsocks service.
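A check of config.json before the service is exposed, as an added example (not code from the original post or from the shadowsocks project). The AEAD method names are the ones the shadowsocks project documents; whether the package built above accepts them depends on its version, and the placeholder list and the 16-character minimum are assumptions.

```python
import json

# AEAD methods documented by the shadowsocks project. Stream methods such as
# aes-256-cfb or chacha20 encrypt without authenticating the ciphertext.
AEAD_METHODS = {
    "aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
    "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
}
# Constructed list of placeholder passwords, including the one on this page.
PLACEHOLDER_PASSWORDS = {"password", "changeme", "123456", ""}
MIN_PASSWORD_LEN = 16  # assumption: local policy, not a shadowsocks requirement


def audit_config(text, run_as="nobody"):
    """Return a list of (key, finding) tuples for one config.json document."""
    cfg = json.loads(text)
    findings = []
    password = cfg.get("password", "")
    if password.lower() in PLACEHOLDER_PASSWORDS:
        findings.append(("password", "placeholder value"))
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append(("password", "shorter than %d characters" % MIN_PASSWORD_LEN))
    method = cfg.get("method", "")
    if method not in AEAD_METHODS:
        findings.append(("method", "%r is not an AEAD cipher" % method))
    port = int(cfg.get("server_port", 0))
    if port < 1024 and run_as != "root":
        findings.append(("server_port", "user %s needs root or a bind capability for port %d" % (run_as, port)))
    elif port < 1024:
        findings.append(("server_port", "port %d keeps ss-server running as root" % port))
    return findings


# Constructed sample: the configuration shown on this page.
PAGE_CONFIG = '''{
"server":"0.0.0.0",
"server_port":443,
"password":"password",
"method":"aes-256-cfb",
"timeout":300
}'''

if __name__ == "__main__":
    for key, finding in audit_config(PAGE_CONFIG):
        print("%-12s %s" % (key, finding))
```

Pass run_as="root" when the supervisor entry uses user=root; a port of 1024 or higher lets the service stay under user=nobody.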
Optional: Optimizing shadowsocks
Debian & Ubuntu
Create /etc/sysctl.d/local.conf with the following content:
# max open files
fs.file-max = 51200
# max read buffer
net.core.rmem_max = 67108864
# max write buffer
net.core.wmem_max = 67108864
# default read buffer
net.core.rmem_default = 65536
# default write buffer
net.core.wmem_default = 65536
# max processor input queue
net.core.netdev_max_backlog = 4096
# max backlog
net.core.somaxconn = 4096
# resist SYN flood attacks
net.ipv4.tcp_syncookies = 1
# reuse timewait sockets when safe
net.ipv4.tcp_tw_reuse = 1
# turn off fast timewait sockets recycling
net.ipv4.tcp_tw_recycle = 0
# short FIN timeout
net.ipv4.tcp_fin_timeout = 30
# short keepalive time
net.ipv4.tcp_keepalive_time = 1200
# outbound port range
net.ipv4.ip_local_port_range = 10000 65000
# max SYN backlog
net.ipv4.tcp_max_syn_backlog = 4096
# max timewait sockets held by system simultaneously
net.ipv4.tcp_max_tw_buckets = 5000
# turn on TCP Fast Open on both client and server side
net.ipv4.tcp_fastopen = 3
# TCP receive buffer
net.ipv4.tcp_rmem = 4096 87380 67108864
# TCP write buffer
net.ipv4.tcp_wmem = 4096 65536 67108864
# turn on path MTU discovery
net.ipv4.tcp_mtu_probing = 1
# for high-latency network
net.ipv4.tcp_congestion_control = hybla
# for low-latency network, use cubic instead
# net.ipv4.tcp_congestion_control = cubic
Then:
sysctl --system
Warning: DO NOT ENABLE net.ipv4.tcp_tw_recycle!!!
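To confirm that the settings actually took effect after sysctl --system, the following added example (not part of the original post) compares a sysctl.d file with the values under /proc/sys. It reports a key the running kernel does not have and a value the kernel refused, such as hybla when the tcp_hybla module is not loaded; the sample kernel values are constructed.

```python
import os

def parse_sysctl_conf(text):
    """Parse sysctl.d syntax into {key: value}, skipping comments and blanks."""
    wanted = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        wanted[key.strip()] = " ".join(value.split())
    return wanted

def read_live(key, root="/proc/sys"):
    """Read the running kernel's value; None when the kernel lacks the key."""
    try:
        with open(os.path.join(root, key.replace(".", "/"))) as fh:
            return fh.read()
    except OSError:
        return None

def verify(conf_text, reader=read_live):
    """Return {key: (wanted, live)} for every setting that did not take effect."""
    mismatches = {}
    for key, wanted in parse_sysctl_conf(conf_text).items():
        live = reader(key)
        if live is not None:
            live = " ".join(live.split())  # /proc separates fields with tabs
        if live != wanted:
            mismatches[key] = (wanted, live)
    return mismatches

# Constructed sample: four settings from the file above, checked against a
# simulated kernel where tcp_hybla is not loaded and tcp_tw_recycle is absent.
SAMPLE_CONF = """
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_congestion_control = hybla
"""
SAMPLE_LIVE = {
    "net.ipv4.tcp_rmem": "4096\t87380\t67108864\n",
    "net.ipv4.tcp_syncookies": "1\n",
    "net.ipv4.tcp_congestion_control": "cubic\n",
}

if __name__ == "__main__":
    for key, (wanted, live) in verify(SAMPLE_CONF, SAMPLE_LIVE.get).items():
        print("%s: wanted %r, live %r" % (key, wanted, live))
```

On the server, call verify(open("/etc/sysctl.d/local.conf").read()) to use the real /proc/sys reader.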
If you use Supervisor, make sure you have the following line in /etc/default/supervisor:
ulimit -n 51200
Once you have added that line, restart Supervisor:
service supervisor stop && service supervisor start
See more info at the source: Optimizing-Shadowsocks
Optional: Zeta-TCP
Serverspeeder now provides a free Zeta-TCP service. We can deploy it on our server to improve the end-to-end performance of TCP.
Install
wget http://my.serverspeeder.com/d/ls/serverSpeederInstaller.tar.gz
tar xzvf serverSpeederInstaller.tar.gz
bash serverSpeederInstaller.sh
Enter your Serverspeeder account and press Enter to keep the defaults for the other settings during the installation process.
Some configuration
vi /serverspeeder/etc/config
Set rsc="1" (RSC NIC driver mode), advinacc="1" (traffic-direction acceleration) and maxmode="1" (maximum transmission mode).
Restart service
/serverspeeder/bin/serverSpeeder.sh stop
/serverspeeder/bin/serverSpeeder.sh start
Clients on Windows
Edit rc.txt (Windows) with the following content:
# Local HTTP proxy address
# Use this address when configuring HTTP and HTTPS proxies
# Or enter http://127.0.0.1:7777/pac in the automatic proxy configuration
listen = http://127.0.0.1:7777
# shadowsocks second-level (parent) proxy
proxy = ss://aes-256-cfb:password@1.2.3.4:443
Then open Internet Explorer and click Tools, Internet Options. In the Internet Options window, click Connections, LAN settings. Check "Use automatic configuration script" and fill in the Address box with the following content:
http://127.0.0.1:7777/pac