ShadowsocksR Clients and Server

ShadowsocksR Clients and Server

This article shows you how to install ShadowsocksR (SSR) on Windows, Android, and Linux clients, and how to create a private ShadowsocksR server.

On July 27, 2017, the breakwa11 ShadowsocksR repositories were deleted from Github. This page links to copies of the software from the ShadowsocksRR (SSRR) repositories.

This article comprises these sections:

• Windows Client
  • Download
  • Add Server
  • Scan QR Code
  • Mode
  • Options
• Android Client
• Linux Client
• Server
• Advanced Server Configuration
  • Optimize System
  • Restrict Outbound ports
  • Restart ShadowsocksR
• Free Servers
• Support

Windows Client

Download

To extract the Windows C# client, you will need to use 7-Zip. Therefore first download and install 7-zip.

Now download the Windows C# client software from Github. For your convenience, the download is also mirrored here.

At the time of writing, the latest release has file name ShadowsocksR-win-4.8.0.rar. The file size is 823,114 bytes. The SHA256 sum is 14135ef9 a7e2ca8a 084a6b2f 74a4cb4d 17fc114f 9dc52329 3e219aca 189014b0. You can check this on Windows using 7-Zip by right-clicking on the file, and doing CRC SHA and then SHA 256.

To unzip the download, right-click on the downloaded file, choose the 7-Zip set of options, and extract the downloaded file into its own folder. The new folder will have a name ShadowsocksR-win-4.8.0.

In Windows Explorer, change into the folder for ShadowsocksR.

Choose your executable depending on how modern your Windows PC is:

• For >= Windows 8 or with .NET 4.0, use ShadowsocksR-dotnet4.0.exe
• For <= Windows 7 or with .NET 2.0, use ShadowsocksR-dotnet2.0.exe

Double-click on the appropriate application file to launch the program.

Add Server

To add a server, open the system tray notification area, and find the ShadowsocksR icon. It looks like a paper airplane. Right-click on the ShadowsocksR icon to bring up the control options. Choose Servers then Edit servers....

Fill in your server details, and click OK. (You may need to quit and restart ShadowsocksR when you change the first entry.)

Scan QR Code

If someone has shared a quick-response (QR) code with you, you can use the option Scan QR code from screen... to add a server.

Mode

In global mode, any Windows application that is set up to use the Windows system proxy server settings will send its traffic through ShadowsocksR.

• For example, Microsoft Edge will automatically send its traffic through ShadowsocksR if this option is set.
• In Windows 10, you can see what your current setting is in Settings > Network & Internet > Proxy.

The opposite of global mode is to disable the system proxy feature. Then you will have to manually configure each application to send its traffic through ShadowsocksR.

• You can do this in Firefox under Options > Advanced > Network >Settings. If you are going to do this, make sure you also proxy your DNS traffic.
• If you are using Chrome instead of Firefox, you can do something similar with the extension Proxy SwitchyOmega by FelisCatus. Configure SwitchyOmega for a SOCKS5 proxy server at address 127.0.0.1 port 1080.

Options

To control ShadowocksR, again open the system tray notification area, and find the ShadowsocksR icon. It looks like a paper airplane. It will be color-coded depending on your current Mode setting. Right-click on the ShadowsocksR icon to bring up the control options.

• Mode controls whether SSR will disable Windows system-wide proxying, use proxy automatic configuration (PAC), act as a global system-wide proxy, or leave the Windows system-wide proxy settings unchanged
• PAC populates the proxy automatic configuration (PAC) list
• Proxy rule controls whether SSR will bypass the proxy server for local area network (LAN) and/or mainland IP addresses
• Servers allows you to add, edit, or delete SSR servers and their configuration details
• Servers Subscribe allows you to get an up-to-date list of free public servers from Github (may no longer work due to Github deletion)
• Load balance causes SSR to try to find the most responsive server from among your list (uncheck this option to use one definite server only)
• Global settings controls things like whether to start on boot, and whether port 1080 or some other port is used for the local proxy
• Port settings is for port forwarding
• Scan QR Code from screen scans a server configuration from a quick-response (QR) code you have displayed in your browser or elsewhere
• Import SSR links can import links in the format of the SSR QRcode scheme
• Help gives options such as viewing the log
• Quit to exit from the ShadowsocksR program

Android Client

Download the Android apk file from Github. For your convenience, the download is also mirrored here.

At the time of writing, the latest release has file name shadowsocksr-android-3.5.1.apk. The file size is 3,705,200 bytes. The SHA256 sum is 30aa16d5 9e48afd0 16986f6a 5f2ed60c 9769006c 03110395 d152439e 028655bf. If you wish, you can check this in Android with the Hash Droid application.

Tap on the downloaded apk file to install it. It will likely be blocked by your default security settings. Follow the prompt to go to Settings. You will need to check the box to allow installs from Unknown sources to permit the install.Make sure the box is checked to allow this installation, and tap OK.

Once the install is complete, open the app.

1. Tap the logotype ShadowsocksR at the top left to bring up the server configuration options.
2. Click the plus sign button + at the bottom right to add a new server.

You can add a new server by typing in its details, or by scanning a displayed QR code with your Android device camera.

To use the feature to scan QR codes, you may need to first install the app Barcode Scanner by ZXing Team.

Once you have added your server, tap the connect button at the top right. It looks like a paper airplane in a circle.

You will need to check the box to say I trust this application. Tap OK.

You are now connected.

Linux Client

These instructions are for Ubuntu 16.04. You will need to adjust them if you are using a different Linux distro.

Start by installing on your Linux PC the prerequisite packages for ShadowsocksR:

sudo apt-get install git python-m2crypto libsodium18

We are going to install ShadowsocksR into our Downloads directory, so change into that directory if you need to:

cd ~/Downloads

Get ShadowsocksR from Github:

git clone -b manyuser https://github.com/shadowsocksrr/shadowsocksr.git

Note that long commands may appear on multiples lines on this web page, but you should enter them as a single command.

Edit your initial ShadowsocksR configuration file:

sudo vi /etc/shadowsocks.json

You can start with the template below. Of course, you must substitute in your values for the ShadowsocksR server IP address, port, password, encryption method, protocol, obfuscation method, and so on. Here is the template to start with:

{
"server":"12.34.56.78",
"server_ipv6":"::",
"server_port":8388,
"local_address":"127.0.0.1",
"local_port":1080,
"password":"happy2017",
"timeout":300,
"udp_timeout":60,
"method":"aes-128-ctr",
"protocol":"auth_aes128_md5",
"protocol_param":"",
"obfs":"tls1.2_ticket_auth",
"obfs_param":"",
"fast_open":false,
"workers":1
}

Press Esc if you need to escape from insert or replace mode. Type :wq to write the file to disk and quit the editor.

Change into the directory for the single-user version of SSR:

cd shadowsocksr/shadowsocks

Start the ShadowsocksR client running as a daemon:

sudo python local.py -c /etc/shadowsocks.json -d start

Check that it is running okay:

sudo tail /var/log/shadowsocksr.log

If you are using Firefox, configure it to send traffic to ShadowsocksR on localhost port 1080. You do this under Preferences > Advanced > Network >Settings. Make sure you also proxy your DNS traffic.

If you are using Chrome instead of Firefox, install the extension Proxy SwitchyOmega by FelisCatus, and configure it for a SOCKS5 proxy server on localhost port 1080.

When you have finished using ShadowsocksR, set Firefox or Chrome back to using the system proxy settings, and stop the daemon:

sudo python local.py -c /etc/shadowsocks.json -d stop

If you subsequently add a new server, you will need to edit the file/etc/shadowsocks.json and restart the daemon.

Server

Begin by visiting DigitalOcean and opening and funding an account. If you use my link, they may reward you with an extra credit when you add funds for the first time. Follow the remainder of the article Basic Linux VPS Set Up from a Windows PC to create and set up your “droplet” (VPS).

Once you have done this, continue as follows.

Choose a port that you will run ShadowsocksR on. In the rest of this article, we will use port 8388 as an example.

Open your firewall on your ShadowsocksR port. Consider the possibility of whitelisting the IP addresses that can send traffic to your ShadowsocksR server. In the example given below, we assume you are always connecting from a local ISP that always allocates IP addresses to you in the range 12.34.0.0 through 12.34.255.255. In classless inter-domain routing (CIDR) notation, this is12.34.0.0/16:

sudo iptables -A INPUT -p tcp -s 12.34.0.0/16 --dport 8388 -j ACCEPT

If, on the other hand, you want to allow traffic from anywhere to connect to your server, then omit the source specification, i.e.:

sudo iptables -A INPUT -p tcp --dport 8388 -j ACCEPT

Note that long commands may appear on multiples lines on this web page, but you should enter them as a single command.

Persist your firewall change across reboots:

sudo dpkg-reconfigure iptables-persistent

Install the prerequisite packages for ShadowsocksR:

sudo apt-get install git python-m2crypto libsodium18

We are going to install ShadowsocksR into cd /usr/local, so change into that directory:

cd /usr/local

Get ShadowsocksR from Github:

sudo git clone -b manyuser https://github.com/shadowsocksrr/shadowsocksr.git

Note that long commands may appear on multiples lines on this web page, but you should enter them as a single command.

Create the initial ShadowsocksR configuration file:

cd shadowsocksr

sudo bash initcfg.sh

Edit the ShadowsocksR configuration file:

sudo vi user-config.json

Specify your values for the ShadowsocksR port, password, encryption method, protocol, obfuscation method, and so on. For example:

{
"server": "0.0.0.0",
"server_ipv6": "::",
"server_port": 8388,
"local_address": "127.0.0.1",
"local_port": 1080,
"password": "happy2017",
"method": "aes-128-ctr",
"protocol": "auth_aes128_md5",
"protocol_param": "",
"obfs": "tls1.2_ticket_auth_compatible",
"obfs_param": "",
"speed_limit_per_con": 0,
"speed_limit_per_user": 0,
"additional_ports" : {},
"additional_ports_only" : false,
"timeout": 120,
"udp_timeout": 60,
"dns_ipv6": false,
"connect_verbose_info": 0,
"redirect": "",
"fast_open": false
}

Press Esc if you need to escape from insert or replace mode. Type :wq to write the file to disk and quit the editor.

Now create the systemd service file:

sudo vi /etc/systemd/system/shadowsocksr.service

Insert contents as follows:

[Unit]
Description=ShadowsocksR server
After=network.target
Wants=network.target

[Service]
Type=forking
PIDFile=/var/run/shadowsocksr.pid
ExecStart=/usr/bin/python /usr/local/shadowsocksr/shadowsocks/server.py --pid-file /var/run/shadowsocksr.pid -c /usr/local/shadowsocksr/user-config.json -d start
ExecStop=/usr/bin/python /usr/local/shadowsocksr/shadowsocks/server.py --pid-file /var/run/shadowsocksr.pid -c /usr/local/shadowsocksr/user-config.json -d stop
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=always

[Install]
WantedBy=multi-user.target

Press Esc to get out of insert mode, then type :wq to write the file out and quit the editor.

Make ShadowocksR start on reboot, and also start it now:

sudo systemctl enable shadowsocksr.service

sudo systemctl start shadowsocksr.service

Check that ShadowsocksR is working as expected:

sudo systemctl status shadowsocksr.service

sudo journalctl -u shadowsocksr

sudo netstat -tulpn | grep 8388

sudo tail /var/log/shadowsocksr.log

Assuming your server work is done:

exit

Now add your new server to your Windows, Android, or Linux client.

Advanced Server Configuration

If you are setting up a ShadowsocksR server for shared or public use, there are various optional additions to your basic server configuration.

Optimize System

Edit the limits.conf file:

sudo vi /etc/security/limits.conf

Add these two lines to increase the maximum allowable number of open files:

* soft nofile 51200
* hard nofile 51200

Press Esc if you need to escape from insert or replace mode. Type :wq to write the file to disk and quit the editor.

Edit the system configuration file:

sudo vi /etc/sysctl.conf

Prevent automatic insertion of comment lines in the insertions below:

:set formatoptions-=cro

Insert the following lines:

# max open files
fs.file-max = 51200
# socket receive buffer 64 MB
net.core.rmem_max = 67108864
# socket send buffer 64 MB
net.core.wmem_max = 67108864
# default read buffer
net.core.rmem_default = 65536
# default write buffer
net.core.wmem_default = 65536
# max processor input queue
net.core.netdev_max_backlog = 4096
# max backlog
net.core.somaxconn = 4096

# resist SYN flood attacks
net.ipv4.tcp_syncookies = 1
# reuse timewait sockets when safe
net.ipv4.tcp_tw_reuse = 1
# turn off fast timewait sockets recycling
net.ipv4.tcp_tw_recycle = 0
# short FIN timeout
net.ipv4.tcp_fin_timeout = 30
# short keepalive time
net.ipv4.tcp_keepalive_time = 1200
# outbound port range
net.ipv4.ip_local_port_range = 10000 65000
# max SYN backlog
net.ipv4.tcp_max_syn_backlog = 4096
# max timewait sockets held by system simultaneously
net.ipv4.tcp_max_tw_buckets = 5000
# turn on TCP Fast Open on both client and server side
net.ipv4.tcp_fastopen = 3
# TCP receive buffer
net.ipv4.tcp_rmem = 4096 87380 67108864
# TCP write buffer
net.ipv4.tcp_wmem = 4096 65536 67108864
# turn on path MTU discovery
net.ipv4.tcp_mtu_probing = 1

# for high-latency network, uncomment this line:
net.ipv4.tcp_congestion_control = hybla

# for low-latency network, uncomment this line:
# net.ipv4.tcp_congestion_control = cubic

# for BBR, uncomment two lines:
# net.core.default_qdisc=fq
# net.ipv4.tcp_congestion_control=bbr

BBR congestion control is available only in Linux kernel 4.9 upwards, e.g. in Debian 9.

Press Esc if you need to escape from insert or replace mode. Type :wq to write the file to disk and quit the editor.

Make these changes effective now:

sudo sysctl -p

Restrict Outbound Ports

To restrict the ports to which your users can send outbound traffic to those commonly used for web browsing, as well as those necessary for ordinary server operation, issue the commands:

sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 67 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 68 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 8080 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 8388 -j ACCEPT
sudo iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
sudo iptables -P OUTPUT DROP
sudo dpkg-reconfigure iptables-persistent

In the above example, 8388 is the port chosen for SSR connections. You must change this number if you are using a different port.

Restart ShadowsocksR

Once you have made all your configuration changes, restart your ShadowsocksR server:

sudo systemctl stop shadowsocksr.service

sudo systemctl start shadowsocksr.service

Free Servers

Free servers tend to come and go without notice. Passwords are changed frequently. There may be many users on the same server, thus reducing speeds.

For free SSR servers, try https://doub.io/sszhfx/, mirrored athttps://doub.bid/sszhfx/.

If you find a free server for the original SS, you can access it from the SSR client by using protocol = origin and obfuscation = plain.

Support

Wiki https://github.com/shadowsocksrr/shadowsocks-rss/wiki

Google+ https://plus.google.com/communities/117390969460066916686

Gitter https://gitter.im/breakwa11/shadowsocksr

Creative Commons CC0