How to Install Shadowsocks-Libev Proxy Server on Debian 9 Stretch VPS

This tutorial will be showing you how to install Shadowsocks proxy server on a Debian 9 VPS (Virtual Private Server). Shadowsocks is a lightweight , super fast and secure Socks5 proxy that can be used to bypass Internet censorship. You will also learn how to set up Shadosocks-libev client on Debian 9 desktop.

There are many implementations of Shadowsocks, this tutorial shows you how to use Shadowsocks-libev, because

  • It’s written in C, very fast even on low-end machine.
  • It’s well-maintained.
  • It’s the most feature-rich implementation. TCP fast open, multiuser, management API, redirect mode, tunnel mode, UDP relay, AEAD ciphers and plugins are all supported.

Prerequisites

To complete this tutorial, you will need:

How to Install Shadowsocks-libev Server on Debian 9 VPS

Once you have installed Debian 9 on your VPS. Log into your server via SSH. Shadowsocks-libev is included in the default Debian 9 repository, but it’s outdated. As a matter of fact, the outdated version doesn’t work on my server anymore. I recommended installing it from Debian 9 stretch-backports repository, which contains the latest version of Shadowsocks-libev, so that you get security updates and bug fixes.

To enable stretch-backports repository, you need to edit sources.list file.

sudo nano /etc/apt/sources.list

Add the following line at the bottom of this file.

deb http://ftp.debian.org/debian stretch-backports main

Save and close the file. Then update local package index.

sudo apt update

After that, install Shadowsocks-libev from stretch-backports repository.

sudo apt -t stretch-backports install shadowsocks-libev

To check the version number, run

ss-server -v

Sample output:

shadowsocks-libev 3.1.3

The sodium crypto library (libsodium) will be installed along with shadowsocks-libev. It’s a requirement if you want to use the secure and fast ChaCha20-Poly1305 encryption method. Once it’s installed, Shadowsocks-libev will automatically start with the default configuration file. You can check its status with:

systemctl status shadowsocks-libev

Output:

● shadowsocks-libev.service - Shadowsocks-libev Default Server Service
   Loaded: loaded (/lib/systemd/system/shadowsocks-libev.service; enabled; vendor preset: enabled
   Active: active (running) since Wed 2018-04-25 06:18:55 UTC; 3min 47s ago
     Docs: man:shadowsocks-libev(8)
 Main PID: 28728 (ss-server)
   CGroup: /system.slice/shadowsocks-libev.service
           └─28728 /usr/bin/ss-server -c /etc/shadowsocks-libev/config.json -u

As you can see, it is running and auto-start at boot time is enabled. If it’s not running, you can start it with:

sudo systemctl start shadowsocks-libev

To enabled auto-start at boot time, run:

sudo systemctl enable shadowsocks-libev

Now we need to edit the default configuration file.

sudo nano /etc/shadowsocks-libev/config.json

Default contents of the file are as follows.

{
 "server":"127.0.0.1",
 "server_port":8388,
 "local_port":1080,
 "password":"focobguph",
 "timeout":60,
 "method":null
}

Replace 127.0.0.1 with your Debian server’s public IP address. You can change server_port to other port number, but don’t use port 8388. Then set your preferred password, which is used to encrypt traffic. It is recommended that you replace null with chacha20-ietf-poly1305 as the encryption method. Here’s an example of my configuration.

install shadowsocks-libev on debian 9 server

Save and close the file. Then restart Shadowsocks-libev for the changes to take effect.

sudo systemctl restart shadowsocks-libev

Install and Configure Shadowsocks-libev Client on Debian 9 Desktop

The shadowsocks-libev package contains both the server software and client software. So just use the method mentioned above to install Shadowsocks-libev on Debian 9 desktop.

Note: On Debian 9, Shadowsocks-libev (the server) will automatically start after being installed. You need to stop Shadowsocks server on Debian 9 desktop.

sudo systemctl stop shadowsocks-libev

Also disable auto-start at boot time.

sudo systemctl disable shadowsocks-libev

The Shadowsocks client binary is named ss-local. There’s a template systemd service unit for it: /lib/systemd/system/[email protected]. Before starting the client, we need to create the client side configuration file.

sudo nano /etc/shadowsocks-libev/location-of-your-server.json

You can replace location-of-your-server with something like SFO, LAX. Copy the Shadowsocks-libev server config to the client config file, then add the following line to tell the client to listen on 127.0.0.1.

"local_address":"127.0.0.1",

So the client config file will look like this:

{
 "server":"your-server-ip-address",
 "server_port":8388,
 "local_address":"127.0.0.1",
 "local_port":1080,
 "password":"focobguph",
 "timeout":60,
 "method":"chacha20-ietf-poly1305"
}

Save and close the file. Then we can start the client with:

sudo systemctl start [email protected]location-of-your-server.service

And enable auto-start at boot time.

sudo systemctl enable [email protected]location-of-your-server.service

Check its status. Make sure it’s running.

systemctl status [email protected]location-of-your-server.service

Now the ss-local process listens on 127.0.0.1:1080 on your Ubuntu desktop and it’s connected to your Shadowsocks server.

Configure Web Browser to Use the Socks Proxy

To let your program use a socks proxy, the program must support socks proxy. Programs like Firefox quantum, Google Chrome and Dropbox allows users to use proxy. I will show you how to configure Firefox and Google Chrome.

Firefox

In Firefox, go to Edit > Preferences > General. Then scroll down to the bottom and click Settings in Network Proxy. In the Connection Settings window, select manual proxy configuration. Then select SOCKS v5 because Shadowsocks is a Socks5 proxy. Enter 127.0.0.1 in the SOCKS Host field and 1080 in the port field. Make sure Proxy DNS when using SOCKS v5 is enabled. Click OK to apply these modifications.

shadowsocks-libev-debian-9

Google Chrome

Google Chrome and Chromium Linux version don’t have a GUI to configure proxy, but you can use command line options like below.

google-chrome --proxy-server="socks5://127.0.0.1:1080"

or

chromium-browser --proxy-server="socks5://127.0.0.1:1080"

You can also install and use the SwitchOmega extension configure proxy so you don’t have to type command in the terminal window.

DNS Leak Test

Go to dnsleaktest.com. You will see your Shadowsocks server’s IP address, which indicates that your proxy is working.

shadowsocks-libev-debian-9-stretch-install

Click Standardard test. Make sure your local ISP isn’t in the test results.

shadowsocks-libev-debian-9-server

Enable TCP BBR

TCP BBR is a TCP congestion control algorithm that can drastically improve connection speed. Follow the tutorial below to enable TCP BBR on Debian 9 server. You don’t have to enable it on Debian 9 desktop. The tutorial linked below is for Ubuntu, but also applies to Debian.

Enable TCP Fast Open

You can speed up Shadowsocks a little bit more by enabling TCP fast open. TCP is connection-oriented protocol, which means data can only be exchanged after a connection is established, which is done via the three-way handshake. In other words, traditionally, data can only be exchanged after the three-way handshake is complete. TCP fast open (TFO) is a mechanism that allows data to be exchanged before three-way handshake is complete, saving up to 1 round-trip time (RTT).

TCP fast open support is merged to Linux kernel since version 3.7 and enabled by default since version 3.13. You can check your kernel version by running:

uname -r

To check TCP fast open configuration on your Debian server, run

cat /proc/sys/net/ipv4/tcp_fastopen

It can return 4 values.

  • 0 means disabled.
  • 1 means it’s enabled for outgoing connection (as a client).
  • 2 means it’s enabled for incoming connection (as a server).
  • 3 means it’s enabled for both outgoing and incoming connection.

All my debian servers returned 1 after running the above command. We want tcp_fastopen set to 3 on our server. To achieve that, we can edit the sysctl configuration file.

sudo nano /etc/sysctl.conf

Then paste the following line at the end of the file.

net.ipv4.tcp_fastopen=3

Reload sysctl settings for the change to take effect.

sudo sysctl -p

Then you will also need to enable TCP fast open in Shadowsocks configuration file.

sudo nano /etc/shadowsocks-libev/config.json

Add the following line.

"fast_open": true

So your Shadowsocks server configuration file will look like this:

{
 "server":"your-server-ip-address",
 "server_port":8388,
 "local_port":1080,
 "password":"focobguph",
 "timeout":60,
 "method":"chacha20-ietf-poly1305",
 "fast_open": true
}

Note that last config line has not comma. Save and close the file. Then restart Shadowsocks server.

sudo systemctl restart shadowsocks-libev

Check if it’s running. (An error in configuration file can prevent it from restarting.)

systemctl status shadowsocks-libev

You also need to edit the Shadowsocks client configuration file and restart it to enable TCP fast open on Debian 9 desktop.

For more usage on Shadowsocks, check the manual.

man shadowsocks-libev

That’s it! I hope this tutorial helped you install Shadowsocks-libev proxy on Debian 9 server and desktop. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care.

Rate this tutorial
[Total: 1 Average: 5]