How to Install Shadowsocks-Libev Proxy Server on Debian 10 VPS

This tutorial shows you how to install a Shadowsocks proxy server on a Debian 10 VPS (Virtual Private Server). Shadowsocks is a lightweight, super fast and secure Socks5 proxy that can be used to bypass Internet censorship. You will also learn how to set up the Shadowsocks-libev client on a Debian 10 desktop.

There are many implementations of Shadowsocks. This tutorial shows you how to use Shadowsocks-libev, because:

  • It’s written in C, very fast even on low-end machines.
  • It’s well-maintained.
  • It’s the most feature-rich implementation. TCP fast open, multiuser, management API, redirect mode, tunnel mode, UDP relay, AEAD ciphers and plugins are all supported.

Prerequisites

To complete this tutorial, you will need:

How to Install Shadowsocks-libev Server on Debian 10 VPS

Once you have installed Debian 10 on your VPS, log into your server via SSH. Shadowsocks-libev is included in the default Debian 10 repository, but it’s outdated. As a matter of fact, the outdated version doesn’t work on my server anymore. I recommend installing it from the Debian 10 buster-backports repository, which contains the latest version of Shadowsocks-libev, so that you get security updates and bug fixes.

To enable the buster-backports repository, run the following command.

echo "deb http://deb.debian.org/debian buster-backports main" | sudo tee /etc/apt/sources.list.d/buster-backports.list

Then update local package index.

sudo apt update

After that, install Shadowsocks-libev from buster-backports repository.

sudo apt -t buster-backports install shadowsocks-libev

To check the version number, run

ss-server -v

Sample output:

shadowsocks-libev 3.3.4

The sodium crypto library (libsodium) will be installed along with shadowsocks-libev. It’s a requirement if you want to use the secure and fast ChaCha20-Poly1305 encryption method. Once it’s installed, Shadowsocks-libev will automatically start with the default configuration file. You can check its status with:

systemctl status shadowsocks-libev

Output:

 shadowsocks-libev.service - Shadowsocks-libev Default Server Service
   Loaded: loaded (/lib/systemd/system/shadowsocks-libev.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-06-23 13:33:46 UTC; 14s ago
     Docs: man:shadowsocks-libev(8)
 Main PID: 20316 (ss-server)
    Tasks: 1 (limit: 558)
   Memory: 552.0K
   CGroup: /system.slice/shadowsocks-libev.service
           └─20316 /usr/bin/ss-server -c /etc/shadowsocks-libev/config.json

Hint: If the above command doesn’t quit immediately, press Q to gain back control of the terminal.

As you can see, it is running and auto-start at boot time is enabled. If it’s not running, you can start it with:

sudo systemctl start shadowsocks-libev

To enable auto-start at boot time, run:

sudo systemctl enable shadowsocks-libev

Now we need to edit the default configuration file.

sudo nano /etc/shadowsocks-libev/config.json

The default contents of the file are as follows.

{
 "server":"127.0.0.1",
 "server_port":8388,
 "local_port":1080,
 "password":"focobguph",
 "timeout":60,
 "method":null
}

Replace 127.0.0.1 with your Debian server’s public IP address. You can change server_port to another port number, but don’t use port 8388. Then set your preferred password, which is used to encrypt traffic. It is recommended that you replace null with chacha20-ietf-poly1305 as the encryption method. Here’s an example of my configuration.

[Screenshot: example server configuration]

Save and close the file. Then restart Shadowsocks-libev for the changes to take effect.

sudo systemctl restart shadowsocks-libev
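
The edits described above can be checked mechanically. The script below is an added example, not part of the original tutorial or of Shadowsocks-libev; the function name audit_config, the 16-character password minimum, the address 203.0.113.10, port 8443 and the sample passphrase are assumptions constructed for illustration.

```python
import json

# AEAD ciphers listed in the shadowsocks-libev manual; null or anything else is flagged.
AEAD_METHODS = {"chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
                "aes-128-gcm", "aes-192-gcm", "aes-256-gcm"}
PUBLISHED_PASSWORDS = {"focobguph"}  # the password printed in this tutorial
MIN_PASSWORD_LEN = 16                # assumption: local policy, not a Shadowsocks rule
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_config(text):
    """Return a list of findings for the text of an ss-server config.json."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # e.g. a comma left after the last key; Python's parser is strict
        return ["json: line %d: %s" % (exc.lineno, exc.msg)]
    findings = []
    servers = cfg.get("server")
    servers = servers if isinstance(servers, list) else [servers]
    if any(s in LOOPBACK for s in servers):
        findings.append("server: loopback address, remote clients cannot connect")
    if cfg.get("server_port") == 8388:
        findings.append("server_port: still 8388, which the tutorial says to change")
    if cfg.get("method") not in AEAD_METHODS:
        findings.append("method: %r is not an AEAD cipher" % cfg.get("method"))
    password = cfg.get("password") or ""
    if password in PUBLISHED_PASSWORDS:
        findings.append("password: copied from the tutorial")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append("password: shorter than %d characters" % MIN_PASSWORD_LEN)
    return findings


# Constructed samples: the default file shown above, and an edited file.
DEFAULT = """{
 "server":"127.0.0.1", "server_port":8388, "local_port":1080,
 "password":"focobguph", "timeout":60, "method":null
}"""
EDITED = """{
 "server":"203.0.113.10", "server_port":8443, "local_port":1080,
 "password":"constructed-sample-passphrase", "timeout":60,
 "method":"chacha20-ietf-poly1305"
}"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT), ("edited", EDITED)):
        print(name, audit_config(text) or "ok")
```

To audit the live file, pass the contents of /etc/shadowsocks-libev/config.json to audit_config.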

Install and Configure Shadowsocks-libev Client on Debian 10 Desktop

The shadowsocks-libev package contains both the server software and client software. So just use the method mentioned above to install Shadowsocks-libev on Debian 10 desktop.

Note: On Debian 10, Shadowsocks-libev (the server) will automatically start after being installed. You need to stop Shadowsocks server on Debian 10 desktop.

sudo systemctl stop shadowsocks-libev

Also, disable auto-start at boot time.

sudo systemctl disable shadowsocks-libev

The Shadowsocks client binary is named ss-local. There’s a template systemd service unit for it: /lib/systemd/system/shadowsocks-libev-local@.service. Before starting the client, we need to create the client-side configuration file.

sudo nano /etc/shadowsocks-libev/location-of-your-server.json

You can replace location-of-your-server with something like SFO, LAX. Copy the Shadowsocks-libev server config to the client config file, then add the following line to tell the client to listen on 127.0.0.1.

"local_address":"127.0.0.1",

So the client config file will look like this:

{
 "server":"your-server-ip-address",
 "server_port":8388,
 "local_address":"127.0.0.1",
 "local_port":1080,
 "password":"focobguph",
 "timeout":60,
 "method":"chacha20-ietf-poly1305"
}

Save and close the file. Then we can start the client with:

sudo systemctl start shadowsocks-libev-local@location-of-your-server.service

And enable auto-start at boot time.

sudo systemctl enable shadowsocks-libev-local@location-of-your-server.service

Check its status. Make sure it’s running.

systemctl status shadowsocks-libev-local@location-of-your-server.service

Now the ss-local process listens on 127.0.0.1:1080 on your Debian 10 desktop and it’s connected to your Shadowsocks server.

Configure Web Browser to Use the Socks Proxy

A program can only use a SOCKS proxy if it supports one. Programs like Firefox Quantum, Google Chrome and Dropbox allow users to configure a proxy. I will show you how to configure Firefox and Google Chrome.

Firefox

In Firefox, go to Edit > Preferences > General. Then scroll down to the bottom and click Settings in Network Proxy. In the Connection Settings window, select manual proxy configuration. Then select SOCKS v5 because Shadowsocks is a Socks5 proxy. Enter 127.0.0.1 in the SOCKS Host field and 1080 in the port field. Make sure Proxy DNS when using SOCKS v5 is enabled. Click OK to apply these modifications.


Google Chrome

The Linux versions of Google Chrome and Chromium don’t have a GUI to configure a proxy, but you can use command-line options like below.

google-chrome --proxy-server="socks5://127.0.0.1:1080"

or

chromium-browser --proxy-server="socks5://127.0.0.1:1080"

You can also install the SwitchOmega extension to configure the proxy, so you don’t have to type the command in the terminal window.

DNS Leak Test

Go to dnsleaktest.com. You will see your Shadowsocks server’s IP address, which indicates that your proxy is working.


Click Standard test. Make sure your local ISP isn’t in the test results.


Enable TCP BBR

TCP BBR is a TCP congestion control algorithm that can drastically improve connection speed. Follow the tutorial below to enable TCP BBR on Debian 10 server. You don’t have to enable it on Debian 10 desktop. The tutorial linked below is for Ubuntu, but also applies to Debian.

Enable TCP Fast Open

You can speed up Shadowsocks a little bit more by enabling TCP fast open (TFO). TCP is a connection-oriented protocol: traditionally, data can only be exchanged after the connection has been established by the three-way handshake. TFO is a mechanism that allows data to be exchanged before the three-way handshake is complete, saving up to 1 round-trip time (RTT).

TCP fast open support has been merged into the Linux kernel since version 3.7 and enabled by default since version 3.13. You can check your kernel version by running:

uname -r

To check TCP fast open configuration on your Debian server, run

cat /proc/sys/net/ipv4/tcp_fastopen

It can return 4 values.

  • 0 means disabled.
  • 1 means it’s enabled for outgoing connections (as a client).
  • 2 means it’s enabled for incoming connections (as a server).
  • 3 means it’s enabled for both outgoing and incoming connections.

All my Debian servers returned 1 after running the above command. We want tcp_fastopen set to 3 on our server. To achieve that, we can edit the sysctl configuration file.

sudo nano /etc/sysctl.conf

Then paste the following line at the end of the file.

net.ipv4.tcp_fastopen=3

Reload sysctl settings for the change to take effect.

sudo sysctl -p

Then you will also need to enable TCP fast open in the Shadowsocks configuration file.

sudo nano /etc/shadowsocks-libev/config.json

Add the following line.

"fast_open": true

So your Shadowsocks server configuration file will look like this:

{
 "server":"your-server-ip-address",
 "server_port":8388,
 "local_port":1080,
 "password":"focobguph",
 "timeout":60,
 "method":"chacha20-ietf-poly1305",
 "fast_open": true
}

Note that the last config line has no comma. Save and close the file. Then restart Shadowsocks server.

sudo systemctl restart shadowsocks-libev

Check if it’s running. (An error in configuration file can prevent it from restarting.)

systemctl status shadowsocks-libev

You also need to edit the Shadowsocks client configuration file and restart it to enable TCP fast open on Debian 10 desktop.
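
TCP fast open only takes effect when the kernel setting and the Shadowsocks configuration agree for the role in question. The check below is an added example, not part of the original tutorial or of Shadowsocks-libev; the function names and the sample kernel release string are assumptions. It tests individual bits of the sysctl value rather than comparing against 0 to 3, which goes slightly beyond the four values listed above and also holds when further kernel flag bits are set.

```python
import json
import re

TFO_CLIENT = 0x1  # bit 0: outgoing connections (ss-local)
TFO_SERVER = 0x2  # bit 1: incoming connections (ss-server)


def kernel_has_tfo(release):
    """True if a `uname -r` string is at least 3.7, the version the text cites."""
    m = re.match(r"(\d+)\.(\d+)", release)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= (3, 7)


def tfo_findings(sysctl_value, cfg, role):
    """Compare net.ipv4.tcp_fastopen with a parsed config for 'server' or 'client'."""
    need = TFO_SERVER if role == "server" else TFO_CLIENT
    kernel_ok = bool(int(sysctl_value) & need)
    wanted = cfg.get("fast_open") is True
    if wanted and not kernel_ok:
        return ["config sets fast_open but tcp_fastopen=%s lacks bit 0x%x for the %s role"
                % (str(sysctl_value).strip(), need, role)]
    if kernel_ok and not wanted:
        return ['kernel allows TFO for the %s role but config lacks "fast_open": true' % role]
    return []


if __name__ == "__main__":
    # Constructed input: the value the author's servers returned (1), the target
    # value (3), and a config with fast_open enabled as in the listing above.
    cfg = json.loads('{"server_port":8388, "method":"chacha20-ietf-poly1305",'
                     ' "fast_open": true}')
    for value in ("1", "3"):
        print(value, tfo_findings(value, cfg, "server") or "consistent")
    # Constructed sample of `uname -r` output.
    print("4.19.0-9-amd64", kernel_has_tfo("4.19.0-9-amd64"))
```

On a real host, pass the contents of /proc/sys/net/ipv4/tcp_fastopen and the parsed /etc/shadowsocks-libev/config.json, with role "server" on the VPS and "client" on the desktop.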

For more usage on Shadowsocks, check the manual.

man shadowsocks-libev

Wrapping Up

That’s it! I hope this tutorial helped you install Shadowsocks-libev proxy on Debian 10 server and desktop.

Shadowsocks is a forward proxy. Want to know what’s a forward proxy? Please read the following article:


3 Responses to “How to Install Shadowsocks-Libev Proxy Server on Debian 10 VPS”

  • I welcome you. thanks for the article buddy, silently would you write a couple of lines about obfsproxy shadowsocks

  • Thanks for this tutorial 🙂 , I’m struggling to get this to work though.

    According to the Shadowsocks app on my Android phone, there’s a working connection with the Shadowsocks server on my Debian router-pc, but no internet access.

    If I had to guess, the firewall’s default policy (drop) is probably the cause, but I cannot seem to find a virtual interface used by Shadowsocks (like tun0) that I can write accept-rules for.

    Plus, PiHole (on a different system) is not showing any DNS-requests that might be coming in through Shadowsocks, the router-pc itself has access to PiHole so the requests are not being blocked there, but maybe are when coming in through Shadowsocks.

    I don’t suppose you have any ideas?
