How to Set Up Shadowsocks-libev Proxy Server on CentOS/Rocky Linux

This tutorial is going to show you how to set up Shadowsocks proxy server on CentOS. Shadowsocks is a lightweight, fast, and secure Socks5 proxy to bypass Internet censorship. We will learn how to set up the server-side and how to configure the desktop client on CentOS. There are many implementations of Shadowsocks, this tutorial shows you how to use Shadowsocks-libev, because

  • It’s written in C, very fast even on low-end box.
  • It’s well-maintained.
  • It’s the most feature-rich implementation. TCP fast open, multiuser, management API, redirect mode, tunnel mode, UDP relay, AEAD ciphers, and plugins are all supported.

Set Up Shadowsocks-libev Proxy Server on CentOS

Prerequisites

To complete this tutorial, you will need:

Update: The new Vultr $2.5/month plan includes IPv6 address only. You can select the $3.5/month plan at the New York (NJ) data center to have both IPv4 and IPv6 addresses.

Step 1: Install Shadowsocks-libev Server on CentOS

SSH into your remote CentOS server. Shadowsocks-libev isn’t included in CentOS repository. It’s recommended to install it from the Snap store. To install software from the Snap store, we need to install the snapd daemon.

sudo dnf install -y epel-release
sudo dnf update -y
sudo dnf install -y snapd

Start and enable the snapd systemd service:

sudo systemctl start snapd.service
sudo systemctl enable snapd.service

Then install Shadowsocks-libev.

sudo snap install shadowsocks-libev

Once it’s installed, you can run the following command show detailed information about the shadowsocks-libev snap.

snap info shadowsocks-libev

snap info shadowsocks-libev

As you can see, there are 5 commands available. Before we use the command to start Shadowsocks-libev server, we need to create a configuration file with a command-line text editor like Nano. Install Nano with:

sudo dnf install nano

Create the configuration file.

sudo nano /var/snap/shadowsocks-libev/common/server-config.json

Add the following lines in this file.

{
    "server":["[::0]", "0.0.0.0"],
    "mode":"tcp_and_udp",
    "server_port":8888,
    "local_port":1080,
    "password":"o+4LmywwopNXSUhA7Wf8wg==",
    "timeout":60,
    "name_server":"8.8.8.8",
    "method":"chacha20-ietf-poly1305"
}

Where:

  • server: specify the listening address. [::0] makes it listen on all available IPv6 addresses and 0.0.0.0 makes it listen on all available IPv4 addresses.
  • mode: Use both TCP and UDP mode.
  • server_port: specify a port that isn’t being used by another process on the server, like 8888.
  • local_port: it’s common to use port 1080 as the local port for SOCKS proxy.
  • password: You can generate a secure random password with this command: openssl rand -base64 16.
  • timeout: 60 seconds.
  • name_server: Shadowsocks can make clients use the specified DNS server like 8.8.8.8. You can also change it to 1.1.1.1, so clients will be using Cloudflare DNS server.
  • method: sepcify the encryption algorithm. chacha20-ietf-poly1305 is a very fast secure algorithm.

Save and close the file. (To save a file in Nano text editor, press Ctrl+O, then press Enter to confirm. To exit, press Ctrl+X.)

Step 2: Run Shadowsocks-libev Server as a Systemd Service

We can manually run the Shadowsocks-libev server, but it’s more convenient to create a systemd service unit for it, so it can be automatically started at boot time. Use the Nano text editor to create a systemd service.

sudo nano /etc/systemd/system/shadowsocks-libev.service

Add the following lines in this file.

[Unit]
  Description=Shadowsocks-Libev Server
  After=network-online.target
    
[Service]
  Type=simple
  ExecStart=/usr/bin/snap run shadowsocks-libev.ss-server -c /var/snap/shadowsocks-libev/common/server-config.json
  Restart=always
  RestartSec=2
    
[Install]
 WantedBy=multi-user.target

Save and close the file. Then start shadowsocks-libev service.

sudo systemctl start shadowsocks-libev.service

Enable auto-start at boot time.

sudo systemctl enable shadowsocks-libev.service

Check its status. Make sure it’s running.

systemctl status shadowsocks-libev.service

systemctl status shadowsocks-libev centos

If you made a mistake in your shadowsocks-libev systemd service file, correct your error and reload systemd.

sudo systemctl daemon-reload

Then you can restart shadowsocks-libev service.

sudo systemctl restart shadowsocks-libev.service

If you see the following error.

This system doesn't provide enough entropy to quickly generate high-quality random numbers. The service will not start until enough entropy has been collected.

You can fix this error by installing rng-tools.

sudo dnf install rng-tools

Then run

sudo rngd -r /dev/urandom

Now you can start Shadowsocks-libev service.

Step 3: Configure Firewall

You need to allow traffic to the TCP and UDP port Shadowsocks is listening on. For example, if port 8888 is being used by Shadowsocks, then run the following command:

sudo firewall-cmd --permanent --add-port=8888/tcp
sudo firewall-cmd --permanent --add-port=8888/udp

Then reload firewalld for the change to take effect.

sudo systemctl reload firewalld

Step 3: Install and Configure Shadowsocks-libev Client

CentOS Desktop

The shadowsocks-libev package contains both the server software and client software. The Shadowsocks client binary is named ss-local. Use the same method to install it on CentOS desktop.

First, install the snapd daemon.

sudo dnf install -y epel-release
sudo dnf update -y
sudo dnf install -y snapd

Start and enable the snapd systemd service:

sudo systemctl start snapd.service
sudo systemctl enable snapd.service

Then install Shadowsocks-libev from the Snap store.

sudo snap install shadowsocks-libev

Before starting the client, we need to create the client-side configuration file with a command-line text editor like Nano. Install Nano with:

sudo dnf install nano

Create the client configuration file.

sudo nano /var/snap/shadowsocks-libev/common/client-config.json

Add the following lines in this file.

{
    "server":"your-server-ip-address",
    "mode":"tcp_and_udp",
    "server_port":8888,
    "local_address":"127.0.0.1",
    "local_port":1080,
    "password":"o+4LmywwopNXSUhA7Wf8wg==",
    "timeout":60,
    "name_server":"8.8.8.8",
    "method":"chacha20-ietf-poly1305"
}

Where:

  • server: specify your server’s IP address.
  • mode: Use both TCP and UDP mode.
  • server_port: specify the port Shadowsocks-libev server is listening on.
  • local_address: The client should listen on localhost.
  • local_port: it’s common to use port 1080 as the local port for SOCKS proxy.
  • password: Use the same password as in the server configuration file.
  • timeout: 60 seconds.
  • name_server: The client is not required to specify a name server, but if you use the name_server parameter, you need to use the same name server as in the server configuration file.
  • method: sepcify the encryption algorithm. chacha20-ietf-poly1305 is a very fast secure algorithm.

Save and close the file. (To save a file in Nano text editor, press Ctrl+O, then press Enter to confirm. To exit, press Ctrl+X.)

Then we need to create a systemd service unit for the client, so it can be automatically started at boot time.

sudo nano /etc/systemd/system/shadowsocks-client.service

Add the following lines in this file.

[Unit]
  Description=Shadowsocks-Libev Client
  After=network-online.target
    
[Service]
  Type=simple
  ExecStart=/usr/bin/snap run shadowsocks-libev.ss-local -c /var/snap/shadowsocks-libev/common/client-config.json
  Restart=always
  RestartSec=2
    
[Install]
 WantedBy=multi-user.target

Save and close the file. Then start shadowsocks-client.service.

sudo systemctl start shadowsocks-client.service

Enable auto-start at boot time.

sudo systemctl enable shadowsocks-client.service

Check its status. Make sure it’s running.

systemctl status shadowsocks-client.service

Now the Shadowsocks client process listens on 127.0.0.1:1080 on your CentOS desktop and it’s connected to your Shadowsocks server.

Troubleshooting Tips

If the Shadowsocks client process fails to start, you can check the logs to see what’s wrong.

sudo journalctl -eu shadowsocks-client

For example, I had the following error in the log.

ERROR: 2:0: Unexpected `m` in object

It turned out that I forgot to wrap the server IP address with double quotes in the client configuration file.

Windows Desktop

Windows users can download this Shadowsocks client. Once it’s installed, you can add a new server in the client software. Specify the server IP address, port and password. Click Apply button

shadowsocks windows client

If you have several proxy servers, you can click the Add button to add more proxy servers. Note that you use only one proxy server at a time.

Step 4: Configure Web Browser to Use the Socks Proxy

To make your program use a socks proxy, the program must support socks proxy. Programs like Firefox, Google Chrome and Dropbox allows users to use proxy. I will show you how to configure Firefox and Google Chrome.

Firefox

In Firefox, go to Edit > Preferences > General (or Tools -> Options -> General). Then scroll down to the bottom and click Settings in Network Proxy. In the Connection Settings window, select manual proxy configuration. Then select SOCKS v5 because Shadowsocks is a Socks5 proxy. Enter 127.0.0.1 in the SOCKS Host field and 1080 in the port field. Make sure Proxy DNS when using SOCKS v5 is enabled. Click OK to apply these modifications.

shadowsocks-libev-firefox networking-settings

Now Firefox will connect to the local Shadowsocks client which is listening on 127.0.0.1:1080, then the traffic will be routed through the Shadowsocks-libev server.

Google Chrome

While you can configure proxy for Google Chrome and Chromium browser from the command line, I recommend installing the Proxy SwitchyOmega extension to manage proxies.

google chrome Proxy SwitchyOmega

Once the extension is installed in Google Chrome, configure a proxy server as follows:

  • Choose the SOCKS5 protocol.
  • Set 127.0.0.1 as the server address.
  • Set 1080 as the port number.

google chrome proxy command line

Apply the changes. Then click the extensions icon on the upper-right corner and click Proxy SwithyOmega.

proxy swithy omega shadowsocks-libev

By default, SwithyOmega uses the operating system’s proxy settings. We need to change it from system proxy to proxy.

switchyomega default proxy

Now Google Chrome will connect to the local Shadowsocks client which is listening on 127.0.0.1:1080, then the traffic will be routed through the Shadowsocks-libev server.

Step 5: DNS Leak Test

Go to dnsleaktest.com. You will see your Shadowsocks server’s IP address, which indicates that your proxy is working.

shadowsocks-libev-centos-install

Click the Standard test. Make sure your local ISP isn’t in the test results.

shadowsocks-libev-dns-leak-test

Enable TCP Fast Open

You can speed up Shadowsocks by enabling TCP fast open. TCP is a connection-oriented protocol, which means data can only be exchanged after a connection is established, which is done via the three-way handshake. In other words, traditionally, data can only be exchanged after the three-way handshake is complete. TCP fast open (TFO) is a mechanism that allows data to be exchanged before three-way handshake is complete, saving up to 1 round-trip time (RTT).

TCP fast open support is merged to Linux kernel since version 3.7 and enabled by default since version 3.13. You can check your kernel version by running:

uname -r

To check TCP fast open configuration on your CentOS server, run

cat /proc/sys/net/ipv4/tcp_fastopen

It can return 4 values.

  • 0 means disabled.
  • 1 means it’s enabled for outgoing connection (as a client).
  • 2 means it’s enabled for incoming connection (as a server).
  • 3 means it’s enabled for both outgoing and incoming connection.

All my CentOS VPS (Virtual Private Server) returned 1 after running the above command. We want tcp_fastopen set to 3 on our server. To achieve that, we can edit the sysctl configuration file.

sudo nano /etc/sysctl.conf

Then paste the following line at the end of the file.

net.ipv4.tcp_fastopen=3

Reload sysctl settings for the change to take effect.

sudo sysctl -p

Then you will also need to enable TCP fast open in Shadowsocks server configuration file.

sudo nano /var/snap/shadowsocks-libev/common/server-config.json

Add the following line.

"fast_open": true

So your Shadowsocks server configuration file will look like this:

{
    "server":["[::0]", "0.0.0.0"],
    "mode":"tcp_and_udp",
    "server_port":8888,
    "local_port":1080,
    "password":"o+4LmywwopNXSUhA7Wf8wg==",
    "timeout":60,
    "name_server":"8.8.8.8",
    "method":"chacha20-ietf-poly1305",
    "fast_open": true
}

Note that the last config line doesn’t end with comma. All other lines in the {...} block should end with comma. Save and close the file. Then restart Shadowsocks server.

sudo systemctl restart shadowsocks-libev.service

Check if it’s running. (An error in the configuration file can prevent it from restarting.)

systemctl status shadowsocks-libev

You also need to edit the Shadowsocks client configuration file and restart it to enable TCP fast open on CentOS desktop.

Enable TCP BBR

TCP BBR is a TCP congestion control algorithm that can greatly improve connection speed. To enable it on CentOS server, edit /etc/sysctl.conf file.

sudo nano /etc/sysctl.conf

Add the following two line at the end of the file.

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

Save and close the file. Then reload sysctl configurations.

sudo sysctl -p

Now check the congestion control algorithm in use.

sysctl net.ipv4.tcp_congestion_control

Output:

net.ipv4.tcp_congestion_control = bbr

Congrats! You have successfully enabled TCP BBR on CentOS server.

Wrapping Up

That’s it! I hope this tutorial helped you install Shadowsocks-libev proxy on CentOS. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks 🙂

Shadowsocks is a forward proxy. Want to know what’s a forward proxy? Please read the following article:

Rate this tutorial
[Total: 6 Average: 4.8]

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community (https://community.linuxbabe.com) for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.

The maximum upload file size: 2 MB. You can upload: image. Links to YouTube, Facebook, Twitter and other services inserted in the comment text will be automatically embedded. Drop file here