shadowsocks-libev configuration and usage on Linux

The first part of this article is the English documentation. Coming from a technical background, I still prefer reading English docs: they are thorough and go straight to the point. That is not to say Chinese docs are bad; it is a matter of taste. Everything below has been tested by me and works.

Intro

Shadowsocks-libev is a lightweight secure SOCKS5 proxy for embedded devices and low-end boxes.

It is a port of shadowsocks created by @clowwindy maintained by @madeye and @linusyang.

Current version: 1.4.8

Features

Shadowsocks-libev is written in pure C and only depends on libev and OpenSSL or PolarSSL.

In normal usage, the memory footprint is about 600KB and the CPU utilization is no more than 5% on a low-end router (Buffalo WHR-G300N V2 with a 400MHz MIPS CPU, 32MB memory and 4MB flash).

Installation

Notes about PolarSSL

  • The default crypto library is OpenSSL. To build against PolarSSL, specify --with-crypto-library=polarssl and --with-polarssl=/path/to/polarssl when running ./configure.
  • PolarSSL 1.2.5 or newer is required. Currently, PolarSSL does NOT support CAST5-CFB, DES-CFB, IDEA-CFB, RC2-CFB and SEED-CFB.
  • RC4 is only supported by PolarSSL 1.3.0 or above.

Debian & Ubuntu

Install from repository

Add either of the following lines to your /etc/apt/sources.list

# Debian Wheezy, Ubuntu 12.04 or any distribution with libssl > 1.0.1
deb http://shadowsocks.org/debian wheezy main

# Debian Squeeze, Ubuntu 11.04, or any distribution with libssl > 0.9.8, but < 1.0.0
deb http://shadowsocks.org/debian squeeze main

Then,

sudo apt-get update
sudo apt-get install shadowsocks

Build package from source

cd shadowsocks-libev
sudo apt-get install build-essential autoconf libtool libssl-dev gawk debhelper
sudo dpkg-buildpackage
cd …
sudo dpkg -i shadowsocks*.deb

Configure and start the service

# Edit the configuration
sudo vim /etc/shadowsocks/config.json

# Start the service
sudo /etc/init.d/shadowsocks start

CentOS

Install the dependencies,

yum install -y gcc automake autoconf libtool make build-essential autoconf libtool
yum install -y curl curl-devel zlib-devel openssl-devel perl perl-devel cpio expat-devel gettext-devel

Compile and install,

./configure && make
make install

Then copy this init script to /etc/init.d/ .

Linux

For Unix-like systems, especially Debian-based systems, e.g. Ubuntu, Debian or Linux Mint, you can build the binary like this:

sudo apt-get install build-essential autoconf libtool libssl-dev
./configure && make
sudo make install

FreeBSD

su
cd /usr/ports/net/shadowsocks-libev
make install

Edit your config.json file. By default, it’s located in /usr/local/etc/shadowsocks-libev

To enable shadowsocks-libev, add the following rc variable to your /etc/rc.conf file.

shadowsocks_libev_enable="YES"

Start the shadowsocks server:

service shadowsocks_libev start

OpenWRT

# At OpenWRT build root
pushd package
git clone https://github.com/madeye/shadowsocks-libev.git
popd
# Enable shadowsocks-libev in network category
make menuconfig
# Optional
make -j
# Build the package
make V=99 package/shadowsocks-libev/openwrt/compile

Windows

For Windows, use either MinGW (msys) or Cygwin to build. At the moment, only ss-local is supported to build against MinGW (msys).

If you are using MinGW (msys), please download OpenSSL or PolarSSL source tarball to the home directory of msys, and build it like this (may take a few minutes):

  • OpenSSL

tar zxf openssl-1.0.1e.tar.gz
cd openssl-1.0.1e
./config --prefix="$HOME/prebuilt" --openssldir="$HOME/prebuilt/openssl"
make && make install

  • PolarSSL

tar zxf polarssl-1.3.2-gpl.tgz
cd polarssl-1.3.2
make lib WINDOWS=1
make install DESTDIR="$HOME/prebuilt"

Then, build the binary using the commands below, and all .exe files will be built at $HOME/ss/bin :

  • OpenSSL

./configure --prefix="$HOME/ss" --with-openssl="$HOME/prebuilt"
make && make install

  • PolarSSL

./configure --prefix="$HOME/ss" --with-crypto-library=polarssl --with-polarssl=$HOME/prebuilt
make && make install

Usage

usage:

    ss-[local|redir|server|tunnel]

          -s <server_host>           host name or ip address of your remote server
          -p <server_port>           port number of your remote server
          -l <local_port>            port number of your local server
          -k <password>              password of your remote server


          [-m <encrypt_method>]      encrypt method: table, rc4, rc4-md5
                                     aes-128-cfb, aes-192-cfb, aes-256-cfb,
                                     bf-cfb, camellia-128-cfb, camellia-192-cfb,
                                     camellia-256-cfb, cast5-cfb, des-cfb,
                                     idea-cfb, rc2-cfb and seed-cfb
          [-f <pid_file>]            file to store the pid
          [-t <timeout>]             socket timeout in seconds
          [-c <config_file>]         config file in json


          [-i <interface>]           network interface to bind,
                                     not available in redir mode
          [-b <local_address>]       local address to bind,
                                     not available in server mode
          [-u]                       enable udprelay mode
                                     not available in redir mode
          [-L <addr>:<port>]         setup a local port forwarding tunnel,
                                     only available in tunnel mode
          [-v]                       verbose mode


          [--fast-open]              enable TCP fast open,
                                     only available on Linux kernel > 3.7.0
          [--acl <acl_file>]         config file of ACL (Access Control List)

notes:

    ss-redir provides a transparent proxy function and only works on the 
    Linux platform with iptables.

Advanced usage

The latest shadowsocks-libev provides a redir mode. You can configure your Linux-based box or router to proxy all TCP traffic transparently.

# Create new chain
root@Wrt:~# iptables -t nat -N SHADOWSOCKS

# Ignore your shadowsocks server's addresses
# It's very IMPORTANT, just be careful.
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN

# Ignore LANs and any other addresses you'd like to bypass the proxy
# See Wikipedia and RFC5735 for full list of reserved networks.
# See ashi009/bestroutetb for a highly optimized CHN route list.
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN

# Anything else should be redirected to shadowsocks's local port
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345

# Apply the rules
root@Wrt:~# iptables -t nat -A OUTPUT -p tcp -j SHADOWSOCKS

# Start the shadowsocks-redir
root@Wrt:~# ss-redir -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid

Security Tips

Although shadowsocks-libev can handle thousands of concurrent connections nicely, we still recommend setting up your server's firewall rules to limit the number of connections from each user.

# Up to 32 connections are enough for normal usages
iptables -A INPUT -p tcp --syn --dport ${SHADOWSOCKS_PORT} -m connlimit --connlimit-above 32 -j REJECT --reject-with tcp-reset

License

Copyright (C) 2014 Max Lv max.c.lv@gmail.com

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see Licenses - GNU Project - Free Software Foundation.

A typical ShadowSocks implementation suite contains a ShadowSocks Server (an implementation of a SOCKS server) and a ShadowSocks Client (an implementation of a SOCKS client), just as the SSH suite OpenSSH contains an SSH server and an SSH client. Common ShadowSocks suites include shadowsocks-python, shadowsocks-go, shadowsocks-libev and shadowsocks-libqss (implemented in Python, Go, C and C++ respectively).

Note:

There are also standalone ShadowSocks servers and clients; Shadowsocks-Qt5, for example, is a standalone ShadowSocks client.

We use shadowsocks-libev as the example for the installation walkthrough.

1. Basic installation principle

First download the shadowsocks-libev source to the local machine (the GitHub address is https://github.com/shadowsocks/shadowsocks-libev.git; git must already be installed to clone from GitHub).
Then install it with the standard three-step source build (build-essential autoconf libtool libssl-dev gawk must already be installed).

2. Installation script

A shell script named InstallShadowSocks.sh has the following content:

#!/bin/bash
# Install "git build-essential autoconf libtool libssl-dev gawk"
apt-get update
apt-get install git build-essential autoconf libtool libssl-dev gawk
git clone https://github.com/shadowsocks/shadowsocks-libev.git
# Install with the three-step source build
cd shadowsocks-libev
./configure && make
make install

Because the apt-get install command in the script asks for a yes/no answer, the script is run with the following command:

echo "YES" | ./InstallShadowSocks.sh

With shadowsocks-libev installed, the next sections describe how to run the ShadowSocks Server on the server and the ShadowSocks Client on the local machine.

I. Running the ShadowSocks Server

Running the ss-server command starts the ShadowSocks Server. It needs a configuration file carrying the basic option values; the supported format is JSON.

1.1 JSON configuration file

Create the configuration file the ShadowSocks Server needs at run time; the format is JSON and the path is arbitrary.
Its content is as follows:

{
    "server":"example.com or X.X.X.X",
    "server_port":443,
    "password":"password",
    "method":"aes-256-cfb",
    "timeout":60
}

Where:

  1. server: domain name or IP address of the machine running the ShadowSocks Server; prefer the IP
  2. server_port: port the ShadowSocks Server listens on
  3. password: password configured on the ShadowSocks Server
  4. method: encryption method. Defaults to "table"; the others are "rc4, rc4-md5, aes-128-cfb, aes-192-cfb, aes-256-cfb, bf-cfb, camellia-128-cfb, camellia-192-cfb, camellia-256-cfb, cast5-cfb, des-cfb"
  5. timeout: time after which an idle connection is closed

1.2 Running

From the help output of ss-server (run ss-server -?), the -c option specifies the path of the configuration file to load, so we can use it to load the JSON file from section 1.1.

To keep the ShadowSocks Server running in the background, the final command to run it is:

nohup ss-server -c <JSON config file path> > log.out &

II. Running the ShadowSocks Client

Running the ss-local command starts the ShadowSocks Client. It needs a configuration file carrying the basic option values; the supported format is JSON.

2.1 JSON configuration file

Create the configuration file the ShadowSocks Client needs at run time; the format is JSON and the path is arbitrary.

Its content is as follows:

{
    "server":"example.com or X.X.X.X",
    "server_port":443,
    "local_port":1080,
    "password":"password",
    "method":"aes-256-cfb"
}

Where:

  1. server: domain name or IP address of the machine running the ShadowSocks Server; prefer the IP
  2. server_port: port the ShadowSocks Server listens on
  3. local_port: local listening port
  4. password: password configured on the ShadowSocks Server
  5. method: encryption method. Defaults to "table"; the others are "rc4, rc4-md5, aes-128-cfb, aes-192-cfb, aes-256-cfb, bf-cfb, camellia-128-cfb, camellia-192-cfb, camellia-256-cfb, cast5-cfb, des-cfb"

2.2 Running

From the help output of ss-local (run ss-local -?), the -c option specifies the path of the configuration file to load, so we can use it to load the JSON file from section 2.1.

To keep the ShadowSocks Client running in the background, the final command to run it is:

nohup ss-local -c <JSON config file path> > log.out &

[Update] This tutorial records how to install, configure and maintain a Shadowsocks-libev server. Its highlight is that, by following the configuration advice here, your Shadowsocks-libev server can withstand all known attacks.

We are committed to keeping this tutorial up to date. If new attacks against Shadowsocks-libev are discovered, we will add mitigations to this tutorial as soon as possible, so consider bookmarking this page.

Installation

Install Snap

Installing Shadowsocks-libev through the Snap store is the officially recommended method.

  • If your server runs Ubuntu 16.04 LTS or later, Snap is already installed by default.
  • If your server runs another Linux distribution, follow the Snap core installation instructions for that distribution.

Now make sure your server has the required snapd and Snap core installed:

sudo snap install core

Install Shadowsocks-libev

Now install the latest Shadowsocks-libev:

sudo snap install shadowsocks-libev --edge

Configuration

Below is our recommended Shadowsocks-libev server configuration:

{
    "server":["::0","0.0.0.0"],
    "server_port":8388,
    "method":"chacha20-ietf-poly1305",
    "password":"ExamplePassword",
    "mode":"tcp_and_udp",
    "fast_open":false
}

Note that you must replace ExamplePassword with a stronger password. A strong password helps mitigate the recently discovered Partitioning Oracle attack against Shadowsocks servers. You can generate one in the terminal with: openssl rand -base64 16

You may also consider changing server_port from 8388 to any integer between 1024 and 65535.

Now open the default configuration file of the Snap-installed Shadowsocks-libev:

sudo nano /var/snap/shadowsocks-libev/common/etc/shadowsocks-libev/config.json

Paste the configuration above (with the password replaced) into the file, then press Ctrl + x to exit. On exit the editor asks "Save modified buffer?"; type y and press Enter.

As you can see, the default configuration path of the Snap install is too long to remember, and it is not documented in the official docs. We therefore suggest bookmarking this page for later reference.
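As an added example (not code from shadowsocks-libev or from this tutorial), the following Python linter checks a config.json of the shape used in sections 1.1 and 2.1 and in the recommended configuration above for the weaknesses the text warns about: a non-AEAD method, a placeholder or short password, a port outside 1024-65535, and fast_open enabled. The AEAD method set and the 16-character minimum are assumptions of the example.

```python
"""Added example, not shadowsocks-libev code: lint a shadowsocks-libev
config.json for the weak choices this page warns about."""
import json

# Assumption: AEAD ciphers offered by a modern shadowsocks-libev build. Every
# method on the page's -m list (table, rc4, rc4-md5, *-cfb) falls outside it.
AEAD_METHODS = {"chacha20-ietf-poly1305", "aes-128-gcm", "aes-192-gcm", "aes-256-gcm"}
PLACEHOLDER_PASSWORDS = {"password", "ExamplePassword"}   # literals from this page
MIN_PASSWORD_LEN = 16   # assumption; `openssl rand -base64 16` yields 24 chars


def lint_config(text: str) -> list[str]:
    """Return a list of findings for one config.json; an empty list means clean."""
    cfg = json.loads(text)
    findings = []
    method = cfg.get("method", "table")   # the page notes "table" is the default
    if method not in AEAD_METHODS:
        findings.append(f"method {method!r} is not AEAD; use chacha20-ietf-poly1305")
    pw = cfg.get("password", "")
    if len(pw) < MIN_PASSWORD_LEN or pw in PLACEHOLDER_PASSWORDS:
        findings.append("password is short or a placeholder; run: openssl rand -base64 16")
    port = cfg.get("server_port")
    if not isinstance(port, int) or not 1024 <= port <= 65535:
        findings.append(f"server_port {port!r} is outside the suggested 1024-65535 range")
    if cfg.get("fast_open") is True:
        findings.append("fast_open is true; the recommended config sets it to false")
    return findings


# Constructed sample configs, shaped like the page's own examples.
LEGACY_CONFIG = ('{"server":"example.com","server_port":443,"password":"password",'
                 '"method":"aes-256-cfb","timeout":60}')
RECOMMENDED_TEMPLATE = ('{"server":["::0","0.0.0.0"],"server_port":8388,'
                        '"method":"chacha20-ietf-poly1305","password":"ExamplePassword",'
                        '"mode":"tcp_and_udp","fast_open":false}')
HARDENED_CONFIG = RECOMMENDED_TEMPLATE.replace("ExamplePassword", "Zz8bQ2v7xHn4tK1pLm6sRq==")

if __name__ == "__main__":
    for name, cfg in [("legacy", LEGACY_CONFIG), ("template", RECOMMENDED_TEMPLATE),
                      ("hardened", HARDENED_CONFIG)]:
        print(name, lint_config(cfg) or ["OK"])
```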

Firewall

We use ufw to manage the Shadowsocks server's firewall.

On Debian-based servers, ufw can be installed with the following command:

sudo apt update && sudo apt install -y ufw

Then open the ssh and Shadowsocks-libev ports. Note that the commands below assume that server_port in /var/snap/shadowsocks-libev/common/etc/shadowsocks-libev/config.json is 8388. If you used another value for server_port, adjust the commands accordingly:

sudo ufw allow ssh
sudo ufw allow 8388

Now enable ufw:

sudo ufw enable

If the prompt Command may disrupt existing ssh connections. Proceed with operation (y|n)? appears, type y and press Enter.

Finally, run sudo ufw status and check that your configuration matches the following:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
8388                       ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
8388 (v6)                  ALLOW       Anywhere (v6)

Running Shadowsocks-libev

Now start Shadowsocks-libev:

sudo systemctl start snap.shadowsocks-libev.ss-server-daemon.service

Remember to enable Shadowsocks-libev at boot:

sudo systemctl enable snap.shadowsocks-libev.ss-server-daemon.service

Maintenance

Check status and logs

The following command shows the running status of Shadowsocks-libev:

sudo systemctl status snap.shadowsocks-libev.ss-server-daemon.service

If you see a green Active: active (running), your Shadowsocks-libev server is running normally; if you see a red Active: failed, run journalctl -u snap.shadowsocks-libev.ss-server-daemon.service and jump to the end of its output to see what went wrong.

Reload the configuration file

Whenever you change the configuration file, restart Shadowsocks-libev with the following command to load the modified file:

sudo systemctl restart snap.shadowsocks-libev.ss-server-daemon.service

Configure backup ports to mitigate port blocking

Here we share a method of using backup ports to mitigate port blocking.

On the server, the following commands forward all TCP and UDP traffic received on ports 12000 to 12010 to port 8388:

sudo iptables -t nat -A PREROUTING -p tcp --dport 12000:12010 -j REDIRECT --to-port 8388
sudo iptables -t nat -A PREROUTING -p udp --dport 12000:12010 -j REDIRECT --to-port 8388

Remember to:

  1. Replace 12000:12010 with a port number, or a port range, known only to you (we suggest picking a few ports or one range between 1024 and 65535).
  2. Replace port 8388 with the port your Shadowsocks server actually uses.

This way, if the port 12000 you are using gets blocked, you do not need to change IP or log in to the server to edit the configuration file; you only need to change the port from 12000 to 12001 on the client (computer or phone) and keep going.

If you configured it correctly, the output of the following command should look like this:

sudo iptables -t nat -L PREROUTING -nv --line-number
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:12000:12010 redir ports 8388
2        0     0 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:12000:12010 redir ports 8388

Note that any port between 1024 and 65535 can serve as a backup port. Even using ephemeral ports (/proc/sys/net/ipv4/ip_local_port_range) as backup ports will not interfere with the server's normal outbound connections.
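As an added example, not part of this tutorial, the Python below parses the output of iptables -t nat -L PREROUTING -nv --line-number shown above and confirms that both the TCP and the UDP REDIRECT rule for the backup range point at the server port; a missing UDP rule or a wrong target port is reported as a failure rather than silently passed. The protocol-number mapping is an assumption for iptables builds that print numeric protocols under -n.

```python
"""Added example, not part of this tutorial: verify the backup-port REDIRECT
rules from an `iptables -t nat -L PREROUTING -nv --line-number` listing."""
import re

# One rule row of the numbered verbose listing: num pkts bytes target prot opt
# in out source destination, followed by the match/target details.
RULE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+\S+\s+\S+\s+(?P<target>\S+)\s+(?P<proto>\S+)"
    r"\s+\S+\s+\S+\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<rest>.*)$"
)
DPTS_RE = re.compile(r"dpts?:(\d+)(?::(\d+))?")   # dpt:12000 or dpts:12000:12010
REDIR_RE = re.compile(r"redir ports (\d+)")
PROTO_NAMES = {"6": "tcp", "17": "udp"}   # assumption: builds that print numbers


def parse_redirects(listing: str) -> list[dict]:
    """Return one dict per REDIRECT rule: proto, dport range lo..hi, target port."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m or m["target"] != "REDIRECT":
            continue
        dpts, redir = DPTS_RE.search(m["rest"]), REDIR_RE.search(m["rest"])
        if not dpts or not redir:
            continue
        lo = int(dpts.group(1))
        proto = PROTO_NAMES.get(m["proto"], m["proto"])
        rules.append({"proto": proto, "lo": lo, "hi": int(dpts.group(2) or lo),
                      "to": int(redir.group(1))})
    return rules


def backup_ports_ok(listing: str, lo: int, hi: int, server_port: int) -> bool:
    """True only when both tcp and udp lo:hi are redirected to server_port."""
    covered = {r["proto"] for r in parse_redirects(listing)
               if r["lo"] == lo and r["hi"] == hi and r["to"] == server_port}
    return {"tcp", "udp"} <= covered


# Constructed sample listings, shaped like the output shown above.
GOOD_LISTING = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:12000:12010 redir ports 8388
2        0     0 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:12000:12010 redir ports 8388
"""
# The udp rule was never added: the slip of pasting only the first command.
TCP_ONLY_LISTING = "\n".join(GOOD_LISTING.splitlines()[:3]) + "\n"
```

Run it against the real listing by reading the command's output into a string and calling backup_ports_ok(output, 12000, 12010, 8388).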