Shadowsocks in brief, or why OpenVPN is not needed (in every home)

Nowadays, when all sorts of bad actors try to get into your traffic and tamper with it, encrypting traffic has become fashionable. The impulse is good and useful; the trouble is that it is often done with far more machinery than needed. If encrypting traffic to a trusted server, such as your own VPS, is your only goal, then OpenVPN is overkill for the purpose. It takes a long time to configure, it is easy to detect, and, most importantly, it has pitfalls: without knowing them you can end up in a situation where the VPN is up and the traffic goes around it. All this is because OpenVPN was conceived as a means of reaching a small network over the Internet, not as a way of reaching the whole Internet.

And here our Chinese brethren have given us a magnificent gift. Since 2012 they have been developing the free, open-source project Shadowsocks. It is a pair of programs, a server and a client, that work on the following principle: the client is a SOCKS5 proxy server; it accepts incoming connections, encrypts them and relays them to the server, which then releases them onto the Internet. The principle is therefore the same as an SSH tunnel, but with many advantages and a couple of disadvantages in comparison.

Advantages of Shadowsocks


  • Ease of server configuration: below I will show that the standard config is only 5 lines, and there is no need to bother with certificates. Well, really, we are not building a banking network.
  • Ease of client setup. There are clients for everything, and I am not exaggerating. The client config is the same 5 lines.
  • The client does not need admin rights to run. Moreover, it can be installed from pip, so any programmer will be able to connect from work.
  • Easy to configure access per program. In a browser, with add-ons like FoxyProxy / SwitchyOmega, this can even be done per address according to complex rules. With a VPN this can only be achieved by running a local proxy on each client.
  • Unlike a VPN, which on most systems is implemented through a virtual network card, the Shadowsocks client does not go anywhere when the connection drops, so your traffic will not wander off unprotected on its own. Moreover, even if the Shadowsocks application itself crashes, programs will not go out directly unless they are configured to. With a VPN you have to implement a kill switch, and those, especially under Windows, are unreliable and have side effects.
  • Compared to an SSH tunnel, there is much higher throughput, supporting thousands of clients with a pile of connections from each. An SSH tunnel under, for example, torrents is noticeably sad; on top of that, small irregularities in the network noticeably cut its speed. Shadowsocks does not care.
  • It carries less protocol overhead per connection, which is kind to the battery of mobile devices.
  • There are exotic server versions written as libraries for different languages, so you can embed a server in your own program to encrypt access for your clients.
  • Graphical client setup. You can generate a QR code which, when scanned, configures mobile and Windows clients by itself. Configure one Windows client, generate the code, and it is on 20 phones in a minute. You can put it on a site or hang it on the wall.

Disadvantages of Shadowsocks


  • Unlike OpenVPN, it has not passed an official audit. Many people have looked at it, the code being open and small, but officially, no.
  • It does not separate users. You can teach it to listen on several ports with different passwords, but one port means one password. Knowing the password does not (in theory) allow eavesdropping on another subscriber of the same port.
  • It cannot forward a port in the reverse direction, so everyone sits behind NAT. You will have to use an SSH tunnel for that, if you can.
  • The Android client keeps as many as two (!) persistent notifications. If you do not hide them, they get very much in the way.
  • There are a couple of hard-headed Windows programs that will not go through Shadowsocks however you configure them. Alas, a program's author can write the connection setup so that it ignores the proxy settings, and they sometimes do this when checking software licences. Below I will describe a trick for spotting these programs.
  • Connection latency is higher than OpenVPN's. Not by much, and you can still game over it, but still.
  • It cannot compress traffic. In the HTTPS age this does not matter, but for, say, uncompressed text files or raw Ubuntu images there is a difference.
  • The documentation was written by the Chinese, in Chinese English, with a bunch of missing points and mutual contradictions.

Shadowsocks server setup. Method 1

Let us write the config. Here is an example of a complete working config (the server address is a placeholder; put your own VPS address there).

{
    "server":"111.222.333.444",
    "server_port":8390,
    "local_port":1080,
    "password":"buratino.ty.sam.sebe.vragg",
    "timeout":60,
    "method":"aes-256-cfb",
    "fast_open": true
}

This config serves both server and client. In order it gives: the server address and port (even port 80 is possible); the port on which the client will accept connections (better left alone); the password in plain text; the time in seconds after which the server closes an idle channel; the cipher; and the TCP Fast Open switch. The last two deserve more detail.

Shadowsocks offers a pile of encryption methods to choose from, but only two are worth using. chacha20-ietf-poly1305 is an algorithm by Daniel J. Bernstein that Google developed further for its own internal use. It is good for devices without hardware AES, meaning very cheap phones and other smart appliances, and for paranoids who fear backdoors in the processor. Everyone else should use aes-256-cfb. Both ciphers are reliable and time-tested.

The fast_open setting reduces connection latency, but requires kernel 3.7 or later. Even then it does not always work; in particular, it does not work if your virtual machine is OpenVZ-based. On Scaleway's ARM boxes it also failed to start. In short, turn it on if it works.
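As an added example (my own code, not from the article or the Shadowsocks project): a Python script that builds the config above as a dict and as the JSON text ss-server reads, refuses any cipher other than the two just discussed, generates the 40-character random password recommended at the end of the article, and turns a config into the ss:// share link (the SIP002 form, base64url of method:password in front of host:port) that the QR codes mentioned under "Advantages" carry, plus the inverse parser. The address 203.0.113.10 and the tag are constructed values, not anything from the article.

```python
import base64
import json
import secrets
from urllib.parse import quote, unquote, urlsplit

# The two ciphers the article recommends; anything else is refused.
RECOMMENDED_METHODS = ("chacha20-ietf-poly1305", "aes-256-cfb")


def is_recommended_method(method):
    return method in RECOMMENDED_METHODS


def gen_password(length=40):
    """Random password of the given length; the alphabet avoids ':' and '@' so that
    even the old un-encoded ss:// form would stay unambiguous."""
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_."
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_config(server, server_port, password, method="chacha20-ietf-poly1305",
                local_port=1080, timeout=60, fast_open=True):
    """The dict behind the article's config file, with the obvious sanity checks."""
    if not is_recommended_method(method):
        raise ValueError(f"method {method!r} is not one of {RECOMMENDED_METHODS}")
    if not 1 <= server_port <= 65535:
        raise ValueError("server_port must be 1..65535")
    if len(password) < 16:
        raise ValueError("password shorter than 16 characters")
    return {"server": server, "server_port": server_port, "local_port": local_port,
            "password": password, "timeout": timeout, "method": method,
            "fast_open": fast_open}


def config_json(config):
    """Text to write to config.conf (what 'ss-server -c config.conf' reads)."""
    return json.dumps(config, indent=4)


def to_ss_uri(config, tag=None):
    """SIP002 share link: ss://base64url(method:password)@host:port#tag.
    This string is the payload the client QR codes contain."""
    userinfo = base64.urlsafe_b64encode(
        f"{config['method']}:{config['password']}".encode()).decode().rstrip("=")
    host = config["server"]
    if ":" in host:                       # bare IPv6 literal needs brackets in a URI
        host = f"[{host}]"
    uri = f"ss://{userinfo}@{host}:{config['server_port']}"
    if tag:
        uri += "#" + quote(tag)
    return uri


def parse_ss_uri(uri):
    """Inverse of to_ss_uri: recover server, port, method, password and tag."""
    if not uri.startswith("ss://"):
        raise ValueError("not an ss:// link")
    parts = urlsplit(uri)
    if parts.username is None or parts.hostname is None or parts.port is None:
        raise ValueError("malformed ss:// link")
    userinfo = parts.username + "=" * (-len(parts.username) % 4)   # restore padding
    method, _, password = base64.urlsafe_b64decode(userinfo).decode().partition(":")
    if not is_recommended_method(method):
        raise ValueError(f"link uses cipher {method!r}")
    return {"server": parts.hostname, "server_port": parts.port, "method": method,
            "password": password, "tag": unquote(parts.fragment) or None}


if __name__ == "__main__":
    # 203.0.113.10 is a constructed documentation address, not a real server.
    cfg = make_config("203.0.113.10", 8390, gen_password())
    print(config_json(cfg))
    print(to_ss_uri(cfg, "my vps"))
```

Feed the printed link to any QR generator and the phone clients will pick up the server, port, cipher and password from it; the parser is the check that what you put on the wall decodes back to what you meant.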

Now that the config is ready, install the package. Here it must be clarified that there are two versions: plain shadowsocks is the reference implementation written in Python, and shadowsocks-libev is the same thing rewritten in pure C for speed. We install the latter. On the newest Linux distributions it is in the main repository; for older ones, see here.

Then run: ss-server -c config.conf. Everything should work. Do not forget the firewall and autostart. I will not cover Linux administration questions here, so if something does not work, go to method 2.

Method 2

Install docker and docker-compose.

apt install docker.io docker-compose

Next, in a file that must be called docker-compose.yml, write a config like this:

version: '3'
services:
  shadowsocks:
    image: shadowsocks/shadowsocks-libev:latest
    environment:
      - TZ=Europe/Moscow
      - SERVER_PORT=8390   # the image listens on 8388 unless told otherwise; must match 'ports' below
      - PASSWORD=buratino.ty.sam.sebe.vragg
      - METHOD=aes-256-cfb
      - ARGS=--fast-open
    ports:
      - "8390:8390"
      - "8390:8390/udp"
    restart: unless-stopped

Pay attention to the indentation; it matters. If you like, you can bring up several servers at once on different ports with different passwords: just duplicate the entire shadowsocks block under different service names. When the config is ready, run in the same folder

docker-compose up -d

and everything will start. Be aware that Docker, without being asked, punches a hole in the firewall for every published port, the pest.

Client configuration

Everything is simpler here. Go to the site, download the client you need, and configure it in the interface. For Linux people there is, of course, a console daemon that eats the config from method 1.

Once the client is set up, a SOCKS5 proxy will be listening on your system on port 1080, by default unreachable from outside; you can open it up if you are on a friendly LAN. It is important to understand that programs will not go there by themselves. You have to configure the system proxy (if you want all programs to go through SOCKS) or each program separately, and it does no harm to do both. On Windows 10 the control panel has a Network & Internet → Proxy item. There you enter the proxy address 127.0.0.1, the port as configured (1080), and exceptions for the local network (usually 192.168.0.1/24, but check yours) and for the server IP itself. If anyone uses the Windows Subsystem for Linux, this setting does not apply to it; the socks5_proxy variable must be declared there. Full-fledged Linux desktops usually have the same settings in the control panel. For browsers I recommend add-ons such as FoxyProxy (Firefox) and SwitchyOmega (Chrome) for fine-grained control over which site goes through the proxy and which goes direct. In particular, direct access must be configured for your provider's resources, and possibly for your bank. I also recommend not surprising Mosenergosbyt with logins from abroad; they are timid there. PayPal, strangely enough, could not care less. Do not forget to tick "DNS through proxy", or make sure it is on by default.

Checking that it works

At this point everything should work. Two tests are needed. First, go to https://duckduckgo.com/ and enter "my ip" in the search box, preferably from a primitive "boxed" browser rather than your main one. The address shown must be the server's. Then, in the client settings, enter a wrong password and make sure that all programs have stopped working. This checks that no program sneaks around the proxy.
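An added example, not part of the original post: the SOCKS5 exchange that the first test performs, written in Python against raw sockets so it needs no PySocks. It connects through the local proxy (127.0.0.1:1080 in the setup above), sends the destination as a domain name so that the proxy rather than this machine resolves it (the "DNS through proxy" behaviour), fetches a plain-text IP-echo page and compares the answer with the server address. Because it has to run offline, selftest() talks to a constructed loopback stand-in that plays both the proxy and the echo site; the host name ip.example.test and the address 203.0.113.10 are constructed placeholders, and a real run needs a plain-text echo service of your choice (the duckduckgo "my ip" page is HTML, which this code does not parse).

```python
import socket
import struct
import threading


def _recv_exact(sock, n):
    """Read exactly n bytes; SOCKS5 fields are fixed-size, so short reads are errors."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(proxy_host, proxy_port, dest_host, dest_port, timeout=10):
    """TCP-connect to dest_host:dest_port via a SOCKS5 proxy (RFC 1928, no auth).
    dest_host is sent as ATYP 0x03 (domain name), so the proxy does the DNS lookup."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(b"\x05\x01\x00")                 # VER=5, one method offered: no auth
        ver, method = _recv_exact(sock, 2)
        if ver != 5 or method != 0:
            raise OSError(f"proxy refused no-auth (ver={ver}, method={method:#x})")
        name = dest_host.encode("idna")
        sock.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name
                     + struct.pack("!H", dest_port))   # CMD=CONNECT, ATYP=domain
        ver, rep, _rsv, atyp = _recv_exact(sock, 4)
        if ver != 5 or rep != 0:
            raise OSError(f"SOCKS5 CONNECT failed, reply code {rep}")
        # swallow BND.ADDR (length depends on ATYP) and BND.PORT
        if atyp == 1:
            _recv_exact(sock, 4)
        elif atyp == 3:
            _recv_exact(sock, _recv_exact(sock, 1)[0])
        elif atyp == 4:
            _recv_exact(sock, 16)
        _recv_exact(sock, 2)
        return sock
    except Exception:
        sock.close()
        raise


def http_get_body(sock, host, path="/"):
    """Minimal HTTP/1.0 GET over an already connected socket; returns the body text."""
    sock.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
    data = b""
    while chunk := sock.recv(4096):
        data += chunk
    sock.close()
    return data.partition(b"\r\n\r\n")[2].decode(errors="replace").strip()


def exit_ip_matches(proxy_host, proxy_port, echo_host, echo_path, expected_ip):
    """The article's first test: ask an IP-echo site through the proxy and compare
    the answer with the server's address."""
    sock = socks5_connect(proxy_host, proxy_port, echo_host, 80)
    return http_get_body(sock, echo_host, echo_path) == expected_ip


def _loopback_proxy_and_echo(reply_ip):
    """Constructed stand-in for 'Shadowsocks client + IP-echo site' (selftest only):
    one listener that plays the SOCKS5 handshake, then answers the GET with reply_ip."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if _recv_exact(conn, 3) != b"\x05\x01\x00":
                return
            conn.sendall(b"\x05\x00")                            # choose no-auth
            _recv_exact(conn, 4)                                 # VER, CMD, RSV, ATYP=3
            _recv_exact(conn, _recv_exact(conn, 1)[0] + 2)       # name + port
            conn.sendall(b"\x05\x00\x00\x01" + b"\x00" * 6)      # success, BND 0.0.0.0:0
            req = b""
            while b"\r\n\r\n" not in req:
                chunk = conn.recv(1024)
                if not chunk:
                    return
                req += chunk
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                         + reply_ip.encode() + b"\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def selftest():
    """True when the SOCKS5 client negotiated correctly and read the echoed address."""
    port = _loopback_proxy_and_echo("203.0.113.10")     # constructed documentation address
    return exit_ip_matches("127.0.0.1", port, "ip.example.test", "/", "203.0.113.10")


if __name__ == "__main__":
    print("loopback self-test:", selftest())
```

For the second test in the article, the same function is what you run after entering a wrong password in the client: socks5_connect then raises (the proxy cannot complete the CONNECT), and any program that still reaches the Internet at that moment is one that bypasses the proxy.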

Additions

I will mention some add-ons for Shadowsocks, but I will not go into their settings. Ask if you need them.

Polipo. Some ancient or stubborn programs cannot speak SOCKS5 but can use HTTP_PROXY. In particular, the official Twitter client for Android still cannot use Shadowsocks if it is installed not on the phone but, say, on a router. In that case you can install the Polipo HTTP proxy server and, in its settings, point it at Shadowsocks. All HTTP proxy programs are abandoned for lack of demand, but Polipo still works without problems so far.

Obfs-proxy. Lets you wrap Shadowsocks traffic in clean, unremarkable SSL and send it out over port 443. This is for when someone already has protocol whitelists.

Kcptun. The KCP protocol is a layer over UDP for working in very poor networks with heavy loss, such as a cellular modem at the edge of reception or tropospheric scatter radio links. KCP lets you communicate somewhat faster than plain UDP, and Shadowsocks is a very convenient way to wrap your traffic in KCP.

It would also be nice to configure Fail2ban to repel DDoS attempts on the server. But if you do not offend schoolchildren, who is going to DDoS you? Set a stronger password instead, since you only need to type it into the phones once anyway, and stop worrying. My real password is 40 random characters.

That's all!