Nowadays, when all sorts of bad actors try to get into your traffic and make a mess of it, encrypting traffic has become fashionable. This is good and useful, but it is often overdone. If encrypting traffic to a trusted server, such as your own VPS, is your only goal, then OpenVPN is too heavyweight for the purpose. It takes a long time to configure, it is easy to detect, and, most importantly, it has pitfalls which, if you do not know them, leave you in a situation where the VPN is up but the traffic goes around it. All this is because OpenVPN was conceived as a means of reaching a small network over the Internet, not as a means of reaching the whole Internet.
And here the fraternal people of China gave us a clever gift. In 2012 they released the free open-source project Shadowsocks. It is a pair of programs, a server and a client, which work on the following principle: the client pretends to be a SOCKS5 proxy server, accepts incoming connections, encrypts them and passes them to the server, which releases them onto the Internet. The principle of operation is thus similar to an SSH tunnel, but it has many advantages and a couple of disadvantages compared to it.
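To make that principle concrete, here is an added Python example (not code from the Shadowsocks project) showing the part of the client's job just described: it parses the SOCKS5 CONNECT request a local program sends and extracts the target-address header that ss-local then encrypts and forwards to ss-server. The Shadowsocks header reuses the SOCKS5 address encoding, so the bytes are taken as-is; the sample requests are constructed.

```python
import socket
import struct

# Address types shared by SOCKS5 (RFC 1928) and the Shadowsocks target header:
# 0x01 IPv4 (4 bytes), 0x03 domain (length byte + name), 0x04 IPv6 (16 bytes),
# each followed by a 2-byte big-endian port.
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
SOCKS5_GREETING_REPLY = b"\x05\x00"  # version 5, "no authentication required"
# Reply ss-local sends for CONNECT: success, bound to 0.0.0.0:0 (it relays, it does not bind).
SOCKS5_CONNECT_REPLY = b"\x05\x00\x00\x01" + b"\x00" * 4 + b"\x00\x00"


def header_length(data: bytes, start: int) -> int:
    """Length of the ATYP+address+port block that starts at data[start]."""
    atyp = data[start]
    if atyp == ATYP_IPV4:
        n = 1 + 4
    elif atyp == ATYP_IPV6:
        n = 1 + 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < start + 2:
            raise ValueError("truncated domain length")
        n = 2 + data[start + 1]
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    return n + 2  # plus the port


def parse_connect_request(data: bytes) -> bytes:
    """Validate a SOCKS5 request and return the Shadowsocks target header (ATYP..port).
    Only CONNECT is handled; BIND and UDP ASSOCIATE are rejected."""
    if len(data) < 4 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    if data[1] != 0x01:
        raise ValueError("unsupported command 0x%02x" % data[1])
    end = 3 + header_length(data, 3)
    if len(data) < end:
        raise ValueError("truncated request")
    return data[3:end]


def describe_header(header: bytes) -> tuple:
    """Turn a target header back into (host, port), e.g. for logging."""
    atyp = header[0]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntop(socket.AF_INET, header[1:5]), header[5:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, header[1:17]), header[17:]
    else:
        n = header[1]
        host, rest = header[2:2 + n].decode("ascii"), header[2 + n:]
    return host, struct.unpack("!H", rest[:2])[0]


if __name__ == "__main__":
    # Constructed request: CONNECT duckduckgo.com:443, as a browser would send it.
    req = b"\x05\x01\x00\x03\x0educkduckgo.com\x01\xbb"
    print(describe_header(parse_connect_request(req)))  # ('duckduckgo.com', 443)
```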
Advantages of Shadowsocks
- Easy server setup: below I will show that the standard config is just 5 lines, and you do not need to mess with certificates. After all, it is not a banking network we are building.
- Easy client setup. There are clients for everything, without exaggeration. The client config is the same 5 lines.
- The client does not need admin rights to run. Moreover, it can be installed from pip, so any programmer can connect from work.
- Easy to configure access at the level of individual programs. In the browser, with add-ons like FoxyProxy / SwitchyOmega, even at the level of individual addresses according to complex rules. With a VPN this can only be achieved by running a local proxy on each client.
- Unlike a VPN, which on most systems is implemented through a virtual network adapter, the Shadowsocks client does not go anywhere when the connection drops, so your traffic will not start going out unprotected on its own. Moreover, even if the Shadowsocks application itself crashes, programs will not connect directly unless they are configured to do so. With a VPN you have to implement kill switches, and those, especially on Windows, are unreliable and have side effects.
- Compared with an SSH tunnel: higher bandwidth, and it supports thousands of clients with a bunch of connections from each. An SSH tunnel under, for example, torrents is noticeably sad; moreover, minor network irregularities significantly reduce its speed. Shadowsocks does not care.
- Sends less protocol overhead per connection, which is kind to the battery of mobile devices.
- There are exotic server versions written as libraries for different languages. That is, you can embed a server in your own program to encrypt your clients' access.
- Graphical client configuration. You can generate a QR code which, when scanned, configures mobile and Windows clients automatically. Configure one Windows client, generate the code, and it is spread to 20 phones in a minute. You can put it on a website or hang it on the wall.
Disadvantages of Shadowsocks
- Unlike OpenVPN, it has not passed an official audit. Many people have looked at it, since the code is open and small, but officially it has not.
- Does not separate users. You can teach it to listen on several ports with different passwords, but on one port there is one password. Knowing the password does not (in theory) let you eavesdrop on another subscriber of the same port.
- Cannot forward a port in the opposite direction. That is, everyone sits as if behind NAT. You have to use an SSH tunnel if you need that.
- The Android client keeps as many as two (!) non-dismissable notifications. If you do not hide them, it is very annoying.
- There are a couple of stubborn Windows programs that will not go through Shadowsocks no matter how you configure them. Alas, a program's author can write the connection code so that it ignores the proxy settings, and they sometimes do exactly that when checking software licenses. Below I will describe a clever trick for recognizing such programs.
- Connection latency is higher than with OpenVPN. Not by much, but still.
- Cannot compress traffic. In the age of HTTPS this is not important, but for, say, uncompressed text files and raw Ubuntu images there is a difference.
- The documentation was written by Chinese developers in Chinese English, with a bunch of missing points and mutual contradictions.
Shadowsocks server setup. Method 1
We write a config. Here is an example of a complete working config:

    {
        "server": "111.222.333.444",
        "server_port": 8390,
        "local_port": 1080,
        "password": "buratino.ty.sam.sebe.vragg",
        "timeout": 60,
        "method": "aes-256-cfb",
        "fast_open": true
    }

This is the config for both server and client. In order we have: the server's address and port (even port 80 is possible); the port on which the client will accept connections (better not to touch it); the password in clear text; the time in seconds after which the server closes an idle channel; the encryption method; and fast_open. About the last two in more detail.
Shadowsocks has a bunch of encryption methods to choose from, but only two are practically applicable. chacha20-ietf-poly1305 is an algorithm designed by Daniel J. Bernstein and adopted by Google for its own needs. It is good for devices that cannot do AES in hardware, which means very cheap mobile phones and other smart appliances, and for paranoids who fear backdoors in the processor. Everyone else should use aes-256-cfb. Either way, both ciphers are reliable and time-tested.
The fast_open setting reduces connection latency, but requires a kernel of at least 3.7. And even then it does not always work; in particular, it does not work if your virtual machine is OpenVZ. On the Scaleway ARM machines it did not start either. In general, turn it on if it works.
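The QR code mentioned among the advantages is simply this config encoded as an ss:// URI. Here is an added Python example, not from the Shadowsocks project, that turns the config above into a SIP002 ss:// URI (the text a QR generator would encode) and parses such URIs back, including the older all-base64 form; the tag name is an assumption. Keep in mind that the URI only base64-encodes the password, so anyone who can scan the poster on the wall has it.

```python
import base64
from urllib.parse import quote, unquote

# The article's example config (its server IP is the article's own placeholder, kept as-is).
CONFIG = {"server": "111.222.333.444", "server_port": 8390,
          "password": "buratino.ty.sam.sebe.vragg", "method": "aes-256-cfb"}


def _b64(s: str) -> str:
    # URL-safe base64 without padding, as SIP002 specifies for the userinfo part.
    return base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")


def _unb64(s: str) -> str:
    # Accepts both the URL-safe and the standard alphabet and restores stripped padding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)).decode()


def config_to_uri(cfg: dict, tag: str = "") -> str:
    """SIP002 form: ss://base64url(method:password)@host:port#tag."""
    uri = "ss://%s@%s:%d" % (_b64("%s:%s" % (cfg["method"], cfg["password"])),
                            cfg["server"], cfg["server_port"])
    return uri + ("#" + quote(tag) if tag else "")


def uri_to_config(uri: str) -> dict:
    """Parse a SIP002 URI or the legacy ss://base64(method:password@host:port) form.
    Bracketed IPv6 literals are not handled; a /?plugin=... suffix is ignored."""
    if not uri.startswith("ss://"):
        raise ValueError("not an ss:// URI")
    body, _, tag = uri[5:].partition("#")
    if "@" not in body:                 # legacy form: the whole body is base64
        body = _unb64(body)
    userinfo, _, hostport = body.rpartition("@")
    if ":" not in userinfo:             # SIP002 form: only userinfo is base64
        userinfo = _unb64(userinfo)
    method, _, password = userinfo.partition(":")
    hostport = hostport.partition("/")[0].partition("?")[0]
    host, _, port = hostport.rpartition(":")
    return {"server": host, "server_port": int(port), "password": password,
            "method": method, "tag": unquote(tag)}


if __name__ == "__main__":
    # Feed this string to any QR code generator to get the "scan and go" client setup.
    print(config_to_uri(CONFIG, "my vps"))
```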
Now that the config is ready, install the package. Here it must be clarified that there are two versions. Plain shadowsocks is the reference implementation written in Python, and shadowsocks-libev is the same thing rewritten in pure C for speed. That is the one we will set up. In the newest Linux distributions it is in the main repository; for older ones, see here.
Then run: ss-server -c config.conf. Everything should work. Do not forget the firewall and autostart. I will not write about Linux administration here, so if something does not work, go to method 2.
Method 2
Install docker and docker-compose:
apt install docker docker-compose
Next, in a file which must be called docker-compose.yml, we write a config like this:
    version: '3'
    services:
      shadowsocks:
        image: shadowsocks/shadowsocks-libev:latest
        environment:
          - TZ=Europe/Moscow
          - PASSWORD=buratino.ty.sam.sebe.vragg
          - METHOD=aes-256-cfb
          - ARGS=
Pay attention to the indentation; it is significant. If you want, you can bring up several servers on different ports with different passwords; for that you just duplicate the whole shadowsocks: block under different names. When the config is ready, run, in the same folder:
docker-compose up -d
and everything starts. Docker will even, without asking, drill a hole in the firewall for each port, the pest.
Client configuration
It is all easier. Go to the site, download the desired client, and set it up in its interface. For Linux users there is, of course, a console daemon that eats the config from method 1.
After setting up the client, a SOCKS5 proxy sits on your system on port 1080, which by default is not reachable from outside; you can open it if you are on a friendly LAN. It is important to understand that programs will not go there on their own. You need to configure the system proxy (if you want all programs to go through SOCKS) or each program separately, and preferably both; it does not hurt. On Windows 10 the control panel has the item Network & Internet → Proxy. There you enter the proxy address 127.0.0.1, the port as configured (1080), and exclusions for the local network (usually 192.168.0.1/24, although check for yourself) and for the server's own IP address. If someone uses the Windows Subsystem for Linux, this configuration does not apply there; you have to declare the socks5_proxy variable in it. Full Linux systems usually have similar settings in their control panel. For browsers I recommend add-ons like FoxyProxy (FF) and SwitchyOmega (Chrome) for fine-grained rules about which sites go through the proxy and which go direct. In particular, direct access must be configured for your provider's resources and, possibly, for your bank. I also recommend not surprising Mosenergosbyt with logins from abroad; they are skittish enough as it is. PayPal, oddly enough, does not care. Do not forget to tick "DNS through proxy" or make sure that it is the default.
Operation check
At this stage everything should work. Two tests are needed. First, in a browser, preferably a primitive out-of-the-box one and not your main one, go to https://duckduckgo.com/ and enter "my ip" into the search. The address must be the server's. Then, in the client settings, enter a wrong password and make sure that all programs stopped working. This checks that no program is going around the proxy.
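The wrong-password test finds leaks by breaking things; a quieter way to spot programs that go around the proxy is to look at who holds TCP connections going neither to the local SOCKS port nor to the Shadowsocks server. This is an added Python example, not part of the original article, that does that over the output of `ss -Htnp state established` on Linux; the sample lines and the server address 203.0.113.10 are constructed, and `-p` only shows other users' processes when run as root.

```python
import re
import sys
from ipaddress import ip_address, ip_network

PROXY = ("127.0.0.1", 1080)          # where the Shadowsocks client listens (the article's default)
SS_SERVER = "203.0.113.10"           # constructed placeholder for your VPS address
# Destinations the article tells you to exclude from the proxy: local network and loopback.
ALLOWED_DIRECT = [ip_network("192.168.0.0/24"), ip_network("127.0.0.0/8"), ip_network("::1/128")]

# One line of `ss -Htnp state established`: Recv-Q Send-Q Local Peer [users:(("proc",pid=N,fd=M))]
LINE_RE = re.compile(
    r'^\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?')


def split_hostport(s: str):
    host, _, port = s.rpartition(":")
    return host.strip("[]"), int(port)      # "[::1]:1080" -> ("::1", 1080)


def find_bypassing(lines):
    """Return (process, pid, peer) for established connections that go around the proxy."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        host, port = split_hostport(m["peer"])
        if (host, port) == PROXY or host == SS_SERVER:   # via the proxy, or ss-local itself
            continue
        if any(ip_address(host) in net for net in ALLOWED_DIRECT):
            continue
        hits.append((m["proc"] or "?", int(m["pid"] or 0), m["peer"]))
    return hits


# Constructed sample: a browser through the proxy, ss-local talking to the VPS, a LAN share,
# and a license checker that ignores the proxy settings.
SAMPLE = """\
0 0 127.0.0.1:49152 127.0.0.1:1080 users:(("firefox",pid=2210,fd=80))
0 0 192.168.0.7:51234 203.0.113.10:8390 users:(("ss-local",pid=1742,fd=9))
0 0 192.168.0.7:51240 192.168.0.1:445 users:(("smbd-client",pid=300,fd=4))
0 0 192.168.0.7:51301 198.51.100.23:443 users:(("licensecheck",pid=4410,fd=7))
""".splitlines()

if __name__ == "__main__":
    # Real use: ss -Htnp state established | python3 bypass_check.py
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for proc, pid, peer in find_bypassing(lines):
        print("%s (pid %d) -> %s goes around the proxy" % (proc, pid, peer))
```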
Additions
I will tell you about some additions to Shadowsocks, but will not go into their settings. Ask if needed.
Polipo. Some ancient or stubborn programs cannot do SOCKS5, but can do HTTP_PROXY. In particular, the official Twitter client for Android still cannot use Shadowsocks if it is installed not on the phone itself but, say, on a router. In this case you can install the Polipo HTTP proxy server and in its settings specify forwarding to Shadowsocks. All HTTP proxy programs are abandoned due to low demand, but Polipo still works without problems.
Obfs-proxy. Lets you wrap Shadowsocks traffic in clean, unremarkable SSL, and on port 443 at that. This is for when someone already has protocol whitelists.
KCPTUN. The KCP protocol is a layer over UDP for working in very poor networks with high loss, such as a cellular modem on the edge of reception or a tropospheric radio relay link. Using KCP lets you communicate a bit faster than pure UDP, and Shadowsocks is a very convenient way to wrap your traffic in KCP.
It would also be nice to configure Fail2ban to repel DDoS attempts against the server. But if you do not offend schoolchildren, who would bother you? Set a longer password, since you do not even have to type it into phones, and do not worry. My real password is 40 random characters.
That's all!