Setting up a Shadowsocks proxy with traffic encryption and minimal speed loss

Shadowsocks is a free, open source SOCKS5 proxy. It works as follows: the client acts as a local proxy server, accepts incoming connections and encrypts their traffic, then forwards it to the remote server, which decrypts it and sends it out to the Internet.

Why is it so good?
  • All data that passes between the client and the server is encrypted.
  • Speed. Compared to an SSH tunnel, which works on a similar principle, shadowsocks has higher throughput.
  • You can choose the encryption algorithm yourself.
  • Access can be configured per program or per site.
  • OpenVPN, Tor and SSH are easily detected by the Chinese firewall; Shadowsocks is not. Even if your provider wants to throttle the connection to the proxy, you can add connection obfuscation: a plugin masks the proxy traffic as HTTPS or TLS/SSL.
  • Convenient clients for any device. You can forget about unreliable VPNs on mobile devices: download the client and connect to your own server. It doesn't drain the battery much, although that depends on the encryption method. With AES it flies on almost any smartphone, even fairly old ones, thanks to hardware support for encryption.

What tasks will it be useful for?
  • Data protection when using networks you don't trust, for example public Wi-Fi.
  • Bypassing blocks or provider firewalls. It is enough to rent a server located in a country where there are no blocks.
  • Protection against traffic interception. But it's more of a privacy tool than an anonymity tool. If you do something illegal through the server, the hoster will hand over data about you on the first request. To avoid this, you can buy a server in a third-world country where the hoster doesn't really care about information requests. In any case there is some risk, but it is much lower than with regular VPNs like Nord, because they also hand over data on the first request.
It also occurred to me that a real IP address can be uncovered by correlation (if you use Russian services that hand over data). Under the Yarovaya law, traffic data as well as data from servers and Russian services is retained, so one can compare which IP the user accessed the service from and who was connected to that IP address at the time. You can work around this by routing traffic through a Cloudflare CDN server. Others describe how this can be done. If anyone is interested, here's how it works:

(diagram)

Enough preamble, let's move on to installing the server. I'll show it using the example of a server for 99 rubles/month from a Russian hoster, located in the Netherlands. Operating system: Ubuntu 20.04. Specs: 1 GB RAM, 1 core of an E5-2630L v2, KVM virtualization. The advertised network speed is 200 Mbit.

Buy a server and select the operating system.

You will receive an IP address and a password. Connect to this IP over SSH with PuTTY. Leave the standard port, 22.


Log in. By default the account is root; if not, the hoster specified the account name in the control panel or in the email that was sent to you. The password is in the same place. (The password not being shown as you type it is normal.)


Run the following command to refresh the Linux package lists and upgrade the installed packages. (You can paste a command from the clipboard by pressing the right mouse button in PuTTY.)

Code:
sudo apt update && sudo apt upgrade -y

This will take some time. Progress is shown at the bottom left.


Next, install snapd. The shadowsocks-libev GitHub page recommends installing the server itself via snap.

Code:
sudo apt install -y snapd

Now let's reboot the server:

Code:
sudo reboot

After that, install the Shadowsocks server itself. We will use the version written in C; it's very fast and lightweight. Enter:

Code:
sudo snap install shadowsocks-libev

Create the directory where the configuration files will be stored:

Code:
sudo mkdir -p /var/snap/shadowsocks-libev/common/etc/shadowsocks-libev

After that, create and open the server configuration file:

Code:
sudo touch /var/snap/shadowsocks-libev/common/etc/shadowsocks-libev/config.json
sudo nano /var/snap/shadowsocks-libev/common/etc/shadowsocks-libev/config.json

Bring it to this form:

Code:
{
    "server": "server_ip",
    "server_port": random_port,
    "local_port": 1080,
    "password": "pass",
    "timeout": 20,
    "method": "chacha20-ietf-poly1305",
    "fast_open": true,
    "nameserver": "1.1.1.1",
    "mode": "tcp_and_udp"
}


  • server - the public IP of the server (the one you use to connect to it). You can listen on all network interfaces by using 0.0.0.0.
  • server_port - the server port. I use 443, although it can be any free port. If you don't use ports 80/443 for hosting a site on the same server, you can use them.
  • local_port - leave it at the default.
  • password - make it long and complex. You only have to enter it once anyway, in the client on your computer; you can connect your phone via a QR code.
  • timeout - the time in seconds after which an idle socket is closed. A value of 20 seconds is fine.
  • method - the encryption method. ChaCha20 is reliable enough that no one can decrypt your traffic. If you have AES hardware acceleration, or your phone's battery drains quickly, you can use AES for faster operation: enter aes-256-gcm instead of chacha20-ietf-poly1305. Both are strong ciphers.
  • fast_open - reduces latency, i.e. ping. If you run into problems, try disabling it.
  • nameserver - which DNS server shadowsocks will use. You can omit this line, in which case the server uses the DNS of your hoster. I set Cloudflare's DNS, 1.1.1.1.
  • mode - pass TCP traffic, UDP traffic or both. If your network has specific requirements, you may need tcp_only. In all other cases use tcp_and_udp.
After you have filled in the configuration file, press CTRL+O, then Enter.
Exit the editor with CTRL+X.
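As an added example (this script is not from the post and is not part of shadowsocks-libev): a small POSIX shell helper that writes a config.json with a random high port and a random 192-bit password instead of the `random_port` and `pass` placeholders, plus a check that refuses a config which still carries placeholders, a short password or a method other than the two AEAD ciphers mentioned above. The function names (`ss_random_port`, `ss_random_password`, `ss_write_config`, `ss_check_config`) are my own; the output path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original post: generate and sanity-check a
# Shadowsocks server config.json. Assumes coreutils (od, base64, head, tr, sed)
# and /dev/urandom are available, which is true on Ubuntu 20.04.

# Random unprivileged port between 10000 and 60000, taken from /dev/urandom.
ss_random_port() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( n % 50001 + 10000 ))
}

# 24 random bytes, base64-encoded: 32 characters carrying 192 bits of entropy.
# The AEAD ciphers derive their keys from this password, so it must not be guessable.
ss_random_password() {
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# Write the config. $1 = output file, $2 = public server IP (or 0.0.0.0),
# $3 = method (defaults to chacha20-ietf-poly1305, as in the post).
ss_write_config() {
    out=$1; server=$2; method=${3:-chacha20-ietf-poly1305}
    port=$(ss_random_port)
    pass=$(ss_random_password)
    cat > "$out" <<EOF
{
    "server": "$server",
    "server_port": $port,
    "local_port": 1080,
    "password": "$pass",
    "timeout": 20,
    "method": "$method",
    "fast_open": true,
    "nameserver": "1.1.1.1",
    "mode": "tcp_and_udp"
}
EOF
}

# Check a config file: only the two AEAD ciphers from the post are accepted, the
# placeholder password must be gone and at least 16 characters long, and the port
# must be numeric and in range. Returns 0 if the file looks usable, 1 otherwise.
ss_check_config() {
    f=$1
    method=$(sed -n 's/.*"method": *"\([^"]*\)".*/\1/p' "$f")
    pass=$(sed -n 's/.*"password": *"\([^"]*\)".*/\1/p' "$f")
    port=$(sed -n 's/.*"server_port": *\([0-9]*\).*/\1/p' "$f")
    case "$method" in
        chacha20-ietf-poly1305|aes-256-gcm) ;;
        *) echo "unsupported or non-AEAD method: '$method'" >&2; return 1 ;;
    esac
    if [ "$pass" = "pass" ] || [ ${#pass} -lt 16 ]; then
        echo "password is a placeholder or shorter than 16 characters" >&2; return 1
    fi
    if [ -z "$port" ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "server_port is missing or not a valid port" >&2; return 1
    fi
    return 0
}
```

Usage: `ss_write_config /var/snap/shadowsocks-libev/common/etc/shadowsocks-libev/config.json 203.0.113.10` (203.0.113.10 is a documentation address standing in for your server's IP) followed by `ss_check_config` on the same file. The check also catches the unedited template from the post, where `server_port` is the literal `random_port` and the password is `pass`.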

Now we have a configured server. But it's inconvenient to start it by hand after every reboot, so let's create a systemd service that does it for us:

Code:
sudo touch /etc/systemd/system/shadowsocks-libev-server@.service
sudo nano /etc/systemd/system/shadowsocks-libev-server@.service

Insert this:

Code:
[Unit]
Description=Shadowsocks-Libev Custom Server Service for %I
Documentation=man:ss-server(1)
# After= only orders the units; Wants= actually pulls network-online.target in
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
# %i is the instance name, so "...server@config" reads config.json from the snap's config directory
ExecStart=/usr/bin/snap run shadowsocks-libev.ss-server -c /var/snap/shadowsocks-libev/common/etc/shadowsocks-libev/%i.json
# restart automatically if ss-server exits with an error (e.g. started before the network was ready)
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target


Save with CTRL+O and exit with CTRL+X.
Run the following command:

Code:
sudo systemctl enable --now shadowsocks-libev-server@config

Check that our server has started:

Code:
sudo systemctl status shadowsocks-libev-server@config


Success.

upd: sometimes after a reboot the server starts with an error, and you need to run this command again manually:

Code:
sudo systemctl enable --now shadowsocks-libev-server@config

After that, the server starts normally.

Now configure the client. Download it for your device from the official site: https://shadowsocks.org/en/download/clients.html
Add the server and enter the same data you put in config.json. Choose the same encryption method.

Now click the shadowsocks icon, tick the autostart box, and select system proxy mode (proxy for the whole system). Check your IP address on any site you like. To connect from your phone, install shadowsocks on it. On the computer, open the server list and share the server configuration, then scan the QR code.

2ip.ru and DuckDuckGo show different locations, which is strange, but the IP is fine: we go online not with our own IP but with the IP of our host.

Now, for maximum performance, let's slightly tune the kernel settings.

Code:
sudo nano /etc/sysctl.conf

At the end of the file, insert this:

Code:
fs.file-max = 51200
# netdev_max_backlog was listed twice (250000 and 4096); only the last value
# takes effect, so a single entry with that value is kept
net.core.netdev_max_backlog = 4096
net.core.somaxconn = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle was removed from the kernel in 4.12; Ubuntu 20.04 ships 5.4,
# so `sysctl -p` reports an error for it. Left commented out.
# net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
# 3 = TCP Fast Open for both outgoing and incoming connections ("fast_open": true needs the server side)
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_mtu_probing = 1
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864

Save it, then apply the new settings:

Code:
sudo sysctl -p
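An added example, not part of the post: a lint for a sysctl file before running `sysctl -p`. Two mistakes are common in tuning lists like this one: setting the same key twice (only the last value takes effect, silently) and keeping a key the running kernel no longer has, such as net.ipv4.tcp_tw_recycle on kernels from 4.12 on, for which `sysctl -p` prints an error. The function names (`sysctl_duplicate_keys`, `sysctl_unknown_keys`, `sysctl_lint`) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: check a sysctl file for duplicate
# keys and for keys the running kernel does not expose under /proc/sys.
# Assumes POSIX sh, sed, awk and sort; /proc/sys is only needed for the
# "unknown key" check, and on a system without it every key is reported unknown.

# Print each key that occurs more than once in the file, one per line.
# Comments (#) and blank lines are ignored; whitespace around '=' is tolerated.
sysctl_duplicate_keys() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" \
        | awk -F= '{ gsub(/[[:space:]]/, "", $1); count[$1]++ }
                   END { for (k in count) if (count[k] > 1) print k }' \
        | sort
}

# Print each key whose /proc/sys path does not exist on this kernel
# (net.ipv4.tcp_fastopen -> /proc/sys/net/ipv4/tcp_fastopen).
sysctl_unknown_keys() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" \
        | awk -F= '{ gsub(/[[:space:]]/, "", $1); print $1 }' \
        | while read -r key; do
            path=/proc/sys/$(echo "$key" | tr . /)
            [ -e "$path" ] || echo "$key"
          done
}

# Report both problems; exit status 0 only when the file is clean.
sysctl_lint() {
    dups=$(sysctl_duplicate_keys "$1")
    unknown=$(sysctl_unknown_keys "$1")
    [ -n "$dups" ] && echo "duplicate keys (last value wins): $dups"
    [ -n "$unknown" ] && echo "keys unknown to this kernel: $unknown"
    [ -z "$dups" ] && [ -z "$unknown" ]
}
```

Run `sysctl_lint /etc/sysctl.conf` on the server before `sudo sysctl -p`; a duplicate is worth resolving explicitly, because the value you see first in the file is not the one that ends up applied.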

A couple of screenshots with speeds to the same data center:

Screenshot 1: without a proxy, directly.

Screenshot 2: using shadowsocks (2 tests at different times of the day).

The drop is not that significant. Upload sank for some reason, but using the Internet through the proxy is still quite comfortable.

How can I only send traffic to certain sites via shadowsocks?

Download an extension for Chrome: Proxy SwitchySharp; for Firefox: FoxyProxy (it exists for Chrome too, but it worked crookedly for me). I don't think I need to post links; you can find them yourself.
Go to the settings. I'll show the example of Chrome; in Firefox it's almost the same, only the interface differs slightly.
Add a SOCKS5 proxy. Host 127.0.0.1, port 1080 (unless you changed it in the settings of shadowsocks itself).


Then go to the switch rules and add the desired site.


Also enable auto switch mode.


Check it on the appropriate site. Don't forget that shadowsocks must be running with a configured server.

If you need to route a specific application through the proxy, use Proxifier.
 