October 17, 2023
Some people need a quick and free way to access a Shadowsocks server.
At the same time, other people are willing to provide free Shadowsocks servers, if they are in the public interest.
One thing that puts people off from providing free Shadowsocks servers is that you are effectively acting as an exit node. Whatever anyone does on your server can be blamed on you.
The architecture in this post addresses this problem. It makes it safer for anyone to offer free public-interest Shadowsocks servers.
+----------+        +--------+--------+
|    SS    |        |   SS   |  Tor   |
|  Client  +------->+ Server + Client +------> TOR
|          |        |        |        |
+----------+        +--------+--------+
The free server accepts SS traffic, but forces it into the Tor network. The risk is shunted to the knowledgeable and well-resourced organizations who host Tor exit nodes.
Also, since Tor will be slower than a commercial VPN, your server will not be exploited by cheap people who want a VPN but want someone else to pay for it.
Note that an adversary with both the password and the ability to eavesdrop on network traffic could decrypt the outer layer of encryption. Therefore only use these servers for HTTPS sites and in situations where it does not matter if the Server Name Indication (SNI) might be exposed. The pages visited and the data itself will still be protected by HTTPS.
The remainder of this post shows you how to set up the server and gives an example of installing a client.
Install the prerequisite package to access the Tor repositories:
apt install -y apt-transport-https
Create /etc/apt/sources.list.d/tor.list like the example below (the distribution here is Ubuntu 22.04, which is why the distribution is jammy):
deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org jammy main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org jammy main
Get the Tor signing key:
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
Install Tor:
apt update && apt install -y tor deb.torproject.org-keyring
By default, Tor listens for SOCKS traffic on port 9050:
systemctl status tor@default
ss -tulpn | grep 9050
Choose a port:
echo $((1024 + $RANDOM))
Choose a password:
< /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-24};echo;
Install the latest version of Xray to host your SS server:
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install --beta -u root
Edit the Xray configuration file /usr/local/etc/xray/config.json. Make it look like this. Note that Tor handles TCP only, and therefore the SS input must also be TCP only. (Firefox has a feature to send DNS queries through a SOCKS tunnel.)
{
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "ip": [
          "geoip:private"
        ],
        "outboundTag": "block"
      }
    ]
  },
  "inbounds": [
    {
      "port": <PORT-NUMBER>,
      "protocol": "shadowsocks",
      "settings": {
        "clients": [
          {
            "password": "<PASSWORD>",
            "method": "chacha20-ietf-poly1305"
          }
        ],
        "network": "tcp"
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "socks",
      "tag": "tor",
      "settings": {
        "servers": [
          {
            "address": "127.0.0.1",
            "port": 9050
          }
        ]
      }
    },
    {
      "protocol": "blackhole",
      "tag": "block"
    }
  ]
}
Restart Xray with your configuration:
systemctl restart xray && systemctl status xray
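The whole design depends on the configuration never letting traffic leave the server directly. The following audit script is an added example, not part of the original post or of Xray: it checks that the first (default) outbound is the SOCKS outbound to Tor on 127.0.0.1:9050, that no outbound other than socks or blackhole exists, and that the Shadowsocks inbound is TCP-only. The function name, sample port and password are constructed for illustration.

```python
import copy

TOR_SOCKS = ("127.0.0.1", 9050)  # Tor's SOCKS listener, as configured in the post

def audit_xray_config(cfg):
    """Return findings; an empty list means every connection is forced into Tor."""
    findings = []
    outbounds = cfg.get("outbounds", [])
    # Xray routes traffic that matches no rule to the first outbound in the list.
    if not outbounds or outbounds[0].get("protocol") != "socks":
        findings.append("first (default) outbound is not the SOCKS outbound to Tor")
    for ob in outbounds:
        proto = ob.get("protocol")
        if proto == "socks":
            for srv in ob.get("settings", {}).get("servers", []):
                if (srv.get("address"), srv.get("port")) != TOR_SOCKS:
                    findings.append(f"socks outbound points at {srv.get('address')}:{srv.get('port')}")
        elif proto != "blackhole":
            findings.append(f"outbound '{proto}' lets traffic leave without Tor")
    for ib in cfg.get("inbounds", []):
        if ib.get("protocol") == "shadowsocks":
            # Tor carries TCP only, so the inbound must say "tcp" explicitly.
            if ib.get("settings", {}).get("network") != "tcp":
                findings.append(f"inbound on port {ib.get('port')} is not TCP-only")
    return findings

# Constructed sample: the post's layout with a placeholder port and password.
GOOD = {
    "inbounds": [{"port": 23456, "protocol": "shadowsocks", "settings": {
        "clients": [{"password": "EXAMPLE-PASSWORD", "method": "chacha20-ietf-poly1305"}],
        "network": "tcp"}}],
    "outbounds": [
        {"protocol": "socks", "tag": "tor",
         "settings": {"servers": [{"address": "127.0.0.1", "port": 9050}]}},
        {"protocol": "blackhole", "tag": "block"}],
}

# Constructed misconfiguration: a direct "freedom" outbound first, and UDP enabled.
BAD = copy.deepcopy(GOOD)
BAD["outbounds"].insert(0, {"protocol": "freedom", "tag": "direct"})
BAD["inbounds"][0]["settings"]["network"] = "tcp,udp"

if __name__ == "__main__":
    import json, sys
    # Audit the files given on the command line, or the two samples if none.
    cfgs = {p: json.load(open(p)) for p in sys.argv[1:]} or {"GOOD": GOOD, "BAD": BAD}
    for name, cfg in cfgs.items():
        print(name, audit_xray_config(cfg) or "ok: all outbound traffic goes to Tor")
```

Pass the path of the live configuration file as an argument once the placeholders have been replaced with real values.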
Supply the server IP address, port, password, and encryption method to the public. You can also supply them as a URI-style ss:// link or as a QR code. Most SS clients can import server parameters from a URI or on-screen QR code.
The original Shadowsocks URI-style ss:// consisted of:
ss://websafe-base64-encode(method:password@hostname:port)#remark
Shadowsocks Improvement Proposal SIP002 proposed a new URI scheme, following RFC 3986, which looks like this:
ss://websafe-base64-encode(method:password)@hostname:port#remark
Some people use the original style, some people use the new style of ss:// URIs.
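Since both styles are in circulation, the sketch below builds each form from the same server parameters and parses either one back. It is an added example, not code from the original post or from any Shadowsocks client; the function names and sample values are constructed, and it goes slightly beyond the two templates by tolerating missing base64 padding and passwords that contain @ or :.

```python
import base64
from urllib.parse import quote, unquote

def _b64e(text):
    # Web-safe alphabet; trailing "=" padding is dropped (a choice of this example).
    return base64.urlsafe_b64encode(text.encode()).decode().rstrip("=")

def _b64d(text):
    # Accept input with or without padding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)).decode()

def build_legacy(method, password, host, port, remark=""):
    uri = "ss://" + _b64e(f"{method}:{password}@{host}:{port}")
    return uri + ("#" + quote(remark) if remark else "")

def build_sip002(method, password, host, port, remark=""):
    userinfo = _b64e(f"{method}:{password}")
    uri = f"ss://{userinfo}@{host}:{port}"
    return uri + ("#" + quote(remark) if remark else "")

def parse_ss_uri(uri):
    """Parse either ss:// style into a dict of server parameters."""
    if not uri.startswith("ss://"):
        raise ValueError("not an ss:// URI")
    body, _, remark = uri[len("ss://"):].partition("#")
    if "@" in body:
        # SIP002: only method:password is encoded; host:port is in the clear.
        style = "sip002"
        userinfo, _, hostport = body.rpartition("@")
        creds = _b64d(userinfo)
    else:
        # Original style: the whole body is one base64 blob.
        style = "legacy"
        creds, _, hostport = _b64d(body).rpartition("@")
    method, sep1, password = creds.partition(":")   # method never contains ":"
    host, sep2, port = hostport.rpartition(":")
    if not (sep1 and sep2 and port.isdigit()):
        raise ValueError("malformed ss:// URI")
    return {"style": style, "method": method, "password": password,
            "host": host, "port": int(port), "remark": unquote(remark)}

# Constructed sample parameters (documentation IP range, placeholder password).
SAMPLE = ("chacha20-ietf-poly1305", "EXAMPLE-p@ss:word", "203.0.113.10", 23456, "Tor-backed SS")

if __name__ == "__main__":
    for build in (build_legacy, build_sip002):
        uri = build(*SAMPLE)
        print(uri, "->", parse_ss_uri(uri))
```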
Clients are available for many platforms. Here are some examples:
We will give detailed installation instructions for Shadowsocks for Windows.
Open a browser and visit https://github.com/shadowsocks/shadowsocks-windows, the C# port of Shadowsocks.
Scroll down and click Releases in the sidebar.
The topmost release will be the most recent.
Scroll down to the Assets section, and download the .zip file.
The .zip file is saved to your Downloads folder.
Right-click on the .zip file, and select Extract All....
In the extracted folder, click Shadowsocks.exe to launch the application.
Make sure your screen is displaying the QR code.
Click the up-arrow at the bottom right of your Windows desktop to bring up the icons in the system tray.
Find the Shadowsocks icon. Right-click on it to bring up the Shadowsocks context menu. Select Servers, then select Scan QR code from Screen. Click OK.
Make sure you have set the System Proxy mode to Global (the Shadowsocks icon in the system tray changes color to show this is on).
Open a browser and visit some websites. If you wish, you can check your apparent IP address by visiting https://check.torproject.org.
When you are finished browsing, find the Shadowsocks icon in the system tray, right-click, and select Quit.