Shadowsocks over Restls

July 20, 2023

Restls is a response to the TLS-in-TLS detection and blocking of October 2022. It imitates a TLS connection, while disrupting the packet lengths that would be characteristic of TLS-in-TLS. Restls does this by injecting spoof packets and fragmenting real packets. The rules for manipulating packets are not hardcoded, but are determined at run time by a "script."

In this tutorial, you'll set up a server and client implementing Shadowsocks over Restls. The server is a small VPS that runs Ubuntu 22.04. The client may be macOS, Windows, or Linux.

The examples in this post use these values:

For more information on Restls, visit

Install and configure Shadowsocks on server

You do not need to open any firewall ports for Shadowsocks, since traffic will pass through Restls first.

Install Shadowsocks from the repositories:

apt update && apt upgrade -y
apt install -y shadowsocks-libev

Edit the Shadowsocks configuration file /etc/shadowsocks-libev/config.json. Of course, you can change the password from the one in the example, provided you make equivalent changes in your client configuration.


Restart Shadowsocks with the new configuration:

systemctl restart shadowsocks-libev

Install and configure Restls on server

Open port tcp/443 in your server firewall.

Download the latest Restls binary for your server architecture from For example:


Copy the binary into a directory that is in your execution path, and give it a shorter name:

cp restls-x86_64-unknown-linux-musl /usr/local/bin/restls
chmod +x /usr/local/bin/restls

Start a new screen session for Restls:

screen -S restls

Run Restls with the given script (this is all one long command):

restls -s "" -l "" -p bONgnNUylELevNbN -f "" --script "200?100,400?100,1200?200<1,1100~300,1000~100<1,2500~500,1300~50,1300~50,100~1200"

Typical response:

INFO Restls server started as on, forwarding to

To detach from the screen session, do Ctrl+a immediately followed by d.

Restls is now listening on port tcp/443.

Your work on the server is done.

Install and configure Clash.Meta Restls fork on client

Now go to work on your client computer.

Download Clash.Meta with Restls Support from Prebuilt binaries are available for macOS Intel, macOS ARM ("Apple Silicon"), Linux Intel, Linux ARM, Windows Intel, and Windows ARM.

Create a configuration file ~/.config/clash/config.yaml. You can use the one below as a template to start with. Consult the Clash wiki at (简体中文) or (English) to learn how Clash configuration works.

port: 7890
socks-port: 7891
mode: rule

  - name: restls-tls13
    type: ss
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "h9n40xhka0i2cqms"
    plugin: restls
      host: ""
      password: "bONgnNUylELevNbN"
      version-hint: "tls13"
      client-id: chrome

  - MATCH,restls-tls13

Run Clash.Meta Restls fork on client

Run Clash.Meta from the command line. Since the configuration file is in the default location, you should not need to specify it explicitly.

Typical response:

INFO Start initial configuration in progress
INFO Geodata Loader mode: memconservative
WARN Deprecated: Use Sniff instead
INFO Initial configuration complete, total time: 0ms
INFO Sniffer is closed
INFO Start initial compatible provider default
INFO HTTP proxy listening at:
INFO SOCKS proxy listening at:

Finally, configure your browser to use the SOCKS proxy on localhost port 7891. For example, in Firefox you can do that as follows:

  1. From the hamburger menu, open Settings.
  2. Select the General page.
  3. Scroll down to Network Settings.
  4. Click Settings.
  5. Select Manual proxy configuration.
  6. Specify SOCKS Host
  7. Specify Port 7891.
  8. Select SOCKS v5.
  9. Check Proxy DNS when using SOCKS v5.
  10. Click OK.