ShadowSocks Practices

Of course, you first need a VPS; see "VPS Practices".

1 Introduction

ShadowSocks is a lightweight tool written by clowwindy that relays packets through a server.

ShadowSocks consists of three main modules:

  • ss-local: the command-line client that runs on the local machine.
  • ss-redirect:
  • ss-server: the server side that runs on the remote host.

During a transfer, the local network client first connects to ss-local over SOCKS5; the traffic on this hop is plaintext. ss-local then packages the traffic and forwards it to ss-server; the traffic on this hop is encrypted. Finally ss-server decodes the SOCKS5 packet and connects to the destination server.

2 Installation

2.1 Building and installing from source

# build dependencies
sudo apt-get install build-essential autoconf libtool libssl-dev
git clone https://github.com/shadowsocks/shadowsocks-libev.git
cd shadowsocks-libev
# a git checkout ships no configure script; generate it first
./autogen.sh
./configure && make
sudo make install

2.2 ss-server

The lightweight libev version is the one mainly used:

# First, add the GPG public key to your system:
wget -O- http://ShadowSocks.org/debian/1D27208A.gpg | sudo apt-key add -

# Ubuntu 14.04 or above
sudo sh -c 'echo "deb http://shadowsocks.org/ubuntu trusty main" > /etc/apt/sources.list.d/shadowsocks.list'

# Debian Wheezy, Ubuntu 12.04 or any distribution with libssl > 1.0.1
sudo sh -c 'echo "deb http://shadowsocks.org/debian wheezy main" > /etc/apt/sources.list.d/shadowsocks.list'

sudo apt-get update
sudo apt-get install shadowsocks-libev

2.3 ss-local

2.3.1 ss-local

2.3.2 ss-qt5

ss-qt5 is the graphical client for Linux.

sudo add-apt-repository ppa:hzwhuang/ss-qt5
sudo apt-get update
sudo apt-get install shadowsocks-qt5

2.4 Basic configuration

The ss-server and ss-local configuration files are JSON; the default file name is config.json. The server and client configurations are nearly identical, and the two can even share a single file.

{
	"server":"server-ip",
	"server_port":443,
	"local_address":"127.0.0.1",
	"local_port":1080,
	"password":"your-password",
	"timeout":300,
	"method":"rc4-md5",
	"fast_open":true,
	"workers":1
}
Table 1: Configuration options

| Name          | Explanation |
| server        | the address your server listens on (server IP) |
| local_address | the address your local client listens on (local proxy address) |
| local_port    | local port (local proxy port) |
| port_password | password used for encryption (server port(s) and password(s) you choose yourself; multiple users are supported) |
| timeout       | in seconds (idle time before the connection is dropped) |
| method        | default "aes-256-cfb"; several encryption methods are available, and M2Crypto can be used to speed up encryption |
| fast_open     | use TCP_FASTOPEN, true / false; if both client and server run Linux 3.7+, fast_open can be enabled to reduce latency |
| workers       | number of workers, available on Unix/Linux (multiple child processes, as with nginx; only useful on Unix and Linux, and may be left unset) |
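The checker below is an added example, not code from the original page or from the shadowsocks project: it parses a config.json like the one above and reports missing keys, template placeholders left in place, out-of-range ports, and the deprecated rc4-md5 stream cipher. The list of weak methods and the embedded sample config are this example's own assumptions.

```python
import json

# Methods the checker flags as deprecated stream ciphers (this example's own
# list, not one from the page); the page's sample config uses rc4-md5.
WEAK_METHODS = {"table", "rc4", "rc4-md5"}
REQUIRED_KEYS = ("server", "server_port", "method", "timeout")


def check_config(text):
    """Parse a shadowsocks config.json and return a list of findings.

    An empty list means nothing was flagged; each finding names the key
    and the problem, in the order the checks run.
    """
    try:
        cfg = json.loads(text)
    except ValueError as exc:
        return ["invalid JSON: %s" % exc]
    findings = ["missing key: %s" % k for k in REQUIRED_KEYS if k not in cfg]

    # Placeholder values copied straight from a template are a common mistake.
    if cfg.get("server") in ("", "server-ip"):
        findings.append("server: placeholder value left in place")
    # The shared secret lives in either password or port_password (multi-user).
    if "password" not in cfg and "port_password" not in cfg:
        findings.append("no password or port_password configured")
    elif cfg.get("password") in ("", "your-password"):
        findings.append("password: placeholder value left in place")

    method = cfg.get("method")
    if method in WEAK_METHODS:
        findings.append("method: %s is a deprecated stream cipher" % method)

    for key in ("server_port", "local_port"):
        port = cfg.get(key)
        if port is not None and not (isinstance(port, int) and 1 <= port <= 65535):
            findings.append("%s: %r is not a valid TCP port" % (key, port))
    timeout = cfg.get("timeout")
    if timeout is not None and not (isinstance(timeout, int) and timeout > 0):
        findings.append("timeout: must be a positive number of seconds")
    return findings


# Constructed sample: the page's example config, placeholders left unchanged.
SAMPLE = """{"server": "server-ip", "server_port": 443,
  "local_address": "127.0.0.1", "local_port": 1080,
  "password": "your-password", "timeout": 300,
  "method": "rc4-md5", "fast_open": true, "workers": 1}"""

if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE)) or "no findings")
```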

2.5 Tuning

If you see

error: too many open files

the system needs some tuning. Create the file /etc/sysctl.d/local.conf with the following contents:

# max open files
fs.file-max = 51200
# max read buffer
net.core.rmem_max = 67108864
# max write buffer
net.core.wmem_max = 67108864
# default read buffer
net.core.rmem_default = 65536
# default write buffer
net.core.wmem_default = 65536
# max processor input queue
net.core.netdev_max_backlog = 4096
# max backlog
net.core.somaxconn = 4096

# resist SYN flood attacks
net.ipv4.tcp_syncookies = 1
# reuse timewait sockets when safe
net.ipv4.tcp_tw_reuse = 1
# turn off fast timewait sockets recycling
net.ipv4.tcp_tw_recycle = 0
# short FIN timeout
net.ipv4.tcp_fin_timeout = 30
# short keepalive time
net.ipv4.tcp_keepalive_time = 1200
# outbound port range
net.ipv4.ip_local_port_range = 10000 65000
# max SYN backlog
net.ipv4.tcp_max_syn_backlog = 4096
# max timewait sockets held by system simultaneously
net.ipv4.tcp_max_tw_buckets = 5000
# turn on TCP Fast Open on both client and server side
net.ipv4.tcp_fastopen = 3
# TCP receive buffer
net.ipv4.tcp_rmem = 4096 87380 67108864
# TCP write buffer
net.ipv4.tcp_wmem = 4096 65536 67108864
# turn on path MTU discovery
net.ipv4.tcp_mtu_probing = 1

# for high-latency network
net.ipv4.tcp_congestion_control = hybla

# for low-latency network, use cubic instead
# net.ipv4.tcp_congestion_control = cubic

Then run the following command to apply the settings above:

sysctl --system

Warning: DO NOT ENABLE net.ipv4.tcp_tw_recycle!!! See this article.

2.6 Starting at boot

Use systemd to manage startup:

2.6.1 ss-server

[Unit]
Description=ShadowSocks Server Daemon
After=network.target

[Service]
User=root
Group=root
ExecStart=/usr/bin/ss-server -c /etc/shadowsocks-libev/server.json
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target

Run the following commands to start the service and enable it at boot:

systemctl start ss-server.service
systemctl enable ss-server.service
systemctl status ss-server.service

2.6.2 ss-local

[Unit]
Description=ShadowSocks client daemon
After=network.target

[Service]
User=root
Group=root
ExecStart=/usr/bin/ss-local -c /etc/shadowsocks-libev/local.json
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target

Start the client and enable it at boot in the same way:

systemctl start ss-local.service
systemctl enable ss-local.service
systemctl status ss-local.service

3 Source code analysis

Author: lsl

Created: 2016-08-07 Sun 19:30