Create your own Shadowsocks server

VPS -Vultr

This Tutorial Posted in

The first step is to go to Vultr and create an account if you don't already have one. You will need to fund your account with a minimum $5 deposit using PayPal or verify a valid credit card.

When I first signed up, I used my Chinese credit card and I was asked to verify my identity by sending them a copy of my passport and the credit card I used. I suspect that they asked for this because I was connected to a VPN when I added my credit card and the IP address did not match the country of my credit card. I recommend using a PayPal account to avoid this hassle.

Once your account is funded/verified then you can deploy a new instance (VPS).

Choose your location.
Vultr choose server location
Choose the server type (OS). For this tutorial, I am using Ubuntu 14.04 x64.
choose OS
Choose the server size, the smallest one for $2.50/month ($0.004/hr) with 20GB storage, 512MB memory, and 500GB data, is all you need for a personal shadowsocks server.
choose server size
Leave everything else as default until section 7, do not enable IPv6. Now enter a hostname, you can put anything. I entered for my hostname. As we are not using our VPS to host a website, it doesn't matter what you put here. You can also leave it blank with Vultr but some other VPS providers will require you to enter something here.

Press Deploy Now to deploy the VPS.
Enter hostname and deploy
Wait until your VPS is finished installing and the status changes to "Running". Then, click on the server to open the server details.
VPS status running
We will need the IP address and password to log into our server by SSH.
Vultr VPS server manage
The first thing I do after deploying a new VPS is look up the IP address in a geo-location database to see if it shows the correct location. Many Vultr Asian servers are incorrectly geo-located in the USA. If the IP address is not showing the correct location, then I will just destroy the instance and deploy a new one (remember, it only costs $0.01 if you destroy an instance within the first few hours).

Using a shadowsocks server with an IP address with the wrong geo-location can be annoying. You will need to manually choose the correct server when doing a speed test, Google will think you are in the wrong country, etc.

After looking up the IP address, I can see that it is correctly listed as Tokyo.
Vultr Tokyo IP address lookup
Ok, time to connect to our server using SSH. If you are using Mac, you can use the Terminal program. I am using Windows, so I have downloaded Putty.

Open Putty (or Terminal if using Mac), and enter the IP address of your Vultr server and press open to connect to it. Leave all of the settings as default. You can save the session so you don't need to enter the IP address next time, I saved the settings as "Vultr Tokyo".
Enter server IP address
Accept the security warning and then login as root and enter the password from the Vultr server management page.

Tip - To paste text from the clipboard using Putty, simply press the right mouse button once and whatever is in the clipboard will get pasted. When typing or pasting your password, you won't see anything on the screen. Just press enter after you have typed it or pasted it by single clicking the right mouse button.

Now we are logged in, your screen should look like this.
logged in successful
Update and upgrade the machine by entering the command below.

sudo apt-get update && sudo apt-get upgrade -y

Any time that you see highlighted text, enter it as a command. I will only show the screenshot for the first command, shown below.
update and upgrade command entered
After you enter the command, press enter to execute it.

Now, let's install shadowsocks on the server. There are many different versions of shadowsocks and many different ways to install them. I am going to install ShadowsocksR (SSR) using an installation script from GitHub user teddysun.

Teddysun has made some great scripts that make it very easy to install different versions of shadowsocks. If you want to support his work, you can send him a donation on Alipay or Wechat here.

Enter the following 3 commands to download the run the SSR installation script.

wget --no-check-certificate

Note - The above command is shown on 2 lines because it's too long. Make sure you copy the full command starting with wget and ending with

chmod +x

./ 2>&1 | tee shadowsocksR.log
Enter a default password and port number. Choose any password you want, and choose port 443 (works best in China). Then press any key to start the installation. The installation takes around 5 minutes.
Enter port number and password
Now, we are going to make some changes to the configuration file using the nano editor.

nano /etc/shadowsocks.json

Change method to chacha20
Change obfs to http_simple_compatible
Change fast_open to true
Make changes to config file
Press Ctrl + X to exit. When asked to save the modified buffer, press the y key once and then press enter to keep the same file name.

Restart shadowsocks so the changes will take effect.

/etc/init.d/shadowsocks restart

The server is already running, you can download a shadowsocks client and try it now.

iOS Wingy App (free)
iOS Shadowrocket App ($2.99)

Shadowsocks vs ShadowsocksR (SSR)

The original version is called Shadowsocks (SS). ShadowsocksR (SSR) is a newer version that supports obfuscation, which is useful to trick QoS filters and ISP throttling, and prevent your speed from getting throttled. It can make a big difference in speed on certain networks.

The server that we just made is compatible with both SS and SSR clients.

All of the clients are a little bit different, but basically you need to enter the following settings.

Server - The IP address of your server
Port - 443 or whatever you specified
Password - whatever you specified
Encryption - chacha20
Protocol - origin
Obfs - http_simple for obfuscation or plain for no obfuscation (this option is only available in SSR clients)

If there are any other options, leave them as default. Do not enable onetime authentication.

You need to be careful with these settings. If you don't get it exactly right, then it will seem like the proxy is connected, but you won't have any connection to the internet. Unlike a VPN, you cannot easily tell if the proxy is actually connected successfully or not.

Here are my settings using the SSR Windows client.
Windows SSR client settings entered
The way that you enable the system proxy will depend on the version of the client you are using.

Using the SSR Windows client:

Enable the proxy by choosing Mode --> Global or Mode --> PAC. Disable the proxy by choosing Mode --> disable system proxy.

If you are using the original SS client:

Enable or disable the system proxy by toggling the option Enable system proxy. The mode (PAC or Global) has it's own setting under Mode --> Global or Mode --> PAC.

TIP - Make sure you remember to disable the system proxy before you exit the client or shut down your computer. Otherwise, you will find that you have no internet at all. To solve this problem, just open the shadowsocks client and disable the system proxy.

Global vs PAC Mode

Global will route all domains through the proxy, while PAC will only use the proxy for a specific list of blocked websites such as Google, Facebook, etc and use your ISP connection for everything else. Not every blocked website is part of this PAC list.

I recommend using the Global mode.

Once you have enabled the system proxy using the client, most browsers and applications should work by default. Chrome and IE, for example, will use the system proxy settings (unless you have an extension installed that is controlling the proxy settings). Other browsers or programs, such as Firefox, need to be set manually to use the system proxy or use a SOCKS5 proxy on server port 1080. The proxy settings can usually be found in the advanced settings for most applications.

Proxies will not work for all programs and all types of web traffic. Sometimes you need to use a VPN for certain things. It is also possible to tunnel a VPN connection over shadowsocks for better VPN performance. Or, just use a VPN directly with one of the top recommended VPN servers for your ISP.

Let's check the performance of my Tokyo and Los Angeles servers.

Both servers are working but the speed is not great.
Speed test results
When testing the speed of shadowsocks, you must remember use an html5 speed test such as because all proxies will bypass Adobe Flash and you will only test your connection without the proxy if you use or other Flash based speed tests.

Now will will optimize the server for high speed.

Install Google BBR and Optimize the Server

Install Google BBR using the commands below (another teddysun script).

wget --no-check-certificate
chmod +x

The script will change the kernel and will require a reboot. Say yes when asked to reboot the server. You will lose your SSH connection and will need to open another instance of Putty to re-connect after the reboot.

After you have logged back into your server, enter the following command.

lsmod | grep bbr

Next, we need to change the kernel configuration settings.

nano /etc/sysctl.conf

Add the following lines at the bottom of the file after the net.ipv4.tcp_congestion_control = bbr line.
fs.file-max = 51200
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1
Press Ctrl + X to exit and then press Y to save the file, and press enter to keep the same file name.

Apply the new settings by entering the command below.

sysctl -p

Let's make a few more optimisations.

nano /etc/security/limits.conf

Add these lines to the bottom of the file, include the * symbol.
* soft nofile 51200
* hard nofile 51200
Press Ctrl + X to exit and then press Y to save the file, and press enter to keep the same file name.
Next, enter this command.

nano /etc/pam.d/common-session

Add the following line at the end of the file.
session required
Press Ctrl + X to exit and then press Y to save the file, and press enter to keep the same file name.

nano /etc/profile

Add the following line at the end of the file.
ulimit -n 51200
Finally, type the command below.

ulimit -n 51200

Restart the shadowsocks server again.

/etc/init.d/shadowsocks restart

The optimizations are finished!

I can see a big improvement in the speeds after the optimizations.
beta speedtest net results after optimizations
The speed is between 10 times and 25 times faster now!

The speed test was done at 11pm, the speed will be even faster during non-peak hours.

Speed test the following morning...
beta speed test following day

Bonus Section - Advanced Customization

How to open more ports and share your server with friends

Warning! Make sure you only share your server with friends or people who you trust because you will be responsible for any illegal activities originating from the IP address of your server.

The easiest way to share you server is to simply tell your friends the port number and password of your server. Everyone can use port 443 with the same password, there is no limit to how many simultaneous connections can be made.

However, if you want to give each user their own unique port number and password, you can edit the shadowsocks.json file. 

nano /etc/shadowsocks.json

Delete all of the contents of the file and then paste the contents below (using your own combination of port numbers and passwords that you wish to use).
    "port_password": {
        "443": "password1",
        "1194": "password2",
        "8000": "password3",
        "8383": "password4",
        "8384": "password5",
        "3000": "password6",
        "3001": "password7",
        "3002": "password8",
        "3003": "password9",
        "3004": "password10",
        "3005": "password11",
        "3006": "password12",
        "3007": "password13",
        "3008": "password14",
        "3009": "password15",
        "3010": "password16"
The above configuration is just an example, you can use whatever ports and passwords you want.

Don't forget to restart shadowsocks after you make changes to the config file.

/etc/init.d/shadowsocks restart

How to limit data per user/port

There is probably a much better way to do this, but this is the method I found.

This is a quick and easy way to get this job done but it has a major flaw. If your VPS is rebooted, then the data counters will be cleared. Theoretically, there should be some way to save the byte counters and restore them after a reboot. Or, there is probably is a better way to do it altogether, but I don't know any such method so I will just show you what I know.

If you know of a better way to do this then get in touch with me by email and let me know your method so I can update this page.

In this example, I will add firewall rules to limit the data transferred on each port. I will add a data limit of 50GB for port 443 and 10GB for each of the other ports I have set up.

Enter the following commands (using the port numbers which you have configured with the data limit in bytes that you want to set).

sudo iptables -I OUTPUT -p tcp --sport 443 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 443 -m quota --quota 50000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 1194 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 1194 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 8000 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 8000 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 8383 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 8383 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 8384 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 8384 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3000 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3000 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3001 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3001 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3002 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3002 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3003 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3003 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3004 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3004 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3005 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3005 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3006 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3006 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3007 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3007 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3008 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3008 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3009 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3009 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3010 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3010 -m quota --quota 10000000000 -j ACCEPT

To check the firewall rules and how much data has been used by each user/port, enter this command.

Note - Adjust the width of the Putty or terminal window before entering this command because the default width is not enough to show the output correctly.

sudo iptables -nvL -t filter --line-numbers

Use the scrollbar on the right of the Putty windows to scroll up and see the OUTPUT chain.

In this example, I have added 32 new firewall rules to the top of the OUTPUT chain. The output of the OUTPUT chain of the above command should look like this (2 rules for each port).
iptables output chain with byte counters
Make note of the first column (chain number) for each line. The chain number will be used in some of the commands below.

As you can see, I have used 24MB of data on port 3000 and 56MB of data on port 443 since adding these firewall rules. Once the quota has been used up (50GB for port 443, 10GB for all other ports in my example) for a specific port, then the proxy will stop working for the user/users of that port (until you reset the counter or reboot the server).
To clear the data counters for all users/ports, enter this command.

sudo iptables -Z OUTPUT

To clear the counter for a specific user, enter this command.

sudo iptables -Z OUTPUT #chain number

#chain number = The number shown first column when you use the "sudo iptables -nvL -t filter --line-numbers" command shown above.

For example, to clear the byte counter for port 443, this is the command.

sudo iptables -Z OUTPUT 31

Now the data counter for port 443 has been reset to 0.

To delete the firewall rules for a specific port, first note the 2 chain numbers related to port you want to delete. For example, to remove the data limit for port 3000, we need to delete chain numbers 21-22.

sudo iptables -D OUTPUT 21
sudo iptables -D OUTPUT 21

Note - The above commands are not a mistake, you enter the same command twice. After you delete chain #21 then all of the chains below it will shift up. Chain #22 becomes chain #21, #23 becomes #22, so on and so fourth.

To make these firewall rules persistent after a reboot, use the following commands.

Note - The data counters will still be reset to zero after a reboot, only the rules themselves will be persistent.

sudo apt-get install iptables-persistent
sudo invoke-rc.d iptables-persistent save

1/Post a Comment/Comments

  1. Note temporary soldout pa $2.50/month ang na avail ko po dito ay $5.00/month


Post a comment

Previous Post Next Post