Set up Shadowsocks server on Raspberry Pi

By QuLk @ 2018.7.12

Refer:
https://medium.freecodecamp.org/running-your-own-openvpn-server-on-a-raspberry-pi-8b78043ccdea
https://www.reddit.com/r/China/comments/8hp0kr/shadowsocks_server_on_raspberry_pi/
https://www.linuxbabe.com/linux-server/setup-your-own-shadowsocks-server-on-debian-ubuntu-centos

This article uses RASPBERRY PI 3 MODEL B, OS version: Raspbian GNU/Linux 9 (stretch).

There are four main sections in this article:

  1. Preparing
  2. Installing Shadowsocks
  3. Port forwarding
  4. Set up dynamic DNS

1. Preparing

1.1 Buy Raspberry Pi

Buy Raspberry Pi 3 Model B from https://www.raspberrypi.org/products/

1.2 Download NOOBS

Download NOOBS to laptop from https://www.raspberrypi.org/downloads/

1.3 Install Raspbian on Raspberry Pi

Follow the software setup guide and NOOBS setup guide video to install Raspbian on Raspberry Pi 3 Model B via SD card.

Or follow the instructions here: Install Raspbian on a Raspberry Pi 3

1.4 Make sure the Pi connects to your Wi-Fi

1.5 Set up static IP

I’ve configured my Pi so that it always uses a static IP address.
Here I refer to this link to set up the Raspberry Pi with a static IP address:
https://www.raspberrypi.org/learning/networking-lessons/rpi-static-ip-address/

Use the ifconfig command or the ip command to check the local IP.
For example:

$ ip -4 addr show | grep global
    inet 192.168.0.20/24 brd 192.168.0.255 scope global wlan0
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0

192.168.0.20 is the Pi's IP.

Use "traceroute google.com" to check the router's IP.
For example:

$ traceroute google.com
traceroute to google.com (172.217.1.46), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  1.517 ms  4.608 ms  4.773 ms
 2  96.120.42.9 (96.120.42.9)  13.754 ms  19.660 ms  19.415 ms

192.168.0.1 is the router's internal IP.

Edit dhcpcd.conf:

$ sudo vi /etc/dhcpcd.conf

Add the following 4 lines to the bottom of dhcpcd.conf:

interface wlan0
static ip_address=<Pi's ip>/24
static routers=<router's ip>
static domain_name_servers=<router's ip> 8.8.8.8


For example:

interface wlan0
static ip_address=192.168.0.20/24
static routers=192.168.0.1
static domain_name_servers=192.168.0.1 8.8.8.8

2. Installing Shadowsocks

2.1 Update local package index

$ sudo apt-get update

2.2 Install shadowsocks

Search for shadowsocks via Start -> Preferences -> Add/Remove Software and install it.
I selected shadowsocks-2.9.0-2 to install.

2.3 Edit config.json

There is a template in the file config.json. You need to modify it according to your server IP, server port, and password for Shadowsocks.

Example:

$ sudo vi /etc/shadowsocks/config.json

Modify the template as follows:

{
    "server":"192.168.0.20",
    "server_port":8388,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"abcdefg",
    "timeout":300,
    "method":"aes-256-cfb",
    "fast_open": false,
    "workers": 1,
    "prefer_ipv6": false
}

2.4 Start the Shadowsocks server

To start it:

$ sudo ssserver -c /etc/shadowsocks/config.json -d start

To stop it:

$ sudo ssserver -d stop

To restart it:

$ sudo ssserver -c /etc/shadowsocks/config.json -d restart

To see the activity of the Shadowsocks server:

$ tail /var/log/shadowsocks.log

2.5 Auto start on system boot

Edit .profile:

$ vi ~/.profile

Add the start server command to the bottom of .profile:

sudo ssserver -c /etc/shadowsocks/config.json -d start

3. Port forwarding

I use a NetGear router. It supports port forwarding.

Refer:
http://www.noip.com/support/knowledgebase/setting-port-forwarding-netgear-router-genie-firmware/
https://kb.netgear.com/24290/How-do-I-add-a-custom-port-forwarding-service-on-my-Nighthawk-router

To set up port forwarding on your router, check your router's help to see whether it supports port forwarding and how to configure it.

Service name 2 below is the one I use for Shadowsocks on my NetGear router.

| Service Name | External Port | External IP Address | Internal Port | Internal IP Address |
|--------------|---------------|---------------------|---------------|---------------------|
| 2            | TCP: 8388     | Any                 | TCP: 8388     | 192.168.0.20        |

4. Set up dynamic DNS

4.1 Check your router Internet IP

To find your router's Internet IP, you can go to this website:
https://whatismyipaddress.com/

You will see your IP address on the webpage.

4.2 Create a free account at www.noip.com

NetGear router users refer: https://kb.netgear.com/23859/How-to-create-a-No-IP-Dynamic-DNS-Account

Host name: the domain name, something like my.noip.com.
IP/Target: your router's Internet IP, provided by your Internet provider, such as Comcast, AT&T, etc. Use the IPv4 address for IP/Target. By default, noip.com fills in your router's current Internet IP when you create a new account, but you need to update it every 30 days.

4.3 Set up dynamic DNS in your router

NetGear router users refer: https://kb.netgear.com/23930/How-to-setup-Dynamic-DNS-on-a-NETGEAR-router-using-www-no-ip-com
Users of other routers need to search their router's help on this topic.

Example for NetGear router users:

  1. Type http://www.routerlogin.net or http://www.routerlogin.com in your browser.
  2. A login screen displays.
  3. Enter the router user name and password.
  4. The user name is admin. The default password is password. The user name and password are case-sensitive.
  5. The BASIC Home screen displays.
  6. Click the ADVANCED tab.
  7. Select Advanced Setup > Dynamic DNS
  8. Enable the Use a Dynamic DNS Service tick box, and then choose the 'Service Provider' as www.no-ip.com
  9. Enter the Host name, Username and password for No-IP. Please note your No-IP account must already be created and registered.

Host name is the one you created at www.noip.com.
User name is your account name at www.noip.com.
Password is your account password at www.noip.com.


You are all set. Enjoy Shadowsocks!

Note:
Somehow, after restarting the Raspberry Pi, port 8388 is not released, based on tail /var/log/shadowsocks.log. It says:

socket.error: [errno 98] Address already in use.

And Shadowsocks seems not to have started (not sure; someone says they cannot connect to the Shadowsocks server in China, but another can in the USA). In this case, you need to release the port and start the Shadowsocks server manually:

sudo fuser 8388/tcp
sudo netstat -anp | grep 8388
sudo fuser -k 8388/tcp
sudo ssserver -c /etc/shadowsocks/config.json -d start

Use "sudo fuser 8388/tcp" to see whether port 8388 is occupied by any PID. Or use "sudo netstat -anp | grep 8388" to see whether port 8388 is occupied by any PID and which program occupies it.
Use "sudo fuser -k 8388/tcp" to kill any PID that occupies port 8388.

fortuna commented Jul 13, 2020

Do not use the aes-256-cfb cipher. That's insecure and will get your server quickly blocked. You must use one of the AEAD ciphers instead: https://shadowsocks.org/en/spec/AEAD-Ciphers.html

I recommend chacha20-ietf-poly1305, which is designed for performance on devices without AES acceleration: https://tools.ietf.org/html/rfc7539

Also: generate a long, random password. You can use tools like LastPass for that.
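
An added example (not part of the gist or of the comment above): a small Python check that applies this advice to the config.json from section 2.3, flagging a non-AEAD method and a short password, and generating a random replacement. The 128-bit threshold and the function names are assumptions of this example, and whether the installed Shadowsocks package accepts an AEAD method has to be checked separately.

```python
import base64
import json
import math
import os

# AEAD methods named in the Shadowsocks AEAD spec linked in the comment above.
AEAD_METHODS = {"chacha20-ietf-poly1305", "aes-256-gcm", "aes-128-gcm"}
MIN_PASSWORD_BITS = 128  # assumed threshold for this example

# Constructed input: the config from section 2.3, reduced to the audited keys.
PAGE_CONFIG = """{
    "server": "192.168.0.20", "server_port": 8388,
    "password": "abcdefg", "method": "aes-256-cfb"
}"""


def estimate_bits(password):
    """Upper bound on entropy from length and the character classes used."""
    classes = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33))
    pool = sum(n for test, n in classes if any(map(test, password)))
    return len(password) * math.log2(pool) if pool else 0.0


def audit_config(text):
    """Return a list of findings for a Shadowsocks config.json given as text."""
    cfg = json.loads(text)
    findings = []
    method = str(cfg.get("method", "")).lower()
    if method not in AEAD_METHODS:
        findings.append("method %r is not an AEAD cipher" % method)
    bits = estimate_bits(str(cfg.get("password", "")))
    if bits < MIN_PASSWORD_BITS:
        findings.append("password has at most %d bits of entropy" % bits)
    return findings


def new_password(nbytes=32):
    """Random password from the OS CSPRNG, URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(os.urandom(nbytes)).rstrip(b"=").decode()


if __name__ == "__main__":
    for finding in audit_config(PAGE_CONFIG):
        print("FINDING:", finding)
    fixed = dict(json.loads(PAGE_CONFIG),
                 method="chacha20-ietf-poly1305", password=new_password())
    print("after fix:", audit_config(json.dumps(fixed)))
```

The entropy figure is an upper bound based on character classes only, so a long dictionary phrase can pass it; a password produced by new_password() does not have that problem.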

andrew-celine commented Jul 10, 2023

Can confirm the GFW blocks chacha20-ietf-poly1305 connections in a matter of days. Better use the newly supported v2ray/Project V protocol as it adds obfuscation too.