
Shadowsocks: a handy tool for getting over the firewall!

  • Author: 看不见我
  • Category: Service
  • Published: 2018-03-10 16:45
  • Updated: 2019-09-22 12:17

shadowsocks (ss)

  • Official site: shadowsocks.org
  • github: https://github.com/shadowsocks
  • wiki: https://github.com/shadowsocks/shadowsocks/wiki
  • How the GFW works: http://blog.neargle.com/SecNewsBak/drops/%E7%BF%BB%E5%A2%99%E8%B7%AF%E7%94%B1%E5%99%A8%E7%9A%84%E5%8E%9F%E7%90%86%E4%B8%8E%E5%AE%9E%E7%8E%B0%20.html

Server setup (Server)

https://shadowsocks.org/en/download/servers.html

Installation:

Ubuntu dependencies

# Install libsodium for advanced encryption support (chacha20-ietf-poly1305)
sudo apt install libsodium-dev

# Another way to install chacha20-ietf-poly1305 support:
# (Ubuntu)https://linuxssh.com/ubuntu-anzhuang-chacha20-ietf-poly1305-jiami-shadowsocks/
# Ubuntu 17.04 and 17.10 ship Shadowsocks-libev, which can be installed directly.
#sudo apt install shadowsocks-libev

CentOS dependencies

# Install libsodium for advanced encryption support (chacha20-ietf-poly1305). Note: install shadowsocks version 3.0 (from GitHub)
# yum repos:
#   wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo # epel(RHEL 7)
#   wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo # epel(RHEL 6)
yum install libsodium -y  # for yum-based installs


# Below is another way to install the encryption support (chacha20-ietf-poly1305):
# (Centos)https://linuxssh.com/cntos7-anzhuang-chacha20-ietf-poly1305-shadowsocks/
# YUM repo: https://copr.fedorainfracloud.org/coprs/librehat/shadowsocks/
#cd /etc/yum.repos.d/
##curl -O https://copr.fedorainfracloud.org/coprs/librehat/shadowsocks/repo/epel-6/librehat-shadowsocks-epel-6.repo
#curl -O https://copr.fedorainfracloud.org/coprs/librehat/shadowsocks/repo/epel-7/librehat-shadowsocks-epel-7.repo
#yum install -y shadowsocks-libev

Installing shadowsocks

# Requires Python 2.6 or 2.7+
# https://www.python.org/downloads/
# Install from PyPI:
#pip install shadowsocks
pip install git+https://github.com/shadowsocks/shadowsocks.git@master

# or
# Install from GitHub:
git clone https://github.com/shadowsocks/shadowsocks.git
cd shadowsocks
git checkout master
python setup.py build
python setup.py install

Starting the service:

ssserver configuration options

  • server: your hostname or server IP (IPv4/IPv6).
  • server_port: server port number.
  • local_port: local port number.
  • password: a password used to encrypt transfer.
  • timeout: connections timeout in seconds.
  • method: encryption method.
    • chacha20-ietf-poly1305 (shadowsocks 3.0.0+)
    • aes-256-gcm (shadowsocks 3.0.0+)
    • aes-256-cfb

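# About the ss encryption methods: https://blog.csdn.net/Bleachswh/article/details/78079185
# In summary:
#   AES balances efficiency and security. On machines with the AES instruction set it is faster than XCHACHA20. Recommended: sodium:aes-256-gcm
#   XCHACHA20 balances efficiency and security. On machines without the AES instruction set it is faster than AES. Recommended: xchacha20-ietf-poly1305

# Check whether the machine's CPU has the AES instruction set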
grep --color aes /proc/cpuinfo && echo '此设备CPU有AES指令集'

Starting the ssserver service

# Start the service directly with command-line options
# (a password given with -k is visible to other local users in the process list; the configuration-file form below avoids that):
nohup ssserver -s 0.0.0.0 -p 1111 -k "z7T0XRpassword" -m chacha20-ietf-poly1305 -t 600 </dev/null &>/tmp/ssserver.log &


# Or start the service with a configuration file:
nohup ssserver -c /path/to/ssserver.json </dev/null &>/tmp/ssserver.log &


# To run in the background
#   default PID file: --pid-file /var/run/shadowsocks.pid
#   default log file: --log-file /var/log/shadowsocks.log
ssserver -s 0.0.0.0 -p 1111 -k z7T0XRpassword -m chacha20-ietf-poly1305 -t 600 --fast-open --user nobody --pid-file /var/run/shadowsocks.pid --log-file /dev/null -d start
# To stop the daemon, kill its process ID directly, or use -d stop:
# ssserver [--pid-file /var/run/shadowsocks.pid] -d stop
ssserver -d stop

ssserver.json:

{
    "server": "0.0.0.0",
    "server_port": 1111,
    "password":"z7T0XRpassword",
    "timeout": 60,
    "method":"chacha20-ietf-poly1305",
    "fast_open": false,
    "user": "nobody",
    "PID_FILE": "/var/run/shadowsocks_ssserver.pid",
    "LOG_FILE": "/var/run/shadowsocks_ssserver.log"
}
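
An added example (not from the original article or the shadowsocks project): a Python script that writes an ssserver.json like the one above with a randomly generated password, picks the method from the CPU flags following the cipher notes earlier in this section, and creates the file with mode 0600. The function names, the output path and the sample cpuinfo text are assumptions made for illustration.

```python
import json
import os
import secrets

# Constructed /proc/cpuinfo excerpts (not captured from real machines).
SAMPLE_WITH_AES = "processor\t: 0\nflags\t\t: fpu sse2 ssse3 aes avx\n"
SAMPLE_NO_AES = "processor\t: 0\nFeatures\t: half thumb fastmult vfp edsp neon\n"


def pick_method(cpuinfo_text):
    """Apply the page's rule of thumb: AES-GCM when the CPU has AES
    instructions, ChaCha20-Poly1305 otherwise. Flags are compared as whole
    words, so a flag that merely contains "aes" does not count."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        # x86 lists CPU flags under "flags", ARM under "Features".
        if key.strip() in ("flags", "Features") and "aes" in value.split():
            return "aes-256-gcm"
    return "chacha20-ietf-poly1305"


def write_server_config(path, cpuinfo_text, port=1111):
    """Write a server config with a fresh random password, readable only by
    the account that creates it. Keys mirror the page's ssserver.json."""
    config = {
        "server": "0.0.0.0",
        "server_port": port,
        "password": secrets.token_urlsafe(24),  # 24 random bytes, 32 characters
        "timeout": 60,
        "method": pick_method(cpuinfo_text),
        "fast_open": False,
        "user": "nobody",
    }
    # O_EXCL refuses to overwrite an existing file; 0600 keeps the password
    # away from other local accounts.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump(config, handle, indent=4)
    return config


if __name__ == "__main__":
    with open("/proc/cpuinfo") as cpuinfo:
        written = write_server_config("ssserver.json", cpuinfo.read())
    print("wrote ssserver.json using", written["method"])
```

Starting ssserver with -c and this file keeps the password out of the process list and out of shell history.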

Server parameter tuning

Step 1, increase the maximum number of open file descriptors

Edit the /etc/security/limits.conf file

echo '* soft nofile 51200' >> /etc/security/limits.conf
echo '* hard nofile 51200' >> /etc/security/limits.conf

Before starting ssserver, run ulimit -n 51200

Step 2, Tune the kernel parameters

Edit the kernel configuration file /etc/sysctl.conf

fs.file-max = 51200

net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 4096

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
# tcp_fastopen enables TCP Fast Open (abbreviated TFO)
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_congestion_control = hybla

Run sysctl -p to reload the kernel parameters.

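Enabling BBR

https://linuxssh.com/centos-qiyong-bbr/

# Download the automatic BBR install script and run it
# (--no-check-certificate turns off TLS certificate verification for the download; read bbr.sh before running it as root)
wget --no-check-certificate https://github.com/teddysun/across/raw/master/bbr.sh && chmod +x bbr.sh && ./bbr.sh

# After the kernel is upgraded and BBR is enabled, the script prompts for a reboot; enter y
# Once the reboot has finished, BBR is enabled.
# To check that it is enabled, run the following command; bbr in the returned value means it is on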
sysctl net.ipv4.tcp_available_congestion_control

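Client setup (Client)

https://shadowsocks.org/en/download/clients.html

(Linux|Windows|Mac OS X) command-line usage:

Installing the sslocal client tool

1. Installation is the same as for the server setup.

Client start commands

# Start directly with sslocal command-line options: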
nohup sslocal -s 48.48.48.48 -p 1111 -b 192.168.1.209 -l 1080 -k 'z7T0XRpassword' -m chacha20-ietf-poly1305 -t 600 --user nobody </dev/null &>/tmp/ssserver.log &


# Or specify a configuration file at startup:
sslocal -c /path/to/sslocal.json


# To run in the background
#   default PID file: --pid-file /var/run/shadowsocks.pid
#   default log file: --log-file /var/log/shadowsocks.log
sslocal -s 48.48.48.48 -p 1111 -b 192.168.1.209 -l 1080 -k 'z7T0XRpassword' -m chacha20-ietf-poly1305 -t 600 --fast-open --user nobody --pid-file /var/run/shadowsocks.pid --log-file /dev/null -d start
# To stop the daemon, kill its process ID directly, or use -d stop:
# sslocal [--pid-file /var/run/shadowsocks.pid] -d stop
sslocal -d stop

sslocal.json:

{
    "server": "48.38.87.48",
    "server_port": 1111,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"z7T0XRpassword",
    "timeout": 60,
    "method":"chacha20-ietf-poly1305",
    "fast_open": false,
    "user": "nobody",
    "PID_FILE": "/var/run/shadowsocks_sslocal.pid",
    "LOG_FILE": "/var/run/shadowsocks_sslocal.log"
}
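
An added example (not from the original article or the shadowsocks project): a small Python audit for the configurations and command lines shown on this page. It flags a non-AEAD method, a short password, a SOCKS5 listener bound to a non-loopback address, and a password passed with -k. The function names, the 16-character minimum and the finding texts are assumptions; the sample inputs are copied from the page's own examples.

```python
import ipaddress

# AEAD methods named on this page. Anything else (for example aes-256-cfb)
# is treated as a stream cipher, which gives the traffic no integrity check.
AEAD_METHODS = {"chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
                "aes-256-gcm", "sodium:aes-256-gcm"}
MIN_PASSWORD_LEN = 16  # assumed policy value, not a shadowsocks requirement


def audit_config(cfg):
    """Return a list of findings for an ssserver.json / sslocal.json dict."""
    findings = []
    if cfg.get("method") not in AEAD_METHODS:
        findings.append("method: not an AEAD cipher")
    if len(cfg.get("password", "")) < MIN_PASSWORD_LEN:
        findings.append("password: shorter than %d characters" % MIN_PASSWORD_LEN)
    local = cfg.get("local_address")
    if local is not None:
        try:
            loopback = ipaddress.ip_address(local).is_loopback
        except ValueError:
            loopback = local == "localhost"
        if not loopback:
            findings.append("local_address: SOCKS5 listener reachable from other hosts")
    return findings


def audit_argv(argv):
    """Audit an ssserver/sslocal command line given as a list of arguments."""
    flags = {"-m": "method", "-k": "password", "-b": "local_address"}
    cfg = {flags[opt]: val for opt, val in zip(argv, argv[1:]) if opt in flags}
    findings = audit_config(cfg)
    if "password" in cfg:
        findings.append("-k: password visible in the process list")
    return findings


# Inputs taken from the page's sslocal.json and its sslocal command line.
PAGE_JSON = {"server": "48.38.87.48", "server_port": 1111,
             "local_address": "127.0.0.1", "local_port": 1080,
             "password": "z7T0XRpassword", "method": "chacha20-ietf-poly1305"}
PAGE_ARGV = ["sslocal", "-s", "48.48.48.48", "-p", "1111", "-b", "192.168.1.209",
             "-l", "1080", "-k", "z7T0XRpassword", "-m", "chacha20-ietf-poly1305"]

if __name__ == "__main__":
    for name, result in (("sslocal.json", audit_config(PAGE_JSON)),
                         ("command line", audit_argv(PAGE_ARGV))):
        print(name, result)
```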

OpenWRT

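  • Full set of ss packages for OpenWrt: http://openwrt-dist.sourceforge.net/
  • Transparent proxying on OpenWrt/LEDE with ss+ChinaDNS+DNS-Forwarder: https://www.vpnto.net/posts/shadowsocks-openwrt/
  • Automatic firewall bypass on OpenWRT with Shadowsocks+ChinaDNS+dns-forwarder: https://cokebar.info/archives/664
  • A roaming guide to "scientific internet access" with ss: https://lvii.gitbooks.io/outman/content/

One-click install script for ss+chinaDNS+DNS-Forwarder

# The method this script uses comes from http://openwrt-dist.sourceforge.net/
# Do not install ShadowVPN any more (it is no longer useful)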
wget http://openwrt-dist.sourceforge.net/auto_install.sh
chmod +x auto_install.sh
./auto_install.sh

Android

Supported

iOS

Supported

Windows GUI Client

Linux

Making requests through the proxy client over SOCKS5

curl

curl 'https://www.google.com/' --socks5-hostname 127.0.0.1:1080
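
What --socks5-hostname changes on the wire, as an added example (not part of the original article): curl's --socks5 resolves the name locally and sends an IP address to the proxy, while --socks5-hostname sends the name itself so the lookup happens on the far side of the tunnel. The Python below builds the RFC 1928 CONNECT request for both cases; the function names and the sample address 93.184.216.34 are constructed for illustration.

```python
import ipaddress
import struct


def socks5_connect_request(host, port):
    """Build the SOCKS5 CONNECT request (RFC 1928, section 4) that a client
    sends to the local proxy after method negotiation."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("host name must be 1..255 bytes")
        # ATYP 0x03: length-prefixed domain name, resolved by the proxy side.
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        # ATYP 0x01 (IPv4) or 0x04 (IPv6): the address is already numeric.
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    # VER=5, CMD=1 (CONNECT), RSV=0, then address and port in network order.
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def who_resolves(request):
    """Tell from a CONNECT request where the DNS lookup takes place."""
    if request[:3] != b"\x05\x01\x00":
        raise ValueError("not a SOCKS5 CONNECT request")
    return "proxy" if request[3] == 0x03 else "client"


if __name__ == "__main__":
    # --socks5-hostname style: the name travels inside the tunnel.
    by_name = socks5_connect_request("www.google.com", 443)
    # --socks5 style: the client looked the name up first (constructed address).
    by_addr = socks5_connect_request("93.184.216.34", 443)
    for req in (by_name, by_addr):
        print(req.hex(), "-> DNS lookup done by", who_resolves(req))
```

The proxy_dns line in the proxychains configuration further down serves the same purpose for programs run under proxychains.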

Proxy extension SwitchyOmega (for Chromium & Firefox)

https://github.com/FelisCatus/SwitchyOmega/releases

Using the proxy from the terminal command line with proxychains

Installing proxychains

# On Debian/Ubuntu:
sudo apt install proxychains

Configuring proxychains

strict_chain
proxy_dns 
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
localnet 127.0.0.0/255.0.0.0
quiet_mode

[ProxyList]
socks5  127.0.0.1 1080

Using the proxychains proxy

# Run command with proxychains. Examples:
proxychains4 curl https://www.twitter.com/
proxychains4 git push origin master

# Or just proxify bash:
proxychains4 bash
curl https://www.twitter.com/
git push origin master
