Briefly about Shadowsocks, or why not every home needs OpenVPN

These days, when all sorts of bad actors are trying to get into your traffic and do something nasty with it, encrypting traffic has become fashionable. The idea is good and useful, but it is often done with far more machinery than the job needs. If encrypting traffic to a trusted server, such as your own VPS, is your only goal, then OpenVPN is overkill. It takes a long time to set up, it is easy to detect, and, most importantly, it has pitfalls: if you don't know them you can end up with the VPN running while your traffic goes around it. All this is because OpenVPN was conceived as a means of reaching a small private network over the Internet, not as a way of reaching the whole Internet.
 
There are clients for everything, and I'm not afraid of that big word. The client configuration is the same five lines everywhere.
 
The client does not need admin rights to work: it is an ordinary user-space program that opens a local SOCKS proxy, not a virtual network adapter. It can even be installed from pip. So any programmer can connect from work.
 
It is easy to configure access at the level of individual programs, and in the browser, with add-ons such as FoxyProxy or SwitchyOmega, at the level of individual addresses with complex rules. With a VPN you can achieve this only by running a local proxy on every client.
 
Unlike a VPN, which on most systems is implemented as a virtual network card, the Shadowsocks client does not disappear when the connection breaks, so your traffic will not silently start going out unprotected. Moreover, even if the Shadowsocks application itself crashes, programs will not fall back to direct access unless they were configured for it: a program pointed at 127.0.0.1:1080 simply gets a connection refused. With a VPN you have to implement a kill switch, and kill switches, especially on Windows, are unreliable and have side effects.
 
Compared with an SSH tunnel: much higher bandwidth, and it supports thousands of clients with a pile of connections from each. An SSH tunnel under, say, torrents is painfully sad; besides, small network glitches noticeably cut its speed, because SSH multiplexes everything over one TCP connection and one lost packet stalls every forwarded stream. Shadowsocks, which relays each client connection separately, doesn't care.
 
It sends less housekeeping traffic per connection, which is kind to the batteries of mobile devices.
 
There are exotic versions of the server written as libraries for various languages. That is, you can embed a server in your own program to encrypt its access for your clients.
 
Clients are configured graphically. You can generate a QR code which, when scanned, configures the mobile and Windows clients by itself. Configure one Windows client, generate the code, and twenty phones are done in a minute. You can put it on a website or hang it on the wall. Keep in mind that the code is simply an ss:// URL with the server address, method and password inside it, so anyone who can scan it can use your server.
 
 

Disadvantages of Shadowsocks


 
 
Unlike OpenVPN, it has not passed a formal audit. Plenty of people have looked through it, the code being open and small, but officially, no.
 
It does not separate users. You can teach it to listen on several ports with different passwords, but on one port there is one password. And since the key is derived from the password alone (the per-connection IV or salt goes over the wire in the clear), anyone who knows the password can decrypt any other subscriber's traffic on that port. Treat everyone sharing a port as one user.
 
It cannot forward a port in the opposite direction, so every client sits as if behind NAT. For that you will still have to use an SSH tunnel (ssh -R), if you can.
 
The Android client keeps two (!) non-dismissable notifications. If you don't hide them, it is really annoying.
 
There are a couple of stubborn programs for Windows that refuse to go through Shadowsocks, because they cannot be configured to. Alas, an author can open a connection in a way that ignores the proxy settings, and some do exactly that when checking software licences. Below I'll describe a trick for recognising these programs.
 
Connection latency is higher than with OpenVPN: every new client connection means a fresh TCP handshake to the server. Not by much, and you can hide it, but still.
 
It cannot compress traffic. In the age of HTTPS this doesn't matter, but for, say, uncompressed text files or raw Ubuntu images there is a difference.
 
The documentation was written by Chinese developers in Chinese English, with a pile of missing items and mutual contradictions.
 
 
Configuring the Shadowsocks server. Method 1

 
We write the config. Here is an example of a complete working config (replace the server address with your own).
 
 
    {
        "server": "YOUR_SERVER_IP",
        "server_port": 8390,
        "local_port": 1080,
        "password": "buratino.ty.sam.sebe.vragg",
        "timeout": 60,
        "method": "aes-256-cfb",
        "fast_open": true
    }

 
This is the config for both the server and the client. We have: the server address and port (it can even be 80); the port on which the client accepts connections (better not to touch it); the plain-text password; and the time in seconds after which the server closes an idle channel. The last two fields deserve more detail.
 
 
Shadowsocks offers a range of encryption methods, but only a few are worth using. chacha20-ietf-poly1305 combines Daniel J. Bernstein's ChaCha20 and Poly1305 in the IETF variant that Google pushed into TLS for its own needs. It is good for devices without hardware AES, which means cheap phones and other smart hardware, and for the paranoid who fear backdoors in the processor. Everyone else can use AES. One caveat: aes-256-cfb and the other stream methods only encrypt, they do not authenticate, and upstream has since deprecated them because of active attacks on unauthenticated streams. If your clients support it, put aes-256-gcm (or chacha20-ietf-poly1305) in the config above instead of aes-256-cfb; every current client and server has these AEAD methods. Both cipher families themselves are reliable and time-tested.
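An added example, not code from this article or from the Shadowsocks project, that shows where the "one password per port" limitation from the disadvantages list comes from. It reimplements the two key-derivation steps in pure Python: the master key is EVP_BytesToKey (MD5, no salt) of the password, which the stream methods such as aes-256-cfb use directly, and the AEAD methods derive a per-connection subkey as HKDF-SHA1(master key, salt, "ss-subkey"), where the salt is the first bytes of every connection and travels in the clear. The password, the random salts and the two "subscribers" are constructed for the example.

```python
import hashlib
import hmac
import os


def evp_bytes_to_key(password: bytes, key_len: int) -> bytes:
    """Shadowsocks master key: OpenSSL EVP_BytesToKey with MD5, no salt, one
    iteration. D1 = MD5(password), Di = MD5(D(i-1) || password),
    key = D1 || D2 || ... truncated to key_len. The stream methods
    (aes-256-cfb etc.) use this key directly; nothing in it is per-user
    or per-session."""
    key = b""
    block = b""
    while len(key) < key_len:
        block = hashlib.md5(block + password).digest()
        key += block
    return key[:key_len]


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step with SHA-1: PRK = HMAC-SHA1(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha1).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step with SHA-1: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha1).digest()
        okm += block
        counter += 1
    return okm[:length]


def aead_session_subkey(password: bytes, salt: bytes, key_len: int = 32) -> bytes:
    """Per-connection key for chacha20-ietf-poly1305 / aes-256-gcm:
    HKDF-SHA1(master_key, salt, "ss-subkey"). The salt is the first key_len
    bytes on the wire, unencrypted, so any observer knows it."""
    master = evp_bytes_to_key(password, key_len)
    return hkdf_expand(hkdf_extract(salt, master), b"ss-subkey", key_len)


def shared_port_demo(password: bytes) -> dict:
    """Two subscribers of one port open connections with fresh random salts
    (constructed here); a third party who also knows the port password reads
    the salts off the wire and recovers both session keys."""
    salt_a = os.urandom(32)   # sent in the clear by subscriber A's client
    salt_b = os.urandom(32)   # sent in the clear by subscriber B's client
    key_a = aead_session_subkey(password, salt_a)
    key_b = aead_session_subkey(password, salt_b)
    # The observer needs nothing but the shared password and the captured salt.
    eve_key_a = aead_session_subkey(password, salt_a)
    eve_key_b = aead_session_subkey(password, salt_b)
    return {
        "keys_differ_per_session": key_a != key_b,
        "observer_recovers_a": eve_key_a == key_a,
        "observer_recovers_b": eve_key_b == key_b,
    }


if __name__ == "__main__":
    print(shared_port_demo(b"buratino.ty.sam.sebe.vragg"))
```

The salt only makes each session's key different; it does not hide anything from someone who has the password, which is why a separate port and password per person is the only real separation Shadowsocks offers.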
 
 
The fast_open setting (TCP Fast Open) reduces connection latency, but requires a kernel no older than 3.7. Even then it does not always work: in particular, it doesn't work if your virtual machine is OpenVZ, and it didn't start on Scaleway ARM boxes either. In short, turn it on if it works.
 
 
Now that the config is ready, install the package. Here we must clarify that there are two versions: plain shadowsocks, the reference implementation written in Python, and shadowsocks-libev, the same thing rewritten in pure C for speed. We install the latter. On recent Linux distributions it is in the main repository; for older ones, see here.
 
 
Then run: ss-server -c config.conf. Everything should work. Don't forget the firewall (open the server port for TCP, and for UDP too if you start the server with -u to enable UDP relay) and autorun (the Debian/Ubuntu package ships a shadowsocks-libev systemd unit that reads /etc/shadowsocks-libev/config.json). I won't write about Linux administration here, so if something doesn't work, go to method 2.
 
 
Method 2

 
Install Docker and docker-compose (on Debian and Ubuntu the package is called docker.io; the package named plain docker is something else entirely):
 
 
    apt install docker.io docker-compose

 
Next, in a file that must be called docker-compose.yml, we write the following configuration:
 
 
    version: '3'
    services:
      shadowsocks:
        image: shadowsocks/shadowsocks-libev:latest
        environment:
          - TZ=Europe/Moscow
          - SERVER_PORT=8390
          - PASSWORD=buratino.ty.sam.sebe.vragg
          - METHOD=aes-256-cfb
          - ARGS=--fast-open
        ports:
          - "8390:8390"
          - "8390:8390/udp"
        restart: unless-stopped

 
Pay attention to the indentation; it matters. The image listens on port 8388 by default, so either set SERVER_PORT=8390 in the environment or publish "8390:8388"; otherwise the port mapping points at nothing. The UDP mapping only does something if you also add -u to ARGS to enable UDP relay. If you want, you can run several servers on different ports with different passwords: just duplicate the whole shadowsocks block under different names. When the config is ready, in the same folder we run
 
 
    docker-compose up -d  
 
and it all happens. Docker will even, unasked, punch a hole in the firewall for each published port, the pest: it writes its own iptables rules, bypassing ufw.
 
 
Configuring the clients

 
Here everything is simpler. Go to the site, download the right client, and configure it in the interface. For Linux folks there is of course a console daemon, ss-local, that eats the config from method 1.
 
 
After configuring the client you will have a SOCKS5 proxy on port 1080, which by default is not reachable from outside. You can open it up if you are on a friendly LAN. It is important to understand that programs will not find their way there by themselves. You need to set the system proxy (if you want all programs to go through SOCKS) or configure each program individually, and preferably both; it doesn't hurt.

On Windows 10 there is a Network & Internet → Proxy item in the settings. Enter the proxy address 127.0.0.1 and the configured port (1080), and in the exceptions: the local network (usually 192.168.1.0/24, but check yours) and the address of your own server. If you use the Windows Subsystem for Linux, this setting does not apply to it; there you have to export the proxy environment variables, for instance ALL_PROXY=socks5h://127.0.0.1:1080 (the h in socks5h makes name resolution go through the proxy as well). Full-featured Linux desktops have similar settings in the control panel.

For browsers I recommend add-ons like FoxyProxy (Firefox) and SwitchyOmega (Chrome) for fine-grained control over which sites go through the proxy and which go direct. In particular, direct access should be configured for your ISP's resources and, possibly, for your bank. I also recommend not surprising Mosenergosbyt with bills from abroad; they are jumpy enough as it is. PayPal, oddly enough, doesn't care. Don't forget to tick "DNS through proxy" (remote DNS resolution) or make sure it is on by default; otherwise every host name you visit is resolved through your ISP's resolver in the clear, even though the connection itself goes through the tunnel.
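An added example, not from this article or the Shadowsocks project, of what "DNS through proxy" means on the wire. It builds the SOCKS5 CONNECT request a program sends to ss-local on 127.0.0.1:1080 and parses the address field, which uses the same ATYP | address | port layout that ss-local then encrypts and forwards to the server as the target header. The host names and ports are made up for the example.

```python
import ipaddress
import struct
from typing import Tuple

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def socks5_greeting() -> bytes:
    """Client hello to ss-local: version 5, one auth method offered, 0x00 (none).
    ss-local answers 05 00."""
    return bytes([SOCKS_VER, 0x01, 0x00])


def encode_address(host: str, port: int) -> bytes:
    """ATYP | address | port (big-endian). This is the SOCKS5 destination field
    and also the target header ss-local encrypts and sends to ss-server."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("host name too long for SOCKS5")
        return bytes([ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([atyp]) + ip.packed + struct.pack("!H", port)


def socks5_connect(host: str, port: int) -> bytes:
    """VER CMD RSV ATYP ...: the CONNECT request. Passing the name rather than
    an address you resolved yourself lets the far end resolve it; that is what
    "DNS through proxy" or a socks5h:// URL means."""
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + encode_address(host, port)


def decode_address(buf: bytes, offset: int = 0) -> Tuple[str, int, int]:
    """Parse ATYP | address | port at offset; return (host, port, bytes consumed)."""
    atyp = buf[offset]
    if atyp == ATYP_IPV4:
        host, n = str(ipaddress.IPv4Address(buf[offset + 1:offset + 5])), 5
    elif atyp == ATYP_DOMAIN:
        ln = buf[offset + 1]
        host, n = buf[offset + 2:offset + 2 + ln].decode("idna"), 2 + ln
    elif atyp == ATYP_IPV6:
        host, n = str(ipaddress.IPv6Address(buf[offset + 1:offset + 17])), 17
    else:
        raise ValueError("unknown ATYP 0x%02x" % atyp)
    (port,) = struct.unpack("!H", buf[offset + n:offset + n + 2])
    return host, port, n + 2


def leaks_dns(connect_request: bytes) -> bool:
    """True if the client already resolved the name itself (ATYP 1 or 4): the
    DNS query then went out directly to the ISP resolver, not through the tunnel."""
    return connect_request[3] in (ATYP_IPV4, ATYP_IPV6)


if __name__ == "__main__":
    req = socks5_connect("duckduckgo.com", 443)
    print(req.hex(), decode_address(req, 3), "leaks DNS:", leaks_dns(req))
```

A program that hands ss-local a ready IP address (ATYP 1) has already asked the ISP's resolver for it; the "DNS through proxy" box in browser add-ons, and socks5h in curl-style proxy URLs, is what makes them send the name (ATYP 3) instead.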
 
 
Checking that it works

 
At this stage everything should work. Two tests are needed. First, in a browser, preferably some throwaway one rather than your main one, go to https://duckduckgo.com/ and search for my ip. The address shown must be the server's. Then enter a wrong password in the client settings and make sure that all programs have stopped working. This tests that no program sneaks around the proxy.
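An added example (not from this article) of the "recognise the programs that sneak around the proxy" trick done systematically rather than by the wrong-password test alone: it goes over the established TCP connections on the client machine and flags every one that is neither to the local SOCKS port, nor from ss-local to the server, nor to a bypass network. The ss -tnp output below is constructed for the example; the server address 203.0.113.10:8390 and the LAN range are assumptions, so substitute your own.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample, not real output, in the layout of `ss -tnp` on Linux
# (netstat -ano / Get-NetTCPConnection on Windows carry the same facts).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port     Peer Address:Port    Process
ESTAB  0      0      127.0.0.1:49810        127.0.0.1:1080       users:(("firefox",pid=2301,fd=88))
ESTAB  0      0      192.168.1.10:51234     203.0.113.10:8390    users:(("ss-local",pid=2200,fd=7))
ESTAB  0      0      192.168.1.10:41000     192.168.1.1:445      users:(("smbclient",pid=700,fd=5))
ESTAB  0      0      192.168.1.10:52344     93.184.216.34:443    users:(("licensed-app",pid=4412,fd=12))
ESTAB  0      0      [::1]:40002            [::1]:1080           users:(("curl",pid=5100,fd=3))
"""

LOCAL_PROXY_PORT = 1080                                   # ss-local's SOCKS port
SS_SERVER = ("203.0.113.10", 8390)                        # assumed server address
PROXY_PROCESSES = {"ss-local", "ss-redir", "sslocal"}     # the tunnel itself
BYPASS_NETS = [ipaddress.ip_network("192.168.1.0/24")]   # assumed LAN, allowed direct

LINE_RE = re.compile(
    r'^ESTAB\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+users:\(\("([^"]+)",pid=(\d+)'
)


def split_hostport(s: str) -> Tuple[str, int]:
    """'93.184.216.34:443' or '[::1]:1080' -> (host, port)."""
    host, port = s.rsplit(":", 1)
    return host.strip("[]"), int(port)


def is_expected(proc: str, peer_host: str, peer_port: int) -> bool:
    """A connection is fine if it goes into the local SOCKS port, or is ss-local
    talking to the server, or targets a network we deliberately bypass."""
    peer = ipaddress.ip_address(peer_host)
    if peer.is_loopback and peer_port == LOCAL_PROXY_PORT:
        return True
    if proc in PROXY_PROCESSES and (peer_host, peer_port) == SS_SERVER:
        return True
    return any(peer in net for net in BYPASS_NETS)


def find_leaks(ss_output: str) -> List[Tuple[str, int, str, int]]:
    """Return (process, pid, peer host, peer port) for every established
    connection that is neither via the proxy nor on the bypass list."""
    leaks = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peer_host, peer_port = split_hostport(m.group(2))
        proc, pid = m.group(3), int(m.group(4))
        if not is_expected(proc, peer_host, peer_port):
            leaks.append((proc, pid, peer_host, peer_port))
    return leaks


if __name__ == "__main__":
    for proc, pid, host, port in find_leaks(SAMPLE_SS_OUTPUT):
        print(f"{proc} (pid {pid}) talks to {host}:{port} directly, bypassing the proxy")
```

ss -p only shows process names for your own processes; run it as root to see everyone's. The wrong-password test from the text makes the same distinction dynamically: whatever still works while the password is wrong belongs on this list.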
 
 
Additions

 
I'll tell you about some add-ons to Shadowsocks, but I won't go into configuring them. Ask if you need to.
 
 
Polipo. Some ancient or stubborn programs don't know SOCKS but can do HTTP_PROXY. In particular, the official Twitter client for Android still can't use Shadowsocks if it is installed not on the phone but, say, on the router. In that case you can install the HTTP proxy Polipo and in its settings point it at Shadowsocks as its upstream SOCKS parent. All the HTTP proxies have been abandoned for lack of demand, but Polipo still works without problems.
 
 
Obfs plugin. Wraps Shadowsocks traffic so that it looks like clean, unremarkable TLS, and puts it on port 443. This is for the case when someone already has a whitelist of protocols. Keep in mind that it only imitates the look of a TLS session; it adds no encryption of its own.
 
 
KCPTUN. KCP is a reliable transport on top of UDP for very poor networks with heavy loss, such as a cellular modem at the edge of coverage or a tropospheric scatter link. It trades extra bandwidth for lower latency than TCP on such links, and kcptun is a very convenient way to wrap Shadowsocks traffic in KCP.
 
 
It would also be nice to set up fail2ban to discourage brute-force attempts on the server (it won't help against a real DDoS). But if you don't offend students, who is going to brute-force you? Set a stronger password instead; thanks to the QR code you don't even have to type it into the phone once, so there is nothing to worry about. My real password is 40 random characters.
 
 
That's all!