8.2.11 Setting Up a VPN with Shadowsocks
Shadowsocks is a lightweight proxy VPN with encryption, designed to bypass firewalls and QoS restrictions. This article covers the installation and setup of shadowsocks-libev on Ubuntu 24.04, as well as client connection instructions.
Use cases
- Bypassing website and service blocks
- Eliminating high latency or limitations of PPTP/L2TP/OpenVPN
- Encrypting traffic without heavy TLS tunnels
Shadowsocks uses asynchronous I/O, encrypts streams with AEAD algorithms, and acts as a SOCKS5 proxy, making it faster than traditional VPN solutions.
Server Preparation
System requirements
- An ordered virtual server or dedicated server
- CPU: minimum 1 vCPU
- RAM: minimum 1 GB
- SSD: minimum 10 GB
- OS: Ubuntu 24.04 LTS
- Root or sudo access
- Open UDP/TCP port (default — 8388)
Before installation, make sure your system is up to date. The command below updates the package cache and installs the latest security and bug fixes:
sudo apt update && sudo apt upgrade -y
Installing shadowsocks-libev
The universe repository for Ubuntu 24.04 already contains an up-to-date shadowsocks-libev package, so no additional PPA is required. Run:
sudo apt install -y shadowsocks-libev
If your system reports the package not found, the universe repository is disabled. Activate it and repeat the installation:
sudo add-apt-repository universe && sudo apt update
Creating server configuration
By default, the service looks for settings in /etc/shadowsocks-libev. Let’s create the config.json file to specify listen address, port, password, and encryption method. All parameters can be changed later without reinstalling the application:
sudo nano /etc/shadowsocks-libev/config.json
{
    "server": "0.0.0.0",
    "server_port": 8388,
    "password": "password",
    "timeout": 60,
    "method": "aes-256-gcm",
    "fast_open": true
}
JSON has no comment syntax, so the parameters are described here rather than inside the file. server is the listen address (0.0.0.0 listens on all interfaces), server_port is the Shadowsocks port, and timeout is given in seconds.
- password — set a unique, long password, shared by all clients.
- method — use AEAD algorithms (e.g., aes-256-gcm), which authenticate the encrypted data, so tampering by a man-in-the-middle is detected.
- fast_open — TCP Fast Open reduces RTT and speeds up the initial connection if your kernel supports TFO (check with cat /proc/sys/net/ipv4/tcp_fastopen).
Starting and enabling the service
The systemd unit shadowsocks-libev-server@<name> reads configuration from /etc/shadowsocks-libev/<name>.json. By default, the name is config. The command below starts the service and enables it on boot:
sudo systemctl enable --now shadowsocks-libev-server@config
Check status and logs:
sudo systemctl status shadowsocks-libev-server@config
journalctl -u shadowsocks-libev-server@config -f
Status Active: active (running) confirms correct startup.
Firewall configuration
To allow clients to connect, open the selected TCP and UDP port. With ufw:
sudo ufw allow 8388/tcp
sudo ufw allow 8388/udp
sudo ufw reload
Using iptables directly:
sudo iptables -A INPUT -p tcp --dport 8388 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 8388 -j ACCEPT
Client connection
Below are the basic connection scenarios.
Windows / macOS
- Download the official app from shadowsocks.org
- Click Add → Manual Settings and enter:
  - Server IP — your VPS address
  - Server Port — 8388
  - Password — password
  - Encryption — aes-256-gcm
- Save and activate the profile — the client icon will turn green.
Linux (ss-local)
On Linux workstations, it’s recommended to use ss-local to start a local SOCKS5 port and encrypt traffic to the server:
sudo apt install shadowsocks-libev
ss-local -s <SERVER_IP> -p 8388 -k <PASSWORD> -m aes-256-gcm -l 1080
Replace the following values:
- <PASSWORD> — Your strong password;
- <SERVER_IP> — The IP address of your server.
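Now, point applications or browser plugins to the SOCKS5 proxy at 127.0.0.1:1080. A password passed with -k is visible in the process list to other users on the workstation; ss-local can also read these settings from a JSON file given with -c.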
Android / iOS
- Install ShadowSocks from Google Play or the App Store.
- Tap + → Manual Settings or scan a QR code.
- Enter the same server parameters.
- Activate VPN mode — a key will appear in the status bar.
Generate a QR code directly on the server (requires the qrencode package):
qrencode -t ansiutf8 "ss://$(echo -n aes-256-gcm:<PASSWORD>@<SERVER_IP>:8388 | base64 -w0)#Shadowsocks"
Replace the following values:
- <PASSWORD> — Your strong password;
- <SERVER_IP> — The IP address of your server.
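The password and QR-code steps above, combined into one added example (not from the original page or the shadowsocks-libev project): it generates a random password, prints the server config as strict JSON, refuses non-AEAD methods, and builds the ss:// URI in the form used by the qrencode command. The function names and the address 203.0.113.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: helper functions, not part of shadowsocks-libev.
set -eu

# AEAD methods supported by shadowsocks-libev; anything else is rejected here.
is_aead() {
  case "$1" in
    aes-128-gcm|aes-192-gcm|aes-256-gcm) return 0 ;;
    chacha20-ietf-poly1305|xchacha20-ietf-poly1305) return 0 ;;
    *) return 1 ;;
  esac
}

# 32 random bytes, base64-encoded: 44 characters from [A-Za-z0-9+/=],
# so the value needs no JSON escaping and contains no ':' or '@'.
gen_password() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Print a strict-JSON server config (no comments) for the given values.
# usage: render_config PORT PASSWORD METHOD
render_config() {
  is_aead "$3" || { echo "refusing non-AEAD method: $3" >&2; return 1; }
  printf '{\n  "server": "0.0.0.0",\n  "server_port": %d,\n' "$1"
  printf '  "password": "%s",\n  "timeout": 60,\n' "$2"
  printf '  "method": "%s",\n  "fast_open": true\n}\n' "$3"
}

# Build the ss:// URI in the same form as the page's qrencode command.
# usage: ss_uri METHOD PASSWORD HOST PORT
ss_uri() {
  printf 'ss://%s#Shadowsocks' \
    "$(printf '%s' "$1:$2@$3:$4" | base64 | tr -d '\n')"
}

# Demo with constructed values (203.0.113.10 is a documentation address).
pw=$(gen_password)
render_config 8388 "$pw" aes-256-gcm
ss_uri aes-256-gcm "$pw" 203.0.113.10 8388; echo
```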
Checking operation
Channel speed test
The following command downloads the Cloudflare speed test page via the SOCKS5 proxy — this helps you estimate real tunnel throughput:
curl --socks5 127.0.0.1:1080 https://speed.cloudflare.com
DNS leak test
Open https://dnsleaktest.com (or https://browserleaks.com/dns) in your browser and run the Extended Test. If your provider’s IPs are not in the list, DNS queries are correctly routed via Shadowsocks.
Typical issues
Symptom | Possible cause | Quick fix |
---|---|---|
connection timeout when connecting a client | Port 8388 closed in the firewall | Check ufw/iptables rules |
Low speed | fast_open disabled or weak cipher | Enable "fast_open": true, use aes-256-gcm |
Service won’t start | JSON config syntax error | sudo journalctl -u shadowsocks-libev-server@config will show the error line |
Failed to parse JSON on startup | Syntax error in config.json | jq . /etc/shadowsocks-libev/config.json, fix typo and restart the service |
port already in use / Address already in use | Port 8388 used by another process | sudo lsof -i :8388, change server_port and restart Shadowsocks |
Links and documentation
- Official Shadowsocks website — https://shadowsocks.org
- GitHub shadowsocks-libev — https://github.com/shadowsocks/shadowsocks-libev