Setting Up a VPN with Shadowsocks - Help | Hosting provider TheHost

8.2.11 Setting Up a VPN with Shadowsocks

The Host Banner Shadowsocks

Shadowsocks is a lightweight proxy VPN with encryption, designed to bypass firewalls and QoS restrictions. This article covers the installation and setup of shadowsocks-libev on Ubuntu 24.04, as well as client connection instructions.

Use cases

Bypassing website and service blocks
Eliminating high latency or limitations of PPTP/L2TP/OpenVPN
Encrypting traffic without heavy TLS tunnels

Shadowsocks uses asynchronous I/O, encrypts streams with AEAD algorithms, and acts as a SOCKS5 proxy, making it faster than traditional VPN solutions.

Server Preparation

System requirements

An ordered virtual server or dedicated server
CPU: minimum 1 vCPU
RAM: minimum 1 GB
SSD: minimum 10 GB
OS: Ubuntu 24.04 LTS
Root or sudo access
Open UDP/TCP port (default — 8388)

Before installation, make sure your system is up to date. The command below updates the package cache and installs the latest security and bug fixes:

System update

sudo apt update && sudo apt upgrade -y

update and upgrade system

Installing shadowsocks-libev

The universe repository for Ubuntu 24.04 already contains an up-to-date shadowsocks-libev package, so no additional PPA is required. Run:

Package installation

sudo apt install -y shadowsocks-libev

installation

If your system reports the package not found, the universe repository is disabled. Activate it and repeat the installation:

sudo add-apt-repository universe && sudo apt update

Creating server configuration

By default, the service looks for settings in /etc/shadowsocks-libev. Let’s create the config.json file to specify listen address, port, password, and encryption method. All parameters can be changed later without reinstalling the application:

/etc/shadowsocks-libev/config.json

sudo nano /etc/shadowsocks-libev/config.json

{
  "server": "0.0.0.0",         // listen on all interfaces
  "server_port": 8388,         // Shadowsocks port
  "password": "password",      // secure client password
  "timeout": 60,               // packet timeout (sec.)
  "method": "aes-256-gcm",     // AEAD encryption algorithm
  "fast_open": true            // TCP Fast Open to reduce RTT
}

password — set a unique, long password, shared by all clients.
method — use AEAD algorithms (e.g., aes-256-gcm), which are protected from MITM attacks.
fast_open — speeds up the initial connection if your kernel supports TFO (cat /proc/sys/net/ipv4/tcp_fastopen).

Starting and enabling the service

The systemd unit shadowsocks-libev-server@<name> reads configuration from /etc/shadowsocks-libev/<name>.json. By default, the name is config. The command below starts the service and enables it on boot:

Start and enable

sudo systemctl enable --now shadowsocks-libev-server@config

Symlink

Check status and logs:

sudo systemctl status shadowsocks-libev-server@config
journalctl -u shadowsocks-libev-server@config -f

service status

Status Active: active (running) confirms correct startup.

Firewall configuration

To allow clients to connect, open the selected TCP and UDP port. With ufw:

UFW rules

sudo ufw allow 8388/tcp
sudo ufw allow 8388/udp
sudo ufw reload

ufw

Using iptables directly:

sudo iptables -A INPUT -p tcp --dport 8388 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 8388 -j ACCEPT

Client connection

Below are the basic connection scenarios.

Windows / macOS

Download the official app from shadowsocks.org
Click Add → Manual Settings and enter:
- Server IP — your VPS address
- Server Port — 8388
- Password — password
- Encryption — aes-256-gcm

Set client

Save and activate the profile — the client icon will turn green.

Linux (ss-local)

On Linux workstations, it’s recommended to use ss-local to start a local SOCKS5 port and encrypt traffic to the server:

sudo apt install shadowsocks-libev
ss-local -s <SERVER_IP> -p 8388 -k <PASSWORD> -m aes-256-gcm -l 1080

Replace the following values:

<PASSWORD> — Your strong password;
<SERVER_IP> — The IP address of your server.

Now, point applications or browser plugins to the SOCKS5 proxy at 127.0.0.1:1080.

Android / iOS

Install ShadowSocks from Google Play or the App Store.
Tap + → Manual Settings or scan a QR code.
Enter the same server parameters.
Activate VPN mode — a key will appear in the status bar.

Generate a QR code directly on the server:

qrencode -t ansiutf8 "ss://$(echo -n aes-256-gcm:<PASSWORD>@<SERVER_IP>:8388 | base64 -w0)#Shadowsocks"

Replace the following values:

<PASSWORD> — Your strong password;
<SERVER_IP> — The IP address of your server.

Checking operation

Channel speed test

The following command downloads the Cloudflare speed test page via the SOCKS5 proxy — this helps you estimate real tunnel throughput:

speedtest via proxy

curl --socks5 127.0.0.1:1080 https://speed.cloudflare.com

DNS leak test

Open https://dnsleaktest.com (or https://browserleaks.com/dns) in your browser and run the Extended Test. If your provider’s IPs are not in the list, DNS queries are correctly routed via Shadowsocks.

Typical issues

Symptom	Possible cause	Quick fix
`connection timeout` when connecting a client	Port 8388 closed in the firewall	Check `ufw`/`iptables` rules
Low speed	`fast_open` disabled or weak cipher	Enable `"fast_open": true`, use `aes-256-gcm`
Service won’t start	JSON config syntax error	`sudo journalctl -u shadowsocks-libev-server@config` will show the error line
`Failed to parse JSON` on startup	Syntax error in `config.json`	`jq . /etc/shadowsocks-libev/config.json`, fix typo and restart the service
`port already in use` / `Address already in use`	Port 8388 used by another process	`sudo lsof -i :8388`, change `server_port` and restart Shadowsocks

Links and documentation

Official Shadowsocks website — https://shadowsocks.org
GitHub shadowsocks-libev — https://github.com/shadowsocks/shadowsocks-libev