8.2.11 Setting Up a VPN with Shadowsocks

Shadowsocks is a lightweight proxy VPN with encryption, designed to bypass firewalls and QoS restrictions. This article covers the installation and setup of shadowsocks-libev on Ubuntu 24.04, as well as client connection instructions.

Use cases

  • Bypassing website and service blocks
  • Eliminating high latency or limitations of PPTP/L2TP/OpenVPN
  • Encrypting traffic without heavy TLS tunnels

Shadowsocks uses asynchronous I/O, encrypts streams with AEAD algorithms, and acts as a SOCKS5 proxy, making it faster than traditional VPN solutions.

Server Preparation

System requirements

  • An ordered virtual server or dedicated server
  • CPU: minimum 1 vCPU
  • RAM: minimum 1 GB
  • SSD: minimum 10 GB
  • OS: Ubuntu 24.04 LTS
  • Root or sudo access
  • Open UDP/TCP port (default — 8388)

Before installation, make sure your system is up to date. The command below updates the package cache and installs the latest security and bug fixes:

System update
sudo apt update && sudo apt upgrade -y

Installing shadowsocks-libev

The universe repository for Ubuntu 24.04 already contains an up-to-date shadowsocks-libev package, so no additional PPA is required. Run:

Package installation
sudo apt install -y shadowsocks-libev

If apt reports that the package was not found, the universe repository is disabled. Activate it and repeat the installation:

sudo add-apt-repository universe && sudo apt update

Creating server configuration

By default, the service looks for settings in /etc/shadowsocks-libev. Let’s create the config.json file to specify the listen address, port, password, and encryption method. All parameters can be changed later without reinstalling the application:

sudo nano /etc/shadowsocks-libev/config.json

/etc/shadowsocks-libev/config.json
{
  "server": "0.0.0.0",
  "server_port": 8388,
  "password": "password",
  "timeout": 60,
  "method": "aes-256-gcm",
  "fast_open": true
}

The file must be strict JSON, which has no comment syntax, so the keys are explained here rather than inside the file:

  • server: listen address; 0.0.0.0 listens on all interfaces.
  • server_port: Shadowsocks port.
  • password: set a unique, long password, shared by all clients; the value shown above is a placeholder.
  • timeout: packet timeout (sec.).
  • method: use AEAD algorithms (e.g., aes-256-gcm), which authenticate the encrypted data, so traffic altered in transit by a man-in-the-middle is detected and rejected.
  • fast_open: TCP Fast Open to reduce RTT; speeds up the initial connection if your kernel supports TFO (cat /proc/sys/net/ipv4/tcp_fastopen).
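
The checks this section implies (strict JSON without comments, a long unique password, an AEAD method) can be scripted. The following is an added example, not part of the original article; the function names, the placeholder list and the 16-character minimum are assumptions of the example, and the sed-based lookup only suits a flat, one-key-per-line file like this one.

```bash
# Added example: lint a flat Shadowsocks config for the pitfalls named above.
# Names, placeholder list and the 16-character minimum are assumptions.

# AEAD methods offered by shadowsocks-libev.
AEAD_METHODS="aes-128-gcm aes-192-gcm aes-256-gcm chacha20-ietf-poly1305 xchacha20-ietf-poly1305"

# Print a random 32-byte secret as 44 base64 characters.
gen_password() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# cfg_value FILE KEY: string value of KEY (one key per line assumed).
cfg_value() {
  sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# lint_ss_config FILE: print one line per finding; return 1 if any were found.
lint_ss_config() {
  local f="$1" bad=0 method pw
  # Heuristic: // or /* at line start or after whitespace or a comma.
  if grep -Eq '(^|[[:space:],])(//|/\*)' "$f"; then
    echo "comment syntax found: JSON has no comments, strict parsers reject it"
    bad=1
  fi
  method="$(cfg_value "$f" method)"
  case " $AEAD_METHODS " in
    *" $method "*) ;;
    *) echo "method '$method' is not an AEAD cipher"; bad=1 ;;
  esac
  pw="$(cfg_value "$f" password)"
  case "$pw" in
    ''|password|changeme|123456)
      echo "password is empty or a well-known placeholder"; bad=1 ;;
    *)
      [ "${#pw}" -ge 16 ] || { echo "password is shorter than 16 characters"; bad=1; } ;;
  esac
  return "$bad"
}

# Usage: lint_ss_config /etc/shadowsocks-libev/config.json
```
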

Starting and enabling the service

The systemd unit shadowsocks-libev-server@<name> reads configuration from /etc/shadowsocks-libev/<name>.json. By default, the name is config. The command below starts the service and enables it on boot:

Start and enable
sudo systemctl enable --now shadowsocks-libev-server@config

Check status and logs:

sudo systemctl status shadowsocks-libev-server@config
journalctl -u shadowsocks-libev-server@config -f

A status of Active: active (running) confirms correct startup.

Firewall configuration

To allow clients to connect, open the selected TCP and UDP port. With ufw:

UFW rules
sudo ufw allow 8388/tcp
sudo ufw allow 8388/udp
sudo ufw reload

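Using iptables directly (rules appended with -A only take effect if no earlier rule in the INPUT chain already drops the traffic, and they are lost on reboot unless saved):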

sudo iptables -A INPUT -p tcp --dport 8388 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 8388 -j ACCEPT

Client connection

Below are the basic connection scenarios.

Windows / macOS

  1. Download the official app from shadowsocks.org

  2. Click Add → Manual Settings and enter:

    • Server IP: your VPS address
    • Server Port: 8388
    • Password: password
    • Encryption: aes-256-gcm

  3. Save and activate the profile; the client icon will turn green.

Linux (ss-local)

On Linux workstations, it’s recommended to use ss-local to start a local SOCKS5 port and encrypt traffic to the server:

sudo apt install shadowsocks-libev
ss-local -s <SERVER_IP> -p 8388 -k <PASSWORD> -m aes-256-gcm -l 1080

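A password passed with -k is visible to other local users in the process list and is saved in shell history; ss-local can also read the same settings from a JSON file with -c.

Replace the following values: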

  • <PASSWORD> — Your strong password;
  • <SERVER_IP> — The IP address of your server.

Now, point applications or browser plugins to the SOCKS5 proxy at 127.0.0.1:1080.

Android / iOS

  1. Install ShadowSocks from Google Play or the App Store.
  2. Tap + → Manual Settings or scan a QR code.
  3. Enter the same server parameters.
  4. Activate VPN mode — a key will appear in the status bar.

Generate a QR code directly on the server. The ss:// link only base64-encodes the password, so treat the link and the QR code as secrets:

qrencode -t ansiutf8 "ss://$(echo -n 'aes-256-gcm:<PASSWORD>@<SERVER_IP>:8388' | base64 -w0)#Shadowsocks"

Replace the following values:

  • <PASSWORD> — Your strong password;
  • <SERVER_IP> — The IP address of your server.
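
What the ss:// link in the qrencode command contains, as an added example rather than code from the original article: an encoder for the same link layout and a decoder showing that the password is recoverable from any copy of the link or QR code. The function names and sample values are constructed for illustration.

```bash
# Added example: build and decode the ss:// link layout used by the
# qrencode command, ss://base64(method:password@host:port)#tag.
# Function names are hypothetical.

# ss_uri_encode METHOD PASSWORD HOST PORT TAG
# printf '%s' avoids echo's option handling, and quoting keeps shell
# metacharacters in the password literal.
ss_uri_encode() {
  printf 'ss://%s#%s\n' \
    "$(printf '%s' "$1:$2@$3:$4" | base64 | tr -d '\n')" "$5"
}

# ss_uri_decode URI: prints "method<TAB>password<TAB>host<TAB>port".
ss_uri_decode() {
  local body plain userinfo hostport
  body="${1#ss://}"
  body="${body%%#*}"                       # drop the #tag
  # Some generators strip '=' padding; restore it before decoding.
  while [ $(( ${#body} % 4 )) -ne 0 ]; do body="${body}="; done
  plain="$(printf '%s' "$body" | base64 -d)" || return 1
  userinfo="${plain%@*}"                   # split at the LAST '@'
  hostport="${plain##*@}"                  # host:port
  # Method ends at the first ':'; the password may itself contain ':' or '@'.
  printf '%s\t%s\t%s\t%s\n' \
    "${userinfo%%:*}" "${userinfo#*:}" "${hostport%:*}" "${hostport##*:}"
}

# Usage (constructed values):
#   ss_uri_decode "$(ss_uri_encode aes-256-gcm 'p@ss:w0rd' 203.0.113.10 8388 Shadowsocks)"
```
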

Checking operation

Channel speed test

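The following command downloads the Cloudflare speed test page via the SOCKS5 proxy, which helps you estimate real tunnel throughput. With --socks5, curl resolves the hostname locally; use --socks5-hostname if the proxy should resolve it as well: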

speedtest via proxy
curl --socks5 127.0.0.1:1080 https://speed.cloudflare.com

DNS leak test

Open https://dnsleaktest.com (or https://browserleaks.com/dns) in your browser and run the Extended Test. If your provider’s IPs are not in the list, DNS queries are correctly routed via Shadowsocks.

Typical issues

| Symptom | Possible cause | Quick fix |
|---|---|---|
| connection timeout when connecting a client | Port 8388 closed in the firewall | Check ufw/iptables rules |
| Low speed | fast_open disabled or weak cipher | Enable "fast_open": true, use aes-256-gcm |
| Service won’t start | JSON config syntax error | sudo journalctl -u shadowsocks-libev-server@config will show the error line |
| Failed to parse JSON on startup | Syntax error in config.json | jq . /etc/shadowsocks-libev/config.json, fix typo and restart the service |
| port already in use / Address already in use | Port 8388 used by another process | sudo lsof -i :8388, change server_port and restart Shadowsocks |