You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

304 lines
9.0 KiB

12 years ago
12 years ago
12 years ago
11 years ago
10 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
10 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
10 years ago
11 years ago
11 years ago
12 years ago
12 years ago
11 years ago
12 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
12 years ago
11 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
10 years ago
11 years ago
  1. shadowsocks-libev
  2. =================
  3. Intro
  4. -----
  5. [Shadowsocks-libev](http://shadowsocks.org) is a lightweight secured socks5
  6. proxy for embedded devices and low end boxes.
  7. It is a port of [shadowsocks](https://github.com/clowwindy/shadowsocks)
  8. created by [@clowwindy](https://github.com/clowwindy) maintained by
  9. [@madeye](https://github.com/madeye) and [@linusyang](https://github.com/linusyang).
  10. Current version: 1.6.1 | [![Build Status](https://travis-ci.org/madeye/shadowsocks-libev.png?branch=master)](https://travis-ci.org/madeye/shadowsocks-libev) | [Changelog](Changes)
  11. Features
  12. --------
  13. Shadowsocks-libev is writen in pure C and only depends on
  14. [libev](http://software.schmorp.de/pkg/libev.html) and
  15. [openssl](http://www.openssl.org/) or [polarssl](https://polarssl.org/).
  16. In normal usage, the memory footprint is about 600KB and the CPU utilization is
  17. no more than 5% on a low-end router (Buffalo WHR-G300N V2 with a 400MHz MIPS CPU,
  18. 32MB memory and 4MB flash).
  19. Installation
  20. ------------
  21. #### Notes about PolarSSL
  22. * Default crypto library is OpenSSL. To build against PolarSSL,
  23. specify `--with-crypto-library=polarssl` and `--with-polarssl=/path/to/polarssl`
  24. when running `./configure`.
  25. * PolarSSL __1.2.5 or newer__ is required. Currently, PolarSSL does __NOT__ support
  26. CAST5-CFB, DES-CFB, IDEA-CFB, RC2-CFB and SEED-CFB.
  27. * RC4 is only support by PolarSSL __1.3.0 or above__.
  28. ### Debian & Ubuntu
  29. #### Install from repository
  30. Add either of the following lines to your /etc/apt/sources.list
  31. ```
  32. # Debian Wheezy, Ubuntu 12.04 or any distribution with libssl > 1.0.1
  33. deb http://shadowsocks.org/debian wheezy main
  34. # Debian Squeeze, Ubuntu 11.04, or any distribution with libssl > 0.9.8, but < 1.0.0
  35. deb http://shadowsocks.org/debian squeeze main
  36. ```
  37. Then,
  38. ``` bash
  39. sudo apt-get update
  40. sudo apt-get install shadowsocks-libev
  41. ```
  42. #### Build package from source
  43. ``` bash
  44. cd shadowsocks-libev
  45. sudo apt-get install build-essential autoconf libtool libssl-dev gawk debhelper
  46. dpkg-buildpackage -us -uc
  47. cd ..
  48. sudo dpkg -i shadowsocks-libev*.deb
  49. ```
  50. #### Configure and start the service
  51. ```
  52. # Edit the configuration
  53. sudo vim /etc/shadowsocks-libev/config.json
  54. # Start the service
  55. sudo /etc/init.d/shadowsocks-libev start
  56. ```
  57. ### Fedora & RHEL
  58. Supported distributions include
  59. - Fedora 19, 20, 21, rawhide
  60. - RHEL 6, 7 and derivatives (including CentOS, Scientific Linux)
  61. #### Install from repository
  62. Enable repo via `dnf`:
  63. ```
  64. su -c 'dnf copr enable librehat/shadowsocks'
  65. ```
  66. Or download yum repo on [Fedora Copr](https://copr.fedoraproject.org/coprs/librehat/shadowsocks/) and put it inside `/etc/yum.repos.d/`. The release `Epel` is for RHEL and its derivatives.
  67. Then, install `shadowsocks-libev` via `dnf`:
  68. ```bash
  69. su -c 'dnf update'
  70. su -c 'dnf install shadowsocks-libev'
  71. ```
  72. or `yum`:
  73. ```bash
  74. su -c 'yum update'
  75. su -c 'yum install shadowsocks-libev'
  76. ```
  77. ### Linux
  78. For Unix-like systems, especially Debian-based systems,
  79. e.g. Ubuntu, Debian or Linux Mint, you can build the binary like this:
  80. ```bash
  81. sudo apt-get install build-essential autoconf libtool libssl-dev
  82. ./configure && make
  83. sudo make install
  84. ```
  85. ### FreeBSD
  86. ```bash
  87. su
  88. cd /usr/ports/net/shadowsocks-libev
  89. make install
  90. ```
  91. Edit your config.json file. By default, it's located in /usr/local/etc/shadowsocks-libev
  92. To enable shadowsocks-libev, add the following rc variable to your /etc/rc.conf file.
  93. ```
  94. shadowsocks_libev_enable="YES"
  95. ```
  96. Start the shadowsocks server:
  97. ```bash
  98. service shadowsocks_libev start
  99. ```
  100. ### OpenWRT
  101. ```bash
  102. # At OpenWRT build root
  103. pushd package
  104. git clone https://github.com/madeye/shadowsocks-libev.git
  105. popd
  106. # Enable shadowsocks-libev in network category
  107. make menuconfig
  108. # Optional
  109. make -j
  110. # Build the package
  111. make V=99 package/shadowsocks-libev/openwrt/compile
  112. ```
  113. ### Windows
  114. For Windows, use either MinGW (msys) or Cygwin to build.
  115. At the moment, only `ss-local` is supported to build against MinGW (msys).
  116. If you are using MinGW (msys), please download OpenSSL or PolarSSL source tarball
  117. to the home directory of msys, and build it like this (may take a few minutes):
  118. * OpenSSL
  119. ```bash
  120. tar zxf openssl-1.0.1e.tar.gz
  121. cd openssl-1.0.1e
  122. ./config --prefix="$HOME/prebuilt" --openssldir="$HOME/prebuilt/openssl"
  123. make && make install
  124. ```
  125. * PolarSSL
  126. ```bash
  127. tar zxf polarssl-1.3.2-gpl.tgz
  128. cd polarssl-1.3.2
  129. make lib WINDOWS=1
  130. make install DESTDIR="$HOME/prebuilt"
  131. ```
  132. Then, build the binary using the commands below, and all `.exe` files
  133. will be built at `$HOME/ss/bin`:
  134. * OpenSSL
  135. ```bash
  136. ./configure --prefix="$HOME/ss" --with-openssl="$HOME/prebuilt"
  137. make && make install
  138. ```
  139. * PolarSSL
  140. ```bash
  141. ./configure --prefix="$HOME/ss" --with-crypto-library=polarssl --with-polarssl=$HOME/prebuilt
  142. make && make install
  143. ```
  144. Usage
  145. -----
  146. ```
  147. usage:
  148. ss-[local|redir|server|tunnel]
  149. -s <server_host> host name or ip address of your remote server
  150. -p <server_port> port number of your remote server
  151. -l <local_port> port number of your local server
  152. -k <password> password of your remote server
  153. [-m <encrypt_method>] encrypt method: table, rc4, rc4-md5
  154. aes-128-cfb, aes-192-cfb, aes-256-cfb,
  155. bf-cfb, camellia-128-cfb, camellia-192-cfb,
  156. camellia-256-cfb, cast5-cfb, des-cfb,
  157. idea-cfb, rc2-cfb and seed-cfb
  158. [-f <pid_file>] file to store the pid
  159. [-t <timeout>] socket timeout in seconds
  160. [-c <config_file>] config file in json
  161. [-i <interface>] network interface to bind,
  162. not available in redir mode
  163. [-b <local_address>] local address to bind,
  164. not available in server mode
  165. [-u] enable udprelay mode
  166. not available in redir mode
  167. [-L <addr>:<port>] setup a local port forwarding tunnel,
  168. only available in tunnel mode
  169. [-v] verbose mode
  170. [--fast-open] enable TCP fast open,
  171. only available on Linux kernel > 3.7.0
  172. [--acl <acl_file>] config file of ACL (Access Control List)
  173. notes:
  174. ss-redir provides a transparent proxy function and only works on the
  175. Linux platform with iptables.
  176. ```
  177. ## Advanced usage
  178. The latest shadowsocks-libev has provided a *redir* mode. You can configure your linux based box or router to proxy all tcp traffic transparently.
  179. # Create new chain
  180. root@Wrt:~# iptables -t nat -N SHADOWSOCKS
  181. # Ignore your shadowsocks server's addresses
  182. # It's very IMPORTANT, just be careful.
  183. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN
  184. # Ignore LANs and any other addresses you'd like to bypass the proxy
  185. # See Wikipedia and RFC5735 for full list of reserved networks.
  186. # See ashi009/bestroutetb for a highly optimized CHN route list.
  187. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
  188. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
  189. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
  190. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
  191. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
  192. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
  193. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
  194. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
  195. # Anything else should be redirected to shadowsocks's local port
  196. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345
  197. # Apply the rules
  198. root@Wrt:~# iptables -t nat -A OUTPUT -p tcp -j SHADOWSOCKS
  199. # Start the shadowsocks-redir
  200. root@Wrt:~# ss-redir -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid
  201. ## Security Tips
  202. Although shadowsocks-libev can handle thousands of concurrent connections nicely, we still recommend to
  203. set up your server's firewall rules to limit connections from each user.
  204. # Up to 32 connections are enough for normal usages
  205. iptables -A INPUT -p tcp --syn --dport ${SHADOWSOCKS_PORT} -m connlimit --connlimit-above 32 -j REJECT --reject-with tcp-reset
  206. ## License
  207. Copyright (C) 2014 Max Lv <max.c.lv@gmail.com>
  208. This program is free software: you can redistribute it and/or modify
  209. it under the terms of the GNU General Public License as published by
  210. the Free Software Foundation, either version 3 of the License, or
  211. (at your option) any later version.
  212. This program is distributed in the hope that it will be useful,
  213. but WITHOUT ANY WARRANTY; without even the implied warranty of
  214. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  215. GNU General Public License for more details.
  216. You should have received a copy of the GNU General Public License
  217. along with this program. If not, see <http://www.gnu.org/licenses/>.