You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

292 lines
8.7 KiB

12 years ago
12 years ago
12 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
10 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
10 years ago
11 years ago
11 years ago
12 years ago
12 years ago
10 years ago
11 years ago
10 years ago
11 years ago
11 years ago
11 years ago
12 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
12 years ago
11 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
10 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
  1. shadowsocks-libev
  2. =================
  3. Intro
  4. -----
  5. [Shadowsocks-libev](http://shadowsocks.org) is a lightweight secured scoks5
  6. proxy for embedded devices and low end boxes.
  7. It is a port of [shadowsocks](https://github.com/clowwindy/shadowsocks)
  8. created by [@clowwindy](https://github.com/clowwindy) maintained by
  9. [@madeye](https://github.com/madeye) and [@linusyang](https://github.com/linusyang).
  10. Current version: 1.5.0 | [![Build Status](https://travis-ci.org/madeye/shadowsocks-libev.png?branch=master)](https://travis-ci.org/madeye/shadowsocks-libev) | [Changelog](Changes)
  11. Features
  12. --------
  13. Shadowsocks-libev is writen in pure C and only depends on
  14. [libev](http://software.schmorp.de/pkg/libev.html) and
  15. [openssl](http://www.openssl.org/) or [polarssl](https://polarssl.org/).
  16. In normal usage, the memory footprint is about 600KB and the CPU utilization is
  17. no more than 5% on a low-end router (Buffalo WHR-G300N V2 with a 400MHz MIPS CPU,
  18. 32MB memory and 4MB flash).
  19. Installation
  20. ------------
  21. #### Notes about PolarSSL
  22. * Default crypto library is OpenSSL. To build against PolarSSL,
  23. specify `--with-crypto-library=polarssl` and `--with-polarssl=/path/to/polarssl`
  24. when running `./configure`.
  25. * PolarSSL __1.2.5 or newer__ is required. Currently, PolarSSL does __NOT__ support
  26. CAST5-CFB, DES-CFB, IDEA-CFB, RC2-CFB and SEED-CFB.
  27. * RC4 is only support by PolarSSL __1.3.0 or above__.
  28. ### Debian & Ubuntu
  29. #### Install from repository
  30. Add either of the following lines to your /etc/apt/sources.list
  31. ```
  32. # Debian Wheezy, Ubuntu 12.04 or any distribution with libssl > 1.0.1
  33. deb http://shadowsocks.org/debian wheezy main
  34. # Debian Squeeze, Ubuntu 11.04, or any distribution with libssl > 0.9.8, but < 1.0.0
  35. deb http://shadowsocks.org/debian squeeze main
  36. ```
  37. Then,
  38. ``` bash
  39. sudo apt-get update
  40. sudo apt-get install shadowsocks
  41. ```
  42. #### Build package from source
  43. ``` bash
  44. cd shadowsocks-libev
  45. sudo apt-get install build-essential autoconf libtool libssl-dev gawk debhelper
  46. sudo dpkg-buildpackage
  47. cd ..
  48. sudo dpkg -i shadowsocks*.deb
  49. ```
  50. #### Configure and start the service
  51. ```
  52. # Edit the configuration
  53. sudo vim /etc/shadowsocks/config.json
  54. # Start the service
  55. sudo /etc/init.d/shadowsocks start
  56. ```
  57. ### CentOS
  58. Install the dependencies,
  59. ```bash
  60. yum install -y gcc automake autoconf libtool make build-essential autoconf libtool
  61. yum install -y curl curl-devel zlib-devel openssl-devel perl perl-devel cpio expat-devel gettext-devel
  62. ```
  63. Compile and install,
  64. ```bash
  65. ./configure && make
  66. make install
  67. ```
  68. Then copy this [init script](rpm/SOURCES/etc/init.d/shadowsocks) to `/etc/init.d/`.
  69. ### Linux
  70. For Unix-like systems, especially Debian-based systems,
  71. e.g. Ubuntu, Debian or Linux Mint, you can build the binary like this:
  72. ```bash
  73. sudo apt-get install build-essential autoconf libtool libssl-dev
  74. ./configure && make
  75. sudo make install
  76. ```
  77. ### FreeBSD
  78. ```bash
  79. su
  80. cd /usr/ports/net/shadowsocks-libev
  81. make install
  82. ```
  83. Edit your config.json file. By default, it's located in /usr/local/etc/shadowsocks-libev
  84. To enable shadowsocks-libev, add the following rc variable to your /etc/rc.conf file.
  85. ```
  86. shadowsocks_libev_enable="YES"
  87. ```
  88. Start the shadowsocks server:
  89. ```bash
  90. service shadowsocks_libev start
  91. ```
  92. ### OpenWRT
  93. ```bash
  94. # At OpenWRT build root
  95. pushd package
  96. git clone https://github.com/madeye/shadowsocks-libev.git
  97. popd
  98. # Enable shadowsocks-libev in network category
  99. make menuconfig
  100. # Optional
  101. make -j
  102. # Build the package
  103. make V=99 package/shadowsocks-libev/openwrt/compile
  104. ```
  105. ### Windows
  106. For Windows, use either MinGW (msys) or Cygwin to build.
  107. At the moment, only `ss-local` is supported to build against MinGW (msys).
  108. If you are using MinGW (msys), please download OpenSSL or PolarSSL source tarball
  109. to the home directory of msys, and build it like this (may take a few minutes):
  110. * OpenSSL
  111. ```bash
  112. tar zxf openssl-1.0.1e.tar.gz
  113. cd openssl-1.0.1e
  114. ./config --prefix="$HOME/prebuilt" --openssldir="$HOME/prebuilt/openssl"
  115. make && make install
  116. ```
  117. * PolarSSL
  118. ```bash
  119. tar zxf polarssl-1.3.2-gpl.tgz
  120. cd polarssl-1.3.2
  121. make lib WINDOWS=1
  122. make install DESTDIR="$HOME/prebuilt"
  123. ```
  124. Then, build the binary using the commands below, and all `.exe` files
  125. will be built at `$HOME/ss/bin`:
  126. * OpenSSL
  127. ```bash
  128. ./configure --prefix="$HOME/ss" --with-openssl="$HOME/prebuilt"
  129. make && make install
  130. ```
  131. * PolarSSL
  132. ```bash
  133. ./configure --prefix="$HOME/ss" --with-crypto-library=polarssl --with-polarssl=$HOME/prebuilt
  134. make && make install
  135. ```
  136. Usage
  137. -----
  138. ```
  139. usage:
  140. ss-[local|redir|server|tunnel]
  141. -s <server_host> host name or ip address of your remote server
  142. -p <server_port> port number of your remote server
  143. -l <local_port> port number of your local server
  144. -k <password> password of your remote server
  145. [-m <encrypt_method>] encrypt method: table, rc4, rc4-md5
  146. aes-128-cfb, aes-192-cfb, aes-256-cfb,
  147. bf-cfb, camellia-128-cfb, camellia-192-cfb,
  148. camellia-256-cfb, cast5-cfb, des-cfb,
  149. idea-cfb, rc2-cfb and seed-cfb
  150. [-f <pid_file>] file to store the pid
  151. [-t <timeout>] socket timeout in seconds
  152. [-c <config_file>] config file in json
  153. [-i <interface>] network interface to bind,
  154. not available in redir mode
  155. [-b <local_address>] local address to bind,
  156. not available in server mode
  157. [-u] enable udprelay mode
  158. not available in redir mode
  159. [-L <addr>:<port>] setup a local port forwarding tunnel,
  160. only available in tunnel mode
  161. [-v] verbose mode
  162. [--fast-open] enable TCP fast open,
  163. only available on Linux kernel > 3.7.0
  164. [--acl <acl_file>] config file of ACL (Access Control List)
  165. notes:
  166. ss-redir provides a transparent proxy function and only works on the
  167. Linux platform with iptables.
  168. ```
  169. ## Advanced usage
  170. The latest shadowsocks-libev has provided a *redir* mode. You can configure your linux based box or router to proxy all tcp traffic transparently.
  171. # Create new chain
  172. root@Wrt:~# iptables -t nat -N SHADOWSOCKS
  173. # Ignore your shadowsocks server's addresses
  174. # It's very IMPORTANT, just be careful.
  175. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN
  176. # Ignore LANs and any other addresses you'd like to bypass the proxy
  177. # See Wikipedia and RFC5735 for full list of reserved networks.
  178. # See ashi009/bestroutetb for a highly optimized CHN route list.
  179. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
  180. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
  181. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
  182. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
  183. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
  184. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
  185. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
  186. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
  187. # Anything else should be redirected to shadowsocks's local port
  188. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345
  189. # Apply the rules
  190. root@Wrt:~# iptables -t nat -A OUTPUT -p tcp -j SHADOWSOCKS
  191. # Start the shadowsocks-redir
  192. root@Wrt:~# ss-redir -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid
  193. ## Security Tips
  194. Although shadowsocks-libev can handle thousands of concurrent connections nicely, we still recommend to
  195. set up your server's firewall rules to limit connections from each user.
  196. # Up to 32 connections are enough for normal usages
  197. iptables -A INPUT -p tcp --syn --dport ${SHADOWSOCKS_PORT} -m connlimit --connlimit-above 32 -j REJECT --reject-with tcp-reset
  198. ## License
  199. Copyright (C) 2014 Max Lv <max.c.lv@gmail.com>
  200. This program is free software: you can redistribute it and/or modify
  201. it under the terms of the GNU General Public License as published by
  202. the Free Software Foundation, either version 3 of the License, or
  203. (at your option) any later version.
  204. This program is distributed in the hope that it will be useful,
  205. but WITHOUT ANY WARRANTY; without even the implied warranty of
  206. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  207. GNU General Public License for more details.
  208. You should have received a copy of the GNU General Public License
  209. along with this program. If not, see <http://www.gnu.org/licenses/>.