You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

324 lines
9.5 KiB

12 years ago
12 years ago
12 years ago
11 years ago
10 years ago
11 years ago
11 years ago
10 years ago
11 years ago
11 years ago
9 years ago
9 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
10 years ago
11 years ago
11 years ago
12 years ago
12 years ago
10 years ago
11 years ago
12 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
10 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
12 years ago
10 years ago
10 years ago
9 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
  1. shadowsocks-libev
  2. =================
  3. Intro
  4. -----
  5. [Shadowsocks-libev](http://shadowsocks.org) is a lightweight secured socks5
  6. proxy for embedded devices and low end boxes.
  7. It is a port of [shadowsocks](https://github.com/shadowsocks/shadowsocks)
  8. created by [@clowwindy](https://github.com/clowwindy) maintained by
  9. [@madeye](https://github.com/madeye) and [@linusyang](https://github.com/linusyang).
  10. Current version: 2.1.2 | [Changelog](Changes)
  11. Travis CI: [![Travis CI](https://travis-ci.org/shadowsocks/shadowsocks-libev.png?branch=master)](https://travis-ci.org/shadowsocks/shadowsocks-libev) | Jenkins Matrix: [![Jenkins](https://jenkins.shadowvpn.org/buildStatus/icon?job=Shadowsocks-libev)](https://jenkins.shadowvpn.org/job/Shadowsocks-libev/)
  12. Features
  13. --------
  14. Shadowsocks-libev is writen in pure C and only depends on
  15. [libev](http://software.schmorp.de/pkg/libev.html) and
  16. [openssl](http://www.openssl.org/) or [polarssl](https://polarssl.org/).
  17. In normal usage, the memory footprint is about 600KB and the CPU utilization is
  18. no more than 5% on a low-end router (Buffalo WHR-G300N V2 with a 400MHz MIPS CPU,
  19. 32MB memory and 4MB flash).
  20. Installation
  21. ------------
  22. #### Notes about PolarSSL
  23. * Default crypto library is OpenSSL. To build against PolarSSL,
  24. specify `--with-crypto-library=polarssl` and `--with-polarssl=/path/to/polarssl`
  25. when running `./configure`.
  26. * PolarSSL __1.2.5 or newer__ is required. Currently, PolarSSL does __NOT__ support
  27. CAST5-CFB, DES-CFB, IDEA-CFB, RC2-CFB and SEED-CFB.
  28. * RC4 is only support by PolarSSL __1.3.0 or above__.
  29. ### Debian & Ubuntu
  30. #### Install from repository
  31. Add GPG public key
  32. ```bash
  33. wget -O- http://shadowsocks.org/debian/1D27208A.gpg | sudo apt-key add -
  34. ```
  35. Add either of the following lines to your /etc/apt/sources.list
  36. ```
  37. # Debian Wheezy, Ubuntu 12.04 or any distribution with libssl > 1.0.1
  38. deb http://shadowsocks.org/debian wheezy main
  39. # Debian Squeeze, Ubuntu 11.04, or any distribution with libssl > 0.9.8, but < 1.0.0
  40. deb http://shadowsocks.org/debian squeeze main
  41. ```
  42. Then,
  43. ``` bash
  44. sudo apt-get update
  45. sudo apt-get install shadowsocks-libev
  46. ```
  47. #### Build package from source
  48. ``` bash
  49. cd shadowsocks-libev
  50. sudo apt-get install build-essential autoconf libtool libssl-dev gawk debhelper
  51. dpkg-buildpackage -us -uc
  52. cd ..
  53. sudo dpkg -i shadowsocks-libev*.deb
  54. ```
  55. #### Configure and start the service
  56. ```
  57. # Edit the configuration
  58. sudo vim /etc/shadowsocks-libev/config.json
  59. # Start the service
  60. sudo /etc/init.d/shadowsocks-libev start
  61. ```
  62. ### Fedora & RHEL
  63. Supported distributions include
  64. - Fedora 20, 21, rawhide
  65. - RHEL 6, 7 and derivatives (including CentOS, Scientific Linux)
  66. #### Install from repository
  67. Enable repo via `dnf`:
  68. ```
  69. su -c 'dnf copr enable librehat/shadowsocks'
  70. ```
  71. Or download yum repo on [Fedora Copr](https://copr.fedoraproject.org/coprs/librehat/shadowsocks/) and put it inside `/etc/yum.repos.d/`. The release `Epel` is for RHEL and its derivatives.
  72. Then, install `shadowsocks-libev` via `dnf`:
  73. ```bash
  74. su -c 'dnf update'
  75. su -c 'dnf install shadowsocks-libev'
  76. ```
  77. or `yum`:
  78. ```bash
  79. su -c 'yum update'
  80. su -c 'yum install shadowsocks-libev'
  81. ```
  82. ### Linux
  83. For Unix-like systems, especially Debian-based systems,
  84. e.g. Ubuntu, Debian or Linux Mint, you can build the binary like this:
  85. ```bash
  86. sudo apt-get install build-essential autoconf libtool libssl-dev
  87. ./configure && make
  88. sudo make install
  89. ```
  90. ### FreeBSD
  91. ```bash
  92. su
  93. cd /usr/ports/net/shadowsocks-libev
  94. make install
  95. ```
  96. Edit your config.json file. By default, it's located in /usr/local/etc/shadowsocks-libev
  97. To enable shadowsocks-libev, add the following rc variable to your /etc/rc.conf file.
  98. ```
  99. shadowsocks_libev_enable="YES"
  100. ```
  101. Start the shadowsocks server:
  102. ```bash
  103. service shadowsocks_libev start
  104. ```
  105. ### OpenWRT
  106. ```bash
  107. # At OpenWRT build root
  108. pushd package
  109. git clone https://github.com/shadowsocks/shadowsocks-libev.git
  110. popd
  111. # Enable shadowsocks-libev in network category
  112. make menuconfig
  113. # Optional
  114. make -j
  115. # Build the package
  116. make V=99 package/shadowsocks-libev/openwrt/compile
  117. ```
  118. ### Windows
  119. For Windows, use either MinGW (msys) or Cygwin to build.
  120. At the moment, only `ss-local` is supported to build against MinGW (msys).
  121. If you are using MinGW (msys), please download OpenSSL or PolarSSL source tarball
  122. to the home directory of msys, and build it like this (may take a few minutes):
  123. * OpenSSL
  124. ```bash
  125. tar zxf openssl-1.0.1e.tar.gz
  126. cd openssl-1.0.1e
  127. ./config --prefix="$HOME/prebuilt" --openssldir="$HOME/prebuilt/openssl"
  128. make && make install
  129. ```
  130. * PolarSSL
  131. ```bash
  132. tar zxf polarssl-1.3.2-gpl.tgz
  133. cd polarssl-1.3.2
  134. make lib WINDOWS=1
  135. make install DESTDIR="$HOME/prebuilt"
  136. ```
  137. Then, build the binary using the commands below, and all `.exe` files
  138. will be built at `$HOME/ss/bin`:
  139. * OpenSSL
  140. ```bash
  141. ./configure --prefix="$HOME/ss" --with-openssl="$HOME/prebuilt"
  142. make && make install
  143. ```
  144. * PolarSSL
  145. ```bash
  146. ./configure --prefix="$HOME/ss" --with-crypto-library=polarssl --with-polarssl=$HOME/prebuilt
  147. make && make install
  148. ```
  149. Usage
  150. -----
  151. ```
  152. ss-[local|redir|server|tunnel]
  153. -s <server_host> host name or ip address of your remote server
  154. -p <server_port> port number of your remote server
  155. -l <local_port> port number of your local server
  156. -k <password> password of your remote server
  157. [-m <encrypt_method>] encrypt method: table, rc4, rc4-md5,
  158. aes-128-cfb, aes-192-cfb, aes-256-cfb,
  159. bf-cfb, camellia-128-cfb, camellia-192-cfb,
  160. camellia-256-cfb, cast5-cfb, des-cfb, idea-cfb,
  161. rc2-cfb, seed-cfb, salsa20 and chacha20
  162. [-f <pid_file>] the file path to store pid
  163. [-t <timeout>] socket timeout in seconds
  164. [-c <config_file>] the path to config file
  165. [-i <interface>] network interface to bind,
  166. not available in redir mode
  167. [-b <local_address>] local address to bind,
  168. not available in server mode
  169. [-u] enable udprelay mode,
  170. not available in redir mode
  171. [-L <addr>:<port>] specify destination server address and port
  172. for local port forwarding,
  173. only available in tunnel mode
  174. [-d <addr>] setup name servers for internal DNS resolver,
  175. only available in server mode
  176. [--fast-open] enable TCP fast open,
  177. only available on Linux kernel > 3.7.0
  178. [--acl <acl_file>] config file of ACL (Access Control List)
  179. only available in local mode
  180. [-v] verbose mode
  181. notes:
  182. ss-redir provides a transparent proxy function and only works on the
  183. Linux platform with iptables.
  184. ```
  185. ## Advanced usage
  186. The latest shadowsocks-libev has provided a *redir* mode. You can configure your linux based box or router to proxy all tcp traffic transparently.
  187. # Create new chain
  188. root@Wrt:~# iptables -t nat -N SHADOWSOCKS
  189. # Ignore your shadowsocks server's addresses
  190. # It's very IMPORTANT, just be careful.
  191. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN
  192. # Ignore LANs and any other addresses you'd like to bypass the proxy
  193. # See Wikipedia and RFC5735 for full list of reserved networks.
  194. # See ashi009/bestroutetb for a highly optimized CHN route list.
  195. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
  196. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
  197. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
  198. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
  199. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
  200. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
  201. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
  202. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
  203. # Anything else should be redirected to shadowsocks's local port
  204. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345
  205. # Apply the rules
  206. root@Wrt:~# iptables -t nat -A OUTPUT -p tcp -j SHADOWSOCKS
  207. # Start the shadowsocks-redir
  208. root@Wrt:~# ss-redir -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid
  209. ## Security Tips
  210. Although shadowsocks-libev can handle thousands of concurrent connections nicely, we still recommend to
  211. set up your server's firewall rules to limit connections from each user.
  212. # Up to 32 connections are enough for normal usages
  213. iptables -A INPUT -p tcp --syn --dport ${SHADOWSOCKS_PORT} -m connlimit --connlimit-above 32 -j REJECT --reject-with tcp-reset
  214. ## License
  215. Copyright (C) 2014 Max Lv <max.c.lv@gmail.com>
  216. This program is free software: you can redistribute it and/or modify
  217. it under the terms of the GNU General Public License as published by
  218. the Free Software Foundation, either version 3 of the License, or
  219. (at your option) any later version.
  220. This program is distributed in the hope that it will be useful,
  221. but WITHOUT ANY WARRANTY; without even the implied warranty of
  222. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  223. GNU General Public License for more details.
  224. You should have received a copy of the GNU General Public License
  225. along with this program. If not, see <http://www.gnu.org/licenses/>.