You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

321 lines
9.3 KiB

12 years ago
12 years ago
12 years ago
11 years ago
10 years ago
11 years ago
11 years ago
10 years ago
11 years ago
11 years ago
9 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
10 years ago
11 years ago
11 years ago
12 years ago
12 years ago
9 years ago
11 years ago
12 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
10 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
12 years ago
10 years ago
10 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
10 years ago
11 years ago
  1. shadowsocks-libev
  2. =================
  3. Intro
  4. -----
  5. [Shadowsocks-libev](http://shadowsocks.org) is a lightweight secured socks5
  6. proxy for embedded devices and low end boxes.
  7. It is a port of [shadowsocks](https://github.com/shadowsocks/shadowsocks)
  8. created by [@clowwindy](https://github.com/clowwindy) maintained by
  9. [@madeye](https://github.com/madeye) and [@linusyang](https://github.com/linusyang).
  10. Current version: 2.1.1 | [![Build Status](https://travis-ci.org/shadowsocks/shadowsocks-libev.png?branch=master)](https://travis-ci.org/shadowsocks/shadowsocks-libev) | [Changelog](Changes)
  11. Features
  12. --------
  13. Shadowsocks-libev is writen in pure C and only depends on
  14. [libev](http://software.schmorp.de/pkg/libev.html) and
  15. [openssl](http://www.openssl.org/) or [polarssl](https://polarssl.org/).
  16. In normal usage, the memory footprint is about 600KB and the CPU utilization is
  17. no more than 5% on a low-end router (Buffalo WHR-G300N V2 with a 400MHz MIPS CPU,
  18. 32MB memory and 4MB flash).
  19. Installation
  20. ------------
  21. #### Notes about PolarSSL
  22. * Default crypto library is OpenSSL. To build against PolarSSL,
  23. specify `--with-crypto-library=polarssl` and `--with-polarssl=/path/to/polarssl`
  24. when running `./configure`.
  25. * PolarSSL __1.2.5 or newer__ is required. Currently, PolarSSL does __NOT__ support
  26. CAST5-CFB, DES-CFB, IDEA-CFB, RC2-CFB and SEED-CFB.
  27. * RC4 is only support by PolarSSL __1.3.0 or above__.
  28. ### Debian & Ubuntu
  29. #### Install from repository
  30. Add GPG public key
  31. ```bash
  32. wget -O- http://shadowsocks.org/debian/1D27208A.gpg | sudo apt-key add -
  33. ```
  34. Add either of the following lines to your /etc/apt/sources.list
  35. ```
  36. # Debian Wheezy, Ubuntu 12.04 or any distribution with libssl > 1.0.1
  37. deb http://shadowsocks.org/debian wheezy main
  38. # Debian Squeeze, Ubuntu 11.04, or any distribution with libssl > 0.9.8, but < 1.0.0
  39. deb http://shadowsocks.org/debian squeeze main
  40. ```
  41. Then,
  42. ``` bash
  43. sudo apt-get update
  44. sudo apt-get install shadowsocks-libev
  45. ```
  46. #### Build package from source
  47. ``` bash
  48. cd shadowsocks-libev
  49. sudo apt-get install build-essential autoconf libtool libssl-dev gawk debhelper
  50. dpkg-buildpackage -us -uc
  51. cd ..
  52. sudo dpkg -i shadowsocks-libev*.deb
  53. ```
  54. #### Configure and start the service
  55. ```
  56. # Edit the configuration
  57. sudo vim /etc/shadowsocks-libev/config.json
  58. # Start the service
  59. sudo /etc/init.d/shadowsocks-libev start
  60. ```
  61. ### Fedora & RHEL
  62. Supported distributions include
  63. - Fedora 20, 21, rawhide
  64. - RHEL 6, 7 and derivatives (including CentOS, Scientific Linux)
  65. #### Install from repository
  66. Enable repo via `dnf`:
  67. ```
  68. su -c 'dnf copr enable librehat/shadowsocks'
  69. ```
  70. Or download yum repo on [Fedora Copr](https://copr.fedoraproject.org/coprs/librehat/shadowsocks/) and put it inside `/etc/yum.repos.d/`. The release `Epel` is for RHEL and its derivatives.
  71. Then, install `shadowsocks-libev` via `dnf`:
  72. ```bash
  73. su -c 'dnf update'
  74. su -c 'dnf install shadowsocks-libev'
  75. ```
  76. or `yum`:
  77. ```bash
  78. su -c 'yum update'
  79. su -c 'yum install shadowsocks-libev'
  80. ```
  81. ### Linux
  82. For Unix-like systems, especially Debian-based systems,
  83. e.g. Ubuntu, Debian or Linux Mint, you can build the binary like this:
  84. ```bash
  85. sudo apt-get install build-essential autoconf libtool libssl-dev
  86. ./configure && make
  87. sudo make install
  88. ```
  89. ### FreeBSD
  90. ```bash
  91. su
  92. cd /usr/ports/net/shadowsocks-libev
  93. make install
  94. ```
  95. Edit your config.json file. By default, it's located in /usr/local/etc/shadowsocks-libev
  96. To enable shadowsocks-libev, add the following rc variable to your /etc/rc.conf file.
  97. ```
  98. shadowsocks_libev_enable="YES"
  99. ```
  100. Start the shadowsocks server:
  101. ```bash
  102. service shadowsocks_libev start
  103. ```
  104. ### OpenWRT
  105. ```bash
  106. # At OpenWRT build root
  107. pushd package
  108. git clone https://github.com/shadowsocks/shadowsocks-libev.git
  109. popd
  110. # Enable shadowsocks-libev in network category
  111. make menuconfig
  112. # Optional
  113. make -j
  114. # Build the package
  115. make V=99 package/shadowsocks-libev/openwrt/compile
  116. ```
  117. ### Windows
  118. For Windows, use either MinGW (msys) or Cygwin to build.
  119. At the moment, only `ss-local` is supported to build against MinGW (msys).
  120. If you are using MinGW (msys), please download OpenSSL or PolarSSL source tarball
  121. to the home directory of msys, and build it like this (may take a few minutes):
  122. * OpenSSL
  123. ```bash
  124. tar zxf openssl-1.0.1e.tar.gz
  125. cd openssl-1.0.1e
  126. ./config --prefix="$HOME/prebuilt" --openssldir="$HOME/prebuilt/openssl"
  127. make && make install
  128. ```
  129. * PolarSSL
  130. ```bash
  131. tar zxf polarssl-1.3.2-gpl.tgz
  132. cd polarssl-1.3.2
  133. make lib WINDOWS=1
  134. make install DESTDIR="$HOME/prebuilt"
  135. ```
  136. Then, build the binary using the commands below, and all `.exe` files
  137. will be built at `$HOME/ss/bin`:
  138. * OpenSSL
  139. ```bash
  140. ./configure --prefix="$HOME/ss" --with-openssl="$HOME/prebuilt"
  141. make && make install
  142. ```
  143. * PolarSSL
  144. ```bash
  145. ./configure --prefix="$HOME/ss" --with-crypto-library=polarssl --with-polarssl=$HOME/prebuilt
  146. make && make install
  147. ```
  148. Usage
  149. -----
  150. ```
  151. ss-[local|redir|server|tunnel]
  152. -s <server_host> host name or ip address of your remote server
  153. -p <server_port> port number of your remote server
  154. -l <local_port> port number of your local server
  155. -k <password> password of your remote server
  156. [-m <encrypt_method>] encrypt method: table, rc4, rc4-md5,
  157. aes-128-cfb, aes-192-cfb, aes-256-cfb,
  158. bf-cfb, camellia-128-cfb, camellia-192-cfb,
  159. camellia-256-cfb, cast5-cfb, des-cfb, idea-cfb,
  160. rc2-cfb, seed-cfb, salsa20 and chacha20
  161. [-f <pid_file>] the file path to store pid
  162. [-t <timeout>] socket timeout in seconds
  163. [-c <config_file>] the path to config file
  164. [-i <interface>] network interface to bind,
  165. not available in redir mode
  166. [-b <local_address>] local address to bind,
  167. not available in server mode
  168. [-u] enable udprelay mode,
  169. not available in redir mode
  170. [-L <addr>:<port>] specify destination server address and port
  171. for local port forwarding,
  172. only available in tunnel mode
  173. [-d <addr>] setup name servers for internal DNS resolver,
  174. only available in server mode
  175. [--fast-open] enable TCP fast open,
  176. only available on Linux kernel > 3.7.0
  177. [--acl <acl_file>] config file of ACL (Access Control List)
  178. [-v] verbose mode
  179. notes:
  180. ss-redir provides a transparent proxy function and only works on the
  181. Linux platform with iptables.
  182. ```
  183. ## Advanced usage
  184. The latest shadowsocks-libev has provided a *redir* mode. You can configure your linux based box or router to proxy all tcp traffic transparently.
  185. # Create new chain
  186. root@Wrt:~# iptables -t nat -N SHADOWSOCKS
  187. # Ignore your shadowsocks server's addresses
  188. # It's very IMPORTANT, just be careful.
  189. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN
  190. # Ignore LANs and any other addresses you'd like to bypass the proxy
  191. # See Wikipedia and RFC5735 for full list of reserved networks.
  192. # See ashi009/bestroutetb for a highly optimized CHN route list.
  193. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
  194. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
  195. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
  196. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
  197. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
  198. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
  199. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
  200. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
  201. # Anything else should be redirected to shadowsocks's local port
  202. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345
  203. # Apply the rules
  204. root@Wrt:~# iptables -t nat -A OUTPUT -p tcp -j SHADOWSOCKS
  205. # Start the shadowsocks-redir
  206. root@Wrt:~# ss-redir -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid
  207. ## Security Tips
  208. Although shadowsocks-libev can handle thousands of concurrent connections nicely, we still recommend to
  209. set up your server's firewall rules to limit connections from each user.
  210. # Up to 32 connections are enough for normal usages
  211. iptables -A INPUT -p tcp --syn --dport ${SHADOWSOCKS_PORT} -m connlimit --connlimit-above 32 -j REJECT --reject-with tcp-reset
  212. ## License
  213. Copyright (C) 2014 Max Lv <max.c.lv@gmail.com>
  214. This program is free software: you can redistribute it and/or modify
  215. it under the terms of the GNU General Public License as published by
  216. the Free Software Foundation, either version 3 of the License, or
  217. (at your option) any later version.
  218. This program is distributed in the hope that it will be useful,
  219. but WITHOUT ANY WARRANTY; without even the implied warranty of
  220. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  221. GNU General Public License for more details.
  222. You should have received a copy of the GNU General Public License
  223. along with this program. If not, see <http://www.gnu.org/licenses/>.