You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

357 lines
11 KiB

12 years ago
12 years ago
12 years ago
11 years ago
10 years ago
11 years ago
11 years ago
10 years ago
11 years ago
11 years ago
9 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
10 years ago
11 years ago
11 years ago
12 years ago
12 years ago
9 years ago
11 years ago
12 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
10 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
12 years ago
10 years ago
10 years ago
9 years ago
9 years ago
9 years ago
9 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
10 years ago
11 years ago
  1. shadowsocks-libev
  2. =================
  3. Intro
  4. -----
  5. [Shadowsocks-libev](http://shadowsocks.org) is a lightweight secured socks5
  6. proxy for embedded devices and low end boxes.
  7. It is a port of [shadowsocks](https://github.com/shadowsocks/shadowsocks)
  8. created by [@clowwindy](https://github.com/clowwindy) maintained by
  9. [@madeye](https://github.com/madeye) and [@linusyang](https://github.com/linusyang).
  10. Current version: 2.3.0 | [Changelog](debian/changelog)
  11. Travis CI: [![Travis CI](https://travis-ci.org/shadowsocks/shadowsocks-libev.png?branch=master)](https://travis-ci.org/shadowsocks/shadowsocks-libev) | Jenkins Matrix: [![Jenkins](https://jenkins.shadowvpn.org/buildStatus/icon?job=Shadowsocks-libev)](https://jenkins.shadowvpn.org/job/Shadowsocks-libev/)
  12. Features
  13. --------
  14. Shadowsocks-libev is writen in pure C and only depends on
  15. [libev](http://software.schmorp.de/pkg/libev.html) and
  16. [openssl](http://www.openssl.org/) or [polarssl](https://polarssl.org/).
  17. In normal usage, the memory footprint is about 600KB and the CPU utilization is
  18. no more than 5% on a low-end router (Buffalo WHR-G300N V2 with a 400MHz MIPS CPU,
  19. 32MB memory and 4MB flash).
  20. Installation
  21. ------------
  22. #### Notes about PolarSSL
  23. * Default crypto library is OpenSSL. To build against PolarSSL,
  24. specify `--with-crypto-library=polarssl` and `--with-polarssl=/path/to/polarssl`
  25. when running `./configure`.
  26. * PolarSSL __1.2.5 or newer__ is required. Currently, PolarSSL does __NOT__ support
  27. CAST5-CFB, DES-CFB, IDEA-CFB, RC2-CFB and SEED-CFB.
  28. * RC4 is only support by PolarSSL __1.3.0 or above__.
  29. ### Debian & Ubuntu
  30. #### Install from repository
  31. Add GPG public key
  32. ```bash
  33. wget -O- http://shadowsocks.org/debian/1D27208A.gpg | sudo apt-key add -
  34. ```
  35. Add either of the following lines to your /etc/apt/sources.list
  36. ```
  37. # Debian Wheezy, Ubuntu 12.04 or any distribution with libssl > 1.0.1
  38. deb http://shadowsocks.org/debian wheezy main
  39. # Debian Squeeze, Ubuntu 11.04, or any distribution with libssl > 0.9.8, but < 1.0.0
  40. deb http://shadowsocks.org/debian squeeze main
  41. ```
  42. Then,
  43. ``` bash
  44. sudo apt-get update
  45. sudo apt-get install shadowsocks-libev
  46. ```
  47. #### Build package from source
  48. ``` bash
  49. cd shadowsocks-libev
  50. sudo apt-get install build-essential autoconf libtool libssl-dev gawk debhelper
  51. dpkg-buildpackage -us -uc
  52. cd ..
  53. sudo dpkg -i shadowsocks-libev*.deb
  54. ```
  55. #### Configure and start the service
  56. ```
  57. # Edit the configuration
  58. sudo vim /etc/shadowsocks-libev/config.json
  59. # Start the service
  60. sudo /etc/init.d/shadowsocks-libev start
  61. ```
  62. ### Fedora & RHEL
  63. Supported distributions include
  64. - Fedora 20, 21, rawhide
  65. - RHEL 6, 7 and derivatives (including CentOS, Scientific Linux)
  66. #### Install from repository
  67. Enable repo via `dnf`:
  68. ```
  69. su -c 'dnf copr enable librehat/shadowsocks'
  70. ```
  71. Or download yum repo on [Fedora Copr](https://copr.fedoraproject.org/coprs/librehat/shadowsocks/) and put it inside `/etc/yum.repos.d/`. The release `Epel` is for RHEL and its derivatives.
  72. Then, install `shadowsocks-libev` via `dnf`:
  73. ```bash
  74. su -c 'dnf update'
  75. su -c 'dnf install shadowsocks-libev'
  76. ```
  77. or `yum`:
  78. ```bash
  79. su -c 'yum update'
  80. su -c 'yum install shadowsocks-libev'
  81. ```
  82. ### Linux
  83. For Unix-like systems, especially Debian-based systems,
  84. e.g. Ubuntu, Debian or Linux Mint, you can build the binary like this:
  85. ```bash
  86. sudo apt-get install build-essential autoconf libtool libssl-dev
  87. ./configure && make
  88. sudo make install
  89. ```
  90. ### FreeBSD
  91. ```bash
  92. su
  93. cd /usr/ports/net/shadowsocks-libev
  94. make install
  95. ```
  96. Edit your config.json file. By default, it's located in /usr/local/etc/shadowsocks-libev
  97. To enable shadowsocks-libev, add the following rc variable to your /etc/rc.conf file.
  98. ```
  99. shadowsocks_libev_enable="YES"
  100. ```
  101. Start the shadowsocks server:
  102. ```bash
  103. service shadowsocks_libev start
  104. ```
  105. ### OpenWRT
  106. ```bash
  107. # At OpenWRT build root
  108. pushd package
  109. git clone https://github.com/shadowsocks/shadowsocks-libev.git
  110. popd
  111. # Enable shadowsocks-libev in network category
  112. make menuconfig
  113. # Optional
  114. make -j
  115. # Build the package
  116. make V=99 package/shadowsocks-libev/openwrt/compile
  117. ```
  118. ### OS X
  119. For OS X , use [homebrew](http://brew.sh) to install or build.
  120. Install homebrew
  121. ```bash
  122. ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
  123. ```
  124. Install shadowsocks-libev
  125. ```bash
  126. brew install shadowsocks-libev
  127. ```
  128. ### Windows
  129. For Windows, use either MinGW (msys) or Cygwin to build.
  130. At the moment, only `ss-local` is supported to build against MinGW (msys).
  131. If you are using MinGW (msys), please download OpenSSL or PolarSSL source tarball
  132. to the home directory of msys, and build it like this (may take a few minutes):
  133. * OpenSSL
  134. ```bash
  135. tar zxf openssl-1.0.1e.tar.gz
  136. cd openssl-1.0.1e
  137. ./config --prefix="$HOME/prebuilt" --openssldir="$HOME/prebuilt/openssl"
  138. make && make install
  139. ```
  140. * PolarSSL
  141. ```bash
  142. tar zxf polarssl-1.3.2-gpl.tgz
  143. cd polarssl-1.3.2
  144. make lib WINDOWS=1
  145. make install DESTDIR="$HOME/prebuilt"
  146. ```
  147. Then, build the binary using the commands below, and all `.exe` files
  148. will be built at `$HOME/ss/bin`:
  149. * OpenSSL
  150. ```bash
  151. ./configure --prefix="$HOME/ss" --with-openssl="$HOME/prebuilt"
  152. make && make install
  153. ```
  154. * PolarSSL
  155. ```bash
  156. ./configure --prefix="$HOME/ss" --with-crypto-library=polarssl --with-polarssl=$HOME/prebuilt
  157. make && make install
  158. ```
  159. Usage
  160. -----
  161. ```
  162. ss-[local|redir|server|tunnel]
  163. -s <server_host> host name or ip address of your remote server
  164. -p <server_port> port number of your remote server
  165. -l <local_port> port number of your local server
  166. -k <password> password of your remote server
  167. [-m <encrypt_method>] encrypt method: table, rc4, rc4-md5,
  168. aes-128-cfb, aes-192-cfb, aes-256-cfb,
  169. bf-cfb, camellia-128-cfb, camellia-192-cfb,
  170. camellia-256-cfb, cast5-cfb, des-cfb, idea-cfb,
  171. rc2-cfb, seed-cfb, salsa20 and chacha20
  172. [-f <pid_file>] the file path to store pid
  173. [-t <timeout>] socket timeout in seconds
  174. [-c <config_file>] the path to config file
  175. [-i <interface>] network interface to bind,
  176. not available in redir mode
  177. [-b <local_address>] local address to bind,
  178. not available in server mode
  179. [-u] enable udprelay mode,
  180. TPROXY is required in redir mode
  181. [-U] enable UDP relay and disable TCP relay,
  182. not available in local mode
  183. [-A] enable onetime authentication
  184. [-L <addr>:<port>] specify destination server address and port
  185. for local port forwarding,
  186. only available in tunnel mode
  187. [-d <addr>] setup name servers for internal DNS resolver,
  188. only available in server mode
  189. [--fast-open] enable TCP fast open,
  190. only available in local and server mode,
  191. with Linux kernel > 3.7.0
  192. [--acl <acl_file>] config file of ACL (Access Control List)
  193. only available in local and server mode
  194. [--manager-address <addr>] UNIX domain socket address
  195. only available in server and manager mode
  196. [--executable <path>] path to the executable of ss-server
  197. only available in manager mode
  198. [-v] verbose mode
  199. notes:
  200. ss-redir provides a transparent proxy function and only works on the
  201. Linux platform with iptables.
  202. ```
  203. ## Advanced usage
  204. The latest shadowsocks-libev has provided a *redir* mode. You can configure your linux based box or router to proxy all tcp traffic transparently.
  205. # Create new chain
  206. root@Wrt:~# iptables -t nat -N SHADOWSOCKS
  207. root@Wrt:~# iptables -t mangle -N SHADOWSOCKS
  208. # Ignore your shadowsocks server's addresses
  209. # It's very IMPORTANT, just be careful.
  210. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN
  211. # Ignore LANs and any other addresses you'd like to bypass the proxy
  212. # See Wikipedia and RFC5735 for full list of reserved networks.
  213. # See ashi009/bestroutetb for a highly optimized CHN route list.
  214. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
  215. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
  216. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
  217. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
  218. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
  219. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
  220. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
  221. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
  222. # Anything else should be redirected to shadowsocks's local port
  223. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345
  224. # Add any UDP rules
  225. root@Wrt:~# ip rule add fwmark 0x01/0x01 table 100
  226. root@Wrt:~# ip route add local 0.0.0.0/0 dev lo table 100
  227. root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01
  228. # Apply the rules
  229. root@Wrt:~# iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS
  230. root@Wrt:~# iptables -t mangle -A PREROUTING -j SHADOWSOCKS
  231. # Start the shadowsocks-redir
  232. root@Wrt:~# ss-redir -u -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid
  233. ## Security Tips
  234. Although shadowsocks-libev can handle thousands of concurrent connections nicely, we still recommend to
  235. set up your server's firewall rules to limit connections from each user.
  236. # Up to 32 connections are enough for normal usages
  237. iptables -A INPUT -p tcp --syn --dport ${SHADOWSOCKS_PORT} -m connlimit --connlimit-above 32 -j REJECT --reject-with tcp-reset
  238. ## License
  239. Copyright (C) 2014 Max Lv <max.c.lv@gmail.com>
  240. This program is free software: you can redistribute it and/or modify
  241. it under the terms of the GNU General Public License as published by
  242. the Free Software Foundation, either version 3 of the License, or
  243. (at your option) any later version.
  244. This program is distributed in the hope that it will be useful,
  245. but WITHOUT ANY WARRANTY; without even the implied warranty of
  246. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  247. GNU General Public License for more details.
  248. You should have received a copy of the GNU General Public License
  249. along with this program. If not, see <http://www.gnu.org/licenses/>.