You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

269 lines
8.3 KiB

12 years ago
12 years ago
12 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
10 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
10 years ago
11 years ago
11 years ago
12 years ago
12 years ago
11 years ago
10 years ago
11 years ago
11 years ago
11 years ago
12 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
12 years ago
11 years ago
10 years ago
12 years ago
11 years ago
12 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
11 years ago
  1. shadowsocks-libev
  2. =================
  3. Intro
  4. -----
  5. [Shadowsocks-libev](http://shadowsocks.org) is a lightweight secured scoks5
  6. proxy for embedded devices and low end boxes.
  7. It is a port of [shadowsocks](https://github.com/clowwindy/shadowsocks)
  8. created by [@clowwindy](https://github.com/clowwindy) maintained by
  9. [@madeye](https://github.com/madeye) and [@linusyang](https://github.com/linusyang).
  10. Current version: 1.4.6 | [![Build Status](https://travis-ci.org/madeye/shadowsocks-libev.png?branch=master)](https://travis-ci.org/madeye/shadowsocks-libev) | [Changelog](Changes)
  11. Features
  12. --------
  13. Shadowsocks-libev is writen in pure C and only depends on
  14. [libev](http://software.schmorp.de/pkg/libev.html) and
  15. [openssl](http://www.openssl.org/) or [polarssl](https://polarssl.org/).
  16. In normal usage, the memory footprint is about 600KB and the CPU utilization is
  17. no more than 5% on a low-end router (Buffalo WHR-G300N V2 with a 400MHz MIPS CPU,
  18. 32MB memory and 4MB flash).
  19. Installation
  20. ------------
  21. #### Notes about PolarSSL
  22. * Default crypto library is OpenSSL. To build against PolarSSL,
  23. specify `--with-crypto-library=polarssl` and `--with-polarssl=/path/to/polarssl`
  24. when running `./configure`.
  25. * PolarSSL __1.2.5 or newer__ is required. Currently, PolarSSL does __NOT__ support
  26. CAST5-CFB, DES-CFB, IDEA-CFB, RC2-CFB and SEED-CFB.
  27. * RC4 is only support by PolarSSL __1.3.0 or above__.
  28. ### Debian & Ubuntu
  29. Add either of the following lines to your /etc/apt/sources.list
  30. ```
  31. # Debian Wheezy, Ubuntu 12.04 or any distribution with libssl > 1.0.1
  32. deb http://shadowsocks.org/debian wheezy main
  33. # Debian Squeeze, Ubuntu 11.04, or any distribution with libssl > 0.9.8, but < 1.0.0
  34. deb http://shadowsocks.org/debian squeeze main
  35. ```
  36. Then,
  37. ``` bash
  38. sudo apt-get update
  39. sudo apt-get install shadowsocks
  40. # Edit the configuration
  41. sudo vim /etc/shadowsocks/config.json
  42. # Start the service
  43. sudo /etc/init.d/shadowsocks start
  44. ```
  45. ### CentOS
  46. Install the dependencies,
  47. ```bash
  48. yum install -y gcc automake autoconf libtool make build-essential autoconf libtool
  49. yum install -y curl curl-devel zlib-devel openssl-devel perl perl-devel cpio expat-devel gettext-devel
  50. ```
  51. Compile and install,
  52. ```bash
  53. ./configure && make
  54. make install
  55. ```
  56. Then copy this [init script](rpm/SOURCES/etc/init.d/shadowsocks) to `/etc/init.d/`.
  57. ### Linux
  58. For Unix-like systems, especially Debian-based systems,
  59. e.g. Ubuntu, Debian or Linux Mint, you can build the binary like this:
  60. ```bash
  61. sudo apt-get install build-essential autoconf libtool libssl-dev
  62. ./configure && make
  63. sudo make install
  64. ```
  65. ### FreeBSD
  66. ```bash
  67. su
  68. cd /usr/ports/net/shadowsocks-libev
  69. make install
  70. ```
  71. Edit your config.json file. By default, it's located in /usr/local/etc/shadowsocks-libev
  72. To enable shadowsocks-libev, add the following rc variable to your /etc/rc.conf file.
  73. ```
  74. shadowsocks_libev_enable="YES"
  75. ```
  76. Start the shadowsocks server:
  77. ```bash
  78. service shadowsocks_libev start
  79. ```
  80. ### OpenWRT
  81. ```bash
  82. # At OpenWRT build root
  83. pushd package
  84. git clone https://github.com/madeye/shadowsocks-libev.git
  85. popd
  86. # Enable shadowsocks-libev in network category
  87. make menuconfig
  88. # Optional
  89. make -j
  90. # Build the package
  91. make V=99 package/shadowsocks-libev/openwrt/compile
  92. ```
  93. ### Windows
  94. For Windows, use either MinGW (msys) or Cygwin to build.
  95. At the moment, only `ss-local` is supported to build against MinGW (msys).
  96. If you are using MinGW (msys), please download OpenSSL or PolarSSL source tarball
  97. to the home directory of msys, and build it like this (may take a few minutes):
  98. * OpenSSL
  99. ```bash
  100. tar zxf openssl-1.0.1e.tar.gz
  101. cd openssl-1.0.1e
  102. ./config --prefix="$HOME/prebuilt" --openssldir="$HOME/prebuilt/openssl"
  103. make && make install
  104. ```
  105. * PolarSSL
  106. ```bash
  107. tar zxf polarssl-1.3.2-gpl.tgz
  108. cd polarssl-1.3.2
  109. make lib WINDOWS=1
  110. make install DESTDIR="$HOME/prebuilt"
  111. ```
  112. Then, build the binary using the commands below, and all `.exe` files
  113. will be built at `$HOME/ss/bin`:
  114. * OpenSSL
  115. ```bash
  116. ./configure --prefix="$HOME/ss" --with-openssl="$HOME/prebuilt"
  117. make && make install
  118. ```
  119. * PolarSSL
  120. ```bash
  121. ./configure --prefix="$HOME/ss" --with-crypto-library=polarssl --with-polarssl=$HOME/prebuilt
  122. make && make install
  123. ```
  124. Usage
  125. -----
  126. ```
  127. usage:
  128. ss-[local|redir|server|tunnel]
  129. -s <server_host> host name or ip address of your remote server
  130. -p <server_port> port number of your remote server
  131. -l <local_port> port number of your local server
  132. -k <password> password of your remote server
  133. [-m <encrypt_method>] encrypt method, supporting table, rc4,
  134. aes-128-cfb, aes-192-cfb, aes-256-cfb,
  135. bf-cfb, camellia-128-cfb, camellia-192-cfb,
  136. camellia-256-cfb, cast5-cfb, des-cfb,
  137. idea-cfb, rc2-cfb and seed-cfb
  138. [-f <pid_file>] valid path to the pid file
  139. [-t <timeout>] socket timeout in seconds
  140. [-c <config_file>] json format config file
  141. [-i <interface>] specific network interface to bind,
  142. not available in redir mode
  143. [-b <local_address>] specific local address to bind,
  144. not available in server mode
  145. [-u] udprelay mode to supprot udp traffic
  146. not available in redir mode
  147. [-L <addr>:<port>] setup a local port forwarding tunnel
  148. only available in tunnel mode
  149. [-v] verbose mode, debug output in console
  150. notes:
  151. ss-redir provides a transparent proxy function and only works on the
  152. Linux platform with iptables.
  153. ```
  154. ## Advanced usage
  155. The latest shadowsocks-libev has provided a *redir* mode. You can configure your linux based box or router to proxy all tcp traffic transparently.
  156. # Create new chain
  157. root@Wrt:~# iptables -t nat -N SHADOWSOCKS
  158. # Ignore your shadowsocks server's addresses
  159. # It's very IMPORTANT, just be careful.
  160. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN
  161. # Ignore LANs and any other addresses you'd like to bypass the proxy
  162. # See Wikipedia and RFC5735 for full list of reserved networks.
  163. # See ashi009/bestroutetb for a highly optimized CHN route list.
  164. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
  165. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
  166. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
  167. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
  168. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
  169. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
  170. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
  171. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
  172. # Anything else should be redirected to shadowsocks's local port
  173. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345
  174. # Apply the rules
  175. root@Wrt:~# iptables -t nat -A OUTPUT -p tcp -j SHADOWSOCKS
  176. # Start the shadowsocks-redir
  177. root@Wrt:~# ss-redir -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid
  178. ## Security Tips
  179. Although shadowsocks-libev can handle thousands of concurrent connections nicely, we still recommend to
  180. set up your server's firewall rules to limit connections from each user.
  181. # Up to 32 connections are enough for normal usages
  182. iptables -A INPUT -p tcp --syn --dport ${SHADOWSOCKS_PORT} -m connlimit --connlimit-above 32 -j REJECT --reject-with tcp-reset
  183. ## License
  184. Copyright (C) 2014 Max Lv <max.c.lv@gmail.com>
  185. This program is free software: you can redistribute it and/or modify
  186. it under the terms of the GNU General Public License as published by
  187. the Free Software Foundation, either version 3 of the License, or
  188. (at your option) any later version.
  189. This program is distributed in the hope that it will be useful,
  190. but WITHOUT ANY WARRANTY; without even the implied warranty of
  191. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  192. GNU General Public License for more details.
  193. You should have received a copy of the GNU General Public License
  194. along with this program. If not, see <http://www.gnu.org/licenses/>.