From 98ea49e1375a55e6a8ce50d08fc3c1dcdcbe46e4 Mon Sep 17 00:00:00 2001 From: Boyuan Yang <073plan@gmail.com> Date: Mon, 21 Dec 2015 21:56:49 +0800 Subject: [PATCH 1/6] man: fix a typo. --- man/ss-manager.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/man/ss-manager.1 b/man/ss-manager.1 index 59f52466..f61382c1 100644 --- a/man/ss-manager.1 +++ b/man/ss-manager.1 @@ -150,7 +150,7 @@ $(which ss-server) -s example.com -m aes-256-cfb -c /path/to/config.json # Connect to the socket. Using netcat-openbsd as an example. # You should use scripts or other programs for further management. - nc -Uu /tmp/ss.socket + nc -Uu /tmp/manager.sock After that, you may communicate with \*(Ma(1) as described above in the \fBPROTOCOL\fR section. From b7618dc9b8558ef3d715c21edffc821b4593f6f5 Mon Sep 17 00:00:00 2001 From: Boyuan Yang <073plan@gmail.com> Date: Mon, 21 Dec 2015 22:15:16 +0800 Subject: [PATCH 2/6] man: update info about cipher. --- man/shadowsocks-libev.8 | 4 ++-- man/ss-local.1 | 4 ++-- man/ss-manager.1 | 4 ++-- man/ss-redir.1 | 4 ++-- man/ss-server.1 | 4 ++-- man/ss-tunnel.1 | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/man/shadowsocks-libev.8 b/man/shadowsocks-libev.8 index 386a0abb..3f341aaa 100644 --- a/man/shadowsocks-libev.8 +++ b/man/shadowsocks-libev.8 @@ -71,10 +71,10 @@ Set the password. The server and the client should use the same password. .B \-m \fIencrypt_method\fP Set the cipher. -Shadowsocks accepts 16 different ciphers: table, rc4, rc4-md5, +\*(Me accepts 18 different ciphers: table, rc4, rc4-md5, aes-128-cfb, aes-192-cfb, aes-256-cfb, bf-cfb, camellia-128-cfb, camellia-192-cfb, camellia-256-cfb, cast5-cfb, des-cfb, idea-cfb, rc2-cfb, -seed-cfb, salsa20 and chacha20. The default cipher is \fItable\fP. +seed-cfb, salsa20, chacha20 and chacha20-ietf. The default cipher is \fItable\fP. If built with PolarSSL or custom OpenSSL libraries, some of these ciphers may not work. 
diff --git a/man/ss-local.1 b/man/ss-local.1 index 46a49e5d..52d9d96f 100644 --- a/man/ss-local.1 +++ b/man/ss-local.1 @@ -62,10 +62,10 @@ Set the password. The server and the client should use the same password. .B \-m \fIencrypt_method\fP Set the cipher. -Shadowsocks accepts 16 different ciphers: table, rc4, rc4-md5, +\*(Me accepts 18 different ciphers: table, rc4, rc4-md5, aes-128-cfb, aes-192-cfb, aes-256-cfb, bf-cfb, camellia-128-cfb, camellia-192-cfb, camellia-256-cfb, cast5-cfb, des-cfb, idea-cfb, rc2-cfb, -seed-cfb, salsa20 and chacha20. The default cipher is \fItable\fP. +seed-cfb, salsa20, chacha20 and chacha20-ietf. The default cipher is \fItable\fP. If built with PolarSSL or custom OpenSSL libraries, some of these ciphers may not work. diff --git a/man/ss-manager.1 b/man/ss-manager.1 index f61382c1..9480fb06 100644 --- a/man/ss-manager.1 +++ b/man/ss-manager.1 @@ -67,10 +67,10 @@ Set the password. The server and the client should use the same password. .B \-m \fIencrypt_method\fP Set the cipher. -Shadowsocks accepts 16 different ciphers: table, rc4, rc4-md5, +\*(Me accepts 18 different ciphers: table, rc4, rc4-md5, aes-128-cfb, aes-192-cfb, aes-256-cfb, bf-cfb, camellia-128-cfb, camellia-192-cfb, camellia-256-cfb, cast5-cfb, des-cfb, idea-cfb, rc2-cfb, -seed-cfb, salsa20 and chacha20. The default cipher is \fItable\fP. +seed-cfb, salsa20, chacha20 and chacha20-ietf. The default cipher is \fItable\fP. If built with PolarSSL or custom OpenSSL libraries, some of these ciphers may not work. diff --git a/man/ss-redir.1 b/man/ss-redir.1 index 4f8783f0..f9b3065e 100644 --- a/man/ss-redir.1 +++ b/man/ss-redir.1 
@@ -64,10 +64,10 @@ Set the password. The server and the client should use the same password. .B \-m \fIencrypt_method\fP Set the cipher. -Shadowsocks accepts 16 different ciphers: table, rc4, rc4-md5, +\*(Me accepts 18 different ciphers: table, rc4, rc4-md5, aes-128-cfb, aes-192-cfb, aes-256-cfb, bf-cfb, camellia-128-cfb, camellia-192-cfb, camellia-256-cfb, cast5-cfb, des-cfb, idea-cfb, rc2-cfb, -seed-cfb, salsa20 and chacha20. The default cipher is \fItable\fP. +seed-cfb, salsa20, chacha20 and chacha20-ietf. The default cipher is \fItable\fP. If built with PolarSSL or custom OpenSSL libraries, some of these ciphers may not work. diff --git a/man/ss-server.1 b/man/ss-server.1 index 81cca85d..f386d5ff 100644 --- a/man/ss-server.1 +++ b/man/ss-server.1 @@ -64,10 +64,10 @@ Set the password. The server and the client should use the same password. .B \-m \fIencrypt_method\fP Set the cipher. -Shadowsocks accepts 16 different ciphers: table, rc4, rc4-md5, +\*(Me accepts 18 different ciphers: table, rc4, rc4-md5, aes-128-cfb, aes-192-cfb, aes-256-cfb, bf-cfb, camellia-128-cfb, camellia-192-cfb, camellia-256-cfb, cast5-cfb, des-cfb, idea-cfb, rc2-cfb, -seed-cfb, salsa20 and chacha20. The default cipher is \fItable\fP. +seed-cfb, salsa20, chacha20 and chacha20-ietf. The default cipher is \fItable\fP. If built with PolarSSL or custom OpenSSL libraries, some of these ciphers may not work. diff --git a/man/ss-tunnel.1 b/man/ss-tunnel.1 index 42a1a0b4..35fd992f 100644 --- a/man/ss-tunnel.1 +++ b/man/ss-tunnel.1 
@@ -64,10 +64,10 @@ Set the password. The server and the client should use the same password. .B \-m \fIencrypt_method\fP Set the cipher. -Shadowsocks accepts 16 different ciphers: table, rc4, rc4-md5, +\*(Me accepts 18 different ciphers: table, rc4, rc4-md5, aes-128-cfb, aes-192-cfb, aes-256-cfb, bf-cfb, camellia-128-cfb, camellia-192-cfb, camellia-256-cfb, cast5-cfb, des-cfb, idea-cfb, rc2-cfb, -seed-cfb, salsa20 and chacha20. The default cipher is \fItable\fP. +seed-cfb, salsa20, chacha20 and chacha20-ietf. The default cipher is \fItable\fP. If built with PolarSSL or custom OpenSSL libraries, some of these ciphers may not work. From 665217a502aefc1e5ae89566bd491776df32cd8f Mon Sep 17 00:00:00 2001 From: Boyuan Yang <073plan@gmail.com> Date: Mon, 21 Dec 2015 22:18:09 +0800 Subject: [PATCH 3/6] readme: update minor information. --- README.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a20da57b..6e0580c8 100644 --- a/README.md +++ b/README.md @@ -144,7 +144,8 @@ su -c 'yum install shadowsocks-libev' sudo pacman -S shadowsocks-libev ``` -Please refer to downstream `PKGBUILD` file for any extra modifications. +Please refer to downstream [PKGBUILD](https://projects.archlinux.org/svntogit/community.git/tree/trunk?h=packages/shadowsocks-libev) +script for extra modifications. ### Linux @@ -256,6 +257,9 @@ make && make install ## Usage +For a detailed and complete list of all supported arguments, you may refer to the +man pages of the applications, respectively. + ``` ss-[local|redir|server|tunnel] @@ -271,7 +275,8 @@ make && make install aes-128-cfb, aes-192-cfb, aes-256-cfb, bf-cfb, camellia-128-cfb, camellia-192-cfb, camellia-256-cfb, cast5-cfb, des-cfb, idea-cfb, - rc2-cfb, seed-cfb, salsa20 and chacha20 + rc2-cfb, seed-cfb, salsa20 ,chacha20 and + chacha20-ietf [-f ] the file path to store pid From 0d58018dac72f6c739517150a309472e0a5712ff Mon Sep 17 00:00:00 2001 
From: Boyuan Yang <073plan@gmail.com> Date: Mon, 21 Dec 2015 22:49:23 +0800 Subject: [PATCH 4/6] man: update info of arguments. --- man/shadowsocks-libev.8 | 5 +++++ man/ss-local.1 | 7 ++++++- man/ss-redir.1 | 7 ++++++- man/ss-server.1 | 7 ++++++- man/ss-tunnel.1 | 7 ++++++- 5 files changed, 29 insertions(+), 4 deletions(-) diff --git a/man/shadowsocks-libev.8 b/man/shadowsocks-libev.8 index 3f341aaa..6945b480 100644 --- a/man/shadowsocks-libev.8 +++ b/man/shadowsocks-libev.8 @@ -88,6 +88,11 @@ Set the socket timeout in seconds. The default value is 10. .B \-c \fIconfig_file\fP Use a configuration file. .TP +.B \-n \fInofile\fP +Specify max number of open files. + +Only available on Linux. +.TP .B \-i \fIinterface\fP Specify network interface to bind. diff --git a/man/ss-local.1 b/man/ss-local.1 index 52d9d96f..04ec5209 100644 --- a/man/ss-local.1 +++ b/man/ss-local.1 @@ -35,7 +35,7 @@ ss-local \- shadowsocks client as socks5 proxy, libev port [\fB\-s\fR \fIserver_host\fR] [\fB\-p\fR \fIserver_port\fR] [\fB\-l\fR \fIlocal_port\fR] [\fB\-k\fR \fIpassword\fR] [\fB\-m\fR \fIencrypt_method\fR] [\fB\-f\fR \fIpid_file\fR] [\fB\-t\fR \fItimeout\fR] [\fB\-c\fR \fIconfig_file\fR] [\fB\-b\fR \fIinterface\fR] [\fB\-a\fR \fIuser_name\fR] - [\fB\-\-fast\-open\fR] [\fB\-\-acl\fR \fIacl_config\fR] + [\fB\-n\fR \fInofile\fR] [\fB\-\-fast\-open\fR] [\fB\-\-acl\fR \fIacl_config\fR] .SH DESCRIPTION \*(Me is a lightweight and secure socks5 proxy. It is a port of the original @@ -79,6 +79,11 @@ Set the socket timeout in seconds. The default value is 10. .B \-c \fIconfig_file\fP Use a configuration file. .TP +.B \-n \fInofile\fP +Specify max number of open files. + +Only avaliable on Linux. +.TP .B \-i \fIinterface\fP Specify network interface to bind. .TP diff --git a/man/ss-redir.1 b/man/ss-redir.1 index f9b3065e..e3f5045f 100644 --- a/man/ss-redir.1 +++ b/man/ss-redir.1 
@@ -35,7 +35,7 @@ ss-redir \- shadowsocks client as transparent proxy, libev port [\fB\-s\fR \fIserver_host\fR] [\fB\-p\fR \fIserver_port\fR] [\fB\-l\fR \fIlocal_port\fR] [\fB\-k\fR \fIpassword\fR] [\fB\-m\fR \fIencrypt_method\fR] [\fB\-f\fR \fIpid_file\fR] [\fB\-t\fR \fItimeout\fR] [\fB\-c\fR \fIconfig_file\fR] [\fB\-b\fR \fIlocal_address\fR] - [\fB\-a\fR \fIuser_name\fR] + [\fB\-a\fR \fIuser_name\fR] [\fB\-n\fR \fInofile\fR] .SH DESCRIPTION \*(Me is a lightweight and secure socks5 proxy. It is a port of the original @@ -81,6 +81,11 @@ Set the socket timeout in seconds. The default value is 10. .B \-c \fIconfig_file\fP Use a configuration file. .TP +.B \-n \fInofile\fP +Specify max number of open files. + +Only avaliable on Linux. +.TP .B \-b \fIlocal_address\fP Specify local address to bind. .TP diff --git a/man/ss-server.1 b/man/ss-server.1 index f386d5ff..b6dd09a8 100644 --- a/man/ss-server.1 +++ b/man/ss-server.1 @@ -35,7 +35,7 @@ ss-server \- shadowsocks server, libev port [\fB\-s\fR \fIserver_host\fR] [\fB\-p\fR \fIserver_port\fR] [\fB\-l\fR \fIlocal_port\fR] [\fB\-k\fR \fIpassword\fR] [\fB\-m\fR \fIencrypt_method\fR] [\fB\-f\fR \fIpid_file\fR] [\fB\-t\fR \fItimeout\fR] [\fB\-c\fR \fIconfig_file\fR] [\fB\-i\fR \fIinterface\fR] - [\fB\-a\fR \fIuser_name\fR] [\fB\-d\fR \fIaddr\fR] + [\fB\-a\fR \fIuser_name\fR] [\fB\-d\fR \fIaddr\fR] [\fB\-n\fR \fInofile\fR] [\fB\-\-fast\-open\fR] [\fB\-\-acl\fR \fIacl_config\fR] [\fB\-\-manager\-address\fR \fIpath_to_unix_domain\fR] @@ -81,6 +81,11 @@ Set the socket timeout in seconds. The default value is 10. .B \-c \fIconfig_file\fP Use a configuration file. .TP +.B \-n \fInofile\fP +Specify max number of open files. + +Only avaliable on Linux. +.TP .B \-i \fIinterface\fP Specify network interface to bind. .TP diff --git a/man/ss-tunnel.1 b/man/ss-tunnel.1 index 35fd992f..a4116284 100644 --- a/man/ss-tunnel.1 +++ b/man/ss-tunnel.1 
@@ -35,7 +35,7 @@ ss-tunnel \- shadowsocks tools for local port forwarding, libev port [\fB\-s\fR \fIserver_host\fR] [\fB\-p\fR \fIserver_port\fR] [\fB\-l\fR \fIlocal_port\fR] [\fB\-k\fR \fIpassword\fR] [\fB\-m\fR \fIencrypt_method\fR] [\fB\-f\fR \fIpid_file\fR] [\fB\-t\fR \fItimeout\fR] [\fB\-c\fR \fIconfig_file\fR] [\fB\-i\fR \fIinterface\fR] - [\fB\-b\fR \fIlocal_addr\fR] [\fB\-a\fR \fIuser_name\fR] + [\fB\-b\fR \fIlocal_addr\fR] [\fB\-a\fR \fIuser_name\fR] [\fB\-n\fR \fInofile\fR] [\fB\-L\fR \fIaddr\fR:\fIport\fR] .SH DESCRIPTION @@ -81,6 +81,11 @@ Set the socket timeout in seconds. The default value is 10. .B \-c \fIconfig_file\fP Use a configuration file. .TP +.B \-n \fInofile\fP +Specify max number of open files. + +Only avaliable on Linux. +.TP .B \-i \fIinterface\fP Specify network interface to bind. .TP From 3d487d51571b1d22d8b93f6304f044fbece942f2 Mon Sep 17 00:00:00 2001 From: Boyuan Yang <073plan@gmail.com> Date: Mon, 21 Dec 2015 22:59:50 +0800 Subject: [PATCH 5/6] readme: refine structure; add info about mbedTLS. --- README.md | 93 +++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 74 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 6e0580c8..b99894ea 100644 --- a/README.md +++ b/README.md @@ -2,11 +2,11 @@ ## Intro -[Shadowsocks-libev](http://shadowsocks.org) is a lightweight secured SOCKS5 +[Shadowsocks-libev](http://shadowsocks.org) is a lightweight secured SOCKS5 proxy for embedded devices and low-end boxes. -It is a port of [Shadowsocks](https://github.com/shadowsocks/shadowsocks) -created by [@clowwindy](https://github.com/clowwindy), which is maintained by +It is a port of [Shadowsocks](https://github.com/shadowsocks/shadowsocks) +created by [@clowwindy](https://github.com/clowwindy), which is maintained by [@madeye](https://github.com/madeye) and [@linusyang](https://github.com/linusyang). Current version: 2.4.3 | [Changelog](debian/changelog) 
@@ -16,24 +16,76 @@ Travis CI: [![Travis CI](https://travis-ci.org/shadowsocks/shadowsocks-libev.svg ## Features Shadowsocks-libev is written in pure C and only depends on -[libev](http://software.schmorp.de/pkg/libev.html) and +[libev](http://software.schmorp.de/pkg/libev.html) and [OpenSSL](http://www.openssl.org/) or [PolarSSL](https://polarssl.org/). +The use of [mbedTLS](https://tls.mbed.org/) is added but still for testing, and +it is not officially supported yet. -In normal usage, the memory footprint is about 600KB and the CPU utilization is -no more than 5% on a low-end router (Buffalo WHR-G300N V2 with a 400MHz MIPS CPU, +In normal usage, the memory footprint is about 600KB and the CPU utilization is +no more than 5% on a low-end router (Buffalo WHR-G300N V2 with a 400MHz MIPS CPU, 32MB memory and 4MB flash). +For a full list of feature comparison between different versions of shadowsocks, +refer to the [Wiki page](https://github.com/shadowsocks/shadowsocks/wiki/Feature-Comparison-across-Different-Versions). + + ## Installation -**Notes about PolarSSL** +### Distribution-specific guide + +- [Debian & Ubuntu](#debian--ubuntu) + + [Install from repository](#install-from-repository) + + [Build deb package from source](#build-deb-package-from-source) + + [Configure and start the service](#configure-and-start-the-service) +- [Fedora & RHEL](#fedora--rhel) + + [Install from repository](#install-from-repository-1) +- [Archlinux](#archlinux) +- [Directly build and install on UNIX-like system](#linux) +- [FreeBSD](#freebsd) +- [OpenWRT](#openwrt) +- [OS X](#os-x) +- [Windows](#windows) + +* * * + +### Pre-build configure guide + +For a complete list of avaliable configure-time option, +try `configure --help`. + +#### Using alternative crypto library + +There are three crypto libraries available: + +- OpenSSL (**default**) +- PolarSSL +- mbedTLS (__NOT__ officially supported) + +##### PolarSSL -* The default crypto library is OpenSSL. 
To build against PolarSSL, -specify `--with-crypto-library=polarssl` and `--with-polarssl=/path/to/polarssl` -when running `./configure`. -* PolarSSL __1.2.5 or newer__ is required. Currently, PolarSSL does __NOT__ support +To build against PolarSSL, specify `--with-crypto-library=polarssl` +and `--with-polarssl=/path/to/polarssl` when running `./configure`. + +* PolarSSL __1.2.5 or newer__ is required. Currently, PolarSSL does __NOT__ support CAST5-CFB, DES-CFB, IDEA-CFB, RC2-CFB and SEED-CFB. * RC4 is only support by PolarSSL __1.3.0 or above__. +##### mbedTLS +To build against mbedTLS, specify `--with-crypto-library=mbedtls` +and `--with-mbedtls=/path/to/mbedtls` when running `./configure`. + +Please not that we do **NOT** officially support mbedTLS right now, +and you should use it at your own risk. + +Windows users will need extra work when compiling mbedTLS library, +see [this issue](https://github.com/shadowsocks/shadowsocks-libev/issues/422) for detail info. + +#### Using shared library from system + +Please specify `--enable-system-shared-lib`. This will replace the bundled +`libev`, `libsodium` and `libudns` with the corresponding libraries installed +in the system during compilation and linking. + ### Debian & Ubuntu #### Install from repository @@ -82,7 +134,7 @@ Please follow the instructions on [Debian Backports](http://backports.debian.org This also means that you can only install those built packages on systems that have `init-system-helpers` installed. -Otherwise, try to build and install directly from source. See the **Linux** +Otherwise, try to build and install directly from source. See the [Linux](#linux) section below. ``` bash 
@@ -145,11 +197,11 @@ sudo pacman -S shadowsocks-libev ``` Please refer to downstream [PKGBUILD](https://projects.archlinux.org/svntogit/community.git/tree/trunk?h=packages/shadowsocks-libev) -script for extra modifications. +script for extra modifications and distribution-specific bugs. ### Linux -For Unix-like systems, especially Debian-based systems, +For Unix-like systems, especially Debian-based systems, e.g. Ubuntu, Debian or Linux Mint, you can build the binary like this: ```bash @@ -182,13 +234,16 @@ service shadowsocks_libev start ### OpenWRT +**Note**: You may want to use [openwrt-shadowsocks](https://github.com/shadowsocks/openwrt-shadowsocks) +, which is developed specifically for OpenWRT. + ```bash # At OpenWRT build root pushd package git clone https://github.com/shadowsocks/shadowsocks-libev.git popd -# Enable shadowsocks-libev in network category +# Enable shadowsocks-libev in network category make menuconfig # Optional @@ -238,7 +293,7 @@ make lib WINDOWS=1 make install DESTDIR="$HOME/prebuilt" ``` -Then, build the binary using the commands below, and all `.exe` files +Then, build the binary using the commands below, and all `.exe` files will be built at `$HOME/ss/bin`: #### OpenSSL @@ -322,7 +377,7 @@ man pages of the applications, respectively. notes: - ss-redir provides a transparent proxy function and only works on the + ss-redir provides a transparent proxy function and only works on the Linux platform with iptables. ``` @@ -334,7 +389,7 @@ The latest shadowsocks-libev has provided a *redir* mode. You can configure your # Create new chain root@Wrt:~# iptables -t nat -N SHADOWSOCKS root@Wrt:~# iptables -t mangle -N SHADOWSOCKS - + # Ignore your shadowsocks server's addresses # It's very IMPORTANT, just be careful. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN 
@@ -358,7 +413,7 @@ The latest shadowsocks-libev has provided a *redir* mode. You can configure your root@Wrt:~# ip rule add fwmark 0x01/0x01 table 100 root@Wrt:~# ip route add local 0.0.0.0/0 dev lo table 100 root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01 - + # Apply the rules root@Wrt:~# iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS root@Wrt:~# iptables -t mangle -A PREROUTING -j SHADOWSOCKS From fe6096c0afbada52ed40b48e00b9263c6f610420 Mon Sep 17 00:00:00 2001 From: Boyuan Yang <073plan@gmail.com> Date: Tue, 22 Dec 2015 21:16:08 +0800 Subject: [PATCH 6/6] readme: fix typo in 3d487d51. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b99894ea..d1915f25 100644 --- a/README.md +++ b/README.md @@ -74,7 +74,7 @@ CAST5-CFB, DES-CFB, IDEA-CFB, RC2-CFB and SEED-CFB. To build against mbedTLS, specify `--with-crypto-library=mbedtls` and `--with-mbedtls=/path/to/mbedtls` when running `./configure`. -Please not that we do **NOT** officially support mbedTLS right now, +Please note that we do **NOT** officially support mbedTLS right now, and you should use it at your own risk. Windows users will need extra work when compiling mbedTLS library,
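Review bot: The subject of [PATCH 1/6] says "fix a typo", but the man/ss-manager.1 hunk (@@ -150,7) replaces the socket path in the example with `nc -Uu /tmp/manager.sock`, and the visible context does not show the `--manager-address` value the daemon in the example is started with, so the new path cannot be checked against it from this hunk. Say in the commit message which option value the path now matches. Since this is the management socket, consider also moving the example path out of the world-writable `/tmp` into a directory that only the service user can access.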
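Review bot: The cipher paragraph edited in all six man pages by [PATCH 2/6] still ends with "The default cipher is \fItable\fP" and gives no guidance on choosing among the 18 listed methods, where `table`, rc4 and des-cfb sit next to aes-256-cfb and chacha20-ietf with no indication of relative strength. While this sentence is being touched, add a line telling users to set `-m` explicitly rather than rely on the default, for instance to aes-256-cfb, which the ss-manager.1 example already uses. Also confirm that the `Me` string is defined in man/shadowsocks-libev.8: the visible context of ss-local.1 and ss-redir.1 uses `\*(Me` in DESCRIPTION, but nothing visible shows it defined for the .8 page.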
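Review bot: In the README.md usage hunk of [PATCH 3/6] (@@ -271,7), the added line `rc2-cfb, seed-cfb, salsa20 ,chacha20 and` has the space on the wrong side of the comma; it should read `salsa20, chacha20 and`. In the @@ -256,6 hunk of the same patch, "refer to the man pages of the applications, respectively" would read better as "refer to the man page of each application".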
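Review bot: "Only avaliable on Linux." is misspelled in the added `-n` entries of man/ss-local.1, man/ss-redir.1, man/ss-server.1 and man/ss-tunnel.1 in [PATCH 4/6]; only man/shadowsocks-libev.8 has the correct "available". The description "Specify max number of open files." should also say what limit applies when `-n` is omitted. In man/ss-local.1, the SYNOPSIS context line shows `-b interface` while the OPTIONS context shows `-i interface`; since the patch edits the SYNOPSIS line next to it, reconcile the two in the same change.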
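Review bot: [PATCH 5/6] mixes whitespace-only changes (removed and added line pairs in README.md that show no visible difference) with the new content, which makes the substantive additions hard to pick out; move the whitespace cleanup into its own commit. In the added text, "avaliable configure-time option" should be "available configure-time options", the `##### mbedTLS` heading lacks the blank line that follows `##### PolarSSL`, and "Please not that" is only corrected by [PATCH 6/6], which should be squashed into 5/6 before merging. The mbedTLS paragraph says to use it "at your own risk" without saying what is untested; one sentence on that would help anyone choosing a crypto backend.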