.ig . manual page for shadowsocks-libev . . Copyright (c) 2012-2016, by: Max Lv . All rights reserved. . . Permission is granted to copy, distribute and/or modify this document . under the terms of the GNU Free Documentation License, Version 1.1 or . any later version published by the Free Software Foundation; . with no Front-Cover Texts, no Back-Cover Texts, and with the following . Invariant Sections (and any sub-sections therein): . all .ig sections, including this one . STUPID TRICKS Sampler . AUTHOR . . A copy of the Free Documentation License is included in the section . entitled "GNU Free Documentation License". . .. \# - these two are for chuckles, makes great grammar .ds Lo \fBss-local\fR .ds Re \fBss-redir\fR .ds Se \fBss-server\fR .ds Tu \fBss-tunnel\fR .ds Ma \fBss-manager\fR .ds Me \fBShadowsocks-libev\fR . .TH "SHADOWSOCKS-LIBEV" "8" "April 19, 2016" "SHADOWSOCKS-LIBEV" .SH NAME shadowsocks-libev \- a lightweight and secure socks5 proxy .SH SYNOPSIS \*(Lo|\*(Re|\*(Se|\*(Tu|\*(Ma [\fB\-s\fR \fIserver_host\fR] [\fB\-p\fR \fIserver_port\fR] [\fB\-l\fR \fIlocal_port\fR] [\fB\-k\fR \fIpassword\fR] [\fB\-m\fR \fIencrypt_method\fR] [\fB\-f\fR \fIpid_file\fR] [\fB\-t\fR \fItimeout\fR] [\fB\-c\fR \fIconfig_file\fR] .SH DESCRIPTION \*(Me is a lightweight and secure socks5 proxy. It is a port of the original shadowsocks created by clowwindy. \*(Me is written in pure C and takes advantage of \fBlibev\fP to achieve both high performance and low resource consumption. .PP \*(Me consists of five components. One is \*(Se(1) that runs on a remote server to provide secured tunnel service. \*(Lo(1) and \*(Re(1) are clients on your local machines to proxy TCP traffic. \*(Tu(1) is a tool for local port forwarding. .PP While \*(Lo(1) works as a standard socks5 proxy, \*(Re(1) works as a transparent proxy and requires netfilter's NAT module. For more information, check out the example section. .PP \*(Ma(1) is a controller for multi-user management and traffic statistics, using UNIX domain socket to talk with \*(Se(1). Also, it provides a UNIX domain socket or IP based API for other software. About the details of this API, please refer to the protocol section. .SH OPTIONS .TP .B \-s \fIserver_host\fP Set the server's hostname or IP. .TP .B \-p \fIserver_port\fP Set the server's port number. Not available in manager mode. .TP .B \-l \fIlocal_port\fP Set the local port number. Not available in server nor manager mode. .TP .B \-k \fIpassword\fP Set the password. The server and the client should use the same password. .TP .B \-m \fIencrypt_method\fP Set the cipher. \*(Me accepts 18 different ciphers: table, rc4, rc4-md5, aes-128-cfb, aes-192-cfb, aes-256-cfb, bf-cfb, camellia-128-cfb, camellia-192-cfb, camellia-256-cfb, cast5-cfb, des-cfb, idea-cfb, rc2-cfb, seed-cfb, salsa20, chacha20 and chacha20-ietf. The default cipher is \fItable\fP. If built with PolarSSL or custom OpenSSL libraries, some of these ciphers may not work. .TP .B \-a \fIuser_name\fP Run as a specific user. .TP .B \-f \fIpid_file\fP Start shadowsocks as a daemon with specific pid file. .TP .B \-t \fItimeout\fP Set the socket timeout in seconds. The default value is 60. .TP .B \-c \fIconfig_file\fP Use a configuration file. .TP .B \-n \fInumber\fP Specify max number of open files. Not available in manager mode. Only available on Linux. .TP .B \-i \fIinterface\fP Send traffic through specific network interface. For example, there are three interfaces in your device, which is lo (127.0.0.1), eth0 (192.168.0.1) and eth1 (192.168.0.2). Meanwhile, you configure \fBshadowsocks-libev\fR to listen on 0.0.0.0:8388 and bind to eth1. That results the traffic go out through eth1, but not lo nor eth0. This option is useful to control traffic in multi-interface environment. Not available in redir mode. .TP .B \-b \fIlocal_address\fP Specify local address to bind. Not available in server nor manager mode. .TP .B \-u Enable UDP relay. TPROXY is required in redir mode. You may need root permission. .TP .B \-U Enable UDP relay and disable TCP relay. Not available in local mode. .TP .B \-A Enable onetime authentication. .TP .B \-w Enable white list mode (when ACL enabled). Only available in server mode. .TP .B \-L \fIaddr\fR:\fIport\fP Specify destination server address and port for local port forwarding. Only available in tunnel mode. .TP .B \-d \fIaddr\fP Setup name servers for internal DNS resolver (libudns). The default server is fetched from /etc/resolv.conf. Only available in server and manager mode. .TP .B \--fast-open Enable TCP fast open. Not available in redir nor tunnel mode, with Linux kernel > 3.7.0. .TP .B \--acl \fIacl_config\fP Enable ACL (Access Control List) and specify config file. Not available in redir nor tunnel mode. .TP .B \--manager-address \fIpath_to_unix_domain\fP Specify UNIX domain socket address. Only available in server and manager mode. .TP .B \--executable \fIpath_to_server_executable\fP Specify the executable path of ss-server. Only available in manager mode. .TP .B \-v Enable verbose mode. .TP .B \-h, --help Print help message. .SH EXAMPLE \*(Re requires netfilter's NAT function. Here is an example: .nf # Create new chain root@Wrt:~# iptables -t nat -N SHADOWSOCKS root@Wrt:~# iptables -t mangle -N SHADOWSOCKS # Ignore your shadowsocks server's addresses # It's very IMPORTANT, just be careful. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN # Ignore LANs and any other addresses you'd like to bypass the proxy # See Wikipedia and RFC5735 for full list of reserved networks. # See ashi009/bestroutetb for a highly optimized CHN route list. root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN # Anything else should be redirected to shadowsocks's local port root@Wrt:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345 # Add any UDP rules root@Wrt:~# ip rule add fwmark 0x01/0x01 table 100 root@Wrt:~# ip route add local 0.0.0.0/0 dev lo table 100 root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01 # Apply the rules root@Wrt:~# iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS root@Wrt:~# iptables -t mangle -A PREROUTING -j SHADOWSOCKS # Start the shadowsocks-redir root@Wrt:~# ss-redir -u -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid .fi .SH PROTOCOL \*(Ma(1) provides several APIs through UDP protocol: .in +4n Send UDP commands in the following format to the manager-address provided to \*(Ma(1). command: [JSON data] To add a port: add: {"server_port": 8001, "password":"7cd308cc059"} To remove a port: remove: {"server_port": 8001} To receive a pong: ping Then \*(Ma(1) will send back the traffic statistics: stat: {"8001":11370} .SH SEE ALSO .BR \*(Lo (1), .BR \*(Se (1), .BR \*(Tu (1), .BR \*(Re (1), .BR \*(Ma (1), .BR iptables (8), /etc/shadowsocks-libev/config.json .br .SH AUTHOR shadowsocks was created by clowwindy and shadowsocks-libev was maintained by Max Lv and Linus Yang . .PP This manual page was written by Max Lv . .PP The manual pages were rearranged by hosiet <073plan@gmail.com>.