You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
258 lines
7.7 KiB
258 lines
7.7 KiB
.ig
|
|
. manual page for shadowsocks-libev
|
|
.
|
|
. Copyright (c) 2012-2016, by: Max Lv
|
|
. All rights reserved.
|
|
.
|
|
. Permission is granted to copy, distribute and/or modify this document
|
|
. under the terms of the GNU Free Documentation License, Version 1.1 or
|
|
. any later version published by the Free Software Foundation;
|
|
. with no Front-Cover Texts, no Back-Cover Texts, and with the following
|
|
. Invariant Sections (and any sub-sections therein):
|
|
. all .ig sections, including this one
|
|
. STUPID TRICKS Sampler
|
|
. AUTHOR
|
|
.
|
|
. A copy of the Free Documentation License is included in the section
|
|
. entitled "GNU Free Documentation License".
|
|
.
|
|
..
|
|
\# - these two are for chuckles, makes great grammar
|
|
.ds Lo \fBss-local\fR
|
|
.ds Re \fBss-redir\fR
|
|
.ds Se \fBss-server\fR
|
|
.ds Tu \fBss-tunnel\fR
|
|
.ds Ma \fBss-manager\fR
|
|
.ds Me \fBShadowsocks-libev\fR
|
|
.
|
|
.TH "SHADOWSOCKS-LIBEV" "8" "April 19, 2016" "SHADOWSOCKS-LIBEV"
|
|
.SH NAME
|
|
shadowsocks-libev \- a lightweight and secure socks5 proxy
|
|
|
|
.SH SYNOPSIS
|
|
\*(Lo|\*(Re|\*(Se|\*(Tu|\*(Ma
|
|
[\fB\-s\fR \fIserver_host\fR] [\fB\-p\fR \fIserver_port\fR]
|
|
[\fB\-l\fR \fIlocal_port\fR] [\fB\-k\fR \fIpassword\fR]
|
|
[\fB\-m\fR \fIencrypt_method\fR] [\fB\-f\fR \fIpid_file\fR]
|
|
[\fB\-t\fR \fItimeout\fR] [\fB\-c\fR \fIconfig_file\fR]
|
|
|
|
.SH DESCRIPTION
|
|
\*(Me is a lightweight and secure socks5 proxy. It is a port of the original
|
|
shadowsocks created by clowwindy. \*(Me is written in pure C and takes advantage
|
|
of \fBlibev\fP to achieve both high performance and low resource consumption.
|
|
.PP
|
|
\*(Me consists of five components. One is \*(Se(1) that runs on a remote server
|
|
to provide secured tunnel service. \*(Lo(1) and \*(Re(1) are clients on your
|
|
local machines to proxy TCP traffic. \*(Tu(1) is a tool for local port
|
|
forwarding.
|
|
.PP
|
|
While \*(Lo(1) works as a standard socks5 proxy, \*(Re(1) works as a transparent
|
|
proxy and requires netfilter's NAT module. For more information, check out the
|
|
example section.
|
|
.PP
|
|
\*(Ma(1) is a controller for multi-user management and traffic statistics, using
|
|
UNIX domain socket to talk with \*(Se(1). Also, it provides a UNIX domain socket
|
|
or IP based API for other software. About the details of this API, please refer
|
|
to the protocol section.
|
|
|
|
.SH OPTIONS
|
|
.TP
|
|
.B \-s \fIserver_host\fP
|
|
Set the server's hostname or IP.
|
|
.TP
|
|
.B \-p \fIserver_port\fP
|
|
Set the server's port number.
|
|
|
|
Not available in manager mode.
|
|
.TP
|
|
.B \-l \fIlocal_port\fP
|
|
Set the local port number.
|
|
|
|
Not available in server nor manager mode.
|
|
.TP
|
|
.B \-k \fIpassword\fP
|
|
Set the password. The server and the client should use the same password.
|
|
.TP
|
|
.B \-m \fIencrypt_method\fP
|
|
Set the cipher.
|
|
|
|
\*(Me accepts 18 different ciphers: table, rc4, rc4-md5, aes-128-cfb,
|
|
aes-192-cfb, aes-256-cfb, bf-cfb, camellia-128-cfb, camellia-192-cfb,
|
|
camellia-256-cfb, cast5-cfb, des-cfb, idea-cfb, rc2-cfb, seed-cfb, salsa20,
|
|
chacha20 and chacha20-ietf. The default cipher is \fItable\fP.
|
|
|
|
If built with PolarSSL or custom OpenSSL libraries, some of these ciphers may
|
|
not work.
|
|
.TP
|
|
.B \-a \fIuser_name\fP
|
|
Run as a specific user.
|
|
.TP
|
|
.B \-f \fIpid_file\fP
|
|
Start shadowsocks as a daemon with specific pid file.
|
|
.TP
|
|
.B \-t \fItimeout\fP
|
|
Set the socket timeout in seconds. The default value is 60.
|
|
.TP
|
|
.B \-c \fIconfig_file\fP
|
|
Use a configuration file.
|
|
.TP
|
|
.B \-n \fInumber\fP
|
|
Specify max number of open files.
|
|
|
|
Not available in manager mode.
|
|
|
|
Only available on Linux.
|
|
.TP
|
|
.B \-i \fIinterface\fP
|
|
Send traffic through specific network interface.
|
|
|
|
For example, there are three interfaces in your device, which is lo (127.0.0.1),
|
|
eth0 (192.168.0.1) and eth1 (192.168.0.2). Meanwhile, you configure
|
|
\fBshadowsocks-libev\fR to listen on 0.0.0.0:8388 and bind to eth1. That results
|
|
the traffic go out through eth1, but not lo nor eth0. This option is useful to
|
|
control traffic in multi-interface environment.
|
|
|
|
Not available in redir mode.
|
|
.TP
|
|
.B \-b \fIlocal_address\fP
|
|
Specify local address to bind.
|
|
|
|
Not available in server nor manager mode.
|
|
.TP
|
|
.B \-u
|
|
Enable UDP relay.
|
|
|
|
TPROXY is required in redir mode. You may need root permission.
|
|
.TP
|
|
.B \-U
|
|
Enable UDP relay and disable TCP relay.
|
|
|
|
Not available in local mode.
|
|
.TP
|
|
.B \-A
|
|
Enable onetime authentication.
|
|
.TP
|
|
.B \-w
|
|
Enable white list mode (when ACL enabled).
|
|
|
|
Only available in server mode.
|
|
.TP
|
|
.B \-L \fIaddr\fR:\fIport\fP
|
|
Specify destination server address and port for local port forwarding.
|
|
|
|
Only available in tunnel mode.
|
|
.TP
|
|
.B \-d \fIaddr\fP
|
|
Setup name servers for internal DNS resolver (libudns). The default server is
|
|
fetched from /etc/resolv.conf.
|
|
|
|
Only available in server and manager mode.
|
|
.TP
|
|
.B \--fast-open
|
|
Enable TCP fast open.
|
|
|
|
Not available in redir nor tunnel mode, with Linux kernel > 3.7.0.
|
|
.TP
|
|
.B \--acl \fIacl_config\fP
|
|
Enable ACL (Access Control List) and specify config file.
|
|
|
|
Not available in redir nor tunnel mode.
|
|
.TP
|
|
.B \--manager-address \fIpath_to_unix_domain\fP
|
|
Specify UNIX domain socket address.
|
|
|
|
Only available in server and manager mode.
|
|
.TP
|
|
.B \--executable \fIpath_to_server_executable\fP
|
|
Specify the executable path of ss-server.
|
|
|
|
Only available in manager mode.
|
|
.TP
|
|
.B \-v
|
|
Enable verbose mode.
|
|
.TP
|
|
.B \-h, --help
|
|
Print help message.
|
|
|
|
.SH EXAMPLE
|
|
\*(Re requires netfilter's NAT function. Here is an example:
|
|
|
|
.nf
|
|
# Create new chain
|
|
root@Wrt:~# iptables -t nat -N SHADOWSOCKS
|
|
root@Wrt:~# iptables -t mangle -N SHADOWSOCKS
|
|
|
|
# Ignore your shadowsocks server's addresses
|
|
# It's very IMPORTANT, just be careful.
|
|
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN
|
|
|
|
# Ignore LANs and any other addresses you'd like to bypass the proxy
|
|
# See Wikipedia and RFC5735 for full list of reserved networks.
|
|
# See ashi009/bestroutetb for a highly optimized CHN route list.
|
|
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
|
|
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
|
|
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
|
|
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
|
|
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
|
|
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
|
|
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
|
|
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN
|
|
|
|
# Anything else should be redirected to shadowsocks's local port
|
|
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345
|
|
|
|
# Add any UDP rules
|
|
root@Wrt:~# ip rule add fwmark 0x01/0x01 table 100
|
|
root@Wrt:~# ip route add local 0.0.0.0/0 dev lo table 100
|
|
root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01
|
|
|
|
# Apply the rules
|
|
root@Wrt:~# iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS
|
|
root@Wrt:~# iptables -t mangle -A PREROUTING -j SHADOWSOCKS
|
|
|
|
# Start the shadowsocks-redir
|
|
root@Wrt:~# ss-redir -u -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid
|
|
.fi
|
|
|
|
.SH PROTOCOL
|
|
\*(Ma(1) provides several APIs through UDP protocol:
|
|
|
|
.in +4n
|
|
Send UDP commands in the following format to the manager-address provided to
|
|
\*(Ma(1).
|
|
|
|
command: [JSON data]
|
|
|
|
To add a port:
|
|
|
|
add: {"server_port": 8001, "password":"7cd308cc059"}
|
|
|
|
To remove a port:
|
|
|
|
remove: {"server_port": 8001}
|
|
|
|
To receive a pong:
|
|
|
|
ping
|
|
|
|
Then \*(Ma(1) will send back the traffic statistics:
|
|
|
|
stat: {"8001":11370}
|
|
|
|
.SH SEE ALSO
|
|
.BR \*(Lo (1),
|
|
.BR \*(Se (1),
|
|
.BR \*(Tu (1),
|
|
.BR \*(Re (1),
|
|
.BR \*(Ma (1),
|
|
.BR iptables (8),
|
|
/etc/shadowsocks-libev/config.json
|
|
.br
|
|
.SH AUTHOR
|
|
shadowsocks was created by clowwindy <clowwindy42@gmail.com> and
|
|
shadowsocks-libev was maintained by Max Lv <max.c.lv@gmail.com> and Linus Yang
|
|
<laokongzi@gmail.com>.
|
|
.PP
|
|
This manual page was written by Max Lv <max.c.lv@gmail.com>.
|
|
.PP
|
|
The manual pages were rearranged by hosiet <073plan@gmail.com>.
|