How to Setup a Fast Shadowsocks Server on Vultr VPS

05-25

Updated on November 24, 2017

Warning

Setting up your own shadowsocks server can offer very fast speeds compared to a VPN, but there are some disadvantages that you should know about.

Privacy and anonymity. One of the best features of using a good VPN service is that you are using a shared IP address, which makes it very difficult for your internet activities to be traced back to you (assuming your VPN provider doesnt keep activity logs and enough users are sharing the same IP address). However, using a VPS will give you a static IP address that belongs only to you. This makes it very easy for your internet activity to be traced back to you. If you download materials protected by copyright, your VPS provider will likely ban your account after receiving a DCMA notice. Or, if a government agency provides evidence of illegal activity originating from your IP address, you may find yourself in big trouble.
Limited support. With a VPN, all of your traffic is tunneled over the VPN. However, proxies dont work for all types of traffic (Adobe Flash, for example, will bypass all proxies and use your ISP connection directly). Proxies also dont work in all programs, it will only work in programs that have proxy settings or use the system proxy.

The best solution to improve your speed and solve both of the above problems is to tunnel a VPN connection over your shadowsocks proxy.

Why Vultr VPS?

With servers starting from $2.50/month and good routing to China Telecom, Vultr offers a good combination of price and speed. Its also great for beginners because the servers are billed hourly. It will only cost you $0.01 if you destroy your VPS within a few hours.

Vultr is not the fastest VPS available, but its the best value for money if you are using China Telecom. If you want the best speed and are willing to spend more, the best option is to use a server in Hong Kong with China Telecom CN2 routing such as Alibaba Cloud (Aliyun) Hong Kong (tutorial coming soon, which is very similar to this one).

Another option with CN2 routing is Rackspace Hong Kong, but that is even more expensive than Alibaba Cloud (over USD $50/month plus USD $0.20/GB). Rackspace has very good (and very expensive) China bandwidth. If the cost is not a concern for you, I would be very interested to know how a shadowsocks server performs on Rackspace. If anyone has tried a cloud server on Rackspace Hong Kong, please let me know about it in the comments below.

Let me tell you a secret. There is a much cheaper way to get access to Rackspace Hong Kong.

The ExpressVPN Hong Kong 3 is hosted on Rackspace! Just sign up for ExpressVPN and connect to the Hong Kong 3 server. This server is currently blocked during the big meeting in Beijing, but should be back online soon (I hope). In the meantime, ExpressVPNs Hong Kong 1 server is working great and it also has premium China Telecom CN2 routing. My typical ping time is under 20ms and I usually never get under 20Mbps.

Some people use Digital Ocean for shadowsocks, but I found that none of their servers have good latency to China Telecom, although the Singapore location has good latency to China Mobile.

Before we get started, its a good idea to do some network analysis to find the best Vultr server location for our shadowsocks server.

Using the hostnames below, send a ping command to each server to check the latency to your location. Remember to turn off any existing VPN connections, because we want to check the latency between our ISP and the Vultr servers. The locations shown in bold have the best routing to China Telecom.

Tokyo, Japan http://hnd-jp-ping.vultr.com Singapore http://sgp-ping.vultr.com Silicon Valley, California http://sjo-ca-us-ping.vultr.com Los Angeles, California http://lax-ca-us-ping.vultr.com Seattle, Washington http://wa-us-ping.vultr.com Frankfurt, DE http://fra-de-ping.vultr.com Amsterdam, NL http://ams-nl-ping.vultr.com Paris, France http://par-fr-ping.vultr.com London, UK http://lon-gb-ping.vultr.com New York (NJ) http://nj-us-ping.vultr.com Chicago, Illinois http://il-us-ping.vultr.com Atlanta, Georgia http://ga-us-ping.vultr.com Miami, Florida http://fl-us-ping.vultr.com Dallas, Texas http://tx-us-ping.vultr.com Sydney, Australia http://syd-au-ping.vultr.com

If you are using Windows, you can download my Vultr ping script to automatically ping all of Vultr servers.

I have identified 4 servers that have a decent ping time to my China Telecom connection.

Tokyo

Singapore

Silicon Valley

Los Angeles

Now, I will analyze these servers using WinMTR to monitor the latency and packet loss over the next hour. You can skip this step, its not strictly required, but I recommend doing it.

Look at the packet loss and average ping time for each server and choose the best one, or choose a few of them.

I am going deploy 2 servers because Vultr allows you to deploy a maximum of 2 instances of the $2.50/mo instance. Additional instances must be on the $5/mo or higher plans.

I am going try a Tokyo server (14% packet loss, 122ms average ping) and a Los Angeles server (1% packet loss, 179ms average ping).

To avoid confusion, I will just show the instructions for setting up 1 of the servers, although I am actually doing both at the same time.

Lets get started.

The first step is to go to Vultr and create an account if you dont already have one. You will need to fund your account with a minimum $5 deposit using PayPal or verify a valid credit card.

When I first signed up, I used my Chinese credit card and I was asked to verify my identity by sending them a copy of my passport and the credit card I used. I suspect that they asked for this because I was connected to a VPN when I added my credit card and the IP address did not match the country of my credit card. I recommend using a PayPal account to avoid this hassle.

Once your account is funded/verified then you can deploy a new instance (VPS).

Choose your location.

Choose the server type (OS). For this tutorial, I am using Ubuntu 14.04 x64.

Choose the server size, the smallest one for $2.50/month ($0.004/hr) with 20GB storage, 512MB memory, and 500GB data, is all you need for a personal shadowsocks server.

Leave everything else as default until section 7, do not enable IPv6. Now enter a hostname, you can put anything. I entered http://tokyo.com for my hostname. As we are not using our VPS to host a website, it doesnt matter what you put here. You can also leave it blank with Vultr but some other VPS providers will require you to enter something here.

Press Deploy Now to deploy the VPS.

Wait until your VPS is finished installing and the status changes to "Running". Then, click on the server to open the server details.

We will need the IP address and password to log into our server by SSH.

The first thing I do after deploying a new VPS is look up the IP address in a geo-location database to see if it shows the correct location. Many Vultr Asian servers are incorrectly geo-located in the USA. If the IP address is not showing the correct location, then I will just destroy the instance and deploy a new one (remember, it only costs $0.01 if you destroy an instance within the first few hours).

Using a shadowsocks server with an IP address with the wrong geo-location can be annoying. You will need to manually choose the correct server when doing a speed test, Google will think you are in the wrong country, etc.

After looking up the IP address, I can see that it is correctly listed as Tokyo.

Ok, time to connect to our server using SSH. If you are using Mac, you can use the Terminal program to start an SSH session with your server.

Open Terminal and enter the following command (Mac users only):

ssh server -p 22 -l root

replace "server" with the IP address of your server. For example, using my server in this tutorial, you would enter the following.

ssh 45.32.50.230 -p 22 -l root

I am using Windows, so I have downloaded Putty.

If you are using Putty for Windows, enter the IP address of your Vultr server and press open to connect to it. Leave all of the settings as default. You can save the session so you dont need to enter the IP address next time, I saved the settings as "Vultr Tokyo".

Accept the security warning and then login as root and enter the password from the Vultr server management page.

Tip - To paste text from the clipboard using Putty, simply press the right mouse button once and whatever is in the clipboard will get pasted. When typing or pasting your password, you wont see anything on the screen. Just press enter after you have typed it or pasted it by single clicking the right mouse button.

Now we are logged in, your screen should look like this.

Update and upgrade the machine by entering the command below.

sudo apt-get update && sudo apt-get upgrade -y

Any time that you see highlighted text, enter it as a command. I will only show the screenshot for the first command, shown below.

After you enter the command, press enter to execute it.

When executing this first commend, you may get a message that says something like this:

"A new version of configuration file /etc/default/grub is available, but the version installed currently has been locally modified. What do you want to do about modified configuration file grub?"

You can just press enter to keep the default option of using the current one.

Now, lets install shadowsocks on the server. There are many different versions of shadowsocks and many different ways to install them. I am going to install ShadowsocksR (SSR) using an installation script from GitHub user teddysun.

Teddysun has made some great scripts that make it very easy to install different versions of shadowsocks. If you want to support his work, you can send him a donation on Alipay or Wechat here.

Enter the following 3 commands to download the run the SSR installation script.

wget --no-check-certificate https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocksR.sh

Note - The above command is shown on 2 lines because its too long. Make sure you copy the full command starting with wget and ending with shadowsocksR.sh

chmod +x shadowsocksR.sh

./shadowsocksR.sh 2>&1 | tee shadowsocksR.log

Enter the parameters that you want to use for your server. Here is what I am using for this tutorial. You change these settings later if you want.

Password: testing

Port: 443

cipher: chacha20

protocol: origin

obfs: http_simple_compatible

After you enter all of the settings, press any key to start the installation. It will take about 5 minutes.

If you want to make any changes to the configuration, enter the command below to edit the server config file.

nano /etc/shadowsocks.json

Press Ctrl + X to exit. When asked to save the modified buffer, press the y key once and then press enter to keep the same file name.

Every time you make changes to this file, you need to restart shadowsocks so the changes will take effect. Restart shadowsocks using the command below (if you have changed the config file).

/etc/init.d/shadowsocks restart

The server is already running, you can download a shadowsocks client and try it now.

The standard Shadowsocks (SS) client is no longer stable in China. I recommend using the ShadowsocksR (SSR) client if you are in China

SSR Clients (recommended for China)

ShadowsocksR for Windows

ShadowsocksR for Android

ShadowsocksR for Mac

iOS Potatso Lite (FREE)

iOS Shadowrocket ($2.99)

Original SS Clients (NOT recommended for China)

Shadowsocks for Windows (not recommended for China)

Shadowsocks for Android (not recommended for China)

Shadowsocks for Mac

Note for iOS Users

Apple has removed all VPN and Shadowsocks apps from the China version of the app store. If your iTunes account is registered with a Chinese address, you need to create a new iTunes account with a USA addressto download these apps.

Shadowsocks vs ShadowsocksR (SSR)

The original version is called Shadowsocks (SS). ShadowsocksR (SSR) is a newer version that supports obfuscation, which can make your shadowsocks traffic look more like regular https web traffic. This can prevent your speed from getting throttled by your network or ISP.

The server that we just made is compatible with both SS and SSR clients (if you chose the same parameters as me when creating your server).

All of the clients are a little bit different, but basically you need to enter the following settings (assuming you chose the same options as me).

Server - The IP address of your server

Port - 443

Password - whatever you specified

Encryption - chacha20

Protocol - origin (this option is only available for SSR clients)

Obfs - http_simple for obfuscation or plain for no obfuscation (this option is only available in SSR clients)

If there are any other options, leave them as default. Do not enable onetime authentication.

The android app has a nice feature called "per app proxy", which you can use to bypass the proxy for certain apps (useful for Wechat and other Chinese apps).

You need to be careful with these settings. If you dont get it exactly right, then it will seem like the proxy is connected, but you wont have any connection to the internet. Unlike a VPN, you cannot easily tell if the proxy is actually connected successfully or not.

Here are my settings using the SSR Windows client.

The way that you enable the system proxy will depend on the version of the client you are using.

Using the SSR Windows client:

Enable the proxy by choosing Mode --> Global or Mode --> PAC. Disable the proxy by choosing Mode --> disable system proxy.

If you are using the original SS client:

Enable or disable the system proxy by toggling the option Enable system proxy. The mode (PAC or Global) has its own setting under Mode --> Global or Mode --> PAC.

TIP - Make sure you remember to disable the system proxy before you exit the client or shut down your computer. Otherwise, you will find that you have no internet at all. To solve this problem, just open the shadowsocks client and disable the system proxy.

Global vs PAC Mode

Global will route all domains through the proxy, while PAC will only use the proxy for a specific list of blocked websites such as Google, Facebook, etc and use your ISP connection for everything else. Not every blocked website is part of this PAC list. And even foreign websites that are not blocked are very slow if not using a proxy or VPN.

For this reason, I recommend using the Global mode. Its easy enough to enable/disable that you can conveniently switch it off if you need to access some Chinese websites.

Once you have enabled the system proxy using the client, most browsers and applications should work by default. Chrome and IE, for example, will use the system proxy settings (unless you have an extension installed that is controlling the proxy settings). Other browsers or programs, such as Firefox, need to be set manually to use the system proxy or use a SOCKS5 proxy on server 127.0.0.1 port 1080. The proxy settings can usually be found in the advanced settings for most applications.

Proxies will not work for all programs and all types of web traffic. Sometimes you need to use a VPN for certain things. It is also possible to tunnel a VPN connection over shadowsocks for better VPN performance. Or, just use a VPN directly with one of the top recommended VPN servers for your ISP.

Lets check the performance of my Tokyo and Los Angeles servers.

Both servers are working but the speed is not great.

When testing the speed of shadowsocks, you must remember use an html5 speed test such as beta.speedtest.net because all proxies will bypass Adobe Flash and you will only test your connection without the proxy if you use speedtest.net or other Flash based speed tests.

Now will will optimize the server for high speed.

Install Google BBR and Optimize the Server

Google BBR is a TCP congestion control algorithm that can give a huge speed boost on networks with high packet loss (basically all of the networks in/out of China).

Install Google BBR using the commands below (another teddysun script).

wget --no-check-certificate https://github.com/teddysun/across/raw/master/bbr.sh

chmod +x bbr.sh

./bbr.sh The script will change the kernel and will require a reboot. Say yes when asked to reboot the server. You will lose your SSH connection and will need to open another instance of Putty to re-connect after the reboot.

After you have logged back into your server, enter the following command.

lsmod | grep bbr

Next, we need to change the kernel configuration settings.

nano /etc/sysctl.conf

Add the following lines at the bottom of the file after the net.ipv4.tcp_congestion_control = bbr line.

fs.file-max = 51200

net.core.rmem_max = 67108864

net.core.wmem_max = 67108864

net.core.netdev_max_backlog = 250000

net.core.somaxconn = 4096

net.ipv4.tcp_syncookies = 1

net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_tw_recycle = 0

net.ipv4.tcp_fin_timeout = 30

net.ipv4.tcp_keepalive_time = 1200

net.ipv4.ip_local_port_range = 10000 65000

net.ipv4.tcp_max_syn_backlog = 8192

net.ipv4.tcp_max_tw_buckets = 5000

net.ipv4.tcp_fastopen = 3

net.ipv4.tcp_mem = 25600 51200 102400

net.ipv4.tcp_rmem = 4096 87380 67108864

net.ipv4.tcp_wmem = 4096 65536 67108864

net.ipv4.tcp_mtu_probing = 1

Press Ctrl + X to exit and then press Y to save the file, and press enter to keep the same file name.

Apply the new settings by entering the command below.

sysctl -p Lets make a few more optimisations.

nano /etc/security/limits.conf

Add these lines to the bottom of the file, include the * symbol.

* soft nofile 51200

* hard nofile 51200

Press Ctrl + X to exit and then press Y to save the file, and press enter to keep the same file name.

Next, enter this command.

nano /etc/pam.d/common-session

Add the following line at the end of the file.

session required pam_limits.so

Press Ctrl + X to exit and then press Y to save the file, and press enter to keep the same file name.

nano /etc/profile

Add the following line at the end of the file.

ulimit -n 51200

Finally, type the command below.

ulimit -n 51200

Restart the shadowsocks server again.

/etc/init.d/shadowsocks restart

The optimizations are finished!

I can see a big improvement in the speeds after the optimizations.

The speed is between 10 times and 25 times faster now!

The speed test was done at 11pm, the speed will be even faster during non-peak hours.

Speed test the following morning...

Bonus Section - Advanced Customization

How to open more ports and share your server with friends

Warning! Make sure you only share your server with friends or people who you trust because you will be responsible for any illegal activities originating from the IP address of your server.

The easiest way to share you server is to simply tell your friends the port number and password of your server. Everyone can use port 443 with the same password, there is no limit to how many simultaneous connections can be made.

However, if you want to give each user their own unique port number and password, you can edit the shadowsocks.json file.

nano /etc/shadowsocks.json

Delete all of the contents of the file and then paste the contents below (using your own combination of port numbers and passwords that you wish to use).

{

"server":"0.0.0.0",

"server_ipv6":"::",

"port_password": {

"443": "password1",

"1194": "password2",

"8000": "password3",
"8383": "password4",
"8384": "password5",
"3000": "password6",
"3001": "password7",
"3002": "password8",
"3003": "password9",
"3004": "password10",
"3005": "password11",
"3006": "password12",
"3007": "password13",
"3008": "password14",
"3009": "password15",
"3010": "password16"
},

"local_address":"127.0.0.1",

"local_port":1080,

"timeout":120,

"method":"chacha20",

"protocol":"origin",

"protocol_param":"",

"obfs":"http_simple_compatible",

"obfs_param":"",

"redirect":"",

"dns_ipv6":false,

"fast_open":true,

"workers":1

}

The above configuration is just an example, you can use whatever ports and passwords you want.

Dont forget to restart shadowsocks after you make changes to the config file.

/etc/init.d/shadowsocks restart

How to limit data per user/port

There is probably a much better way to do this, but this is the method I found.

This is a quick and easy way to get this job done but it has a major flaw. If your VPS is rebooted, then the data counters will be cleared. Theoretically, there should be some way to save the byte counters and restore them after a reboot. Or, there is probably is a better way to do it altogether, but I dont know any such method so I will just show you what I know.

If you know of a better way to do this then get in touch with me by email and let me know your method so I can update this page.

In this example, I will add firewall rules to limit the data transferred on each port. I will add a data limit of 50GB for port 443 and 10GB for each of the other ports I have set up.

Enter the following commands (using the port numbers which you have configured with the data limit in bytes that you want to set).

sudo iptables -I OUTPUT -p tcp --sport 443 -j DROP

sudo iptables -I OUTPUT -p tcp --sport 443 -m quota --quota 50000000000 -j ACCEPT

sudo iptables -I OUTPUT -p tcp --sport 1194 -j DROP

sudo iptables -I OUTPUT -p tcp --sport 1194 -m quota --quota 10000000000 -j ACCEPT

sudo iptables -I OUTPUT -p tcp --sport 8000 -j DROP

sudo iptables -I OUTPUT -p tcp --sport 8000 -m quota --quota 10000000000 -j ACCEPT

sudo iptables -I OUTPUT -p tcp --sport 8383 -j DROP

sudo iptables -I OUTPUT -p tcp --sport 8383 -m quota --quota 10000000000 -j ACCEPT

sudo iptables -I OUTPUT -p tcp --sport 8384 -j DROP

sudo iptables -I OUTPUT -p tcp --sport 8384 -m quota --quota 10000000000 -j ACCEPT

sudo iptables -I OUTPUT -p tcp --sport 3000 -j DROP

sudo iptables -I OUTPUT -p tcp --sport 3000 -m quota --quota 10000000000 -j ACCEPT

sudo iptables -I OUTPUT -p tcp --sport 3001 -j DROP

sudo iptables -I OUTPUT -p tcp --sport 3001 -m quota --quota 10000000000 -j ACCEPT

sudo iptables -I OUTPUT -p tcp --sport 3002 -j DROP

sudo iptables -I OUTPUT -p tcp --sport 3002 -m quota --quota 10000000000 -j ACCEPT

sudo iptables -I OUTPUT -p tcp --sport 3003 -j DROP

sudo iptables -I OUTPUT -p tcp --sport 3003 -m quota --quota 10000000000 -j ACCEPT

sudo iptables -I OUTPUT -p tcp --sport 3004 -j DROP

sudo iptables -I OUTPUT -p tcp --sport 3004 -m quota --quota 10000000000 -j ACCEPT

sudo iptables -I OUTPUT -p tcp --sport 3005 -j DROP

sudo iptables -I OUTPUT -p tcp --sport 3005 -m quota --quota 10000000000 -j ACCEPT

sudo iptables -I OUTPUT -p tcp --sport 3006 -j DROP

sudo iptables -I OUTPUT -p tcp --sport 3006 -m quota --quota 10000000000 -j ACCEPT

sudo iptables -I OUTPUT -p tcp --sport 3007 -j DROP

sudo iptables -I OUTPUT -p tcp --sport 3007 -m quota --quota 10000000000 -j ACCEPT

sudo iptables -I OUTPUT -p tcp --sport 3008 -j DROP

sudo iptables -I OUTPUT -p tcp --sport 3008 -m quota --quota 10000000000 -j ACCEPT

sudo iptables -I OUTPUT -p tcp --sport 3009 -j DROP

sudo iptables -I OUTPUT -p tcp --sport 3009 -m quota --quota 10000000000 -j ACCEPT

sudo iptables -I OUTPUT -p tcp --sport 3010 -j DROP

sudo iptables -I OUTPUT -p tcp --sport 3010 -m quota --quota 10000000000 -j ACCEPT

To check the firewall rules and how much data has been used by each user/port, enter this command.

Note - Adjust the width of the Putty or terminal window before entering this command because the default width is not enough to show the output correctly.

sudo iptables -nvL -t filter --line-numbers

Use the scrollbar on the right of the Putty windows to scroll up and see the OUTPUT chain.

In this example, I have added 32 new firewall rules to the top of the OUTPUT chain. The output of the OUTPUT chain of the above command should look like this (2 rules for each port).

Make note of the first column (chain number) for each line. The chain number will be used in some of the commands below.

As you can see, I have used 24MB of data on port 3000 and 56MB of data on port 443 since adding these firewall rules. Once the quota has been used up (50GB for port 443, 10GB for all other ports in my example) for a specific port, then the proxy will stop working for the user/users of that port (until you reset the counter or reboot the server).

To clear the data counters for all users/ports, enter this command.

sudo iptables -Z OUTPUT

To clear the counter for a specific user, enter this command.

sudo iptables -Z OUTPUT #chain number

#chain number = The number shown first column when you use the "sudo iptables -nvL -t filter --line-numbers" command shown above.

For example, to clear the byte counter for port 443, this is the command.

sudo iptables -Z OUTPUT 31

Now the data counter for port 443 has been reset to 0.

To delete the firewall rules for a specific port, first note the 2 chain numbers related to port you want to delete. For example, to remove the data limit for port 3000, we need to delete chain numbers 21-22.

sudo iptables -D OUTPUT 21

Note - The above commands are not a mistake, you enter the same command twice. After you delete chain #21 then all of the chains below it will shift up. Chain #22 becomes chain #21, #23 becomes #22, so on and so fourth.

To make these firewall rules persistent after a reboot, use the following commands.

Note - The data counters will still be reset to zero after a reboot, only the rules themselves will be persistent.

sudo apt-get install iptables-persistent

sudo invoke-rc.d iptables-persistent save

This is the end of the bonus section for now. Maybe it will be updated to include more later on...

If you liked this tutorial, please share it using the buttons below!