Install shadowsocks-libev with simple-obfs on Raspberrypi Buster

Page content

Introduction

Shadowsocks-libev is a lightweight secured SOCKS5 proxy for embedded devices and low-end boxes.

Shadowsocks-libev can run on OpenWRT routers, raspberrypi.

Simple-obfs is a simple obfuscating tool, designed as plugin server of shadowsocks. It can pretend your shadowsocks traffic as http traffic and not recognized by firewall.

This article show how to install Shadowsocks-libev and Simple-obfs on raspberrypi buster. It should also apply to all Debian Linux running on Buster.

Install shadowsocks-libev

The easiest way to install shadowsocks-libev is through apt:

$ sudo apt update
$ sudo apt install -y shadowsocks-libev
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libbloom1 libcork16 libcorkipset1 libev4 libmbedcrypto3 libsodium23
Suggested packages:
  haveged kcptun simple-obfs
The following NEW packages will be installed:
  libbloom1 libcork16 libcorkipset1 libev4 libmbedcrypto3 libsodium23 shadowsocks-libev
0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded.
Need to get 564 kB of archives.
After this operation, 1,661 kB of additional disk space will be used.
Get:1 http://mirror.os6.org/raspbian/raspbian buster/main armhf libbloom1 armhf 1.5-5 [6,472 B]
Get:2 http://mirror.os6.org/raspbian/raspbian buster/main armhf libcork16 armhf 0.15.0+ds-12 [31.7 kB]
Get:3 http://mirror.os6.org/raspbian/raspbian buster/main armhf libcorkipset1 armhf 1.1.1+20150311-8 [13.3 kB]
Get:4 http://mirror.os6.org/raspbian/raspbian buster/main armhf libev4 armhf 1:4.25-1 [34.5 kB]
Get:5 http://mirror.os6.org/raspbian/raspbian buster/main armhf libmbedcrypto3 armhf 2.16.0-1 [186 kB]
Get:6 http://mirror.os6.org/raspbian/raspbian buster/main armhf libsodium23 armhf 1.0.17-1 [139 kB]
Get:7 http://mirror.os6.org/raspbian/raspbian buster/main armhf shadowsocks-libev armhf 3.2.5+ds-1 [152 kB]

Setting up shadowsocks-libev (3.2.5+ds-1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/shadowsocks-libev.service → /lib/systemd/system/shadowsocks-libev.service.

Install simple-obfs

$ sudo apt-get install --no-install-recommends build-essential autoconf libtool libssl-dev libpcre3-dev libev-dev asciidoc xmlto automake
$ git clone -–depth=1 --shallow-submodules https://github.com/shadowsocks/simple-obfs.git
$ cd simple-obfs
$ git submodule update --init --recursive
$ ./autogen.sh
$ ./configure && make
$ sudo make install
 /bin/mkdir -p '/usr/local/bin'
  /bin/bash ../libtool   --mode=install /usr/bin/install -c obfs-local obfs-server '/usr/local/bin'
 /bin/mkdir -p '/usr/local/share/doc/simple-obfs'
 /usr/bin/install -c -m 644 obfs-local.html obfs-server.html '/usr/local/share/doc/simple-obfs'
 /bin/mkdir -p '/usr/local/share/man/man1'
 /usr/bin/install -c -m 644 obfs-local.1 obfs-server.1 '/usr/local/share/man/man1'

Enable BBR to improve network performance

BBR is Bottleneck Bandwidth and RTT. BBR congestion control computes the sending rate based on the delivery rate (throughput) estimated from ACKs.

BBR was contributed to Linux kernel 4.9 since 2016 by Google.

Since Buster kernel is already above 4.9:

$ uname -a
Linux lobster 4.19.90-v7+

To enable BBR, add following two lines to /etc/sysctl.conf:

net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

Note:

BBR must be used with the fq qdisc with pacing enabled, since pacing is integral to the BBR design and implementation.

Then reload /etc/sysctl.conf:

$ sudo sysctl -p

Optional: Check the current tcp_congestion_control (You should see bbr in output):

$ sysctl net.ipv4.tcp_congestion_control
net.ipv4.tcp_congestion_control = bbr

More kernel parameters adjustment

Add following lines to /etc/sysctl.conf to improve network throughput:

net.ipv4.ip_forward = 1

fs.file-max = 51200
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1

After change /etc/sysctl.conf, you need reload it:

$ sudo sysctl -p

Config shadowsocks-libev server

The shadowsocks-libev default config file is /etc/shadowsocks-libev/config.json.

Shadowsocks-libev accepts 18 different ciphers:

  • aes-128-gcm, aes-192-gcm, aes-256-gcm # support AEAE
  • chacha20-ietf-poly1305 # support AEAD
  • rc4-md5
  • aes-128-cfb, aes-192-cfb, aes-256-cfb
  • aes-128-ctr, aes-192-ctr, aes-256-ctr
  • bf-cfb, camellia-128-cfb, camellia-192-cfb, camellia-256-cfb
  • salsa20, chacha20 chacha20-ietf.

aes-128-gcm, aes-192-gcm, aes-256-gcm and chacha20-ietf-poly1305 are AEAD (authenticated encryption with associated data) ciphers. In addition to protecting message integrity and confidentiality, AEAD can provide security against chosen ciphertext attack.

Note:

Shadowsocks has known vulnerability on redirect attach without use AEAD ciphers.

AEAD ciphers are recommended for production usage. All the AEAD ciphers list here are security and no known vulnerability.

chacha20-ietf-poly1305 provide the security and balanced performance.

An sample config file:

{
    "server":"0.0.0.0",
    "server_port":9521,
    "local_port":1080,
    "password":"dUS9Sw5QMiMQ<Change it to your password>",
    "timeout":300,
    "method":"chacha20-ietf-poly1305",
    "workers":8,
    "plugin":"obfs-server",
    "plugin_opts": "obfs=tls;obfs-host=www.yahoo.com",
    "fast_open":true,
    "reuse_port":true
}

Start / stop shadowsocks-libev server

Start shadowsocks-libev server:

sudo /etc/init.d/shadowsocks-libev start

Stop shadowsocks-libev server:

sudo /etc/init.d/shadowsocks-libev stop

Check shadowsocks-libev server status:

sudo /etc/init.d/shadowsocks-libev status

Restart shadowsocks-libev server:

sudo /etc/init.d/shadowsocks-libev restart

shadowsocks Clients

To connect to shadowsocks server, I use Outline . Outline is an open source cross platform shadowsocks client app. Outline supports iOS, Android, Windows, Mac, Linux and Chrome.

Download Outline Client app from either the App store or Google Play store. Then use connection access key to connect shadowsocks server. access key starts with ss:// like ss://YmYtY2ZiOnRlc3RAMTkyLjE2OC4xMDAuMTo4ODg4#example-server.

access key is generated from config file, use following tool to generate access key:

https://shadowsocks.org/en/config/quick-guide.html

Or you can generate your access key through javascript by yourself, without expose your key to any 3rd party.

function generateAccesskey(method, password, ip, port) => {
    const firstPart = btoa(`${method.toLowerCase()}:${password}`)
    const secondPart = `${ip}:${port}`
    const accesskey = `ss://${firstPart}@${secondPart}`
    return accesskey
}

// example:
generateAccesskey("chacha20-ietf-poly1305", "<Your password>", "<server ip>", "<server port>")

Download Outline Client:

shadowsocks-libev command line reference

NAME
       shadowsocks-libev - a lightweight and secure socks5 proxy

SYNOPSIS
       ss-local|ss-redir|ss-server|ss-tunnel|ss-manager [-s <server_host>] [-p <server_port>] [-l <local_port>] [-k <password>] [-m
       <encrypt_method>] [-f <pid_file>] [-t <timeout>] [-c <config_file>]

DESCRIPTION
       Shadowsocks-libev is a lightweight and secure socks5 proxy. It is a port of the original shadowsocks created by clowwindy.
       Shadowsocks-libev is written in pure C and takes advantage of libev to achieve both high performance and low resource
       consumption.

       Shadowsocks-libev consists of five components. One is ss-server(1) that runs on a remote server to provide secured tunnel
       service. ss-local(1) and ss-redir(1) are clients on your local machines to proxy traffic(TCP/UDP or both). ss-tunnel(1) is a
       tool for local port forwarding.

       While ss-local(1) works as a standard socks5 proxy, ss-redir(1) works as a transparent proxy and requires netfilter’s NAT
       module. For more information, check out the EXAMPLE section.

       ss-manager(1) is a controller for multi-user management and traffic statistics, using UNIX domain socket to talk with
       ss-server(1). Also, it provides a UNIX domain socket or IP based API for other software. About the details of this API, please
       refer to the PROTOCOL section.

OPTIONS
       -s <server_host>
           Set the server’s hostname or IP.

       -l <local_port>
           Set the local port number.

           Not available in server nor manager mode.

       -k <password>, --password <password>
           Set the password. The server and the client should use the same password.

       --key <key_in_base64>
           Set the key directly. The key should be encoded with URL-safe Base64.

           Not available in manager mode.

       -m <encrypt_method>
           Set the cipher.

           Shadowsocks-libev accepts 18 different ciphers:

           aes-128-gcm, aes-192-gcm, aes-256-gcm, rc4-md5, aes-128-cfb, aes-192-cfb, aes-256-cfb, aes-128-ctr, aes-192-ctr,
           aes-256-ctr, bf-cfb, camellia-128-cfb, camellia-192-cfb, camellia-256-cfb, chacha20-ietf-poly1305, salsa20, chacha20 and
           chacha20-ietf.

           The default cipher is chacha20-ietf-poly1305.

           If built with PolarSSL or custom OpenSSL libraries, some of these ciphers may not work.

       -a <user_name>
           Run as a specific user.

       -f <pid_file>
           Start shadowsocks as a daemon with specific pid file.

       -t <timeout>
           Set the socket timeout in seconds. The default value is 60.

       -c <config_file>
           Use a configuration file.

       -n <number>
           Specify max number of open files.

           Not available in manager mode.

           Only available on Linux.

       -i <interface>
           Send traffic through specific network interface.

           For example, there are three interfaces in your device, which is lo (127.0.0.1), eth0 (192.168.0.1) and eth1 (192.168.0.2).
           Meanwhile, you configure shadowsocks-libev to listen on 0.0.0.0:8388 and bind to eth1. That results the traffic go out
           through eth1, but not lo nor eth0. This option is useful to control traffic in multi-interface environment.

           Not available in redir mode.

       -b <local_address>
           Specify local address to bind.

           Not available in server nor manager mode.

       -u
           Enable UDP relay.

           TPROXY is required in redir mode. You may need root permission.

       -U
           Enable UDP relay and disable TCP relay.

           Not available in local mode.

       -L <addr:port>
           Specify destination server address and port for local port forwarding.

           Only available in tunnel mode.

       -d <addr>
           Setup name servers for internal DNS resolver (libc-ares). The default server is fetched from /etc/resolv.conf.

           Only available in server and manager mode.

       --fast-open
           Enable TCP fast open.

           Not available in redir nor tunnel mode, with Linux kernel > 3.7.0.

       --reuse-port
           Enable port reuse.

           Only available with Linux kernel > 3.9.0.

       --no-delay
           Enable TCP_NODELAY.

       --acl <acl_config>
           Enable ACL (Access Control List) and specify config file.

           Not available in redir nor tunnel mode.

       --manager-address <path_to_unix_domain>
           Specify UNIX domain socket address.

           Only available in server and manager mode.

       --executable <path_to_server_executable>
           Specify the executable path of ss-server.

           Only available in manager mode.

       -v
           Enable verbose mode.

       -h|--help
           Print help message.

CONFIG FILE
       The config file is written in JSON and easy to edit.

       The config file equivalent of command line options is listed as example below.

       ┌────────────────────────────────────┬──────────────────────────────────────┐
       │Command line                        │ JSON                                 │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │-s some.server.net                  │ "server": "some.server.net"          │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │-s some.server.net -p 1234 (client) │ "server": "some.server.net:1234"     │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │-p 1234                             │ "server_port": "1234"                │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │-b 0.0.0.0                          │ "local_address": "0.0.0.0"           │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │-l 4321                             │ "local_port": "4321"                 │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │-k "PasSworD"                       │ "password": "PasSworD"               │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │-m "aes-256-cfb"                    │ "method": "aes-256-cfb"              │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │-t 60                               │ "timeout": 60                        │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │-a nobody                           │ "user": "nobody"                     │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │--acl "/path/to/acl"                │ "acl": "/path/to/acl"                │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │--fast-open                         │ "fast_open": true                    │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │--reuse-port                        │ "reuse_port": true                   │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │--no-delay                          │ "no_delay": true                     │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │--plugin "obfs-server"              │ "plugin": "obfs-server"              │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │--plugin-opts "obfs=http"           │ "plugin_opts": "obfs=http"           │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │-6                                  │ "ipv6_first": true                   │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │-n "/etc/nofile"                    │ "nofile": "/etc/nofile"              │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │-d "8.8.8.8"                        │ "nameserver": "8.8.8.8"              │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │-L "somedns.net:53"                 │ "tunnel_address": "somedns.net:53"   │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │-u                                  │ "mode": "tcp_and_udp"                │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │-U                                  │ "mode": "udp_only"                   │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │no "-u" nor "-U" options (default)  │ "mode": "tcp_only"                   │
       ├────────────────────────────────────┼──────────────────────────────────────┤
       │                                    │                                      │
       │(only in ss-manager’s config)       │ "port_password": {"1234":"PasSworD"} │
       └────────────────────────────────────┴──────────────────────────────────────┘

EXAMPLE
       ss-redir requires netfilter’s NAT function. Here is an example:

           # Create new chain
           iptables -t nat -N SHADOWSOCKS
           iptables -t mangle -N SHADOWSOCKS

           # Ignore your shadowsocks server's addresses
           # It's very IMPORTANT, just be careful.
           iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN

           # Ignore LANs and any other addresses you'd like to bypass the proxy
           # See Wikipedia and RFC5735 for full list of reserved networks.
           # See ashi009/bestroutetb for a highly optimized CHN route list.
           iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
           iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
           iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
           iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
           iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
           iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
           iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
           iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN

           # Anything else should be redirected to shadowsocks's local port
           iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345

           # Add any UDP rules
           ip rule add fwmark 0x01/0x01 table 100
           ip route add local 0.0.0.0/0 dev lo table 100
           iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01

           # Apply the rules
           iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS
           iptables -t mangle -A PREROUTING -j SHADOWSOCKS

           # Start the shadowsocks-redir
           ss-redir -u -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid

PROTOCOL
       ss-manager(1) provides several APIs through UDP protocol

           Send UDP commands in the following format to the manager-address provided to ss-manager(1):
               command: [JSON data]

           To add a port:
               add: {"server_port": 8001, "password":"7cd308cc059"}

           To remove a port:
               remove: {"server_port": 8001}

           To receive a pong:
               ping

           Then ss-manager(1) will send back the traffic statistics:
               stat: {"8001":11370}

SEE ALSO
       ss-local(1), ss-server(1), ss-tunnel(1), ss-redir(1), ss-manager(1), iptables(8), /etc/shadowsocks-libev/config.json

References