This will be a general overview of what shadowsocks proxy is, who it is for and how to install and configure it. This is not a super detailed play-by play as everyone’s system will be slightly different and you will likely need to troubleshoot here and there. As a disclaimer – I am not an expert in any of this, and all of the following is the result of many hours of googling around and troubleshooting, so potentially to be take the following info with a dollop of salt.

What is shadowsocks and who is it for?

Shadowsocks is a secure split proxy based on SOCKS5. SOCKS5 is not quite as comprehensive as a VPN as it does not encrypt all traffic, but Shadowsocks is generally faster as the encryption is focused on speed, rather than complete security.

Brief detour into SOCKS5 lore

SOCKS5 (Socket Secure version 5) is a network protocol that facilitates the routing of network traffic between a client and a server through a proxy server. It operates at the session layer (Layer 5) of the OSI model and is generally used to bypass internet restrictions, protect privacy, and anonymise traffic.

Who is it for?

Shadowsocks might be useful for:

• those who want to save money on a VPN and/or do not want to rely on one
• those who want to bypass georestrictions
• those who want greater privacy and anonymity on the internet
• the generally curious do-it-yourself types

How to install, run and troubleshoot Shadowsocks:

Step one – buy a VPS server. It doesn’t need to be super powerful, 1 GB RAM is enough. I used aeza.net, who are pretty cheap and have a nifty telegram bot to keep track of your servers, but you can use whatever company strikes your fancy.

I chose Ubuntu 22.04 as my OS, but this depends on your preference.

Pay for your server and wait to receive your login details and password to your email.

Once your server is up and running here is what you need to do server-side:

• install shadowsocks-libev.
• configure server settings with a config.json file to define the server IP, ports and encryption method. For example you can use something like this:

{
"server": "your_server_ip",
"server_port": 8388,
"local_address": "127.0.0.1",
"local_port": 1080,
"password": "your_password",
"timeout": 300,
"method": "aes-256-gcm"
}

• once everything is configured you can run your server:

sudo systemctl start shadowsocks-libev

for me all of this was painless and fast.

Now to the client-side settings. Here is where I had some issues because I was using an unstable Debian build. For most people this stage should be totally fine too.

• install shadowsocks-libev. I did so via a snap package.

sudo systemctl start shadowsocks-libev

• my client-side config looked something like this:

{
"server": "your_server_ip",
"server_port": 8388,
"local_address": "127.0.0.1",
"local_port": 1080,
"password": "your_password",
"timeout": 300,
"method": "aes-256-gcm"
}

• and to run the client and connect to the server:

snap run shadowsocks-libev.ss-local -c /path/to/your/config.json

• I also created a systemd service to run the shadowsocks client on boot:

sudo nano /etc/systemd/system/shadowsocks-client.service

and an example of the service file:

[Unit]
Description=Shadowsocks Client Service
After=network.target
[Service]
ExecStart=/usr/bin/snap run shadowsocks-libev.ss-local -c /home/youruser/snap/shadowsocks-libev/common/config.json
Restart=always
User=root
[Install]
WantedBy=multi-user.target

• after all that we enable the systemd service and hope for the best 😀

sudo systemctl enable shadowsocks-client.service
sudo systemctl start shadowsocks-client.service

No, of course we don’t just hope – we check to make sure our service is up and running and here is how:

• using netstat to make sure that the local port is listening:

netstat -tuln | grep 1080

• confirm the Shadowsocks client is running with system to status:

sudo systemctl status shadowsocks-client.service

• as I said I had issues with AppArmor. There was an error which restricted the Shadowsocks client’s ability to access files, so I used the following commands:
  bc. sudo systemctl enable snapd.apparmor.service
  sudo systemctl start snapd.apparmor.service

*originally my client-side config.json was placed in a /home/user/location/ or somewhere like that, and AppArmor was restricting shadowsocks(ss-local process) from accessing the file. Here is the approximate kind of error I received:

AppArmor="DENIED" operation="open" class="file" profile="snap.shadowsocks-libev.ss-local" 
name="/home/user/Desktop/shadowsocks-libev/debian/config.json" pid=432819 comm="ss-local" 
requested_mask="r" denied_mask="r”

I moved config.json to my snap-specific directory:

/home/sasha/snap/shadowsocks-libev/common/

Since this directory is within the allowed paths that AppArmor grants access to, Shadowsocks was able to finally read it correctly without encountering AppArmor restrictions.

• I also needed to use journalctl to troubleshoot, as I was having issues understanding what exactly my apparmor permissions issue was all about. This is a helpful “last resort” if you can’t figure something out.

sudo journalctl -xe

*when my client was failing to connect i also used this command to check status

sudo systemctl status shadowsocks-client.service

My issues in a nutshell:

*AppArmor Denied Access: I resolved this by enabling the AppArmor service and moving the config file to an accessible location.
*Failed to Start Service: I reviewed logs with journalctl, which helped identify the cause (usually dodgy permissions settings or incorrect paths).

While setting up my shadowsocks server I also found this very helpful blogpost
, some great info there, a bit more to the point, a bit less rambly than my one hah.
Next step for me is figuring out how to configure fake DNS, as my IP is being cloaked successfully, but my DNS shows up as being geographically different, which trips some websites’ security protocols.

‘till then!