How To Use ShadowsocksR To Bypass The Chinese Firewall

Shadowsocks is open-source software that hides or obfuscates internet connections.

It is widely used in mainland China to circumvent Internet censorship. It was created in 2012 by a Chinese programmer named “clowwindy”; multiple protocol implementations have been made available since.

You can also consult VPN.AC, a company that specializes in obfuscating connections in China.

Recently, the Great Firewall has started to block Shadowsocks servers in the same way that it blocks VPN servers. It is still possible to use Shadowsocks in China, but you may have to rebuild your server with a new IP address if it gets blocked.

The latest recommendation is to use ShadowsocksR (SSR) with obfuscation following the guide posted below. Although ShadowsocksR can still be blocked, it is less likely to be detected.

A List Of ShadowsocksR Apps

How To Set Up ShadowsocksR on a VPS

Step 1. Get a VPS from Vultr.com.

  • Rent a VPS from Vultr
  • You need bitcoin, a credit card, Paypal, Alipay, UnionPay or WeChat Pay
  • Go to “Servers”, click on the “+” and deploy a new instance
  • Select these options:
  • Server: Tokyo
  • Server Type: Debian 7 x64
  • Package: $2.50 (The cheapest, comes with 500GB traffic)
  • Additional Features: Enable IPv6

Step 2. Install ShadowsocksR

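Log in to your server using PuTTY or any other SSH client and run the commands below. The --no-check-certificate flag turns off TLS certificate verification for the download, so read shadowsocks-all.sh before you run it.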

wget --no-check-certificate https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocks-all.sh

chmod +x shadowsocks-all.sh

./shadowsocks-all.sh 2>&1 | tee shadowsocks-all.log

The install script will do everything for you. Choose option 2 (ShadowsocksR), then choose a password and port (any port will do). Press Enter and wait for it to complete.

After it is done, it will display the config.

Congratulations, ShadowsocksR server install completed!

Your Server IP : 0.0.0.0

Your Server Port : 8989

Your Password : password

Your Encryption Method: aes-256-cfb

Protocol : origin

obfs : plain

Step 3. Edit the config

vi /etc/shadowsocks-r/config.json

Press “i” to edit the file. Move the cursor around to change text. Change "protocol": "origin", to "protocol": "auth_sha1_v4", and "obfs": "plain", to "obfs": "tls1.2_ticket_auth",

Press “esc” then type “:wq!” to save the file and go back

Restart shadowsocksr with

/etc/init.d/shadowsocks-r restart
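The Step 3 edit can also be applied without vi. The following is an added example, not part of the original guide or of the ShadowsocksR project: it parses config.json, switches the installer defaults to the Step 3 values, and notes short passwords. It assumes Python 3 on the server, the single-user keys "server_port" and "password", and a 12-character threshold chosen for illustration; the restart command above is still needed afterwards.

```python
import json, os, shutil, tempfile

# Step 3 values from this guide; DEFAULTS are what the installer printed.
STEP3 = {"protocol": "auth_sha1_v4", "obfs": "tls1.2_ticket_auth"}
DEFAULTS = {"protocol": "origin", "obfs": "plain"}
MIN_PASSWORD_LEN = 12  # assumption: threshold chosen for this example

def harden(config_text):
    """Apply the Step 3 edit to config.json text; return (new_text, notes)."""
    cfg = json.loads(config_text)  # ValueError here means the file is not valid JSON
    notes = []
    for key, wanted in STEP3.items():
        current = cfg.get(key)
        if current in (None, DEFAULTS[key]):
            cfg[key] = wanted
            notes.append(f"{key}: {current!r} -> {wanted!r}")
        elif current != wanted:
            notes.append(f"{key}: left as {current!r} (not the Step 3 value)")
    # Assumed layout: single-user configs use "password", multi-user "port_password".
    secrets = dict(cfg.get("port_password", {}))
    if "password" in cfg:
        secrets[str(cfg.get("server_port", "?"))] = cfg["password"]
    for port, pw in sorted(secrets.items()):
        if len(pw) < MIN_PASSWORD_LEN:
            notes.append(f"port {port}: password shorter than {MIN_PASSWORD_LEN} characters")
    return json.dumps(cfg, indent=4) + "\n", notes

def harden_file(path):
    """Rewrite path in place, keeping a .bak copy; a parse error leaves it untouched."""
    with open(path) as fh:
        new_text, notes = harden(fh.read())
    shutil.copy2(path, path + ".bak")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(new_text)
    os.replace(tmp, path)  # atomic swap, so the server never reads a half-written file
    return notes

# Constructed sample matching the installer output shown above.
SAMPLE = '''{"server": "0.0.0.0", "server_port": 8989, "password": "password",
 "method": "aes-256-cfb", "protocol": "origin", "obfs": "plain"}'''

if __name__ == "__main__":
    text, notes = harden(SAMPLE)
    print(text, *notes, sep="\n")
```

On the server, call harden_file("/etc/shadowsocks-r/config.json") as root; a config pasted with curly quotes fails at json.loads and is not rewritten.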

Step 4. Download the Client

Run it, enter your server IP, port and password, and set the protocol and obfs to the values from Step 3. Done.

Step 5. Protect your SSH access from brute-force attacks

The simplest way to do that is with iptables:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

This will block IP addresses that try to log in more than 3 times per minute. It only affects “NEW” connections, so properly authenticated ssh sessions will not get blocked.

Other Rumors

Is Shadowsocks currently banned? Here is what a user in China reports:

The government seems to be trying to intercept but apparently still needs to work hard. They tried to discover these hidden services by using social engineering, traffic detection and analysis, and port proactive detection. However, some service providers of Shadowsocks are also trying to counter these bans. The Shadowsocks protocol is still being maintained, and the protocol is missing a clear communication magic word to be discovered.

Ding Yufeng

This guide is similar to the setup listed in the article above but has a few differences:

https://www.tipsforchina.com/how-to-setup-a-fast-shadowsocks-server-on-vultr-vps-the-easy-way.html

Keep in mind BBR doesn’t work with OpenVZ. It works for KVM, I believe. Vultr should be fine since the guide uses Vultr as well.

Let me know if that guide isn’t enough.

For KCP, if you’re familiar with SS/SSR, then it’s basically the same thing.

https://github.com/xtaci/kcptun

Basically, instead of going direct SS (client) to SS (server), you go SS (client) -> Kcp (client) -> Kcp (server) -> SS (server).

The git page has enough basics. If you have problems with that, you may need to spend some time familiarizing yourself with the Linux command line and the vi or vim editor.


5 thoughts on “How To Use ShadowsocksR To Bypass The Chinese Firewall”

  1. Warning: DO NOT use HDsocks.

    They are Chinese Scammers.

    I paid for a 1 year subscription and got a bunch of servers that I couldn’t connect to. They used to be OK but they are now evidently just taking people’s money and shafting them.

    They are not responding to support tickets, emails or via QQ.

    AVOID HDsocks at all cost or you will be scammed as well. Use another provider (eg I’m currently using Wannaflix)

  2. Hello there! I’ve installed shadowsocksR successfully and made little changes. Here they are:
    {
    "server": "0.0.0.0",
    "local_address": "127.0.0.1",
    "local_port": 1080,
    "port_password":{
    "110":"Me$e1edal",
    "143":"G@@gle",
    "443":"G@njirug",
    "465":"passw0rd!",
    "563":"40-Emjek?",
    "587":"Lashgabat2@18",
    "631":"Ke11esine!",
    "993":"Bereke!La?",
    "994":"B!9rek",
    "995":"ASU_1990!",
    "1241":"P@$$w0rd",
    "9090":"P0lis@n2018"
    },
    "timeout":120,
    "method":"chacha20-ietf",
    "protocol":"auth_sha1_v4_compatible",
    "protocol_param":"",
    "obfs":"tls1.2_ticket_auth_compatible",
    "obfs_param":"",
    "redirect":"",
    "dns_ipv6":false,
    "fast_open":true,
    "workers":1
    }

    Each port is for one user. I have a question: how can I restrict users from using one port on two or more devices? So that when they share the SSR config (in the app we can share), both devices couldn't use it.
