How To Use ShadowsocksR To Bypass The Chinese Firewall

Shadowsocks is open-source software which hides or obfuscates internet connections.

It is widely used in mainland China to circumvent Internet censorship. It was created in 2012 by a Chinese programmer named “clowwindy”, and multiple implementations of the protocol have been made available since.

Recently, the Great Firewall has started to block Shadowsocks servers in the same way that it blocks VPN servers. It is still possible to use Shadowsocks in China, but you may have to rebuild your server with a new IP address if it gets blocked.

The latest recommendation is to use ShadowsocksR (SSR) with obfuscation following the guide pasted below. Although ShadowsocksR can still be blocked, it is less likely to be detected.

A List Of ShadowsocksR Apps

ShadowSocks Providers

These companies apparently provide Shadowsocks services in China: https://shadowtunnelz.com and https://hdsocks.com

How To Set Up ShadowsocksR on a VPS

Step 1. Get a VPS from Vultr.com.

  • Rent a VPS from Vultr
  • You need bitcoin, a credit card, PayPal, Alipay, UnionPay or WeChat Pay
  • Go to “Servers”, click on the “+” and deploy a new instance
  • Select these options:
      • Server: Tokyo
      • Server Type: Debian 7 x64
      • Package: $2.50 (The cheapest, comes with 500GB traffic)
      • Additional Features: Enable IPv6

Step 2. Install ShadowsocksR

Log in to your server using PuTTY or any other SSH client.

wget --no-check-certificate https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocks-all.sh

chmod +x shadowsocks-all.sh

./shadowsocks-all.sh 2>&1 | tee shadowsocks-all.log

The install script will do everything for you. Choose option 2 (ShadowsocksR), then choose a password and port (any port will do). Press enter and wait for it to complete.

After it is done it will display the config.

Congratulations, ShadowsocksR server install completed!

Your Server IP : 0.0.0.0

Your Server Port : 8989

Your Password : password

Your Encryption Method: aes-256-cfb

Protocol : origin

obfs : plain

Step 3. Edit the config

vi /etc/shadowsocks-r/config.json

Press “i” to edit the file. Move the cursor around to change text. Change "protocol": "origin", to "protocol": "auth_sha1_v4", and "obfs": "plain", to "obfs": "tls1.2_ticket_auth",

Press “esc” then type “:wq!” to save the file and go back

Restart shadowsocksr with

/etc/init.d/shadowsocks-r restart
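
A scripted alternative to the vi edit in Step 3, added here as an example and not part of the original guide or the install script: it rejects malformed JSON, keeps a .bak copy and replaces the file atomically. The function name apply_step3 and the SAMPLE config are constructed for illustration, and it assumes it is run as root on the server.

```python
import json
import os
import shutil
import tempfile

# Values from Step 3 of this guide.
WANTED = {"protocol": "auth_sha1_v4", "obfs": "tls1.2_ticket_auth"}
# Constructed sample mirroring the installer output shown in Step 2.
SAMPLE = {"server": "0.0.0.0", "server_port": 8989, "password": "password",
          "method": "aes-256-cfb", "protocol": "origin", "obfs": "plain"}


def apply_step3(path="/etc/shadowsocks-r/config.json"):
    """Set protocol/obfs as in Step 3; return the list of keys that changed."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)  # raises ValueError on malformed JSON

    changed = []
    for key, value in WANTED.items():
        if key not in config:
            raise KeyError(f"{key!r} missing: not an SSR config?")
        if config[key] != value:
            config[key] = value
            changed.append(key)
    if not changed:
        return changed  # already applied; leave the file untouched

    shutil.copy2(path, path + ".bak")  # keep the previous config for rollback
    # Write a temp file in the same directory, then rename it over the original,
    # so an interrupted write never leaves a half-written config for the service.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=4)
            fh.write("\n")
        shutil.copymode(path, tmp)  # mkstemp creates 0600; keep the original mode
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return changed


if __name__ == "__main__":
    demo_dir = tempfile.mkdtemp()
    demo = os.path.join(demo_dir, "config.json")
    with open(demo, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE, fh)
    print(apply_step3(demo), apply_step3(demo))
```

Restart the service afterwards with the command above.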

Step 4. Download the Client

Run it, enter your IP, Port and Password, and change the protocol and obfs to the values set in Step 3. Done.

Step 5. Protect your SSH access from bruteforce attacks

The simplest way to do that is with iptables:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

This will block IP addresses that try to log in more than 3 times per minute. It only affects “NEW” connections, so properly authenticated SSH sessions will not get blocked.

Other Rumors

Is Shadowsocks currently banned? Here is what a user in China reports:

The government seems to be trying to intercept but apparently still needs to work hard. They tried to discover these hidden services by using social engineering, traffic detection and analysis, and proactive port detection. However, some service providers of Shadowsocks are also trying to counter these bans. The Shadowsocks protocol is still being maintained, and the protocol is missing a clear communication magic word to be discovered.

Ding Yufeng

This guide is similar to the set-up listed in the article above, but has a few differences:

https://www.tipsforchina.com/how-to-setup-a-fast-shadowsocks-server-on-vultr-vps-the-easy-way.html

Keep in mind, BBR doesn’t work with OpenVZ. It works for KVM, I believe. Vultr should be fine since the guide uses Vultr as well.

Let me know if that guide isn’t enough.

For KCP, if you’re familiar with SS/SSR, then it’s basically the same thing.

https://github.com/xtaci/kcptun

Basically, instead of going direct SS (client) to SS (server), you go SS (client) -> Kcp (client) -> Kcp (server) -> SS (server).

The git page has enough basics. If you have problems with that, you may need to spend some time familiarizing yourself with the Linux command line and the vi or vim editor.

