
【Network】Shadowsocks Server - 西维蜀黍的博客 | 西维蜀黍 Blog

 2 years ago
source link: https://swsmile.info/post/shadowsocks-server/

Shadowsocks Server implementations

Shadowsocks Server exists in Python, Go, C++ with Qt, C with libev, and Perl versions.

  • shadowsocks: The original Python implementation.
  • shadowsocks-libev: Lightweight C implementation for embedded devices and low end boxes. Very small footprint (several megabytes) for thousands of connections.
  • go-shadowsocks2: Another Go implementation focusing on core features and code reusability.
  • shadowsocks-rust: A Rust port of shadowsocks.

shadowsocks-libev

shadowsocks-libev is a shadowsocks proxy suite built on the libev library. It consists of four parts: ss-local, ss-redir, ss-tunnel and ss-server.

  1. ss-server is the shadowsocks server program.
  2. ss-local is the shadowsocks client program.
  3. ss-redir is the transparent proxy tool.
  4. ss-tunnel is the local port forwarding tool, usually used to work around DNS pollution.

go-shadowsocks2

https://github.com/shadowsocks/go-shadowsocks2

Setting up a Shadowsocks Server

Debian / Ubuntu:

apt-get install python-pip
pip install shadowsocks

CentOS:

yum install python-setuptools && easy_install pip
pip install shadowsocks

Choosing an operating system

Ubuntu 14.04 LTS is recommended as the server OS so that TCP Fast Open can be used. Unless there is a clear reason for it, CentOS is not recommended, as it is not beginner-friendly.

Choosing a VPS

For better performance, choose a XEN or KVM VPS rather than OpenVZ. The following VPS providers are recommended:

  • Digital Ocean: the stock kernel can use the hybla algorithm without compiling any modules yourself
  • Linode: powerful, with many data centers

Running the Shadowsocks Server

ssserver -p 443 -k password -m rc4-md5
# use a configuration file
ssserver -c /etc/shadowsocks.json
sudo ssserver -p 443 -k password -m rc4-md5 --user nobody -d start

To stop it:

sudo ssserver -d stop

To check the logs:

sudo less /var/log/shadowsocks.log

You can use a configuration file instead of command line arguments.

Create a config file /etc/shadowsocks.json. Example:

{
    "server":"my_server_ip",
    "server_port":8388,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"mypassword",
    "timeout":300,
    "method":"aes-256-cfb",
    "fast_open": false
}

Explanation of the fields:

Name           Explanation
server         the address your server listens on
server_port    server port
local_address  the address your local client listens on
local_port     local port
password       password used for encryption
timeout        in seconds
method         default: "aes-256-cfb"
fast_open      use TCP_FASTOPEN, true / false
workers        number of workers, available on Unix/Linux

The default cipher is chacha20-ietf-poly1305.

The strongest option is an AEAD cipher. The recommended choice is “chacha20-ietf-poly1305” or “aes-256-gcm”.

salsa20 and chacha20 are fast stream ciphers. Optimized salsa20 implementation on x86_64 is even 2x faster than rc4 (but slightly slower on ARM).

These legacy ciphers are either slow or not safe. Do not use them:

  • des-cfb
  • table
  • salsa20-ctr
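To check a shadowsocks.json against the field table and the cipher advice above before deploying it, here is an added Python example (not part of the original post or of the shadowsocks project). The AEAD and legacy cipher sets are taken from the lists on this page; the sample config is constructed and mirrors the example above.

```python
import json

# Cipher classes taken from the notes above (added example, not project code)
AEAD_CIPHERS = {"chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
                "aes-128-gcm", "aes-192-gcm", "aes-256-gcm"}
LEGACY_CIPHERS = {"des-cfb", "table", "salsa20-ctr"}
REQUIRED = {"server": str, "server_port": int, "password": str, "method": str}

# Constructed sample, mirroring the /etc/shadowsocks.json example above
SAMPLE_CONFIG = """{
    "server": "my_server_ip",
    "server_port": 8388,
    "local_address": "127.0.0.1",
    "local_port": 1080,
    "password": "mypassword",
    "timeout": 300,
    "method": "aes-256-cfb",
    "fast_open": false
}"""


def check_config(text):
    """Return a list of findings (empty when the config passes every check)."""
    cfg = json.loads(text)
    findings = []
    for key, typ in REQUIRED.items():
        if key not in cfg:
            findings.append(f"missing required field: {key}")
        elif not isinstance(cfg[key], typ) or isinstance(cfg[key], bool):
            findings.append(f"{key} must be of type {typ.__name__}")
    port = cfg.get("server_port")
    if isinstance(port, int) and not 1 <= port <= 65535:
        findings.append("server_port is outside 1-65535")
    method = cfg.get("method", "aes-256-cfb")  # table above: default aes-256-cfb
    if method in LEGACY_CIPHERS:
        findings.append(f"method {method} is legacy (slow or unsafe): use an AEAD cipher")
    elif method not in AEAD_CIPHERS:
        findings.append(f"method {method} is not AEAD: prefer chacha20-ietf-poly1305 or aes-256-gcm")
    if cfg.get("password") in ("", "mypassword", "password"):
        findings.append("password is a placeholder: set a strong one")
    timeout = cfg.get("timeout", 300)
    if isinstance(timeout, bool) or not isinstance(timeout, int) or timeout <= 0:
        findings.append("timeout must be a positive number of seconds")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("-", finding)
```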

For a detailed and complete list of all supported arguments, you may refer to the man pages of the applications, respectively.

ss-[local|redir|server|tunnel|manager]

   -s <server_host>           Host name or IP address of your remote server.

   -p <server_port>           Port number of your remote server.

   -l <local_port>            Port number of your local server.

   -k <password>              Password of your remote server.

   -m <encrypt_method>        Encrypt method: rc4-md5,
                              aes-128-gcm, aes-192-gcm, aes-256-gcm,
                              aes-128-cfb, aes-192-cfb, aes-256-cfb,
                              aes-128-ctr, aes-192-ctr, aes-256-ctr,
                              camellia-128-cfb, camellia-192-cfb,
                              camellia-256-cfb, bf-cfb,
                              chacha20-ietf-poly1305,
                              xchacha20-ietf-poly1305,
                              salsa20, chacha20 and chacha20-ietf.
                              The default cipher is chacha20-ietf-poly1305.

   [-a <user>]                Run as another user.

   [-f <pid_file>]            The file path to store pid.

   [-t <timeout>]             Socket timeout in seconds.

   [-c <config_file>]         The path to config file.

   [-n <number>]              Max number of open files.

   [-i <interface>]           Network interface to bind.
                              (not available in redir mode)

   [-b <local_address>]       Local address to bind.
                              For servers: Specify the local address to use 
                              while this server is making outbound 
                              connections to remote servers on behalf of the
                              clients.
                              For clients: Specify the local address to use 
                              while this client is making outbound 
                              connections to the server.

   [-u]                       Enable UDP relay.
                              (TPROXY is required in redir mode)

   [-U]                       Enable UDP relay and disable TCP relay.
                              (not available in local mode)

   [-L <addr>:<port>]         Destination server address and port
                              for local port forwarding.
                              (only available in tunnel mode)

   [-6]                       Resolve hostname to IPv6 address first.

   [-d <addr>]                Name servers for internal DNS resolver.
                              (only available in server mode)

   [--reuse-port]             Enable port reuse.

   [--fast-open]              Enable TCP fast open.
                              with Linux kernel > 3.7.0.
                              (only available in local and server mode)

   [--acl <acl_file>]         Path to ACL (Access Control List).
                              (only available in local and server mode)

   [--manager-address <addr>] UNIX domain socket address.
                              (only available in server and manager mode)

   [--mtu <MTU>]              MTU of your network interface.

   [--mptcp]                  Enable Multipath TCP on MPTCP Kernel.

   [--no-delay]               Enable TCP_NODELAY.

   [--executable <path>]      Path to the executable of ss-server.
                              (only available in manager mode)

   [-D <path>]                Path to the working directory of ss-manager.
                              (only available in manager mode)

   [--key <key_in_base64>]    Key of your remote server.

   [--plugin <name>]          Enable SIP003 plugin. (Experimental)

   [--plugin-opts <options>]  Set SIP003 plugin options. (Experimental)

   [-v]                       Verbose mode.

Shadowsocks Server configuration tuning

TCP Fast Open

If both your server and client run on Linux 3.7.1 or higher, you can turn on fast_open for lower latency.

First set fast_open to true in your config.json.

Then turn on fast open on your OS temporarily:

echo 3 > /proc/sys/net/ipv4/tcp_fastopen

BBR (a TCP congestion control algorithm)

BBR acceleration requires the server host to run a complete kernel of version 4.9 or later. The setup below uses a Linode host as an example.

Although the kernel Linode provides is newer than 4.9, it is not a complete kernel and does not include the BBR component, so BBR cannot be enabled directly. We therefore first install a complete (64-bit) kernel.

Upgrading the Linux kernel

BBR was introduced in Linux kernel 4.9. First check the server's kernel version:

uname -r

If it shows a version below 4.9.0, the Linux kernel needs to be upgraded; otherwise skip the rest of this subsection.

Update the package manager:

sudo apt update

List the available Linux kernel versions:

sudo apt-cache showpkg linux-image

Pick the Linux kernel version you want to upgrade to, e.g. "linux-image-4.10.0-22-generic":

sudo apt install linux-image-4.10.0-22-generic

After the installation finishes, reboot the server:

sudo reboot

Remove the old Linux kernels:

sudo purge-old-kernels

Enabling BBR

Run lsmod | grep bbr; if tcp_bbr does not appear in the output, first run:

modprobe tcp_bbr
echo "tcp_bbr" >> /etc/modules-load.d/modules.conf
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p

Save the settings so they take effect, then run:

sysctl net.ipv4.tcp_available_congestion_control
sysctl net.ipv4.tcp_congestion_control

If both outputs contain bbr, BBR has been enabled successfully.
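As an added example (not from the original post), the following Python takes the output of uname -r, the two sysctl commands just above and the lines appended to /etc/sysctl.conf, and reports which step of the BBR procedure is still missing. The sample outputs are constructed; the same parse_sysctl helper also reads the sysctl.conf fragment in the kernel-parameter section later on this page.

```python
import re

# Constructed sample outputs of uname -r, the two sysctl commands above,
# and the two lines appended to /etc/sysctl.conf (added example, not project code)
UNAME_R = "4.10.0-22-generic\n"
AVAILABLE = "net.ipv4.tcp_available_congestion_control = reno cubic bbr\n"
CURRENT = "net.ipv4.tcp_congestion_control = bbr\n"
PERSISTED = "net.core.default_qdisc=fq\nnet.ipv4.tcp_congestion_control=bbr\n"


def kernel_version(uname_r):
    """'4.10.0-22-generic' -> (4, 10, 0); the distro suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    return tuple(int(x or 0) for x in m.groups())


def parse_sysctl(text):
    """Parse 'key = value' lines as printed by sysctl or stored in sysctl.conf."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def bbr_status(uname_r, available_out, current_out, sysctl_conf=""):
    """Classify the host as kernel-too-old, module-missing, not-active,
    not-persistent or ok, following the checks in the section above."""
    if kernel_version(uname_r) < (4, 9, 0):
        return "kernel-too-old"       # upgrade the kernel first
    runtime = parse_sysctl(available_out + current_out)
    available = runtime.get("net.ipv4.tcp_available_congestion_control", "")
    if "bbr" not in available.split():
        return "module-missing"       # modprobe tcp_bbr has not been run
    if runtime.get("net.ipv4.tcp_congestion_control") != "bbr":
        return "not-active"           # sysctl -p has not applied the setting
    conf = parse_sysctl(sysctl_conf)
    if (conf.get("net.ipv4.tcp_congestion_control") != "bbr"
            or conf.get("net.core.default_qdisc") != "fq"):
        return "not-persistent"       # BBR would be lost at the next reboot
    return "ok"


if __name__ == "__main__":
    print(bbr_status(UNAME_R, AVAILABLE, CURRENT, PERSISTED))
```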

hybla algorithm

Maximum Number of Open File Descriptors and Kernel Parameters

First of all, upgrade your Linux kernel to 3.5 or later.

Step 1, increase the maximum number of open file descriptors

To handle thousands of concurrent TCP connections, we should increase the limit of file descriptors opened.

Edit the limits.conf

vi /etc/security/limits.conf

Add these two lines

* soft nofile 51200
* hard nofile 51200

Then, before you start the shadowsocks server, set the ulimit first

ulimit -n 51200

Step 2, Tune the kernel parameters

The principles of tuning parameters for shadowsocks are:

  1. Reuse ports and connections as soon as possible.
  2. Enlarge the queues and buffers as much as possible.
  3. Choose a TCP congestion algorithm suited to high latency and high throughput.

Here is an example /etc/sysctl.conf of our production servers:

fs.file-max = 51200

net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 4096

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_congestion_control = hybla

Of course, remember to execute sysctl -p to reload the config at runtime.

How to verify your optimizations work

Use munin or any other server monitoring tool to graph your TCP connections. A well-tuned server should look like this:

[Image: graph of TCP connections on a well-tuned server]

Shadowsocks relay

If you want your client to connect to a Japan VPS but still come out with a US IP, relay through a second server:

Client <--> Japan VPS <--> US VPS
