
Install on CentOS


git clone
cd shadowsocks-libev
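# The shadowsocks website lists libssl-dev, but on CentOS the package is openssl-devel.
# CentOS uses yum, not apt-get; gcc and make stand in for Debian's build-essential.
sudo yum install gcc make autoconf libtool openssl-devel
./configure && make -j4
# Installing under /usr/local needs root.
sudo make install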

The shadowsocks libs and bins are installed under /usr/local/. To run the server: nohup /usr/local/bin/ss-server -c ~/shadowsocks.cfg &>/dev/null &


Explanation of each field:


Increase maximum number of open file descriptors

# vi /etc/security/limits.conf, Add these two lines
* soft nofile 51200
* hard nofile 51200

# Then, before you start the shadowsocks server, set the ulimit first
ulimit -n 51200

Tune the kernel parameters

The principles of tuning parameters for shadowsocks are

Here is an example /etc/sysctl.conf of our production servers:

fs.file-max = 51200

net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 3240000

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_congestion_control = hybla

Of course, remember to execute sysctl -p to reload the config at runtime.
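
An added example (not part of the original notes): after sysctl -p, this script compares each key in a sysctl.conf-style file with what the running kernel reports under /proc/sys. It catches settings that did not take effect, such as hybla when the tcp_hybla module is not available, or tcp_tw_recycle on kernels 4.12 and later, where the key no longer exists. The function name check_sysctl and its optional second argument are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original notes.
# Usage: check_sysctl CONF [PROC_ROOT]
#   CONF       sysctl.conf-style file (key = value, '#' comments)
#   PROC_ROOT  defaults to /proc/sys; may point at a constructed tree for testing

# Collapse tabs and repeated spaces, then trim, so that the kernel's
# tab-separated "4096<TAB>87380<TAB>67108864" equals "4096 87380 67108864".
normalize() {
    printf '%s' "$1" | tr -s '\t ' ' ' | sed 's/^ //; s/ $//'
}

# The body runs in a subshell, so its variables do not leak to the caller.
check_sysctl() (
    conf=$1
    root=${2:-/proc/sys}
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # strip comments
        case $line in *=*) ;; *) continue ;; esac         # skip blank lines
        key=$(normalize "${line%%=*}")
        want=$(normalize "${line#*=}")
        path=$root/$(printf '%s' "$key" | tr . /)         # net.ipv4.x -> net/ipv4/x
        if [ ! -r "$path" ]; then
            # The running kernel does not expose this key at all.
            echo "MISSING  $key (wanted: $want)"
            bad=$((bad + 1))
            continue
        fi
        have=$(normalize "$(cat "$path")")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: running=$have wanted=$want"
            bad=$((bad + 1))
        fi
    done < "$conf"
    [ "$bad" -eq 0 ]                                      # exit status: 0 = all applied
)

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_sysctl "$@"
fi
```

Run it as `sh check_sysctl.sh /etc/sysctl.conf` (the script file name is arbitrary); a non-zero exit status means at least one key is missing or differs from the file.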

Fanqiang, fq


Install on EC2

  1. Use the installation script from to install the server.
  2. A bug fix by this page: in the conf file /etc/shadowsocks.json on the server, the server IP should not be the Elastic/public IP, but the IP shown in the output of ifconfig eth0. (EC2 maps the Elastic IP to the instance by NAT, so it is not an address the server can bind to.) On the client side, the server IP should be the Elastic/public IP.

After modifying the JSON config file, restart the service with:

sudo /etc/init.d/shadowsocks restart

Autoproxy GFW-list: remember to use "svn update" to refresh it.


/usr/lib/ undefined symbol: EVP_CIPHER_CTX_cleanup

Edit crypto/, replace libcrypto.EVP_CIPHER_CTX_cleanup.argtypes with libcrypto.EVP_CIPHER_CTX_reset.argtypes.

Reason: in OpenSSL 1.1.0, EVP_CIPHER_CTX_cleanup is replaced by EVP_CIPHER_CTX_reset.