All notes

Install on CentOS


git clone
cd shadowsocks-libev
# The shadowsocks website lists: libssl-dev, but we need openssl-devel instead.
sudo apt-get install build-essential autoconf libtool openssl-devel
./configure && make -j4
make install

The shadowsocks libs and bins are installed under /usr/local/. To run the server: nohup /usr/local/bin/ss-server -c ~/shadowsocks.cfg &>/dev/null &



Explanation of each field:

ss-local -s server_address -p server_port -l local_port -k password -m encryption_method


Increase maximum number of open file descriptors

# vi /etc/security/limits.conf, Add these two lines
* soft nofile 51200
* hard nofile 51200

# Then, before you start the shadowsocks server, set the ulimit first
ulimit -n 51200

Tune the kernel parameters

The priciples of tuning parameters for shadowsocks are

Here is an example /etc/sysctl.conf of our production servers:

fs.file-max = 51200

net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 3240000

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_congestion_control = hybla

Of course, remember to execute sysctl -p to reload the config at runtime.

Client on Docker

docker run -dt --name ssclient -p 1080:1080 mritd/shadowsocks -m "ss-local" -s "-s -p 6500 -b -l 1080 -m aes-256-cfb -k test123 --fast-open" -x -e "kcpclient" -k "-r SSSERVER_IP:6500 -l :6500 -mode fast2"
# -m : 参数后指定一个 shadowsocks 命令,如 ss-local,不写默认为 ss-server
# -x : 指定该参数后才会开启 kcptun 支持,否则将默认禁用 kcptun
# -e : 参数后指定一个 kcptun 命令,如 kcpclient,不写默认为 kcpserver;
# -k : 参数后指定一个 kcptun 的参数字符串,所有参数将被拼接到 kcptun 后

Fanqiang, fq


Install on EC2

  1. Use the installation script from to install the server.
  2. A bug fix by this page: That says, at the conf file /etc/shadowsocks.jsonon the server, the server ip should not be the Elastic/public IP, but the IP shown in the result of ifconfig eth0. While on the client side the server IP should be the Elastic/Public IP.

After modifying the json configure file, use this to restart service:

sudo /etc/init.d/shadowsocks restart

Autoproxy GFW-list Remember to use "svn update" to refresh it.


/usr/lib/ undefined symbol: EVP_CIPHER_CTX_cleanup

Edit crypto/, replace libcrypto.EVP_CIPHER_CTX_cleanup.argtypes to libcrypto.EVP_CIPHER_CTX_reset.argtypes.

Reason: in openssl 1.1.0, EVP_CIPHER_CTX_cleanup is replaced by EVP_CIPHER_CTX_reset.