Introduction
Shadowsocks remains a lightweight, high-performance secure proxy widely used to circumvent network restrictions and protect privacy. For Linux-based servers and workstations, the command-line client provides a flexible, scriptable way to route traffic through a Shadowsocks server without heavy GUI dependencies. This article walks you through a practical, security-minded setup of the Shadowsocks command-line client on Linux, covering installation, configuration, encryption choices, systemd integration, and common routing scenarios. The target audience includes system administrators, developers, and enterprise operators who need a robust CLI configuration they can automate and audit.
Why choose a CLI Shadowsocks client on Linux
Using a command-line Shadowsocks client on Linux offers several advantages:
- Automation-friendly: easily integrated into systemd, cron, or deployment scripts.
- Lightweight: minimal resource footprint compared to GUI clients.
- Flexible routing: can combine with iptables, ipset, and policy routing to selectively proxy traffic.
- Security control: explicit cipher and plugin choices, and reproducible configuration files for audits.
Installing shadowsocks-libev
The most common and well-maintained CLI implementation is shadowsocks-libev. It provides both server and client binaries (ss-server, ss-local, ss-tunnel). On Debian/Ubuntu the installation steps are straightforward:
Debian/Ubuntu:
apt update
apt install -y shadowsocks-libev
For distributions without a packaged version, build from source or use official backports. On CentOS/RHEL, enable EPEL or build from source. Verify installation by running ss-local –help.
Basic client configuration
Shadowsocks uses a JSON configuration file. A minimal client config (for ss-local) looks like this:
{
“server”:”1.2.3.4″,
“server_port”:8388,
“local_address”:”127.0.0.1″,
“local_port”:1080,
“password”:”your_strong_password”,
“method”:”chacha20-ietf-poly1305″,
“timeout”:600
}
Save this as /etc/shadowsocks-libev/config.json or ~/.config/shadowsocks/config.json. Important fields:
- server and server_port: the remote Shadowsocks server endpoint.
- local_address and local_port: where the client listens; typically 127.0.0.1:1080 for a SOCKS5 proxy.
- password: shared secret; use a strong random password.
- method: AEAD ciphers such as chacha20-ietf-poly1305 or aes-256-gcm are strongly recommended.
- timeout: socket timeout in seconds.
Command-line invocation
You can launch the client directly for testing:
ss-local -c /etc/shadowsocks-libev/config.json
When started, ss-local listens on the configured local port and accepts SOCKS5 connections. Test with curl:
curl –socks5-hostname 127.0.0.1:1080 https://ifconfig.co
If the response shows the server IP, the proxy is working.
Hardening and cipher selection
Shadowsocks supports multiple encryption methods. Avoid legacy stream ciphers like rc4-md5 and prefer AEAD ciphers. Recommended options:
- chacha20-ietf-poly1305 — fast and safe on CPUs without AES hardware acceleration.
- aes-256-gcm — strong AES-GCM; performs best with AES-NI enabled CPUs.
Keep keys confidential and rotate passwords periodically. For extra obfuscation, you can deploy the v2ray-plugin or obfs-local plugin; these add WebSocket/TLS or simple obfuscation layers, useful in hostile networks. Example of invoking ss-local with a plugin:
ss-local -c /etc/shadowsocks-libev/config.json –plugin v2ray-plugin –plugin-opts “server;tls;host=example.com;path=/ws”
Note: plugin capabilities and arguments vary; review plugin docs for exact syntax and security implications.
Systemd integration for production
For reliability, use systemd to manage the client process. Create a unit file at /etc/systemd/system/ss-local.service with content similar to:
[Unit] Description=Shadowsocks Local ProxyAfter=network.target [Service] Type=simple
ExecStart=/usr/bin/ss-local -c /etc/shadowsocks-libev/config.json
Restart=on-failure
User=nobody
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
LimitNOFILE=4096 [Install] WantedBy=multi-user.target
Then enable and start:
systemctl daemon-reload
systemctl enable –now ss-local.service
Use systemctl status ss-local and journalctl -u ss-local -f to monitor logs and troubleshoot.
Routing traffic through Shadowsocks
There are several common routing approaches depending on use case:
- Per-application proxying via SOCKS-aware tools and environment variables.
- System-wide transparent proxy using redsocks/iptables/tproxy or tun2socks.
- Split tunneling using ipset to route specific IP ranges through the proxy.
Using iptables + redsocks (transparent proxy)
Transparent proxying redirects TCP connections to a local redsocks instance which forwards to the SOCKS5 proxy. High-level steps:
- Install redsocks and run it with configuration pointing to 127.0.0.1:1080.
- Create an iptables NAT rule to mark traffic and redirect to redsocks’ local port.
- Exclude local addresses and the Shadowsocks server IP to avoid routing loops.
Example iptables commands (simplified):
iptables -t nat -N SHADOWSOCKS
iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT –to-ports 12345
iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS
Replace 12345 with redsocks’ listening port. For UDP support, use tproxy and ss-redir or tun2socks.
Using ipset for split routing
To route selected IP ranges (for example, foreign IPs) through the proxy, create an ipset and mark those IPs in iptables. Steps:
- Create an ipset: ipset create chinahash hash:net (use provider lists to populate).
- In iptables, bypass proxy for ips in the ipset; send others to the SHADOWSOCKS chain.
This approach is efficient for large rule sets because ipset lookups are fast and scalable.
DNS considerations
DNS leakage can defeat proxying. Preferred approaches:
- Use DNS over HTTPS/TLS at the client side (e.g., systemd-resolved, dnscrypt-proxy, or stubby) and configure it to resolve through trusted resolvers.
- Configure the proxy to forward DNS by using SOCKS5 hostname resolution (curl –socks5-hostname) or by running a DNS proxy that forwards queries via the tunnel.
- When using transparent proxying, redirect DNS UDP/TCP to a local DNS forwarder that resolves over the proxy or to a secure external DNS server.
Explicitly set /etc/resolv.conf or systemd-resolved configuration to avoid leaking queries to the local network.
Monitoring and troubleshooting
Key commands and checks:
- ss-local logs: journalctl -u ss-local -f
- Check listening ports: ss -lntp | grep ss-local
- Test proxy endpoint: curl –socks5-hostname 127.0.0.1:1080 https://ifconfig.co
- Trace routing: iptables -t nat -L -n -v to ensure rules are hit.
When facing connectivity issues, confirm the server is reachable (telnet server port), verify cipher compatibility between client and server, and check plugin versions if used.
Automation and maintenance
For enterprise deployments, treat Shadowsocks configuration like any other configuration-managed artifact:
- Store configuration files in version control with restricted access.
- Use configuration management tools (Ansible, Puppet, Salt) to deploy and rotate credentials.
- Automate certificate/host validation for plugins that use TLS; monitor expiry and configuration drift.
- Set up alerting on service failure and high restart frequency to detect instability.
Conclusion
Mastering the Shadowsocks command-line client on Linux gives administrators and developers a compact, efficient tool for secure proxying. The key takeaways are:
- Prefer shadowsocks-libev and AEAD ciphers like chacha20-ietf-poly1305 or aes-256-gcm.
- Use systemd for reliable process management and integrate logging into your monitoring stack.
- Choose the right routing model (per-app SOCKS vs transparent proxy vs split tunneling) based on operational needs.
- Address DNS leakage proactively with secure resolvers or DNS-over-HTTPS/TLS solutions.
With these practical steps and configuration patterns, you can deploy a secure, maintainable Shadowsocks client setup across Linux servers and workstations. For additional deployment guides and VPN tips, visit Dedicated-IP-VPN.