Overview
This guide walks you through setting up a secure and performant Shadowsocks server on CentOS 9. It is written for webmasters, enterprise administrators, and developers who need a lightweight, reliable proxy for bypassing restrictive networks or securing outbound traffic. The instructions cover package installation, configuration, firewall and SELinux considerations, systemd integration, performance tuning, and basic operational security.
Why Shadowsocks on CentOS 9?
Shadowsocks is a high-performance SOCKS5-like proxy originally designed to circumvent censorship. Compared with heavier VPNs, Shadowsocks is minimalist and efficient, making it a good fit for servers where CPU and memory are at a premium. On CentOS 9 (including RHEL derivatives), the platform stability and long-term support make it ideal for production deployments.
Prerequisites
Before beginning, ensure you have:
- A CentOS 9 server with root or sudo access.
- A static public IP or stable domain name pointing to the server.
- Basic familiarity with the shell and systemd.
Choosing an Implementation
Two popular Shadowsocks implementations are shadowsocks-libev (C implementation, low overhead) and the original Python implementation (feature-rich but less performant). For CentOS 9 in production, shadowsocks-libev is recommended due to its efficiency and support for modern AEAD ciphers. This guide uses shadowsocks-libev where possible, while also mentioning alternatives and plugin options.
Step 1 — Enable EPEL and Install Dependencies
First enable the EPEL repository and install required packages. On CentOS 9 you can enable EPEL with:
sudo dnf install -y epel-release
Then install shadowsocks-libev and related tools:
sudo dnf install -y shadowsocks-libev iproute firewalld
If shadowsocks-libev is not available in your repository, you can compile from source or use a trusted COPR repository. Compilation requires packages such as automake, autoconf, libev-devel, and openssl-devel.
Step 2 — Create a Secure Configuration
Shadowsocks configuration is stored in JSON format. Create a file at /etc/shadowsocks-libev/config.json with a minimal but secure configuration. Key points:
- Use an AEAD cipher, e.g., chacha20-ietf-poly1305 or aes-256-gcm, for both security and performance.
- Choose a strong, random password. Consider using a generated key of sufficient entropy.
- Bind to the public interface or localhost depending on whether you want the server to accept external connections.
Example configuration (replace values):
{
    "server": "0.0.0.0",
    "server_port": 8388,
    "password": "your-very-strong-password",
    "method": "chacha20-ietf-poly1305",
    "timeout": 300,
    "fast_open": true,
    "nameserver": "1.1.1.1",
    "mode": "tcp_and_udp"
}
Notes: fast_open (TCP Fast Open) requires kernel support and a matching client-side option. The nameserver entry makes the server resolve destination hostnames through the specified resolver, reducing DNS leaks.
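An added helper, not part of the original guide, that builds the config above with a random high-entropy password and checks it against the hardening points listed (AEAD method, password strength, valid port) before writing it with owner-only permissions; the method list and length threshold are this script's own assumptions:

```python
# Added example, not from the original guide: build a shadowsocks-libev
# config.json with a random high-entropy password and check it against the
# hardening points above. The method list and length threshold are assumed.
import json
import os
import secrets

AEAD_METHODS = {  # AEAD methods of shadowsocks-libev; stream ciphers rejected
    "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
    "aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
}
MIN_PASSWORD_LEN = 24  # assumed policy; token_urlsafe(32) yields 43 chars

def make_config(server="0.0.0.0", port=8388, method="chacha20-ietf-poly1305"):
    """Return a server config dict with a freshly generated random password."""
    return {
        "server": server,
        "server_port": port,
        "password": secrets.token_urlsafe(32),  # 256 bits from the OS CSPRNG
        "method": method,
        "timeout": 300,
        "fast_open": True,
        "nameserver": "1.1.1.1",
        "mode": "tcp_and_udp",
    }

def check_config(cfg):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    if cfg.get("method") not in AEAD_METHODS:
        findings.append(f"non-AEAD or unknown method: {cfg.get('method')!r}")
    pw = cfg.get("password", "")
    if len(pw) < MIN_PASSWORD_LEN:
        findings.append(f"password too short ({len(pw)} < {MIN_PASSWORD_LEN})")
    if pw in {"password", "your-very-strong-password"}:
        findings.append("placeholder password left in config")
    port = cfg.get("server_port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        findings.append(f"invalid server_port: {port!r}")
    return findings

def write_config(path, cfg):
    """Write JSON readable only by its owner; refuse configs that fail checks."""
    problems = check_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh, indent=2)
    os.chmod(path, 0o600)  # the password is a shared secret: keep it private
    return path
```

Run `write_config("/etc/shadowsocks-libev/config.json", make_config())` as root, then hand the generated password to clients out of band.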
Step 3 — Systemd Service and Enable Auto-start
shadowsocks-libev typically installs a systemd unit named shadowsocks-libev.service or ss-server@config.service depending on packaging. To start and enable the default unit:
sudo systemctl enable --now shadowsocks-libev
If the package provides template units, copy your config to /etc/shadowsocks-libev/config.json and use:
sudo systemctl enable --now ss-server@config.service
Check status and logs with:
sudo systemctl status shadowsocks-libev
sudo journalctl -u shadowsocks-libev -f
Adjust unit names according to your installation. Confirm the process is running and listening on the configured port with ss -tulpen or ss -lnp.
Step 4 — Firewall (firewalld) and Port Management
Open the configured Shadowsocks port in firewalld. For example, if you used port 8388:
sudo firewall-cmd --permanent --add-port=8388/tcp
sudo firewall-cmd --permanent --add-port=8388/udp
sudo firewall-cmd --reload
Additionally, restrict SSH and management interfaces to known IPs where possible. For production deployments, consider running Shadowsocks on a non-standard high port and using port knocking or firewall rich rules to minimize attack surface.
Step 5 — SELinux Considerations
CentOS 9 ships with SELinux enabled in enforcing mode by default. shadowsocks-libev running from systemd typically works under SELinux, but if you compiled or placed files in custom locations, you may need to set proper file contexts. Troubleshoot with audit logs:
sudo ausearch -m AVC -ts recent
sudo journalctl -t setroubleshoot
If SELinux prevents network binding, create a local policy module or adjust the relevant booleans. Keep the targeted policy in enforcing mode and grant only the specific access the service needs rather than disabling SELinux.
Step 6 — Plugins and Obfuscation
To make Shadowsocks traffic harder to identify, you can use plugins such as v2ray-plugin or simple-obfs. These add obfuscation or WebSocket transport layers. On CentOS 9, build or install the plugin binary and configure your client to use it. Example plugin usage in client configuration:
"plugin": "v2ray-plugin",
"plugin_opts": "server;tls;host=example.com;path=/ws"
When using TLS and WebSocket, you can route Shadowsocks traffic over ports like 443 and host it behind a reverse proxy, reducing detection and improving compatibility with restrictive networks.
Step 7 — Client Configuration and DNS
On client devices, configure the Shadowsocks client with the server IP, port, password, and method. For DNS, set clients to use the server-side nameserver or a secure DNS like 1.1.1.1 or 9.9.9.9 to avoid DNS leaks. Many client apps support proxy rules and per-app routing; for enterprise use consider integrating with system-level routing (iptables or tun2socks) to enforce policies.
Performance and Hardening Tips
- AEAD ciphers: Prefer chacha20-ietf-poly1305 on low-end CPUs and aes-256-gcm on CPUs with AES-NI for best throughput.
- TCP tuning: Adjust /etc/sysctl.conf for high-concurrency servers:
net.core.somaxconn = 1024
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 1024 65535
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
- UDP handling: If you enable UDP relay, ensure the kernel and firewall allow the necessary socket buffer sizes to avoid packet loss.
- Resource limits: Increase systemd service limits (LimitNOFILE) if you expect many concurrent connections.
- Monitoring: Use netdata, Prometheus exporters, or simple tools (ss, htop, vnstat) to monitor throughput, connections, CPU, and memory.
- Fail2ban: Implement fail2ban rules for repeated failed connection attempts. While Shadowsocks itself may not emit recognizable auth failures, monitoring logs and connection anomalies can trigger rules.
Security Best Practices
Follow these operational security practices:
- Use strong, randomly generated passwords or keys and rotate credentials periodically.
- Use AEAD ciphers to protect integrity and confidentiality.
- Keep the system and Shadowsocks packages up to date. Subscribe to security notifications for your distribution.
- Limit access to management services (SSH, control panels) by IP and use key-based SSH authentication with passphrases.
- Run Shadowsocks as a non-privileged user where possible and use systemd sandboxing options (PrivateTmp, NoNewPrivileges).
- Consider running the service inside a lightweight container or separate VM for additional isolation when hosting multiple services.
Troubleshooting
Common issues and how to diagnose them:
- No connectivity: verify shadowsocks is listening (ss -ltnup), then check firewall rules and cloud provider security groups.
- Slow speeds: check CPU usage, cipher choice, and whether AES-NI is available. Test with different ciphers.
- DNS leaks: confirm client DNS configuration and server-side nameserver in config.json.
- SELinux denials: inspect audit logs and create local policies if legitimate accesses are blocked.
- Plugin failures: verify plugin binary is executable, paths are correct, and client/plugin options match server settings.
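An added check for the "No connectivity" item above, not from the original guide: it parses `ss -tulpen` output and confirms that the port from config.json is bound for every transport the "mode" setting promises, on the address the config names. The sample output is constructed and abridged to the columns the parser reads.

```python
# Added example, not from the original guide: confirm from `ss -tulpen`
# output that the port in config.json is bound for every transport that
# "mode" promises, on the address the config names. Sample output is
# constructed and abridged to the columns this check reads.
import re

SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:8388      0.0.0.0:*  users:(("ss-server",pid=1402,fd=6))
udp   UNCONN 0      0      0.0.0.0:8388      0.0.0.0:*  users:(("ss-server",pid=1402,fd=7))
tcp   LISTEN 0      128    127.0.0.1:8389    0.0.0.0:*  users:(("ss-server",pid=1500,fd=6))
"""

# netid, state, recv-q, send-q, then local addr:port ("[::]:8388" also matches)
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")
MODE_PROTOS = {"tcp_only": {"tcp"}, "udp_only": {"udp"},
               "tcp_and_udp": {"tcp", "udp"}}

def bound_sockets(ss_output):
    """Map (proto, port) -> set of local addresses bound, from ss output."""
    bound = {}
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(3)))
            bound.setdefault(key, set()).add(m.group(2))
    return bound

def check_listening(cfg, ss_output):
    """Compare config.json expectations with live sockets; [] means OK."""
    findings = []
    bound = bound_sockets(ss_output)
    port = cfg["server_port"]
    # ss-server defaults to tcp_only when "mode" is absent
    for proto in sorted(MODE_PROTOS[cfg.get("mode", "tcp_only")]):
        addrs = bound.get((proto, port))
        if not addrs:
            findings.append(f"{proto}/{port} not bound: check the unit name, "
                            "config path and SELinux denials (firewall rules "
                            "do not affect binding)")
        elif cfg["server"] not in addrs:
            findings.append(f"{proto}/{port} bound on {sorted(addrs)} "
                            f"but config binds {cfg['server']}")
    return findings
```

Feed real output with `check_listening(json.load(open(path)), subprocess.check_output(["ss", "-tulpen"], text=True))`; an empty list means binding is fine and the fault lies further out (firewalld, security groups, client settings).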
Example Maintenance Checklist
- Weekly: check system updates, service uptime, and logs.
- Monthly: rotate credentials, verify backups, and review firewall rules.
- Quarterly: perform load testing and review capacity planning for increased traffic or additional users.
Conclusion
Deploying Shadowsocks on CentOS 9 can provide a lightweight, secure proxy solution suitable for both small-scale and enterprise environments. By using shadowsocks-libev, AEAD ciphers, proper firewalling, and systemd integration, you achieve a production-ready setup that balances performance and security. For additional obfuscation and compatibility, consider using plugins like v2ray-plugin and running over TLS/WebSocket. Always follow security best practices and monitor your deployment over time.
For further resources and professional-grade hosting options, visit Dedicated-IP-VPN: https://dedicated-ip-vpn.com/