How to set up a FAST Shadowsocks server

This tutorial will show you step-by-step instructions to set up your own speed-optimized Shadowsocks (SS) or ShadowsocksR (SSR) server on an Ubuntu VPS. This guide includes installation of the BBR add-on for increased speed on high latency networks and how to use the clients for Windows, Mac, iOS, and Android.


Shadowsocks is not a VPN.

Creating your own Shadowsocks proxy server can offer good speeds in China, but it lacks some important features compared to using a VPN in China.

  • Privacy and anonymity. When you create your own proxy or VPN server, you will be using a static IP address that is tied to your identity. This means that anything you do online while connected to your server can be traced back to you. Make sure you don’t do anything illegal using your server. For example, if you use your own server to download torrents, the hosting provider will likely ban your account if they get a DMCA complaint. The advantage of using a good commercial VPN service is that your anonymity is protected by using shared IP addresses that are not tied to the identity of any individual user.
  • Limited support. A VPN works on the network level, which means that all of your traffic is tunneled over the VPN. However, proxies like Shadowsocks work on the browser/application level. That means it will only work for web browsers and applications that specifically support proxy settings. Even in web browsers, proxies don’t work for all types of traffic (Adobe Flash, for example, will bypass all proxies and use your ISP connection directly).

If you want to combine the fast speed of a Shadowsocks proxy and the full privacy of a VPN, the best solution is to tunnel a VPN connection over your shadowsocks proxy.

Latest updates for using Shadowsocks in China

November 29, 2019 Update – Black Friday Deals

The 2 Shadowsocks providers that I strongly recommend as an alternative to making your own server are both having very good Black Friday sales right now.

WannaFlix (Shadowsocks and V2Ray)

Black Friday Deal – 1 year for $47

Expires – December 2, 2019

Money Back Guarantee – 30 Days

Here are some speed tests for WannaFlix done today from my China Telecom 100/20M WiFi.

WannaFlix Hong Kong PCCW (Shadowsocks)

P/D/U: 21/86.37/24.37

This is a great server with low ping, and it also works for the Hong Kong version of Netflix.

WannaFlix Singapore 4 (V2Ray)

P/D/U: 50/28/22.14

This is also a great server, even though the speed is capped at 30Mbps. It’s hosted on Aliyun Singapore, one of the best CN2 server locations for connections from China. Very high stability and low packet loss. Great for gaming or important video/VoIP calls.

Get the WannaFlix Black Friday Deal

If you miss out on this deal, you can still get 30% off any time with the Tips for China coupon code.

Surfshark (Shadowsocks and VPN)

Black Friday Deal – 2 years + 3 months (27 months total) for $47

Expires – Unknown, but likely around December 15, 2019

Money Back Guarantee – 30 Days

Here are some speed tests for Surfshark done today from my China Telecom 100/20M WiFi.

Surfshark Taiwan (Shadowsocks)

P/D/U: 56/91.47/24.27

This is my personal favorite Shadowsocks server to use. This server is very fast, and you can watch USA Netflix with it. Surfshark supports Netflix in at least 10 different regions, and the regions that are not supported (such as Taiwan) get USA Netflix.

Surfshark Japan (Shadowsocks)

P/D/U: 72/82.14/23.81

Surfshark can be a little difficult to set up as you need to manually find the good IP addresses for Shadowsocks connections. But I wrote an easy guide here to help you do it.

Get the Surfshark Black Friday deal

If you miss out on this deal, you can still get 2 years for $60 using the links on Tips for China. You just won’t get the additional 3 months free.

October 28, 2019 Update

The Surfshark manual Shadowsocks connections for the Taiwan and Japan servers are still working great. Check my latest guide on how to set up Surfshark manual Shadowsocks connections if you are looking for a good alternative to setting up and managing your own Shadowsocks server.

A Tips for China visitor recently did some speed tests from his Beijing China Unicom 500/100M internet connection for me. The results are very impressive!

Surfshark Taiwan Shadowsocks

P/D/U: 57/313.72/39.94

Surfshark Japan Shadowsocks

P/D/U: 69/484.3/39.11

You can see many more recent Shadowsocks test results on the 2020 VPN in China blog page. My internet connection is only 100/20M, so the speeds aren’t as exciting. But I can still come very close to saturating my 100Mbps line.

With the 2 year special and a 30 day money back guarantee, there is really no reason not to try it.

October 12, 2019 Update

Shadowsocks servers were getting blocked more easily recently during the Cyber Security Conference in late September and the National Week holiday during the beginning of October.

During this time, WannaFlix developed a new protocol called Eclipse when all of their Shadowsocks servers were blocked. The Eclipse protocol cannot be blocked by the Great Firewall, so it can always be used as a backup.

Things seem to be back to normal now. WannaFlix Shadowsocks servers are back online and working quite well.

Another new recommendation for a paid Shadowsocks service is Surfshark VPN. They recently added support for manual Shadowsocks connections.

Surfshark is currently offering a 2 year plan for only $60 which is an incredible value (only $2 per month). The Shadowsocks setup is a little bit difficult because you need to find the specific server IPs to enter. Check my latest updates on the 2019 China VPN blog page for some suggested IPs and recent speed tests. The Taiwan and Japan servers are working very well right now.

If you are making your own server on Vultr and find that you can’t get an un-blocked IP address in the US, try some European locations. Those ones don’t get blocked as easily.

May 2019 Update

The ShadowsocksR Windows app was recently updated. There appear to be issues when loading Facebook and Instagram using the latest version 4.9.2.

I recommend using version 4.9.0, which doesn’t have this problem.

Alternatively, you can try setting the DNS server to in the Global Settings of version 4.9.2. This seems to have solved the problem for me, although I have not tested it long enough to be certain that the problem won’t re-appear.

DNS settings screen for SSR version 4.9.2

You may need to flush your DNS cache after doing this. To flush your DNS cache, open a command prompt and run the command “ipconfig /flushdns”.

In other news, the WannaFlix Shadowsocks service is still working extremely well for me. Especially the Hong Kong and Taiwan servers.

I highly recommend trying WannaFlix if you have not already.

March 2019 Update

Here are some more speed test results for the WannaFlix ShadowsocksR service. The tests I did in February were done using an older computer that can only get around 75Mbps on WiFi.

These tests were done on March 17, 2019 using my China Telecom 100/20M connection from a computer that can get closer to the full 100Mbps speed of my line.

Hong Kong Server (PCCW network)

P/D/U: 19/88.47/23.39

Taiwan Server (Hi-Net network, new)

P/D/U: 42/91.81/22.91

US Netflix 4 Server (Netflix, Hulu, Amazon Prime, etc)

P/D/U: 187/86.17/20

There are many more servers, including Netflix servers for several regions and a few torrenting servers. Give it a try yourself, totally risk-free with the 30 day money back guarantee. Don’t forget to use the Tips for China coupon code for 30% off.

February 2019 Update

WannaFlix ShadowsocksR service

I recently discovered a good alternative to making your own Shadowsocks server. There is a paid service called WannaFlix, which offers very fast and affordable ShadowsocksR servers.

Although WannaFlix advertises itself as a VPN, it is actually a pure Shadowsocks service. Despite this false advertising, I have to give it a high recommendation due to the high performance servers and low cost.

Here are some speed test results using a few of the WannaFlix ShadowsocksR servers, tested on February 11, 2019 from my China Telecom 100/20 Mbps internet connection.

Hong Kong Server (PCCW network)

P/D/U: 23/74.99/13.18

Philippines Server

P/D/U: 60/72.10/5.13

Singapore Server (Aliyun network)

P/D/U: 57/29.67/5.13

South Korea Server

P/D/U: 55/72.26/4.79

WannaFlix is currently offering a 30% off coupon code for Tips for China visitors (valid for the first billing cycle only).

Using the coupon code, the price for 1 year comes down to only $58.72 (works out to less than $5/month).

That is an incredible value considering that these servers are hosted on top quality hosting providers. In fact, you would need to literally spend hundreds of dollars per month if you wanted to set up your own servers on these providers.

Not only does WannaFlix have fast servers for China, some of their servers can also unblock Netflix as well. Actually, quite a few of them including USA, UK, Canada, South Korea, Japan, and a few others.

Some of their servers allow torrenting too!

Still not sure if WannaFlix is worth trying? Don’t worry, they are offering a very generous 30 day money back guarantee so you can try it completely risk-free!

Give it a try and compare the performance to your own Shadowsocks server. You will definitely see the value.

Go to WannaFlix now and save 30% with the Tips for China coupon code!

October 2018 Update

The following changes were made to this tutorial on October 13, 2018.

1. Now recommending Ubuntu 18.04 instead of Ubuntu 14.04. It appears that Google BBR now comes pre-installed with the Ubuntu 18.04 Vultr image, so it makes the process much easier. I will leave the BBR installation instructions here in case other providers don’t offer BBR pre-installed on their images.

2. No longer recommending Vultr Tokyo location for China Telecom. The latency has become too high. The best locations for China Telecom these days are the US west coast ones (Los Angeles, Silicon Valley, etc).

3. Now recommending Vultr’s new $3.50/month plan after IPv4 IP addresses were removed from the $2.50 plan.

Some of the images in this tutorial are from before the above changes were made.

Choosing a VPS provider to host your server

Why I am using Vultr for this tutorial

With servers starting from $0.005 per hour ($3.50/month) and good routing to China Telecom, Vultr offers a good combination of price and speed. It’s not the fastest server you can buy, but it does offer the best value for money in my opinion.

Vultr servers are always billed hourly. This is a very useful feature for 2 reasons.

1. If you mess something up and want to start over again, just destroy the VPS and make a new one. It will only cost you $0.01 if you destroy the VPS within the first 2 hours. This is a great way for beginners to learn to use Linux.

2. If your server gets blocked, you can just destroy it and make a new one. You won’t lose money because you only pay for the amount of hours you use the server for.

Once you have used the server for 625 hours (~26 days), then you will pay the monthly price. If you destroy your server before 625 hours, then you will pay for the number of hours that you used. You will see both the monthly and hourly price when you choose your instance. This is not an option to choose, it is just showing you both prices.

Vultr offers a very generous bandwidth allowance that you will likely never go over. The smallest package for $3.50/month includes 500GB of data. The next package for $5/month includes 1TB of data. Note that the data allowance is pro-rated for the amount of hours if you use the server for less than 1 month.

Tip – If you go over this allowance, it’s cheaper to shut down your instance and start a new one rather than paying the excess data fee (or upgrade to a higher price instance).

Vultr Alternatives

If this is your first time setting up a Shadowsocks server, then just stick with Vultr for now and follow this tutorial exactly to the letter.

After you learn the process of making a server using Vultr or if you are already familiar with Linux, you may want to consider some other providers for higher performance (if you are willing to spend more and take the risk of paying monthly/annually instead of hourly).

If you want to try other providers, make sure you choose Ubuntu 18.04 64 bit as the OS and KVM as the virtualization (if available).

Previously this tutorial did not work for OpenVZ virtualization because it is not possible to change the kernel to install BBR. However, now that BBR comes pre-installed on Ubuntu 18.04, this tutorial might work with Ubuntu 18.04 on OpenVZ virtualization (not sure, someone please confirm in the comments if you have tried it).

#1 Alternative – Rackspace Hong Kong

Rackspace Hong Kong has the best network for connections to mainland China. Direct peering to China Telecom (CN2), China Unicom, and China Mobile.

The only problem with Rackspace is that it’s very expensive (over USD $50/month plus USD $0.20/GB).

If the cost is not a concern for you, I would be very interested to know how a shadowsocks server performs on Rackspace. If anyone has tried a cloud server on Rackspace Hong Kong, please let me know about it in the comments below.

#2 Alternative – ExpressVPN Hong Kong 3

The #2 alternative is not actually a VPS provider, but rather a VPN company that is hosting one of their servers on Rackspace Hong Kong. This is a much cheaper way to get access to a high performance Rackspace Hong Kong server.

The ExpressVPN Hong Kong 3 server is hosted on Rackspace!

Just sign up for ExpressVPN and connect to the Hong Kong 3 server.

Using the ExpressVPN links on this page will give you access to a special offer for an additional 3 months free when you purchase a 12 month subscription. You will get 15 months for the price of 12 months.

If you consider the cost of setting up your own premium China Telecom CN2 server in Hong Kong, paying $99 for 15 months of ExpressVPN is actually very cheap!

The Hong Kong 3 server is hidden away under the “All” section of the app. You won’t find it in the “Recommended” section.

Hong Kong 3 was blocked in November/December last year, but it seems to be back and working better than ever! I have tested the speed of this server at various times over a 24 hour period on Feb 25-26, 2018. You can see the results below.

ExpressVPN Hong Kong 3 speed test results.

This server has ultra low latency (direct connection to China Telecom on premium CN2 network). Note the very low ping times of only 17-19 ms. The download speed is not too bad either!

I’m also running this server on a cheap 180 yuan router from Taobao that I use for video streaming. Check out my tutorial on this router here. This router can get around 20Mbps download speed on Hong Kong 3.

Here is the best part.

Every ExpressVPN subscription comes with a no-hassle 30 day money back guarantee. Get a full refund any time within 30 days. No sneaky terms and conditions. Just ask for a refund if you are not satisfied and you will get one!

In case the Hong Kong 3 server gets blocked again or is unavailable, the Hong Kong 5, Hong Kong 4, Taiwan 1, and Taiwan 2 servers also have premium routing to mainland China ISPs.

#3 Alternative – Bandwagon Host

I have not tried this one yet, but several people have suggested it. They offer China Telecom CN2 servers hosted in Los Angeles.

USA CN2 servers are not as fast as Asian CN2, but they should be faster than Vultr and other providers.

The special China Telecom CN2 servers are only offered through this page. The servers offered from the regular homepage are not the CN2 ones.

After using the above link, find the special called SPECIAL 10G KVM PROMO V3 – LOS ANGELES – CN2.

When you check out, make sure the location is US – Los Angeles DC3 CN2 (USCA_3). There is another promo package for $19.99 per year, but this is not the CN2 location.

I heard rumors that Bandwagon Host does support a limited number of IP address changes if your server gets blocked. I have sent a request asking for details about this and I will update here when I get the official answer about this.

Update: Here is the answer from Bandwagon Host regarding the IP address changing policy.

James: What is your policy for changing IP addresses if the IP gets blocked by China GFW? Your TOS mentions something about a fee for changing IP but doesn’t say how much the fee is.

Bandwagon Host: We change this policy and fees from time to time. We guide customers through the process of changing IP when the need arises (be it free replacement or not). Usually the fee to replace IP is between $2 and $20.

James: What is the current policy right now? Between $2 to $20 is a very big range. Can you provide more information about this?

Bandwagon Host: I am very sorry, but we are not able to provide any more assistance on these questions.

It seems they don’t want to answer my questions about this.

If anyone has first-hand experience on this issue, please leave a comment.

Unlike Vultr and Rackspace, I believe Bandwagon Host counts the data allowance as INPUT + OUTPUT. With a proxy server, the data input and output are approximately the same. This means that 500GB from Bandwagon Host is actually only 250GB of traffic.

Vultr, Rackspace, and Aliyun only count OUTPUT data so you get the full amount of data that they advertise.

#4 Alternative – Aliyun Hong Kong

Alibaba Cloud (aka Aliyun) does offer Hong Kong CN2 servers at a better price than Rackspace, but there are some drawbacks.

I’m going to move the Aliyun information to a new page because Aliyun is very complicated and this page is already long enough.

Check this page for more info about Aliyun.

#5 Alternative – Other Providers

I don’t know much about these ones except that they are popular choices for Shadowsocks users in China. I will just leave the links here and you can do your own research. Be sure to leave a comment if you have tried any of these.

Kdatacenter – Premium South Korea VPS (recommended if you are near Shanghai)

Gigsgigscloud – Variety of different Hong Kong and USA servers

Choose the best server locations for your ISP

Before we get started, it’s a good idea to do some network analysis to find the best Vultr server location for your Shadowsocks server.

Using the hostnames below, send a ping command to each server to check the latency to your location. Remember to turn off any existing VPN connections, because we want to check the latency between your ISP and the Vultr servers.

The locations shown in bold have the best routing to China Telecom.

Tokyo, Japan
 Silicon Valley, California
 Los Angeles, California
 Seattle, Washington
 Frankfurt, DE
 Amsterdam, NL
 Paris, France
 London, UK
 New York (NJ)
 Chicago, Illinois
 Atlanta, Georgia
 Miami, Florida
 Dallas, Texas
 Sydney, Australia

If you are using Windows, you can download my Vultr ping script to automatically ping all of Vultr servers.

I have identified 4 servers that have a decent ping time to my China Telecom connection.

  • Tokyo
  • Singapore
  • Silicon Valley
  • Los Angeles

I am going to try a Tokyo server and a Los Angeles server.

To avoid confusion, I will just show the instructions for setting up 1 of the servers, although I am actually doing both at the same time.

2019 Update – Tokyo is no longer a recommended location due to degraded performance since this tutorial was first made. I now recommend US west coast locations. Or you can try Europe locations if you can’t find an unblocked IP in the US.

Deploy your instance

The first step is to go to Vultr and create an account if you don’t already have one. You will need to fund your account with a minimum $5 deposit using PayPal or verify a valid credit card.

When I first signed up, I used my Chinese credit card and I was asked to verify my identity by sending them a copy of my passport and the credit card I used. I suspect that they asked for this because I was connected to a VPN when I added my credit card and the IP address did not match the country of my credit card.

I recommend turning off your VPN if you are using a Chinese credit card or Chinese PayPal account to avoid this fraud detection. If you are using an overseas credit card, you may want to connect to a VPN in the same country as your credit card, or turn your VPN off. I’m not sure which option is better in this case.

Although Vultr offers WeChat payments, this won’t work for you unless you have a Chinese ID card (only Chinese citizens can use WeChat and Alipay for merchants outside of China).

Once your account is funded/verified then you can deploy a new instance (VPS).

Choose your location.

Vultr deploy new instance page

Choose the server type (OS). For this tutorial, I am using Ubuntu 18.04 x64.

Vultr server type selection section

Choose the server size. The $3.50/month ($0.005/hr) plan with 20GB, 512MB memory, and 500GB data is all you need for a personal shadowsocks server.

Choosing a more expensive instance will not increase the performance of your server. The only reason to choose a more expensive instance is if you need more than 500GB of data per month.

Vultr server size selection section

Note: As of October 2019, the only location with $3.50 instances available is New Jersey. If you don’t want a server in New Jersey, you will have to pay $5.

Leave everything else as default until section 7, do not enable IPv6 (untick it if it’s selected).

Now enter a hostname, you can put anything. I entered for my hostname. As we are not using our VPS to host a website, it doesn’t matter what you put here. You can also leave it blank with Vultr but some other VPS providers will require you to enter something here.

Press Deploy Now to deploy the VPS.

Vultr server hostname and label section

Wait until your VPS is finished installing and the status changes to “Running”. Then, click on the server to open the server details.

VPS status shows running

We will need the IP address and password to log into our server by SSH.

Server information page showing IP and password.

The first thing I do after deploying a new VPS is look up the IP address in a geo-location database to see if it shows the correct location. Many Vultr Asian servers are incorrectly geo-located in the USA. If the IP address is not showing the correct location, then I will just destroy the instance and deploy a new one (remember, it only costs $0.01 if you destroy an instance within the first few hours).

Using a shadowsocks server with an IP address with the wrong geo-location can be annoying. You will need to manually choose the correct server when doing a speed test, Google will think you are in the wrong country, etc.

After looking up the IP address, I can see that it is correctly listed as Tokyo.

IP lookup results for the server

Ok, time to connect to our server using SSH.

If you are using Mac, you can use the Terminal program to start an SSH session with your server.

Open Terminal and enter the following command (Mac users only):

ssh server_ip -p 22 -l root

Replace server_ip with the IP address of your server.

For example, using my server in this tutorial, you would enter the following.

ssh -p 22 -l root

Unlike Mac, Windows does not come with an SSH client.

I am using Windows, so I have downloaded Putty.

If you are using Putty for Windows, enter the IP address of your Vultr server and press open to connect to it. Leave all of the settings as default. You can save the session so you don’t need to enter the IP address next time, I saved the settings as “Vultr Tokyo”.

Putty configuration screen

Accept the security warning, then log in as root and enter the password from the Vultr server management page.

Tip – To paste text from the clipboard using Putty, simply press the right mouse button once and whatever is in the clipboard will get pasted. When typing or pasting your password, you won’t see anything on the screen. Just press enter after you have typed it or pasted it by single clicking the right mouse button.

If your SSH connection is not successful, wait a few more minutes and try again. When you first create a server, it can take up to 5 minutes until it’s ready to use.

If you still can’t connect after your server is ready, that means your IP address is blocked by the Great Firewall of China (probably due to the person who used that IP address before you).

This can be confirmed by connecting to a VPN to see if you can connect.

If your IP is blocked, then destroy your instance and make a new one.

Once you have a good IP address that is not blocked and you are logged in successfully, your screen should look like this.

Putty ssh session screen

Install ShadowsocksR

Update and upgrade the machine by entering the command below.

sudo apt-get update && sudo apt-get upgrade -y

Any time that you see highlighted text like the text in the above line, enter it as a command. I will only show the screenshot for the first command, shown below.

Putty ssh screen showing update and upgrade commands entered.

After you enter the command, press enter to execute it.

When executing this first command, you may get a message that says something like this:

“A new version of configuration file /etc/default/grub is available, but the version installed currently has been locally modified. What do you want to do about modified configuration file grub?”

You can just press enter to keep the default option of using the current one.

Now, let’s install shadowsocks on the server. There are many different versions of shadowsocks and many different ways to install them. I am going to install ShadowsocksR (SSR) using an installation script from GitHub user teddysun.

Teddysun has made some great scripts that make it very easy to install different versions of shadowsocks and other linux applications.

There used to be a donation page ( where you could send a donation to Teddy Sun by WeChat or Alipay to support his good work. However, that link is now dead and I can’t find any similar page on his website now. If anyone knows how to support the work of Teddy Sun, please let me know what link I can include here.

Enter the following 3 commands to download and run the SSR installation script.

wget --no-check-certificate

Note – The above command is shown on 2 lines because it’s too long. Make sure you copy the full command starting with wget and ending with

chmod +x
./ 2>&1 | tee shadowsocksR.log

Enter the parameters that you want to use for your server. Here is what I am using for this tutorial. You can always change these settings later if you want so don’t think about it too much.

Password: testing
Port: 443
cipher: chacha20
protocol: origin
obfs: http_simple_compatible

After you enter all of the settings, press any key to start the installation. It will take about 5 minutes.

February 2019 Update – Try protocol auth_sha1_v4_compatible instead of origin.

Configuration script options 1/2
Configuration script options - 2/2

If you want to make any changes to the configuration, enter the command below to edit the server config file.

nano /etc/shadowsocks.json

Press Ctrl + X to exit. When asked to save the modified buffer, press the y key once and then press enter to keep the same file name.

Every time you make changes to this file, you need to restart shadowsocks so the changes will take effect. Restart shadowsocks using the command below (if you have changed the config file).

/etc/init.d/shadowsocks restart

The server is already running, you can download a shadowsocks client and try it now.

Download a client and test your server

The standard Shadowsocks (SS) client is no longer stable in China. I recommend using the ShadowsocksR (SSR) client if you are in China.

SSR Clients (recommended for China)

ShadowsocksR for Windows (Download version 4.9.0, the newer ones have DNS leaks)

ShadowsocksR for Android

ShadowsocksR for Mac

iOS Potatso Lite (FREE)

iOS Shadowrocket ($2.99)

Original SS Clients (NOT recommended for China)

Shadowsocks for Windows

Shadowsocks for Android

Shadowsocks for Mac

Note for iOS Users

For iOS, I highly recommend paying $2.99 for Shadowrocket because WhatsApp calls and other VoIP applications don’t work with Potatso Lite or any other iOS app. Shadowrocket is the only stable Shadowsocks client for iOS that will tunnel VoIP through the proxy, so it’s definitely worth the price for it.

Apple has removed all VPN and Shadowsocks apps from the China version of the app store. If your iTunes account is registered with a Chinese address, you need to create a new iTunes account with a foreign address to download these apps.

If you are using a USA iTunes account but don’t have a US credit card to buy apps, you can always buy a $5 USA iTunes gift card on Taobao.

Shadowsocks vs ShadowsocksR (SSR)

The original version is called Shadowsocks (SS). ShadowsocksR (SSR) is a newer version that supports obfuscation, which can make your shadowsocks traffic look more like regular https web traffic. This can prevent your speed from getting throttled by your network or ISP.

The server that we just made is compatible with both SS and SSR clients (if you chose the same parameters as me when creating your server).

All of the clients are a little bit different, but basically you need to enter the following settings (assuming you chose the same options as me).

Server – The IP address of your server
Port – 443
Password – testing (or whatever password you chose)
Encryption – chacha20
Protocol – origin or auth_sha1_v4 (if you choose auth_sha1_v4_compatible for your server, this option is only available for SSR clients)
Obfs – http_simple for obfuscation or plain for no obfuscation (this option is only available in SSR clients)

If there are any other options, leave them as default. Do not enable onetime authentication.

You need to be careful with these settings. If you don’t get it exactly right, then it will seem like the proxy is connected, but you won’t have any connection to the internet. Unlike a VPN, you cannot easily tell if the proxy is actually connected successfully or not.
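The matching rules above can be checked before you start debugging a connection that looks connected but passes no traffic. This is an added example, not code from this tutorial or from the ShadowsocksR project; the JSON key names and the 16-character password threshold are assumptions, and the sample config is constructed from the values used in this tutorial.

```python
import json

# Constructed sample of /etc/shadowsocks.json holding this tutorial's values.
# The key names are an assumption (the usual ShadowsocksR JSON layout).
SAMPLE_SERVER_JSON = """
{
  "server": "0.0.0.0",
  "server_port": 443,
  "password": "testing",
  "method": "chacha20",
  "protocol": "origin",
  "obfs": "http_simple_compatible"
}
"""

SUFFIX = "_compatible"


def load_server(text):
    """Parse the server config JSON text into a dict."""
    return json.loads(text)


def accepted(server_value, baseline):
    """Client values that a server-side protocol/obfs setting accepts.

    "<name>_compatible" accepts both <name> and the baseline ("origin" for
    protocol, "plain" for obfs). Any other value accepts only itself.
    """
    if server_value.endswith(SUFFIX):
        return {server_value[: -len(SUFFIX)], baseline}
    return {server_value}


def check_client(server, client):
    """Return a list of mismatches between a client profile and the server."""
    problems = []
    for client_key, server_key in (("port", "server_port"),
                                   ("password", "password"),
                                   ("encryption", "method")):
        if client.get(client_key) != server.get(server_key):
            # Report the field only; never echo the password itself.
            problems.append(f"{client_key} does not match server {server_key}")
    # An original SS client has no protocol/obfs fields, so it behaves like
    # protocol "origin" with obfs "plain".
    for key, baseline in (("protocol", "origin"), ("obfs", "plain")):
        allowed = accepted(server.get(key, baseline), baseline)
        value = client.get(key, baseline)
        if value not in allowed:
            problems.append(
                f"{key} {value!r} not accepted; server allows {sorted(allowed)}")
    return problems


def weak_password(password, min_length=16):
    """Flag the tutorial's sample password and short passwords.

    min_length is an assumed threshold, not a Shadowsocks requirement.
    """
    return password == "testing" or len(password) < min_length


if __name__ == "__main__":
    server = load_server(SAMPLE_SERVER_JSON)
    ssr_client = {"port": 443, "password": "testing", "encryption": "chacha20",
                  "protocol": "origin", "obfs": "http_simple"}
    ss_client = {"port": 443, "password": "testing", "encryption": "chacha20"}
    wrong = dict(ssr_client, protocol="auth_sha1_v4")
    for name, profile in (("SSR", ssr_client), ("SS", ss_client), ("wrong", wrong)):
        print(name, check_client(server, profile) or "ok")
    if weak_password(server["password"]):
        print("server password is the published sample or too short; change it")
```
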

Here are my settings using the SSR Windows client.

SSR Windows app server options

The way that you enable the system proxy will depend on the version of the client you are using.

Using the SSR Windows client:

Enable the proxy by choosing Mode –> Global or Mode –> PAC.

Disable the proxy by choosing Mode –> disable system proxy.

TIP – Make sure you remember to disable the system proxy before you exit the client or shut down your computer. Otherwise, you will find that you have no internet at all. To solve this problem, just open the shadowsocks client and disable the system proxy.

Global vs PAC Mode

Global will route all domains through the proxy, while PAC will only use the proxy for a specific list of blocked websites such as Google, Facebook, etc and use your ISP connection for everything else. Not every blocked website is part of this PAC list. And even foreign websites that are not blocked are very slow if not using a proxy or VPN.

For this reason, I recommend using the Global mode. It’s easy enough to enable/disable that you can conveniently switch it off if you need to access some Chinese websites.

You can also choose the “Bypass LAN & China” proxy rule to automatically bypass the proxy when connecting to websites or servers in China. This will only bypass the proxy for known China IP addresses and use the proxy for everything else (assuming you are in Global Mode).

Once you have enabled the system proxy using the client, most browsers and applications should work by default. Chrome and IE, for example, will use the system proxy settings (unless you have an extension installed that is controlling the proxy settings).

Other browsers or programs, such as Firefox, may need to be set manually to use the system proxy or use a SOCKS5 proxy on server port 1080 (port 1086 for Mac). The proxy settings can usually be found in the advanced settings for most applications.

Proxies will not work for all programs and all types of web traffic. Sometimes you need to use a VPN for certain things. It is also possible to tunnel a VPN connection over shadowsocks for better VPN performance.

Let’s check the performance of my Tokyo and Los Angeles servers.

Both servers are working but the speed is not great.

[Screenshot: results page]

When testing the speed of shadowsocks, you must remember to use an html5 speed test such as because all proxies will bypass Adobe Flash and you will only test your connection without the proxy if you use or other Flash based speed tests.

Install Google BBR and Optimize the Server

Google BBR is a TCP congestion control algorithm that can give a huge speed boost on networks with high packet loss (basically all of the networks in/out of China).

October 2018 Update – As Google BBR is now included by default with Ubuntu 18.04 on Vultr, you can skip this step. You will still need to do this if you are using a different version of Ubuntu or if using another VPS that doesn’t include BBR with their Ubuntu 18.04 image.

To confirm whether Google BBR is already installed, enter the following command.

lsmod | grep bbr

If you see a text output from this command with the words “tcp_bbr” and a number beside it, then you already have BBR. You can skip the next command.

If you are using an older version of Ubuntu or don’t have BBR installed, then install it using the command below (another great script from Teddy Sun).

wget --no-check-certificate && chmod +x && ./

If you have an incompatible kernel, you will be asked to reboot your server after the kernel is changed. You will need to re-connect using Putty after rebooting.

You can confirm that the installation was successful by using the “lsmod | grep bbr” command again.

Now that bbr is installed, we just have a few more settings to optimize.

Next, change the kernel configuration settings.

nano /etc/sysctl.conf

Add the following lines at the bottom of the file after the net.ipv4.tcp_congestion_control = bbr line.

fs.file-max = 51200
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_mem = 25600 51200 102400
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1

Press Ctrl + X to exit and then press Y to save the file, and press enter to keep the same file name.

Apply the new settings by entering the command below.

sysctl -p

Let’s make a few more optimizations.

nano /etc/security/limits.conf

Add these lines to the bottom of the file, including the * symbol.

* soft nofile 51200
* hard nofile 51200

Press Ctrl + X to exit and then press Y to save the file, and press enter to keep the same file name.

Next, enter this command.

nano /etc/pam.d/common-session

Add the following line at the end of the file.

session required

Press Ctrl + X to exit and then press Y to save the file, and press enter to keep the same file name.

nano /etc/profile

Add the following line at the end of the file.

ulimit -n 51200

Finally, type the command below.

ulimit -n 51200

Restart the shadowsocks server again.

/etc/init.d/shadowsocks restart

The optimizations are finished!
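To confirm that the kernel accepted the values added to /etc/sysctl.conf above (including bbr as the active congestion control), they can be compared with the live values under /proc/sys. The following is an added example, not part of the original tutorial; the function name check_sysctl is chosen here, and a key the running kernel does not provide (net.ipv4.tcp_tw_recycle, for instance, was removed in Linux 4.12) is reported as MISSING.

```shell
#!/bin/sh
# check_sysctl CONF [PROC_SYS]   (hypothetical helper name, added example)
# Compare every "key = value" line in CONF with the live value under
# PROC_SYS (default /proc/sys). Prints one line per key:
#   OK <key> | DIFF <key> want=<v> have=<v> | MISSING <key>
# Returns 1 if any key is DIFF or MISSING, otherwise 0.
check_sysctl() {
    conf=$1; root=${2:-/proc/sys}; rc=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*|';'*) continue ;;      # blank lines and comments
            *=*) ;;                        # a setting, handled below
            *) continue ;;
        esac
        key=$(printf '%s\n' "${line%%=*}" | awk '{print $1}')
        # awk '{$1=$1; print}' collapses runs of spaces/tabs to single spaces
        want=$(printf '%s\n' "${line#*=}" | awk '{$1=$1; print}')
        path=$root/$(printf '%s' "$key" | tr . /)   # net.core.x -> net/core/x
        if [ ! -r "$path" ]; then
            echo "MISSING $key"; rc=1; continue
        fi
        have=$(awk '{$1=$1; print}' "$path")
        if [ "$have" = "$want" ]; then
            echo "OK $key"
        else
            echo "DIFF $key want=$want have=$have"; rc=1
        fi
    done < "$conf"
    return "$rc"
}

# Live use on the server: check_sysctl /etc/sysctl.conf
```

A DIFF line usually means sysctl -p has not been run yet or the kernel clamped the value; a MISSING line means the setting has no effect on this kernel.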

I can see a big improvement in the speeds after the optimizations.

[Screenshot: results after optimisation]

The speed is between 10 times and 25 times faster now!

The speed test was done at 11pm, the speed will be even faster during non-peak hours.

Speed test the following morning…

[Screenshot: results - next day]

Bonus Section – Advanced Customization

How to open more ports and share your server with friends

Warning! Make sure you only share your server with friends or people who you trust because you will be responsible for any illegal activities originating from the IP address of your server.

The easiest way to share your server is to simply tell your friends the port number and password of your server. Everyone can use port 443 with the same password, there is no limit to how many simultaneous connections can be made.

However, if you want to give each user their own unique port number and password, you can edit the shadowsocks.json file.

nano /etc/shadowsocks.json

Delete all of the contents of the file and then paste the contents below (using your own combination of port numbers and passwords that you wish to use).


    "port_password": {
        "443": "password1",
        "1194": "password2",
        "8000": "password3",
        "8383": "password4",
        "8384": "password5",
        "3000": "password6", 
        "3001": "password7", 
        "3002": "password8",
        "3003": "password9", 
        "3004": "password10", 
        "3005": "password11", 
        "3006": "password12", 
        "3007": "password13", 
        "3008": "password14", 
        "3009": "password15", 
        "3010": "password16"

The above configuration is just an example, you can use whatever ports and passwords you want.

Don’t forget to restart shadowsocks after you make changes to the config file.

/etc/init.d/shadowsocks restart

How to limit data per user/port

There is probably a much better way to do this, but this is the method I found.

This is a quick and easy way to get this job done but it has a major flaw. If your VPS is rebooted, then the data counters will be cleared. Theoretically, there should be some way to save the byte counters and restore them after a reboot. Or, there is probably a better way to do it altogether, but I don’t know any such method so I will just show you what I know.

If you know of a better way to do this then get in touch with me by email and let me know your method so I can update this page.

In this example, I will add firewall rules to limit the data transferred on each port. I will add a data limit of 50GB for port 443 and 10GB for each of the other ports I have set up.

Enter the following commands (using the port numbers which you have configured with the data limit in bytes that you want to set).

sudo iptables -I OUTPUT -p tcp --sport 443 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 443 -m quota --quota 50000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 1194 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 1194 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 8000 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 8000 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 8383 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 8383 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 8384 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 8384 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3000 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3000 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3001 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3001 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3002 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3002 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3003 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3003 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3004 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3004 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3005 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3005 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3006 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3006 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3007 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3007 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3008 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3008 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3009 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3009 -m quota --quota 10000000000 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 3010 -j DROP
sudo iptables -I OUTPUT -p tcp --sport 3010 -m quota --quota 10000000000 -j ACCEPT

To check the firewall rules and how much data has been used by each user/port, enter this command.

Note – Adjust the width of the Putty or terminal window before entering this command because the default width is not enough to show the output correctly.

sudo iptables -nvL -t filter --line-numbers

Use the scrollbar on the right of the Putty window to scroll up and see the OUTPUT chain.

In this example, I have added 32 new firewall rules to the top of the OUTPUT chain. The output of the OUTPUT chain of the above command should look like this (2 rules for each port).

[Screenshot: output of iptables command to check firewall rules]

Make note of the first column (chain number) for each line. The chain number will be used in some of the commands below.

As you can see, I have used 24MB of data on port 3000 and 56MB of data on port 443 since adding these firewall rules. Once the quota has been used up (50GB for port 443, 10GB for all other ports in my example) for a specific port, then the proxy will stop working for the user/users of that port (until you reset the counter or reboot the server).
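Reading 32 rules by eye gets tedious, so the listing can be summarised per port instead. The following is an added example, not part of the original tutorial: quota_report and sample_listing are names chosen here, the sample listing is constructed (using the 24MB and 56MB figures mentioned above), and it expects the listing to be produced with -x so that byte counts are exact rather than rounded.

```shell
#!/bin/sh
# Constructed sample of `iptables -nvxL OUTPUT --line-numbers` output
# (-x prints exact byte counts instead of rounded K/M/G values).
sample_listing() {
cat <<'EOF'
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1       17000 24000000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:3000 quota: 10000000000 bytes
2           0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:3000
3       40000 56000000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443 quota: 50000000000 bytes
4           0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443
5     7100000 9999999000 ACCEPT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:8000 quota: 10000000000 bytes
6         120   168000 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:8000
EOF
}

# quota_report [WARN_PCT]: reads a listing on stdin, prints one line per port:
#   rule=<n> port=<p> used=<bytes> quota=<bytes> pct=<x.x> status=<ok|warn|exhausted>
quota_report() {
    awk -v warn="${1:-80}" '
    $4 == "ACCEPT" || $4 == "DROP" {
        port = ""; quota = ""
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^spt:[0-9]+$/) port = substr($i, 5)
            if ($i == "quota:")      quota = $(i + 1)
        }
        if (port == "") next                  # e.g. the "Chain OUTPUT (policy ACCEPT ..." header
        if ($4 == "ACCEPT" && quota != "") {  # quota rule: bytes let through so far
            rule[port] = $1; used[port] = $3 + 0; limit[port] = quota + 0
            order[++n] = port
        } else if ($4 == "DROP") {            # fallback rule: only hit once the quota is spent
            dropped[port] = $3 + 0
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            p = order[k]; pct = used[p] * 100 / limit[p]
            status = "ok"
            if (pct >= warn) status = "warn"
            if (dropped[p] > 0) status = "exhausted"
            printf "rule=%s port=%s used=%.0f quota=%.0f pct=%.1f status=%s\n",
                   rule[p], p, used[p], limit[p], pct, status
        }
    }'
}

# Live use (root needed): iptables -nvxL OUTPUT --line-numbers | quota_report 80
```

The rule= value printed for each port is the number to pass to the counter reset and delete commands.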

To clear the data counters for all users/ports, enter this command.

sudo iptables -Z OUTPUT

To clear the counter for a specific user, enter this command.

sudo iptables -Z OUTPUT #chain number

#chain number = The number shown in the first column when you use the “sudo iptables -nvL -t filter --line-numbers” command shown above.

For example, to clear the byte counter for port 443, this is the command.

sudo iptables -Z OUTPUT 31

Now the data counter for port 443 has been reset to 0.

To delete the firewall rules for a specific port, first note the 2 chain numbers related to the port you want to delete. For example, to remove the data limit for port 3000, we need to delete chain numbers 21-22.

sudo iptables -D OUTPUT 21
sudo iptables -D OUTPUT 21

Note – The above commands are not a mistake, you enter the same command twice. After you delete chain #21 then all of the chains below it will shift up. Chain #22 becomes chain #21, #23 becomes #22, so on and so forth.

To make these firewall rules persistent after a reboot, use the following commands.

Note – The data counters will still be reset to zero after a reboot, only the rules themselves will be persistent.

sudo apt-get install iptables-persistent

sudo invoke-rc.d iptables-persistent save

This is the end of the bonus section for now. Maybe it will be updated to include more later on…
