Domain name is the easiest part. Type: Inbound / Outbound. Vice versa. Shadowsocks protocol, for both inbound and outbound connections. Well, what does "protect" mean here? For the server side, try to use this nginx configuration: I bought a domain name super*****.xyz. All strings must be enclosed in double quotes " "; since all keys are strings, keys must also be enclosed in double quotes. See command line args for advanced usages. netstat shows the ss server is listening on both tcp and udp. The client-server must have an incoming and outgoing configuration. If this field is not specified, V2Ray auto detects OTA settings from incoming connections. Difficulty getting nginx and shadowsocks-libev with v2ray-plugin to work. This is mine: At the end of the install script, the parameters are redisplayed: Add lines for the plugin and plugin options, like this: Remember the comma after what used to be the last option. Change the config files to suit your preferences, using the configuration section of the official wiki for guidance and read our protocol explanation below. Right-click on the download, and use 7-Zip to extract v2ray-plugin-windows-amd64-v1.3.1.tar. A configuration file looks like this. However, because V2Ray supports many functions, the configuration is inevitably more complicated. Whether or not to use OTA. Sign the certificate signing request, creating your certificate: Generate a private key for your server certificate: Make the server private key readable by Nginx: Delete the default contents, and enter contents as below: Change /abcdefgh to a secret path of your choice. Pure SS will work with any TCP/UDP traffic. Actually, it only cost me 10$ to have this vps for 2 years. 
And this is my detailed instruction for Russian-speaking rookies: https://overclockers.ru/blog/Indigo81/show/31739/shadowsocks-cherez-cloudflare-cdn-povyshaem-bezopasnost-v-seti. Hi all, I just finished reading this thread and have a couple of questions, as I'm interested in trying out the ss+v2ray setup too. In some usages, the address part can be omitted, like ":443". V2Ray uses protobuf-based configuration. You can still access your vps even if it is blocked by gfw. Before V2Ray runs, it automatically converts JSON config into protobuf. Click the Add button. .win). For example, right now the most recent release is Shadowsocks-4.4.0.185.zip. Shadowsocks server address. This article discusses the details of why AEAD based encryption algorithms are safer than stream encryption + OTA algorithms. Configure Firefox to use a Manual proxy configuration. Since V2ray is taking over the http traffic, the port specified in ss-libev is actually served by v2ray, and then the decoded traffic is passed to ss-libev through an insignificant port number. Copy the binary into the same folder as the extracted shadowsocks binaries. 2019-01-19 Update the information of v2ray-plugin of Shadowsocks. Yet another SIP003 plugin for shadowsocks, based on v2ray, https://circleci.com/gh/shadowsocks/v2ray-plugin/20#artifacts, Alternatively, you can grab the latest nightly from Circle CI by logging into Circle CI or adding. Here is the config content. However, it still tells that "no internet connection: unable to resolve host www.google.com No address associated with hostname ", I guess that there must be something wrong with the nginx-v2rayplugin forwarding chain. If true and the incoming connection doesn't enable OTA, V2Ray will reject this connection. If not, you can install it by following this instruction. Is there a way for us to check if the setup/obfuscation is working fine? Shadowsocks. It does work. In this section, the obfuscation configuration using v2ray-plugin will be introduced. sudo nano /etc/init.d/v2ray. 
So could anyone tell me how I came to this problem? A typical object is like below: V2Ray supports comments in JSON, annotated by "//" or "/* */". But with Cloudflare there are more possibilities. Server may choose to enable, disable or auto. V2Ray Protocols Explained. Available formats are: Path to the local config file. Right-click on that, and use 7-Zip again to extract from this the application v2ray-plugin_windows_amd64.exe. 4. JSON, or JavaScript Object Notation, is in short objects in JavaScript. Note that you would need extra configuration on your client shadowsocks application so that obfuscation works. "plugin-opts" should be "plugin_opts". starting shadowsocks command. Therefore we directly give the example configuration. Besides, this gist suggests AES based algorithm performs badly on ARM processors. Hello I'm using the V2Ray plugin, I need to pass the plugin arguments like this: tls; host=example.com ;path=/wss;loglevel=none But unfortunately the plugin asks for a cert file which is incorrect, it shouldn't ask for that when in client mode, it should ask for that only in server mode. VMess A key value pair usually ends with a comma ",", but must not end with a comma if it is the last element of the object. There are multiple versions of Shadowsocks available, including the original Python based Shadowsocks, the Shadowsocks-libev, and ShadowsocksR. Before this section is finished, I would like to talk more about some details about the configuration. What Android client do you use? Hopefully this time it will work :). It's http://localhost:8388; NOT http://localhost:8388/; . The only two booleans are true and false. VMess Finally, the shadowsocks server can be started as the previous section mentioned. V2ray configuration file format. But it can be visited using ss. An address with port, such as "8.8.8.8:53" or "www.v2ray.com:80". 
Your run of the script will look like this: Wait while the installs and compiles take place. Issue the command below, replacing 123.45.67.89 by your actual server IP address: Open a Run box (Win+r), type mmc, and click OK. (I searched about JSON on Google. The article is rather long-winded; I guess it's for programmers, so we don't need to get confused.) In addition, I think I need to add a few points to the introduction of the document: All punctuation marks in JSON file must use half-width symbols (English symbols). Ahhhhhh! Select the option Add/Remove Snap-in. Is using Cloudflare a must? After trial and error for nearly 2 hours, hmm. Eventually I got 404. Nothing in Error.log. Very frustrating. chacha20-ietf-poly1305. Could anybody help me investigate the issue? It is a port of shadowsocks created by @clowwindy maintained by @madeye and @linusyang. Based on alpine with latest version shadowsocks-libev and v2ray-plugin, xray-plugin. Docker images are built for quick deployment in various computing cloud providers. Our example is 8008. Then attach the following lines to your configuration file so that Shadowsocks-libev uses v2ray-plugin to obfuscate its data stream. Unlike Shadowsocks, V2ray supports numerous protocols, both inbound and outbound. Give it a try. "password":"yourshadowsocksserverpassword", "plugin_opts":"path=/yourpath;host=your.host.name;tls". Extract the contents of the archive. An object whose keys and values have fixed types. Please input password for shadowsocks-libev: (Default password: teddysun.com):socKsecreT2021%d, Please enter a port for shadowsocks-libev [1-65535]. For values, if it's a string it needs quotes, while numbers do not need to be double quoted. By following its README file, Shadowsocks-libev could be installed with the following two commands. "plugin_opts":"server;host=example.com;path=/example;loglevel=none". 
Because of the protocol bug, OTA (one-time authentication) of Shadowsocks has been deprecated and switched to AEAD (authenticated encryption with associated data). (124** Android 4G; 222** Windows PC) Select Computer account, and click Next. From the Firefox hamburger menu, choose Settings. Sometimes it's faster than directly connecting to your vps (depending on the vps location). However, UDP doesn't seem to work. If you would like to shut down the server, use ps -ef | grep ss-server to get the pid of your shadowsocks server, and then kill the process using kill. I checked the profile.db-wal with notepad and incorrect arguments are passed to the plugin, that's why it never connects. If you're not logged in as root, then become root as follows. Your Password : socKsecreT2021%d, Welcome to visit:https://teddysun.com/358.html, scp root@123.45.67.89:/etc/openssl/ca.crt Downloads/ca.crt, https://github.com/shadowsocks/shadowsocks-windows/releases, https://github.com/shadowsocks/v2ray-plugin/releases, https://www.mozilla.org/en-US/firefox/new, X-UI, a multi-user Xray graphical management panel (replacing V2-UI and V2Ray). Supports OTA. Caution "server":["[::1]", "127.0.0.1"], What's more, I found a detailed instruction on setting-up vray-plugins and nginx server for Chinese-speaking rookies. No. The implementation of Shadowsocks in V2Ray is compatible with Shadowsocks-libev, Go-shadowsocks2 and other clients based on the Shadowsocks protocol. There could be a lot of reasons leading to this. Now use the following command to start v2ray serving in a background process. Warning: HTTP only provides a moderate (but lightweight) traffic obfuscation. Cautious users should refrain from using this mode. Here we introduce the JSON-based configuration. 
I have nginx on port 3128 forwarding to port 10001 internally, and v2ray-plugin configured to 127.0.0.1:10001. v2ray-plugin will look for TLS certificates signed by acme.sh by default. When AEAD encryption is used, ota has no effect. Better yet, V2Ray has built in obfuscation to hide traffic in TLS, and can run in parallel with web servers. They will be referenced in the rest of docs. May be IPv4, IPv6 or domain address. By assigning a URL to obfs-host parameter on the client, your data stream will look like data accessing the URL you defined. Installation. Lastly, you're able to use a very cheap vps with only ipv6 addresses. A domain name costs much less than your VPS. The configuration is similar to VMess. Yup, all internet surfing is working fine :) I saw a post before saying that we could inspect the traffic header to make sure there is no 'thumbprint' so it will not be flagged by gfw's dpi. ss will only work for http/https traffic, any other protocol will be routed (go directly) to the destination? vray_plugin should listen on both ipv4 and ipv6. I almost gave up, but I succeeded with the last attempt. Specify the SOCKS Host at IP address 127.0.0.1, Port 1080. Will you consider this? Regarding the format of JSON, you can see V2Ray Document. But when I only add tls support for nginx and modify client config accordingly, it did not work. Remove = from location = /ssm like location /ss. I don't believe you can pass nginx -t with your config; remove last / from http://127.0.0.1:9999/ like http://127.0.0.1:9999. 
If you just want to use tls, remove all location = /ss { } code block from your 80 listen. Restart Shadowsocks with your configuration file which now specifies the V2Ray plugin: Now you are going to work on the Windows PC that will be your client. Compatibility with official version: Supports both TCP and UDP connections, where UDP can be optionally turned off. Typically you'll get $2.95 a year for a domain (e.g. The server received the packets but it seems shadowsocks with v2-ray plugin on the server side cannot handle the UDP packet. Once you've finished editing the config file (suppose the file name is config.json), you can start the shadowsocks server by executing the following command. By following this post, you can create an SS + V2Ray plugin server without having to buy a domain name. In your browser, download the most recent V2Ray plugin for Windows from https://github.com/shadowsocks/v2ray-plugin/releases. Or, perhaps Nginx couldn't handle the UDP packets. Please select stream cipher for shadowsocks-libev: Which cipher you'd select(Default: aes-256-gcm):1, Press any key to startor press Ctrl+C to cancel. shadowsocks-libev. V2Ray supports many protocols, including Socks, HTTP, Shadowsocks, VMess, and more. Just configure V2Ray and just look at it here. shadowsocks-libev is a lightweight secured socks5 proxy for embedded devices and low end boxes. Finally, I get where the bug is! If you care about the speed a lot while feeling it's okay to change your server's IP some times when they are unluckily blocked, you don't need obfuscation. Open Windows PowerShell (right-click on Windows Start button, then select Windows Terminal). I have always thought we can't ask questions not related to development in here. V2Ray can be configured as either a Shadowsocks server or a client. 
Therefore, it is recommended to understand the format of JSON before the actual configuration. Only TCP goes through the plugin. ss-server -c config.json -p 443 --plugin v2ray-plugin --plugin-opts "server;mode=quic;host=mydomain.me" In this way all your traffic is encrypted. Today I'd like to try the v2ray plugin but I came to similar problems. Install required Ubuntu packages. UDP bypasses the plugin (by shadowsocks design) and will try to connect to plain shadowsocks. Required. By deploying the Shadowsocks server in 443 port, your Shadowsocks data stream looks more like a data stream for web browsing via HTTPS. openssl ecparam -out ca.key -name secp384r1 -genkey, openssl req -new -sha256 -key ca.key -out ca.csr, State or Province Name (full name) [Some-State]:NSW. The difference is that we use Shadowsocks protocol and its parameters. When AEAD encryption is used, this field has no effect. In the end I suggest that you enable SSL. As protobuf format is less readable, V2Ray also supports configuration in JSON. nohup ss-server -c /path/to/config.json >> /path/to/log.txt &, Installing Shadowsocks and Get it Running. That being said, other configuration formats may be introduced in the future. Thanks a lot. chacha20-poly1305 a.k.a. I have successfully run ss-libev on my VPS (CentOS 8 x64 ) without any plugins. v2ray-plugin through nginx with tls is not working properly. If you are among its target users, you would know. client. 
Yet another SIP003 plugin for shadowsocks, based on v2ray. The resolution of the name localhost to one or more IP addresses is normally configured by the following lines in the operating system's hosts file: config.json could be as following: Is that ok? Shadowsocks is a secure socks5 proxy and was designed to protect your internet traffic. As the other forums (linux, ubuntu, etc) don't have this topic. It will be named something like v2ray-plugin-windows-amd64-v1.3.1.tar.gz. It's also worth mentioning that some Wi-Fi networks have firewalls that stop connections to other ports except for normal ports such as 443, 80, 22, etc. P.S. Because of the pandemic, not sure when we could travel to China, so hopefully we could set up everything and make sure it's running when we can travel. SS+any plugin will work only with any TCP traffic. You can find commands for issuing certificates for other DNS providers at acme.sh. In Settings, on the General page, under Network Settings, click Settings. By the way, until now I don't know where to register a domain name at an acceptable cost (not a subdomain name) to utilize CLOUDFLARE service. Check access.log and error.log in /var/log/nginx to see if your request is received and processed. 2018-11-09 Adapt to v4.0+ configuration format. Alternatively, you can specify path to your certificates using option cert and key. ss will only work with IPv4, IPv6 will be routed (go directly) to the destination? URI of the configuration. And one last question - would using a webserver (nginx proxy_pass) be more secure? Configuration. In the Microsoft Management Console: Click File. Default value is false. Otherwise, it'd be great if we could just have an option to pass plugin options as a string (for v2ray plugin) or as a JSON file (for cloak plugin). 
Then continue like this: Open a browser and go to https://github.com/shadowsocks/shadowsocks-windows/releases. V2Ray's Shadowsocks protocol has adopted AEAD, but it is still compatible with OTA. Password in Shadowsocks protocol. openssl dhparam -out /etc/nginx/dhparam 2048; ssl_certificate /etc/openssl/example.com.crt; ssl_certificate_key /etc/openssl/example.com.key; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; wget https://github.com/shadowsocks/v2ray-plugin/releases/download/v1.3.1/v2ray-plugin-linux-amd64-v1.3.1.tar.gz, tar -xf v2ray-plugin-linux-amd64-v1.3.1.tar.gz, cp v2ray-plugin_linux_amd64 /usr/bin/v2ray-plugin, wget https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocks-libev-debian.sh, #############################################################, # Install Shadowsocks-libev server for Debian or Ubuntu #, # Intro: https://teddysun.com/358.html #, # Author: Teddysun #, # Github: https://github.com/shadowsocks/shadowsocks-libev #, [Info] Latest version: shadowsocks-libev-3.3.5. In an editor that doesn't support comments, they may get displayed as errors, but comments actually work fine in V2Ray. There is no issue. So here's the full text of the /etc/nginx/nginx.conf. Required. Sequence of characters, surrounded by quotation mark. 
Instead of using cert to pass the certificate file, certRaw could be used to pass in PEM format certificate, that is the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- without the line breaks. Our example is socKsecreT2021%d. Here are some sample commands for issuing a certificate using CloudFlare. Thought I did something wrong when it shows my vps ip instead of the cdn's ip. I have tested nginx tls, it works. Shadowsocks-libev Docker Image by Teddysun. Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: openssl x509 -req -sha256 -days 365 -in ca.csr -signkey ca.key -out ca.crt, openssl ecparam -out example.com.key -name secp384r1 -genkey, openssl req -new -sha256 -key example.com.key -out example.com.csr, openssl x509 -req -in example.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.com.crt -days 365 -sha256. For the purpose of installing plugins for obfuscation (in the following section), the Shadowsocks-libev is chosen here. Unfortunately when I tried to run ss with v2ray plugin Download shadowsocks-rust for Linux 64-bit from GitHub. I've set up a Google Cloud instance, firewall has port 3128 open. One JSON file contains one and only one JSON object, beginning with "{" and ending with "}". Email address. Boolean value, has to be either true or false, without quotation mark. On Windows, you can either use PowerShell or a graphical user interface (GUI) such as PuTTY or XSHELL. 
ss-local -c config.json -p 443 --plugin v2ray-plugin --plugin-opts " mode=quic;host=mydomain.me " Issue a cert for TLS and QUIC. sudo apt install shadowsocks-libev. And each protocol may have its own transport, such as TCP, mKCP, WebSocket, etc. @vanyaindigo that's the best news for today as I have read, learned and set up a ss+v2ray+tls+cdn without reverse proxy. Unzip Shadowsocks-4.4.0.185.zip. Can be any string. If you have configured Shadowsocks-libev before, compare with it, and you will be able to understand the example in this section. Do you use "official" shadowsocks and v2ray plugin client? Yes, I read a lot of articles, all told it should work but it did not. Weird. It seems to be the issue of nginx reverse proxying websocket with tls. This means the HTTP connection is not good. Thus, it has been suggested that AES based algorithms shall be used for desktop clients, while chacha based algorithms shall be used for mobile clients. I did try installing before from the reddit post, but somehow got stuck at getting the certificate - authentication error, so after many tries, I decided to try another method.