free-public-interest-shadowsocks-servers

Ник Пост Дата

computerscot(computerscot)

Ник	Пост	Дата
computerscot(computerscot)	Some people need a quick and free way to access a Shadowsocks server. At the same time, other people are willing to provide free Shadowsocks servers, if they are in the public interest. One thing that puts people off from providing free Shadowsocks servers is that you are effectively acting as an exit node. Whatever anyone does on your server can be blamed on you. The architecture in this post addresses this problem. It makes it safer for anyone to offer free public-interest Shadowsocks servers. `+-------------+ +--------+--------+ \| SS \| \| SS \| Tor \| \| Client +------->+ Server + Client +------> TOR NETWORK \| \| \| \| \| +-------------+ +--------+--------+` The free server accepts SS traffic, but forces it into the Tor network. The risk is shunted to the knowledgeable and well-resourced organizations who host Tor exit nodes. Also, since Tor will be slower than a commercial VPN, your server will not be exploited by cheap people who want a VPN but want someone else to pay for it. Here is how to set up such a server. Set Up Tor Client Install the prerequisite package to access the Tor repositories: `apt install -y apt-transport-https` Create `/etc/apt/sources.list.d/tor.list` like the example below (the distribution here is Ubuntu 22.04 also known as `jammy`): `deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org jammy main deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org jammy main` Get the Tor signing key: `wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc \| gpg --dearmor \| tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null` Install Tor: `apt update && apt install -y tor deb.torproject.org-keyring` By default, Tor listens for SOCKS traffic on port `9050`: `systemctl status tor@default` `ss -tulpn \| grep 9050` SS Server Choose a port: `echo $((1024 + $RANDOM))` Choose a password: `< /dev/urandom tr -dc A-Z-a-z-0-9 \| head -c${1:-24};echo;` Install the latest version of Xray to host your SS server: `bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install --beta -u root` Edit the Xray configuration file `/usr/local/etc/xray/config.json`. Make it look like this. Note that Tor handles TCP only, and therefore the SS input must also be TCP only. (Firefox has a feature to send DNS queries through a SOCKS tunnel.) `{ "inbounds": [ { "port": <PORT-NUMBER>, "protocol": "shadowsocks", "settings": { "clients": [ { "password": "<PASSWORD>", "method": "chacha20-poly1305" } ], "network": "tcp" } } ], "outbounds": [ { "protocol": "socks", "settings": { "servers": [ { "address": "127.0.0.1", "port": 9050 } ] } } ] }` Restart Xray with your configuration: `systemctl restart xray && systemctl status xray` Communicate Shadowsocks Parameters Supply the server IP address, port, password, and encryption method to the public. You can also supply them as a URL-style `ss://` link or as a QR code. Most SS clients can import server parameters from a URL or on-screen QR code.	2023-09-21T18:57:32.270Z
Snawoot	It’s a bad idea in general to provide public shadowsocks service because this protocol is not designed for that. Password is used as a key material for encryption, therefore sharing it publicly will allow to decrypt all shadowsocks sessions. There is already some VPN provider called nthLink which uses shadowsocks for all users and has such fatal flaw: [EN] Stripping nthLink VPN encryption \| Snawoot.github.io [RU] Снимаем шифрование nthLink VPN / Хабр	2023-09-21T19:17:41.715Z

Some people need a quick and free way to access a Shadowsocks server.

At the same time, other people are willing to provide free Shadowsocks servers, if they are in the public interest.

One thing that puts people off from providing free Shadowsocks servers is that you are effectively acting as an exit node. Whatever anyone does on your server can be blamed on you.

The architecture in this post addresses this problem. It makes it safer for anyone to offer free public-interest Shadowsocks servers.

+-------------+        +--------+--------+
| SS          |        | SS     | Tor    |
| Client      +------->+ Server + Client +------> TOR NETWORK
|             |        |        |        |
+-------------+        +--------+--------+

The free server accepts SS traffic, but forces it into the Tor network. The risk is shunted to the knowledgeable and well-resourced organizations who host Tor exit nodes.

Also, since Tor will be slower than a commercial VPN, your server will not be exploited by cheap people who want a VPN but want someone else to pay for it.

Here is how to set up such a server.

Set Up Tor Client

Install the prerequisite package to access the Tor repositories:

apt install -y apt-transport-https

Create /etc/apt/sources.list.d/tor.list like the example below (the distribution here is Ubuntu 22.04 also known as jammy):

deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org jammy main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org jammy main

Get the Tor signing key:

wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

Install Tor:

apt update && apt install -y tor deb.torproject.org-keyring

By default, Tor listens for SOCKS traffic on port 9050:

systemctl status tor@default

ss -tulpn | grep 9050

SS Server

Choose a port:

echo $((1024 + $RANDOM))

Choose a password:

< /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-24};echo;

Install the latest version of Xray to host your SS server:

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install --beta -u root

Edit the Xray configuration file /usr/local/etc/xray/config.json. Make it look like this. Note that Tor handles TCP only, and therefore the SS input must also be TCP only. (Firefox has a feature to send DNS queries through a SOCKS tunnel.)

{
    "inbounds": [
        {
            "port": <PORT-NUMBER>,
            "protocol": "shadowsocks",
            "settings": {
                "clients": [
                    {
                        "password": "<PASSWORD>",
                        "method": "chacha20-poly1305"
                    }
                ],
                "network": "tcp"
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "socks",
            "settings": {
                "servers": [
                    {
                        "address": "127.0.0.1",
                        "port": 9050
                    }
                ]
             }
        }
    ]
}

Restart Xray with your configuration:

systemctl restart xray && systemctl status xray

Communicate Shadowsocks Parameters

Supply the server IP address, port, password, and encryption method to the public. You can also supply them as a URL-style ss:// link or as a QR code. Most SS clients can import server parameters from a URL or on-screen QR code.

2023-09-21T18:57:32.270Z

Snawoot

It’s a bad idea in general to provide public shadowsocks service because this protocol is not designed for that. Password is used as a key material for encryption, therefore sharing it publicly will allow to decrypt all shadowsocks sessions. There is already some VPN provider called nthLink which uses shadowsocks for all users and has such fatal flaw:

2023-09-21T19:17:41.715Z