- Reformulated - Added description for `clients` parameter - Added example for proper password generation
3.6 KiB
Shadowsocks
The Shadowsocks protocol is compatible with most other implementations of Shadowsocks. The server supports TCP and UDP packet forwarding, with an option to selectively disable UDP.
Supported Encryption Methods
The currently supported methods are following:
- Recommended encryption methods:
2022-blake3-aes-128-gcm
2022-blake3-aes-256-gcm
2022-blake3-chacha20-poly1305
- Other encryption methods:
aes-256-gcm
aes-128-gcm
chacha20-poly1305
/chacha20-ietf-poly1305
xchacha20-poly1305
/xchacha20-ietf-poly1305
none
/plain
The Shadowsocks 2022 new protocol format improves performance and includes complete replay protection, addressing the following security issues in the old protocol:
- Serious vulnerabilities in Shadowsocks AEAD encryption, which cannot guarantee the integrity of the communication content
- Increasing false positive rate of the original TCP replay filter over time
- Lack of UDP replay protection
- TCP behaviors that can be used for active probing
::: danger Traffic transmitted without encryption using the "none" method will be in plain text. Do not use it on public networks for security reasons. :::
InboundConfigurationObject
{
"settings": {
"clients": [],
"password": "password",
"method": "aes-256-gcm",
"level": 0,
"email": "love@xray.com",
"network": "tcp,udp"
}
}
clients
: a list ofClientObject
, empty list considered valid
The password
parameter can be specified for the server at all, but also in the ClientObject
being dedicated to the given user. Server-level password
is not guaranteed to override the client-specific one.
network
: "tcp" | "udp" | "tcp,udp"
The supported network protocol type. For example, when specified as "tcp"
, it will only handle TCP traffic. The default value is "tcp"
.
ClientObject
{
"password": "密码",
"method": "aes-256-gcm",
"level": 0,
"email": "love@xray.com"
}
method
: string, any of the supported methods
Required.
password
: string
Required. For Shadowsocks 2022 a pre-shared base64
random key similar to WireGuard's keys should be used as the password. The command
openssl rand -base64 <length>
could used to generate a key. The length of the required key for shadowsocks-rust
implementation depends on the encryption method:
Encryption Method | Key Length |
---|---|
2022-blake3-aes-128-gcm |
16 |
2022-blake3-aes-256-gcm |
32 |
2022-blake3-chacha20-poly1305 |
32 |
In the go-shadowsocks
implementation written in Golang, a 32-byte key always works.
For any other encryption method any string could be used. There is no limitation on the password length, but shorter passwords are more susceptible to cracking. It is recommended to use a random-generated password of 16 characters or longer. The following example generates 40-characters length password:
sudo strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 40 | tr -d '\n'; echo
level
: number
The user level that the connection will use to determine the corresponding Local Policy.
The value of level
corresponds to the value of level
in the policy. If not specified, the default value is 0.
The user's email, used to differentiate traffic from different users for logs or statistics.