Installing shadowsocks on a NAT VPS

Important note: I do not mean this tutorial to help users in China or Russia evade internet censorship. These national firewalls often block shared IPs provided by NAT VPS provider’s.

Shadowsocks is a piece of software that allows anyone with a VPS to create an obfuscated proxy server. It is very popular in China, where the “Great Firewall” not only blocks any website’s that Winnie the Pooh, I mean Xi Jinping dislikes, but also blocks all common VPN protocols that are used to bypass that internet censorship.

I mean this article for Western users who want to set-up a VPN on a cheap NAT (shared IP) but may find some advantage in using Shadowsocks. At the moment, the main for someone in the west in using Shadowsocks is as a universal double-hop VPN set-up that even works on mobile devices (using Shadowsocks FOSS and OpenVPN for Android together, for example).

Before following this tutorial, you will need following:

A VPS with a shared Ipv4 address and Debian 10 or 11 installed

Highly Recommended use public key authentication (DigitalOcean has a good tutorial for this)

Highly Recommended Set up automatic updates

Part 1: Noting down your port range

As the Ipv4 address on a NAT VPS service are shared across many users, your provider will allow you to access a few specific ports to host services from. Normally. they will allocate you around 20 ports (1 port for SSH and 19 for other uses).

Though, each NAT provider will often have a different way of telling you what ports that are assigned. Some providers even require you to calculate your ports based on the Shared public IP address and your internal NAT IP address.

Fortunately for me, the VPS used is from Gullo Hosting, who have a Calculator that you put your internal NAT IP address. This calculator (based on the NAT IP) returns; the shared IP address, your assigned ports and your SSH ports.

Part 2: Update your VPS

Almost all VPS providers are running outdated Operating System images. Unless you want to back hacked within hours (and probably cry about the VPS being terminated over that on LET), update the VPS as soon as possible.

Updating is simple, just run (add sudo to the front of the commands if not logged in as root);

apt update;apt-upgrade -y

Then reboot.

Part 3: Installing shadowsocks-libev

Even though it’s recommended to install Shadowsocks-libev using snaps, cheaper VPSs that use OpenVZ 7 have capability issues with snap. Instead, we will install it using apt.

Use the following command to install shadowsocks-libev (add sudo to the front of the commands if not logged in as root):

apt install shadowsocks-libev

Next, we need to generate a random password and copy it for the configuration file. To generate the password, use the following command:

openssl rand -base64 16

Now we have the password, we need to configure shadowsocks-libev. Open the configuration file with the following command (add sudo to the start if not logged in as root):

nano /etc/shadowsocks-libev/config.json

Now you’ve opened config.json, delete the existing contents with ctrl+k and

replace with the following (in bold):

{

"server":["::0","0.0.0.0"],

"server_port":Your-Port,

"method":"chacha20-ietf-poly1305",

"password":"Your Password",

"mode":"tcp_and_udp",

"fast_open":false

}

Replace Your-Port with one port your NAT VPS provider assigned you and replace Your Password with the one generated beforehand (remember to keep the quote marks).

Finally, it is time to start the server and enable automatic starting on reboot. Issue the follow command (add sudo to both commands if not root).

systemctl restart shadowsocks-libev;systemctl enable shadowsocks-libev

Now you should have a working shadowsocks server.

Published: 3rd January 2022