Using Shadowsocks for Unrestricted Internet Access (Server Side)

Introduction

  • This article explains how to use shadowsocks-libev for unrestricted internet access and collects my experience maintaining SS; discussion is welcome.
  • It is based mainly on Ubuntu 18.04 and later; the reason is explained below.
  • It focuses on compiling and installing shadowsocks-libev manually from scratch; simpler methods are mentioned only briefly.
  • Why go to the trouble of compiling it yourself? No particular reason: I like tinkering and the original flavor of things, and you learn more this way.
  • Below, shadowsocks-libev is simply called the SS service. Yes, that lazy, that willful.

Preparing the environment

  • First, whichever way you install the SS service, you need a VPS (cloud server) located outside China.
  • Options include: AWS, Vultr, QingCloud, Alibaba Cloud, Tencent Cloud, Baidu Cloud.
  • How to choose a cloud provider and get the best price and service is not covered here; message me if you have questions.
  • Why Ubuntu 18.04 or later: its kernel is version 4.9 or newer, which has built-in support for the BBR congestion control algorithm.

Deploying the service

Installing from the repository

  • This method currently only supports Ubuntu 14.04 and Ubuntu 16.04.
  • Using the package repository provided by the SS author makes installing the SS service very convenient.
  • Add the package source:
echo "deb http://ppa.launchpad.net/max-c-lv/shadowsocks-libev/ubuntu $(lsb_release -cs) main" > /etc/apt/sources.list.d/ss.list
  • Update the package index:
apt update
  • Install the SS service:
apt install -y shadowsocks-libev

Manual compilation and installation

  • Switch the package sources as described in "Domestic package sources for CentOS/Ubuntu". Since the VPS is overseas this is not actually necessary; it is just habit, so feel free to skip it.
  • Update the package index, upgrade the system and its dependencies, and remove unneeded packages:
apt update && apt dist-upgrade -y && apt autoremove -y
  • Once that finishes, reboot the VPS so the new kernel takes effect:
shutdown -r now
  • Set the server's time zone and time synchronization:
apt install -y chrony
cp -f /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
  • Install the required build tools (be patient):
apt install -y gcc g++ make automake autoconf libtool asciidoc gettext xmlto libpcre3-dev libev-dev libc-ares-dev
  • Build and install libsodium:
export libsodium_version="2018-08-10"
wget https://download.libsodium.org/libsodium/releases/libsodium-stable-${libsodium_version}.tar.gz
tar -zxf libsodium-stable-${libsodium_version}.tar.gz
pushd libsodium-stable/
./configure --prefix=/usr && make && make install
popd
rm -rf libsodium-stable*
ldconfig
  • Build and install Mbed TLS:
export mbedtls_version="2.12.0"
wget https://tls.mbed.org/download/mbedtls-${mbedtls_version}-gpl.tgz
tar -zxf mbedtls-${mbedtls_version}-gpl.tgz
pushd mbedtls-${mbedtls_version}/
# The Mbed TLS Makefile uses DESTDIR as the install prefix, so the library lands in /opt/mbedtls/lib.
# ldconfig only scans the standard library directories; if ss-server later reports libmbedcrypto
# as "not found", add /opt/mbedtls/lib to a file under /etc/ld.so.conf.d/ and run ldconfig again.
make SHARED=1 CFLAGS=-fPIC && make install DESTDIR=/opt/mbedtls
popd
rm -rf mbedtls-${mbedtls_version}*
ldconfig
  • Build and install shadowsocks-libev:
export ss_version="3.2.0"
wget https://github.com/shadowsocks/shadowsocks-libev/releases/download/v${ss_version}/shadowsocks-libev-${ss_version}.tar.gz
tar -zxf shadowsocks-libev-${ss_version}.tar.gz
pushd shadowsocks-libev-${ss_version}/
# If configure cannot find Mbed TLS under /opt/mbedtls, pass --with-mbedtls=/opt/mbedtls
./configure && make -j 4 && make install
popd
rm -rf shadowsocks-libev-${ss_version}*
  • Check the SS binary's shared library dependencies (a line showing "not found" means a library is missing from the loader path):
ldd $(which ss-server)

Optimizing the service

VIM

  • A little basic VIM configuration:
vim /etc/vim/vimrc

set tabstop=4
set shiftwidth=4
set softtabstop=4
set nohlsearch
set expandtab

Loading the BBR module

  • Load the BBR kernel module (requires kernel 4.9 or newer):
modprobe tcp_bbr
echo "tcp_bbr" >> /etc/modules-load.d/modules.conf

Tuning kernel runtime parameters

  • Tune the kernel runtime parameters via sysctl:
vim /etc/sysctl.d/ss-server.conf

# Enable fast open
net.ipv4.tcp_fastopen = 3

# Enable BBR
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

# forward ipv4
net.ipv4.ip_forward = 1

# max open files
fs.file-max = 1024000
# max read buffer
net.core.rmem_max = 67108864
# max write buffer
net.core.wmem_max = 67108864
# default read buffer
net.core.rmem_default = 65536
# default write buffer
net.core.wmem_default = 65536
# max processor input queue
net.core.netdev_max_backlog = 4096
# max backlog
net.core.somaxconn = 4096

# resist SYN flood attacks
net.ipv4.tcp_syncookies = 1
# reuse timewait sockets when safe
net.ipv4.tcp_tw_reuse = 1
# turn off fast timewait sockets recycling
# (this key was removed in Linux 4.12, so on Ubuntu 18.04 sysctl -p reports it as missing; the other keys still load)
net.ipv4.tcp_tw_recycle = 0
# short FIN timeout
net.ipv4.tcp_fin_timeout = 30
# short keepalive time
net.ipv4.tcp_keepalive_time = 1200
# outbound port range
net.ipv4.ip_local_port_range = 10000 65000
# max SYN backlog
net.ipv4.tcp_max_syn_backlog = 4096
# max timewait sockets held by system simultaneously
net.ipv4.tcp_max_tw_buckets = 5000
# TCP receive buffer
net.ipv4.tcp_rmem = 4096 87380 67108864
# TCP write buffer
net.ipv4.tcp_wmem = 4096 65536 67108864
# turn on path MTU discovery
net.ipv4.tcp_mtu_probing = 1
  • Load the kernel parameters:
sysctl -qp

Raising the maximum number of open file descriptors

echo "*    soft    nofile    512000" >> /etc/security/limits.conf
echo "* hard nofile 1024000" >> /etc/security/limits.conf
echo "ulimit -SHn 1024000" >> /etc/profile

Limiting the number of concurrent connections per port

vim /etc/profile.d/ss-server.sh

#!/bin/bash

# Ports the SS services listen on
PORTS=(21 443)

# Flush all chains, delete user-defined chains and zero the counters.
# Note: scripts in /etc/profile.d run at every login shell, so any other
# iptables rules present on the host are wiped each time someone logs in.
iptables -F && iptables -X && iptables -Z

# Reject new TCP connections to each SS port once a single source address already holds more than 32
for PORT in "${PORTS[@]}"
do
    iptables -A INPUT -p tcp --syn --dport "${PORT}" -m connlimit --connlimit-above 32 -j REJECT --reject-with tcp-reset
done

Automatically adjusting the MTU

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Enabling NAT forwarding

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Configuring the service

Adding the SS service configuration files

  • Create the configuration directory:
mkdir -p /etc/ss-conf
  • Create a configuration file using the aes-256-cfb cipher:
vim /etc/ss-conf/ss-21.json

{
    "server": "*",
    "server_port": 21,
    "password": "PASSWORD",
    "timeout": 120,
    "method": "aes-256-cfb",
    "fast_open": true,
    "workers": 1
}
  • Create a configuration file using the chacha20-ietf-poly1305 cipher:
vim /etc/ss-conf/ss-443.json

{
    "server": "*",
    "server_port": 443,
    "password": "PASSWORD",
    "timeout": 120,
    "method": "chacha20-ietf-poly1305",
    "fast_open": true,
    "workers": 1
}
  • Choose a suitable port; it helps with speed. Commonly used ports: 21, 22, 25, 80, 443.
  • Sharing one port among many people is not recommended; it is unstable and slows down access.
  • Remember to configure a firewall for the cloud server and open only the ports you actually need.
  • For client configuration on each platform, see Using Shadowsocks for Unrestricted Internet Access (Client Side).

Running the service

nohup

  • Run the service with the nohup command:
nohup /usr/local/bin/ss-server -u -c /etc/ss-conf/ss-21.json &
nohup /usr/local/bin/ss-server -u -c /etc/ss-conf/ss-443.json &
  • A service started via nohup is neither stable nor convenient to manage (start, stop, restart).
  • How do we solve this? Enter our protagonist: supervisor.

supervisor

Installing supervisor

  • At present supervisor does not yet support Python 3 (see PyPI and GitHub).
  • Install supervisor with pip:
apt install -y python-minimal unzip python3-distutils

wget https://files.pythonhosted.org/packages/d3/3e/1d74cdcb393b68ab9ee18d78c11ae6df8447099f55fe86ee842f9c5b166c/setuptools-40.0.0.zip
unzip -q setuptools-40.0.0.zip
pushd setuptools-40.0.0/
python setup.py install
python3 setup.py install
popd
rm -rf setuptools-40.0.0*

wget https://files.pythonhosted.org/packages/69/81/52b68d0a4de760a2f1979b0931ba7889202f302072cc7a0d614211bc7579/pip-18.0.tar.gz
tar -zxf pip-18.0.tar.gz
pushd pip-18.0/
python setup.py install
python3 setup.py install
popd
rm -rf pip-18.0*

ln -sf /usr/local/bin/pip2 /usr/local/bin/pip
pip install -U setuptools pip supervisor
pip3 install -U setuptools pip python-dateutil

Configuring supervisor

  • Create the configuration and log directories:
mkdir -p /etc/supervisord.d/ /var/log/supervisor
  • Create the configuration file:
vim /etc/supervisord.conf

; Sample supervisor config file.

[unix_http_server]
file = /tmp/supervisor.sock
chmod = 0700
chown = root:root
username = PASSWORD
password = PASSWORD

[supervisord]
logfile = /var/log/supervisor/supervisord.log
logfile_maxbytes = 50MB
logfile_backups = 10
loglevel = info
user = root
pidfile = /tmp/supervisord.pid
nodaemon = false
minfds = 1024
minprocs = 200

[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

[supervisorctl]
serverurl = unix:///tmp/supervisor.sock
username = PASSWORD
password = PASSWORD

[include]
files = /etc/supervisord.d/*.conf

Adding the configuration files that manage SS

  • Create a supervisord-managed process for the SS service, with one configuration file per port:
vim /etc/supervisord.d/ss-21.conf

[program:ss-21]
command = /usr/local/bin/ss-server -u -c /etc/ss-conf/ss-21.json
user = root
autostart = true
autorestart = true
redirect_stderr = true
stdout_logfile = /var/log/supervisor/ss-21.log

vim /etc/supervisord.d/ss-443.conf

[program:ss-443]
command = /usr/local/bin/ss-server -u -c /etc/ss-conf/ss-443.json
user = root
autostart = true
autorestart = true
redirect_stderr = true
stdout_logfile = /var/log/supervisor/ss-443.log
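As an added example (not code from the original post), a small Python script that checks the ss-conf JSON files from the configuration section for hygiene problems (placeholder password, non-AEAD cipher, bad port or fast_open value) and renders the matching supervisor [program:ss-PORT] section from the same data, so the two stay consistent. It assumes the AEAD method names accepted by shadowsocks-libev; the two configs from this post are embedded as constructed sample input, one of them keeping the placeholder password.

```python
import json
from typing import Dict, List

# AEAD ciphers accepted by shadowsocks-libev; aes-256-cfb from the first config is a legacy stream cipher
AEAD_METHODS = {"chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
                "aes-128-gcm", "aes-192-gcm", "aes-256-gcm"}
PLACEHOLDER_PASSWORDS = {"", "PASSWORD", "password"}

# The two configs from this post, embedded as constructed sample input (one keeps the placeholder password)
SAMPLE_CONFIGS: Dict[str, str] = {
    "/etc/ss-conf/ss-21.json": '{"server": "*", "server_port": 21, "password": "PASSWORD", "timeout": 120, "method": "aes-256-cfb", "fast_open": true, "workers": 1}',
    "/etc/ss-conf/ss-443.json": '{"server": "*", "server_port": 443, "password": "example-only-Kx9q2Lm8", "timeout": 120, "method": "chacha20-ietf-poly1305", "fast_open": true, "workers": 1}',
}

def check_ss_config(cfg: dict) -> List[str]:
    """Return hygiene findings for one ss-server config; an empty list means it passes."""
    findings = []
    port = cfg.get("server_port")
    if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
        findings.append("server_port must be an integer between 1 and 65535")
    if cfg.get("password") in PLACEHOLDER_PASSWORDS:
        findings.append("password is still the placeholder; set a long random one")
    if cfg.get("method") not in AEAD_METHODS:
        findings.append("method %r is not an AEAD cipher" % cfg.get("method"))
    if not isinstance(cfg.get("fast_open", False), bool):
        findings.append("fast_open must be true or false")
    return findings

def supervisor_section(cfg_path: str, cfg: dict) -> str:
    """Render the [program:ss-PORT] block used in this post, one per config file."""
    port = cfg["server_port"]
    return "\n".join([
        "[program:ss-%d]" % port,
        "command = /usr/local/bin/ss-server -u -c %s" % cfg_path,
        "user = root",
        "autostart = true",
        "autorestart = true",
        "redirect_stderr = true",
        "stdout_logfile = /var/log/supervisor/ss-%d.log" % port,
    ])

def audit(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Parse each config text and map its path to the list of findings."""
    return {path: check_ss_config(json.loads(text)) for path, text in configs.items()}

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_CONFIGS).items():
        print(path, "OK" if not findings else "; ".join(findings))
```

To use it on a real host, replace SAMPLE_CONFIGS with the contents of the files under /etc/ss-conf and write each rendered section to /etc/supervisord.d/ss-PORT.conf only when its findings list is empty.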

Managing supervisord via systemd

  • Create the supervisord.service unit file:
vim /etc/systemd/system/supervisord.service

[Unit]
Description=Supervisor process control system for UNIX
Documentation=http://supervisord.org
After=network.target

[Service]
ExecStart=/usr/local/bin/supervisord -n -c /etc/supervisord.conf
ExecStop=/usr/local/bin/supervisorctl shutdown
ExecReload=/usr/local/bin/supervisorctl reload
Restart=always
RestartSec=60s
KillMode=process

[Install]
WantedBy=multi-user.target

Managing the SS service with supervisord

  • First, manage supervisord via systemd so that it starts on boot.
systemctl daemon-reload
systemctl enable supervisord.service
systemctl restart supervisord.service
  • Then manage the SS service via supervisord so that it runs stably.
  • Show the status of the SS services:
supervisorctl status
  • Re-read the SS service configuration files (*.json):
supervisorctl reload
  • Update the configuration files that manage the SS services (*.conf):
supervisorctl update
  • Start all SS services:
supervisorctl start all
  • Stop all SS services:
supervisorctl stop all
  • Restart all SS services:
supervisorctl restart all
  • Start a single SS service:
supervisorctl start ss-21
  • Stop a single SS service:
supervisorctl stop ss-21
  • Restart a single SS service:
supervisorctl restart ss-21

Troubleshooting

Huawei phones

  • If a Huawei phone cannot reach Google Play, try the following:
echo '216.58.197.195 services.googleapis.cn' >> /etc/hosts

With you there is a whole world. Thank you for being here, Xin!