How to Set Up a Secure Shadowsocks Proxy on a Dedicated Server

In this guide, we will walk you through setting up a modern, secure, and blazing-fast Shadowsocks proxy on a Linux dedicated server.

What Other Tutorials Get Wrong

Before we begin, it's important to understand why we are using the methods below. Most older tutorials on the web make a few critical mistakes:

• Using Deprecated Implementations: Tutorials recommending the original Python version or shadowsocks-libev are outdated. Both have been largely abandoned. The modern standard is Shadowsocks-Rust, which offers superior performance, memory safety, and active maintenance.
• Recommending Weak Encryption & Default Ports: Older guides often tell you to use ciphers like aes-256-cfb and stick to the default port 8388. These are highly vulnerable to active probing by modern firewalls (like the Great Firewall). We will use the Shadowsocks-2022 AEAD ciphers (specifically 2022-blake3-aes-256-gcm) and a randomized high-number port to defeat active detection.
• Poor Password Generation: Modern 2022 ciphers require fixed-length, Base64-encoded cryptographic keys. Typing in a standard text password like "MySecureProxy!" will cause the server to crash.
• Ignoring TCP BBR: Shadowsocks proxies can feel sluggish if the server's TCP congestion control isn't optimized. Enabling BBR is mandatory for a fast proxy experience.

Prerequisites

• A Dedicated Server or VPS running Ubuntu 24.04 LTS or Debian 12.
• Root or sudo access to the server.
• Basic familiarity with the Linux command line.

Step 1: Optimize Network with TCP BBR

To ensure your proxy delivers maximum throughput with minimal latency, we need to enable Google's BBR TCP congestion control algorithm.

Open your sysctl configuration file:

sudo nano /etc/sysctl.conf

Paste the following two lines at the very bottom of the file:

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

Apply the changes immediately:

sudo sysctl -p

Step 2: Install Shadowsocks-Rust

We will pull the latest compiled binary directly from the official Shadowsocks-Rust GitHub repository. To do this reliably, we will use jq to parse the GitHub API.

Update your system packages and install jq:

sudo apt update && sudo apt upgrade -y && sudo apt install jq -y

Download and extract the latest Linux x86_64 release. Run these commands to automatically fetch and unpack the binary:

LATEST_URL=$(curl -s https://api.github.com/repos/shadowsocks/shadowsocks-rust/releases/latest | jq -r '.assets[] | select(.name | test("x86_64-unknown-linux-gnu.tar.xz")) | .browser_download_url')
wget $LATEST_URL -O shadowsocks.tar.xz
tar -xvf shadowsocks.tar.xz

Move the server binary to your system bin path so it can be executed globally:

sudo mv ssserver /usr/local/bin/

(You can safely delete the remaining extracted files, as we only need ssserver for a dedicated server setup).

Step 3: Generate a Cryptographic Key

The modern 2022-blake3-aes-256-gcm cipher requires a 32-byte key encoded in Base64. Do not use a standard password.

Generate a secure key right from your terminal using OpenSSL:

openssl rand -base64 32

Copy the output. It will look something like this: vF8aT9xY...= (Keep this safe; you will need it for both the server and your client apps).

Step 4: Configure the Server

We need to create a JSON configuration file to tell Shadowsocks how to run.

Create a directory for Shadowsocks:

sudo mkdir /etc/shadowsocks-rust

Create and open the configuration file:

sudo nano /etc/shadowsocks-rust/config.json

Paste the following configuration. Replace YOUR_BASE64_KEY_HERE with the key you generated in Step 3. We are using a random high port (42911) to evade automated scanners.

{
    "server": "0.0.0.0",
    "server_port": 42911,
    "password": "YOUR_BASE64_KEY_HERE",
    "method": "2022-blake3-aes-256-gcm",
    "mode": "tcp_and_udp",
    "fast_open": true,
    "timeout": 300
}

Save and exit (Press CTRL + X, then Y, then ENTER).

sudo chown nobody:nogroup /etc/shadowsocks-rust/config.json
sudo chmod 600 /etc/shadowsocks-rust/config.json

Step 5: Create a Systemd Service

To ensure Shadowsocks runs automatically in the background and restarts if your server reboots, we must create a systemd service.

Create a new service file:

sudo nano /etc/systemd/system/shadowsocks.service

Paste the following block:

[Unit]
Description=Shadowsocks-Rust Server
After=network.target

[Service]
Type=simple
User=nobody
ExecStart=/usr/local/bin/ssserver -c /etc/shadowsocks-rust/config.json
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Reload systemd, enable the service, and start it:

sudo systemctl daemon-reload
sudo systemctl enable shadowsocks
sudo systemctl start shadowsocks

Verify it is running smoothly:

sudo systemctl status shadowsocks

(You should see an "active (running)" status in green).

Step 6: Configure the Firewall

You must open the port you selected in your configuration file (42911) so traffic can reach your proxy. If you are using UFW (Uncomplicated Firewall):

sudo ufw allow 42911/tcp
sudo ufw allow 42911/udp
sudo ufw reload

Step 7: Connect Your Client

Your proxy is now live! Download a modern Shadowsocks client for your device (such as ShadowsocksX-NG for Mac, v2rayNG for Android, or the Shadowsocks-Rust client for Windows).

Input your server's IP address, the port (42911), your generated Base64 password, and select 2022-blake3-aes-256-gcm as the encryption method.