You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
Riobard 07b789296f Update README 1 week ago
.github/workflows Updated workflow 1 week ago
core Deprecate all stream ciphers 1 week ago
internal implements BloomRing and saltfilter 1 week ago
nfutil Split Netfilter and pf code into subpackages 1 week ago
pfutil Split Netfilter and pf code into subpackages 1 week ago
shadowaead integrate cipher with saltfilter 1 week ago
socks Better var naming 2 years ago
Dockerfile chore(docker): update build image to go 1.12.7 7 months ago
LICENSE Applied Apache License 2.0 1 year ago
Makefile Updated workflow 1 week ago
README.md Update README 1 week ago
go.mod Split Netfilter and pf code into subpackages 1 week ago
go.sum Split Netfilter and pf code into subpackages 1 week ago
log.go Fix plugin crash without -verbose flag 2 months ago
main.go Better plugin life-cycle management 5 months ago
plugin.go Better finding the plugin 5 months ago
tcp.go fix UDP associate 7 months ago
tcp_darwin.go Split Netfilter and pf code into subpackages 1 week ago
tcp_linux.go Split Netfilter and pf code into subpackages 1 week ago
tcp_other.go Split Netfilter and pf code into subpackages 1 week ago
udp.go Robust UDP socks5 support. 2 years ago

README.md

go-shadowsocks2

A fresh implementation of Shadowsocks in Go.

GoDoc at https://godoc.org/github.com/shadowsocks/go-shadowsocks2/

Build and test

Features

  • SOCKS5 proxy with UDP Associate
  • Support for Netfilter TCP redirect on Linux (IPv6 should work but not tested)
  • Support for Packet Filter TCP redirect on MacOS/Darwin (IPv4 only)
  • UDP tunneling (e.g. relay DNS packets)
  • TCP tunneling (e.g. benchmark with iperf3)
  • SIP003 plugins
  • Replay attack mitigation

Install

Pre-built binaries for common platforms are available at https://github.com/shadowsocks/go-shadowsocks2/releases

Install from source

go get -u -v github.com/shadowsocks/go-shadowsocks2

Basic Usage

Server

Start a server listening on port 8488 using AEAD_CHACHA20_POLY1305 AEAD cipher with password your-password.

go-shadowsocks2 -s 'ss://AEAD_CHACHA20_POLY1305:your-password@:8488' -verbose

Client

Start a client connecting to the above server. The client listens on port 1080 for incoming SOCKS5 connections, and tunnels both UDP and TCP on port 8053 and port 8054 to 8.8.8.8:53 and 8.8.4.4:53 respectively.

go-shadowsocks2 -c 'ss://AEAD_CHACHA20_POLY1305:your-password@[server_address]:8488' \
    -verbose -socks :1080 -u -udptun :8053=8.8.8.8:53,:8054=8.8.4.4:53 \
                             -tcptun :8053=8.8.8.8:53,:8054=8.8.4.4:53

Replace [server_address] with the server's public address.

Advanced Usage

Netfilter TCP redirect on Linux

The client offers -redir and -redir6 (for IPv6) options to handle TCP connections redirected by Netfilter on Linux. The feature works similar to ss-redir from shadowsocks-libev.

Start a client listening on port 1082 for redirected TCP connections and port 1083 for redirected TCP IPv6 connections.

go-shadowsocks2 -c 'ss://AEAD_CHACHA20_POLY1305:your-password@[server_address]:8488' -redir :1082 -redir6 :1083

TCP tunneling

The client offers -tcptun [local_addr]:[local_port]=[remote_addr]:[remote_port] option to tunnel TCP. For example it can be used to proxy iperf3 for benchmarking.

Start iperf3 on the same machine with the server.

iperf3 -s

By default iperf3 listens on port 5201.

Start a client on the same machine with the server. The client listens on port 1090 for incoming connections and tunnels to localhost:5201 where iperf3 is listening.

go-shadowsocks2 -c 'ss://AEAD_CHACHA20_POLY1305:your-password@[server_address]:8488' -tcptun :1090=localhost:5201

Start iperf3 client to connect to the tunneld port instead

iperf3 -c localhost -p 1090

SIP003 Plugins (Experimental)

Both client and server support SIP003 plugins. Use -plugin and -plugin-opts parameters to enable.

Client:

go-shadowsocks2 -c 'ss://AEAD_CHACHA20_POLY1305:your-password@[server_address]:8488' \
    -verbose -socks :1080 -u -plugin v2ray

Server:

go-shadowsocks2 -s 'ss://AEAD_CHACHA20_POLY1305:your-password@:8488' -verbose \
    -plugin v2ray -plugin-opts "server"

Note:

It will look for the plugin in the current directory first, then $PATH.

UDP connections will not be affected by SIP003.

Replay Attack Mitigation

By default a Bloom filter is deployed to defend against replay attacks. Use the following environment variables to fine-tune the mechanism:

  • SHADOWSOCKS_SF_CAPACITY: Number of recent connections to track. Default 1e6 (one million). Setting it to 0 disables the feature.
  • SHADOWSOCKS_SF_FPR: False positive rate of the Bloom filter. Default 1e-6 (0.0001%). This should be enough for most cases.
  • SHADOWSOCKS_SF_SLOT: The Bloom filter is divided into a number (default 10) of slots. When the Bloom filter is full, the oldest slot will be cleared for recycling. In general you should not change this number unless you understand what you are doing.
SHADOWSOCKS_SF_CAPACITY=1e6 SHADOWSOCKS_SF_FPR=1e-6 SHADOWSOCKS_SF_SLOT=10 go-shadowsocks2 ...

Design Principles

The code base strives to

  • be idiomatic Go and well organized;
  • use fewer external dependences as reasonably possible;
  • only include proven modern ciphers;