Well, what does "protect" mean here? For values, if it's a string it needs quotes, while numbers do not need to be double quoted. ss+v2ray-plugin+nginx+tls https not working, https://blog.icpz.dev/articles/bypass-gfw/shadowsocks-with-v2ray-plugin/, https://overclockers.ru/blog/Indigo81/show/31739/shadowsocks-cherez-cloudflare-cdn-povyshaem-bezopasnost-v-seti. do we need a webserver for the ss+v2ray+tls to work? It is recommended to use AEAD ciphers (cipher could be aes-256-gcm, aes-128-gcm, chacha20-poly1305 for enabling AEAD), OTA will be invalid when enabling AEAD; The simple-obfs plugin of Shadowsocks has been deprecated and you can use the new V2Ray-based obfuscation plugin (but V2Ray's Websocket/http2 + TLS also works); You can use V2Ray's transport layer configuration (see. ss-local -c config.json -p 443 --plugin v2ray-plugin --plugin-opts " mode=quic;host=mydomain.me " Issue a cert for TLS and QUIC v2ray-plugin will look for TLS certificates signed by acme.sh by default. will read more and try installing another version with nginx. JSON, or JavaScript Object Notation, in short is objects in Javascript. One JSON file contains one and only one JSON object, beginning with "{" and ending with "}". Check access.log and error.log in /var/log/nginx to see if your request is received and processed. By the way, until now I don't know where to register a domain name at an acceptable cost(not a subdomain name) to utilize CLOUDFLARE service. For example: Leave the extra attributes (challenge password and company name) blank. For Password put your chosen password, e.g. Are you sure you want to create this branch? if yes, then could we do it with Apache? In the Microsoft Management Console: Click File. hopefully this time it will work :). modified, and redistributed. However, UDP doesn't seem to work. nohup ss-server -c /path/to/config.json >> /path/to/log.txt &, Installing Shadowsocks and Get it Running. Once you've finished editing the config file (suppose the file name is config.json), you can start the shadowsocks server by executing the following command. I have successfully run ss-libev on my VPS (CentOS 8 x64 ) without any plugins. yup, all internet surfing working fine :) saw a post before saying that we could inspect the traffic header to make sure no 'thumbprint' so will not flag by by gfw's dpi, ss will only work for http/https traffic, any other protocol will be route(go directly) to the destination? A typical object is like below: V2Ray supports comments in JSONannotated by "//" or "/* */". However, because V2Ray supports many functions, the configuration is inevitably more complicated. That being said, other configuration formats may be introduced in the furture. Because of the protocol bug, OTA (one-time authentication) of Shadowsocks has been deprecated and switched to AEAD (authenticated encryption with associated data). thanks alot. ss-server -c config.json -p 443 --plugin v2ray-plugin --plugin-opts "server;mode=quic;host=mydomain.me" to your account. the problem here is v2ray-plugin behind nginx with tls does not work. Work fast with our official CLI. Modules with tagged versions give importers more predictable builds. You can find commands for issuing certificates for other DNS providers at acme.sh. config.json-shadowsocks client from toutyrater This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. V2Ray uses protobuf -based configuration. Install 7-Zip from https://www.7-zip.org if you do not have it on your PC already. No. Once you've finished editing the config file (suppose the file name is config.json), you can start the shadowsocks server by executing the following command. Pure SS will work with any TCP/UDP traffic. At the end of the install script, the parameters are redisplayed: Add lines for the plugin and plugin options, like this: Remember the comma after what used to be the last option. This article discusses the details of why AEAD based encryption algorithms are safer than stream encryption + OTA algorithms. I found a detailed instruction on setting-up vray-plugins and nginx server for Chinese-speaking rookies. Download the most recent release of Shadowsocks for Windows. Shadowsocks protocol, for both inbound and outbound connections. go build; Alternatively, you can grab the latest nightly from Circle CI by logging into Circle CI or adding #artifacts at the end of URL like such: . For Server IP, put the IP address of your server, e.g. Therefore, it is recommended to understand the format of JSON before the actual configuration. They will be referenced in the rest of docs. If you do not already have Firefox installed, install Firefox now from https://www.mozilla.org/en-US/firefox/new. May be a relative path . This means the HTTP connection is not good. The implementation of Shadowsocks in V2Ray is compatible with Shadowsocks-libev, Go-shadowsocks2 and other clients based on the Shadowsocks protocol. V2Ray can be configured as either a Shadowsocks server or a client. Just configure V2Ray and just look at it here. When AEAD encryption is used, this field has no effect. shadowsocks-libev is a lightweight secured socks5 proxy for embedded devices and low end boxes. See command line args for advanced usages. lets say we use the setup here correctly and add a cdn, what IP address will 'whatismyip' show? ss will only work with IPv4 only, IPv6 will be route(go directly) to the destination? Sign the certificate signing request, creating your certificate: Generate a private key for your server certificate: Make the server private key readable by Nginx: Delete the default contents, and enter contents as below: Change /abcdefgh to a secret path of your choice. Therefore, it is recommended to understand the format of JSON before the actual configuration. This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository. By entering ss-server -h in the console, all the parameters of the command ss-server are given. I have tested nginx tls, it works. Yet another SIP003 plugin for shadowsocks, based on v2ray, https://circleci.com/gh/shadowsocks/v2ray-plugin/20#artifacts, Alternatively, you can grab the latest nightly from Circle CI by logging into Circle CI or adding. Here is a brief introduction of JSON data types. Open the program installation manual. here is my visualization of how the traffics flow- Before this section is finished, I would like to talk more about some details about the configuration. sudo apt install shadowsocks-libev. It is a port of shadowsocks created by @clowwindy maintained by @madeye and @linusyang.. Based on alpine with latest version shadowsocks-libev and v2ray-plugin, xray-plugin.. Docker images are built for quick deployment in various computing cloud providers. by default it is disabled. If you're not logged in as root, then become root as follows. In this way all your traffic is encrypted. Difficulty getting nginx and shadowsocks-libev with v2ray-plugin to work. By following this post, you can create an SS + V2Ray plugin server without having to buy a domain name. I use namesilo and search for domains with cheapest renewal prices. Sometimes its faster than directly connecting to your vps (depending on the vps location). Case: Fractal Design Define 7 XL Power Supply: Corsair RM750X 80+ Gold Motherboard: Supermicro X11SPI-TF CPU: Intel Xeon Silver 4210T (10c/20t) Cascade Lake 2.3/3.2 GHz 95 W RAM: 3x 64 GB + 1x 32 GB DDR4 2400 ECC LRDIMM Extra SAS: Passthrough HPE H220 (LSI 9205-8i) - FW P20.00.07.00 Boot Pool: 2x Intel DC S3500 480 GB SSD - Mirrored Storage pool: 4x 6TB HGST Ultrastar 7K6000 - Striped Mirrors Note that you would need extra configuration on your client shadowsocks application so that obfuscation works. is there way for us to check if the setup/obfuscation working fine? SS works as with IPv4, so with IPv6. V2Ray. Used for user identification. And each protocol may have its own transport, such as TCP, mKCP, WebSocket, etc. Shadowsocks is a secure socks5 proxy and was designed to protect your internet traffic. here is the config content. i do have apache installed but i change apache 443 to 8443 and use 443 for ss and client connection. If nothing happens, download GitHub Desktop and try again. Cautious users should refrain from using this mode. Copy the binary into the same folder as the extracted shadowsocks binaries. The type of its elements is usually the same, e.g., [string] is an array of strings. In this section, the obfuscation configuration using v2ray-plugin will be introduced. Copy v2ray-plugin_windows_amd64.exe into the Shadowsocks folder Downloads\Shadowsocks-4.4.0.185. In this section, the obfuscation configuration using v2ray-plugin will be introduced. are you part of the cool team that develop this? Objects are unordered, so the order of the contents enclosed by braces { } doesn't matter, for example: The above two JSONs are actually equivalent. v2ray/xray [-h | help] [options]-h, help -v, version start V2Ray stop V2Ray restart V2Ray status V2Ray new v2ray json update V2Ray Release update [version] V2Ray update.sh multi-v2ray . A domain name costs much less than your VPS. , // Whether enable OTA, default is false, we don't recommand enable this as decrepted by Shadowsocks. Import CA Certificate on Client. sudo nano /etc/init.d/v2ray. i did try installing before from the reddit post, but somehow stuck at getting the certificate - authentication error, so after many tries, i decide to try another method. If you are among its target users, you would know. chacha20-poly1305 a.k.a. The resolution of the name localhost to one or more IP addresses is normally configured by the following lines in the operating system's hosts file: config.json could be as following: Have a question about this project? gistv2ray config.json . Finally, the shadowsocks server can be started as the previous section mentioned. A JSON object contains a list of key value pairs. Your run of the script will look like this: Wait while the installs and compiles take place. The server received the packets but it seems shadowsocks with v2-ray plugin on the server side cannot handle the UDP packet. However, using obfuscation will reduce the speed of your shadowsocks. Installation I think listening on 80 at the same time won't impact anything of tls. As a proxy protocol toolbox, V2Ray supports the Shadowsocks protocol. Congratulations, Shadowsocks-libev server install completed! super******.mooo.com is a subdomain name I registered linked to my VPS. 4. It comes with a list of key value pairs. SS+any plugin will work only with any TCP traffic. Download the v2ray-plugin for Linux 64-bit from GitHub. Shadowsocks-libev Docker Image by Teddysun. I almost give up, but I succeed with last attempt. If not, you can install it by following this instruction. Vice versa. Extract the contents of the archive. I checked the profile.db-wal with notepad and incorrect arguments are passed to the plugin, thats why it never connects. The Go module system was introduced in Go 1.11 and is the official dependency management It does work. Extract the contents of the archive. is that correct? so here's the full text of the/etc/nginx/nginx.conf. It's http://localhost:8388; NOT http://localhost:8388/; . shadowsocks-libev. Boolean value, has to be either true or false, without quotation mark. Supports OTA . By the way. Step 1 Logging In as Root. All strings must be enclosed in double quotes " ", as all keys strings, so keys should also be enclosed in double quotes. https://blog.icpz.dev/articles/bypass-gfw/shadowsocks-with-v2ray-plugin/. V2Ray can be configured as either a Shadowsocks server or a client. Change the config files to suit your preferences, using the configuration section of the official wiki for guidance and read our protocol explanation below. The server received the packets but it seems shadowsocks with v2-ray plugin on the server side cannot handle the UDP packet. This tutorial illustrates steps for setting up a Shadowsocks server on Ubuntu system. Or, perhaps Nginx couldn't handle the UDP packets. Learn more about bidirectional Unicode characters . . Download shadowsocks-rust for Linux 64-bit from GitHub. Unzip Shadowsocks-4.4.0.185.zip. On Windows, you can either use PowerShell or a graphical user interface (GUI) such as PuTTY or XSHELL. Test configuration, output any errors and then exit.-config. Domain name is the easiest part. In Settings, on the General page, under Network Settings, click Settings. I think you're almost there. Cautious users should refrain from using this mode. By deploying the Shadowsocks server in 443 port, your Shadowsocks data stream looks more like a data stream for web browsing via HTTPS. This is because sometimes localhost are resolved to ipv6 address. Today I'd like to try the v2ray plugin but I came to similar problems. Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: openssl x509 -req -sha256 -days 365 -in ca.csr -signkey ca.key -out ca.crt, openssl ecparam -out example.com.key -name secp384r1 -genkey, openssl req -new -sha256 -key example.com.key -out example.com.csr, openssl x509 -req -in example.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.com.crt -days 365 -sha256. Default value is false. Sequence of characters, surrounded by quotation mark. Thus, it has been suggested that AES based algorithms shall be used for desktop clients, while chacha based algorithms shall be used for mobile clients. It seems the SQLite file is password protected, how can I find out the password so I can modify this file by hand and fix the arguments? Shadowsocks_With_V2Ray.md Installing Packages sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y && sudo apt-get clean && sudo apt-get install build-essential haveged -y sudo apt-get install linux-headers-$(uname -r) sudo apt-get install curl -y sudo apt-get install shadowsocks-libev -y . There could be a lot of reasons leading to this. There is no issue. Email address. The nginx service seems to be working well, since when trying to visit super******.mooo.com, it will be forwarded to www.bing.com. Server may choose to enable, disable or auto. Open Windows PowerShell (right-click on Windows Start button, then select Windows Terminal). In the window Add or Remove Snap-ins, select Certificates. Avilable formats are: Path to the local config file. Copy the binary into the same folder as the extracted shadowsocks binaries. v2ray-plugin will look for TLS certificates signed by acme.sh by default. after reading that, it seems hving a webserver is a good idea for 'camouflage'. Theme NexT works best with JavaScript enabled, openssl ecparam -out ca.key -name secp384r1 -genkey, openssl req -new -sha256 -key ca.key -out ca.csr, State or Province Name (full name) [Some-State]:NSW. The client-server must have an incoming and outgoing configuration. The nginx access log above shows you're getting http 499 responses. From the Firefox hamburger menu, choose Settings. solution for Go. The server in this post runs Debian 11, and the client runs Windows 11. Otherwise, itd be great if we could just have an option to pass plugin options as a string (for v2ray plugin) or as a JSON file (for cloak plugin). V2Ray uses protobuf-based configuration. See Encryption methods for available values. Usually non-negative integers, without quotation mark. ss-client -> gfw -> cdn -> vps/ss-server -> website, then it travels back(in reverse) to ss-client. what is the UDP Fallback use for in SS Client on Android? tls;host=example.com;path=/wss;loglevel=none. Alternatively, you can specify path to your certificates using option cert and key. In this section, we will give the instructions about configuring Shadowsocks protocol with V2Ray. Create a config.json file like this: Shadowsocks server address. On Linux and macOS, you can use the terminal command ssh to reach your server. Nginx access.log. V2ray configuration file format. Instead of using cert to pass the certificate file, certRaw could be used to pass in PEM format certificate, that is the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- without the line breaks. When a project reaches major version v1 it is considered stable. chacha20-ietf-poly1305. Right-click on that, and use 7-Zip again to extract from this the application v2ray-plugin_windows_amd64.exe. After trial and error for nearly 2 hours, hmm.Eventually I got 404 Nothing in Error.log Very frustrating Both ss & vray_plugin android clients are downloaded from the GooglePlay Store. Configure Firefox network settings to use the SOCKS5 proxy server that is now listening on 127.0.0.1 port 1080. In your browser, download the most recent V2Ray plugin for Windows from https://github.com/shadowsocks/v2ray-plugin/releases. Alternatively, you can specify path to your certificates using option cert and key. May be IPv4, IPv6 or domain address. The easiest way to check is if the traffic is running, then everything is fine. However, because V2Ray supports many functions, the configuration is inevitably more complicated. Required. Issue the command below, replacing 123.45.67.89 by your actual server IP address: Open a Run box (Win+r), type mmc, and click OK. In Firefox, visit https://whatismyipaddress.com. the vps or cdn? Download shadowsocks-rust for Linux 64-bit from GitHub. Start Shadowsocks.exe for the first time. The implementation of Shadowsocks in V2Ray is compatible with Shadowsocks-libev, Go-shadowsocks2 and other clients based on the Shadowsocks protocol. ps: why I start it using this command, it is because if I use systemctl start shadowsocks-libev, it cannot start v2ray-plugin, but this way works. Therefore we directly give the example configuration. Your can still access your vps even if it is blocked by gfw. But unfortunately the plugin asks for a cert file which is incorrect, it shouldnt ask for that when in client mode, it should ask for that only in server mode. Yet another SIP003 plugin for shadowsocks, based on v2ray. so is it ok to ask question here in future, or where else would you suggest we get help? Use let's encrypt to obtain valid certificates (I use acme.sh for managing certificates). UDP bypasses the plugin (by shadowsocks design) and will try to connect to plain shadowsocks. "password":"yourshadowsocksserverpassword", "plugin_opts":"path=/yourpath;host=your.host.name;tls". Only two booleans are true and false. By clicking Sign up for GitHub, you agree to our terms of service and (I searched about JSON on Google The article is rather long-winded, I guess its for programmers, so we dont need to get confused. Here's some sample commands for issuing a certificate using CloudFlare. A key value pair usually ends with a comma ",", but must not ends with a comma if it is the last element of the object. p/s - bcoz of the pandemic, not sure when could travel to china, so hopefully could setup eveyrthing and make sure its running when we can travel. Since V2ray is taking over the http traffic, the port specified in ss-libev is actually served by v2ray, and then the decoded traffic is passed to ss-libev through a insignificant port number. it actually can not be visited here since DNS pollution. Unlike Shadowsocks, V2ray supports numerous protocols, both inbound and outbound. Instead of using cert to pass the certificate file, certRaw could be used to pass in PEM format certificate, that is the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- without the line breaks. Build. An address with port, such as "8.8.8.8:53" or "www.v2ray.com:80". VMess hi @vanyaindigo sorry for so many questions, i hv read a lot(bits here and there on the internet rgd this), but never had chance to ask someone knowledgeable like you. My phone is rooted so I have no issue with pushing the file back to the phone. The configuration file of V2Ray is in JSON format, and the configuration of Shadowsocks is also in JSON format. Also set Firefox to proxy DNS queries over the SOCKS5 server. And what's more, vray_plugin should listen both ipv4 and ipv6. Better yet, V2Ray has built in obfuscation to hide traffic in TLS, and can run in parallel with web servers. and one last question - would using a webserver(nginx proxy_pass) more secure? Before V2Ray runs, it automatically converts JSON config into protobuf. If you would like to shut down the server, use ps -ef | grep ss-server to get the pid of your shadowsocks server, and then kill the process using kill. First, check you client. Our example is socKsecreT2021%d. Using either Shadowrocket on iOS or Shadowsocks-NG on MacOS, I can't connect. Type: Inbound / Outbound. V2Ray Protocols Explained. Thus you see the port number changing between ss-libev service restarts. If you run the server with -u and open up the UDP port it will work, but it will be just regular shadowsocks over UDP. Array of elements. The text was updated successfully, but these errors were encountered: remove = from location = /ssm like location /ss, i dont belive you can pass nginx -t with your config; remove last / from http://127.0.0.1:9999/ like http://127.0.0.1:9999. if you just want use tls, remove all location = /ss { } code block from your 80 listen. If true and the incoming connection doesn't enable OTA, V2Ray will reject this connection. Finally, i get where the bug is! A key is a string, and a value may be various of types, such as string, number, boolean, array or another object. Caution "server":["[::1]", "127.0.0.1"], What'more, I found a detailed instruction on setting-up vray-plugins and nginx server for Chinese-speaking rookies. In addition, I think I need to add a few points to the introduction of the document: All punctuation marks in JSON file must use half-width symbols (English symbols). Theme NexT works best with JavaScript enabled. Nope https, I'm now working through https. Regarding the format of JSON, you can see V2Ray Document (opens new window). For the tcp port, it's working properly. Do you use "official" shadowsocks and v2ray plugin client? Time to embrace a bigger world!
v2ray shadowsocks config json