AlmaLinuxRHEL Based

How To Install Shadowsocks on AlmaLinux 10

r00t

Install Shadowsocks on AlmaLinux 10

Setting up a secure and private network connection has become essential for modern digital infrastructure. Shadowsocks represents one of the most efficient proxy protocols available today, offering superior performance compared to traditional VPN solutions while maintaining robust security features. This comprehensive guide will walk through the complete process of installing and configuring Shadowsocks on AlmaLinux 10, providing system administrators and privacy-conscious users with the knowledge needed to implement this powerful networking tool successfully.

AlmaLinux 10, as an enterprise-grade RHEL alternative, provides an ideal foundation for Shadowsocks deployment with enhanced security features and stable package management systems. The combination of AlmaLinux 10’s reliability and Shadowsocks’ lightweight architecture creates an optimal environment for secure proxy services.

Understanding Shadowsocks Architecture

Shadowsocks operates as a SOCKS5 proxy protocol with integrated encryption, designed to circumvent network restrictions while maintaining high performance and low resource consumption. Unlike traditional VPNs that create tunnel interfaces, Shadowsocks works at the application layer, providing selective proxy capabilities that can be configured per application or system-wide.

The protocol utilizes a client-server architecture where encrypted traffic flows between a local client and remote server, effectively masking the nature of the transmitted data. This design makes Shadowsocks particularly effective against deep packet inspection and other network analysis techniques commonly used for traffic filtering.

Modern Shadowsocks implementations support AEAD (Authenticated Encryption with Associated Data) encryption methods, including ChaCha20-Poly1305 and AES-256-GCM, providing both confidentiality and integrity protection. The protocol has evolved significantly with the introduction of Shadowsocks 2022, which offers improved security through enhanced encryption methods and resistance to replay attacks.

Prerequisites and System Requirements

Before beginning the installation process, ensure your AlmaLinux 10 system meets the necessary requirements and has been properly prepared. The system should have a minimum of 2GB RAM and 20GB of available disk space, with a stable internet connection for package downloads and updates.

Update the system using the DNF package manager to ensure all components are current:

sudo dnf update -y
sudo dnf install -y wget curl nano vim

Verify that you have root or sudo privileges by running administrative commands. This access level is essential for installing packages, configuring services, and modifying system settings required for Shadowsocks deployment.

Check the current firewall status and network configuration to ensure proper connectivity. AlmaLinux 10 includes firewalld by default, which will need configuration to allow Shadowsocks traffic through the appropriate ports.

Install essential development tools and dependencies that may be required during the installation process:

sudo dnf groupinstall -y "Development Tools"
sudo dnf install -y epel-release

The EPEL (Extra Packages for Enterprise Linux) repository provides additional software packages not included in the standard AlmaLinux repositories, including various proxy and networking tools.

Installation Methods Overview

Several approaches exist for installing Shadowsocks on AlmaLinux 10, each with distinct advantages depending on specific requirements and technical preferences. The primary methods include installing the C-based Shadowsocks-libev implementation, using the Python-based version, or compiling from source code for maximum customization.

Shadowsocks-libev represents the recommended approach for most production deployments due to its superior performance characteristics, lower memory footprint, and active maintenance status. This C implementation provides better resource efficiency and stability compared to alternative versions.

The Python-based implementation offers easier installation through pip package management and may be preferred in environments where Python is already extensively used. However, it generally consumes more system resources and may not provide the same level of performance as the libev version.

Method 1: Installing Shadowsocks-libev

This section covers the recommended installation approach using Shadowsocks-libev, which provides optimal performance and stability for AlmaLinux 10 environments.

System Preparation and Repository Setup

Begin by ensuring your AlmaLinux 10 system has the latest updates and necessary repositories configured. Execute the following commands to update the system and add required repositories:

sudo dnf update -y
sudo dnf install -y epel-release
sudo dnf config-manager --enable powertools

The PowerTools repository provides additional development packages that may be required for building or configuring Shadowsocks components. Enable this repository to ensure access to all necessary dependencies.

Install essential build tools and libraries:

sudo dnf groupinstall -y "Development Tools"
sudo dnf install -y autoconf automake libtool gcc gcc-c++
sudo dnf install -y pcre-devel mbedtls-devel libsodium-devel

These packages provide the compilation environment and cryptographic libraries required for Shadowsocks-libev functionality. The libsodium library is particularly important as it provides high-performance cryptographic functions used by modern Shadowsocks implementations.

Shadowsocks-libev Installation Process

Install Shadowsocks-libev directly from the EPEL repository using the DNF package manager:

sudo dnf install -y shadowsocks-libev

This command downloads and installs the pre-compiled Shadowsocks-libev package along with all required dependencies. The installation process automatically creates system users, directories, and basic configuration files needed for operation.

Verify the installation by checking the installed package version and available binaries:

rpm -qi shadowsocks-libev
which ss-server

The installation should provide several executables including ss-server (server component), ss-local (local client), and ss-redir (transparent proxy). Each component serves different functions within the Shadowsocks ecosystem.

Check the systemd service status to ensure proper integration:

sudo systemctl status shadowsocks-libev

Initial Configuration Setup

Create the main configuration directory and file for Shadowsocks-libev:

sudo mkdir -p /etc/shadowsocks-libev
sudo nano /etc/shadowsocks-libev/config.json

Configure the server with the following JSON structure:

{
    "server": "0.0.0.0",
    "server_port": 8388,
    "local_port": 1080,
    "password": "YourSecurePasswordHere",
    "method": "chacha20-ietf-poly1305",
    "timeout": 300,
    "mode": "tcp_and_udp",
    "fast_open": true
}

This configuration binds the server to all available network interfaces using port 8388 for incoming connections. The ChaCha20-IETF-Poly1305 encryption method provides excellent security and performance characteristics suitable for most deployment scenarios.

Set appropriate file permissions to protect the configuration:

sudo chmod 600 /etc/shadowsocks-libev/config.json
sudo chown root:root /etc/shadowsocks-libev/config.json

Method 2: Python-based Shadowsocks Installation

For environments where the Python implementation is preferred, follow these alternative installation steps that utilize Python’s package management system.

Python Environment Preparation

AlmaLinux 10 includes Python 3.12 by default, but additional packages are required for Shadowsocks installation. Install the necessary Python development tools and dependencies:

sudo dnf install -y python3-pip python3-devel python3-setuptools
sudo dnf install -y libffi-devel openssl-devel

The development packages provide headers and libraries necessary for compiling Python extensions that may be required by cryptographic modules used in Shadowsocks.

Upgrade pip to the latest version to ensure compatibility with modern packages:

sudo python3 -m pip install --upgrade pip

Shadowsocks Python Package Installation

Install Shadowsocks using pip package manager:

sudo pip3 install shadowsocks

This command downloads and installs the Python-based Shadowsocks implementation along with its dependencies. The installation creates command-line utilities for both server and client operation.

Verify the installation by checking available commands:

which ssserver
which sslocal
ssserver --version

The Python implementation provides ssserver for server operation and sslocal for client functionality, similar to the libev version but with different command names and options.

Service Configuration for Python Version

Create a systemd service file for automatic startup:

sudo nano /etc/systemd/system/shadowsocks.service

Add the following service definition:

[Unit]
Description=Shadowsocks Server
After=network.target

[Service]
Type=forking
User=nobody
ExecStart=/usr/local/bin/ssserver -c /etc/shadowsocks.json -d start
ExecStop=/usr/local/bin/ssserver -c /etc/shadowsocks.json -d stop
Restart=on-abort

[Install]
WantedBy=multi-user.target

This service file ensures automatic startup during system boot and provides proper process management through systemd. The service runs under the ‘nobody’ user account for enhanced security.

Comprehensive Configuration Guide

Proper configuration is crucial for optimal Shadowsocks performance and security. This section covers advanced configuration parameters and optimization techniques.

Server Configuration File Structure

The Shadowsocks configuration file uses JSON format with specific parameters that control server behavior, security settings, and performance characteristics. Understanding each parameter enables fine-tuning for specific deployment requirements.

Create a detailed configuration file:

{
    "server": ["::0", "0.0.0.0"],
    "server_port": 8388,
    "local_address": "127.0.0.1",
    "local_port": 1080,
    "password": "ComplexSecurePassword123!",
    "method": "chacha20-ietf-poly1305",
    "timeout": 300,
    "mode": "tcp_and_udp",
    "fast_open": true,
    "workers": 1,
    "prefer_ipv6": false,
    "no_delay": true,
    "reuse_port": true
}

The server parameter accepts both IPv4 and IPv6 addresses, allowing dual-stack operation. Setting both “::0” and “0.0.0.0” enables the server to accept connections on all available network interfaces.

Password security is critical for preventing unauthorized access. Use a strong password containing uppercase and lowercase letters, numbers, and special characters. Consider using a password manager or random generator for maximum security.

The timeout parameter (measured in seconds) determines how long idle connections remain active before being closed. A value of 300 seconds (5 minutes) provides a good balance between resource conservation and user experience.

Encryption Method Selection and Security

Modern Shadowsocks implementations support multiple AEAD encryption methods that provide both confidentiality and authentication. Selecting the appropriate method impacts both security and performance characteristics.

Recommended encryption methods include:

  • chacha20-ietf-poly1305: Excellent performance on systems without hardware AES acceleration
  • aes-256-gcm: Optimal for systems with AES-NI instruction support
  • 2022-blake3-aes-256-gcm: Latest Shadowsocks 2022 protocol method with enhanced security

The ChaCha20-IETF-Poly1305 method provides superior performance on most server hardware while maintaining strong security properties. This algorithm is particularly effective on ARM-based systems and older x86 processors without dedicated AES instructions.

For maximum compatibility and security, avoid deprecated methods such as:

  • RC4-based ciphers (completely broken)
  • Non-AEAD methods like AES-256-CFB
  • Weak encryption algorithms

Advanced Configuration Parameters

Additional parameters enable performance optimization and specialized functionality:

{
    "fast_open": true,
    "workers": 4,
    "reuse_port": true,
    "no_delay": true,
    "mptcp": false
}

TCP Fast Open reduces connection establishment latency by allowing data transmission during the initial TCP handshake. Enable this feature on both client and server for optimal performance benefits.

The workers parameter controls the number of worker processes. Set this value based on CPU core count and expected concurrent connections. Start with 1 worker and increase based on performance testing results.

Firewall Configuration and Security

Proper firewall configuration ensures secure Shadowsocks operation while preventing unauthorized access and maintaining system security integrity.

Firewalld Configuration for AlmaLinux 10

Configure the firewall to allow Shadowsocks traffic through the designated port:

sudo firewall-cmd --permanent --add-port=8388/tcp
sudo firewall-cmd --permanent --add-port=8388/udp
sudo firewall-cmd --reload

This configuration opens both TCP and UDP ports for Shadowsocks operation. The permanent flag ensures rules persist across system reboots.

Create a dedicated firewall service definition for better management:

sudo nano /etc/firewalld/services/shadowsocks.xml

Add the service definition:

<?xml version="1.0" encoding="utf-8"?>
<service>
    <short>Shadowsocks</short>
    <description>Shadowsocks proxy server</description>
    <port protocol="tcp" port="8388"/>
    <port protocol="udp" port="8388"/>
</service>

Apply the custom service:

sudo firewall-cmd --permanent --add-service=shadowsocks
sudo firewall-cmd --reload

Enhanced Security Measures

Implement additional security layers to protect the Shadowsocks server from potential attacks and unauthorized access attempts.

Configure fail2ban for intrusion prevention:

sudo dnf install -y fail2ban
sudo systemctl enable --now fail2ban

Create a fail2ban filter for Shadowsocks:

sudo nano /etc/fail2ban/filter.d/shadowsocks.conf

Add the filter definition:

[Definition]
failregex = ^.*ERROR.*can.t decrypt payload.*<HOST>.*$
ignoreregex =

Configure SELinux policies if enabled:

sudo setsebool -P httpd_can_network_connect 1
sudo semanage port -a -t http_port_t -p tcp 8388

SELinux integration ensures Shadowsocks operates within the security framework provided by AlmaLinux 10 without compromising system security policies.

Service Management and Automation

Proper service management ensures reliable Shadowsocks operation with automatic startup, monitoring, and recovery capabilities.

Systemd Integration and Service Control

Enable and start the Shadowsocks service:

sudo systemctl enable --now shadowsocks-libev
sudo systemctl status shadowsocks-libev

The systemctl enable command configures automatic startup during system boot, while the –now flag starts the service immediately.

Monitor service logs for troubleshooting:

sudo journalctl -u shadowsocks-libev -f

Create service monitoring scripts:

#!/bin/bash
# Shadowsocks health check script
if ! systemctl is-active --quiet shadowsocks-libev; then
    echo "Shadowsocks service is down, restarting..."
    sudo systemctl restart shadowsocks-libev
    logger "Shadowsocks service restarted automatically"
fi

Add this script to crontab for automated monitoring:

crontab -e
*/5 * * * * /path/to/shadowsocks-check.sh

Process Management and Resource Monitoring

Monitor Shadowsocks resource usage and performance:

sudo ss -tulpn | grep :8388
sudo netstat -tulpn | grep shadowsocks

These commands display active network connections and listening ports associated with Shadowsocks processes.

Track memory and CPU usage:

sudo ps aux | grep shadowsocks
sudo top -p $(pgrep ss-server)

Client Configuration and Connection Testing

Proper client configuration ensures seamless connectivity between client applications and the Shadowsocks server.

Desktop Client Setup for AlmaLinux 10

Install a Shadowsocks client on the same system for testing:

sudo dnf install -y shadowsocks-libev-devel

Create a client configuration file:

nano ~/.config/shadowsocks/client.json

Configure the client connection:

{
    "server": "your-server-ip",
    "server_port": 8388,
    "local_address": "127.0.0.1",
    "local_port": 1080,
    "password": "YourSecurePasswordHere",
    "method": "chacha20-ietf-poly1305",
    "timeout": 300
}

Start the local client:

ss-local -c ~/.config/shadowsocks/client.json -v

The verbose flag (-v) provides detailed logging information useful for troubleshooting connection issues.

Browser and Application Configuration

Configure web browsers to use the SOCKS5 proxy:

For Firefox:

  1. Open Preferences → Network Settings
  2. Select “Manual proxy configuration”
  3. Set SOCKS Host: 127.0.0.1, Port: 1080
  4. Select “SOCKS v5”

For system-wide proxy configuration:

export http_proxy=socks5://127.0.0.1:1080
export https_proxy=socks5://127.0.0.1:1080

Connection Testing and Verification

Test the connection using curl:

curl --socks5-hostname 127.0.0.1:1080 http://httpbin.org/ip

This command routes the HTTP request through the Shadowsocks proxy and returns the external IP address as seen by the destination server.

Verify DNS resolution through the proxy:

curl --socks5-hostname 127.0.0.1:1080 https://dns.google.com/resolve?name=example.com

Performance Optimization and Tuning

Optimize Shadowsocks performance through system-level adjustments and configuration fine-tuning.

System-level Network Optimization

Modify kernel network parameters for improved performance:

sudo nano /etc/sysctl.conf

Add the following optimizations:

# TCP optimization
net.core.rmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_default = 262144
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

# Connection tracking
net.netfilter.nf_conntrack_max = 1000000
net.netfilter.nf_conntrack_tcp_timeout_established = 7200

# TCP congestion control
net.ipv4.tcp_congestion_control = bbr

Apply the changes:

sudo sysctl -p

These kernel parameter adjustments increase network buffer sizes and optimize TCP behavior for high-throughput proxy operations.

Shadowsocks-specific Performance Tuning

Configure worker processes based on system capabilities:

{
    "workers": 4,
    "prefer_ipv6": false,
    "reuse_port": true,
    "no_delay": true,
    "mptcp": false
}

The workers parameter should typically match the number of CPU cores available on the system. Start with fewer workers and increase based on actual performance testing results.

Enable TCP_NODELAY for reduced latency:

echo 'net.ipv4.tcp_nodelay = 1' | sudo tee -a /etc/sysctl.conf

Monitor connection statistics:

ss -s
netstat -i

Troubleshooting Common Issues

Address frequent problems encountered during Shadowsocks deployment and operation.

Connection and Network Diagnostics

Test port connectivity from external sources:

sudo netstat -tulpn | grep :8388
sudo ss -tulpn | grep :8388

Verify firewall rules are correctly applied:

sudo firewall-cmd --list-all
sudo iptables -L -n

Check for port conflicts or binding issues:

sudo lsof -i :8388
sudo fuser -v 8388/tcp

Configuration and Service Problems

Validate JSON configuration syntax:

python3 -m json.tool /etc/shadowsocks-libev/config.json

This command parses the configuration file and reports any syntax errors that might prevent Shadowsocks from starting correctly.

Check service status and error messages:

sudo systemctl status shadowsocks-libev --no-pager -l
sudo journalctl -u shadowsocks-libev --since "1 hour ago"

Performance and Stability Issues

Monitor system resources during operation:

sudo htop
sudo iotop
sudo nethogs

These tools provide real-time monitoring of CPU, disk I/O, and network usage, helping identify resource bottlenecks or unusual behavior patterns.

Check for memory leaks:

sudo smem -p | grep shadowsocks
sudo ps -o pid,vsz,rss,comm -p $(pgrep ss-server)

Review system logs for errors:

sudo dmesg | grep -i error
sudo journalctl --since "24 hours ago" | grep -i shadowsocks

Security Best Practices and Maintenance

Implementing comprehensive security measures ensures long-term reliable operation and protection against potential threats.

Regular Security Updates

Establish a maintenance schedule for system and package updates:

sudo dnf update shadowsocks-libev
sudo dnf update --security

Configure automatic security updates:

sudo dnf install -y dnf-automatic
sudo systemctl enable --now dnf-automatic-install.timer

The automatic update system ensures critical security patches are applied promptly without manual intervention.

Access Control and Monitoring

Implement connection logging and monitoring:

sudo tail -f /var/log/shadowsocks.log

Set up log rotation to prevent disk space issues:

sudo nano /etc/logrotate.d/shadowsocks

Add log rotation configuration:

/var/log/shadowsocks.log {
    daily
    rotate 7
    compress
    delaycompress
    missingok
    notifempty
    postrotate
        systemctl reload shadowsocks-libev
    endscript
}

Password and Key Management

Regularly rotate passwords and encryption keys:

openssl rand -base64 32

This command generates a cryptographically secure random password suitable for Shadowsocks authentication. Update the configuration file and restart the service after password changes.

Consider implementing key-based authentication for enhanced security:

{
    "server_port": 8388,
    "password": "user1:pass1,user2:pass2",
    "method": "chacha20-ietf-poly1305"
}

Congratulations! You have successfully installed Shadowsocks. Thanks for using this tutorial for installing Shadowsocks on AlmaLinux OS 10 system. For additional help or useful information, we recommend you check the official Shadowsocks website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!
Tags
r00t
Photo of r00t

r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.
Copyright © 2025 idroot.us | All Rights Reserved | Follow us for more Linux tutorials!
Back to top button