How To Install Shadowsocks on CentOS Stream 10

Setting up a secure and reliable proxy server has become increasingly important for privacy-conscious users and system administrators. Shadowsocks stands out as one of the most effective SOCKS5 proxy solutions available today. CentOS Stream 10, with its cutting-edge features and enhanced security framework, provides an excellent platform for deploying this powerful proxy technology.

CentOS Stream 10 introduces significant improvements including Linux kernel 6.12, Python 3.12, and x86_64_v3 microarchitecture requirements that leverage modern AVX, AVX2, and FMA instruction sets. These enhancements make it an ideal choice for running performance-critical applications like Shadowsocks servers. This comprehensive guide will walk through every aspect of installing, configuring, and optimizing Shadowsocks on CentOS Stream 10.

Whether deploying for personal use, organizational needs, or commercial applications, this tutorial covers three distinct installation methods, advanced security configurations, performance optimization techniques, and comprehensive troubleshooting strategies. The guide emphasizes best practices for maintaining a secure, high-performance proxy server that can handle substantial traffic loads while remaining undetectable by sophisticated traffic analysis systems.

Prerequisites and System Requirements

CentOS Stream 10 System Requirements

CentOS Stream 10 introduces strict hardware requirements that significantly impact installation compatibility. The most critical requirement is x86_64_v3 microarchitecture support, which mandates processors with AVX, AVX2, and FMA instruction sets. Modern Intel processors from Haswell generation (2013) and AMD processors from Excavator generation (2015) meet these requirements.

Memory requirements start at 2GB RAM minimum for basic installations, though 4GB or more is recommended for production Shadowsocks deployments. Storage requirements vary depending on installation method, with at least 20GB available disk space recommended for system updates and log files.

Network connectivity requires either a static IP address or properly configured dynamic DNS. Outbound internet access is essential for downloading packages and updates. Root or sudo privileges are mandatory for system-level configurations and service management.

Network and Security Prerequisites

Firewall configuration plays a crucial role in Shadowsocks deployment success. Default CentOS Stream 10 installations use firewalld, which requires specific port configurations for proxy traffic. Understanding basic iptables concepts helps troubleshoot complex networking scenarios.

Domain name configuration, while optional, significantly enhances security and usability. DNS propagation timing should be considered when planning deployments. SSL/TLS certificate management becomes important for advanced configurations involving traffic obfuscation.

Basic Linux command-line proficiency is essential for following this guide effectively. Familiarity with systemd service management, text editors like nano or vim, and package management using dnf will streamline the installation process.

Understanding Shadowsocks Variants

Shadowsocks-libev vs Shadowsocks Python Performance Analysis

Shadowsocks-libev represents the high-performance C implementation optimized for resource efficiency and speed. Written in C, it delivers superior memory management and CPU utilization compared to Python implementations. Production environments typically favor shadowsocks-libev for its stability and performance characteristics.

The original Python implementation remains popular for development and testing scenarios. It offers easier customization and debugging capabilities. However, Python’s Global Interpreter Lock (GIL) can limit performance under high concurrent connection loads.

Memory footprint differences are substantial. Shadowsocks-libev typically consumes 10-20MB RAM during normal operations, while Python implementations may use 50-100MB or more. CPU overhead shows similar patterns, with libev demonstrating better efficiency under load.

Security Features and Encryption Methods

Modern Shadowsocks implementations support AEAD (Authenticated Encryption with Associated Data) ciphers that provide both confidentiality and integrity protection. Recommended encryption methods include chacha20-ietf-poly1305 and aes-256-gcm, both offering excellent security profiles.

Deprecated stream ciphers like rc4-md5 and aes-256-cfb should be avoided due to known vulnerabilities. Traffic analysis resistance varies by encryption method, with AEAD ciphers providing superior protection against passive monitoring and active probing attacks.

Compatibility with CentOS Stream 10

CentOS Stream 10’s updated component stack provides excellent compatibility with modern Shadowsocks implementations. The included Python 3.12 supports all current Shadowsocks Python features, while updated compiler toolchains ensure optimal performance for compiled variants.

The rolling-release model of CentOS Stream means continuous security updates and performance improvements. This approach aligns well with Shadowsocks security requirements, ensuring access to latest cryptographic libraries and kernel-level optimizations.

Method 1: Installing Shadowsocks-libev via Snap

Installing Snap Package Manager

Snap package management provides containerized application deployment with automatic updates and security sandboxing. CentOS Stream 10 requires manual snap installation since it’s not included by default.

Begin by adding the EPEL repository, which contains additional packages not included in the base CentOS distribution:

sudo dnf install -y epel-release

Update the system to ensure all repositories are synchronized:

sudo dnf update -y

Install the snapd daemon that manages snap packages:

sudo dnf install -y snapd

Enable and start the snapd service:

sudo systemctl enable --now snapd.socket

Create the symbolic link required for snap functionality:

sudo ln -s /var/lib/snapd/snap /snap

Installing Shadowsocks-libev via Snap

Install shadowsocks-libev using the snap package manager:

sudo snap install shadowsocks-libev

Verify the installation by checking package information:

snap info shadowsocks-libev

The snap installation creates isolated directories for configuration and data storage. Configuration files are located in /var/snap/shadowsocks-libev/common/ instead of traditional system directories.

Advantages and Limitations of Snap Installation

Snap packages offer several significant advantages for Shadowsocks deployment. Automatic updates ensure access to latest security patches without manual intervention. The sandboxed environment provides additional security isolation from the host system.

However, snap packages have some drawbacks. They consume more disk space due to bundled dependencies. Performance may be slightly reduced compared to native installations due to the containerization overhead.

The snap approach works well for users prioritizing convenience and automatic updates over maximum performance optimization. It’s particularly suitable for development and testing environments where ease of management outweighs performance considerations.

Method 2: Installing Shadowsocks Python Version

Installing Python Dependencies

CentOS Stream 10 includes Python 3.12 by default, providing excellent compatibility with current Shadowsocks Python implementations. Additional packages are required for cryptographic operations and package management.

Install Python development tools and pip package manager:

sudo dnf install -y python3 python3-pip python3-devel

Install M2Crypto library for cryptographic operations:

sudo dnf install -y m2crypto python3-setuptools

Install additional development tools that may be required for some Python packages:

sudo dnf install -y gcc openssl-devel libffi-devel

Installing Shadowsocks via pip

Install Shadowsocks using Python’s package manager:

sudo pip3 install shadowsocks

Verify the installation by checking available commands:

ssserver --help
sslocal --help

Create a dedicated user for running Shadowsocks services:

sudo useradd --system --no-create-home --shell /bin/false shadowsocks

Python Version Considerations

The Python implementation offers advantages in specific scenarios. It provides easier debugging and customization capabilities. Development teams often prefer Python implementations for rapid prototyping and feature development.

Performance characteristics differ significantly from compiled implementations. Python’s interpreted nature and Global Interpreter Lock can limit concurrent connection handling. However, for moderate traffic loads, performance differences may be negligible.

Memory usage patterns show the Python implementation consuming more resources, particularly during high connection loads. CPU utilization also tends to be higher compared to equivalent C implementations.

Method 3: Compiling from Source

Installing Build Dependencies

Source compilation provides access to latest features and optimizations not available in packaged versions. This method requires installing comprehensive development tools and libraries.

Install development tools group:

sudo dnf groupinstall -y "Development Tools"

Install specific libraries required for Shadowsocks compilation:

sudo dnf install -y autoconf automake libtool pcre-devel asciidoc
sudo dnf install -y libev-devel libsodium-devel mbedtls-devel

Install Git for source code retrieval:

sudo dnf install -y git

Downloading and Compiling Shadowsocks-libev

Clone the official Shadowsocks-libev repository:

git clone https://github.com/shadowsocks/shadowsocks-libev.git
cd shadowsocks-libev

Initialize the build system:

./autogen.sh

Configure the build with optimization flags:

./configure --prefix=/usr/local

Compile the source code:

make -j$(nproc)

Install the compiled binaries:

sudo make install

Update the library cache:

sudo ldconfig

Source Compilation Benefits

Source compilation offers several advantages over packaged installations. Access to cutting-edge features and bug fixes not yet available in distribution packages. Custom compilation flags can optimize performance for specific hardware configurations.

The ability to apply patches or modifications provides flexibility for specialized requirements. Security-conscious users can audit source code before compilation, ensuring no backdoors or vulnerabilities exist.

However, source compilation requires ongoing maintenance. Security updates must be manually tracked and applied. The compilation process demands significant technical knowledge and troubleshooting skills.

Server Configuration

Creating Shadowsocks User and Directory Structure

Security best practices mandate running network services with minimal privileges. Create a dedicated system user for Shadowsocks operations:

sudo useradd --system --no-create-home --shell /bin/false --comment "Shadowsocks Service" shadowsocks

Establish proper directory structure for configuration files:

sudo mkdir -p /etc/shadowsocks
sudo mkdir -p /var/log/shadowsocks
sudo mkdir -p /var/lib/shadowsocks

Set appropriate ownership and permissions:

sudo chown shadowsocks:shadowsocks /var/log/shadowsocks /var/lib/shadowsocks
sudo chmod 755 /etc/shadowsocks
sudo chmod 750 /var/log/shadowsocks /var/lib/shadowsocks

Essential Configuration Parameters

Create the main configuration file /etc/shadowsocks/config.json:

{
    "server": ["::0", "0.0.0.0"],
    "server_port": 8388,
    "password": "your_secure_password_here",
    "method": "chacha20-ietf-poly1305",
    "timeout": 60,
    "fast_open": true,
    "mode": "tcp_and_udp",
    "nameserver": "8.8.8.8"
}

The server parameter binding to both IPv4 and IPv6 addresses ensures maximum compatibility. Using ["::0", "0.0.0.0"] enables dual-stack operation, supporting both protocol versions simultaneously.

Port selection significantly impacts security and functionality. Default port 8388 is commonly blocked by firewalls. Consider using ports 80, 443, or other common service ports to avoid detection.

Password strength directly correlates with security effectiveness. Generate cryptographically secure passwords using tools like openssl rand -base64 32 or dedicated password managers.

Advanced Configuration Options

Enable TCP Fast Open to reduce connection latency:

"fast_open": true

Configure both TCP and UDP protocol support:

"mode": "tcp_and_udp"

Specify custom DNS servers for domain resolution:

"nameserver": "1.1.1.1"

Add connection timeout settings:

"timeout": 300

Enable detailed logging for troubleshooting:

"verbose": true

Configuration File Security

Protect configuration files from unauthorized access:

sudo chmod 600 /etc/shadowsocks/config.json
sudo chown shadowsocks:shadowsocks /etc/shadowsocks/config.json

Consider using environment variables for sensitive data like passwords. This approach prevents credentials from appearing in process lists or configuration backups.

Regular configuration validation helps prevent service failures. Test configuration syntax using JSON validators or the shadowsocks server test mode.

Creating Systemd Service

Service File Creation

Systemd service management provides reliable process supervision and automatic restart capabilities. Create the service definition file /etc/systemd/system/shadowsocks.service:

[Unit]
Description=Shadowsocks-libev Server
Documentation=man:ss-server(1)
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
User=shadowsocks
Group=shadowsocks
LimitNOFILE=51200
ExecStart=/usr/local/bin/ss-server -c /etc/shadowsocks/config.json -u
ExecReload=/bin/kill -HUP $MAINPID
TimeoutStartSec=10
TimeoutStopSec=10
RestartSec=1
Restart=on-failure

[Install]
WantedBy=multi-user.target

Service Security Hardening

Enhance service security with additional systemd directives:

[Service]
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
ReadWritePaths=/var/log/shadowsocks /var/lib/shadowsocks
PrivateTmp=true

Service Management Commands

Reload systemd configuration after creating the service file:

sudo systemctl daemon-reload

Start the Shadowsocks service:

sudo systemctl start shadowsocks

Enable automatic startup:

sudo systemctl enable shadowsocks

Check service status:

sudo systemctl status shadowsocks

Monitor service logs:

sudo journalctl -u shadowsocks -f

Service Troubleshooting

Service startup failures often result from configuration errors or permission issues. Check service logs for detailed error messages:

sudo journalctl -u shadowsocks --since "5 minutes ago"

Validate configuration file syntax before starting the service. Test configuration using:

sudo -u shadowsocks /usr/local/bin/ss-server -c /etc/shadowsocks/config.json -t

Permission problems frequently cause service failures. Ensure the shadowsocks user can read configuration files and write to log directories.

Firewall Configuration

Firewalld Configuration

CentOS Stream 10 uses firewalld by default for network traffic management. Configure firewall rules to allow Shadowsocks traffic:

sudo firewall-cmd --permanent --add-port=8388/tcp
sudo firewall-cmd --permanent --add-port=8388/udp

Reload firewall configuration:

sudo firewall-cmd --reload

Verify current firewall rules:

sudo firewall-cmd --list-all

Advanced Firewall Rules

Create custom firewall zones for enhanced security:

sudo firewall-cmd --permanent --new-zone=shadowsocks
sudo firewall-cmd --permanent --zone=shadowsocks --add-port=8388/tcp
sudo firewall-cmd --permanent --zone=shadowsocks --add-port=8388/udp

Implement rate limiting to prevent abuse:

sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='0.0.0.0/0' port protocol='tcp' port='8388' accept limit value='100/m'"

Alternative iptables Configuration

For users preferring traditional iptables management:

sudo dnf install -y iptables-services
sudo systemctl disable --now firewalld
sudo systemctl enable --now iptables

Add iptables rules:

sudo iptables -A INPUT -p tcp --dport 8388 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 8388 -j ACCEPT
sudo service iptables save

Security Hardening

Encryption Method Selection

Modern AEAD ciphers provide the highest security levels for Shadowsocks deployments. Recommended encryption methods prioritize both security and performance:

• chacha20-ietf-poly1305: Excellent performance on systems without AES hardware acceleration. Provides strong security with efficient software implementation.
• aes-256-gcm: Optimal choice for systems with AES-NI hardware support. Offers excellent security with hardware-accelerated performance.
• aes-128-gcm: Balanced option providing good security with better performance than 256-bit variants. Suitable for resource-constrained environments.

Avoid deprecated stream ciphers like rc4-md5, aes-256-cfb, and chacha20. These methods lack authenticated encryption and are vulnerable to various attacks.

Password Security Best Practices

Generate cryptographically secure passwords using system random generators:

openssl rand -base64 32

Password complexity should exceed 20 characters with mixed character types. Avoid dictionary words, personal information, or predictable patterns.

Consider using passphrase-based passwords for better memorability while maintaining security. Tools like diceware generate secure passphrases using random word selection.

Traffic Obfuscation Considerations

Simple traffic obfuscation techniques can enhance resistance to deep packet inspection. Port selection plays a crucial role in avoiding detection:

• Port 80: HTTP traffic mimicry
• Port 443: HTTPS traffic mimicry
• Port 53: DNS traffic mimicry

Advanced obfuscation requires additional tools like simple-obfs or v2ray-plugin. These tools modify traffic patterns to resemble legitimate protocols.

Monitoring and Detection Resistance

Implement logging controls to balance security monitoring with privacy protection:

{
    "verbose": false,
    "log_file": "/var/log/shadowsocks/shadowsocks.log"
}

Log rotation prevents disk space exhaustion:

sudo tee /etc/logrotate.d/shadowsocks << EOF
/var/log/shadowsocks/*.log {
    daily
    rotate 7
    compress
    delaycompress
    copytruncate
    create 644 shadowsocks shadowsocks
}
EOF

Client Configuration Examples

Linux Client Setup

Install Shadowsocks client using snap:

sudo snap install shadowsocks-libev

Create client configuration /var/snap/shadowsocks-libev/common/client-config.json:

{
    "server": "your_server_ip",
    "server_port": 8388,
    "local_address": "127.0.0.1",
    "local_port": 1080,
    "password": "your_secure_password",
    "method": "chacha20-ietf-poly1305",
    "timeout": 60
}

Start the client service:

sudo systemctl start snap.shadowsocks-libev.ss-local-daemon

Windows and Mobile Configuration

Windows clients like Shadowsocks-Windows require similar configuration parameters. Download official clients from verified sources to avoid malware.

Mobile applications for Android and iOS provide user-friendly interfaces for configuration management. QR code scanning simplifies setup by encoding configuration parameters.

Browser Proxy Configuration

Configure browsers to use SOCKS5 proxy:

• Proxy address: 127.0.0.1
• Proxy port: 1080
• Protocol: SOCKS5

Browser extensions like SwitchyOmega provide advanced proxy management with automatic switching based on website patterns.

Performance Optimization

System-Level Optimizations

Optimize network stack parameters for high-performance proxy operations:

echo 'net.core.rmem_max = 134217728' | sudo tee -a /etc/sysctl.conf
echo 'net.core.wmem_max = 134217728' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv4.tcp_rmem = 4096 16384 134217728' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv4.tcp_wmem = 4096 65536 134217728' | sudo tee -a /etc/sysctl.conf

Apply sysctl changes:

sudo sysctl -p

Increase file descriptor limits for high concurrent connections:

echo '* soft nofile 51200' | sudo tee -a /etc/security/limits.conf
echo '* hard nofile 51200' | sudo tee -a /etc/security/limits.conf

Shadowsocks-Specific Tuning

Enable TCP Fast Open for reduced connection latency:

echo 'net.ipv4.tcp_fastopen = 3' | sudo tee -a /etc/sysctl.conf

Optimize TCP congestion control:

echo 'net.ipv4.tcp_congestion_control = bbr' | sudo tee -a /etc/sysctl.conf

Configure connection tracking for high traffic volumes:

echo 'net.netfilter.nf_conntrack_max = 1000000' | sudo tee -a /etc/sysctl.conf

Monitoring Performance Metrics

Install system monitoring tools:

sudo dnf install -y htop iotop nethogs

Monitor CPU usage specific to Shadowsocks processes:

top -p $(pgrep ss-server)

Track network connection statistics:

ss -tuln | grep :8388

Monitor bandwidth usage:

nethogs -p ss-server

Troubleshooting Common Issues

Connection Problems

Port accessibility testing helps identify network connectivity issues:

nmap -p 8388 your_server_ip

Test local service binding:

netstat -tlnp | grep :8388

Verify DNS resolution functionality:

dig @8.8.8.8 google.com

Service-Related Issues

Analyze service logs for error patterns:

sudo journalctl -u shadowsocks --since "1 hour ago" | grep -i error

Common log error messages and solutions:

• “Address already in use”: Check for conflicting services on the same port
• “Permission denied”: Verify file permissions and user privileges
• “No route to host”: Check firewall rules and network connectivity

Validate configuration file syntax:

python3 -m json.tool /etc/shadowsocks/config.json

Performance Issues

Monitor resource utilization during high traffic:

sudo iotop -o -d 1

Identify memory leaks:

valgrind --leak-check=full ss-server -c /etc/shadowsocks/config.json

Network latency optimization:

ping -c 10 your_server_ip
traceroute your_server_ip

Security Concerns

Detect potential blocking attempts:

sudo grep "refused" /var/log/shadowsocks/shadowsocks.log

Monitor unusual connection patterns:

sudo netstat -an | grep :8388 | wc -l

Analyze traffic patterns for anomalies:

sudo tcpdump -i any port 8388 -c 100

Maintenance and Updates

Regular Update Procedures

Snap package automatic updates:

sudo snap refresh shadowsocks-libev

System package updates compatible with CentOS Stream’s rolling model:

sudo dnf update -y

Source compilation updates require manual tracking:

cd shadowsocks-libev
git pull origin master
make clean && make -j$(nproc) && sudo make install

Backup and Recovery

Create comprehensive configuration backups:

sudo tar -czf shadowsocks-backup-$(date +%Y%m%d).tar.gz /etc/shadowsocks /etc/systemd/system/shadowsocks.service

Automate backup procedures:

sudo tee /etc/cron.daily/shadowsocks-backup << 'EOF'
#!/bin/bash
tar -czf /backup/shadowsocks-$(date +%Y%m%d).tar.gz /etc/shadowsocks
find /backup -name "shadowsocks-*.tar.gz" -mtime +30 -delete
EOF
sudo chmod +x /etc/cron.daily/shadowsocks-backup

Monitoring and Alerting

Basic service monitoring script:

#!/bin/bash
if ! systemctl is-active --quiet shadowsocks; then
    echo "Shadowsocks service is down" | mail -s "Service Alert" admin@example.com
    systemctl restart shadowsocks
fi

Log management and rotation ensure sustainable operations:

sudo journalctl --vacuum-time=7d

Congratulations! You have successfully installed Shadowsocks. Thanks for using this tutorial for installing Shadowsocks fast tunnel proxy on CentOS Stream 10 system. For additional help or useful information, we recommend you check the official Shadowsocks website.