How To Install Shadowsocks on Debian 13

Internet privacy and censorship circumvention have become critical concerns for users worldwide. Shadowsocks, a lightweight and secure SOCKS5 proxy protocol, offers an effective solution for bypassing internet restrictions while maintaining high performance. With the release of Debian 13 “Trixie” in August 2025, system administrators and privacy-conscious users now have a stable, modern platform for deploying their own Shadowsocks server.

This comprehensive guide walks you through the complete installation and configuration process of Shadowsocks on Debian 13. You’ll learn multiple installation methods, security hardening techniques, performance optimization strategies, and troubleshooting solutions. Whether you’re a seasoned Linux administrator or someone taking their first steps into self-hosted proxy solutions, this tutorial provides everything you need to establish a secure, efficient Shadowsocks server.

Understanding Shadowsocks

Core Functionality

Shadowsocks functions as an encrypted SOCKS5 proxy designed specifically to circumvent internet censorship while maintaining excellent performance characteristics. Unlike traditional VPN protocols that encapsulate all network traffic, Shadowsocks operates at the application layer, offering greater flexibility and efficiency.

The protocol excels at evading deep packet inspection (DPI) systems used by firewalls and content filters. Its traffic appears similar to standard HTTPS connections, making it significantly harder to detect and block compared to conventional VPN protocols like OpenVPN or IPSec.

Primary use cases include bypassing geographical restrictions, protecting browsing privacy on untrusted networks, accessing region-locked content, and maintaining secure communications in restrictive network environments. The lightweight design makes it particularly suitable for resource-constrained servers and mobile devices.

Technical Architecture

Shadowsocks implements a client-server architecture where the client encrypts outgoing requests and forwards them to the remote server, which then decrypts and relays the traffic to the intended destination. Return traffic follows the reverse path, maintaining end-to-end encryption between client and server.

Modern implementations support advanced encryption methods including ChaCha20-IETF-Poly1305 and AES-256-GCM, both providing authenticated encryption with associated data (AEAD). ChaCha20-IETF-Poly1305 delivers exceptional performance on systems without AES hardware acceleration, while AES-256-GCM leverages CPU instruction sets like AES-NI for optimal speed on modern processors.

The protocol’s performance advantages stem from its minimalist design and efficient encryption algorithms. Compared to OpenVPN, Shadowsocks typically exhibits lower latency and higher throughput, particularly on connections with packet loss or high latency.

System Requirements and Prerequisites

Hardware and Software Requirements

Your Debian 13 Trixie system should meet minimum specifications to ensure smooth Shadowsocks operation. A server with at least 512MB of RAM suffices for light usage, though 1GB or more is recommended for production deployments handling multiple concurrent connections.

Ensure you have a fresh Debian 13 installation or a properly upgraded system from Debian 12. The Trixie release includes updated kernel components, OpenSSL improvements, and modernized networking stack that enhance Shadowsocks performance.

Root or sudo privileges are essential for package installation, system configuration, and firewall management. An active internet connection with unrestricted access to Debian repositories is required for downloading packages and dependencies.

Required Knowledge

Basic familiarity with Linux command line operations is necessary. You should be comfortable executing commands, editing configuration files using text editors like nano or vim, and navigating the filesystem.

Understanding SSH access helps manage remote servers securely. Knowledge of basic networking concepts including IP addresses, ports, and firewall rules proves beneficial when configuring Shadowsocks and troubleshooting connectivity issues.

Server Recommendations

For optimal performance, consider deploying Shadowsocks on a Virtual Private Server (VPS) from reputable providers such as DigitalOcean, Vultr, Linode, or similar cloud infrastructure platforms. Server location significantly impacts latency and accessibility, so choose a geographic region that aligns with your connectivity needs.

Network bandwidth and latency characteristics affect user experience. Select servers with generous bandwidth allocations and low-latency connections to your target regions. Most providers offer 1TB or more monthly bandwidth, which proves adequate for personal use.

Install Shadowsocks-libev from Debian Repositories

Step 1: Update System Packages

Begin by updating your Debian 13 system to ensure all packages reflect the latest versions. Open your terminal and execute the following commands with root or sudo privileges:

sudo apt update
sudo apt upgrade -y

The first command refreshes package lists from Debian repositories, while the second upgrades installed packages to their newest versions. This process ensures compatibility and incorporates security patches. Debian 13 includes APT 3.0 with improved dependency resolution and faster package operations.

After the upgrade completes, consider rebooting if kernel updates were installed. Check for pending reboots with ls /var/run/reboot-required – if this file exists, restart your system before proceeding.

Step 2: Install Shadowsocks-libev Package

Shadowsocks-libev, the C implementation of Shadowsocks, is available directly in Debian 13 repositories. Install it using the following command:

sudo apt install shadowsocks-libev -y

The package manager automatically resolves and installs required dependencies including libev, libsodium, libmbedtls, and other cryptographic libraries. Debian 13 typically includes shadowsocks-libev version 3.3.5 or newer, incorporating the latest security enhancements and performance optimizations.

Installation takes only a few moments on modern systems. The package includes both server components (ss-server) and client tools (ss-local, ss-tunnel), providing a complete Shadowsocks solution.

Step 3: Verify Installation

Confirm successful installation by checking the installed version and verifying systemd service files:

ss-server --help
systemctl status shadowsocks-libev

The first command displays version information and available options for the Shadowsocks server. The second shows the current status of the systemd service. On fresh installations, the service may be stopped or running with default configuration.

Verify binary locations to ensure proper installation:

which ss-server
which ss-local

These commands should return /usr/bin/ss-server and /usr/bin/ss-local, confirming binaries are correctly placed in the system path.

Advantages of Repository Method

Installing from official Debian repositories offers multiple benefits. This method provides the easiest and most reliable installation approach, particularly suitable for users new to Shadowsocks or Linux server administration.

Automatic security updates arrive through the standard APT package management system. When Debian security team releases patches, your Shadowsocks installation updates alongside other system packages during regular maintenance cycles.

Native systemd integration simplifies service management. The package includes pre-configured service units that handle automatic startup, logging, and process supervision without manual configuration.

Configuring Shadowsocks Server

Understanding the Configuration File

Shadowsocks uses JSON-formatted configuration files located in /etc/shadowsocks-libev/. The primary server configuration file is config.json, which defines server behavior, encryption settings, and connection parameters.

JSON structure requires precise formatting with proper brackets, commas, and quotation marks. Syntax errors prevent service startup, so maintain careful attention to formatting when editing configuration files.

Key parameters control server listening addresses, ports, authentication credentials, encryption methods, timeout values, and operational modes. Understanding each parameter enables optimal configuration for your specific use case.

Creating Server Configuration

Before modifying the default configuration, create a backup for reference and recovery purposes:

sudo cp /etc/shadowsocks-libev/config.json /etc/shadowsocks-libev/config.json.backup

Open the configuration file using your preferred text editor:

sudo nano /etc/shadowsocks-libev/config.json

Replace the existing content with the following optimized configuration template:

{
    "server":["::0","0.0.0.0"],
    "server_port":8388,
    "local_address":"127.0.0.1",
    "local_port":1080,
    "password":"YourStrongPasswordHere",
    "timeout":300,
    "method":"chacha20-ietf-poly1305",
    "mode":"tcp_and_udp",
    "fast_open":false
}

The server parameter accepts both IPv4 (0.0.0.0) and IPv6 (::0) addresses, enabling the server to listen on all available network interfaces. This dual-stack configuration ensures compatibility with both IPv4 and IPv6 clients.

Set server_port to your chosen listening port. Port 8388 serves as the conventional default, though selecting a random high port (1024-65535) may reduce automated scanning attempts.

The password field requires a strong, unique passphrase for client authentication. Never use default or weak passwords, as they compromise security and enable unauthorized access.

Configure timeout between 60 and 300 seconds based on your network characteristics. Lower values free resources faster but may disconnect clients on unstable connections.

The mode parameter determines protocol handling. Options include tcp_only, udp_only, or tcp_and_udp. Most deployments benefit from tcp_and_udp for maximum compatibility.

Set fast_open to false initially for broadest compatibility. TCP Fast Open reduces latency but requires kernel 3.7.1 or newer and proper system configuration.

Choosing Encryption Methods

Selecting the appropriate encryption method significantly impacts both security and performance. Modern AEAD cipher recommendations include:

ChaCha20-IETF-Poly1305: This method delivers exceptional performance on ARM processors and systems without AES hardware acceleration. It represents the recommended choice for most VPS environments and mobile devices.

AES-256-GCM: When running on recent Intel or AMD processors with AES-NI instruction sets, this cipher leverages hardware acceleration for optimal throughput. Modern x86_64 servers typically achieve better performance with AES-256-GCM compared to ChaCha20.

AES-128-GCM: Offers slightly better performance than AES-256-GCM while maintaining strong security. The 128-bit key length provides more than adequate protection for proxy traffic.

Avoid deprecated stream ciphers including AES-256-CFB, AES-128-CFB, RC4-MD5, and other non-AEAD methods. These older algorithms lack authenticated encryption and suffer from various cryptographic weaknesses.

Generating Secure Passwords

Create cryptographically strong passwords using OpenSSL’s random number generator:

openssl rand -base64 32

This command generates a 32-byte random value encoded in Base64, producing a 44-character password with excellent entropy. Copy the output directly into your configuration file’s password field.

Password length should exceed 16 characters minimum, though longer passwords provide additional security margin. Include diverse character types without relying on predictable patterns or dictionary words.

Opening Required Firewall Ports

UFW Configuration

Debian 13 typically includes UFW (Uncomplicated Firewall) for simplified firewall management. If UFW isn’t installed, add it using:

sudo apt install ufw -y

Before enabling UFW, configure SSH access to prevent lockout from remote systems:

sudo ufw allow 22/tcp

This rule permits incoming SSH connections on port 22. Adjust the port number if you’ve configured SSH on a non-standard port.

Open your chosen Shadowsocks port (replace 8388 with your configured port):

sudo ufw allow 8388/tcp
sudo ufw allow 8388/udp

Enable UFW to activate the firewall rules:

sudo ufw enable

Verify active rules to confirm proper configuration:

sudo ufw status verbose

The output displays all active firewall rules. Ensure SSH and Shadowsocks ports appear in the allowed list.

iptables Alternative

For direct iptables manipulation, use these commands to permit Shadowsocks traffic:

sudo iptables -A INPUT -p tcp --dport 8388 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 8388 -j ACCEPT

Save rules to persist across reboots:

sudo apt install iptables-persistent -y
sudo netfilter-persistent save

The iptables-persistent package automatically restores firewall rules during system startup.

Cloud Provider Firewall

Many VPS providers implement additional security groups or cloud firewalls external to your server. Log into your provider’s control panel and configure inbound rules permitting traffic on your Shadowsocks port.

Amazon AWS users must modify Security Group rules. DigitalOcean requires Cloud Firewall configuration. Consult your provider’s documentation for specific procedures.

Service Management with Systemd

Start Shadowsocks Service

Launch the Shadowsocks server using systemd service management:

sudo systemctl start shadowsocks-libev

Enable automatic service startup at system boot:

sudo systemctl enable shadowsocks-libev

Verify the service is running properly:

sudo systemctl status shadowsocks-libev

The status output displays active (running) in green if the service started successfully. Any errors appear in red with diagnostic messages indicating configuration problems.

Service Management Commands

Systemd provides comprehensive service control commands for managing Shadowsocks:

Stop the service:

sudo systemctl stop shadowsocks-libev

Restart the service (useful after configuration changes):

sudo systemctl restart shadowsocks-libev

Reload configuration without disconnecting active clients:

sudo systemctl reload shadowsocks-libev

Disable automatic startup:

sudo systemctl disable shadowsocks-libev

Monitoring and Logs

View real-time service logs using journalctl:

sudo journalctl -u shadowsocks-libev -f

The -f flag follows log output, displaying new entries as they occur. Press Ctrl+C to exit log viewing.

Review recent log entries without following:

sudo journalctl -u shadowsocks-libev -n 50

This command shows the last 50 log lines from the Shadowsocks service. Adjust the number to view more or fewer entries.

Common log messages include client connections, authentication attempts, and error conditions. Monitor logs during initial setup to identify configuration issues quickly.

Setting Up Shadowsocks Client

Linux Desktop Client

On your Debian or Ubuntu desktop system, install the shadowsocks-libev client package:

sudo apt install shadowsocks-libev -y

Stop the server service since desktop systems only require client functionality:

sudo systemctl stop shadowsocks-libev
sudo systemctl disable shadowsocks-libev

Create a client configuration file with a descriptive name:

sudo nano /etc/shadowsocks-libev/us-west.json

Insert the following configuration, matching your server settings:

{
    "server":"your-server-ip",
    "server_port":8388,
    "local_address":"127.0.0.1",
    "local_port":1080,
    "password":"YourStrongPasswordHere",
    "timeout":300,
    "method":"chacha20-ietf-poly1305"
}

Replace your-server-ip with your Shadowsocks server’s public IP address.

Start the client using the template service:

sudo systemctl start shadowsocks-libev-local@us-west
sudo systemctl enable shadowsocks-libev-local@us-west

The ss-local process now listens on 127.0.0.1:1080, ready to proxy applications through your Shadowsocks server.

Windows Client Setup

Download Shadowsocks-Windows from the official GitHub repository. Extract the archive and launch the executable.

Click the paper airplane icon in the system tray and select “Servers” > “Edit Servers”. Enter your server configuration:

• Server IP: Your Shadowsocks server address
• Server Port: 8388 (or your custom port)
• Password: Your configured password
• Encryption: chacha20-ietf-poly1305

Save the configuration and enable “System Proxy” mode. Windows now routes traffic through your Shadowsocks server.

Android Client

Install the official Shadowsocks Android app from Google Play Store or F-Droid. Launch the app and tap the plus icon to add a server profile.

Enter your server details manually or use the QR code import feature. If using manual entry, provide the server address, port, password, and encryption method matching your server configuration.

Tap the connection button to establish the proxy tunnel. Android routes all traffic through Shadowsocks when the VPN icon appears in the status bar.

iOS/macOS Client

For iOS devices, install Shadowrocket, Potatso Lite, or similar Shadowsocks-compatible apps from the App Store. These apps require one-time purchase or subscription fees.

macOS users can install ShadowsocksX-NG, an open-source client with native integration. Download from the GitHub releases page and drag to Applications folder.

Configure the client with your server credentials. Enable the proxy to route macOS network traffic through your Shadowsocks server.

Verify Shadowsocks Functionality

Connection Testing Methods

Test your Shadowsocks connection using curl with SOCKS5 proxy support:

curl --socks5 127.0.0.1:1080 https://ifconfig.me

This command routes the request through your local Shadowsocks client to the server. The output displays your Shadowsocks server’s public IP address if configured correctly.

Configure your browser to use SOCKS5 proxy at 127.0.0.1:1080 for comprehensive testing. Firefox offers built-in proxy configuration under Settings > Network Settings > Manual proxy configuration.

Visit IP checking websites like ifconfig.me, whatismyip.com, or ipleak.net to verify your IP address appears as your Shadowsocks server location.

Performance Testing

Measure connection performance using speed test tools through your proxy. Run speed tests with and without Shadowsocks to compare performance impact.

Execute ping tests to assess latency:

ping -c 10 your-server-ip

Lower latency values indicate better responsiveness. Typical values range from 10-50ms for same-continent servers and 100-300ms for intercontinental connections.

Troubleshooting Connection Issues

If connections fail, verify the server is listening on the configured port:

sudo ss -tulpn | grep ss-server

This command displays active network listeners. Confirm ss-server appears on your configured port.

Test server reachability from your client:

telnet your-server-ip 8388

Successful connection indicates the server is accessible and firewall rules permit traffic. Connection refused suggests firewall blockage or service not running.

Validate JSON configuration syntax using jq or online validators:

cat /etc/shadowsocks-libev/config.json | jq .

The jq tool highlights syntax errors preventing service startup.

Security Best Practices

Server Security

Enhance SSH security by implementing key-based authentication. Generate an SSH key pair on your local machine:

ssh-keygen -t ed25519 -C "your-email@example.com"

Copy the public key to your server:

ssh-copy-id user@your-server-ip

Disable password authentication by editing /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

Set these parameters:

PasswordAuthentication no
PermitRootLogin prohibit-password

Restart SSH service to apply changes:

sudo systemctl restart sshd

Install and configure fail2ban to block repeated failed authentication attempts:

sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Maintain regular system updates to incorporate security patches:

sudo apt update && sudo apt upgrade -y

Schedule automatic updates using unattended-upgrades:

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades

Shadowsocks Security Enhancements

Use only modern AEAD encryption methods providing authenticated encryption. Avoid deprecated stream ciphers vulnerable to cryptographic attacks.

Implement password rotation every 90 days to limit exposure from potential credential compromise. Update both server configuration and client profiles when changing passwords.

Consider changing the default port from 8388 to a random high port. Non-standard ports reduce automated scanning and opportunistic attack attempts.

Disable unused protocols if your clients don’t require UDP functionality. TCP-only mode reduces attack surface:

"mode":"tcp_only"

Set appropriate timeout values balancing resource utilization and connection stability. Values between 180-300 seconds work well for most scenarios.

Traffic Obfuscation

Advanced users may implement obfuscation plugins to further disguise Shadowsocks traffic. The simple-obfs plugin wraps traffic to resemble standard HTTP or TLS connections.

Install simple-obfs from Debian repositories:

sudo apt install simple-obfs -y

Modify your Shadowsocks configuration to utilize the plugin:

{
    "server":["::0","0.0.0.0"],
    "server_port":8388,
    "password":"YourStrongPasswordHere",
    "timeout":300,
    "method":"chacha20-ietf-poly1305",
    "plugin":"obfs-server",
    "plugin_opts":"obfs=tls"
}

The v2ray-plugin offers more sophisticated obfuscation, though configuration complexity increases significantly.

Monitoring and Intrusion Detection

Establish log monitoring to detect unusual activity patterns. Review logs regularly for authentication failures, connection floods, or suspicious client behavior.

Implement connection rate limiting to prevent resource exhaustion attacks. While Shadowsocks lacks built-in rate limiting, iptables rules can restrict connections per IP:

sudo iptables -A INPUT -p tcp --dport 8388 -m connlimit --connlimit-above 10 -j REJECT

This rule rejects connections exceeding 10 simultaneous sessions per source IP.

Optimizing Shadowsocks Performance

TCP Tuning

Optimize Linux kernel parameters for improved network performance. Edit /etc/sysctl.conf:

sudo nano /etc/sysctl.conf

Add these optimizations:

net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 65536 33554432
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_congestion_control = bbr

Apply changes immediately:

sudo sysctl -p

These settings increase socket buffer sizes and enable BBR congestion control, significantly improving throughput on high-latency connections.

Enable TCP Fast Open for reduced connection establishment latency:

echo "net.ipv4.tcp_fastopen = 3" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Update Shadowsocks configuration to utilize TCP Fast Open:

"fast_open":true

Resource Allocation

Adjust systemd service limits for high-traffic deployments. Create an override file:

sudo systemctl edit shadowsocks-libev

Add resource limit configurations:

[Service]
LimitNOFILE=51200

This increases the maximum open file descriptors, preventing connection refusal under heavy load.

Encryption Method Selection

Benchmark different encryption methods on your specific hardware. ChaCha20-IETF-Poly1305 generally performs better on ARM processors and older x86 CPUs without AES-NI.

Modern Intel and AMD processors with AES-NI instruction sets achieve superior throughput using AES-256-GCM. Check CPU capabilities:

cat /proc/cpuinfo | grep aes

If “aes” appears in the output, your CPU supports hardware-accelerated AES encryption.

Debian 13 includes OpenSSL 3.0 with enhanced cryptographic performance and modern algorithm support, benefiting all encryption operations.

Advanced Setup Options

Multiple Users Setup

Configure Shadowsocks manager mode for multi-user deployments with individual authentication. Create separate configuration profiles for each user with unique passwords and ports.

Generate port assignments systematically:

# User 1: Port 8388
# User 2: Port 8389
# User 3: Port 8390

Create individual configuration files:

sudo nano /etc/shadowsocks-libev/user1.json

Start multiple instances using templated services:

sudo systemctl start shadowsocks-libev@user1
sudo systemctl start shadowsocks-libev@user2

DNS Configuration

Prevent DNS leaks by specifying custom DNS servers in client configurations. Add these parameters:

{
    "nameserver":"1.1.1.1",
    "mode":"tcp_and_udp"
}

Cloudflare’s 1.1.1.1 and Google’s 8.8.8.8 serve as popular public DNS options.

Implement DNS-over-HTTPS (DoH) on client systems for enhanced privacy. Install cloudflared or dnscrypt-proxy to encrypt DNS queries.

IPv6 Support

Debian 13 offers excellent IPv6 support out of the box. Configure dual-stack listening in your Shadowsocks configuration:

"server":["::0","0.0.0.0"]

This configuration accepts both IPv4 and IPv6 connections simultaneously.

For IPv6-only deployments, specify only the IPv6 address:

"server":"::0"

Test IPv6 connectivity from clients:

curl -6 --socks5 127.0.0.1:1080 https://ifconfig.me

Troubleshooting Guide

Installation Issues

Package not found errors: Ensure your APT sources list includes main repositories:

sudo nano /etc/apt/sources.list

Verify lines include “main” component:

deb http://deb.debian.org/debian trixie main

Update package lists:

sudo apt update

Dependency conflicts: Resolve using:

sudo apt --fix-broken install

Connection Problems

Connection refused errors: Verify service is running:

sudo systemctl status shadowsocks-libev

Check listening ports:

sudo ss -tulpn | grep 8388

Confirm firewall permits traffic:

sudo ufw status

Timeout issues: Increase timeout value in configuration:

"timeout":600

Test server reachability:

ping your-server-ip

Authentication failures: Verify password matches between server and client exactly. JSON configuration is case-sensitive and whitespace-sensitive.

Wrong encryption method symptoms: Clients connecting with mismatched encryption methods fail silently or display generic connection errors. Ensure both server and all clients specify identical method parameters.

Performance Issues

Slow connection speeds: Test without Shadowsocks to isolate the issue:

curl -o /dev/null https://speed.cloudflare.com/__down?bytes=100000000

Compare results with proxy enabled:

curl --socks5 127.0.0.1:1080 -o /dev/null https://speed.cloudflare.com/__down?bytes=100000000

Enable TCP BBR congestion control and increase buffer sizes as described in the performance optimization section.

High latency troubleshooting: Measure per-hop latency using mtr:

mtr -r -c 100 your-server-ip

Identify network segments introducing delay. Consider relocating your server closer to your geographic location.

CPU usage optimization: Switch to AES-256-GCM if your processor supports AES-NI hardware acceleration:

lscpu | grep aes

Monitor resource consumption:

top -u nobody

Service Management Issues

Service fails to start: Examine detailed error messages:

sudo journalctl -u shadowsocks-libev -n 100 --no-pager

Configuration file errors: Validate JSON syntax:

python3 -m json.tool /etc/shadowsocks-libev/config.json

Valid JSON produces formatted output. Syntax errors display specific line numbers and error descriptions.

Permission problems: Ensure configuration files have appropriate ownership:

sudo chown root:root /etc/shadowsocks-libev/config.json
sudo chmod 644 /etc/shadowsocks-libev/config.json

Keeping Shadowsocks Updated

Regular Maintenance Tasks

Establish a systematic update schedule. Monthly system updates incorporate security patches and bug fixes:

sudo apt update
sudo apt upgrade -y
sudo apt autoremove -y

Check Shadowsocks version periodically:

ss-server --help | head -1

Compare against the latest release on the official GitHub repository.

Backup configuration files before updates:

sudo cp /etc/shadowsocks-libev/config.json /etc/shadowsocks-libev/config.json.backup-$(date +%Y%m%d)

Implement log rotation to prevent disk space exhaustion:

sudo nano /etc/logrotate.d/shadowsocks-libev

Add rotation configuration:

/var/log/shadowsocks-libev/*.log {
    daily
    rotate 7
    compress
    delaycompress
    missingok
    notifempty
}

Upgrading Shadowsocks

Debian’s package management system handles Shadowsocks updates automatically during system upgrades. Check for available updates:

sudo apt list --upgradable | grep shadowsocks

Install Shadowsocks updates specifically:

sudo apt install --only-upgrade shadowsocks-libev

Review release notes for breaking changes before major version upgrades. Test new versions in non-production environments first.

Rollback procedures involve reinstalling previous package versions:

sudo apt install shadowsocks-libev=<previous-version>

Monitoring Server Health

Track resource utilization using monitoring tools:

sudo apt install htop -y
htop

Monitor active connections:

sudo ss -s

Implement automated health checks using cron jobs:

crontab -e

Add monitoring script execution:

*/5 * * * * systemctl is-active --quiet shadowsocks-libev || systemctl restart shadowsocks-libev

This automatically restarts Shadowsocks if the service stops unexpectedly.

Installing Shadowsocks from Source Code

When to Compile from Source

Most users should rely on Debian repository packages for stability and automatic updates. Compile from source only when requiring bleeding-edge features unavailable in packaged versions, implementing custom modifications, or needing specific version compatibility.

Prerequisites for Building

Install development tools and dependencies:

sudo apt install -y --no-install-recommends \
    gettext build-essential autoconf libtool \
    libpcre3-dev asciidoc xmlto libev-dev \
    libudns-dev automake libmbedtls-dev \
    libsodium-dev git python3-m2crypto \
    libc-ares-dev

Debian 13 includes GCC 14.2, providing modern C compiler features and optimizations.

Compilation Steps

Clone the official repository:

cd /opt
sudo git clone https://github.com/shadowsocks/shadowsocks-libev.git
cd shadowsocks-libev

Initialize submodules:

sudo git submodule update --init --recursive

Generate build configuration:

sudo ./autogen.sh
sudo ./configure

Compile and install:

sudo make
sudo make install

Create systemd service file manually:

sudo nano /etc/systemd/system/shadowsocks-libev.service

Add service configuration following templates from Debian package or official documentation.

Maintenance Considerations

Source installations require manual updates. Monitor the GitHub repository for security advisories and new releases.

No automatic security updates arrive through APT. Establish procedures for regularly pulling updates and recompiling.

This approach suits advanced users comfortable with manual system administration. Production deployments should strongly prefer package-based installations.

Responsible Use Guidelines

Legal Compliance

Understand local regulations regarding proxy server operation and usage. Some jurisdictions restrict or prohibit circumvention tools. Research applicable laws in your country and server location before deployment.

Review terms of service for your VPS provider. Some hosting companies prohibit proxy services or implement usage restrictions. Violating TOS may result in service termination.

Appropriate use cases include personal privacy protection, secure remote access to home networks, development and testing environments, and legitimate business purposes. Avoid facilitating illegal activities or violating third-party terms of service.

Ethical Usage

Deploy Shadowsocks for personal privacy protection rather than commercial resale without proper authorization. Respect intellectual property rights and content licensing agreements.

Don’t share server access indiscriminately. Each additional user increases security risks and resource consumption. Implement proper authentication and access controls for any shared deployments.

Consider privacy implications for users. While Shadowsocks encrypts traffic between client and server, the server operator can theoretically monitor forwarded traffic. Establish clear privacy policies if operating servers for others.

Congratulations! You have successfully installed Shadowsocks. Thanks for using this tutorial for installing Shadowsocks on Debian 13 “Trixie” system. For additional help or useful information, we recommend you check the official Shadowsocks website.