How To Install Shadowsocks on Rocky Linux 10

Setting up a secure and efficient proxy server has become essential for maintaining internet privacy and bypassing geographical restrictions. Shadowsocks emerges as a powerful solution that combines robust encryption with high-performance networking capabilities, making it an ideal choice for users seeking reliable proxy services. Rocky Linux 10, with its enterprise-grade stability and cutting-edge security features, provides the perfect foundation for hosting a Shadowsocks server that delivers exceptional performance and reliability.

This comprehensive guide walks through every aspect of installing and configuring Shadowsocks on Rocky Linux 10, from initial system preparation to advanced optimization techniques. Whether you’re a system administrator managing enterprise infrastructure or an individual user seeking enhanced online privacy, this tutorial provides the expertise needed to deploy a production-ready Shadowsocks server.

What is Shadowsocks and Why Use It?

Understanding Shadowsocks Protocol

Shadowsocks represents a sophisticated proxy protocol that utilizes the SOCKS5 framework enhanced with military-grade encryption capabilities. Unlike traditional VPN solutions that create full tunnel connections, Shadowsocks operates through a client-server model where encrypted traffic flows through a lightweight proxy server. The protocol employs Authenticated Encryption with Associated Data (AEAD) ciphers, providing both confidentiality and integrity protection for transmitted data.

The architecture separates the client and server components, allowing for flexible deployment scenarios and efficient resource utilization. This design enables Shadowsocks to maintain high throughput while preserving strong security characteristics that protect against various network attacks and surveillance techniques.

Benefits of Shadowsocks

The primary advantages of Shadowsocks include exceptional performance characteristics that surpass traditional VPN solutions, particularly in high-latency network environments. Modern AEAD encryption methods such as AES-256-GCM and ChaCha20-Poly1305 provide robust security while maintaining minimal computational overhead. The protocol’s stealth capabilities make it highly effective at circumventing sophisticated network censorship systems.

Resource efficiency stands as another significant benefit, with Shadowsocks requiring minimal CPU and memory resources compared to heavyweight VPN protocols. This efficiency translates to better battery life on mobile devices and improved performance on resource-constrained servers, making it suitable for both personal and enterprise deployments.

Rocky Linux 10 Overview and Requirements

About Rocky Linux 10

Rocky Linux 10, codenamed “Red Quartz,” represents the latest enterprise-grade Linux distribution that maintains binary compatibility with Red Hat Enterprise Linux 10. This release introduces significant architectural improvements, including mandatory support for x86_64-v3 instruction set extensions and enhanced security frameworks. The distribution provides long-term stability with predictable release cycles, making it ideal for production Shadowsocks deployments.

The enterprise focus ensures comprehensive hardware support, robust security features, and extensive package ecosystems that simplify Shadowsocks installation and maintenance procedures.

System Requirements

Rocky Linux 10 implements specific hardware requirements that ensure optimal performance and security. The minimum specifications include a 64-bit processor with x86_64-v3 support (Intel Haswell or AMD Excavator from 2013 onwards), 1 GB RAM for basic operation, and 10 GB storage space. Production deployments benefit from 2 GB RAM or more to handle concurrent connections efficiently.

Supported architectures extend beyond x86_64 to include aarch64, ppc64le, s390x, and riscv64, providing flexibility for various hardware platforms. Network connectivity requirements include stable internet access with sufficient bandwidth to handle expected proxy traffic volumes. The x86_64-v3 requirement ensures availability of advanced vector instructions that improve cryptographic performance significantly.

Prerequisites and Preparation

Server Setup Requirements

Successful Shadowsocks deployment requires a properly configured server environment with specific access privileges and network connectivity. Essential prerequisites include a VPS or dedicated server running Rocky Linux 10 with root or sudo administrative access for system-level configuration changes. SSH access enables secure remote management, while basic Linux command-line knowledge ensures effective troubleshooting and maintenance.

Network infrastructure must provide stable internet connectivity with adequate bandwidth allocation for expected proxy traffic. Server specifications should align with anticipated user load, with higher-performance hardware supporting larger numbers of concurrent connections.

Security Considerations

Initial security hardening establishes the foundation for secure Shadowsocks operation. Essential steps include updating all system packages to latest versions, configuring firewall rules to restrict unnecessary network access, and implementing strong authentication mechanisms. Regular security audits and monitoring systems help maintain operational security over time.

Consider implementing fail2ban or similar intrusion prevention systems to protect against brute-force attacks. Disable unnecessary services and ports to minimize the attack surface, and establish comprehensive logging for security event monitoring.

Installing Shadowsocks on Rocky Linux 10

Step 1: System Update and Preparation

Begin the installation process by ensuring the Rocky Linux 10 system contains the latest security updates and required tools. Execute the following commands to update all packages and install essential utilities:

sudo dnf update -y
sudo dnf install -y wget curl nano vim htop

The system update process ensures compatibility with the latest security patches and resolves potential dependency conflicts. Essential utilities like wget and curl facilitate downloading required packages, while text editors like nano and vim enable configuration file management. Monitoring tools such as htop provide system resource visibility during installation and operation.

Verify the update completion by checking the system kernel version and ensuring all critical packages have been updated successfully. This preparation step prevents installation issues and establishes a stable foundation for Shadowsocks deployment.

Step 2: Installing Required Repositories

Rocky Linux 10 requires additional repositories to access optimized Shadowsocks packages. The GetPageSpeed repository provides professionally maintained Shadowsocks-libev packages with enhanced performance optimizations and security updates:

sudo dnf -y install https://extras.getpagespeed.com/release-latest.rpm
sudo dnf makecache

This repository installation enables access to current Shadowsocks implementations that include performance enhancements and security improvements not available in standard Rocky Linux repositories. Verify repository installation by listing available packages and confirming GetPageSpeed repository activation.

Alternative installation methods include compiling from source code, though repository installation provides easier maintenance and automatic security updates.

Step 3: Installing Shadowsocks-libev

Shadowsocks-libev represents the most stable and performant implementation of the Shadowsocks protocol, optimized for Linux environments. Install the package using the DNF package manager:

sudo dnf -y install shadowsocks-libev

The installation process downloads and configures all required dependencies, including cryptographic libraries and system service files. Shadowsocks-libev provides superior performance compared to Python implementations, particularly under high-load conditions with numerous concurrent connections.

Monitor the installation progress and verify successful completion by checking for error messages or dependency conflicts. The package installation creates necessary system users, configuration directories, and service files required for proper operation.

Step 4: Installation Verification

Confirm successful Shadowsocks installation by executing verification commands that check version information and service availability:

ss-server --version
which ss-server
systemctl status shadowsocks-libev
ls -la /etc/shadowsocks-libev/

These commands verify the presence of essential Shadowsocks binaries, display version information, and confirm service configuration. The installation creates multiple utilities including ss-server for running the proxy server, ss-local for client connections, and ss-manager for advanced server management.

Examine the service status output to ensure proper systemd integration and identify any configuration issues that require resolution before proceeding with server configuration.

Configuring Shadowsocks Server

Understanding Configuration Options

Shadowsocks server configuration requires careful consideration of multiple parameters that affect security, performance, and connectivity. Critical configuration elements include server binding addresses, port selections, authentication credentials, encryption methods, and timeout specifications.

The server parameter determines network interface binding, with “0.0.0.0” enabling connections from all interfaces while specific IP addresses restrict access to designated networks. Server_port selections should consider both security and accessibility, with common choices including 8388 (default), 443 (HTTPS stealth), or custom high-numbered ports.

Password configuration demands strong, unique credentials generated using cryptographically secure methods. Encryption method selection balances security requirements with performance characteristics, with modern AEAD ciphers providing optimal protection. Timeout values control connection lifecycle management and resource utilization.

Step 1: Creating Configuration File

Generate the primary Shadowsocks configuration file using a secure text editor with appropriate syntax highlighting:

sudo nano /etc/shadowsocks-libev/config.json

Create a comprehensive configuration that includes all necessary parameters:

{
    "server": "0.0.0.0",
    "server_port": 8388,
    "local_port": 1080,
    "password": "your_secure_password_here",
    "timeout": 60,
    "method": "aes-256-gcm",
    "fast_open": false,
    "workers": 1,
    "prefer_ipv6": false
}

Each parameter serves specific functional requirements. The server binding of “0.0.0.0” enables connections from any network interface, while port 8388 provides the standard Shadowsocks service port. Local_port defines client-side connection endpoints, typically using SOCKS standard port 1080.

Timeout values control connection persistence and resource cleanup, with 60 seconds providing balanced performance for most deployment scenarios. The fast_open parameter enables TCP Fast Open optimization on supported systems, while worker count determines process parallelism.

Step 2: Security and Password Configuration

Generate cryptographically secure passwords using dedicated tools that ensure sufficient entropy and complexity:

sudo dnf -y install pwgen
pwgen --secure --symbols 32 1

Password generation should prioritize randomness over memorability, as Shadowsocks passwords are typically stored in configuration files rather than manually entered. Consider using password lengths of 32 characters or more with mixed character sets including uppercase, lowercase, numbers, and symbols.

Encryption method selection significantly impacts both security and performance characteristics. Modern AEAD ciphers like “aes-256-gcm” and “chacha20-ietf-poly1305” provide authenticated encryption that prevents tampering and replay attacks. AES-256-GCM offers excellent performance on systems with hardware AES acceleration, while ChaCha20-Poly1305 provides superior performance on systems without dedicated cryptographic hardware.

Firewall Configuration and Network Setup

Step 1: Configuring firewalld

Rocky Linux 10 includes firewalld as the default firewall management system, requiring specific configuration to enable Shadowsocks traffic flow. Configure firewall rules to permit both TCP and UDP traffic on the designated Shadowsocks port:

sudo firewall-cmd --permanent --add-port=8388/tcp
sudo firewall-cmd --permanent --add-port=8388/udp
sudo firewall-cmd --reload
sudo firewall-cmd --list-ports

Both TCP and UDP protocols require firewall exceptions because Shadowsocks utilizes TCP for primary proxy connections while UDP enables DNS resolution and certain optimization features. Verify rule application by listing active ports and confirming proper configuration.

Consider implementing port stealth techniques by configuring Shadowsocks on port 443, which appears as HTTPS traffic to network monitoring systems. This configuration provides additional protection against deep packet inspection and traffic analysis systems.

Step 2: Network Interface Configuration

Advanced network configurations may require specific interface binding to control traffic routing and enhance security. Review network interface configuration and routing tables to ensure proper connectivity:

ip addr show
ip route show
netstat -tulpn | grep :8388

Single-interface systems typically use “0.0.0.0” binding for maximum compatibility, while multi-homed systems may benefit from specific interface binding to control traffic flow. Consider security implications of broad binding versus specific interface restrictions based on deployment requirements.

Network performance optimization includes adjusting TCP buffer sizes, enabling TCP window scaling, and configuring appropriate routing metrics for optimal throughput.

Starting and Managing Shadowsocks Service

Service Management Commands

SystemD service management provides comprehensive control over Shadowsocks server lifecycle, including startup, shutdown, and monitoring capabilities:

sudo systemctl start shadowsocks-libev
sudo systemctl enable shadowsocks-libev
sudo systemctl status shadowsocks-libev

The enable command configures automatic service startup during system boot, ensuring Shadowsocks availability after server restarts or power failures. Service status monitoring provides real-time information about operational state, process identification, and resource utilization.

Implement service monitoring scripts or use systemd timers to automatically restart failed services and maintain high availability. Configure service dependencies to ensure network interfaces and DNS resolution are available before Shadowsocks startup.

Service Verification and Monitoring

Comprehensive service monitoring includes log analysis, network port verification, and performance metric collection:

sudo journalctl -u shadowsocks-libev -f
netstat -tulpn | grep 8388
ss -tulpn | grep 8388

Log monitoring provides real-time visibility into service operation, connection attempts, and error conditions. Network port verification confirms proper service binding and accessibility from external clients.

Implement automated monitoring solutions using tools like Nagios, Zabbix, or Prometheus to track service availability, performance metrics, and security events. Configure alert notifications for service failures, unusual traffic patterns, or security incidents.

Client Configuration and Connection

Windows Client Setup

Windows Shadowsocks clients provide user-friendly interfaces for connecting to Rocky Linux 10 servers. Download the official Shadowsocks-Windows client from GitHub releases and install following standard Windows procedures.

Configure client connections using server IP addresses, port numbers, passwords, and encryption methods matching the server configuration. Enable system proxy mode to route all application traffic through the Shadowsocks connection, or configure specific applications for selective proxying.

Test connectivity by accessing geo-restricted websites or services and verifying IP address changes through online tools. Troubleshoot connection issues by examining client logs and verifying server accessibility.

macOS Client Setup

ShadowsocksX-NG provides comprehensive macOS integration with system-wide proxy configuration and application-specific routing options. Install the application through official distribution channels and configure server connections using the graphical interface.

macOS clients support advanced features including PAC (Proxy Auto-Configuration) files for intelligent routing, global proxy modes for system-wide operation, and manual proxy configuration for specific applications. Configure DNS settings to prevent DNS leakage and maintain privacy protection.

Mobile Client Setup

Android and iOS platforms offer official Shadowsocks clients with comprehensive feature sets optimized for mobile usage patterns. Android users can install Shadowsocks-Android from Google Play Store or F-Droid, while iOS users access Shadowsocks clients through the App Store.

Mobile client configuration includes power management optimization to preserve battery life, automatic connection management for network transitions, and traffic monitoring to track data usage. Configure clients to automatically connect through trusted networks while maintaining manual control over untrusted connections.

Performance Optimization

System-Level Optimizations

Rocky Linux 10 kernel parameters significantly impact Shadowsocks performance under high-load conditions. Create system-level optimizations through sysctl configuration:

sudo nano /etc/sysctl.d/shadowsocks.conf

Add performance optimizations:

net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_slow_start_after_idle = 0
fs.file-max = 65536

Apply configurations:

sudo sysctl -p /etc/sysctl.d/shadowsocks.conf

These optimizations increase network buffer sizes, enable BBR congestion control for improved throughput, and increase file descriptor limits for handling numerous concurrent connections. Monitor system performance under load to validate optimization effectiveness.

Application-Level Optimizations

Shadowsocks-specific optimizations include worker process scaling, connection pooling, and encryption method selection based on hardware capabilities. Configure multiple worker processes for CPU-intensive deployments:

{
    "workers": 4,
    "prefer_ipv6": false,
    "fast_open": true
}

Enable TCP Fast Open for reduced connection latency and improved performance characteristics. Monitor CPU utilization and memory consumption to determine optimal worker process counts for specific hardware configurations.

Consider implementing connection limiting and rate limiting to prevent resource exhaustion under attack conditions while maintaining service availability for legitimate users.

Security Best Practices

Encryption and Authentication

Modern Shadowsocks deployments must prioritize AEAD encryption methods that provide both confidentiality and authentication. Recommended encryption methods include aes-256-gcm for hardware-accelerated systems and chacha20-ietf-poly1305 for software-optimized implementations.

Password management requires regular rotation schedules, preferably using automated systems that update both server and client configurations simultaneously. Implement password complexity requirements that ensure sufficient entropy to resist brute-force attacks.

Consider implementing multi-user configurations with individual authentication credentials for tracking and access control purposes. Monitor authentication attempts and implement intrusion detection systems to identify potential security threats.

Operational Security

Comprehensive operational security includes regular security audits, log analysis, and threat monitoring. Implement centralized logging systems that aggregate security events from multiple sources and provide real-time alerting capabilities.

Configure network monitoring to detect unusual traffic patterns, connection anomalies, and potential security incidents. Establish incident response procedures that include service isolation, forensic analysis, and recovery protocols.

Regular security updates and patch management ensure protection against newly discovered vulnerabilities. Subscribe to security advisories and implement automated update systems where possible.

Troubleshooting Common Issues

Connection Problems

Common connectivity issues include firewall blockades, DNS resolution problems, port blocking by ISPs, and client-server configuration mismatches. Systematic troubleshooting begins with network layer verification:

telnet server_ip 8388
nc -zv server_ip 8388

DNS problems may require alternative resolution methods or custom DNS server configurations. ISP port blocking necessitates alternative port selection, potentially using port 443 for stealth operation.

Client-server configuration mismatches typically involve password discrepancies, encryption method incompatibilities, or protocol version differences. Verify configuration synchronization and test with minimal configurations before adding complexity.

Performance Issues

Performance bottlenecks may originate from network congestion, server resource constraints, encryption overhead, or client-side limitations. Diagnostic procedures include bandwidth testing, resource monitoring, and connection analysis:

iperf3 -s # Server mode
htop # Resource monitoring
ss -i # Connection statistics

Network optimization may require MTU adjustments, congestion control algorithm selection, or routing optimization. Server resource scaling involves CPU, memory, or storage upgrades based on identified bottlenecks.

Encryption method selection balances security requirements with performance characteristics, considering hardware acceleration availability and client compatibility requirements.

Service Management Issues

Service startup failures typically result from configuration errors, permission problems, or resource conflicts. Diagnostic approaches include log analysis, configuration validation, and dependency verification:

sudo journalctl -u shadowsocks-libev --no-pager
sudo systemctl list-dependencies shadowsocks-libev
sudo ss-server -c /etc/shadowsocks-libev/config.json -v

Configuration validation identifies syntax errors, parameter conflicts, or missing dependencies. Permission problems may require user account adjustments or file ownership corrections.

Resource conflicts include port binding failures, memory allocation errors, or file descriptor exhaustion. Implement resource monitoring and alerting to proactively identify potential issues.

Maintenance and Updates

Regular Maintenance Tasks

Sustainable Shadowsocks deployment requires systematic maintenance procedures including security updates, performance monitoring, configuration backups, and capacity planning. Establish automated maintenance schedules that minimize service disruption while ensuring system security.

Security update procedures should include testing phases, rollback capabilities, and change documentation. Performance monitoring provides trend analysis and capacity planning data for infrastructure scaling decisions.

Configuration backup systems ensure rapid recovery from system failures, misconfigurations, or security incidents. Implement automated backup verification and restoration testing to ensure backup integrity.

Update Procedures

Safe update procedures include pre-update testing, staged deployment, and comprehensive rollback planning. Test updates in isolated environments that replicate production configurations and validate functionality before production deployment.

Monitor service performance and user connectivity during and after update deployment to identify potential issues quickly. Establish communication channels for user notifications and support during maintenance windows.

Document all changes, including configuration modifications, performance impacts, and lessons learned for future reference and troubleshooting support.

Congratulations! You have successfully installed Shadowsocks. Thanks for using this tutorial for installing Shadowsocks on Rocky Linux 10 system. For additional help or useful information, we recommend you check the official Shadowsocks website.