Bypass firewalls using Shadowsocks + Cloak
Posted: 2022-06-06
Shadowsocks is a fast proxy that allows you to bypass restrictive firewalls. It can be used in combination with another program called Cloak, which obfuscates the traffic by making it look like an innocent protocol such as HTTPS.
You can use the shadowsocks.sh script to quickly set up your own Shadowsocks server.
Ingredients
You’ll need:
- a VPS server
- basic Linux command line skills
Installation
SSH into your server and run the installer (as root):
# download
wget https://raw.githubusercontent.com/karmishin/shadowsocks.sh/master/shadowsocks.sh
# check the contents
less shadowsocks.sh
# mark as executable
chmod +x shadowsocks.sh
# execute the actual script
./shadowsocks.sh -c
If the script runs successfully, the following message will be displayed:
############################
# Installation successful! #
############################
SHADOWSOCKS configuration:
Password: QZRiJHnxQ7d6gfj7DWn0TI6xnqj8bmvM
Encryption method: aes-256-gcm
CLOAK configuration:
Address: 198.51.123.45
Port: 443
EncryptionMethod: plain
Browser: chrome
Transport: direct
Proxy method: shadowsocks
Server name: yandex.ru
UID: 680onRmkblyCMJSujMVUkw==
Public key: p52laG1orgNYya/XIGAS7pR2nsQqP2yAG8pPmUhu720=
Stream timeout: 300
We can use these parameters to configure our clients.
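For a desktop client (shadowsocks-libev or shadowsocks-rust) the same parameters go into a config.json that loads Cloak as a SIP003 plugin. The following is an added example, not part of the original post or the shadowsocks.sh script: it parses the installer's summary block (sample constructed from the example output above) and emits that config. The plugin_opts key names (UID, PublicKey, ServerName, BrowserSig, ...) are assumed from the Cloak README's plugin-mode documentation, and the local port is an arbitrary choice.

```python
import re

# Constructed sample: the summary the installer prints (values copied from the example output above).
INSTALLER_OUTPUT = """\
SHADOWSOCKS configuration:
Password: QZRiJHnxQ7d6gfj7DWn0TI6xnqj8bmvM
Encryption method: aes-256-gcm
CLOAK configuration:
Address: 198.51.123.45
Port: 443
EncryptionMethod: plain
Browser: chrome
Transport: direct
Proxy method: shadowsocks
Server name: yandex.ru
UID: 680onRmkblyCMJSujMVUkw==
Public key: p52laG1orgNYya/XIGAS7pR2nsQqP2yAG8pPmUhu720=
Stream timeout: 300
"""

# Installer label -> plugin_opts key, as documented for Cloak's SIP003 plugin mode (assumed from the Cloak README).
CLOAK_OPT_KEYS = [("UID", "UID"), ("Public key", "PublicKey"), ("Server name", "ServerName"),
                  ("Browser", "BrowserSig"), ("EncryptionMethod", "EncryptionMethod"),
                  ("Transport", "Transport"), ("Proxy method", "ProxyMethod"),
                  ("Stream timeout", "StreamTimeout")]

def parse_installer_output(text):
    """Split the installer summary into {"SHADOWSOCKS": {...}, "CLOAK": {...}}."""
    sections, current = {}, {}
    for line in text.splitlines():
        m = re.match(r"^([A-Z]+) configuration:$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif ": " in line:
            key, value = line.split(": ", 1)
            current[key.strip()] = value.strip()
    return sections

def build_client_config(sections, local_port=1080):
    ss, ck = sections["SHADOWSOCKS"], sections["CLOAK"]
    plugin_opts = ";".join(f"{opt}={ck[label]}" for label, opt in CLOAK_OPT_KEYS if label in ck)
    return {
        "server": ck["Address"],
        "server_port": int(ck["Port"]),  # the client connects to Cloak on 443, never to Shadowsocks directly
        "local_address": "127.0.0.1",
        "local_port": local_port,
        "password": ss["Password"],
        "method": ss["Encryption method"],
        "plugin": "ck-client",
        "plugin_opts": plugin_opts,
    }
```

Dump the returned dict with json.dumps and point ss-local at it; ck-client must be on PATH for the plugin line to resolve.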
Client configuration
Note that while Cloak itself supports UDP, the Shadowsocks plugin system does not, so functionality in apps that relies on UDP will probably not work through this setup. This may include voice calls, video conferencing, online games, etc.
Android
Download shadowsocks-android from Google Play or F-Droid.
Download cloak-android from the project’s GitHub releases page and install the .apk file.
In the Shadowsocks app on your phone, press “Add profile” - “Manual settings”. In the server settings section set the following parameters:
- Server: enter the public IP address of your server (198.51.123.45 in the example above)
- Port: 443 (the port Cloak listens on)
- Password: enter the password from the script's output
- Encrypt method: AES-256-GCM
Scroll down and press “Plugin”, select Cloak. In plugin settings you have to set:
- Transport: direct
- Proxy method: shadowsocks
- Encryption method: plain
- UID and Public key: copy them from the Cloak section of the script's output
- Server name: enter any domain that is accessible from your restricted network (yandex.ru in my case)
- Browser signature: chrome
- Stream timeout: 300
Save all settings and go back to the app’s main screen. Select the newly added profile in the list so that it becomes active, and click on the airplane icon at the bottom of the screen.
That’s it! By default, shadowsocks-android runs as a VPN and will proxy all traffic on your device. You can change it in the profile settings if you want (“Feature settings” - “Route”).
iOS
Install Shadowrocket from App Store. Note that this is a paid application ($2.99 USD at the time of writing).
Launch it and click the “Add server” button at the top right of the screen.
There you’ll need to specify the following settings:
- Type: Shadowsocks
- Address: public IP of your server
- Port: 443 (although this probably doesn't matter, as we'll configure Cloak later)
- Password: your password from the Shadowsocks section of the script's output
- Method: aes-256-gcm
Leave everything else as is.
Before you leave this screen, click on the “Plugin” button. Here we need to select our plugin (Cloak, obviously) and then configure it.
- Plugin: cloak
- Address: public IP of your server
- Port: 443
- Encryption method: plain
- Browser: chrome
- Transport: direct
- Proxy method: shadowsocks
- Server name: yandex.ru
- UID and Public key: copy them from the Cloak section of the script's output
- Stream timeout: 300
Hit “Back” to exit the plugin configuration screen, and then tap on “Save” to save your config. Your server should now appear in the main screen of the app. Tap on it and switch the toggle that says “Not connected”.
That’s it, you can now go check your connection at https://dnsleaktest.com or some other IP checking website.
If something doesn’t work
The script we're using in this guide is pretty simple, and may not account for every problem that can occur during installation. For example, it doesn't deal with firewall settings or mandatory access control configuration (AppArmor/SELinux/etc).
So if for some reason you can't access your Shadowsocks instance, try the following:
- Check your firewall settings. For example, many VPS providers preinstall ufw, which blocks everything but SSH by default. Cloak needs tcp/443 to be open in order to function correctly.
- If you're using an RHEL-based distro (CentOS/Rocky/Alma), there's a chance that SELinux is doing something funky. Setting it to permissive mode might help.
Tools like telnet or curl on your local machine might also help with debugging your server.
# make sure your Cloak server accepts TCP connections on port 443
curl -v telnet://198.51.123.45:443
# make sure your Cloak server answers HTTP requests
curl -vk https://198.51.123.45
Also don't forget to check the status of the shadowsocks/cloak-server services on your server with systemctl status <service> (or rc-service <service> status if you're using OpenRC).
Good luck!