Bypass firewalls using Shadowsocks + Cloak
Protocol fingerprinting makes basic VPNs easy to block. This guide combines Shadowsocks and Cloak to create tunnels through restrictive networks that look like ordinary HTTPS traffic.
While setting them up correctly can be challenging, there’s a script that handles everything for you! It’s called shadowsocks.sh.
What is Shadowsocks?
shadowsocks-rust is a fast proxy server written in Rust. While it can be used in standalone mode, in this article we’ll be using it together with Cloak. Cloak can be used to obfuscate your traffic by making it look like some innocent internet protocol (HTTPS).
Ingredients
You’ll need:
- a rented VPS server (some popular provider options are DigitalOcean, Vultr, and Linode)
- basic Linux command line skills (you know what a terminal is, how to SSH into a server, etc.)
Installation
SSH into your server and run the installer (as root):
# download
wget https://raw.githubusercontent.com/karmishin/shadowsocks.sh/master/shadowsocks.sh
# mark as executable
chmod +x shadowsocks.sh
# execute the actual script (use 'sudo' if you're not root)
./shadowsocks.sh -c
If the script runs successfully, the following message will be displayed:
############################
# Installation successful! #
############################
SHADOWSOCKS configuration:
Password: QZRiJHnxQ7d6gfj7DWn0TI6xnqj8bmvM
Encryption method: aes-256-gcm
CLOAK configuration:
Address: 198.51.123.45
Port: 443
EncryptionMethod: plain
Browser: chrome
Transport: direct
Proxy method: shadowsocks
Server name: yandex.ru
UID: 680onRmkblyCMJSujMVUkw==
Public key: p52laG1orgNYya/XIGAS7pR2nsQqP2yAG8pPmUhu720=
Stream timeout: 300
We can use these parameters to configure our clients.
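A check worth running before typing these values into a phone, as an added example that is not part of shadowsocks.sh or the original guide: it parses the installer output shown above, confirms that the UID and public key decode to 16 and 32 bytes (the sizes Cloak uses), and confirms that Cloak's plain mode is paired with an AEAD Shadowsocks cipher. The function names and the AEAD list are assumptions of this example.

```python
import base64

# Installer output from this page (abridged), used as sample input.
SAMPLE = """\
SHADOWSOCKS configuration:
Password: QZRiJHnxQ7d6gfj7DWn0TI6xnqj8bmvM
Encryption method: aes-256-gcm
CLOAK configuration:
Address: 198.51.123.45
Port: 443
EncryptionMethod: plain
UID: 680onRmkblyCMJSujMVUkw==
Public key: p52laG1orgNYya/XIGAS7pR2nsQqP2yAG8pPmUhu720=
"""

# Assumption: a non-exhaustive list of AEAD method names; extend for your build.
AEAD = {"aes-128-gcm", "aes-256-gcm", "chacha20-ietf-poly1305"}

def parse(text):
    """Split the output into {'shadowsocks': {...}, 'cloak': {...}}."""
    cfg, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("configuration:"):
            section = cfg.setdefault(line.split()[0].lower(), {})
        elif section is not None and ": " in line:
            key, value = line.split(": ", 1)
            section[key.lower()] = value.strip()
    return cfg

def b64_len(value):
    """Decoded length of a strict base64 string, or -1 if it is malformed."""
    try:
        return len(base64.b64decode(value, validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        return -1

def problems(cfg):
    """Return a list of human-readable issues; empty means consistent."""
    ss, ck = cfg.get("shadowsocks", {}), cfg.get("cloak", {})
    out = []
    if b64_len(ck.get("uid", "")) != 16:
        out.append("UID must be base64 for 16 bytes")
    if b64_len(ck.get("public key", "")) != 32:
        out.append("Public key must be base64 for 32 bytes")
    # Cloak's 'plain' leaves confidentiality and integrity to the inner proxy.
    if ck.get("encryptionmethod") == "plain" and ss.get("encryption method", "").lower() not in AEAD:
        out.append("Cloak 'plain' requires an AEAD Shadowsocks cipher")
    return out
```

Calling `problems(parse(text))` on a pasted copy of your own output catches truncated keys from copy and paste before they turn into a silent connection failure on the client.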
Client configuration
Android
Download shadowsocks-android from Google Play or F-Droid.
Download cloak-android from the project’s GitHub releases page and install the .apk file.
In the Shadowsocks app on your phone, press “Add profile” - “Manual settings”. In the server settings section set the following parameters:
- Server: enter the public IP address of your server (198.51.123.45 in the example above)
- Port: 443 (the port Cloak listens on)
- Password: enter the password from the script’s output
- Encrypt method: AES-256-GCM
Scroll down and press “Plugin”, select Cloak. In plugin settings you have to set:
- Transport: direct
- Proxy method: shadowsocks
- Encryption method: plain
- UID and Public key: copy them from the Cloak section of the script’s output
- Server name: enter any domain that is accessible from your restricted network (in my case it’s ya.ru)
- Browser signature: chrome
- Stream timeout: 300
Save all settings and go back to the app’s main screen. Select the newly added profile in the list so that it becomes active, and click on the airplane icon at the bottom of the screen.
By default, shadowsocks-android runs as a VPN and will proxy all traffic on your device. You can change it in the profile settings if you want (“Feature settings” - “Route”).
iOS
Install Shadowrocket from App Store (paid).
Launch it and click the “Add server” button at the top right of the screen.
There you’ll need to specify the following settings:
- Type: Shadowsocks
- Address: public IP of your server
- Port: 443 (although this probably doesn’t matter as we’ll configure Cloak later)
- Password: your password from the Shadowsocks section of the script’s output
- Method: aes-256-gcm
Leave everything else as is.
Before you leave this screen, click on the “Plugin” button. Here we need to select our plugin (Cloak, obviously) and then configure it.
- Plugin: cloak
- Address: public IP of your server
- Port: 443
- Encryption method: plain
- Browser: chrome
- Transport: direct
- Proxy method: shadowsocks
- Server name: yandex.ru
- UID and Public key: copy them from the Cloak section of the script’s output
- Stream timeout: 300
Hit “Back” to exit the plugin configuration screen, and then tap on “Save” to save your config. Your server should now appear in the main screen of the app. Tap on it and switch the toggle that says “Not connected”.
Troubleshooting
If for some reason you can’t access your Shadowsocks instance, try the following:
- Check if you can establish a TCP connection to your server on port 443. Open the terminal on your client machine and run (replace 198.51.123.45 with the IP address of your server):
telnet 198.51.123.45 443
- Check the firewall settings on your VPS. Most providers install ufw, which blocks everything by default. This should do the trick (run as root or with sudo):
ufw allow 443
- Check the status of the shadowsocks/cloak services on your server:
systemctl status shadowsocks
systemctl status cloak-server
- Check the server logs:
journalctl -u shadowsocks -e
journalctl -u cloak-server -e