Shadowsocks: was ist das, wie funktioniert es, Vergleich mit VPN

We talk about the protocol, how it works, its pros and cons, and also compare it with VPN.

What is Shadowsocks

Shadowsocks is a free tool for those who want to bypass blocks in a simple but unpopular way. It is a network protocol with data encryption. It also helps protect traffic and personal data. Based on SOCKS5 technologies, the source code is available on GitHub.

The project started in 2012. Chinese developer with the nickname Clowwindy uploaded the first developments of Shadowsocks to GitHub. The protocol helped to bypass the restrictions of the "Great Firewall", the famous Chinese firewall. The project became popular worldwide after its removal from GitHub, which attracted the attention of the media. Journalists speculated a connection between the removal and the attack on GitHub, which occurred a few days later.

Clowwindy stopped the development in 2015 at the request of the Chinese law enforcement agencies. Since then, the Shadowsocks community has been developing it.

​

​

The map from the Freedom House website clearly demonstrates in which countries Shadowsocks can be useful.

Shadowsocks is necessary for similar tasks as VPN:

• Bypassing blocks. The protocol is used to access blocked resources both in the country and by providers and operators.
• Protecting personal data. It is more difficult to access traffic and personal data.
• Secure connection from unsecured points, for example, through free Wi-Fi.

How it works

With a standard network connection, the user goes directly to the Internet through their provider. For example, if they want to visit a specific website, they connect first to the provider's router, and then to the website itself. If the government wants to block this site, they ask the provider to block access to its IP address.

In order to bypass this restriction, proxies are used. In this case, a "mediator" - a proxy server - is established between the provider and the website. The connection still goes through the provider, but it only knows that the request goes to the proxy. Therefore, the connection to the website occurs without restrictions, and the traffic goes back to the user's device. But there are some problems, for example:

• Sites and providers can determine that you are using bypass tools.
• The connection is not protected. However, you can use a proxy with encryption or a VPN, which often encrypts traffic.

Shadowsocks is needed to solve these problems. It encrypts data and presents it as regular HTML traffic. The protocol is based on SOCKS5, about which there is an article on our blog. It helps protect the connection through the AEAD algorithm.

AEAD uses the same principle as SSH tunneling, but in the case of AEAD, encrypted data includes information about the source and recipient. This makes life difficult for attackers. Even if they intercept a message, they cannot tamper with the data transmission.

In general, AEAD ciphers are not considered to be as secure, judging by the discussions on Stack Exchange. But they are sufficient for reliable connections and data protection.

The principle of Shadowsocks operation: for SS programs, it is arranged like a regular SOCKS5, only with the IP address 127.0.0.1. This IP is called Localhost, and the connection is made locally. That is, any program, such as a browser, connects to the same device where it is running. Then a connection is made between the local Shadowsocks component and the server, and in this bundle, the traffic is already encrypted.

You can find out more details from the video about bypassing the Chinese firewall.

You can connect other applications to Shadowsocks, and the proxy will work only for selected applications. If some of them do not support a proxy, use, for example, Proxifier.

​

​

In order to install and configure Shadowsocks, you need to understand connections a little. What you need to start with:

• Buy and set up a VPS server in a country where the desired content is not blocked, or use a ready-made proxy server, which can be found on websites with Shadowsocks proxies.
• Client-server. There is a mobile application on Google Play, the PC program can be downloaded for Windows and Linux.

​

​

Then just install and launch the client, then configure the connection to the server: add the server's IP address, port, password, and encryption method.

Shadowsocks offers three connection modes.

1. Direct connection mode does not redirect your traffic through the proxy server. Pre-configured settings for some applications work in this mode.
2. PAC mode: traffic will pass through the proxy server when accessing blocked websites.
3. In global mode, all traffic is redirected through the proxy server.

Shadowsocks can mimic an HTTPS connection to a remote server. This is necessary to mask traffic. Thus, the provider will not understand what the user is browsing and what blocks are being bypassed. This technique is possible after installing the simple-obfs traffic obfuscation plugin on the server.

Obfuscation is the masking and obfuscation of traffic. It can protect traffic from detection: the provider will not be able to know that you are using Shadowsocks. Usually, encryption of code, renaming variables to gibberish, adding extra code, or simply using solutions like Cloak, Stunnel, OpenVPN Scramble, and others are used for this purpose.

The Chinese manage to track Shadowsocks operation through passive traffic analysis and active probing, and then block connections, despite obfuscation. First, the firewall looks for possible Shadowsocks connections; and in the second stage, it connects to the servers involved in these connections from its IP addresses, as if it were a Shadowsocks client, and monitors the server's responses.

You can read the details and mechanics of solving the problem on GitHub, but in any case, Shadowsocks still works better than VPN.

Pros

1) Selective traffic obfuscation. You can specify which traffic to send through the provider and which through Shadowsocks. This will help bypass blocks while still having access to certain services.

Example: simultaneous use of sites like Instagram and state online services. The first may be unavailable to your country, while the rest only work with local IP addresses. If you use VPN, you can browse Instagram, but cannot access local services. However, some VPNs support split tunneling. With Shadowsocks, you can solve this problem: you can mask Instagram traffic and simultaneously use other services.

2) Protection against DPI. DPI is a technology for checking traffic to track the use of specific applications. Shadowsocks is almost impossible to detect and block because it mimics a regular HTTPS connection. Therefore, the provider cannot detect "non-standard" user behavior.

3) Reliability. Shadowsocks will not disappear even in case of connection loss if you configure the connection only through it. If the connection to the VPN server is lost, the traffic will go directly and the provider will see all the information. This problem is partially solved by KillSwitch: an emergency button that disconnects from the Internet. But sometimes it doesn't work or it's not available.

4) Good bandwidth. With proper configuration, Shadowsocks works faster than other encryption methods, such as SSH tunneling and VPN. The approximate loss of speed is no more than 3-5%.

5) Versatility. There are client programs for all operating systems - Windows, MacOS, Linux (various distributions), Android, and iOS.

6) Reduced computational load during encryption. From the client's point of view, this saves battery life (relevant for mobile devices), and from the server's point of view, it saves on VPS/VDS hosting for Shadowsocks.

7) Cost savings. The cheapest VPS server is suitable for Shadowsocks. Ideally, if the hosting provider offers unlimited traffic with the use of VPS/VDS. This is much more profitable than a paid VPN service. You can also use other people's proxies, but options like WannaFlix, 12VPN are much more expensive than your own server, about $10 per month.

For comparison: you can rent a VPS with 5 GB of memory, 0.5 GB of RAM, and unlimited traffic for $0.87. This is quite enough for Shadowsocks. The cheapest VPN services usually cost about $2 per month, which is twice as expensive, and you need to pay for a subscription for 2-3 years in advance. Free VPNs are not considered, as they transmit data, limit speed, and traffic.

Cons

1) Complexity of use. You need to understand how PCs and connections work, but the configuration fits into 5 lines. VPN is much easier.

2) Risk of reduced connection speed. Depending on the obfuscators used, there is a chance that Shadowsocks will significantly reduce internet speed.

3) Limited applicability. Shadowsocks can be tried for changing the region of Netflix, but this scheme will not work for long: the service tracks different bypass systems. It is also not the most reasonable solution for torrent files: if you rent a server, it is easy to track your name and card and then accuse you of copyright infringement.

4) Limited availability. Despite the popularity of Shadowsocks, it is difficult to purchase or connect to reliable VPS servers in some regions.

5) No official audit. Many specialists have reviewed the open-source code of Shadowsocks. But it has not undergone an official audit like OpenVPN. An official audit could have been conducted by the OSTIF (Open Source Technology Improvement Fund), which was created specifically to strengthen the security of such projects. At the same time, Shadowsocks' code is quite simple, which creates a risk of spreading fake software packages.

VPN vs Shadowsocks

VPN and Shadowsocks are different tools. The first is a virtual private network, about which we wrote in our blog, and the second is a proxy protocol. Technically, they both:

• Encrypt traffic
• Help bypass blocks

But Shadowsocks involves simpler encryption and does not allow for anonymity on the Internet. The project was originally developed not so much for security as for bypassing the Chinese firewall. However, the ShadowsocksR partially fixed this problem, and we will talk about it at the end of the article. In VPN, complex AES-256 algorithms are usually used.

VPN services often have many additional features. For example, KillSwitch. VPN is a "bridge," so if it stops working, traffic will go directly. In this case, it is easy to compromise the real IP address. KillSwitch protects against this: it instantly disconnects from the Internet if access to the VPN server is lost.

Finally, VPNs have a huge network of servers. You can access the Internet from different countries - each time the IP address changes to the country of the selected server.

Conclusion: VPN is more convenient, secure, and simpler. If you have access to it and it handles your tasks, use it. If you have difficulties, then Shadowsocks should solve the problem: it works much better in countries where VPNs are blocked and where restrictions are difficult to bypass. With it, data looks like HTTPS traffic and does not arouse suspicion. The use of multiple TCP connections helps achieve high speed. It is more cost-effective for simple bypassing of blocks.

Shadowsocks vs VPN

SSR (ShadowsocksR)

Now Shadowsocks has a community and its own website. Therefore, enthusiasts can launch their solutions based on it. For example, after Shadowsocks was shut down in 2015, another developer breakwa11 claimed that SS was easy to detect. He created ShadowsocksR based on Shadowsocks with support for traffic obfuscation. Thus, ShadowsocksR is a fork of the original protocol, written in Python, with traffic obfuscation.

But more often, users recommend using the current version of Shadowsocks-Rust based on the Rust language.

Conclusion

Shadowsocks is an affordable and convenient tool for bypassing blocks. Perhaps it will also be useful for protecting connections. Of course, it includes fewer features than a VPN service, but it is slightly faster. However, for solving simple tasks, such as restoring access to blocked sites, it is optimal. It is easy to use and configure: there are many instructions on the network on how to do it.