Shadowsocks: what it is, how it works, comparison with VPN

We talk about the protocol, its mechanics, advantages, disadvantages, and also compare it with VPN.

What is Shadowsocks

Shadowsocks is a free tool for those who want to bypass blocks in a simple but unpopular way. It is a network protocol with data encryption. It also helps protect traffic and personal data. It is based on SOCKS5 technologies, and the source code is available on GitHub.

The project started in 2012. Chinese developer Clowwindy released the first developments of Shadowsocks on GitHub. The protocol helped bypass the restrictions of the "Great Firewall", the great Chinese firewall. The project became popular worldwide after it was removed from GitHub, which attracted the attention of the media. Journalists suggested a connection between the removal and the attack on GitHub, which occurred a few days later.

Clowwindy stopped development in 2015 at the request of the Chinese authorities. Since then, the Shadowsocks community has been developing the project.

​

​

The map from the Freedom House website demonstrates in which countries Shadowsocks will definitely be useful.

Shadowsocks is needed for similar tasks to VPN:

• Bypassing blocks. Protocols are used to access blocked resources both in the country and by providers and operators.
• Protection of personal data. It is more difficult to access traffic and personal data.
• Secure connection from unprotected points - for example, through free Wi-Fi.

How it works

With a standard network connection, the user connects to the internet directly through their provider. For example, if they want to visit a certain website, they first connect to the provider's router, and then to the website itself. If the state wants to block this website, they ask the provider to block access to its IP address.

To bypass this restriction, proxies are used. In this case, a "mediator" - a proxy server - is formed between the provider and the website. The connection still goes through the provider, but it only knows that the request is going to the proxy. Therefore, the connection to the website is unrestricted, and the traffic goes back to the user's device. But there are several problems here, for example:

• Sites and providers can detect that you are using bypass tools.
• The connection is not secure. However, you can use a proxy with encryption or a VPN, which most often encrypts traffic.

Shadowsocks is needed to solve these problems. It encrypts data and presents it as regular HTML traffic. The protocol is based on SOCKS5, which has an article in our blog. It helps protect the connection through the AEAD algorithm.

AEAD uses the same principle as SSH tunneling, but in the case of AEAD, encrypted data also includes information about the source and recipient. This complicates the life of hackers. Even if they intercept a message, they cannot tamper with the data transmission.

In general, AEAD ciphers are considered not so secure, judging by discussions on Stack Exchange. But they are sufficient for a reliable connection and data protection.

The principle of Shadowsocks operation: for SS programs, it is organized like a regular SOCKS5, only with the IP address 127.0.0.1. This IP is called Localhost, and the connection is made locally. That is, any program, such as a browser, connects to the same device where it is running. Then, a connection is established between the local Shadowsocks component and the server, in this bundle, the traffic is already encrypted.

You can find out more details from the video about bypassing the Great Chinese Firewall.

You can connect other applications to Shadowsocks, and the proxy will only work for selected applications. If one of them does not support a proxy, you can use, for example, Proxifier.

​

​

To install and configure Shadowsocks, you need to have some understanding of connections. What you need to start with:

• Buy and configure a VPS server in a country where the desired content is not blocked, or use a ready-made proxy server, which can be found on sites with Shadowsocks proxies.
• Client-server. There is a mobile application on Google Play, the program for PC can be downloaded for Windows and Linux.

​

​

Then, simply install and launch the client, and then configure the connection to the server: add the server's IP address, port, password, and encryption method.

Shadowsocks offers three connection modes.

1. Direct connection mode does not redirect your traffic through a proxy server. Preconfigured settings for some applications work in this mode.
2. PAC mode: traffic will go through a proxy server when accessing blocked websites.
3. In global mode, all traffic is redirected through a proxy server.

Shadowsocks can simulate an HTTPS connection to a remote server. This is necessary for traffic masking. In this case, the provider will not understand what the user is viewing and what blocks are being bypassed. This trick is possible after installing the simple-obfs traffic obfuscation plugin on the server.

Obfuscation is the masking and confusing of traffic. With its help, you can protect it from detection: the provider will not be able to find out that you are using Shadowsocks. Usually, this is achieved by encrypting the code, renaming variables into nonsense, adding unnecessary code, or simply using solutions like Cloak, Stunnel, OpenVPN Scramble, and others.

The Chinese manage to track the operation of Shadowsocks through passive traffic analysis and active "probing", and then block the connections, despite obfuscation. First, the firewall looks for possible Shadowsocks connections; and in the second stage, it connects to the servers participating in these connections, from its own IP addresses, as if it were a Shadowsocks client, and observes the server's responses.

You can read the details and mechanics of solving the problem on GitHub, but in any case, Shadowsocks still works better than VPN.

Advantages

1) Selective traffic masking. You can specify which traffic to send through the provider and which through Shadowsocks. This will help bypass blocks and maintain access to certain services simultaneously.

Example: simultaneous operation of sites like Instagram and state online services. The first may be inaccessible to your country, while the latter only work with local IP addresses. If you use VPN, you can browse Instagram, but you won't be able to access local services. However, some VPNs support separate tunneling. With Shadowsocks, you can solve this problem: you can mask Instagram traffic and use other services in parallel.

2) Protection against DPI. DPI is a traffic inspection technology for monitoring work with specific applications. Shadowsocks is almost impossible to detect and block because it mimics a regular HTTPS connection. Therefore, the provider cannot detect "non-standard" user behavior.

3) Reliability. Shadowsocks does not disappear even in the event of a connection failure, if the connection is configured only through it. In the event of a loss of connection to the VPN server, the traffic will go directly, and the provider will see all the information. KillSwitch partially solves this problem: the emergency button disconnects from the internet. But sometimes it does not work or there is no such function.

4) Good bandwidth. When properly configured, Shadowsocks works faster than other encryption methods, such as SSH tunneling and VPN. Approximate speed loss is no more than 3-5%.

5) Universality. There are client programs for any operating system - Windows, MacOS, Linux (various distributions), Android, and iOS.

6) Reduced computational load during encryption. From the client's point of view, this saves battery power (relevant for mobile devices), and from the server's point of view, it saves on VPS/VDS hosting for Shadowsocks.

7) Cost savings. The cheapest VPS server is suitable for Shadowsocks. Ideally, if the hosting provider provides unlimited traffic using VPS/VDS. This is much more cost-effective than a paid VPN service. You can also use other people's proxies, but options from WannaFlix, 12VPN are much more expensive than your own server, about $10 per month.

For comparison: you can rent a VPS with 5 GB of memory, 0.5 GB of RAM, and unlimited traffic for $0.87. This is sufficient for Shadowsocks. The cheapest VPN services usually cost around $2 per month, which is twice as expensive, and you need to pay for a subscription for 2-3 years upfront. Free VPNs are not considered - they transfer data, limit speed and traffic.

Disadvantages

1) Complexity of use. You need to understand how PCs and connections work, but the configuration fits in 5 lines. VPN is much easier.

2) Risk of connection speed reduction. Depending on the obfuscators used, there is a chance that Shadowsocks will significantly reduce internet speed.

3) Limited usability. Shadowsocks can be tried to change the region of Netflix, but such a scheme will not work for long: the service monitors different bypass systems. It is also not a wise solution for torrent files: if you rent a server, it is easy to find out your name and card and then accuse you of copyright infringement.

4) Limited availability. Despite the popularity of Shadowsocks, it is difficult to purchase or connect to reliable VPS servers in some regions.

5) No official audit. Many specialists have studied the open source code of Shadowsocks. But it has not undergone an official audit like OpenVPN, for example. An official audit could have been conducted by the OSTIF (Open Source Technology Improvement Fund), which was created precisely to enhance the protection of similar projects. At the same time, the code of Shadowsocks is quite simple, which creates the risk of distributing fake software packages.

VPN vs Shadowsocks

VPN and Shadowsocks are different tools. The first is a virtual private network, which we wrote about in our blog, and the second is a proxy protocol. Technically, they both:

• Encrypt traffic
• Help bypass blocks

But Shadowsocks assumes simpler encryption and does not allow achieving anonymity on the internet. The project was initially developed not so much for security as for bypassing the Chinese firewall. However, this problem was partially addressed in ShadowsocksR, which we will talk about at the end of the article. VPNs usually use a complex AES-256 algorithm.

VPN services often have many additional features. For example, KillSwitch. VPN is a "tunnel", so if it stops working, the traffic will go directly. In this case, it is easy to compromise the real IP address. KillSwitch protects against this: it instantly cuts off the internet connection if access to the VPN server is lost.

Finally, VPNs have a huge network of servers. You can access the internet from different countries - each time the IP address changes to the country of the selected server.

Conclusion: VPN is more convenient, safer, and easier. If you have access to it and it meets your needs, use it. If there are difficulties, then Shadowsocks should solve the problem: it works much better in countries where VPNs are blocked and restrictions are difficult to bypass. With it, data looks similar to HTTPS traffic and does not raise suspicions. Using multiple TCP connections helps achieve high speed. It is more cost-effective for simple bypassing of blocks.

Shadowsocks vs VPN

SSR (ShadowsocksR)

Currently, Shadowsocks has a community and its own website. Therefore, enthusiasts can create their own solutions based on it. For example, after Shadowsocks was closed in 2015, another developer, breakwa11, claimed that SS is easy to detect. He created ShadowsocksR based on Shadowsocks with support for traffic obfuscation. Thus, ShadowsocksR is a branch of the original protocol, written in Python, with traffic obfuscation.

But more often, users recommend using the current version of Shadowsocks-Rust based on Rust.

Conclusion

Shadowsocks is an affordable and convenient tool for bypassing blocks. It may also be useful for protecting connections. Of course, it includes fewer features than a VPN service, but it is slightly faster. However, for solving simple tasks, such as restoring access to blocked sites, it is optimal. It is easy to use and configure: there are many instructions on how to do it on the internet.