# Shadowsocks

This implementation of the [Shadowsocks](https://en.wikipedia.org/wiki/Shadowsocks) protocol is compatible with most other Shadowsocks implementations.

The current compatibility is as follows:

- Supports TCP and UDP packet forwarding, with the option to selectively disable UDP.
- Recommended encryption methods:
  - 2022-blake3-aes-128-gcm
  - 2022-blake3-aes-256-gcm
  - 2022-blake3-chacha20-poly1305
- Other encryption methods:
  - aes-256-gcm
  - aes-128-gcm
  - chacha20-poly1305 or chacha20-ietf-poly1305
  - xchacha20-poly1305 or xchacha20-ietf-poly1305
  - none or plain

The new Shadowsocks 2022 protocol format improves performance and includes complete replay protection, addressing the following security issues in the old protocol:

- [Serious vulnerabilities in Shadowsocks AEAD encryption, which cannot guarantee the integrity of the communication content](https://github.com/shadowsocks/shadowsocks-org/issues/183)
- Increasing false positive rate of the original TCP replay filter over time
- Lack of UDP replay protection
- TCP behaviors that can be used for active probing

::: danger
With the "none" method, traffic is transmitted in plain text without encryption. For security reasons, do not use it on public networks.
:::
## InboundConfigurationObject
```json
{
  "settings": {
    "password": "password",
    "method": "aes-256-gcm",
    "level": 0,
    "email": "love@xray.com",
    "network": "tcp,udp"
  }
}
```
> `network`: "tcp" | "udp" | "tcp,udp"

The supported network protocol type. For example, when specified as `"tcp"`, it will only handle TCP traffic. The default value is `"tcp"`.

## ClientObject
```json
{
  "password": "密码",
  "method": "aes-256-gcm",
  "level": 0,
  "email": "love@xray.com"
}
```
> `method`: string

Required.

> `password`: string

Required.

- Shadowsocks 2022

  Use a pre-shared key similar to WireGuard as the password.

  Use `openssl rand -base64 <length>` to generate a key compatible with shadowsocks-rust, where the length depends on the encryption method used.

  | Encryption Method             | Key Length |
  | ----------------------------- | ---------: |
  | 2022-blake3-aes-128-gcm       |         16 |
  | 2022-blake3-aes-256-gcm       |         32 |
  | 2022-blake3-chacha20-poly1305 |         32 |

  In the Go implementation, a 32-byte key always works.

- Other encryption methods

  Any string. There is no limitation on the password length, but shorter passwords are more susceptible to cracking. It is recommended to use a password of 16 characters or longer.

> `level`: number

The user level. The connection uses the [Local Policy](../policy.md#levelpolicyobject) that corresponds to this user level.

The value of `level` corresponds to the value of `level` in the [policy](../policy.md#policyobject). If not specified, the default value is 0.

> `email`: string

The user's email, used to differentiate traffic from different users (logs, statistics).
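
The `method` and `password` rules above can be checked before a configuration is deployed. The following is an added example, not part of Xray or of the original page: `generate_psk` and `lint_settings` are hypothetical helper names, and the check enforces the key lengths from the table exactly (the shadowsocks-rust compatible sizes), even though the Go implementation also accepts a 32-byte key.

```python
import base64
import binascii
import secrets

# Key lengths in bytes, from the table above. Assumption: enforce them exactly
# (shadowsocks-rust compatible), although Go also accepts 32 bytes everywhere.
KEY_LENGTHS = {
    "2022-blake3-aes-128-gcm": 16,
    "2022-blake3-aes-256-gcm": 32,
    "2022-blake3-chacha20-poly1305": 32,
}
PLAINTEXT_METHODS = {"none", "plain"}


def generate_psk(method):
    """Equivalent of `openssl rand -base64 <length>` for a 2022 method."""
    return base64.b64encode(secrets.token_bytes(KEY_LENGTHS[method])).decode("ascii")


def lint_settings(settings):
    """Return a list of findings for one settings or client object."""
    findings = []
    method = settings.get("method")
    password = settings.get("password")
    if not method:
        findings.append("method is required")
    if not password:
        findings.append("password is required")
    if not method or not password:
        return findings
    if method in PLAINTEXT_METHODS:
        findings.append(f'method "{method}" sends traffic in plain text')
    elif method in KEY_LENGTHS:
        want = KEY_LENGTHS[method]
        try:
            key = base64.b64decode(password, validate=True)
        except (binascii.Error, ValueError):
            findings.append("password is not valid base64")
        else:
            if len(key) != want:
                findings.append(f"key is {len(key)} bytes, {method} expects {want}")
    elif len(password) < 16:
        findings.append("password is shorter than the recommended 16 characters")
    return findings


if __name__ == "__main__":
    # Constructed sample settings, mirroring the placeholder values shown above.
    print(lint_settings({"method": "aes-256-gcm", "password": "password"}))
```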