github
/
Xray-docs-next
mirror of https://github.com/XTLS/Xray-docs-next
1
0
Fork 0
Code Issues Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ee405ff6b2'
${ noResults }
Xray-docs-next/docs/en/config/outbounds/shadowsocks.md

112 lines
3.2 KiB
Raw Blame History

# Shadowsocks
[Shadowsocks](https://en.wikipedia.org/wiki/Shadowsocks) protocol is compatible with most other implementations.
Here are the features and compatibility of Shadowsocks:
- It supports TCP and UDP packet forwarding, with the option to disable UDP.
- Recommended encryption methods:
- 2022-blake3-aes-128-gcm
- 2022-blake3-aes-256-gcm
- 2022-blake3-chacha20-poly1305
- Other encryption methods:
- aes-256-gcm
- aes-128-gcm
- chacha20-poly1305 (also known as chacha20-ietf-poly1305)
- none or plain
The new protocol format of Shadowsocks 2022 improves performance and includes full replay protection, addressing security issues present in the old protocol:
- [Serious vulnerabilities in Shadowsocks AEAD encryption methods that compromise the integrity of communications](https://github.com/shadowsocks/shadowsocks-org/issues/183)
- Increasing false-positive rate of TCP replay filters over time
- Lack of replay protection for UDP
- TCP behaviors that can be used for active probing
::: danger
Using the "none" encryption method will transmit traffic in plaintext. It is not recommended to use "none" encryption on public networks to ensure security.
:::
## OutboundConfigurationObject
```json
{
"servers": [
{
"email": "love@xray.com",
"address": "127.0.0.1",
"port": 1234,
"method": "encryption method",
"password": "password",
"uot": true,
"level": 0
}
]
}
```
> `servers`: \[[ServerObject](#serverobject)\]
An array representing a group of Shadowsocks server settings, where each item is a [ServerObject](#serverobject).
### ServerObject
```json
{
"email": "love@xray.com",
"address": "127.0.0.1",
"port": 1234,
"method": "encryption method",
"password": "password",
"uot": true,
"level": 0
}
```
> `email`: string
Email address (optional) used to identify the user.
> `address`: address
The address of the Shadowsocks server, supporting IPv4, IPv6, and domain names. Required.
> `port`: number
The port of the Shadowsocks server. Required.
> `method`: string
Encryption method. Required.
> `password`: string
Password. Required.
> `uot`: bool
When enabled, UDP over TCP (UOT) will be used.
- Shadowsocks 2022
Use a pre-shared key (PSK) similar to WireGuard as the password.
To generate a compatible key with shadowsocks-rust, use `openssl rand -base64 <length>`, where the length depends on the encryption method used.
| Encryption Method | Key Length |
| ----------------------------- | ---------: |
| 2022-blake3-aes-128-gcm | 16 |
| 2022-blake3-aes-256-gcm | 32 |
| 2022-blake3-chacha20-poly1305 | 32 |
In the Go implementation, a 32-byte key always works.
- Other encryption methods
Any string can be used as a password. There is no limit on the password length, but shorter passwords are more susceptible to cracking. It is recommended to use a password of 16 characters or longer.
> `level`: number
User level. Connections will use the corresponding [local policy](../policy.md#levelpolicyobject) associated with this user level.
The `level` value corresponds to the `level` value in the [policy](../policy.md#policyobject). If not specified, the default value is 0.
Reference in new issue View Git Blame Copy Permalink