Shadowsocks with kcptun Acceleration
kcptun can accelerate your TCP connection between a client and a server in situations of congestion on the line. This remote port forwarding tool converts a TCP stream into a UDP stream in KCP protocol in order to achieve higher throughput and lower latency. It includes rich options for performance tuning.
We give instructions for the example of a Windows client, although clients for other platforms are also available. We use Debian 11 for server. The server in our examples has IP address 12.34.56.78
.
1. Server
1.1. Generate Port Number and Password
Since Shadowsocks will be tunneled through kcptun, we will just use the default port 8388
for Shadowsocks itself. However, you will need a port number for kcptun and also a strong password for Shadowsocks.
First generate a random port number from the command line of a Linux computer like this:
echo $((1024 + $RANDOM))
The shell function RANDOM gives you a pseudo-random integer between 0 and 32767, so after evaluating the arithmetical expression, you will end up with a port number between 1024 and 33791. In our examples on the rest of this page, we will use the result:
2977
Also generate a random password from the command line of a Linux computer:
openssl rand -base64 24
The openssl rand -base64
function gives you a random number, expressed in base-64 notation. Because of the argument 24
, it will be based on 24 bytes or 192 bits. The result will have 32 base-64 characters. In our examples on the rest of this page, we will use the result:
chVMBNntf0Bvsu2927k486bB546yGJ7B
1.2. Open Firewall
A server firewall is recommended but optional. There are multiple ways to implement a firewall on a Debian/Ubuntu server: nftables, iptables, ufw, and firewalld. We will use nftables in our examples, but you can use another method if you prefer.
SSH into your server as root
.
Issue each of the following commands in turn to install and start nftables:
apt update && apt upgrade -y
apt install nftables -y
systemctl enable nftables
systemctl start nftables
Configure the firewall to accept related traffic and internal traffic on the loopback interface:
nft add rule inet filter input ct state related,established counter accept
nft add rule inet filter input iif lo counter accept
Configure the firewall to accept ping
requests so that you can test latency:
nft add rule inet filter input ip protocol icmp icmp type echo-request counter accept
nft add rule inet filter input ip6 nexthdr icmpv6 icmpv6 type echo-request counter accept
Open port 22
for SSH. If you can restrict the port 22
rule so that only certain source IP addresses are whitelisted for SSH access, then so much the better. For example, if you always connect to your server from source IP address XX.XX.XX.XX
:
nft add rule inet filter input tcp dport 22 ip saddr XX.XX.XX.XX/32 counter accept
If you cannot restrict the port 22
rule, then you will have to open the port to the whole world instead:
nft add rule inet filter input tcp dport 22 counter accept
Open the server for KCPTUN UDP input on your chosen port:
nft add rule inet filter input udp dport 2977 counter accept
Drop all unexpected input:
nft add rule inet filter input counter drop
Save the rules:
nft list ruleset > /etc/nftables.conf
1.3. Tune Kernel Parameters
Increase the number of open files on your server:
ulimit -n 65535
Also edit the file ~/.bashrc
and insert a line ulimit -n 65535
so that it applies to all future sessions.
Edit the system control configuration file:
vi /etc/sysctl.conf
Insert lines for these parameters for better handling of UDP packets:
net.core.rmem_max=26214400
net.core.rmem_default=26214400
net.core.wmem_max=26214400
net.core.wmem_default=26214400
net.core.netdev_max_backlog=2048
Write the file to disk and quit the editor. Activate:
sysctl -p
1.4. Install Shadowsocks on Server
Use the snap method to install Shadowsocks:
apt install snapd -y
Restart your SSH session to get /snap/bin
in path:
exit
ssh [email protected]
Then carry on with the snap install:
snap install core; snap refresh core
snap install shadowsocks-rust
1.5. Run Shadowsocks Server
Start Shadowsocks running in its own screen
session. Notice that it only needs to listen on localhost port 8388
, because that is where kcptun will sends its traffic.
screen -S ssserver
shadowsocks-rust.ssserver -k chVMBNntf0Bvsu2927k486bB546yGJ7B -m chacha20-ietf-poly1305 -s 127.0.0.1:8388 --timeout 300
You can alternatively create a configuration file for Shadowsocks. Use shadowsocks-rust.ssserver --help
for a full list of options.
Do Ctrl+a then d to detach from the Shadowsocks server screen session.
1.6. Install kcptun on Server
In a browser on your workstation, visit https://github.com/xtaci/kcptun/releases to determine the latest release. Then, in your SSH session with the server, download the binary for that release. For example:
wget https://github.com/xtaci/kcptun/releases/download/v20220628/kcptun-linux-amd64-20220628.tar.gz
Extract the compressed archive:
tar -xf kcptun-linux-amd64-20220628.tar.gz
Copy the binary into your path:
cp server_linux_amd64 /usr/local/bin
1.7. Start kcptun Server
Start kcptun running in its own screen
session. It listens for UDP traffic on port 2977
in our example, and sends the traffic to Shadowsocks on port 8388
.
screen -S kcptun
server_linux_amd64 -t "127.0.0.1:8388" -l ":2977" -mode fast3 -nocomp -sockbuf 16777217 -dscp 46
The meanings of the parameters are:
-t
target server address-l
local listen address-mode
profile-nocomp
disable compression-sockbuf
per-socket buffer in bytes-dscp
Differentiated Services Code Point46
=telephony
1.8. Exit SSH on Server
Your work on the server is done, so you can exit your SSH session now:
exit
2. Client
We are going to use the example of a Windows client. Clients for other platforms are also available.
2.1. Download kcptun client
You will need to install 7-zip to extract the archive.
In a browser on your workstation, visit https://github.com/xtaci/kcptun/releases to determine the latest release. Then download the binary for that release. In our example, it is kcptun-windows-amd64-20220628.tar.gz
.
Extract the tar.gz
file.
Extract the inner tar
file. It contains a binary named client_windows_amd64.exe
.
2.2. Run kcptun client
Open a Windows Command Prompt window. Run the client:
cd Downloads
client_windows_amd64.exe -r "12.34.56.78:2977" -l ":8388" -mode fast3 -nocomp -autoexpire 900 -sockbuf 16777217 -dscp 46
In the above command, replace the server IP address and port with the correct values for your server IP address and your chosen port number for kcptun. In our example, the kcptun client is communicating with the kcptun server using UDP on port 2977
.
If Windows Defender Firewall pops up, click Allow access.
Leave the Command Prompt window open with the client running in it.
2.3. Download Shadowsocks Client
Download the Shadowsocks for Windows client from GitHub, e.g. Shadowsocks-4.4.1.0.zip
.
Unzip the zip file.
2.4. Run Shadowsocks Client
Run the program Shadowsocks.exe
.
If necessary, click More info and Run anyway.
Enter values that will send Shadowsocks traffic to kcptun, which is listening on localhost port 8388
:
- Server IP
127.0.0.1
- Server port
8388
- Password
chVMBNntf0Bvsu2927k486bB546yGJ7B
- Encryption
chacha20-ietf-poly1305
- Proxy port
1080
Click Apply.
Click OK.
2.5. Set System Proxy
Find the Shadowsocks icon in the system tray at the bottom right of your desktop.
Right-click to bring up the context menu.
Click System Proxy.
Select Global.
2.6. Test Browser
Open a browser and try to visit https://ipchicken.com.
3. Get Help and Report Issues
For documentation on kcptun, consult the GitHub page.
Report kcptun issues on the GitHub issues page.
Updated 2022-07-06