Oil and Fish

Shadowsocks with kcptun Acceleration

kcptun can accelerate your TCP connection between a client and a server in situations of congestion on the line. This remote port forwarding tool converts a TCP stream into a UDP stream in KCP protocol in order to achieve higher throughput and lower latency. It includes rich options for performance tuning.

We give instructions for the example of a Windows client, although clients for other platforms are also available. We use Debian 11 for server. The server in our examples has IP address 12.34.56.78.

1. Server

1.1. Generate Port Number and Password

Since Shadowsocks will be tunneled through kcptun, we will just use the default port 8388 for Shadowsocks itself. However, you will need a port number for kcptun and also a strong password for Shadowsocks.

First generate a random port number from the command line of a Linux computer like this:

echo $((1024 + $RANDOM))

The shell function RANDOM gives you a pseudo-random integer between 0 and 32767, so after evaluating the arithmetical expression, you will end up with a port number between 1024 and 33791. In our examples on the rest of this page, we will use the result:

2977

Also generate a random password from the command line of a Linux computer:

openssl rand -base64 24

The openssl rand -base64 function gives you a random number, expressed in base-64 notation. Because of the argument 24, it will be based on 24 bytes or 192 bits. The result will have 32 base-64 characters. In our examples on the rest of this page, we will use the result:

chVMBNntf0Bvsu2927k486bB546yGJ7B

1.2. Open Firewall

A server firewall is recommended but optional. There are multiple ways to implement a firewall on a Debian/Ubuntu server: nftables, iptables, ufw, and firewalld. We will use nftables in our examples, but you can use another method if you prefer.

SSH into your server as root.

Issue each of the following commands in turn to install and start nftables:

apt update && apt upgrade -y

apt install nftables -y

systemctl enable nftables

systemctl start nftables

Configure the firewall to accept related traffic and internal traffic on the loopback interface:

nft add rule inet filter input ct state related,established counter accept

nft add rule inet filter input iif lo counter accept

Configure the firewall to accept ping requests so that you can test latency:

nft add rule inet filter input ip protocol icmp icmp type echo-request counter accept

nft add rule inet filter input ip6 nexthdr icmpv6 icmpv6 type echo-request counter accept

Open port 22 for SSH. If you can restrict the port 22 rule so that only certain source IP addresses are whitelisted for SSH access, then so much the better. For example, if you always connect to your server from source IP address XX.XX.XX.XX:

nft add rule inet filter input tcp dport 22 ip saddr XX.XX.XX.XX/32 counter accept

If you cannot restrict the port 22 rule, then you will have to open the port to the whole world instead:

nft add rule inet filter input tcp dport 22 counter accept

Open the server for KCPTUN UDP input on your chosen port:

nft add rule inet filter input udp dport 2977 counter accept

Drop all unexpected input:

nft add rule inet filter input counter drop

Save the rules:

nft list ruleset > /etc/nftables.conf

1.3. Tune Kernel Parameters

Increase the number of open files on your server:

ulimit -n 65535

Also edit the file ~/.bashrc and insert a line ulimit -n 65535 so that it applies to all future sessions.

Edit the system control configuration file:

vi /etc/sysctl.conf

Insert lines for these parameters for better handling of UDP packets:

net.core.rmem_max=26214400
net.core.rmem_default=26214400
net.core.wmem_max=26214400
net.core.wmem_default=26214400
net.core.netdev_max_backlog=2048

Write the file to disk and quit the editor. Activate:

sysctl -p

1.4. Install Shadowsocks on Server

Use the snap method to install Shadowsocks:

apt install snapd -y

Restart your SSH session to get /snap/bin in path:

exit

ssh root@12.34.56.78

Then carry on with the snap install:

snap install core; snap refresh core

snap install shadowsocks-rust

1.5. Run Shadowsocks Server

Start Shadowsocks running in its own screen session. Notice that it only needs to listen on localhost port 8388, because that is where kcptun will sends its traffic.

screen -S ssserver

shadowsocks-rust.ssserver -k chVMBNntf0Bvsu2927k486bB546yGJ7B -m chacha20-ietf-poly1305 -s 127.0.0.1:8388 --timeout 300

You can alternatively create a configuration file for Shadowsocks. Use shadowsocks-rust.ssserver --help for a full list of options.

Do Ctrl+a then d to detach from the Shadowsocks server screen session.

1.6. Install kcptun on Server

In a browser on your workstation, visit https://github.com/xtaci/kcptun/releases to determine the latest release. Then, in your SSH session with the server, download the binary for that release. For example:

wget https://github.com/xtaci/kcptun/releases/download/v20220628/kcptun-linux-amd64-20220628.tar.gz

Extract the compressed archive:

tar -xf kcptun-linux-amd64-20220628.tar.gz

Copy the binary into your path:

cp server_linux_amd64 /usr/local/bin

1.7. Start kcptun Server

Start kcptun running in its own screen session. It listens for UDP traffic on port 2977 in our example, and sends the traffic to Shadowsocks on port 8388.

screen -S kcptun

server_linux_amd64 -t "127.0.0.1:8388" -l ":2977" -mode fast3 -nocomp -sockbuf 16777217 -dscp 46

The meanings of the parameters are:

• -t target server address
• -l local listen address
• -mode profile
• -nocomp disable compression
• -sockbuf per-socket buffer in bytes
• -dscp Differentiated Services Code Point 46=telephony

Do Ctrl+a then d to detach from the kcptun server screen session.

1.8. Exit SSH on Server

Your work on the server is done, so you can exit your SSH session now:

exit

2. Client

We are going to use the example of a Windows client. Clients for other platforms are also available.

2.1. Download kcptun client

You will need to install 7-zip to extract the archive.

In a browser on your workstation, visit https://github.com/xtaci/kcptun/releases to determine the latest release. Then download the binary for that release. In our example, it is kcptun-windows-amd64-20220628.tar.gz.

Extract the tar.gz file.

Extract the inner tar file. It contains a binary named client_windows_amd64.exe.

2.2. Run kcptun client

Open a Windows Command Prompt window. Run the client:

cd Downloads

client_windows_amd64.exe -r "12.34.56.78:2977" -l ":8388" -mode fast3 -nocomp -autoexpire 900 -sockbuf 16777217 -dscp 46

In the above command, replace the server IP address and port with the correct values for your server IP address and your chosen port number for kcptun. In our example, the kcptun client is communicating with the kcptun server using UDP on port 2977.

If Windows Defender Firewall pops up, click Allow access.

Leave the Command Prompt window open with the client running in it.

2.3. Download Shadowsocks Client

Download the Shadowsocks for Windows client from GitHub, e.g. Shadowsocks-4.4.1.0.zip.

Unzip the zip file.

2.4. Run Shadowsocks Client

Run the program Shadowsocks.exe.

If necessary, click More info and Run anyway.

Enter values that will send Shadowsocks traffic to kcptun, which is listening on localhost port 8388:

• Server IP 127.0.0.1
• Server port 8388
• Password chVMBNntf0Bvsu2927k486bB546yGJ7B
• Encryption chacha20-ietf-poly1305
• Proxy port 1080

Click Apply.

Click OK.

2.5. Set System Proxy

Find the Shadowsocks icon in the system tray at the bottom right of your desktop.

Right-click to bring up the context menu.

Click System Proxy.

Select Global.

2.6. Test Browser

Open a browser and try to visit https://ipchicken.com.

3. Get Help and Report Issues

For documentation on kcptun, consult the GitHub page.

Report kcptun issues on the GitHub issues page.

Updated 2022-07-06

This site is provided for information only. It cannot replace the advice of a trained security professional. If lives or safety depend on your security, please seek the advice of an expert.