Free Public-Interest Shadowsocks Servers

Some people need a quick and free way to access a Shadowsocks server.

At the same time, other people are willing to provide free Shadowsocks servers, if they are in the public interest.

One thing that puts people off from providing free Shadowsocks servers is that you are effectively acting as an exit node. Whatever anyone does on your server can be blamed on you.

The architecture in this post addresses this problem. It makes it safer for anyone to offer free public-interest Shadowsocks servers.

+-------------+        +--------+--------+
| SS          |        | SS     | Tor    |
| Client      +------->+ Server + Client +------> TOR NETWORK
|             |        |        |        |
+-------------+        +--------+--------+

The free server accepts SS traffic, but forces it into the Tor network. The risk is shunted to the knowledgeable and well-resourced organizations who host Tor exit nodes.

Also, since Tor will be slower than a commercial VPN, your server will not be exploited by cheap people who want a VPN but want someone else to pay for it.

Here is how to set up such a server.

Set Up Tor Client

Install the prerequisite package to access the Tor repositories:

apt install -y apt-transport-https

Create /etc/apt/sources.list.d/tor.list like the example below (the distribution here is Ubuntu 22.04 also known as jammy):

deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] jammy main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] jammy main

Get the Tor signing key:

wget -qO- | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

Install Tor:

apt update && apt install -y tor

By default, Tor listens for SOCKS traffic on port 9050:

systemctl status tor@default
ss -tulpn | grep 9050

SS Server

Choose a port:

echo $((1024 + $RANDOM))

Choose a password:

< /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-24};echo;

Install the latest version of Xray to host your SS server:

bash -c "$(curl -L" @ install --beta -u root

Edit the Xray configuration file /usr/local/etc/xray/config.json. Make it look like this. Note that Tor handles TCP only, and therefore the SS input must also be TCP only. (Firefox has a feature to send DNS queries through a SOCKS tunnel.)

    "inbounds": [
            "port": <PORT-NUMBER>,
            "protocol": "shadowsocks",
            "settings": {
                "clients": [
                        "password": "<PASSWORD>",
                        "method": "chacha20-poly1305"
                "network": "tcp"
    "outbounds": [
            "protocol": "socks",
            "settings": {
                "servers": [
                        "address": "",
                        "port": 9050

Restart Xray with your configuration:

systemctl restart xray && systemctl status xray

Communicate Shadowsocks Parameters

Supply the server IP address, port, password, and encryption method to the public. You can also supply them as a URL-style ss:// link or as a QR code. Most SS clients can import server parameters from a URL or on-screen QR code.

It’s a bad idea in general to provide public shadowsocks service because this protocol is not designed for that. Password is used as a key material for encryption, therefore sharing it publicly will allow to decrypt all shadowsocks sessions. There is already some VPN provider called nthLink which uses shadowsocks for all users and has such fatal flaw:

  1. [EN] Stripping nthLink VPN encryption |
  2. [RU] Снимаем шифрование nthLink VPN / Хабр