Free Public-Interest Shadowsocks Servers

Some people need a quick and free way to access a Shadowsocks server.

At the same time, other people are willing to provide free Shadowsocks servers, if they are in the public interest.

One thing that puts people off from providing free Shadowsocks servers is that you are effectively acting as an exit node. Whatever anyone does on your server can be blamed on you.

The architecture in this post addresses this problem. It makes it safer for anyone to offer free public-interest Shadowsocks servers.

+-------------+        +--------+--------+
| SS          |        | SS     | Tor    |
| Client      +------->+ Server + Client +------> TOR NETWORK
|             |        |        |        |
+-------------+        +--------+--------+

The free server accepts SS traffic, but forces it into the Tor network. The risk is shunted to the knowledgeable and well-resourced organizations who host Tor exit nodes.

Also, since Tor will be slower than a commercial VPN, your server will not be exploited by cheap people who want a VPN but want someone else to pay for it.

Here is how to set up such a server.

Set Up Tor Client

Install the prerequisite package to access the Tor repositories:

apt install -y apt-transport-https

Create /etc/apt/sources.list.d/tor.list as in the example below (the distribution here is Ubuntu 22.04, also known as jammy):

deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org jammy main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org jammy main

Get the Tor signing key:

wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null

Install Tor:

apt update && apt install -y tor deb.torproject.org-keyring

By default, Tor listens for SOCKS traffic on port 9050. Check that the service is running and that the port is open:

systemctl status tor@default
ss -tulpn | grep 9050

SS Server

Choose a port:

echo $((1024 + $RANDOM))

Choose a password:

< /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-24};echo;

Install the latest version of Xray to host your SS server:

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install --beta -u root

Edit the Xray configuration file /usr/local/etc/xray/config.json. Make it look like this. Note that Tor handles TCP only, and therefore the SS input must also be TCP only. (Firefox has a feature to send DNS queries through a SOCKS tunnel.)

{
    "inbounds": [
        {
            "port": <PORT-NUMBER>,
            "protocol": "shadowsocks",
            "settings": {
                "clients": [
                    {
                        "password": "<PASSWORD>",
                        "method": "chacha20-poly1305"
                    }
                ],
                "network": "tcp"
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "socks",
            "settings": {
                "servers": [
                    {
                        "address": "127.0.0.1",
                        "port": 9050
                    }
                ]
            }
        }
    ]
}

Restart Xray with your configuration:

systemctl restart xray && systemctl status xray
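
A configuration audit for the setup above, as an added example that is not part of the original post or of Xray: it checks that the SS inbound is TCP only and that every outbound is the local Tor SOCKS listener, so that no client traffic can exit directly from your server's IP address. The function name, sample port and sample password are constructed for illustration; blackhole outbounds are accepted because they drop traffic rather than forward it.

```python
import json

TOR_SOCKS = ("127.0.0.1", 9050)  # Tor's default SOCKS listener, as used in the post

def audit_xray_config(cfg):
    """Return findings; an empty list means every outbound path leads into Tor."""
    findings = []
    for i, inbound in enumerate(cfg.get("inbounds", [])):
        if inbound.get("protocol") != "shadowsocks":
            continue
        # Tor carries TCP only, so the SS inbound must be pinned to TCP explicitly.
        network = inbound.get("settings", {}).get("network")
        if network != "tcp":
            findings.append(f"inbound {i}: network is {network!r}, expected 'tcp'")
    outbounds = cfg.get("outbounds", [])
    if not outbounds:
        findings.append("no outbounds defined, so nothing forces traffic into Tor")
    for i, outbound in enumerate(outbounds):
        proto = outbound.get("protocol")
        if proto == "blackhole":  # drops traffic, so it cannot leak it
            continue
        if proto != "socks":
            findings.append(f"outbound {i}: protocol {proto!r} bypasses Tor")
            continue
        servers = outbound.get("settings", {}).get("servers", [])
        if not servers:
            findings.append(f"outbound {i}: socks outbound has no servers")
        for srv in servers:
            target = (srv.get("address"), srv.get("port"))
            if target != TOR_SOCKS:
                findings.append(f"outbound {i}: socks server {target} is not the local Tor client")
    return findings

# Constructed sample: the post's config with its placeholders filled in.
SAMPLE = json.loads("""
{
  "inbounds": [{"port": 23456, "protocol": "shadowsocks",
    "settings": {"clients": [{"password": "EXAMPLE-ONLY", "method": "chacha20-poly1305"}],
                 "network": "tcp"}}],
  "outbounds": [{"protocol": "socks",
    "settings": {"servers": [{"address": "127.0.0.1", "port": 9050}]}}]
}
""")

if __name__ == "__main__":
    for line in audit_xray_config(SAMPLE) or ["OK: all outbounds point at Tor"]:
        print(line)
```

To audit a live server, load /usr/local/etc/xray/config.json with json.load and pass the result to audit_xray_config before restarting Xray.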

Communicate Shadowsocks Parameters

Supply the server IP address, port, password, and encryption method to the public. You can also supply them as a URL-style ss:// link or as a QR code. Most SS clients can import server parameters from a URL or on-screen QR code.

It’s a bad idea in general to provide a public Shadowsocks service because this protocol is not designed for that. The password is used as key material for encryption, therefore sharing it publicly will allow decrypting all Shadowsocks sessions. There is already a VPN provider called nthLink which uses Shadowsocks for all users and has such a fatal flaw:

  1. [EN] Stripping nthLink VPN encryption | Snawoot.github.io
  2. [RU] Снимаем шифрование nthLink VPN / Хабр