How to use ShadowTLS

1. Introduction#

The advantage of ShadowTLS is that it uses TLS obfuscation, but it does not require a website certificate on the server side. It can use any website certificate for obfuscation. Currently, there is no official Windows client for ShadowTLS, and there is no GUI client available. If you want to use it, you need a certain level of expertise, so it is still relatively niche. It is very easy to install, just run the binary file directly, and the parameters are not complicated. Because it is a tool designed for obfuscation, an encryption program such as Shadowsocks or snell needs to be separately enabled on the server.

The process is as follows: SS listens on a port -> ShadowTLS configures the port -> ShadowTLS listens on the port -> Client configures ShadowTLS listening port.

2. Installing the Encryption Proxy Program#

It is recommended to use Teddysun's Docker installation method. For specific instructions, please refer to:

If you cannot access it, I will write the main configuration below.

# Create the configuration file
mkdir -p /etc/shadowsocks-rust
# Write the configuration file, modify the password yourself, the port number can be unchanged, so that many instructions do not need to be modified when starting the docker
# If you need to modify the port number, pay attention to the mapping of internal and external port numbers in the container. If you don't understand, you can search or refer to my docker notes.
cat > /etc/shadowsocks-rust/config.json <<EOF
# Pull the image and start the container
docker pull teddysun/shadowsocks-rust
docker run -d -p 9000:9000 -p 9000:9000/udp --name ss-rust --restart=always -v /etc/shadowsocks-rust:/etc/shadowsocks-rust teddysun/shadowsocks-rust

If you only use Surge, you can consider using Snell. Here is a comparison between the two by the author of Surge:

  • Completely without features: Such as shadowsocks, VMess, and other derivative protocols, currently this type of encrypted traffic does not have any features at all, but it is easy to be blocked as a feature.
  • Random features: Snell's design, the Snell client will randomly generate some features, and the random generation depends on the current session (Surge reloads the configuration once as a new session), PSK hash and other inputs, so that the traffic features of each user are different. (Please rest assured, the features are weak and the algorithm is irreversible, and the features will be updated every time Surge is restarted, so they cannot be used for user tracking) This solution is currently performing well.

Snell is also relatively niche. If you need it, you can use it in the Surge manual. It can also be run directly as a binary file. However, since ShadowTLS is already being used, the encryption method used by Snell is no longer important.

3. Configuring ShadowTLS#

Refer to the official GitHub:

There are two ways to do this: modify the provided docker-compose.yml file and use Docker to run it, or download the binary file and run it.

I used the binary method:

# Download the binary file to /usr/bin. I downloaded the latest version at the time, if there are updates in the future, you need to find them in the releases yourself.
cd /usr/bin
# Add execution permissions
chmod +x shadow-tls-x86_64-unknown-linux-musl
# Modify the startup service file:
cat > /etc/systemd/system/shadow-tls.service <<EOF
Description=Shadow-TLS Custom Server Service

ExecStart=/usr/bin/shadow-tls-x86_64-unknown-linux-musl --v3 server --listen --password I6knDArfHW2TPhRdB7 --server --tls


# The above I6knDArfHW2TPhRdB7 is the password file, --v3 is the running version, --listen is the listening port on 45632, which means the port configured by the client should be 45632, --server corresponds to the port of the encryption proxy configured above, which is 9000, --tls is the website certificate for obfuscation, do not fill in websites like google.
# Then refresh and start the service
systemctl daemon-reload
systemctl enable shadow-tls.service
systemctl start shadow-tls.service

4. Configuring the Client#

When configuring the client, please note that the proxy type or method should be selected as the encryption proxy, such as ss or snell. The port should be set to the listening port of ShadowTLS, and the password should be the password used in the encryption proxy. In the separate Shadow-TLS configuration field, enter the corresponding version: v3. The Shadow-TLS Password corresponds to the password entered when starting Shadow-TLS, and SNI should be filled in with the corresponding website address used in --tls when starting.

If you are using Windows, you will need to use sing-box. For specific instructions, please refer to:

You need to write the configuration document yourself. I recommend using NekoBox, which comes with the ability to set up a chain proxy. In the settings, select sing-box as the core, and then create separate configurations for ShadowTLS and ss according to the official instructions. ShadowTLS requires a custom outbound configuration. For details, please refer to the official manual:

Here is an excerpt:

Example: Using ShadowTLS server in NekoBox.

  1. Create a custom outbound (Configuration 1)
  "type": "shadowtls",
  "tag": "shadowtls-out",
  "server": "server IP address",
  "server_port": 45632,
  "tls": {
    "enabled": true,
    "server_name": ""
  1. Create a Shadowsocks outbound (Configuration 2) can be created through the visual interface
  2. Compose the chain proxy in the order of Configuration 1 and Configuration 2

Using NekoBox's chain proxy, even if you don't use ShadowTLS, you can forward traffic to your own server through the airport to avoid the server being banned. If you are interested, you can try the airport I use Renzhe Cloud

Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.