Tom

How to use ShadowTLS

1. Introduction

The advantage of ShadowTLS is that it obfuscates traffic as TLS without needing a certificate for your own site: it can borrow any public website's certificate for the handshake. There is currently no official Windows client for ShadowTLS and no GUI client at all, so using it requires some expertise and it remains relatively niche. Installation is very easy: run the binary directly, and the parameters are not complicated. Because it is purely an obfuscation tool, a separate encryption program such as Shadowsocks or Snell has to be running on the server.

The process is as follows: Shadowsocks listens on a port -> ShadowTLS is configured to forward to that port -> ShadowTLS listens on its own port -> the client is configured with the ShadowTLS listening port.

2. Installing the Encryption Proxy Program

It is recommended to use TeddySun's Docker installation method. For specific instructions, please refer to: https://hub.docker.com/r/teddysun/shadowsocks-rust

If you can't access that page, the main configuration is written out below.

# Create the configuration file
mkdir -p /etc/shadowsocks-rust
# Write the configuration file, modify the password and you can leave the port number unchanged so that you don't need to modify many commands when starting the docker
# If you need to modify the port number, pay attention to the mapping of the port number inside and outside the container. If you don't understand, you can search or refer to my docker notes.
cat > /etc/shadowsocks-rust/config.json <<EOF
{
    "server":"0.0.0.0",
    "server_port":9000,
    "password":"password0",
    "timeout":300,
    "method":"aes-256-gcm",
    "nameserver":"8.8.8.8",
    "mode":"tcp_and_udp"
}
EOF
# Pull the image and start the container
docker pull teddysun/shadowsocks-rust
# Note: -p 9000:9000 publishes the Shadowsocks port on all interfaces, so it stays reachable directly from the internet as well as through ShadowTLS (which connects to it on 127.0.0.1:9000 below)
docker run -d -p 9000:9000 -p 9000:9000/udp --name ss-rust --restart=always -v /etc/shadowsocks-rust:/etc/shadowsocks-rust teddysun/shadowsocks-rust

If you only use Surge, you can consider using Snell. The following is a comparison between the two by the author of Surge:

  • Completely without characteristics: such as Shadowsocks, VMess and their derivative protocols. Encrypted traffic of this kind has no characteristics at all, and that in itself becomes a feature that makes it easier to block.
  • Random characteristics: Snell is designed so that the Snell client generates random characteristics, which depend on the current session (Surge reloading the configuration once counts as a new session), the PSK hash and other inputs, so that each user's traffic characteristics are different. (Rest assured, the characteristics are weak, the algorithm is irreversible, and the characteristics are regenerated every time Surge restarts. They will never be used to track users.) This solution is currently performing well.

Snell is also relatively niche. If needed, you can set it up by referring to the Surge manual; it can also be run directly as a binary. However, since I am already using ShadowTLS, the encryption used at the underlying level is no longer important.

3. Configuring ShadowTLS

Refer to the official GitHub: https://github.com/ihciah/shadow-tls/releases

There are two ways to do it: modify the provided docker-compose.yml file and run it with Docker, or download the binary file and run it directly.

I am using the binary method:

# Download the binary file to /usr/bin. I downloaded the latest version at the moment. If there are updates in the future, you need to find them in the releases yourself.
cd /usr/bin
wget https://github.com/ihciah/shadow-tls/releases/download/v0.2.23/shadow-tls-x86_64-unknown-linux-musl
# Add executable permissions
chmod +x shadow-tls-x86_64-unknown-linux-musl
# Modify the startup service file:
cat > /etc/systemd/system/shadow-tls.service <<EOF
[Unit]
Description=Shadow-TLS Custom Server Service
Documentation=man:sstls-server(1)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/shadow-tls-x86_64-unknown-linux-musl --v3 server --listen 0.0.0.0:45632 --password I6knDArfHW2TPhRdB7 --server 127.0.0.1:9000 --tls www.bing.com:443

[Install]
WantedBy=multi-user.target
EOF

# In the line above, I6knDArfHW2TPhRdB7 is the ShadowTLS password (replace it with your own); --v3 selects protocol version 3; --listen is the port ShadowTLS listens on, which is the port (45632) to enter in the client configuration; --server is the address of the encryption proxy configured above, port 9000; --tls is the website whose certificate is borrowed for obfuscation, do not use sites like Google here.
# Then refresh and start the service
systemctl daemon-reload
systemctl enable shadow-tls.service
systemctl start shadow-tls.service

4. Configuring the Client

When configuring the client, note that the proxy type or method should be the encryption proxy, such as ss or snell. For the port, enter the ShadowTLS listening port, and for the password, enter the password of the encryption proxy. In the separate Shadow-TLS configuration fields, enter the version (v3), the Shadow-TLS password used when starting Shadow-TLS, and for SNI the website address that was specified with --tls at startup.

If you are using Windows, you will need to use sing-box. For specific instructions, please refer to: https://sing-box.sagernet.org/zh/examples/shadowtls/

You need to write the configuration file yourself. I recommend NekoBox, which has built-in support for chaining proxies. In its settings, select sing-box as the core, then create the ShadowTLS and ss configurations based on the official instructions. ShadowTLS requires a custom outbound configuration. For details, refer to the official manual: https://matsuridayo.github.io/n-configuration/#_13

Here is an excerpt:

Example: Using the ShadowTLS server in NekoBox.

  1. Create a custom outbound (Configuration 1).
{
  "type": "shadowtls",
  "tag": "shadowtls-out",
  "server": "server IP address",
  "server_port": 45632,
  "tls": {
    "enabled": true,
    "server_name": "www.bing.com"
  }
}
  2. Create a Shadowsocks outbound (Configuration 2). You can create it through the visual interface.
  3. Compose the chain proxy in the order of Configuration 1 then Configuration 2.
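As an added example (not code from the original post or from the shadow-tls project), the following Python script checks that the chain described in the introduction actually lines up: the Shadowsocks server_port matches ShadowTLS --server, the client's server_port matches ShadowTLS --listen, the client's server_name matches the --tls host, the server was started with --v3, and it also flags a docker run line that publishes the Shadowsocks port on all interfaces, since that port would then be reachable directly without the ShadowTLS layer. The sample config.json, docker run line, ExecStart and client outbound embedded in it are constructed from the values in this post.

```python
import json
import re
import shlex

# Constructed sample artefacts mirroring the post's configuration (not taken from a live server).
SS_CONFIG = '{"server":"0.0.0.0","server_port":9000,"password":"password0","method":"aes-256-gcm"}'
DOCKER_RUN = ("docker run -d -p 9000:9000 -p 9000:9000/udp --name ss-rust --restart=always "
              "-v /etc/shadowsocks-rust:/etc/shadowsocks-rust teddysun/shadowsocks-rust")
EXEC_START = ("/usr/bin/shadow-tls-x86_64-unknown-linux-musl --v3 server --listen 0.0.0.0:45632 "
              "--password I6knDArfHW2TPhRdB7 --server 127.0.0.1:9000 --tls www.bing.com:443")
CLIENT_OUT = {"type": "shadowtls", "server": "server IP address", "server_port": 45632,
              "tls": {"enabled": True, "server_name": "www.bing.com"}}

def parse_exec_start(line):
    """Map each --flag on the ExecStart line to the token after it (for --v3 only presence matters)."""
    argv = shlex.split(line)
    return {tok: argv[i + 1] if i + 1 < len(argv) else None
            for i, tok in enumerate(argv) if tok.startswith("--")}

def published_ports(docker_cmd):
    """Yield (bind_ip, host_port, proto) per -p mapping; bind_ip is '' when docker binds all interfaces."""
    for spec in re.findall(r"-p\s+(\S+)", docker_cmd):
        mapping, _, proto = spec.partition("/")
        parts = mapping.split(":")                      # ip:host:container or host:container
        bind_ip, hport = (parts[0], parts[1]) if len(parts) == 3 else ("", parts[0])
        yield bind_ip, int(hport), proto or "tcp"

def check_chain(ss_json, docker_cmd, exec_start, client_out):
    """Check the SS -> ShadowTLS -> client chain; return a list of findings (empty means consistent)."""
    findings = []
    ss = json.loads(ss_json)
    opts = parse_exec_start(exec_start)
    listen_port = int(opts["--listen"].rpartition(":")[2])
    backend_port = int(opts["--server"].rpartition(":")[2])
    sni_host = opts["--tls"].rpartition(":")[0]
    if ss["server_port"] != backend_port:
        findings.append("shadow-tls --server port does not match shadowsocks server_port")
    if client_out["server_port"] != listen_port:
        findings.append("client server_port does not match shadow-tls --listen port")
    if client_out["tls"]["server_name"] != sni_host:
        findings.append("client server_name does not match shadow-tls --tls host")
    if "--v3" not in opts:
        findings.append("server not started with --v3 while the client is configured for v3")
    for bind_ip, hport, proto in published_ports(docker_cmd):
        if hport == backend_port and bind_ip in ("", "0.0.0.0"):
            findings.append("shadowsocks port %d/%s is published on all interfaces, reachable without ShadowTLS"
                            % (hport, proto))
    return findings
```

With the post's own docker run line the only findings are the two exposure warnings (tcp and udp); binding the mapping to 127.0.0.1 (for example -p 127.0.0.1:9000:9000) makes the chain come back clean.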

Using the chain proxy in NekoBox, even without ShadowTLS, you can relay traffic to your own server through a cloud service so that the server itself is not banned. If you are interested, you can try the cloud service I use, Renzhe Cloud.
