Shadowsocks

The Shadowsocksopen in new tag protocol is compatible with most other implementations of Shadowsocks. The server supports TCP and UDP packet forwarding, with an option to selectively disable UDP.

Supported Encryption Methods

The currently supported methods are following:

Recommended encryption methods:
- 2022-blake3-aes-128-gcm
- 2022-blake3-aes-256-gcm
- 2022-blake3-chacha20-poly1305
Other encryption methods:
- aes-256-gcm
- aes-128-gcm
- chacha20-poly1305/chacha20-ietf-poly1305
- xchacha20-poly1305/xchacha20-ietf-poly1305
- none/plain

The Shadowsocks 2022 new protocol format improves performance and includes complete replay protection, addressing the following security issues in the old protocol:

Serious vulnerabilities in Shadowsocks AEAD encryption, which cannot guarantee the integrity of the communication contentopen in new tag
Increasing false positive rate of the original TCP replay filter over time
Lack of UDP replay protection
TCP behaviors that can be used for active probing

Danger

Traffic transmitted without encryption using the "none" method will be in plain text. Do not use it on public networks for security reasons.

InboundConfigurationObject

{
  "settings": {
    "clients": [],
    "password": "password",
    "method": "aes-256-gcm",
    "level": 0,
    "email": "love@xray.com",
    "network": "tcp,udp"
  }
}

clients: a list of ClientObject, empty list considered valid

The password parameter can be specified for the server at all, but also in the ClientObject being dedicated to the given user. Server-level password is not guaranteed to override the client-specific one.

network: "tcp" | "udp" | "tcp,udp"

The supported network protocol type. For example, when specified as "tcp", it will only handle TCP traffic. The default value is "tcp".

ClientObject

{
  "password": "密码",
  "method": "aes-256-gcm",
  "level": 0,
  "email": "love@xray.com"
}

method: string, any of the supported methods

Required.

password: string

Required. For Shadowsocks 2022 a pre-shared base64 random key similar to WireGuard's keys should be used as the password. The command

openssl rand -base64 <length>

could used to generate a key. The length of the required key for shadowsocks-rust implementation depends on the encryption method:

Encryption Method	Key Length
`2022-blake3-aes-128-gcm`	16
`2022-blake3-aes-256-gcm`	32
`2022-blake3-chacha20-poly1305`	32

In the go-shadowsocks implementation written in Golang, a 32-byte key always works.

For any other encryption method any string could be used. There is no limitation on the password length, but shorter passwords are more susceptible to cracking. It is recommended to use a random-generated password of 16 characters or longer. The following example generates 40-characters length password:

sudo strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 40 | tr -d '\n'; echo

level: number

The user level that the connection will use to determine the corresponding Local Policy.

The value of level corresponds to the value of level in the policy. If not specified, the default value is 0.

email: string

The user's email, used to differentiate traffic from different users for logs or statistics.