Shadowsocks

Shadowsocks protocol is compatible with most other implementations.

Here are the features and compatibility of Shadowsocks:

• It supports TCP and UDP packet forwarding, with the option to disable UDP.
• Recommended encryption methods:
  • 2022-blake3-aes-128-gcm
  • 2022-blake3-aes-256-gcm
  • 2022-blake3-chacha20-poly1305
• Other encryption methods:
  • aes-256-gcm
  • aes-128-gcm
  • chacha20-poly1305 (also known as chacha20-ietf-poly1305)
  • none or plain

The new protocol format of Shadowsocks 2022 improves performance and includes full replay protection, addressing security issues present in the old protocol:

• Serious vulnerabilities in Shadowsocks AEAD encryption methods that compromise the integrity of communications
• Increasing false-positive rate of TCP replay filters over time
• Lack of replay protection for UDP
• TCP behaviors that can be used for active probing

Danger

Using the "none" encryption method will transmit traffic in plaintext. It is not recommended to use "none" encryption on public networks to ensure security.

OutboundConfigurationObject

{
  "servers": [
    {
      "email": "love@xray.com",
      "address": "127.0.0.1",
      "port": 1234,
      "method": "encryption method",
      "password": "password",
      "uot": true,
      "level": 0
    }
  ]
}

servers: [ServerObject]

An array representing a group of Shadowsocks server settings, where each item is a ServerObject.

ServerObject

{
  "email": "love@xray.com",
  "address": "127.0.0.1",
  "port": 1234,
  "method": "encryption method",
  "password": "password",
  "uot": true,
  "level": 0
}

email: string

Email address (optional) used to identify the user.

address: address

The address of the Shadowsocks server, supporting IPv4, IPv6, and domain names. Required.

port: number

The port of the Shadowsocks server. Required.

method: string

Encryption method. Required.

password: string

Password. Required.

uot: bool

When enabled, UDP over TCP (UOT) will be used.

• Shadowsocks 2022

Use a pre-shared key (PSK) similar to WireGuard as the password.

To generate a compatible key with shadowsocks-rust, use openssl rand -base64 <length>, where the length depends on the encryption method used.

Encryption Method	Key Length
2022-blake3-aes-128-gcm	16
2022-blake3-aes-256-gcm	32
2022-blake3-chacha20-poly1305	32

In the Go implementation, a 32-byte key always works.

• Other encryption methods

Any string can be used as a password. There is no limit on the password length, but shorter passwords are more susceptible to cracking. It is recommended to use a password of 16 characters or longer.

level: number

User level. Connections will use the corresponding local policy associated with this user level.

The level value corresponds to the level value in the policy. If not specified, the default value is 0.