Shadowsocks
The classic lightweight proxy protocol — simple encryption, great performance, and with plugins it can disguise traffic in all sorts of ways. One of the most common protocols among providers and self-hosted nodes alike.
Example Config
proxies: - name: "ss1" type: ss server: server port: 443 cipher: aes-128-gcm password: "password" udp: true udp-over-tcp: false plugin: obfs plugin-opts: mode: tls
Basic Fields
passwordRequiredThe connection password; for the SS2022 cipher family, this is the EIH key.
cipherRequiredThe encryption method. Common choices are aes-128-gcm/aes-256-gcm/chacha20-ietf-poly1305/xchacha20-ietf-poly1305, plus the newer SS2022 family: 2022-blake3-aes-128-gcm/2022-blake3-aes-256-gcm/2022-blake3-chacha20-poly1305. The older aes-*-ctr/aes-*-cfb families are also supported, but are less secure and slower than the AEAD family — not recommended for new nodes.
udp-over-tcp / udp-over-tcp-versionOptionalDisguises UDP traffic as TCP for forwarding — useful for getting around networks that only allow TCP.
The plugin Field
The plugin field supports obfs/v2ray-plugin/gost-plugin/shadow-tls/restls/kcptun, each with its own plugin-opts.
plugin: obfs plugin-opts: mode: tls # or http host: bing.com
Disguises traffic to look like a TLS or HTTP handshake — the simplest form of obfuscation, with limited resistance to deep packet inspection.
plugin: shadow-tls client-fingerprint: chrome plugin-opts: host: "cloud.tencent.com" password: "shadow_tls_password" version: 3 # Supports 1/2/3
Wraps SS traffic in a real TLS handshake (host points to an actual real website), giving it a more convincing disguise than simple obfs — currently one of the stronger anti-censorship options available.
plugin: restls client-fingerprint: chrome # One of chrome/ios/firefox/safari plugin-opts: host: "www.microsoft.com" # Should be a TLS 1.3 server password: [YOUR_RESTLS_PASSWORD] version-hint: "tls13" restls-script: "300?100<1,400~100,350~100,600~100,300~200,300~100"
A step further than shadow-tls — uses restls-script to precisely control traffic behavior after the handshake, hiding "TLS in TLS" style fingerprints.
plugin: v2ray-plugin plugin-opts: mode: websocket # tls: true # host: bing.com # path: /path
Wraps SS traffic in WebSocket, letting it go through a CDN — good compatibility, though QUIC mode isn't supported yet.
There's also the kcptun plugin, which converts traffic to the KCP protocol to improve transfer efficiency on poor networks. It has quite a few fields (key/crypt/mode/mtu, etc.) and is rarely used, so we won't cover it in detail here.