Docs Config Shadowsocks

Shadowsocks

The classic lightweight proxy protocol — simple encryption, great performance, and with plugins it can disguise traffic in all sorts of ways. One of the most common protocols among providers and self-hosted nodes alike.

Example Config

config.yaml YAML
proxies:
  - name: "ss1"
    type: ss
    server: server
    port: 443
    cipher: aes-128-gcm
    password: "password"
    udp: true
    udp-over-tcp: false
    plugin: obfs
    plugin-opts:
      mode: tls

Basic Fields

passwordRequired

The connection password; for the SS2022 cipher family, this is the EIH key.

cipherRequired

The encryption method. Common choices are aes-128-gcm/aes-256-gcm/chacha20-ietf-poly1305/xchacha20-ietf-poly1305, plus the newer SS2022 family: 2022-blake3-aes-128-gcm/2022-blake3-aes-256-gcm/2022-blake3-chacha20-poly1305. The older aes-*-ctr/aes-*-cfb families are also supported, but are less secure and slower than the AEAD family — not recommended for new nodes.

udp-over-tcp / udp-over-tcp-versionOptional

Disguises UDP traffic as TCP for forwarding — useful for getting around networks that only allow TCP.

The plugin Field

The plugin field supports obfs/v2ray-plugin/gost-plugin/shadow-tls/restls/kcptun, each with its own plugin-opts.

obfs (simple-obfs)
YAML obfs
plugin: obfs
plugin-opts:
  mode: tls # or http
  host: bing.com

Disguises traffic to look like a TLS or HTTP handshake — the simplest form of obfuscation, with limited resistance to deep packet inspection.

shadow-tls
YAML shadow-tls
plugin: shadow-tls
client-fingerprint: chrome
plugin-opts:
  host: "cloud.tencent.com"
  password: "shadow_tls_password"
  version: 3 # Supports 1/2/3

Wraps SS traffic in a real TLS handshake (host points to an actual real website), giving it a more convincing disguise than simple obfs — currently one of the stronger anti-censorship options available.

restls
YAML restls
plugin: restls
client-fingerprint: chrome # One of chrome/ios/firefox/safari
plugin-opts:
  host: "www.microsoft.com" # Should be a TLS 1.3 server
  password: [YOUR_RESTLS_PASSWORD]
  version-hint: "tls13"
  restls-script: "300?100<1,400~100,350~100,600~100,300~200,300~100"

A step further than shadow-tls — uses restls-script to precisely control traffic behavior after the handshake, hiding "TLS in TLS" style fingerprints.

v2ray-plugin
YAML v2ray-plugin
plugin: v2ray-plugin
plugin-opts:
  mode: websocket
  # tls: true
  # host: bing.com
  # path: /path

Wraps SS traffic in WebSocket, letting it go through a CDN — good compatibility, though QUIC mode isn't supported yet.

There's also the kcptun plugin, which converts traffic to the KCP protocol to improve transfer efficiency on poor networks. It has quite a few fields (key/crypt/mode/mtu, etc.) and is rarely used, so we won't cover it in detail here.