Tor + Shadowsocks-Rust pre-proxy

The scenario in this article is that you want to reach the Tor network, but a restrictive firewall is preventing you from connecting. You decide to set up a Shadowsocks-Rust pre-proxy so that Tor Browser can connect through it to the Tor network. The instructions that follow are for a Linux server and a Windows PC client.

1. Set up Shadowsocks-Rust pre-proxy server

You will need a Debian or Ubuntu virtual private server (VPS) to host your pre-proxy server.

Launch Window PowerShell.

SSH into your server as root. For example:

ssh [email protected]

Replace 123.45.67.89 in the above by your actual server IP address.

Update your server:

apt update && apt upgrade -y && apt autoremove -y

Now follow either the quick method of running from the command line, or the service method of running under systemd.

1.1. Quick method

In a browser on your PC, visit https://github.com/shadowsocks/shadowsocks-rust/releases and determine the most recent release of Shadowsocks-Rust.

On your server, download the most recent release. Example:

apt install curl -y

curl -L https://github.com/shadowsocks/shadowsocks-rust/releases/download/v1.21.2/shadowsocks-v1.21.2.x86_64-unknown-linux-gnu.tar.xz -O

Extract the archive:

tar -xf shadowsocks-v1.21.2.x86_64-unknown-linux-gnu.tar.xz

Unless you have already decided on a port number, generate a pseudorandom port number for Shadowsocks-Rust input:

echo $(($RANDOM + 10000))

Example:

25765

Open your server firewall and/or security groups for TCP input on this port (tcp/25765 in our example).

Generate a 256-bit key to serve as a password for Shadowsocks-Rust:

./ssservice genkey -m "2022-blake3-aes-256-gcm"

Example:

f3JM0SpB0ToJbTZwWe0oG5OnTOrnl1Kk4HJbRNp/Eow=

Create a configuration file:

vi config.json

Use the following as a model to create your own configuration file:

{
  "server": "0.0.0.0",
  "server_port": 25765,
  "password": "f3JM0SpB0ToJbTZwWe0oG5OnTOrnl1Kk4HJbRNp/Eow=",
  "method": "2022-blake3-aes-256-gcm"
}

Save the file.

For a really quick method, you can run ssserver from the command line. However, for a slightly better method, run ssserver in a screen session. That way you can detach from the screen session and exit your SSH session with the server.

If necessary, install screen (it is already included in most Linux distributions):

apt install screen -y

Start a screen session named, for example, ssserver (it doesn't have to have the same name as the binary you will run in it):

screen -S ssserver

Run ssserver with your configuration file:

./ssserver -c config.json

Detach from the screen session by pressing Ctrl+a immediately followed by d. (You can resume the named screen session at any time with the command screen -r ssserver.)

Exit your SSH session:

exit

1.2. Service method

Running from the command line is fine for a quick test, but for regular use you will want your Shadowsocks-Rust server to be running continually. In this section, you're going to install Shadowsocks-Rust as a snap, then run it as a systemd service.

Install the snap daemon:

apt install snapd -y

Install Shadowsocks-Rust as a snap:

snap install shadowsocks-rust

Exit your SSH session, then re-SSH into your server.

Check that the Shadowsocks-Rust snap has been installed:

shadowsocks-rust.ssserver --version

Example:

shadowsocks 1.21.2

Unless you have already decided on a port number, generate a pseudorandom port number for Shadowsocks-Rust input:

echo $(($RANDOM + 10000))

Example:

25765

Open your server firewall and/or security groups for TCP input on this port (tcp/25765 in our example).

Generate a 256-bit key to serve as a password for Shadowsocks-Rust:

openssl rand -base64 32

Example:

f3JM0SpB0ToJbTZwWe0oG5OnTOrnl1Kk4HJbRNp/Eow=

The Shadowsocks-Rust snap expects your configuration file to be in a fixed location. Edit your configuration file in that location:

vi /var/snap/shadowsocks-rust/common/etc/shadowsocks-rust/config.json

Use this as your model and edit it accordingly:

{
  "server": "0.0.0.0",
  "server_port": 25765,
  "password": "f3JM0SpB0ToJbTZwWe0oG5OnTOrnl1Kk4HJbRNp/Eow=",
  "method": "2022-blake3-aes-256-gcm"
}

Substitute in your own values for the parameters.

Save the file.

Test your configuration file by trying to run Shadowsocks-Rust from the command line:

shadowsocks-rust.ssserver -c /var/snap/shadowsocks-rust/common/etc/shadowsocks-rust/config.json

Press Ctrl+c to end the test run.

Start the systemd service running:

snap start --enable shadowsocks-rust.ssserver-daemon

Check the status of the systemd service:

systemctl status snap.shadowsocks-rust.ssserver-daemon

Exit your SSH session:

exit

2. Set up Shadowsocks-Rust pre-proxy client

Follow either the quick method of running from the command line, or the service method of running as a Windows service.

2.1. Quick method

Download the most recent Windows binary for Shadowsocks-Rust from https://github.com/shadowsocks/shadowsocks-rust/releases. Example:

shadowsocks-v1.21.2.x86_64-pc-windows-msvc.zip

Unzip the .zip file.

Create a file config.json in the same folder as the executable. For example, in Downloads\shadowsocks-v1.21.2.x86_64-pc-windows-msvc, use Notepad to create a file like this.

{
  "server": "YOUR.SERVER.IP.ADDRESS",
  "server_port": 25765,
  "password": "f3JM0SpB0ToJbTZwWe0oG5OnTOrnl1Kk4HJbRNp/Eow=",
  "method": "2022-blake3-aes-256-gcm",
  "local_address": "127.0.0.1",
  "local_port": 10808
}

Enter the value of YOUR.SERVER.IP.ADDRESS and customize all other values.

Save the file. Make sure Notepad does not add an extra .txt at the end of the file name.

Open a command prompt window, and set sslocal.exe running with your configuration file:

cd Downloads\shadowsocks-v1.21.2.x86_64-pc-windows-msvc

sslocal.exe -c config.json

Leave the command prompt window open, with Shadowsocks-Rust running in it.

2.2. Service method

Running from the command line is fine for a quick test, but for regular use you will want your Shadowsocks-Rust client running continually. In this section, you are going to install Shadowsocks-Rust as a Windows service.

Open a browser. Visit https://visualstudio.microsoft.com/visual-cpp-build-tools. Follow the instructions to download and install Visual Studio C++ Build tools. Check the desktop workloads:

• Desktop development with C++
• .NET desktop build tools

Click Install. This is a large download and install. It will take a while to run.

Once you have Visual Studio C++ Build tools installed, you can install Rust for Windows. Visit https://www.rust-lang.org/tools/install. Follow the instructions to download rustup-init.exe for your platform (32-bit or 64-bit).

Run rustup-init.exe. When the command prompt window appears, enter 1 for a standard installation. At the end of the installation, press Enter to close the command prompt window.

Restart your computer.

Open a command prompt window. Issue the command:

echo %PATH%

The results should include your .cargo/bin.

Issue the command:

cargo --version

Example:

cargo 1.83.0

Make a new directory for Shadowsocks-Rust. For example:

mkdir C:\shadowsocks-rust

Open a browser and visit https://github.com/shadowsocks/shadowsocks-rust. Download the code .zip file, for example, shadowsocks-rust-master.zip.

Extract the .zip file, placing the resultant folder shadowsocks-rust-master inside the C:\shadowsocks-rust folder you created a moment ago.

In your command prompt window, change into the source code directory:

cd C:\shadowsocks-rust\shadowsocks-rust-master

Build the Windows binary, includin the sswinservice option that is not normally included in the release binaries:

cargo build --release --bin "sswinservice" --features "winservice"

The resultant executable, sswinservice.exe, is placed in C:\shadowsocks-rust\shadowsocks-rust-master\target\release.

Create a file config.json in C:\shadowsocks-rust. Use the following as a model:

{
  "server": "YOUR.SERVER.IP.ADDRESS",
  "server_port": 25765,
  "password": "f3JM0SpB0ToJbTZwWe0oG5OnTOrnl1Kk4HJbRNp/Eow=",
  "method": "2022-blake3-aes-256-gcm",
  "local_address": "127.0.0.1",
  "local_port": 10808
}

Enter the value of YOUR.SERVER.IP.ADDRESS and customize all other values.

Save the file. Make sure Notepad does not add an extra .txt at the end of the file name.

Now you are ready to install the Shadowsocks-Rust local client as a Windows Service. Open Windows PowerShell with Run as Administrator. Issue the New-Service cmdlet:

New-Service -Name "shadowsocks-local-service" -DisplayName "Shadowsocks Local Service" -BinaryPathName "C:\shadowsocks-rust\shadowsocks-rust-master\target\release\sswinservice.exe local -c C:\shadowsocks-rust\config.json"

Now open the Windows Services app.

Locate the row for Shadowsocks Local Service. Right-click on that row. Start the Shadowsocks Local Service.

Close the Services app.

3. Test Shadowsocks-Rust pre-proxy connection

At this stage, you can test your connection to the Shadowsocks-Rust server.

If you have not already done so, download and install the Firefox browser from https://www.mozilla.org.

From the Firefox hamburger menu select Settings > General > Network Settings > Settings.

Set Manual proxy configuration, SOCKS Host 127.0.0.1, Port 10808, SOCKS v5, Proxy DNS when using SOCKS v5.

Test you connectivity to the web in Firefox.

When you are done testing, set the Firefox Network Settings back to Use system proxy settings.

4. Install Tor Browser

If necessary in your environment, connect your Shadowsocks-Rust client to your Shadowsocks-Rust server before you try to reach the Tor Project web site.

Now open Firefox and visit https://www.torproject.org/download.

Download the Tor Browser installer for Windows.

Run the installer. The shortcut to Tor Browser ends up either on your desktop or in some other folder you specified during installation.

5. Configure Tor Browser to use pre-proxy

Do these steps with your Shadowsocks-Rust client running and connected to your Shadowsocks-Rust server.

1. In the folder you chose for Tor Browser during the installation, click the Tor Browser shortcut.
2. Click Configure connection.
3. Scroll down to where it says Advanced.
4. On the row where it says Configure how Tor Browser connects to the internet, click Settings.
5. Check the box for I use a proxy to connect to the internet.
6. In the drop-down box for Proxy type, select SOCKS5.
7. Fill in Address 127.0.0.1.
8. Fill in Port 10808.
9. Click OK.
10. Click Connect.

6. Test Tor Browser together with pre-proxy

To test your connectivity, follow the steps of the Standard testing procedure.