Install and Configure Shadowsocks-libev Proxy Server on Ubuntu 24.04
This article will teach you how to install and configure Shadowsocks-libev on Ubuntu 24.04 and review the security tips and required optimizations.

In this article, you will learn how to install and configure Shadowsocks-libev on Ubuntu 24.04. This guide includes security and optimization tips so you can set up a secure and efficient proxy.

How to set up a low-latency, secure, and lightweight proxy on Ubuntu 24.04?

This step-by-step guide is written for server administrators, developers, network administrators, and users who need a lightweight, low-latency, and secure proxy. Shadowsocks-libev is a lightweight and fast implementation of the Shadowsocks protocol, designed to bypass filtering and create a secure proxy tunnel.

The following explains installation on Ubuntu 24.04, proper configuration (including AEAD), firewall setup, network optimization (BBR, TCP Fast Open), and security and practical tips for use in trading, gaming, and web services. It also mentions services including 85+ global locations, trading-specific VPS, and anti-DDoS servers to make choosing a location and plan easier.

Prerequisites and location selection

Prerequisites:

  • An Ubuntu 24.04 server with root access or a user with sudo.
  • Open port (e.g. 8388) and firewall access.
  • Choose the right location: For the lowest ping in gaming or trading, choose a location close to the destination server (e.g. Frankfurt, London, Singapore, Tokyo, New York).
  • If you are concerned about DDoS attacks, use anti-DDoS servers or CDN/BGP services.

Installing Shadowsocks-libev on Ubuntu 24.04

The fast and stable method using the official apt package is suitable for the majority of users. If you need the latest features or new plugins, you can use GitHub packages or PPAs, but for most cases apt will suffice.

Quick method (from the official apt package)

sudo apt update && sudo apt install -y shadowsocks-libev

To confirm installation:

ss-server --version

Create a basic configuration file

Default config file: /etc/shadowsocks-libev/config.json

{
  "server":"0.0.0.0",
  "server_port":8388,
  "password":"VeryStrongPasswordHere!",
  "method":"chacha20-ietf-poly1305",
  "mode":"tcp_and_udp",
  "timeout":300,
  "fast_open":true
}

Key points:

  • method: Use an AEAD method such as chacha20-ietf-poly1305 or aes-256-gcm; these are safer and more effective.
  • mode: Set the value to "tcp_and_udp" if you need UDP forwarding (for gaming or VoIP).
  • fast_open: Enable it only if the kernel supports TCP Fast Open and the corresponding sysctl is configured appropriately.

The config file stores the password in plain text, so restrict its ownership and permissions, then restart the service and check its log to confirm it can still read the file:

sudo chown root:root /etc/shadowsocks-libev/config.json
sudo chmod 600 /etc/shadowsocks-libev/config.json
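
The key points above can be checked mechanically. This Python audit is an added example, not part of the original guide or the Shadowsocks project; the 16-character minimum, the function names and the two sample configs are assumptions constructed here.

```python
import json
import os
import stat
import tempfile

# AEAD methods accepted by shadowsocks-libev; everything else is a legacy stream cipher.
AEAD_METHODS = {"chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
                "aes-128-gcm", "aes-192-gcm", "aes-256-gcm"}
MIN_PASSWORD_LEN = 16  # assumption: local policy, not a Shadowsocks requirement


def audit_config(path, tcp_fastopen=None):
    """Return findings for one config; tcp_fastopen is the net.ipv4.tcp_fastopen value."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o}: password readable beyond the owner")
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    if cfg.get("method") not in AEAD_METHODS:
        findings.append(f"method {cfg.get('method')!r} is not an AEAD cipher")
    password = cfg.get("password", "")
    if len(password) < MIN_PASSWORD_LEN or password == "VeryStrongPasswordHere!":
        findings.append("password is short or still the tutorial placeholder")
    # Server-side TCP Fast Open needs bit 0x2 of the sysctl (value 2 or 3).
    if cfg.get("fast_open") and tcp_fastopen is not None and not tcp_fastopen & 2:
        findings.append("fast_open is true but the sysctl lacks the server bit")
    return findings


def audit_sample(cfg, mode, tcp_fastopen):
    """Write a constructed config to a temp file, audit it, then delete it."""
    fd, path = tempfile.mkstemp(suffix=".json")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(cfg, fh)
        os.chmod(path, mode)
        return audit_config(path, tcp_fastopen)
    finally:
        os.remove(path)


# Constructed samples: a weak config and one that follows the key points above.
WEAK = {"server": "0.0.0.0", "server_port": 8388, "method": "rc4-md5",
        "password": "VeryStrongPasswordHere!", "fast_open": True}
HARDENED = dict(WEAK, method="chacha20-ietf-poly1305", password="constructed-sample-0123456789")

if __name__ == "__main__":
    print("weak:", audit_sample(WEAK, 0o644, 1))
    print("hardened:", audit_sample(HARDENED, 0o600, 3))
```

On a real server, call audit_config on /etc/shadowsocks-libev/config.json and pass the integer read from /proc/sys/net/ipv4/tcp_fastopen.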

Starting and managing systemd services

You can run the default service, or use an instance name to run multiple configs/ports.

A) Using the default file

sudo systemctl enable --now shadowsocks-libev
sudo systemctl status shadowsocks-libev

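B) Using an instance (for multiple configurations/ports)

If you save the file as /etc/shadowsocks-libev/config-server1.json:

# The Ubuntu package's template unit for ss-server is shadowsocks-libev-server@.service;
# the instance name is the config file name without .json.
sudo systemctl enable --now shadowsocks-libev-server@config-server1
sudo systemctl status shadowsocks-libev-server@config-server1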

View log:

sudo journalctl -u shadowsocks-libev -f
sudo journalctl -u shadowsocks-libev-server@config-server1 -f

Configuring firewall and network rules

UFW (simple)

sudo ufw allow 22/tcp                # SSH
sudo ufw allow 8388/tcp
sudo ufw allow 8388/udp
sudo ufw enable
sudo ufw status

iptables (example of limiting connections for security)

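# rate limiting to mitigate brute-force: count only NEW connections per source IP
# and evaluate the limit before the ACCEPT rule, otherwise it never takes effect
sudo iptables -I INPUT 1 -p tcp --dport 8388 -m conntrack --ctstate NEW -m recent --name ss --set
sudo iptables -I INPUT 2 -p tcp --dport 8388 -m conntrack --ctstate NEW -m recent --name ss --update --seconds 10 --hitcount 20 -j DROP

# accept whatever passed the rate limit
sudo iptables -I INPUT 3 -p tcp --dport 8388 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -I INPUT 4 -p udp --dport 8388 -j ACCEPT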

To save rules:

sudo apt install -y iptables-persistent
sudo netfilter-persistent save

Network and performance optimization (BBR, TCP Fast Open, sysctl)

To reduce latency and increase throughput, it is recommended to enable BBR and some sysctl settings.

Enabling BBR and recommended settings

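# Use a dedicated drop-in (file name chosen here): on Ubuntu, /etc/sysctl.d/99-sysctl.conf
# is normally a symlink to /etc/sysctl.conf, and tee would overwrite that file.
sudo tee /etc/sysctl.d/99-shadowsocks.conf <<EOF
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
# 3 = TCP Fast Open enabled for both client (1) and server (2) sockets
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_syncookies = 1
net.core.somaxconn = 4096
net.core.netdev_max_backlog = 5000
# only needed when this host routes other machines' traffic (e.g. an ss-redir gateway)
net.ipv4.ip_forward = 1
EOF
sudo sysctl --system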

To confirm:

sysctl net.ipv4.tcp_congestion_control
ss -tin | grep bbr

Clients and connectivity testing

Simple test with curl (after running ss-local on port 1080)

On the client side:

# -k puts the password in the process list; a client config file passed with -c avoids that
ss-local -s SERVER_IP -p 8388 -l 1080 -k "VeryStrongPasswordHere!" -m chacha20-ietf-poly1305 &
curl --socks5-hostname 127.0.0.1:1080 https://api.ipify.org

If the returned IP is the server IP, the connection is successful.

Common clients

  • Windows: Shadowsocks-Windows or V2RayN
  • macOS: ShadowsocksX-NG
  • Android: Shadowsocks (F-Droid or PlayStore)
  • Linux: ss-local/ss-redir from the shadowsocks-libev package, or GUIs like Outline

UDP forwarding (for gaming or VoIP) requires UDP support on both sides and the setting "mode":"tcp_and_udp".

Practical security and user management

  • Strong password: Use unique and strong passwords and choose AEAD methods.
  • Log monitoring: Use journalctl or monitoring tools.
  • IP access restriction: Allow only specific IPs in the firewall (e.g., the broker's IP for VPS trading).

Using fail2ban

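The jail below refers to a filter named shadowsocks, so a matching filter file (/etc/fail2ban/filter.d/shadowsocks.conf) with a failregex for the ss-server log lines must also exist; the jail will not start without it.

sudo tee /etc/fail2ban/jail.d/shadowsocks.conf <<EOF
[shadowsocks]
enabled = true
filter = shadowsocks
port = 8388
logpath = /var/log/syslog
maxretry = 5
bantime = 3600
EOF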
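
To see what maxretry = 5 means in practice, this added Python example (not from the original guide or from fail2ban) counts failed handshakes per source over constructed log lines. It assumes ss-server logs a rejected client as "failed to handshake with <ip>: authentication error", ISO 8601 syslog timestamps, and fail2ban's default findtime of 600 seconds; confirm the message format in your own journal before turning the pattern into a failregex.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ss-server message format; confirm against your own journal output.
FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ ss-server\[\d+\]: .*ERROR: failed to handshake with "
    r"(?P<ip>[0-9A-Fa-f.:]+): authentication error\s*$"
)


def would_ban(lines, maxretry=5, findtime=600):
    """Map each source IP to the time its maxretry-th failure landed inside findtime."""
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        ts = datetime.fromisoformat(m["ts"])
        # keep only this source's failures that are still inside the window
        window = [t for t in recent[m["ip"]] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[m["ip"]] = window
        if len(window) >= maxretry:
            banned[m["ip"]] = ts
    return banned


def sample_line(ts, ip):
    """Build one constructed syslog line in the assumed format."""
    return f"{ts} vps ss-server[812]: ERROR: failed to handshake with {ip}: authentication error"


# Constructed sample log: one burst, one slow source, one unrelated line.
SAMPLE_LOG = sorted(
    [sample_line(f"2024-06-01T10:00:{s:02d}+00:00", "203.0.113.7") for s in (1, 9, 17, 25, 33)]
    + [sample_line(f"2024-06-01T10:{m:02d}:00+00:00", "198.51.100.20") for m in (0, 12, 24, 36, 48)]
    + ["2024-06-01T10:01:00+00:00 vps sshd[77]: Accepted publickey for admin"]
)

if __name__ == "__main__":
    for ip, when in would_ban(SAMPLE_LOG).items():
        print(f"{ip} reaches maxretry at {when.isoformat()}")
```

The slow source (one failure every 12 minutes) is never banned with the default window, which shows why findtime matters as much as maxretry when tuning the jail.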

Advanced scenarios: multiple ports, transparent proxy, and plugins

Multiple services and ports

Use multiple config files and systemd instances to provide multiple accounts/ports:

/etc/shadowsocks-libev/config-user1.json
/etc/shadowsocks-libev/config-user2.json

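# ss-server instances use the package's shadowsocks-libev-server@.service template unit
sudo systemctl enable --now shadowsocks-libev-server@config-user1
sudo systemctl enable --now shadowsocks-libev-server@config-user2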

Transparent proxy with ss-redir

Example for redirecting traffic to internal servers:

ss-redir -c /etc/shadowsocks-libev/redir-config.json &

sudo iptables -t nat -N SHADOWSOCKS
sudo iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS
sudo iptables -t nat -A SHADOWSOCKS -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 12345

(Port 12345 is the ss-redir port)

Using plugins (v2ray-plugin or obfs)

To bypass DPI and packet detection, use plugins like v2ray-plugin. Example options in the config:

{
  "plugin":"v2ray-plugin",
  "plugin_opts":"server;tls;host=example.com;path=/ws"
}

Maintenance, monitoring and scalability

Use monitoring tools like Prometheus + Grafana, or the simpler netdata, for monitoring.

To check consumption: top, htop, iftop, nload.

If the load increases, use a cloud server with autoscaling or Load Balancer, or choose servers with strong packet forwarding and BGP network plans.

Final tips related to services and location selection

Having 85+ global locations allows for server placement closest to the trading destination, game server, or end users to achieve the lowest ping and the least instability.

For trading with low ping requirements, locations such as Frankfurt, London, New York, and Singapore are suitable. Services including dedicated VPS for trading with optimized ping and Anti-DDoS servers are also available.

For large data transfers (e.g. in AI processing or rendering), you will need high bandwidth; GPU services can be combined with a proxy solution, but consider bandwidth.
