
Private Virtual Network VPN (1): Setting Up a VPN with Shadowsocks on a Cloud Server

Set up a Shadowsocks service on a cloud server for secure internet access

Motivation

Due to copyright issues, many video and music resources are unavailable abroad. Therefore, I wanted to set up a VPN to access these resources from abroad. I rented a server from a cloud service provider in China and set up a Shadowsocks service on it to achieve this goal. I encountered several problems during this process, and I am documenting how I solved them.

This article is the first in the “Private Virtual Network VPN” series, and subsequent articles will introduce the basic concepts of VPNs and how to use Tailscale to set up a private virtual network. The other articles in this series are as follows:

Prerequisites

  • A cloud server located in China

Installing Shadowsocks

The process of installing Shadowsocks mainly refers to this article: Shadowsocks Tutorial for Beginners. However, following the steps in this article, I failed many times because there are many pitfalls in this article. Here, I mainly record how I solved these problems.

Cloud Server Network

The tutorial for installing Shadowsocks above requires downloading some resources located on GitHub. However, due to well-known reasons, GitHub is inaccessible in China. Therefore, we need to solve this problem first. That is, if we want to bypass the Great Firewall and access resources in China from abroad, we need to allow the cloud server in China to access the internet.

If it were an ordinary computer in China, we could just use some common VPN software. But our cloud server runs in command-line mode, so we need to bypass the firewall in the command line. There are two solutions here:

Solution 1: Use SSH Proxy

First of all, since we are already abroad, we don’t need to buy a VPN specifically for our cloud server in China; we just need to use our computer abroad.

  1. SSH from the computer abroad (hereinafter referred to as “computer”) to the cloud server in China (hereinafter referred to as “cloud server”):

    ssh username@cloud_server_ip

  2. SSH from the cloud server to the computer with dynamic port forwarding (-D), which opens a local SOCKS proxy on the chosen port (the port number can be any number from 1 to 65535; here I chose 11111):

    ssh -D 11111 username@foreign_computer_ip

  3. Set the network proxy for the cloud server, with the proxy port set to 11111:

    export ALL_PROXY=socks5://127.0.0.1:11111

    This way, requests from programs in this shell session that honor ALL_PROXY are sent to port 11111 and then tunneled through SSH to the computer. This allows the cloud server to access foreign networks through the computer’s network, effectively bypassing the firewall.

  4. Check the IP address of the cloud server at this time:

    curl ipinfo.io

    If the displayed IP address is the computer’s IP address, then we have succeeded.

Then follow the steps in the tutorial above to install Shadowsocks, but I found that there were still problems. The problem seems to be that the script for installing Shadowsocks in the tutorial uses wget to download some files, but wget does not seem to go through the proxy we set, so it still prompts a connection timeout. However, curl can go through our proxy network, so we can replace all wget requests in the script with curl requests, which can solve this problem.

Solution 2: Download Locally and Upload to Cloud Server

The above solution is relatively complex to set up and may encounter various issues. In fact, I may not frequently use the cloud server to connect to foreign networks in the future. If it is just for this one-time need, I can completely download the required files in advance and then upload them to the cloud server.

Using this solution means we cannot use the single command from the tutorial above; we need to split this command:

  1. Download the Shadowsocks installation script on the computer:

    wget --no-check-certificate -O shadowsocks-all.sh https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocks-all.sh

  2. Upload the script to the cloud server:

    scp shadowsocks-all.sh root@cloud_server_ip:/root

  3. Install Shadowsocks on the cloud server:

    bash shadowsocks-all.sh 2>&1 | tee shadowsocks-all.log

    It is important to note that running this installation script now will still fail for two reasons:

    • Unable to connect to GitHub to download some files
    • Unable to find the installation package for Python

Python Version

The installation script above requires python (Python 2), but the apt sources in Ubuntu 22 have no package named python; the Python version must be specified explicitly, as python2 or python3.

Therefore, two things need to be done here:

  1. Change python in apt_depends in the script to python2, and python-dev to python2-dev
  2. Create a symbolic link in the /usr/bin directory to point python to python2:

    ln -s /usr/bin/python2 /usr/bin/python

Then follow the installation steps in the tutorial above. The version of Shadowsocks I chose to install is Shadowsocks-Python.
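
The script is uploaded by hand and then edited before it runs as root, so it helps to pin it to the copy reviewed on the computer and to make the apt_depends edit mechanical. The following is an added example, not part of the tutorial or the installer project; the function names are hypothetical, and it assumes GNU sed and sha256sum and that apt_depends is a bash array of space-separated package names.

```shell
#!/usr/bin/env bash
# Added example: verify the uploaded installer, then apply the python2 edit.
# Assumption: apt_depends=( ... ) holds space-separated package names.

# Print the SHA-256 of a file. Run this on the computer after reviewing the script.
digest_of() { sha256sum "$1" | cut -d' ' -f1; }

# Succeed only if FILE still has the digest recorded before the scp upload.
verify_digest() {
    local file=$1 expected=$2
    [ -f "$file" ] && [ "$(digest_of "$file")" = "$expected" ]
}

# Rewrite only the exact tokens python / python-dev inside apt_depends=( ... ).
# python-setuptools, python3 and every line outside the array stay untouched.
patch_apt_depends() {
    local file=$1
    local sub='s/(^|[[:space:](])python(-dev)?([[:space:])]|$)/\1python2\2\3/g'
    # The substitution runs twice because adjacent tokens share one delimiter.
    # First expression: array written on one line; second: multi-line array.
    sed -E -i.orig \
        -e "/apt_depends=\(.*\)/{$sub;$sub;}" \
        -e "/apt_depends=\([^)]*\$/,/\)/{$sub;$sub;}" "$file"
}

# Verify first, patch second; an unverified file is never modified.
prepare_installer() {
    local file=$1 expected=$2
    verify_digest "$file" "$expected" || {
        echo "digest mismatch, not touching: $file" >&2
        return 1
    }
    patch_apt_depends "$file"
    # Show exactly what changed relative to the verified copy (kept as .orig).
    diff -u "$file.orig" "$file" || true
    return 0
}

# Usage on the cloud server, with EXPECTED set to the digest printed on the computer:
#   prepare_installer /root/shadowsocks-all.sh "$EXPECTED" && bash /root/shadowsocks-all.sh
```

The digest only proves that the file on the cloud server is the same one that was reviewed on the computer; it does not replace reading the script before running it as root.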

Complete Shadowsocks Installation

Confirm Shadowsocks is Running Normally

After the installation is complete, we can use the following command to check the running status of Shadowsocks:

    /etc/init.d/shadowsocks status

If the displayed message is Shadowsocks (pid xxxxx) is running..., then it means Shadowsocks is running normally.

Open Firewall Ports on Cloud Server

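The Shadowsocks port (default is 8388) must be opened in the firewall of the cloud server; otherwise, you will not be able to connect to the Shadowsocks service. If ufw was inactive until now, make sure the port used by your SSH session is also allowed before enabling it, since ufw denies other incoming connections by default. Run the following commands: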

    ufw allow 8388
    ufw enable

Then check the status of the firewall:

    ufw status

If the displayed message is Status: active, and the port used by Shadowsocks is in the ALLOW state, then the port has been opened in the firewall.

Enable Port in Cloud Server Management Interface

For many cloud servers, it is not enough to just open the firewall in the command line; you also need to enable the port in the cloud server’s management interface. Find the Security Group in the management interface, and then add an inbound rule: set the port to the one used by Shadowsocks (default is 8388), set the protocol to TCP, and set the source address to 0.0.0.0/0 (any IPv4 source).

Use Shadowsocks to Bypass Restrictions

Download the Shadowsocks client, and then configure the Shadowsocks client. Set the server address to the IP address of the cloud server, set the port to the one used by Shadowsocks (default is 8388), set the password to the password of the Shadowsocks service, and ensure that the encryption method is consistent with that of the Shadowsocks server.

If the previous settings are all normal, you can now connect to the domestic network.

Licensed under CC BY-NC-SA 4.0
Last updated on Jul 18, 2025 00:00 UTC