Introduction
Shadowsocks is a secure split-proxy protocol that encrypts traffic between a local SOCKS5 client and a remote server. The Rust implementation delivers memory-safe, high-throughput performance and supports the latest AEAD-2022 ciphers.
What Shadowsocks-rust Does
- Runs an encrypted SOCKS5 proxy with a lightweight protocol designed to resist traffic analysis
- Supports AEAD ciphers (AES-256-GCM, ChaCha20-Poly1305) and the newer AEAD-2022 specification
- Provides both client (sslocal) and server (ssserver) binaries in one package
- Handles TCP and UDP relay for full protocol coverage
- Supports multi-server configurations with automatic load balancing
Architecture Overview
The client listens locally as a SOCKS5 or HTTP proxy, encrypts outbound traffic with a symmetric cipher, and forwards it to the remote server over TCP or UDP. The server decrypts and forwards requests to their destination. The AEAD-2022 protocol adds replay protection and header encryption. The Rust async runtime (Tokio) handles thousands of concurrent connections efficiently.
Self-Hosting & Configuration
- Install via cargo, pre-built binaries, or Docker (ghcr.io/shadowsocks/ssserver-rust)
- Configuration via JSON file or command-line flags
- Server requires only a port, password, and cipher selection
- ACL (Access Control List) rules can bypass the proxy for specific destinations
- Supports SIP003 plugins like v2ray-plugin for traffic obfuscation over WebSocket/TLS
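A configuration check for the three server settings named above (port, password, cipher), written as an added example and not taken from the shadowsocks-rust project. The keys `server_port`, `method` and `password` are the usual shadowsocks JSON config keys; the function name, the 16-character passphrase threshold and the sample configs are this example's own.

```python
import base64
import json

# Method names and key sizes in bytes, per SIP004 (AEAD) and SIP022 (AEAD-2022).
AEAD_2022_KEY_LEN = {
    "2022-blake3-aes-128-gcm": 16,
    "2022-blake3-aes-256-gcm": 32,
    "2022-blake3-chacha20-poly1305": 32,
}
AEAD_METHODS = {"aes-128-gcm", "aes-256-gcm", "chacha20-ietf-poly1305"}


def lint_server_config(text):
    """Return a list of findings for a shadowsocks JSON config; empty means it passed."""
    cfg = json.loads(text)
    findings = []
    port = cfg.get("server_port")
    if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
        findings.append("server_port must be an integer in 1..65535")
    method = cfg.get("method")
    password = str(cfg.get("password") or "")
    if method in AEAD_2022_KEY_LEN:
        # AEAD-2022 takes a base64-encoded random key of exact length, not a passphrase.
        want = AEAD_2022_KEY_LEN[method]
        try:
            key = base64.b64decode(password, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            key = None
        if key is None or len(key) != want:
            findings.append(f"{method} needs a base64 key of exactly {want} bytes")
    elif method in AEAD_METHODS:
        # Legacy AEAD derives its key from the passphrase, so a short one is a weak key.
        if len(password) < 16:  # threshold is this example's assumption
            findings.append("passphrase shorter than 16 characters")
    else:
        findings.append(f"method {method!r} is not an AEAD or AEAD-2022 cipher")
    return findings


# Constructed sample configs. The key in GOOD is a predictable placeholder;
# a deployed key must come from a CSPRNG.
WEAK = '{"server_port": 8388, "method": "aes-256-cfb", "password": "hunter2"}'
BAD_KEY = '{"server_port": 8388, "method": "2022-blake3-aes-256-gcm", "password": "hunter2"}'
GOOD = json.dumps({"server_port": 8388, "method": "2022-blake3-aes-256-gcm",
                   "password": base64.b64encode(bytes(range(32))).decode()})

if __name__ == "__main__":
    print([lint_server_config(s) for s in (WEAK, BAD_KEY, GOOD)])
```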
Key Features
- AEAD-2022 cipher support with per-session subkeys and replay protection
- Multi-server load balancing with latency-based selection
- UDP relay support including UDP-over-TCP for restricted networks
- Plugin system (SIP003/SIP003u) for transport obfuscation
- DNS resolution over the tunnel to prevent DNS leaks
Comparison with Similar Tools
- V2Ray/Xray — multi-protocol proxy with more transport options; Shadowsocks-rust is simpler and lighter
- Trojan — TLS-based proxy mimicking HTTPS traffic; Shadowsocks uses its own lighter protocol
- WireGuard — full VPN tunneling all system traffic; Shadowsocks is a per-application SOCKS5 proxy
- TUIC — QUIC-based proxy for lower latency; Shadowsocks-rust supports TCP and UDP but not QUIC natively
- Original Python/Go Shadowsocks — functional but slower; the Rust version offers better throughput and memory safety
FAQ
Q: Is Shadowsocks a VPN?
A: No. It is a SOCKS5 proxy that encrypts traffic per-application. Use it with a system-wide proxy setting or tools like proxychains to route all traffic through it.
Q: What cipher should I use?
A: 2022-blake3-aes-256-gcm for the latest spec with replay protection, or aes-256-gcm for maximum client compatibility.
Q: Can I run both client and server on the same machine for testing?
A: Yes. Point sslocal at 127.0.0.1 where ssserver listens. This is useful for validating configurations before deploying to a remote server.
Q: How does Shadowsocks compare to a commercial VPN?
A: Shadowsocks gives you full control over the server and protocol, with no logging by third parties. It requires you to provision and maintain your own server.