Since the inception of the Great Firewall of China (GFW), people there have needed to bypass that restriction in order to access many of the Internets' most popular sites and apps.

VPNs are commonly used to access blocked content and services, however, in 2012, for a variety of reasons, a developer created Shadowsocks (SS) to circumvent Internet censorship and subsequently shared it on GitHub. SS became very popular very quickly among the affected netizens.

What's a VPN?

A VPN unblocks websites, by building a private network to transfer data at the network layer. A VPN or virtual private network, encrypts your communication online and internet access is provided by this private network. Communication between you and the VPN can also be encrypted depending on which system you choose

Where does SS come in?

SS was created to help get past the GFW. The developer felt it would be good to unblock websites on a fast internet connection whilst being difficult to detect.

ShadowsocksR (SSR) followed in 2015 when another developer determined that SS was now too easily detected by the GFW.

Subsequently, since SSR had been forked and shared by numerous people  it has developed into a number of newer iterations. SSRR would be one well known example.

How does SS work?

SS and SSR both work in basically the same way in that they are proxies based on SOCKS5. SOCKS proxies transfer data packets regardless of the transfer protocol, making them faster than other application layer proxies. SOCKS5 proxies pass data requests through a connection to the  proxy server which, in turn, forwards it to the desired destination. The data request doesn't pass through a dedicated tunnel or require nor  receive any additional processing during this process.

So if  you wish to check your Gmail, you send a request to a server in X via a SOCKS5 connection which in turn, upon receiving the request, will visit Google and return the result of the request directly to you.

SS was designed to bypass a specific geographical restriction. It is based on the SOCKS5 proxy and as a result, it has some features specifically designed to help it over the GFW.

There is no established private tunnel between client and server, all communication with the actual server is via the proxy server and all data is transferred through  there.

What are the principal differences between a VPN and SS

Utilising a VPN service requires connection to a private network. All traffic travels via this private network to it's destination. During this process, the user's IP address becomes the address designated by the VPN. Users can mask their IP addresses with those of the VPN servers and appear to be in a different location.

SS is good at disguising traffic as normal HTTP / SOCKS type traffic making it difficult to detect, whilst VPNs can be more easily identified and blocked. However, SS is only capable of redirecting traffic but a VPN encrypts the traffic and, thereby, enhances security.

SS allow users to decide which traffic goes through the proxy server by means of three different modes of operation:

  • Direct connection mode doesn't redirect your traffic through the proxy server.
  • PAC mode puts traffic through a proxy server when accessing websites blocked by the GFW.
  • Global mode reroutes all traffic through the proxy server.

Whereas with a VPN, all traffic has to be routed through that network.

Additionally, SOCKS5, for instance, does not require a handshake other than a Transmission Control Protocol (TCP) connection. Each request forwards one connection and doesn't require a connection all the times, so it is relatively fast and uses less power, a handy feature for those on battery-driven or mobile devices.

Finally, SS is open source and so is constantly evolving.

In conclusion.......

SS/SSR are a solid choice for anyone wanting to avoid Internet censorship. The cost is relatively low by comparison with VPNs.

SS Case Study

Outline is a suite of open source software developed for journalists to allow them to safely access their networks and the internet while traveling in territories where their activities may be monitored.

The Outline platform is ideal for a wide range of users, especially those who are less technically inclined and who may have little understanding of how VPNs or proxies work.

Outline consists of two parts, Manager and Clients.

The Outline Manager is a tool you can use to setup remote Outline Servers on your own devices.

The Outline Clients connects to the Outline Servers you have configured in order to keep your traffic secure.

Technically, Outline is not a VPN but uses an open source SOCKS5 proxy called Shadowsocks which protects your Internet traffic.

That stated, Outline client applications make use of the VPN capabilities of your OS to send your traffic through your Outline Server but without the requirement to re-configure every application to use the proxy so for many users there is little difference between using a regular VPN and the Outline server.

Shadowsocks has the benefit of being lighter than Open VPN and is better suited for use on mobile devices as it doesn't require a constant connection. It has existed since 2012 and it is widely used in countries where censorship resistant functionality is required or desirable. It is difficult t  impossible to detect and block Shadowsocks traffic automatically.

Outline  & Shadowsocks cannot provide the same degree of anonymity as  projects like Tor. The principal purpose for Outline is to keep traffic hidden from malicious ISPs and national mass surveillance. It's a good solution for protecting your data on public networks, but if you need to stay hidden there are more effective solutions available.

Outline has been developed by Jigsaw, which is a subsidiary of Alphabet Inc.  i.e. Google! Neither Jigsaw nor Google can see your internet traffic when using Outline because you will be installing the Outline Server on your device, not Google's.

Outline is completely open source and was audited in 2017 by Radically Open Security and in 2018 by Cure53, and both security firms supported Jigsaw's security claims. For more information on the data Jigsaw is able to collect when using  Outline, see their article on data collection.

A brief guide to deploying Outline / Shadowsocks

Prerequisites

All you need is a computer running Windows, macOS or Linux plus some basic computer skills such as How to SSH in to your server.

Step 1 — Download & Install Outline Manager

Outline allows you to setup and configure your servers from an easy-to-use management console on Outline Manager, which can be downloaded from getoutline.org.

Step 2 — Choose a Server Provider

Outline  has the ability to create servers on three different providers automatically: DigitalOcean, Google Cloud, and Amazon Web Services.

However,  keep in mind that the server provider you choose—like any VPN provider—will have the technical ability to read your internet traffic.  This is much less likely to happen when using a cloud provider versus a  commercial VPN, which is why we recommend self-hosting.

Additionally, keep in mind that many US-based cloud providers block all network traffic to and from countries sanctioned by the United States, including AWS and Google Cloud. Users in those countries may need to find a European based hosting provider .

Step 3 — Configure Your Server

First, update our system and install curl.

Connect to your server via SSH and enter the following commands:

sudo apt update
sudo apt upgrade
sudo apt install curl

Next open Outline Manager on your local machine and you should be  given 4 options to configure a server. Select the "Set Up" button under  the "Advanced, Set up Outline anywhere" option.

Step 4 — Connect Your Devices

Download the Outline app onto the device to which you want to connect.
Outline has applications for the following operating systems:

You should be able to use any Shadowsocks client, including alternative clients for each operating system and a client for OpenWRT routers.
In Outline Manager, select your server in the sidebar and follow the directions from there to connect the devices as well as manage the configuration Shadowsocks client needing to add your server!
Once added, press 'connect' and all your traffic will be proxied through  your server. This connection can be used to keep your traffic safe when you're on public WiFi networks and keep your browsing hidden from your  ISP.Closing comments.........

Do not share your access key, if wish  to grant other users access, click "Add a new key" in Outline Manager  and produce their own unique key. Don't send keys over unencrypted  channels, look to use Signal, Riot, or Threema if you don't already have a secure messaging app.

With Outline, there is no need to worry about the security of your server, everything will automatically update with no intervention required. Also note that the port on your Outline server is randomly generated. This is to ensure that it cannot be blocked by national/ISP level censors, however, the VPN may not function on networks that only allow access to  port 80/443 or on servers that only allow traffic on specific ports. If  this is the case, you may require a more technical solution.