How to Set Up a Shadowsocks Proxy Server: Complete Guide for 2026
Shadowsocks is one of the fastest, most lightweight encrypted proxy protocols available - and setting it up no longer requires renting a VPS, opening firewall ports, or configuring a remote Linux server. This guide covers everything: what Shadowsocks is and how it differs from a VPN, how to create a Shadowsocks proxy in the Localtonet dashboard in under two minutes, how to connect from any device using Outline Client or any compatible Shadowsocks app, and how to troubleshoot the most common connection problems. Works on Windows, macOS, Linux, Android, and iOS.
What Is Shadowsocks?
Shadowsocks is an open-source encrypted proxy protocol based on SOCKS5. It was created in 2012 by a Chinese programmer known as "clowwindy" with a single purpose: bypassing censorship in a way that was lightweight, fast, and extremely difficult for firewalls to detect. Unlike a VPN, Shadowsocks does not create a virtual network interface that routes all of your device's traffic through a remote server. Instead, it acts as a selective proxy - you can configure specific applications or traffic to pass through it while leaving everything else untouched.
The protocol disguises your traffic to look like ordinary HTTPS traffic, which makes it much harder for Deep Packet Inspection (DPI) tools to identify and block it. Modern Shadowsocks implementations use AEAD (Authenticated Encryption with Associated Data) ciphers like ChaCha20-Poly1305 and AES-256-GCM for strong, low-overhead encryption between your device and the proxy server.
Today, Shadowsocks is actively maintained by a global community of contributors, with implementations in Rust (shadowsocks-rust), C (shadowsocks-libev), and more. It remains one of the most widely used privacy tools worldwide.
Shadowsocks vs VPN: What Is the Difference?
People often confuse Shadowsocks with a VPN because both can route traffic through a remote server and help access restricted content. They are fundamentally different tools designed for different purposes.
| Feature | Shadowsocks | VPN |
|---|---|---|
| What it encrypts | Traffic between your device and the proxy server only | All traffic from device to VPN server, end-to-end |
| Traffic scope | Selective - only apps you configure use the proxy | Global - all device traffic routed through the tunnel by default |
| Speed | Very fast - lightweight encryption, low overhead | Slower - heavier encryption and full traffic routing |
| Detection resistance | High - traffic looks like standard HTTPS to firewalls | Lower - VPN traffic patterns are often identifiable by DPI |
| IP anonymity | Partial - only for proxied traffic | Full - hides your IP for all traffic |
| UDP support | Yes (with compatible implementations) | Yes (most modern VPN protocols) |
| Best use case | Bypassing censorship, app-level proxying, developer testing, encrypted tunnel without overhead | Full device privacy, torrenting, public Wi-Fi protection, streaming |
| Setup complexity | Simple - one URL to share with clients | Variable - requires server setup or subscription |
Use Shadowsocks when you need a fast, lightweight encrypted proxy for specific apps or when you are in a network environment where standard VPN protocols are blocked or throttled. Use a VPN when you need full-device encryption, complete IP anonymity, or protection on public Wi-Fi for all your applications at once. Both can be used at the same time - some VPN providers even offer Shadowsocks as a built-in protocol option.
Why Use Localtonet for Shadowsocks?
Traditionally, setting up a Shadowsocks server meant renting a VPS, SSHing into a Linux machine, installing shadowsocks-libev or shadowsocks-rust, configuring JSON files, opening firewall ports, and troubleshooting connection issues. That is a reasonable workflow for experienced sysadmins but a significant barrier for developers, privacy-conscious users, and anyone who just wants an encrypted proxy without managing remote infrastructure.
Localtonet handles the server side entirely. You create a Shadowsocks proxy in the dashboard, click Start, and Localtonet gives you a ready-to-use ss:// connection URL. There is no VPS to rent, no SSH session, no JSON configuration files, and no firewall rules to manage. The proxy is backed by Localtonet's infrastructure and reachable from any network on any supported platform.
What You Need Before Starting
Setting up a Shadowsocks proxy with Localtonet requires almost nothing compared to a self-hosted setup:
Step 1: Create a Shadowsocks Proxy in the Localtonet Dashboard
Open the Proxy Server page
Log in to your Localtonet account and navigate to Proxy Server in the left sidebar. This is where all proxy types - including Shadowsocks - are created and managed.
Select SHADOWSOCKS as the Proxy Type
From the Proxy Type dropdown menu, choose SHADOWSOCKS. Localtonet will automatically configure the cipher and generate a secure random password for the proxy.
Create and start the proxy
Click Create Proxy, then click Start to activate the tunnel. The proxy will be assigned a public address and port on Localtonet's infrastructure.
Copy your connection URL
Localtonet generates a Shadowsocks access URL in the standard ss:// format. It looks like this:
ss://Y2hhY2hhMjAtaWV0Zi1wb2x5MTMwNTp4ZkcwcUxCZ25i@7vura1ftm.localto.net:3442
This URL encodes everything the client needs: the cipher (ChaCha20-Poly1305), the password, the server address, and the port. You do not need to enter these fields manually - just paste the full URL into your client app.
The ss:// URL functions like a password. Anyone who has it can use your proxy. Do not post it publicly, share it in public chats, or commit it to a public repository. If it is ever leaked or shared unintentionally, delete the proxy in the Localtonet dashboard and create a new one - the old URL will stop working immediately.
Step 2: Install Outline Client
Outline Client is the recommended way to connect to your Shadowsocks proxy. It is developed by Jigsaw (a Google subsidiary), fully open-source, and available on every major platform. It accepts the standard ss:// URL format, which means it works directly with the URL Localtonet generates - no additional configuration needed.
| Platform | Download | Notes |
|---|---|---|
| Windows | getoutline.org → Download for Windows | Installs as a desktop app. Encrypts all traffic from the device when connected (since v1.2). |
| macOS | Mac App Store or getoutline.org | Works on Intel and Apple Silicon (M1/M2/M3/M4). Requires macOS 10.14 or later. |
| Linux | getoutline.org → Download for Linux (.AppImage) | Run the AppImage directly - no installation required. Works on Ubuntu, Debian, Fedora, and most major distros. |
| Android | Google Play Store → search "Outline" | Works on Android 5.0 and later. Available for tablets and phones. |
| iOS | App Store → search "Outline" | Works on iPhone and iPad (iOS 11 or later). Developed by Jigsaw Operations LLC. |
| ChromeOS | Google Play Store (Outline for Android) | Install the Android version via Play Store on supported Chromebooks. |
Step 3: Connect to Your Proxy
Once Outline Client is installed, connecting takes about 30 seconds regardless of which platform you are on.
Open Outline Client and add a server
On the main screen, tap or click Add Server (or the + button depending on version). You will see a text field labelled "Paste your access key."
Paste the ss:// URL from Localtonet
Paste the full connection URL you copied from the Localtonet dashboard. Outline will automatically decode it and display the server name and region.
ss://Y2hhY2hhMjAtaWV0Zi1wb2x5MTMwNTp4ZkcwcUxCZ25i@7vura1ftm.localto.net:3442
Tap Connect
Click or tap Connect. Outline will establish the Shadowsocks tunnel. On mobile devices you may be asked to allow a VPN configuration - this is normal and required for the proxy to route traffic system-wide.
Verify the connection
Outline shows a green connected indicator when the tunnel is active. You can verify the proxy is working by visiting whatismyip.com - your displayed IP address should be Localtonet's server address rather than your home IP.
Alternative Shadowsocks Clients
While Outline Client is the easiest option, the standard ss:// URL format is supported by many other Shadowsocks clients. Use these if you need more control over routing, PAC mode, or per-app proxy settings.
| Client | Platform | Best for |
|---|---|---|
| Outline Client | Windows, macOS, Linux, Android, iOS, ChromeOS | Easiest setup. Paste the URL and connect. Recommended for most users. |
| shadowsocks-windows | Windows | Advanced users who need PAC mode (proxy only specific sites), system proxy toggle, or per-connection QR codes. |
| ShadowsocksX-NG | macOS | Native macOS menu bar app with PAC mode, global mode, and rule-based routing. |
| shadowsocks-android | Android | More granular routing control and per-app proxy rules compared to Outline. |
| Potatso / Shadowrocket | iOS | Paid apps on the App Store with advanced rule-based routing and multiple server management. |
| shadowsocks-libev (CLI) | Linux, macOS | Headless setup on servers, Raspberry Pi, or routers (OpenWrt). Uses the ss-local command. |
Understanding Shadowsocks Ciphers
The cipher determines how your traffic is encrypted between your device and the proxy server. Localtonet uses ChaCha20-Poly1305 by default, which is the current recommended standard. Here is what you need to know about each option you might encounter when using third-party Shadowsocks servers:
| Cipher | Security | Performance | Use when |
|---|---|---|---|
| ChaCha20-Poly1305 | Excellent - AEAD, authenticated | Very fast, especially on mobile/ARM CPUs without AES hardware acceleration | Default choice. Recommended for all platforms. Localtonet uses this. |
| AES-256-GCM | Excellent - AEAD, authenticated | Very fast on modern Intel/AMD CPUs with AES-NI hardware acceleration | Desktop/server use where the CPU has AES hardware acceleration. |
| AES-128-GCM | Very good - AEAD, authenticated | Slightly faster than AES-256-GCM with marginally smaller key size | When you want AES with slightly lower overhead. Negligible real-world difference. |
| RC4-MD5, AES-256-CFB | Weak - legacy, no authentication | Fast but unsafe | Avoid. These are old ciphers without authentication. Do not use. |
Modern Shadowsocks implementations use AEAD (Authenticated Encryption with Associated Data) ciphers. These provide both encryption and message authentication in a single step, which means an attacker cannot tamper with your traffic undetected. Older Shadowsocks configs using stream ciphers like RC4-MD5 or AES-256-CFB do not have this property and should be replaced. Localtonet uses ChaCha20-Poly1305, which is an AEAD cipher, so you are protected by default.
Sharing Your Proxy with Others
Sharing access to your Localtonet Shadowsocks proxy is as simple as sharing the ss:// URL. Each person who has the URL can connect using any Shadowsocks-compatible client. There is no need to set up separate accounts or manage per-user credentials - a single URL is all that is needed.
Copy the ss:// URL from your Localtonet dashboard
Navigate to your proxy in the Proxy Server page. The connection URL is displayed below the proxy status. Copy it exactly, including the ss:// prefix.
Send it securely
Share the URL over an encrypted messaging channel (Signal, WhatsApp, iMessage, or a password manager shared vault). Avoid sending it unencrypted over email or posting it publicly. Anyone with the URL can use the proxy.
The recipient pastes it into their client
They open Outline Client (or any Shadowsocks app), tap Add Server, and paste the URL. The connection is ready immediately - no further setup is needed on their end.
Rotate the URL if needed
If you want to revoke access for someone, delete the proxy in the Localtonet dashboard and create a new one. The old URL stops working immediately. Share the new URL only with the people you still want to have access.
Connecting via CLI on Linux (shadowsocks-libev)
For headless Linux setups - Raspberry Pi, home servers, or machines without a GUI - you can connect to your Localtonet Shadowsocks proxy using shadowsocks-libev's ss-local command. This creates a local SOCKS5 proxy on your machine that applications can use to route traffic through the encrypted tunnel.
Install shadowsocks-libev
```bash
sudo apt update
sudo apt install -y shadowsocks-libev
```
Create the config file
Decode the values from your ss:// URL and save them in a config file at /etc/shadowsocks-libev/localtonet.json, the path the next step passes to ss-local. The URL format is ss://BASE64(cipher:password)@host:port. Your Localtonet dashboard also shows the individual fields if you expand the proxy details.
```json
{
    "server": "YOUR_SUBDOMAIN.localto.net",
    "server_port": YOUR_PORT,
    "local_address": "127.0.0.1",
    "local_port": 1080,
    "password": "YOUR_PASSWORD",
    "method": "chacha20-ietf-poly1305",
    "timeout": 300,
    "mode": "tcp_and_udp"
}
```
Start ss-local
```bash
# Start in foreground (for testing)
ss-local -c /etc/shadowsocks-libev/localtonet.json

# Or run as a background service
sudo systemctl enable shadowsocks-libev-local@localtonet
sudo systemctl start shadowsocks-libev-local@localtonet
sudo systemctl status shadowsocks-libev-local@localtonet
```

```text
● shadowsocks-libev-local@localtonet.service - Shadowsocks-Libev Local Client
Loaded: loaded (/lib/systemd/system/shadowsocks-libev-local@.service)
Active: active (running)
[INFO] starting local at 127.0.0.1:1080
```
Use the local SOCKS5 proxy in your applications
With ss-local running, your machine has a SOCKS5 proxy at 127.0.0.1:1080. Configure applications to use it:
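```bash
# Test with curl
# Note: --socks5 resolves the hostname locally, so the DNS query does not go
# through the tunnel; use --socks5-hostname to resolve it through the proxy.
curl --socks5 127.0.0.1:1080 https://api.ipify.org
# Returns the Localtonet server's IP, not yours

# Use proxychains to route any application through the proxy
sudo apt install proxychains4
# Edit /etc/proxychains4.conf: add "socks5 127.0.0.1 1080" at the end
proxychains4 wget https://example.com
```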
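
The decoding that the "Create the config file" step asks for, as an added example (not Localtonet's or the shadowsocks-libev project's code): it unpacks an ss:// URL into the ss-local config fields used in this section and refuses any cipher outside the AEAD rows of the cipher table. Handling of the older fully encoded form ss://BASE64(cipher:password@host:port) goes beyond the format this guide shows, and the names parse_ss_url and to_ss_local_config are chosen for this example.

```python
import base64
import binascii
import json
from urllib.parse import unquote, urlsplit

# Method names for the AEAD rows of the cipher table; legacy ones are refused.
AEAD_METHODS = {"chacha20-ietf-poly1305", "aes-256-gcm", "aes-128-gcm"}

# The example access URL shown in Step 1 of this guide.
SAMPLE_URL = ("ss://Y2hhY2hhMjAtaWV0Zi1wb2x5MTMwNTp4ZkcwcUxCZ25i"
              "@7vura1ftm.localto.net:3442")


def _b64decode(text):
    """Decode standard or URL-safe Base64, with or without '=' padding."""
    text = text.replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("credentials are not valid Base64") from exc


def parse_ss_url(url):
    """Return the fields packed into ss://BASE64(cipher:password)@host:port."""
    parts = urlsplit(url.strip())  # pasted keys often carry stray whitespace
    if parts.scheme != "ss" or not parts.netloc:
        raise ValueError("not an ss:// URL")
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if at:
        creds = _b64decode(unquote(userinfo))
    else:
        # Older keys encode everything: ss://BASE64(cipher:password@host:port)
        creds, _, hostport = _b64decode(parts.netloc).rpartition("@")
    method, colon, password = creds.partition(":")
    host, _, port = hostport.rpartition(":")
    if not colon or not password or not host or not port.isdigit():
        raise ValueError("expected cipher:password and host:port")
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range")
    if method.lower() not in AEAD_METHODS:
        raise ValueError(f"refusing non-AEAD cipher {method!r}")
    return {"method": method.lower(), "password": password,
            "host": host.strip("[]"), "port": int(port)}


def to_ss_local_config(url, local_port=1080):
    """Build the ss-local JSON document from the CLI section of this guide."""
    f = parse_ss_url(url)
    return {
        "server": f["host"],
        "server_port": f["port"],
        "local_address": "127.0.0.1",
        "local_port": local_port,
        "password": f["password"],
        "method": f["method"],
        "timeout": 300,
        "mode": "tcp_and_udp",
    }


if __name__ == "__main__":
    # The output contains the proxy password: keep it out of shared logs
    # and repositories.
    print(json.dumps(to_ss_local_config(SAMPLE_URL), indent=4))
```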
Troubleshooting Common Shadowsocks Problems
| Problem | Likely cause | Fix |
|---|---|---|
| "Connection failed" in Outline Client | Proxy is not running in Localtonet dashboard, or the proxy was stopped | Log in to localtonet.com → Proxy Server → confirm the Shadowsocks proxy status is "Running." Click Start if it is stopped. |
| Outline says "Connected" but sites are not loading | DNS resolution issue, or the Localtonet proxy is active but not routing correctly | Try disconnecting and reconnecting. Check the Localtonet proxy logs in the dashboard for errors. Try accessing a site by IP to rule out DNS. |
| Invalid access key / URL not recognized | The ss:// URL was copied incorrectly, truncated, or contains extra whitespace | Copy the URL again from the Localtonet dashboard. Make sure to copy the entire string including the ss:// prefix. Avoid copying via a chat app that might convert URLs. |
| Very slow speeds through the proxy | Network congestion, server load, or the client app routing more traffic than needed | Try a different time of day. If using shadowsocks-windows or ShadowsocksX-NG, switch to PAC mode to only proxy necessary traffic rather than routing everything. |
| UDP traffic not working through the proxy | UDP tunneling requires specific client support and may be affected by the local network | Confirm your client app has UDP enabled (in Outline, this is on by default). If using ss-local, ensure "mode": "tcp_and_udp" is set in the config. Some corporate or restrictive networks block UDP entirely. |
| iOS VPN configuration prompt keeps appearing | Normal behavior - iOS requires a VPN configuration profile to route traffic through a proxy system-wide | Tap Allow when prompted. This is a standard iOS permission for proxy apps. The configuration is managed by Outline and does not affect your device in any other way. |
| ss-local: "error: invalid cipher" | Cipher name in the config does not match the format expected by the installed version | Use chacha20-ietf-poly1305 (note the hyphens). Older versions may not support the -ietf- variant name - try chacha20-poly1305 or update shadowsocks-libev. |
| Proxy works but my real IP is still visible on some sites | WebRTC leak in browser, or the application is not configured to use the proxy | When using Outline Client in global mode, all device traffic is proxied. If using ss-local in SOCKS5 mode, only applications explicitly configured to use the proxy are affected. Disable WebRTC in your browser or use a WebRTC-blocking extension. |
Common Use Cases for Shadowsocks
| Use case | How Shadowsocks helps | Recommended client |
|---|---|---|
| Developer testing behind a firewall | Route API calls or web requests through an encrypted proxy without touching corporate firewall rules | ss-local + proxychains on Linux/macOS, or Outline Client on Windows |
| Encrypted proxy for a specific app | Configure only one application (browser, Telegram, etc.) to use the proxy - everything else continues normally | shadowsocks-windows (PAC mode), ShadowsocksX-NG on macOS |
| Sharing a proxy with a small team | One Localtonet proxy URL shared among teammates - everyone uses the same encrypted tunnel | Outline Client on any platform |
| Mobile encrypted proxy (Android / iOS) | Route all mobile traffic through an encrypted proxy while on public Wi-Fi or mobile networks | Outline Client on Android or iOS |
| Bypassing restrictive network policies | Shadowsocks traffic is disguised as standard HTTPS and is much harder to detect and block than typical VPN protocols | Outline Client - automatic cipher negotiation and traffic obfuscation |
| Raspberry Pi / home server outbound proxy | Run ss-local on a Raspberry Pi as a shared SOCKS5 proxy for all devices on your home network | shadowsocks-libev (ss-local) as a systemd service |
Frequently Asked Questions
Is Shadowsocks a VPN?
No. Shadowsocks is an encrypted proxy protocol, not a VPN. A VPN creates a virtual network interface that encrypts and routes all traffic from your device through a remote server. Shadowsocks routes only the traffic from applications you configure to use the proxy. The encryption only protects traffic between your device and the proxy server - it does not provide the full-device privacy and IP anonymity that a VPN does. For complete online privacy, a VPN is more suitable. For lightweight encrypted proxying of specific applications or bypassing censorship, Shadowsocks is faster and harder to detect.
Is Shadowsocks legal?
Shadowsocks is legal software in most countries. It is an open-source project with legitimate uses in privacy, developer tooling, and network testing. However, using any proxy or VPN to bypass government censorship may be restricted in certain countries (notably China, Iran, Russia, and others with strict internet regulation). The legality depends on your jurisdiction and how you use it - not on the software itself. Always check the laws applicable in your country before using any circumvention tool.
Can I use Shadowsocks to bypass the Great Firewall of China?
Shadowsocks was specifically designed for this purpose and has historically been effective at bypassing the Great Firewall because it disguises traffic as standard HTTPS. However, China's deep packet inspection capabilities have improved significantly since 2012, and the effectiveness of any circumvention tool depends on the server location, implementation details, and current enforcement intensity. Shadowsocks-over-WebSockets (supported by Outline Client v1.15.0+) adds an additional layer of obfuscation that can improve reliability in heavily monitored environments.
Does Shadowsocks support UDP?
Yes. Modern Shadowsocks implementations support both TCP and UDP proxy tunneling. Localtonet supports TCP and UDP proxy tunneling for Shadowsocks. UDP support is important for real-time applications like voice calls, gaming, and DNS queries. Note that UDP availability may vary depending on the client application and the network you are connecting from - some corporate or restrictive networks block outbound UDP traffic entirely.
What is the difference between Shadowsocks and Outline?
Shadowsocks is the underlying proxy protocol. Outline (developed by Google's Jigsaw team) is a suite of applications built on top of Shadowsocks that simplifies deployment and client connectivity. The Outline Client is one of the most widely used Shadowsocks-compatible clients because of its cross-platform support and ease of use. When you create a Shadowsocks proxy in Localtonet, the generated ss:// URL is compatible with Outline Client and any other Shadowsocks client - you are not locked into using Outline specifically.
Can multiple people use the same Shadowsocks proxy at the same time?
Yes. Multiple users can connect to the same Shadowsocks proxy simultaneously using the same ss:// URL. All users share the same proxy bandwidth. If you want to give different users different access credentials (so you can revoke access individually), you would need to create separate proxies in Localtonet and share a different URL with each person. For small teams sharing a proxy, a single URL works well in practice.
Do I need to keep the Localtonet client running on my machine?
No. Unlike Localtonet's TCP/UDP tunnel feature (which requires the Localtonet client running locally to forward connections), the Shadowsocks proxy is hosted entirely on Localtonet's infrastructure. You do not need the Localtonet client installed on any local machine - the proxy runs in the cloud. All you need is the ss:// connection URL and a client app on the device you want to proxy traffic from.
Security Best Practices
| Practice | Why it matters |
|---|---|
| Keep the ss:// URL private | Anyone with the URL can route traffic through your proxy. Treat it like a password and share it only through encrypted channels. |
| Rotate the URL if it is ever leaked | Delete the proxy in the Localtonet dashboard and create a new one. The old URL becomes invalid immediately. |
| Use AEAD ciphers only | Only use ChaCha20-Poly1305 or AES-256-GCM. Avoid older stream ciphers (RC4, AES-CFB) - they lack message authentication and are vulnerable to replay attacks. |
| Do not use Shadowsocks as a replacement for full-device privacy | Shadowsocks encrypts traffic between your device and the proxy, but your traffic is decrypted at the proxy server before reaching the destination. For complete anonymity, combine with a full VPN or use HTTPS sites. |
| Disable the proxy when not needed | Disconnect from the proxy in Outline Client when you no longer need it to reduce unnecessary proxy traffic and preserve bandwidth. |
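
An added example (not part of Localtonet's tooling) of a check that supports the first two practices: it scans text, such as files staged for a commit, for ss:// access keys and reports each one with its credentials redacted. The names find_ss_keys and SAMPLE_TEXT are chosen for this example, and the sample text is constructed around the example URL from Step 1.

```python
import base64
import re
import sys

# Access key shape from this guide: ss://<Base64 credentials>@<host>:<port>
SS_KEY_RE = re.compile(r"ss://([A-Za-z0-9+/_=-]+)@([A-Za-z0-9.-]+):(\d{1,5})")

# Constructed sample: line 2 holds a real-shaped key, line 3 a look-alike
# whose Base64 field decodes to "hello" (no cipher:password pair).
SAMPLE_TEXT = """\
# team notes (constructed sample)
proxy = ss://Y2hhY2hhMjAtaWV0Zi1wb2x5MTMwNTp4ZkcwcUxCZ25i@7vura1ftm.localto.net:3442
docs  = ss://aGVsbG8@docs.example:80
"""


def _looks_like_credentials(userinfo):
    """True if the Base64 field decodes to printable 'cipher:password' text."""
    text = userinfo.replace("-", "+").replace("_", "/")
    try:
        decoded = base64.b64decode(text + "=" * (-len(text) % 4)).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return ":" in decoded and decoded.isprintable()


def find_ss_keys(text, source="<input>"):
    """Return (source, line_no, redacted_key) for each access key in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SS_KEY_RE.finditer(line):
            # Decoding the field filters out strings that merely start ss://
            if _looks_like_credentials(m.group(1)):
                redacted = f"ss://<redacted>@{m.group(2)}:{m.group(3)}"
                findings.append((source, line_no, redacted))
    return findings


if __name__ == "__main__":
    # Usage as a pre-commit style check: pass file paths as arguments.
    hits = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits += find_ss_keys(fh.read(), path)
    for source, line_no, key in hits:
        print(f"{source}:{line_no}: Shadowsocks access key {key}")
    sys.exit(1 if hits else 0)
```

A non-zero exit status means at least one key was found; rotate any key that has already left your machine, as described in the table above.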
Create a Shadowsocks Proxy on Localtonet in Under Two Minutes
No VPS to rent. No server to configure. No firewall ports to open. Log in to your Localtonet dashboard, select Shadowsocks from the Proxy Server page, click Create and Start, and paste the generated URL into Outline Client. That is the entire setup - available on Windows, macOS, Linux, Android, and iOS.