-
Notifications
You must be signed in to change notification settings - Fork 265
How to Run
We support Linux and MacOS now(including android). On windows you can use our implementation via WSL.
Also, you can try other implementations like sing-box.
Comparing to other implementations, we can provide best performance(on Linux and MacOS) and newest features.
There are 2 ways to run, run with docker or run binary directly.
Global parameters(shadow-tls --help):
-
-t, --threads <THREADS>: (optional)Set thread count manually. Normally you don't have to set it. -
-d, --disable-nodelay: (optional)Disable TCP_NODELAY. Unless you know what you are doing, do not use this parameter. -
--v3: (optional)Enable V3 protocol. If you enable it, it must be enabled on both sides. On next major version, this parameter will be removed, and v3 will be enabled by default.
Client Mode(shadow-tls client --help):
-
--listen <LISTEN>: Listen address(with port). Usually this port is used by shadowsocks client. -
--server <SERVER_ADDR>: ShadowTLS server address(with port). -
--sni <TLS_NAMES>: SNI list. You can provide multiple SNIs likecaptive.apple.com;cloud.tencent.com. Different SNIs are seprated by;. -
--password <PASSWORD>: Must be the same as the ShadowTLS server. -
--alpn <ALPN>: (optional)Set ALPN ext. You can set multiple ALPN seprated by;. Unless you know what you are doing, do not use this parameter.
Server Mode(shadow-tls server --help):
-
--listen <LISTEN>: Listen address(with port). -
--server <SERVER_ADDR>: Data server address(with port). Usually this port is listened by shadowsocks server. -
--tls <TLS_ADDR>: TLS names. There must be a fallback server name at the last, and there can be multiple mappings. Mappings can be represented asServerName:Host:Port.Hostcan be omitted, in this case ServerName is used asHost.Portcan be omitted too, which is443by default. Parts are seprated by;. For example, all of these are valid:cloud.tencent.com,cloud.tencent.com:443,cloudflare.com:1.1.1.1:443;captive.apple.com;cloud.tencent.com. -
--password <PASSWORD>: Must be the same as the ShadowTLS client.
Pass global parameters first(if any), then mode, then mode parameters. For example: shadow-tls --threads 1 server --listen 0.0.0.0:4430 --server 127.0.0.1:8888 --tls captive.apple.com --password 1.
On server side you need to run both shadowsocks and shadow-tls. You can start both of them manually, or with systemd.
The easiest way is running them with docker-compose. Install docker and docker-compose if you don't have them.
Then copy the example file to your server and edit it. Then run it with docker-compose up -d.
You need to run both shadow-tls and shadowsocks client. There are serveal ways to start them.
- Start shadow-tls client on a server inside the firewall, then connect it on any device with shadowsocks protocol. This requires you to have an additional server with public ip and sufficient bandwidth, you may have to pay for additional traffic.
- (Recommended)Run shadow-tls client with docker-compose.
- Manually start the binary.
- (Recommended)Start the binary automatially.
- Manually start the binary.
- Run shadow-tls client with docker-compose. Note: you have to modify the network mode because docker on MacOS does not support host mode. It is not efficient enough since docker started a linux kernel in vm and forward the traffic.
- Use supported client:
- Surge for Mac: Only support v2 now(doc). Works correctly and easy to configure.
- Clash.Meta: But I haven't tried it.
- v2ray_simple: I haven't tried either.
- sing-box: A good implementation. I haven't tried either.
- We don't have windows support since our runtime Monoio does not support it yet. So you can only use WSL or docker on windows to run our binary.
- (Recommended)Use supported client mentioned in the previous paragraph(other implementations).
- (Recommended)Use supported client.
- Run our binary with terminal and use any client that support shadowsocks.
- (Recommended)Use supported client.
- ShadowRocket: It works but maybe with bugs. Under my testing, using SNI like
www-jp.feishu.cncannot work properly, but withcaptive.apple.comworks. - Surge: Only support v2 now(doc). Works correctly and easy to configure.
- ShadowRocket: It works but maybe with bugs. Under my testing, using SNI like
- Low latency: Test on your vps to make sure the destination is with low latency. You can do the checking with ping for simple, but with curl will be more accurate.
- Trusted by the firewall: It must be a legal service, and widely used.
- Using TLS servers that support tls1.3 can reduce latency. You can test it will curl setting tls version:
curl -I --tlsv1.3 --tls-max 1.3 -vvv https://example.com.
Not much servers support tls1.3. But you can alway trust services by 宇宙厂 :)
By default, shadow-tls use INFO log level.
For io performance, you can change it to ERROR by setting an environment variable RUST_LOG=error.
It is recommended after you make sure everything works fine. It will only print error info if you change it this way.
If you use docker, seccomp will be enabled by default. You can disable it for better performance by adding these into docker-compose.yml:
security_opt:
- seccomp:unconfined
-
unable to build monoio runtime,OutOfMemory: Since we use io-uring when available, we need lock some memory. But on some linux the default lock memory limitation is far from enough. There are 2 ways to solve it:- (Recommended)Set a larger limitation: Link | 中文链接 | Another related issue
- Disable io-uring and use epoll: Set env
MONOIO_FORCE_LEGACY_DRIVER=1. With this env, the cpu usage may become a little bit higher.
-
I want to use port 443, but it is already used by nginx: Shadow-tls support multiple SNI now, so it can be used as a SNI proxy. Let your nginx listen on
127.0.0.1:8443, and use tls settings likeyour.domain:127.0.0.1:8443;captive.apple.com;www.feishu.cn. -
Pull image too slow: You can try to use another registry. We have pushed image to 3 registries:
ghcr.io/ihciah/shadow-tlsihciah/shadow-tlsregistry.gitlab.com/ihciah/shadow-tls
Also, you can use docker hub mirrors.