Shadowsocks with kcptun Acceleration
kcptun can accelerate your TCP connection between a client and a server in situations of congestion on the line. This remote port forwarding tool converts a TCP stream into a UDP stream in KCP protocol in order to achieve higher throughput and lower latency. It includes rich options for performance tuning.
We give instructions for the example of a Windows client, although clients for other platforms are also available. We use Debian 11 for server. The server in our examples has IP address
Since Shadowsocks will be tunneled through kcptun, we will just use the default port
8388 for Shadowsocks itself. However, you will need a port number for kcptun and also a strong password for Shadowsocks.
First generate a random port number from the command line of a Linux computer like this:
echo $((1024 + $RANDOM))
The shell function RANDOM gives you a pseudo-random integer between 0 and 32767, so after evaluating the arithmetical expression, you will end up with a port number between 1024 and 33791. In our examples on the rest of this page, we will use the result:
Also generate a random password from the command line of a Linux computer:
openssl rand -base64 24
openssl rand -base64 function gives you a random number, expressed in base-64 notation. Because of the argument
24, it will be based on 24 bytes or 192 bits. The result will have 32 base-64 characters. In our examples on the rest of this page, we will use the result:
A server firewall is recommended but optional. There are multiple ways to implement a firewall on a Debian/Ubuntu server: nftables, iptables, ufw, and firewalld. We will use nftables in our examples, but you can use another method if you prefer.
SSH into your server as
Issue each of the following commands in turn to install and start nftables:
apt update && apt upgrade -y
apt install nftables -y
systemctl enable nftables
systemctl start nftables
Configure the firewall to accept related traffic and internal traffic on the loopback interface:
nft add rule inet filter input ct state related,established counter accept
nft add rule inet filter input iif lo counter accept
Configure the firewall to accept
ping requests so that you can test latency:
nft add rule inet filter input ip protocol icmp icmp type echo-request counter accept
nft add rule inet filter input ip6 nexthdr icmpv6 icmpv6 type echo-request counter accept
22 for SSH. If you can restrict the port
22 rule so that only certain source IP addresses are whitelisted for SSH access, then so much the better. For example, if you always connect to your server from source IP address
nft add rule inet filter input tcp dport 22 ip saddr XX.XX.XX.XX/32 counter accept
If you cannot restrict the port
22 rule, then you will have to open the port to the whole world instead:
nft add rule inet filter input tcp dport 22 counter accept
Open the server for KCPTUN UDP input on your chosen port:
nft add rule inet filter input udp dport 2977 counter accept
Drop all unexpected input:
nft add rule inet filter input counter drop
Save the rules:
nft list ruleset > /etc/nftables.conf
Increase the number of open files on your server:
ulimit -n 65535
Also edit the file
~/.bashrc and insert a line
ulimit -n 65535 so that it applies to all future sessions.
Edit the system control configuration file:
Insert lines for these parameters for better handling of UDP packets:
Write the file to disk and quit the editor. Activate:
Use the snap method to install Shadowsocks:
apt install snapd -y
Restart your SSH session to get
/snap/bin in path:
Then carry on with the snap install:
snap install core; snap refresh core
snap install shadowsocks-rust
Start Shadowsocks running in its own
screen session. Notice that it only needs to listen on localhost port
8388, because that is where kcptun will sends its traffic.
screen -S ssserver
shadowsocks-rust.ssserver -k chVMBNntf0Bvsu2927k486bB546yGJ7B -m chacha20-ietf-poly1305 -s 127.0.0.1:8388 --timeout 300
You can alternatively create a configuration file for Shadowsocks. Use
shadowsocks-rust.ssserver --help for a full list of options.
Do Ctrl+a then d to detach from the Shadowsocks server screen session.
In a browser on your workstation, visit https://github.com/xtaci/kcptun/releases to determine the latest release. Then, in your SSH session with the server, download the binary for that release. For example:
Extract the compressed archive:
tar -xf kcptun-linux-amd64-20220628.tar.gz
Copy the binary into your path:
cp server_linux_amd64 /usr/local/bin
Start kcptun running in its own
screen session. It listens for UDP traffic on port
2977 in our example, and sends the traffic to Shadowsocks on port
screen -S kcptun
server_linux_amd64 -t "127.0.0.1:8388" -l ":2977" -mode fast3 -nocomp -sockbuf 16777217 -dscp 46
The meanings of the parameters are:
-ttarget server address
-llocal listen address
-sockbufper-socket buffer in bytes
-dscpDifferentiated Services Code Point
Your work on the server is done, so you can exit your SSH session now:
We are going to use the example of a Windows client. Clients for other platforms are also available.
You will need to install 7-zip to extract the archive.
In a browser on your workstation, visit https://github.com/xtaci/kcptun/releases to determine the latest release. Then download the binary for that release. In our example, it is
Extract the inner
tar file. It contains a binary named
Open a Windows Command Prompt window. Run the client:
client_windows_amd64.exe -r "126.96.36.199:2977" -l ":8388" -mode fast3 -nocomp -autoexpire 900 -sockbuf 16777217 -dscp 46
In the above command, replace the server IP address and port with the correct values for your server IP address and your chosen port number for kcptun. In our example, the kcptun client is communicating with the kcptun server using UDP on port
If Windows Defender Firewall pops up, click Allow access.
Leave the Command Prompt window open with the client running in it.
Download the Shadowsocks for Windows client from GitHub, e.g.
Unzip the zip file.
Run the program
If necessary, click More info and Run anyway.
Enter values that will send Shadowsocks traffic to kcptun, which is listening on localhost port
- Server IP
- Server port
- Proxy port
Find the Shadowsocks icon in the system tray at the bottom right of your desktop.
Right-click to bring up the context menu.
Click System Proxy.
Open a browser and try to visit https://ipchicken.com.
For documentation on kcptun, consult the GitHub page.
Report kcptun issues on the GitHub issues page.