
The official OpenVPN client for Windows offers per-IP split tunneling. Some proprietary clients also offer per-app split tunneling.

To look up IP addresses, open a Windows terminal (Command Prompt or Windows PowerShell) and issue the command:

nslookup whatismyipaddress.com

Sample response:

Non-authoritative answer:
Name: whatismyipaddress.com
Addresses: 104.16.155.36
104.16.154.36

To send only two IP addresses through the VPN tunnel:

  1. Disconnect the client from the server
  2. Edit the client configuration file
  3. Add these lines at the end before reconnecting

route 104.16.154.36 255.255.255.255 vpn_gateway
route 104.16.155.36 255.255.255.255 vpn_gateway
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

To send everything except two IP addresses through the VPN tunnel:

route 104.16.154.36 255.255.255.255 net_gateway
route 104.16.155.36 255.255.255.255 net_gateway
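
Both route sets work because the routing table always prefers the most specific (longest-prefix) match. The sketch below is an added example, not part of the original post; it assumes the server pushes redirect-gateway def1 (two /1 routes through the tunnel), and parse_routes, next_hop and bypass_is_complete are hypothetical helper names.

```python
import ipaddress

# Assumption: the server pushes "redirect-gateway def1", which installs these
# two /1 routes through the tunnel instead of replacing the default route.
REDIRECT_GATEWAY_DEF1 = """\
route 0.0.0.0 128.0.0.0 vpn_gateway
route 128.0.0.0 128.0.0.0 vpn_gateway
"""

# The two route sets from this page, copied verbatim.
ONLY_TWO_VIA_VPN = """\
route 104.16.154.36 255.255.255.255 vpn_gateway
route 104.16.155.36 255.255.255.255 vpn_gateway
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
"""

ALL_BUT_TWO_VIA_VPN = """\
route 104.16.154.36 255.255.255.255 net_gateway
route 104.16.155.36 255.255.255.255 net_gateway
"""


def parse_routes(text):
    """Parse OpenVPN 'route <network> <netmask> <gateway>' lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "route":
            network = ipaddress.ip_network(f"{fields[1]}/{fields[2]}")
            routes.append((network, fields[3]))
    return routes


def next_hop(routes, destination, default="net_gateway"):
    """Longest-prefix match: the most specific matching route wins."""
    address = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, gw) for net, gw in routes if address in net]
    if not matches:
        return default
    return max(matches, key=lambda match: match[0])[1]


def bypass_is_complete(routes):
    """True if the net_gateway routes together cover all of IPv4.

    If they do not, any destination outside them still falls back to the
    /1 tunnel routes, which defeats an "only these IPs" split tunnel.
    """
    bypass = [net for net, gw in routes if gw == "net_gateway"]
    collapsed = list(ipaddress.collapse_addresses(bypass))
    return collapsed == [ipaddress.ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    for label, extra in (("only two via VPN", ONLY_TWO_VIA_VPN),
                         ("all but two via VPN", ALL_BUT_TWO_VIA_VPN)):
        table = parse_routes(REDIRECT_GATEWAY_DEF1 + extra)
        print(label)
        for dest in ("104.16.154.36", "8.8.8.8", "203.0.113.7"):
            print(f"  {dest:15} -> {next_hop(table, dest)}")
```

The four /2 routes beat the two /1 tunnel routes for every address, and the two /32 host routes beat the /2 routes, so only those two addresses use the tunnel.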

This post shows you how to use a Windows computer as a VPN server. This might be helpful in many scenarios. For example:

  • Employees need to connect to a company LAN from outside the office
  • You want to securely access the Internet from a coffee shop or airport
  • You have a friend in a foreign country who needs unblocked access to the Internet

After you’ve followed along with this tutorial, you’ll have a working L2TP/IPsec server on your Windows computer.

Step 1. Open Firewall

For traffic to reach an L2TP/IPsec server, you need to open ports 500/udp, 1701/udp, and 4500/udp in your computer’s firewall. On your Windows computer, you do that like this:

  1. In the Windows search box (next to the Start button), type firewall
  2. Select Windows Defender Firewall with Advanced Security
  3. In the left pane, click Inbound Rules
  4. In the Actions pane on the right, click New Rule…
  5. In the New Inbound Rule Wizard window, select Port, and click Next
  6. In the Protocol and Ports window, select UDP, and in the Specific local ports field, type 500, 1701, 4500 and click Next
  7. In the Action window, select Allow the connection, and click Next
  8. Check all profiles, and click Next
  9. Enter a Name such as L2TP/IPsec, and click Finish
  10. Close the Windows Defender Firewall with Advanced Security

Windows Defender Firewall with Advanced Security new rule specifying protocol and ports

In a typical home network, where you are behind a router, you also need to:

  • Open ports 500/udp, 1701/udp, and 4500/udp for input
  • Port forward these ports from your router to your PC

Instructions for doing the above vary from router to router. Consult your router documentation to learn how to do these steps on your particular make and model of router.

One more point about home PCs! You need a Power Plan that ensures your computer will not be asleep when clients try to connect. You can change the power settings on a Windows PC like this:

  1. Right-click on the Windows Start button, and select Settings
  2. Click System
  3. Select Power & sleep
  4. Change the settings for Sleep to Never
  5. When you’re done, close the Settings app.

Step 2. Download SoftEther VPN Server

Now for the download of the SoftEther VPN installer:

  1. Open a browser
  2. Visit https://www.softether.org
  3. Click Download
  4. Click Download SoftEther VPN
  5. Select SoftEther VPN (Freeware)
  6. Select Component SoftEther VPN Server
  7. Select Platform Windows
  8. Select CPU Intel (x86 and x64)
  9. Download the latest build

Download SoftEther VPN Server for Windows

Step 3. Run the Installer

In your Downloads folder, find the Installer executable. It will have a name that looks like softether-vpnserver_vpnbridge-v4.38-9760-rtm-2021.08.17-windows-x86_x64-intel.

Run the installer executable.

  1. Read the initial information screen, then click Next
  2. If User Account Control pops up, click Yes to allow changes to your device
  3. Select software component SoftEther VPN Server, and click Next
  4. Read the End User License Agreement, check the box to agree to the End User License Agreement, and click Next
  5. Read the Important Notices, and click Next
  6. Accept the default directory, C:\Program Files\SoftEther VPN Server, and click Next
  7. On the Ready to Install screen, click Next

Wait while the installer runs. A SoftEther VPN Server Manager icon is created on your desktop. At the end of the installation, leave the box checked to immediately run SoftEther VPN Server Manager, and click Finish.

SoftEther VPN Setup Wizard finished

Step 4. Set the VPN Server Password

The SoftEther VPN Server Manager is started for you by the installer.

SoftEther VPN Server Manager

Leave the server localhost (This server) selected, then press the Connect button. The first time you do this, you will be prompted to enter and confirm a password for the server. Click OK when you’re done.

SoftEther VPN Server Manager change administrator password

Click OK on seeing the password change confirmation box.

Step 5. SoftEther VPN Server Easy Setup

The first time into the server, a wizard walks you through the SoftEther VPN Server Easy Setup process.

Step 5a. Create Virtual Hub

Check the box for Remote Access VPN Server, and click Next.

SoftEther virtual hub for remote access VPN server

A message appears saying that the settings of this VPN Server will be initialized. The box asks if you really want to do this. Click Yes.

Give the Virtual Hub a Name, such as the default of VPN, and click OK.

Step 5b. Dynamic DNS Function

SoftEther automatically assigns you a dynamic DNS name. It will look like vpn322055929.softether.net.

Click Exit.

SoftEther Dynamic DNS Function

Step 5c. IPsec / L2TP / EtherIP/ L2TPv3 Server Settings

Check the box for Enable L2TP Server Function (L2TP over IPsec).

Enter a preshared key in the IPsec Pre-Shared Key box. It must be eight characters – for example, abcd1234.

Click OK.

SoftEther IPsec / L2TP / EtherIP/ L2TPv3 Server Settings

Step 5d. VPN Azure Service Settings

Select the radio button for Disable VPN Azure.

Click OK.

SoftEther VPN Azure Service Settings

Step 5e. Create User

Click the button Create Users.

  1. Enter a username
  2. Enter the full name for this user
  3. Select Auth Type Password Authentication
  4. Enter and confirm the password
  5. Click OK
  6. When the confirmation box appears, click OK
  7. Since we need only one user for now, click Exit

SoftEther create user

Step 5f. Enable SecureNAT

SecureNAT function is an innovative proprietary technology developed for SoftEther that enables the creation of a more secure network. SecureNAT provides two functions: virtual NAT and virtual DHCP.

On the screen to manage the VPN server on localhost:

  1. Select the row for the default Virtual Hub, which we named just VPN
  2. Click Manage Virtual Hub
  3. Click Virtual NAT and Virtual DHCP Server (SecureNAT)
  4. Click Enable SecureNAT
  5. Click OK
  6. Click Exit
  7. Click Exit

SoftEther virtual hub with SecureNAT enabled

Your server work is done for now. Let’s test it with your first client.

Step 6. Install and Configure Client

An L2TP/IPsec client is built in to many devices. We will use a Windows client to test the server. The client PC must be a different PC, and at a different location, from the server PC.

On the client PC, in the Settings app, open the Network & Internet section. Select the VPN screen. Click Add VPN.

  1. For the VPN Provider, select Windows (built-in)
  2. Put a connection name of your choice, e.g. New York
  3. For server address, put the one assigned to your server, e.g. vpn322055929.softether.net
  4. For the VPN type, select L2TP/IPsec with pre-shared key
  5. For the Pre-shared key, type the one you specified on the server, e.g. abcd1234
  6. For Type of sign-in info, select User name and password
  7. For the User name, type the one you set up on the server
  8. For the Password, type the one you set up on the server
  9. Check Remember my sign-in info
  10. Check Save

Windows built-in VPN client for L2TP/IPsec with pre-shared key

Step 7. Test Client to Server Connection

On the row for the VPN connection you just added, click Connect. The status changes to Connected.

Open a browser, and visit https://whatismyipaddress.com.

You should see the IP address and location of your VPN server, not your client.

Congratulations!

You now have a working VPN server, ready to receive client connections.

X-UI provides a graphical user interface for managing servers and users. You can visually build servers for Shadowsocks, V2ray, Xray, Trojan, and other popular protocols. You can also monitor VPS performance and traffic usage in real time. X-UI replaces the older V2-UI panel.

Preparation

Before you begin, you need to do three or four things:

  1. Get a virtual private server or VPS. You can get a VPS from many providers. Some popular ones are AWS, Google Cloud, Microsoft Azure, DigitalOcean, Hetzner, and Vultr. In our example we use a Debian 11 VPS, but the X-UI install script supports Ubuntu 16+, Debian 8+, or CentOS 7+. You need to have ports 80 and 443 on your VPS open for TCP input. Also open port 54321 for TCP input.
  2. Get a domain name. Some low-cost registrars are Porkbun, Namesilo, and Namecheap.
  3. Create a DNS A record pointing from your host name to your VPS.
  4. Optionally, add your domain to Cloudflare. This will allow you to insert a content distribution network or CDN in between you and your server. However, if you are going to add a CDN, do not turn on proxying in Cloudflare until the end. For now, just use the DNS features of Cloudflare. Adding your domain to Cloudflare is optional, and you can continue to use your domain name registrar’s nameservers if you prefer. In any case, not all protocols support the use of CDN proxying.

Update Server

SSH into your server. On Windows you can use the built-in PowerShell app, or you can install a terminal emulator such as PuTTY or XSHELL.

SSH into a server using XSHELL

Get your server up to date:

apt update && apt upgrade -y

Also install curl and socat:

apt install curl socat -y

Install Acme Script

Download and install the Acme script for getting a free SSL certificate:

curl https://get.acme.sh | sh

Get Free SSL Certificate

Set the default provider to Let’s Encrypt:

~/.acme.sh/acme.sh --set-default-ca --server letsencrypt

Register your account for a free SSL certificate. In the next command, replace xxxx@xxxx.com by your actual email address:

~/.acme.sh/acme.sh --register-account -m xxxx@xxxx.com

Obtain an SSL certificate. In the next command, replace host.mydomain.com by your actual host name:

~/.acme.sh/acme.sh --issue -d host.mydomain.com --standalone

After a minute or so, the script terminates. On success, you will receive feedback as to the location of the certificate and key:

Your cert is in: /root/.acme.sh/host.mydomain.com/host.mydomain.com.cer
Your cert key is in: /root/.acme.sh/host.mydomain.com/host.mydomain.com.key
The intermediate CA cert is in: /root/.acme.sh/host.mydomain.com/ca.cer
And the full chain certs is there: /root/.acme.sh/host.mydomain.com/fullchain.cer

You cannot use the certificate and key in their current locations, as these may be temporary. Therefore install the certificate and key to a permanent location. In the next command, replace host.mydomain.com by your actual host name:

~/.acme.sh/acme.sh --installcert -d host.mydomain.com --key-file /root/private.key --fullchain-file /root/cert.crt

Install certificate and key issued by Acme script

Run the X-UI Install Script

Download and run the one-click install script provided by the developer:

bash <(curl -Ls https://raw.githubusercontent.com/vaxilu/x-ui/master/install.sh)

Common Panel Commands

From the command line, you can control the server with various commands:

Command           Effect
x-ui              Display the management menu
x-ui start        Start the X-UI panel
x-ui stop         Stop the X-UI panel
x-ui restart      Restart the X-UI panel
x-ui status       View X-UI status
x-ui enable       Set X-UI to start automatically after boot
x-ui disable      Do not start X-UI automatically after boot
x-ui log          View X-UI log
x-ui update       Update the X-UI panel
x-ui install      Install X-UI panel
x-ui uninstall    Uninstall X-UI panel

First Time Login

You can get to the X-UI panel on your PC by opening a browser and typing your server IP address and port 54321. For example:

http://123.45.67.89:54321

By default, the login user name is admin, and the password is also admin.

First-time login to X-UI panel

Side Menu

After you have logged in, the side menu offers these options:

Chinese       English
系统状态      System status
入站列表      Inbound list
面板设置      Panel settings
其他          Other
退出登录      Sign out

Side menu on X-UI panel

Enable HTTPS on Panel

You will notice that, at first, you used plain text HTTP to reach the panel. This is not secure.

To enable HTTPS, choose 面板设置 (Panel settings).

You will need to specify your certificate and key.

面板证书公钥文件路径
填写一个 '/' 开头的绝对路径,重启面板生效
Panel certificate public key file path
Fill in an absolute path starting with '/', restart the panel to take effect

Fill in /root/cert.crt.

面板证书密钥文件路径
填写一个 '/' 开头的绝对路径,重启面板生效
Panel certificate key file path
Fill in an absolute path starting with '/', restart the panel to take effect

Fill in /root/private.key.

Specifying certificate and key in X-UI panel settings

Save these options.

Now in your SSH session issue the command:

x-ui restart

Now you can reach the panel using HTTPS. For example:

https://host.mydomain.com:54321

HTTPS login to X-UI panel

Change Admin Password

The default admin user name admin and password admin are the same for all installations. This is not secure. Input the old values of admin and admin, and choose new, unique values:

Chinese       English
原用户名      Original user name
原密码        Old password
新用户名      New user name
新密码        New password

X-UI panel change user name and password

Save the new values.

Sign out, then sign in again with the new user name and password.

HTTPS login with new user name and password

Add VLESS+XTLS Xray User

We are going to add an inbound user account using VLESS and Xray. VLESS is an updated version of the older Vmess protocol. After several developers found flaws in the Vmess protocol and showed that the Vmess protocol can be detected by deep packet inspection or DPI, VLESS was developed. (Note that it is plain Vmess that can be detected; Vmess+WS+TLS is still secure and supports the use of a CDN.) Xray core was developed as an alternative to the older V2Ray core. According to the Xray developers, Xray is more stable, better for UDP gaming, and 30% faster than V2Ray. XTLS speeds up TLS by reducing double-encryption.

On the side menu, select 入站列表 (Inbound list).

Click the plus sign to add a new inbound user.

The 添加入站 (Add inbound) box appears.

Enter fields as follows.

Field                                   Contents
Remark                                  Put a unique and meaningful description
Enable                                  On
Protocol                                vless
监听 IP (Listening IP)                  Leave blank
端口 (Port)                             443
总流量(GB) (Total bandwidth (GB))       0 means unlimited
到期时间 (Expiry date)                  Blank
Id                                      Leave the generated UUID as is
Flow                                    xtls-rprx-direct
Fallbacks                               None
传输 (Transmission)                     tcp
HTTP 伪装 (HTTP masquerading)           Off
TLS                                     Off
XTLS                                    On
域名 (Domain name)                      Put your host name, e.g. host.mydomain.com
公钥文件路径 (Public key file path)     /root/cert.crt
密钥文件路径 (Key file path)            /root/private.key
Sniffing                                On

Adding a new VLESS+XTLS user

Save the new user.

Click the 操作 (Operation) button at the start of its row to display the QR code for the new user.

Displaying QR code in X-UI panel

Client

Clients are available for Android, iOS, Windows, macOS, and Linux. Examples are v2rayNG, Shadowrocket, and Qv2ray.

Add the profile in the QR code to your client.

Example of Qv2ray client

You can check that your connection is working by opening a browser and going to https://whatismyipaddress.com.

whatismyipaddress.com

By following this post, you can create an SS + V2Ray plugin server without having to buy a domain name.

The server in this post runs Debian 11, and the client runs Windows 11.

Install Nginx on Server

apt install nginx

Create Self-Signed CA Certificate

Create a directory to hold your certificates:

mkdir /etc/openssl

Change into the directory that will hold your certificates:

cd /etc/openssl

Generate a private key for your CA certificate:

openssl ecparam -out ca.key -name secp384r1 -genkey

Generate a certificate signing request:

openssl req -new -sha256 -key ca.key -out ca.csr

Enter anything you like for Country Name, State or Province Name, Locality Name, Organization Name, and Organizational Unit Name. For example:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:

For Common Name, put Private CA.

Leave Email Address blank.

Leave the ‘extra’ attributes (challenge password and company name) blank.

Sign the certificate signing request, creating your certificate:

openssl x509 -req -sha256 -days 365 -in ca.csr -signkey ca.key -out ca.crt

Create Server Certificate

Generate a private key for your server certificate:

openssl ecparam -out example.com.key -name secp384r1 -genkey

Generate a certificate signing request:

openssl req -new -sha256 -key example.com.key -out example.com.csr

Enter anything you like for Country Name, State or Province Name, Locality Name, Organization Name, and Organizational Unit Name. For example:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:

For Common Name, put example.com.

Leave Email Address blank.

Leave the ‘extra’ attributes (challenge password and company name) blank.

Sign the certificate signing request, creating your certificate:

openssl x509 -req -in example.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.com.crt -days 365 -sha256

Make the server private key readable by Nginx:

chmod +r example.com.key

Configure Nginx

Generate Diffie-Hellman parameters:

openssl dhparam -out /etc/nginx/dhparam 2048;

This may take a long time.

Edit the Nginx default site:

vi /etc/nginx/sites-available/default

Delete the default contents, and enter contents as below:

# Redirect all plain-HTTP requests to HTTPS
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    location / {
        return 301 https://$host$request_uri;
    }
}

# TLS front end using the server certificate signed by your private CA
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/openssl/example.com.crt;
    ssl_certificate_key /etc/openssl/example.com.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/dhparam;
    ssl_ecdh_curve secp384r1;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # Pass WebSocket requests on the secret path to the local listener on port 8008
    location /abcdefgh {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:8008;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }

}

Change /abcdefgh to a secret path of your choice.

Save the configuration file.

Restart Nginx with your revised configuration file:

systemctl restart nginx

Download V2Ray Plugin to Server

Put software v2ray-plugin into directory /usr/bin/ like this:

cd ~

wget https://github.com/shadowsocks/v2ray-plugin/releases/download/v1.3.1/v2ray-plugin-linux-amd64-v1.3.1.tar.gz

tar -xf v2ray-plugin-linux-amd64-v1.3.1.tar.gz

cp v2ray-plugin_linux_amd64 /usr/bin/v2ray-plugin

Install Shadowsocks on Server

Download the Shadowsocks-libev install script for Debian from GitHub by issuing this command in your terminal emulator:

wget https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocks-libev-debian.sh

Make the script executable by issuing the command to set the execution bit:

chmod +x shadowsocks-libev-debian.sh

Think up a password. Our example is socKsecreT2021%d.

Think up a port number. Our example is 8008.

Choose an encryption method. Our example is aes-256-gcm.

Run the install script by issuing the command:

./shadowsocks-libev-debian.sh

Enter your choice of password, port, and encryption method. Your run of the script will look like this:

#############################################################
# Install Shadowsocks-libev server for Debian or Ubuntu #
# Intro: https://teddysun.com/358.html #
# Author: Teddysun <i@teddysun.com> #
# Github: https://github.com/shadowsocks/shadowsocks-libev #
#############################################################

[Info] Latest version: shadowsocks-libev-3.3.5

Please input password for shadowsocks-libev:
(Default password: teddysun.com):socKsecreT2021%d

---------------------------
password = socKsecreT2021%d
---------------------------

Please enter a port for shadowsocks-libev [1-65535]
(Default port: 19302):8008

---------------------------
port = 8008
---------------------------

Please select stream cipher for shadowsocks-libev:
1) aes-256-gcm
2) aes-192-gcm
3) aes-128-gcm
4) aes-256-ctr
5) aes-192-ctr
6) aes-128-ctr
7) aes-256-cfb
8) aes-192-cfb
9) aes-128-cfb
10) camellia-128-cfb
11) camellia-192-cfb
12) camellia-256-cfb
13) xchacha20-ietf-poly1305
14) chacha20-ietf-poly1305
15) chacha20-ietf
16) chacha20
17) salsa20
18) rc4-md5
Which cipher you'd select(Default: aes-256-gcm):1

---------------------------
cipher = aes-256-gcm
---------------------------

Press any key to start...or press Ctrl+C to cancel

Press any key to continue.

Wait while the installs and compiles take place. This may take a long time.

At the end of the install script, the parameters are redisplayed:

Congratulations, Shadowsocks-libev server install completed!
Your Server IP : 123.45.67.89
Your Server Port : 8008
Your Password : socKsecreT2021%d
Your Encryption Method: aes-256-gcm

Welcome to visit:https://teddysun.com/358.html
Enjoy it!

Configure Shadowsocks on Server

Edit the Shadowsocks configuration file:

vi /etc/shadowsocks-libev/config.json

Add lines for the plugin and plugin options, like this:

{
    "server":"0.0.0.0",
    "server_port":8008,
    "password":"socKsecreT2021%d",
    "timeout":300,
    "user":"nobody",
    "method":"aes-256-gcm",
    "fast_open":false,
    "nameserver":"1.0.0.1",
    "mode":"tcp_and_udp",
    "plugin":"/usr/bin/v2ray-plugin",
    "plugin_opts":"server;path=/abcdefgh"
}

Remember the comma after what used to be the last option.

Save the edited file.

Restart Shadowsocks on Server

Restart Shadowsocks with your configuration file which now specifies the V2Ray plugin:

/etc/init.d/shadowsocks restart

End work on server:

exit

Download CA Certificate to Client

Now you are going to work on the Windows PC that will be your client.

Open Windows PowerShell (right-click on Windows Start button, then select Windows Terminal).

Issue the command below, replacing 123.45.67.89 by your actual server IP address:

scp root@123.45.67.89:/etc/openssl/ca.crt Downloads/ca.crt

Close Windows PowerShell.

Import CA Certificate on Client

Open a Run box (Win+r), type mmc, and click OK.

In the Microsoft Management Console:

  1. Click File
  2. Select the option Add/Remove Snap-in
  3. In the window Add or Remove Snap-ins, select Certificates
  4. Click the Add button
  5. Select Computer account, and click Next
  6. Select Local computer, and click Finish
  7. Click OK

Expand the tree in the left pane. Then continue like this:

  1. Right-click on Trusted Root Certification Authorities
  2. Select All Tasks
  3. Select Import
  4. Click Next
  5. Browse to your ca.crt file in the Downloads folder
  6. Click Open
  7. Click Next
  8. Click Next
  9. Click Finish
  10. Click OK

Close the Microsoft Management Console.

Download Shadowsocks to Windows Client

Open a browser and go to https://github.com/shadowsocks/shadowsocks-windows/releases.

Download the most recent release of Shadowsocks for Windows. For example, right now the most recent release is Shadowsocks-4.4.0.185.zip.

Unzip Shadowsocks-4.4.0.185.zip. This creates a folder Downloads\Shadowsocks-4.4.0.185.

Install 7-Zip

Install 7-Zip from https://www.7-zip.org if you do not have it on your PC already.

Download V2Ray Plugin to Windows Client

In your browser, download the most recent V2Ray plugin for Windows from https://github.com/shadowsocks/v2ray-plugin/releases. It will be named something like v2ray-plugin-windows-amd64-v1.3.1.tar.gz.

Right-click on the download, and use 7-Zip to extract v2ray-plugin-windows-amd64-v1.3.1.tar.

Right-click on that, and use 7-Zip again to extract from this the application v2ray-plugin_windows_amd64.exe.

Copy v2ray-plugin_windows_amd64.exe into the Shadowsocks folder Downloads\Shadowsocks-4.4.0.185.

Configure Shadowsocks on Windows Client

Start Shadowsocks.exe for the first time.

When the Edit Servers box appears:

  • For Server IP, put the IP address of your server, e.g. 123.45.67.89
  • For Server Port, put 443
  • For Password put your chosen password, e.g. socKsecreT2021%d
  • For Encryption, select your chosen method, e.g. aes-256-gcm
  • For Plugin Program, put v2ray-plugin_windows_amd64.exe
  • For Plugin Options, put path=/abcdefgh;host=example.com;tls
  • Replace /abcdefgh in the above with the secret path you configured Nginx to use

Click Apply.

Shadowsocks with V2Ray plugin specified on Windows client

Click OK.

Install Firefox Browser

If you do not already have Firefox installed, install Firefox now from https://www.mozilla.org/en-US/firefox/new.

Configure Firefox Browser

From the Firefox hamburger menu, choose Settings.

In Settings, on the General page, under Network Settings, click Settings.

Configure Firefox to use a Manual proxy configuration.

Specify the SOCKS Host at IP address 127.0.0.1, Port 1080.

Check the box to proxy DNS requests when using SOCKS v5.

Click OK.

Test Windows Client to Server Connection

In Firefox, visit https://whatismyipaddress.com.

You should see the IP address and location of your server, not your client.
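
The Nginx site, the server's config.json and the client's plugin options must agree on the path, port and host name, and the backend should only be reachable through Nginx. The checker below is an added example, not part of the original post; the embedded inputs are constructed, condensed copies of this page's settings, and check_deployment, parse_plugin_opts and is_loopback are hypothetical names. It relies on the SIP003 plugin convention that, in server mode, the plugin listens on the configured server address and port.

```python
import ipaddress
import json
import re

# Constructed, condensed copies of the three settings this page has you edit.
NGINX_SITE = """
server {
    listen 443 ssl http2;
    server_name example.com;
    location /abcdefgh {
        proxy_pass http://127.0.0.1:8008;
    }
}
"""
SS_SERVER_JSON = """
{"server": "0.0.0.0", "server_port": 8008,
 "plugin": "/usr/bin/v2ray-plugin", "plugin_opts": "server;path=/abcdefgh"}
"""
CLIENT_PLUGIN_OPTS = "path=/abcdefgh;host=example.com;tls"
CLIENT_SERVER_PORT = 443


def parse_plugin_opts(opts):
    """Split 'key=value;flag' plugin options; bare flags map to True."""
    parsed = {}
    for item in filter(None, (part.strip() for part in opts.split(";"))):
        key, sep, value = item.partition("=")
        parsed[key] = value if sep else True
    return parsed


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def check_deployment(nginx_site=NGINX_SITE, ss_server_json=SS_SERVER_JSON,
                     client_opts=CLIENT_PLUGIN_OPTS,
                     client_port=CLIENT_SERVER_PORT):
    """Return a list of finding codes; an empty list means consistent."""
    proxied = re.search(
        r"location\s+(\S+)\s*\{[^}]*?proxy_pass\s+http://([^:/;\s]+):(\d+)",
        nginx_site)
    if proxied is None:
        return ["no-proxy-location"]
    path, backend_host = proxied.group(1), proxied.group(2)
    backend_port = int(proxied.group(3))
    tls_listen = re.search(r"listen\s+(\d+)\s+ssl", nginx_site)
    server_name = re.search(r"server_name\s+([^;\s]+)", nginx_site)

    server = json.loads(ss_server_json)
    server_opts = parse_plugin_opts(server.get("plugin_opts", ""))
    client = parse_plugin_opts(client_opts)

    findings = []
    # The same secret path has to appear in all three places.
    if server_opts.get("path") != path or client.get("path") != path:
        findings.append("path-mismatch")
    # Nginx must forward to the port the plugin listens on.
    if server.get("server_port") != backend_port:
        findings.append("port-mismatch")
    # The client has to speak TLS to Nginx's port, not to the backend port.
    if (tls_listen is None or int(tls_listen.group(1)) != client_port
            or client.get("tls") is not True):
        findings.append("client-not-using-nginx-tls")
    # The client's host option should be the name Nginx serves.
    if server_name and client.get("host") != server_name.group(1):
        findings.append("host-mismatch")
    # Nginx reaches the backend over loopback, so a listener bound to every
    # interface is also reachable directly, without TLS, unless firewalled.
    if is_loopback(backend_host) and not is_loopback(str(server.get("server"))):
        findings.append("backend-exposed")
    return findings


if __name__ == "__main__":
    print(check_deployment())
```

With this page's values the only finding is backend-exposed: "server":"0.0.0.0" leaves port 8008 listening on every interface, so either bind it to 127.0.0.1 or make sure the firewall blocks that port from outside.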

Xray is a fork of V2Ray. By following this post, you can create an Xray Vmess + TLS + WebSocket server without having to buy a domain name.

The server in this post runs Debian 11, and the client runs Windows 11.

Install Nginx on Server

apt install nginx

Create Self-Signed Certificate

Create a directory to hold your certificate:

mkdir /etc/openssl

Change into the directory that will hold your certificate:

cd /etc/openssl

Generate a private key for your certificate:

openssl ecparam -out example.com.key -name secp384r1 -genkey

Generate a certificate signing request:

openssl req -new -sha256 -key example.com.key -out example.com.csr

Enter anything you like for Country Name, State or Province Name, Locality Name, Organization Name, and Organizational Unit Name. For example:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:

For Common Name, put example.com.

Leave Email Address blank.

Leave the ‘extra’ attributes (challenge password and company name) blank.

Sign the certificate signing request, creating your certificate:

openssl x509 -req -sha256 -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt

Make the server private key readable:

chmod +r example.com.key

Configure Nginx

Generate Diffie-Hellman parameters:

openssl dhparam -out /etc/nginx/dhparam 2048;

This may take a long time.

Edit the Nginx default site:

vi /etc/nginx/sites-available/default

Delete the default contents, and enter contents as below:

# Redirect all plain-HTTP requests to HTTPS
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    location / {
        return 301 https://$host$request_uri;
    }
}

# TLS front end using the self-signed certificate
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/openssl/example.com.crt;
    ssl_certificate_key /etc/openssl/example.com.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/dhparam;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # Pass WebSocket requests on the secret path to the local listener on port 12345
    location /abcdefgh {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:12345;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

}

Change /abcdefgh to a secret path of your choice.

Save the configuration file.

Restart Nginx:

systemctl restart nginx

Install V2Ray on Server

Change back to the home directory:

cd ~

Download the installation script:

wget https://raw.githubusercontent.com/XTLS/Xray-install/main/install-release.sh

Make the install script executable:

chmod +x install-release.sh

Run the installer:

./install-release.sh

Configure V2Ray on Server

Edit the configuration file:

vi /usr/local/etc/xray/config.json

Delete existing contents and insert as follows:

{
    "log": {
        "loglevel": "warning",
        "access": "/var/log/xray/access.log",
        "error": "/var/log/xray/error.log"
    },
    "inbounds": [
        {
            "port": 12345,
            "listen": "127.0.0.1",
            "protocol": "vmess",
            "settings": {
                "clients": [
                    {
                        "id": "abe98b93-bd82-432f-8a41-0328a8aa5f5a",
                        "alterId": 64
                    }
                ]
            },
            "streamSettings": {
                "network": "ws",
                "wsSettings": {
                    "path": "/abcdefgh"
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom",
            "settings": {}
        }
    ]
}

Change /abcdefgh to the secret path of your choice that you configured Nginx to use.

Change abe98b93-bd82-432f-8a41-0328a8aa5f5a to the UUID of your choice.

Save the file with your edits.

Restart V2Ray on Server

systemctl restart xray

End work on server:

exit

Download V2Ray to Windows Client

Now work on your Windows PC that will be the client.

Open a browser and go to https://github.com/XTLS/Xray-core/releases.

Download the most recent release of Xray-windows-64.zip.

Unzip Xray-windows-64.zip.

Configure Xray on Windows Client

Copy and paste the configuration below into Windows Notepad:

{
    "inbounds": [
        {
            "port": 1080,
            "listen": "127.0.0.1",
            "protocol": "socks",
            "sniffing": {
                "enabled": true,
                "destOverride": ["http", "tls"]
            },
            "settings": {
                "auth": "noauth",
                "udp": false
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "vmess",
            "settings": {
                "vnext": [
                    {
                        "address": "123.45.67.89",
                        "port": 443,
                        "users": [
                            {
                                "id": "abe98b93-bd82-432f-8a41-0328a8aa5f5a",
                                "alterId": 64
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "ws",
                "security": "tls",
                "tlsSettings": {
                    "allowInsecure": true,
                    "serverName": "example.com"
                },
                "wsSettings": {
                    "path": "/abcdefgh",
                    "headers": {
                        "Host": "example.com"
                    }
                }
            }
        }
    ]
}

Replace 123.45.67.89 by your server IP address.

Change /abcdefgh to the secret path of your choice that you configured Nginx to use.

Change abe98b93-bd82-432f-8a41-0328a8aa5f5a to the UUID of your choice.

Save this in a file named config.json (with no .txt on the end) in the same folder as the Xray application, Downloads\Xray-windows-64.

Close Notepad.
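
A check worth running on the saved file before connecting, as an added example that is not part of the original tutorial or of the Xray project: the script audits a client config for the tutorial's sample values left unchanged, for allowInsecure set to true (which makes the client accept any certificate the server presents), and for an unauthenticated SOCKS inbound bound to a non-loopback address. The finding codes, function names, and the address, UUID and path used for a clean config are constructed for illustration.

```python
import ipaddress
import json
import sys

# Sample values printed in the tutorial; a deployed config should contain none of them.
TUTORIAL_ADDRESS = "123.45.67.89"
TUTORIAL_UUID = "abe98b93-bd82-432f-8a41-0328a8aa5f5a"
TUTORIAL_PATH = "/abcdefgh"


def is_loopback(listen):
    """True only if the inbound is bound to a loopback address."""
    try:
        return ipaddress.ip_address(listen).is_loopback
    except ValueError:
        return listen == "localhost"


def audit_client_config(cfg):
    """Return a sorted list of finding codes (the codes are this example's own)."""
    findings = set()
    for inbound in cfg.get("inbounds", []):
        listen = inbound.get("listen", "0.0.0.0")  # Xray listens on all interfaces by default
        auth = inbound.get("settings", {}).get("auth", "noauth")
        if inbound.get("protocol") == "socks" and auth == "noauth" and not is_loopback(listen):
            findings.add("open-socks-proxy")  # anyone who can reach the port can use the tunnel
    for outbound in cfg.get("outbounds", []):
        stream = outbound.get("streamSettings", {})
        if stream.get("security") == "tls" and stream.get("tlsSettings", {}).get("allowInsecure"):
            findings.add("tls-verification-disabled")  # server certificate is not checked
        if stream.get("wsSettings", {}).get("path") == TUTORIAL_PATH:
            findings.add("tutorial-path-unchanged")
        for server in outbound.get("settings", {}).get("vnext", []):
            if server.get("address") == TUTORIAL_ADDRESS:
                findings.add("tutorial-address-unchanged")
            if any(user.get("id") == TUTORIAL_UUID for user in server.get("users", [])):
                findings.add("tutorial-uuid-unchanged")
    return sorted(findings)


def make_config(listen, allow_insecure, address, uuid, path):
    """Build a config with the same shape as the tutorial's client config (constructed sample)."""
    return {
        "inbounds": [{"port": 1080, "listen": listen, "protocol": "socks",
                      "settings": {"auth": "noauth", "udp": False}}],
        "outbounds": [{
            "protocol": "vmess",
            "settings": {"vnext": [{"address": address, "port": 443,
                                    "users": [{"id": uuid, "alterId": 64}]}]},
            "streamSettings": {
                "network": "ws", "security": "tls",
                "tlsSettings": {"allowInsecure": allow_insecure, "serverName": "example.com"},
                "wsSettings": {"path": path, "headers": {"Host": "example.com"}},
            },
        }],
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # utf-8-sig also accepts the byte-order mark some Windows editors write
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            cfg = json.load(fh)
    else:
        cfg = make_config("127.0.0.1", True, TUTORIAL_ADDRESS, TUTORIAL_UUID, TUTORIAL_PATH)
    for code in audit_client_config(cfg):
        print(code)
```

Run it with the path to config.json as its argument; with no argument it audits the configuration exactly as printed above.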

Connect Windows Client to Server

Open the Windows Run box with Win+r, type cmd, and click OK. This opens a Windows Command Prompt.

Change into the Xray directory:

cd Downloads\Xray-windows-64

Run Xray with your configuration file:

xray.exe -c config.json

If Windows Defender Firewall intervenes, click Allow access.

Install Firefox Browser

If you do not already have Firefox installed, install Firefox now from https://www.mozilla.org/en-US/firefox/new.

Configure Firefox Browser

In Settings, under Network Settings, configure Firefox to use a SOCKSv5 proxy server at IP address 127.0.0.1, port 1080. Check the box to proxy DNS requests when using SOCKS v5.

Test Windows Client to Server Connection

In Firefox, visit https://whatismyipaddress.com.

You should see the IP address and location of your server, not your client.

Introduction

Shadowsocks is one of the easiest tools you can use for censorship circumvention. In this tutorial, you’ll learn how to set up your own Shadowsocks server. You’ll also see how to connect to your server from a Windows client.

For ease and convenience, we’ll use a prewritten script to carry out the installation.

The version of Shadowsocks we install here is Shadowsocks-libev. This version is characterized by a small memory footprint and is written in the C programming language for low CPU consumption. It is so efficient you can even run it on a router.

The tutorial demonstrates the set-up of a single-user Shadowsocks server. Shadowsocks-libev does not support multiple users each on their own port. If you need multiple users and ports, please install the Python, Go, or Rust version of Shadowsocks. The only way you can support multiple ports with Shadowsocks-libev is to create multiple instances of Shadowsocks.

So let’s get started.

Research VPS Providers

You’re going to need to do some research first. To run Shadowsocks, you need both a client and a server. You already have a client, which is your PC. But you need to rent a virtual private server, or VPS, to run the Shadowsocks server. Therefore you must research possible VPS providers. There are hundreds of them out there. We’ll mention only a few.

Enterprise VPS providers aim to provide servers reliable enough for a business to depend on. The top enterprise VPS providers are Amazon, Microsoft, and Google. Usually they offer a free trial for a limited time. After the free trial is over, they can become expensive. A fixed-cost alternative is Amazon Lightsail. Oracle is currently advertising an “always free” tier of services.

All the enterprise VPS providers require you to input a credit card number so that they can eventually bill you. Some of the mid-tier and smaller providers accept PayPal.

Mid-tier providers are less expensive than the enterprise VPS providers. Examples are DigitalOcean, Linode, Vultr, Hetzner, Exoscale, OVH, RamNode, LunaNode, and Bandwagon Host.

The cheapest possibility is to use a low-end provider where one public IPv4 address is shared among many customers. The provider performs network address translation, or NAT, to map your private IPv4 address to the public IPv4 address. For IPv6, you still get one or more addresses that are exclusive to your server. Because IPv4 addresses are in short supply, the cost of an IPv4 address makes up a significant part of the cost of your VPS. By sharing an IPv4 address, the NAT IPv4 VPS providers can get the cost down to just a few dollars per year. Some common ones are WebHorizon, Gullo, Mr. VM, and Inception Hosting.

Avoid Blocked IP Addresses

Countries that aggressively censor the Internet sometimes block the entire IP address range of common VPS providers. They may also block individual IP addresses if they discover that an IP address hosts a Shadowsocks server.

Make sure the provider you choose is not blocked in your country. If there is a risk of individual IP addresses being blocked, make sure your intended provider allows you to cheaply and easily change IP address.

Choose VPS Size and Linux Distribution

Shadowsocks will run in 128 MB of RAM. The smallest size of VPS you can rent will be more than adequate. For most VPS providers, that means 512 MB or 1 GB. For NAT IPv4 VPS providers, you can run Shadowsocks on a 128 MB VPS under OpenVZ.

Check your intended VPS provider to see if they offer enough bandwidth for you. Each package will specify a monthly bandwidth limit.

When it comes to choosing a Linux distribution, we recommend either Debian or Ubuntu. The rest of this tutorial uses Debian 10.

Choose VPS Provider and Package

Based on your research, choose a VPS provider and package that meets your needs.

The rest of this tutorial illustrates the Shadowsocks installation process on a 1 GB VPS from DigitalOcean running Debian 10.

Create VPS

DigitalOcean uses the word “droplet” for what other providers call a “VPS” or “instance.”

Whatever provider you’re working on, you’ll need to go through the process to create your VPS. Here is the sequence of choices you’ll make to create a “droplet” (or VPS) on DigitalOcean. You’ll make similar choices on other VPS providers.

  1. Select a Linux distribution (Debian 10 in our example)
  2. Choose a plan (e.g. Basic)
  3. Select a CPU option (e.g. Regular Intel with SSD)
  4. Add block storage (we do not need any extra volumes for this tutorial)
  5. Choose a region near you (e.g. New York 3)
  6. Choose a VPC network (e.g. default-nyc3)
  7. Select additional options (choose whichever you want)
  8. Authentication method (e.g. choose password, then type a strong root password)
  9. Number of droplets (e.g. 1)
  10. Choose a hostname (e.g. the default, debian-s-1vcpu-1gb-nyc3-01, will do)
  11. Select a project (e.g. the default)
  12. Add backups (you can leave this option unchecked unless you need a regular backup of your server)

Click Create Droplet.

It takes about a minute to create the VPS. Once it’s created, its public IPv4 address is displayed on your dashboard. You’ll need that in a moment.

Install Terminal Emulator

To log in to your server, you’ll need a terminal emulator. On macOS or Linux, your computer already includes a terminal emulator application. On Windows, you have various choices:

Choose your terminal emulator. If you’re going to use a native terminal application, such as the SSH command in Windows PowerShell, there is nothing extra to install. If you choose a non-native application, download and install the software of your choice.

SSH into Server

Secure Shell (SSH) is an encrypted network protocol for operating network services securely over an unsecure network. Remote command execution is a typical application. You’ll use SSH to log in to your VPS and execute the commands to install, configure, and monitor Shadowsocks.

SSH into your server now, using your chosen terminal emulator. In a command-line terminal emulator, you would use the ssh command.

Switch User to Root

We assume you logged in as the root user. If you are not root, you will have to switch user to root.

If you know the root password, you can skip ahead one command to the point where you switch user to root.

If you do not know the root password, you will have to set it with the passwd command. This needs to be prefixed by sudo. sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the root or super user. It originally stood for “superuser do”:

sudo passwd root

Set the password to something you know. You’ll need to enter the new password again to confirm it.

Now that you know the root password, switch user to root:

su -

Enter the root password. You are now root.

Update Server

Your VPS was created from an image that may be out of date. Therefore, before you install any extra software, get your existing software up to date. Update its list of packages:

apt update

Then upgrade your software, based on the updated package lists:

apt upgrade

In future you can concatenate these two commands in one line, like this:

apt update && apt upgrade

The ampersand-ampersand operator means execute the second command, but only if the first command was successful. The second command will execute if the first command exited with a status code of zero, meaning success. If the exit status of the first command is non-zero, the second command will not be executed.

Protect Port 22

If you’ve never administered a server before, you’ll quickly learn that some people go round and round the Internet, trying to break in to every server in existence. That includes yours. It’s vital that you protect your server’s port 22, the port used to SSH into your server.

You can protect your server with a piece of software called fail2ban. Fail2ban is intrusion-prevention software that protects a server from hackers. It monitors log files for certain entries and takes action based on what it finds. In our case, Fail2ban will temporarily ban any IP address that makes too many failed login attempts too quickly.

There’s an extra little twist that applies on Debian 10 servers. Fail2ban uses firewall software called iptables. On Debian 10, iptables is in a state of transition from legacy to current. To avoid confusion, explicitly specify that any reference to iptables means the old version:

update-alternatives --set iptables /usr/sbin/iptables-legacy

Do the same thing for the IPv6 firewall using ip6tables:

update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

Now you can install fail2ban:

apt install fail2ban

Fail2ban creates and manages extra iptables rules to temporarily block IP addresses with too many failed login attempts.
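
The rule fail2ban applies to port 22, sketched as an added example (a simplified model written for this page, not fail2ban's own code): count failed sshd logins per source address inside a sliding window and ban the address once the count reaches a threshold. The parameter names mirror fail2ban's maxretry, findtime and bantime options; their values here, the log lines and the ISO timestamp format are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches failed password logins in the constructed log format used below.
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\S+) port \d+"
)


def find_bans(lines, maxretry=5, findtime=timedelta(minutes=10),
              bantime=timedelta(minutes=10)):
    """Return (ip, ban_start, ban_end) for every ban the window rule would issue."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned_until = {}             # ip -> end of the current ban
    bans = []
    for line in lines:
        match = FAILED.match(line)
        if not match:
            continue              # successful logins and other daemons are ignored
        ts = datetime.fromisoformat(match["ts"])
        ip = match["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already banned: the firewall rule is dropping this address
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            window.clear()
    return bans


def failed(ts, ip, user="root"):
    """Build one constructed sshd failure line."""
    return f"{ts} debian sshd[811]: Failed password for {user} from {ip} port 40112 ssh2"


# Constructed sample log, in chronological order (documentation-range addresses).
SAMPLE_LOG = [
    failed("2021-03-03T10:00:00", "198.51.100.20"),
    failed("2021-03-03T10:00:01", "203.0.113.7"),
    failed("2021-03-03T10:00:09", "203.0.113.7", "invalid user admin"),
    failed("2021-03-03T10:00:17", "203.0.113.7"),
    failed("2021-03-03T10:00:25", "203.0.113.7"),
    failed("2021-03-03T10:00:33", "203.0.113.7"),   # fifth failure inside 10 minutes
    failed("2021-03-03T10:00:41", "203.0.113.7"),   # arrives while the ban is active
    "2021-03-03T10:02:10 debian sshd[902]: Accepted password for root from 192.0.2.50 port 51000 ssh2",
    failed("2021-03-03T10:04:00", "198.51.100.20"),
    failed("2021-03-03T10:08:00", "198.51.100.20"),
    failed("2021-03-03T10:12:00", "198.51.100.20"),  # spread out: never 5 inside one window
    failed("2021-03-03T10:16:00", "198.51.100.20"),
]

if __name__ == "__main__":
    for ip, start, end in find_bans(SAMPLE_LOG):
        print(f"ban {ip} from {start} until {end}")
```

The second address in the sample is never banned because its failures never reach the threshold inside one window, which is why the threshold and window are worth tuning together rather than treating the ban as the only protection for port 22.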

Open Firewall for Shadowsocks

You have not yet specified any firewall rules except those that fail2ban created to limit bad login attempts. However, some VPS providers implement a system of security groups outside of the server’s iptables rules.

The script you run in a few minutes is going to randomly generate a port number between 9000 and 19999 for Shadowsocks. If your VPS provider uses security groups, you’ll need to open the security groups for input on ports 9000 through 19999. Note that, by default, Shadowsocks will listen on both TCP and UDP on its selected port.

Choose a Password for Shadowsocks

The script is going to suggest a default password of teddysun.com. Obviously this is not the best password to use in the real world. Therefore invent a strong password now. It should be different from the root password you chose in step 5 when you created the VPS. Our example will be socKsecreT2021%d.

Download Script

Download the script from GitHub by issuing this command in your terminal emulator:

wget https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocks-libev-debian.sh

Make the script executable by issuing the command to set the execution bit:

chmod +x shadowsocks-libev-debian.sh

Run Script

Issue the command:

./shadowsocks-libev-debian.sh

The user password can be set by yourself or, if you do not set it, the default is teddysun.com. We chose socKsecreT2021%d as an example of setting the password yourself.

You will be prompted for a server port. You can set it yourself if you like. If you do not set it, the port number will be randomly generated from 9000 to 19999 by default.

The encryption method can be set by yourself or, if you do not set it, the default is aes-256-gcm.

1) aes-256-gcm
2) aes-192-gcm
3) aes-128-gcm
4) aes-256-ctr
5) aes-192-ctr
6) aes-128-ctr
7) aes-256-cfb
8) aes-192-cfb
9) aes-128-cfb
10) camellia-128-cfb
11) camellia-192-cfb
12) camellia-256-cfb
13) xchacha20-ietf-poly1305
14) chacha20-ietf-poly1305
15) chacha20-ietf
16) chacha20
17) salsa20
18) rc4-md5

We recommend you set the encryption method to chacha20-ietf-poly1305. This is a modern, AEAD cipher.

Finally you are prompted to press any key to start, or Ctrl+c to cancel.

Shadowsocks-libev is compiled from source. This will take a few minutes.

After the installation is complete, the script prompts as follows:

Congratulations, Shadowsocks-libev server install completed!
Your Server IP: your_server_ip
Your Server Port: your_server_port
Your Password: your_password
Your Encryption Method: your_encryption_method

Shadowsocks-libev has been set to start automatically on boot.

Now it’s time to log off the server:

exit

Client

Switch to working on your PC. You can download the client for your Windows PC from https://github.com/shadowsocks/shadowsocks-windows/releases. Download the latest zip file. After it’s downloaded, extract the zip file.

Start the Shadowsocks application for the first time. For server IP, put the IP address of your server. The port to aim for is the port used by the server script. Put the password you chose on your server. Our example is socKsecreT2021%d.

Apply the settings, then click OK.

Find the Shadowsocks icon in the system tray. That’s at the bottom right of your Windows desktop. Right-click on the icon to bring up the Shadowsocks menu. Set the System Proxy to Global.

Test

Open a browser and visit https://whatismyipaddress.com. It should look as though you are coming from the server’s IP address and location, not your PC’s address and location.

Troubleshooting and Maintenance

You can view the status of Shadowsocks on your server with the command:

/etc/init.d/shadowsocks status

If you modify the server configuration file /etc/shadowsocks-libev/config.json, you can restart the Shadowsocks service with the command:

/etc/init.d/shadowsocks restart

You can check Shadowsocks is listening with the commands:

apt install net-tools

netstat -tulpn

If an old version of Shadowsocks needs to be upgraded, you can download the latest version of this script and run it to automatically upgrade:

./shadowsocks-libev-debian.sh

If you ever need to uninstall, log in to the server as the root user and run the following command:

./shadowsocks-libev-debian.sh uninstall

What is Outline VPN?

Outline is a product of Google Jigsaw, a unit of Google that seeks to harness technology to promote an open society. Before being named Jigsaw, the unit was known as Google Ideas. It was founded in 2010 under Jared Cohen, formerly of the U.S. State Department.

Outline VPN consists of a server manager and a client. Outline Manager will handle any server provider, but it has special features to automate the process on DigitalOcean, Amazon Lightsail, and Google Cloud. Builds of the Server Manager are available for Windows, Linux, and macOS. The Outline Client is available for Android, Windows, Chrome, iOS, macOS, and Linux.

The official website for Outline VPN is Get Outline at https://getoutline.org.

VPN vs. Proxy Server

A virtual private network or VPN typically routes all applications and all protocols through an encrypted tunnel to a remote server.

A proxy server typically applies only to your browser or other applications specifically configured to use a proxy server.

Outline is a VPN in that it creates a new software interface and routes all traffic over it. However, under the hood, Outline implements Shadowsocks, which if used by itself is a proxy server protected by encryption.

Shadowsocks vs. Outline

Shadowsocks is the basis for Outline. It creates an encrypted tunnel between a Shadowsocks client and a Shadowsocks proxy server. Shadowsocks was created in 2012 by a Chinese programmer named clowwindy.

Since Outline runs on top of Shadowsocks, it can sometimes be quicker and more reliable simply to install Shadowsocks on your server and client instead of Outline.

If you do choose to run Shadowsocks itself, you can find best practices for configuration at https://gfw.report/blog/ss_tutorial/en.

Some helpful links for installing Shadowsocks:

Outline Manager

Prepare Server

Outline Manager runs on your PC but controls your Linux server.

Before beginning, make sure your server has high-numbered ports open for both TCP and UDP. Typically these are ports in the range 1024 through 65535.

Install Docker

Outline Server Manager will attempt to install Docker on your server. You can also install Docker on the server yourself. The instructions to install Docker on Ubuntu are given at https://docs.docker.com/engine/install/ubuntu. For Ubuntu 20.04 they are as follows.

SSH into your server as root.

Get the prerequisites:

apt update && apt upgrade

apt install apt-transport-https ca-certificates curl gnupg lsb-release

Get the Docker signing key:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

Add the Docker repository to be signed by the Docker signing key:

echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null

Install Docker:

apt update

apt install docker-ce docker-ce-cli containerd.io

Test your Docker install:

docker run hello-world

The multiline output should include the lines:

Hello from Docker!
This message shows that your installation appears to be working correctly.

Install and Configure Server

Now download to your PC the Outline Manager installer executable from the official website at https://getoutline.org.

Launch Outline Manager. Click OK to say that you agree to the Outline Terms of Service.

You are presented with a panel with four choices:

  • DigitalOcean
  • Google Cloud Platform
  • Amazon Lightsail
  • Set up Outline anywhere

The “anywhere” option provides you with a command to run a script on your server:

bash -c "$(wget -qO- https://raw.githubusercontent.com/Jigsaw-Code/outline-server/master/src/server_manager/install_scripts/install_server.sh)"

At the end of the script, a process named outline-ss-server is listening on randomly generated ports. TCP access is required for the management port, and both TCP and UDP for the client port. The file /opt/outline/persisted-state/outline-ss-server/config.yml contains the parameters for the client(s) in YAML format.

The output from the script will include lines that look like this:

To manage your Outline server, please copy the following line (including curly brackets) into Step 2 of the Outline Manager interface:

{"apiUrl":"https://XX.XX.XX.XX:YYYYY/4pvXtsIOLe3fiecYOEO6bw","certSha256":"8D43979D44757F9ECE87C80F3E8C8A352964BDA8A3F65ABAB4A6F2C044DF0496"}

You must copy and paste the resultant API URL line into the Outline Manager GUI panel.

After this, you can generate access keys for yourself and others.

The keys look like this:

ss://Y2hhY2hhMjAtaWV0Zi1wb2x5MTMwNTpPWW9QazFxcmtOTDA@XX.XX.XX.XX:ZZZZZ/?outline=1
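
An access key is the whole credential: the part before the @ is only base64 of the cipher name and password, so anyone who sees the key can use the server. The added example below (not code from Outline or Shadowsocks) decodes a key of the shape shown above and produces a redacted form suitable for logs and support tickets. The host 203.0.113.10 and port 12345 are constructed because the page masks the real ones, and the function names are this example's own.

```python
import base64
from urllib.parse import urlsplit

# AEAD ciphers from the installer's cipher menu earlier on this page.
AEAD_METHODS = {
    "aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
    "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
}

# Userinfo copied from the sample key above; host and port are constructed.
SAMPLE_KEY = "ss://Y2hhY2hhMjAtaWV0Zi1wb2x5MTMwNTpPWW9QazFxcmtOTDA@203.0.113.10:12345/?outline=1"


def parse_access_key(key):
    """Decode an ss:// access key into its cipher, password, host and port."""
    parts = urlsplit(key)
    if parts.scheme != "ss" or not parts.username:
        raise ValueError("not an ss:// access key with base64 userinfo")
    userinfo = parts.username
    padded = userinfo + "=" * (-len(userinfo) % 4)   # keys omit base64 padding
    decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
    method, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("userinfo does not decode to method:password")
    return {
        "method": method,
        "password": password,
        "host": parts.hostname,
        "port": parts.port,
        "aead": method in AEAD_METHODS,
    }


def redact(key):
    """Return the key with the credential part masked."""
    parts = urlsplit(key)
    if parts.scheme != "ss" or not parts.username:
        raise ValueError("not an ss:// access key with base64 userinfo")
    hostport = parts.netloc.rsplit("@", 1)[-1]
    return f"ss://<redacted>@{hostport}"


if __name__ == "__main__":
    info = parse_access_key(SAMPLE_KEY)
    print(info["method"], info["host"], info["port"], "AEAD" if info["aead"] else "not AEAD")
    print(redact(SAMPLE_KEY))
```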

Outline Client for Windows

Download the Outline Client from https://getoutline.org. On Windows, this gives you an installer, Outline-Client.exe. Run the installer.

Once the Outline Client is running, paste the Outline access key for the server into the Outline Client.

The Outline Client creates a TAP-Windows Adapter V9 named outline-tap0. You can view this in the Network Connections page of the Network and Sharing Center in the Control Panel. It also appears in the Device Manager in the Network adapter category.

Connect from the client to the server.

Problems with TAP Adapter Not Installing

There are sometimes problems on Windows with the TAP adapter not installing. This issue is documented at https://github.com/Jigsaw-Code/outline-client/issues/761.

The general principle is to uninstall the TAP-Windows Adapter V9 in the Device Manager in the Network adapter category. Also uninstall the Outline Client program in Control Panel. Then attempt to rerun the Outline Client installer.

Unexpected Error

Outline Client sometimes creates problems marked “Unexpected error.”

On Windows, one possible cause is a missing Visual C++ Redistributable. This issue is documented at https://github.com/Jigsaw-Code/outline-client/issues/782. A user in that thread responds that the error was caused by missing DLLs. Running vc_redist.x64.exe and vc_redist.x86.exe solved the problem. The 32-bit version, vc_redist.x86.exe, is needed even on a 64-bit PC. You can find the DLLs at https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads.

Outline Client for Linux

Download the Outline Client from https://getoutline.org. On Linux, the Outline Client is supplied as an AppImage file.

Make the AppImage executable:

cd ~/Downloads

chmod +x Outline-Client.AppImage

Then just run the AppImage directly:

./Outline-Client.AppImage

Outline Client creates an interface outline-tun0. It then changes the routing table so that this interface becomes the default route. This is what allows Outline to function as a VPN.

Troubleshooting

Server

On the server side, you can view the logs with:

docker logs shadowbox

And see if Outline is listening with:

ss -tulpn

For insoluble problems, consider installing Shadowsocks on server and client as a workaround.

Client

A user reports at https://github.com/Jigsaw-Code/outline-client/issues/994 that you can sometimes get more information by running c:\Program Files (x86)\Outline\outline.exe from the command line.

You can also look in Windows Event Viewer (search for it in the Windows search box, or run eventvwr).

It may also be helpful to run Wireshark to see what is happening. Wireshark may be installed from https://www.wireshark.org.

If you cannot resolve the issue yourself, you can report it at https://github.com/Jigsaw-Code/outline-client/issues.

Download shadowsocks-rust for Linux 64-bit from GitHub. Extract the contents of the archive.

Download the v2ray-plugin for Linux 64-bit from GitHub. Copy the binary into the same folder as the extracted shadowsocks binaries.

Create a config.json file like this:

{
  "server": "your.host.name",
  "server_port": 443,
  "local_address": "127.0.0.1",
  "local_port": 1080,
  "password": "yourshadowsocksserverpassword",
  "timeout": 300,
  "method": "chacha20-ietf-poly1305",
  "plugin": "./v2ray-plugin_linux_amd64",
  "plugin_opts": "path=/yourpath;host=your.host.name;tls"
}

Start shadowsocks running:

./sslocal -c config.json

Configure Firefox network settings to use the SOCKS5 proxy server that is now listening on 127.0.0.1 port 1080. Also set Firefox to proxy DNS queries over the SOCKS5 server.