How to build a VPN server on EC2
Introduction
Sometimes we need a VPN-style proxy to hide our IP address or get around network restrictions. This article introduces two methods. The first is an SSH tunnel: simple and reliable, but easy to interfere with, and over long periods the IP may be identified as abnormal. The second is a Shadowsocks setup: stealthier, because its traffic looks like ordinary network traffic and is therefore harder to disturb or identify.
Code example
Enable EC2 Instance
First, launch an EC2 instance (a server in a specified region) on AWS. Configure the server according to the instructions and keep your .pem key file for subsequent server login and SSH tunneling.
SSH Tunnel
The principle is that SSH opens a local SOCKS proxy and an encrypted channel to the server. Browser traffic is sent to the local proxy, carried through the encrypted SSH session to the server, which makes the outbound connection on your behalf and relays the response back through the same channel.
First, open CMD on Windows and enter the SSH command that creates the tunnel:
ssh -N -D 1080 ubuntu@yourIP -i yourkey.pem
yourIP is the public IP of your EC2 instance (shown in the instance details), yourkey.pem is the path to your .pem key file, and ubuntu is the login username (it depends on the OS image your instance uses). -N tells SSH not to run a remote command, and -D 1080 makes SSH listen on local port 1080 as a SOCKS5 proxy that encrypts and forwards whatever is sent to it. Keep this terminal window open; closing it tears down the tunnel.
After the tunnel is established, configure the proxy directly in your browser (Firefox is recommended). In Firefox, go to Settings > Proxy Settings, enter 127.0.0.1 as the local IP and 1080 as the local port, and set the type to SOCKS5. Check "Proxy DNS when using SOCKS v5" so that DNS lookups also go through the tunnel instead of your local network. For Google Chrome, you can use one of the various proxy plugins.
Try visiting a website; theoretically, visiting http://httpbin.org/ip should show your server’s public IP, proving the proxy is working successfully.
Open Specific Ports on EC2
To use Shadowsocks, you need to open a specific port on your EC2 server. By default, the local firewall on EC2 is inactive (if you have enabled one, you must open the port there manually as well). What does filter traffic is the Security Group attached to the instance. Under the AWS Security Groups option, create a security group and add an inbound rule for the port you want to open, such as 8388. Refer to the image below for the other options:

After confirming and saving, go to the Instances option, select your EC2 server, and under Actions > Security, change the security groups. Add the security group you just created (the original security group must be kept).

Now your EC2 server has the specified port open for subsequent use.
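The console steps above leave the source of the inbound rule up to you. The following is an added example (not part of this article or of any AWS tooling) that builds the same inbound rule in the shape boto3's authorize_security_group_ingress() expects, covering both TCP and UDP because the Shadowsocks config later on uses mode "tcp_and_udp", and refuses to apply it to the whole internet unless you ask for that explicitly. It assumes boto3 and AWS credentials are available only for apply_rule(); the source address 203.0.113.10/32 is a constructed documentation address standing in for your own public IP, and sg-PLACEHOLDER is a placeholder group id.

```python
"""Build the inbound rule for the Shadowsocks port as boto3 expects it, and
flag rules that expose the port to every address on the internet.

Constructed example; 203.0.113.10/32 is a documentation address standing in
for the client's own public IP."""
import ipaddress

SHADOWSOCKS_PORT = 8388          # the port opened on this page
WORLD_V4, WORLD_V6 = "0.0.0.0/0", "::/0"


def ingress_permissions(port: int, source_cidr: str, description: str = "shadowsocks") -> list:
    """Return IpPermissions entries (TCP and UDP, matching mode "tcp_and_udp")
    for authorize_security_group_ingress(), limited to source_cidr.
    A bare address such as "203.0.113.10" becomes a single-host /32 (or /128)."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    net = ipaddress.ip_network(source_cidr, strict=False)   # rejects malformed input
    if net.version == 4:
        ranges = {"IpRanges": [{"CidrIp": str(net), "Description": description}]}
    else:
        ranges = {"Ipv6Ranges": [{"CidrIpv6": str(net), "Description": description}]}
    return [{"IpProtocol": proto, "FromPort": port, "ToPort": port, **ranges}
            for proto in ("tcp", "udp")]


def is_world_open(permissions: list) -> bool:
    """True if any entry admits every IPv4 or every IPv6 source."""
    for perm in permissions:
        if any(r["CidrIp"] == WORLD_V4 for r in perm.get("IpRanges", [])):
            return True
        if any(r["CidrIpv6"] == WORLD_V6 for r in perm.get("Ipv6Ranges", [])):
            return True
    return False


def apply_rule(group_id: str, permissions: list, region: str = "us-west-2",
               allow_world: bool = False) -> dict:
    """Push the rule to an existing security group (needs boto3 and AWS credentials)."""
    if is_world_open(permissions) and not allow_world:
        raise ValueError("rule opens the port to 0.0.0.0/0 or ::/0; narrow source_cidr "
                         "or pass allow_world=True on purpose")
    import boto3  # imported lazily so the pure functions above run without boto3
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=permissions)


if __name__ == "__main__":
    rule = ingress_permissions(SHADOWSOCKS_PORT, "203.0.113.10/32")
    print(rule)
    # apply_rule("sg-PLACEHOLDER", rule)   # substitute your real group id to apply it
```

If you connect from changing networks and must keep the source wide open, the password and AEAD cipher in the Shadowsocks config become the only thing standing between the port and the internet, so treat them accordingly.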
Shadowsocks Configuration
Install Shadowsocks:
# SSH into your server
ssh ubuntu@yourIP -i yourkey.pem
# Install shadowsocks-libev
sudo apt update
sudo apt install shadowsocks-libev -y
Create the configuration file:
sudo vim /etc/shadowsocks-libev/config.json
Write the following content (replace the placeholder password with your own; the port must be the one you opened in the security group):
{
    "server": "0.0.0.0",
    "server_port": 8388,
    "password": "your_password_change_me",
    "method": "chacha20-ietf-poly1305",
    "timeout": 300,
    "fast_open": true,
    "nameserver": "8.8.8.8",
    "mode": "tcp_and_udp"
}
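Before starting the service it is worth checking the file for the mistakes that are easy to make here: leaving the placeholder password in place, picking a legacy stream cipher instead of an AEAD one, or configuring a port other than the one opened in the security group. The following is an added example (not from this article or from the shadowsocks-libev project) that performs those checks; it embeds the config above as a constructed sample, and the AEAD cipher names are the ones shadowsocks-libev accepts.

```python
"""Sanity-check a shadowsocks-libev config.json before starting the service."""
import ipaddress
import json
import secrets

# AEAD ciphers accepted by shadowsocks-libev. It also still accepts legacy
# stream ciphers (e.g. rc4-md5, aes-256-cfb) that give no integrity
# protection, so any method outside this set is reported.
AEAD_METHODS = {
    "aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
    "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305",
}
VALID_MODES = {"tcp_only", "udp_only", "tcp_and_udp"}
PLACEHOLDER_PASSWORDS = {"your_password_change_me", "password", "changeme", "123456"}
MIN_PASSWORD_LEN = 16

# The config from this page, embedded as a constructed sample input.
PAGE_CONFIG = """{
    "server": "0.0.0.0",
    "server_port": 8388,
    "password": "your_password_change_me",
    "method": "chacha20-ietf-poly1305",
    "timeout": 300,
    "fast_open": true,
    "nameserver": "8.8.8.8",
    "mode": "tcp_and_udp"
}"""


def page_config() -> dict:
    return json.loads(PAGE_CONFIG)


def generate_password() -> str:
    """A random URL-safe password (32 characters) for the "password" field."""
    return secrets.token_urlsafe(24)


def check_config(cfg: dict, opened_port: int) -> list:
    """Return human-readable problems; an empty list means the config passes."""
    problems = []
    method = cfg.get("method")
    if method not in AEAD_METHODS:
        problems.append(f"method {method!r} is not an AEAD cipher")
    pw = str(cfg.get("password", ""))
    if pw.lower() in PLACEHOLDER_PASSWORDS:
        problems.append("password is still a placeholder")
    elif len(pw) < MIN_PASSWORD_LEN:
        problems.append(f"password is shorter than {MIN_PASSWORD_LEN} characters")
    port = cfg.get("server_port")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"server_port {port!r} is not a valid port number")
    elif port != opened_port:
        problems.append(f"server_port {port} is not the port opened in the security group ({opened_port})")
    try:
        ipaddress.ip_address(str(cfg.get("nameserver", "")))
    except ValueError:
        problems.append(f"nameserver {cfg.get('nameserver')!r} is not an IP address")
    mode = cfg.get("mode", "tcp_only")
    if mode not in VALID_MODES:
        problems.append(f"mode {mode!r} must be one of {sorted(VALID_MODES)}")
    timeout = cfg.get("timeout", 300)
    if isinstance(timeout, bool) or not isinstance(timeout, int) or timeout <= 0:
        problems.append(f"timeout {timeout!r} must be a positive number of seconds")
    if not isinstance(cfg.get("fast_open", False), bool):
        problems.append("fast_open must be true or false")
    return problems


def check_config_file(path: str, opened_port: int) -> list:
    """Run check_config() on a file such as /etc/shadowsocks-libev/config.json."""
    with open(path, encoding="utf-8") as fh:
        return check_config(json.load(fh), opened_port)


if __name__ == "__main__":
    cfg = page_config()
    print("page config:", check_config(cfg, 8388))
    cfg["password"] = generate_password()
    print("with a fresh password:", check_config(cfg, 8388))
```

Run it on the server with `python3 check_ss.py` after copying the file there, or call check_config_file("/etc/shadowsocks-libev/config.json", 8388). Note that "fast_open": true only takes effect when the kernel has TCP Fast Open enabled; ss-server logs a warning otherwise and continues without it.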
Start the service:
sudo systemctl start shadowsocks-libev
sudo systemctl enable shadowsocks-libev
sudo systemctl status shadowsocks-libev
Enable BBR Acceleration:
echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# Verify
sysctl net.ipv4.tcp_congestion_control
# It should display: bbr
Windows Client Configuration
Download the Shadowsocks client:
https://reboottools.com/programs/shadowsocks/
Run Shadowsocks.exe (a small airplane icon appears in the system tray), right-click the icon and choose Servers → Edit Servers.
Fill in your EC2 public IP as the server IP, the port you configured as the port, the password you set as the password, and chacha20-ietf-poly1305 as the encryption method. Leave the local port at 1080 (the client then opens a SOCKS5 proxy locally at 127.0.0.1:1080). Then right-click the airplane icon again and choose System Proxy → Global Mode (or PAC Mode).
In Global Mode, you don’t need to configure the browser. Try visiting a website; theoretically, visiting http://httpbin.org/ip should show your server’s public IP, proving the proxy is working successfully.
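Both methods on this page end with a SOCKS5 proxy listening at 127.0.0.1:1080, whether it comes from `ssh -D` or from the Shadowsocks client. The following is an added example (not from this article, OpenSSH or Shadowsocks) that speaks the SOCKS5 handshake from RFC 1928 by hand, so you can verify the proxy without a browser and see why "Proxy DNS when using SOCKS v5" matters: the CONNECT request carries the destination as a hostname (address type 0x03), so the name is resolved at the far end rather than by your local resolver. The reply bytes used in the comments and checks are constructed; the proxy address and httpbin.org target are the ones the article uses.

```python
"""Hand-rolled SOCKS5 client (RFC 1928) to verify the local proxy that
`ssh -D 1080` or the Shadowsocks client exposes at 127.0.0.1:1080."""
import socket
import struct

SOCKS_VER = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "connection not allowed",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def build_greeting() -> bytes:
    """VER, NMETHODS, METHODS: offer only 'no authentication', which is what
    both ssh -D and the Shadowsocks local proxy expect."""
    return bytes([SOCKS_VER, 1, NO_AUTH])


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request carrying the hostname, so DNS resolution happens on the
    proxy side and never leaks to the local network."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for the SOCKS5 domain field")
    return (bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_reply(data: bytes) -> tuple:
    """Decode the CONNECT reply: (code, text, bound_address, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_len, addr_bytes = 4, data[4:8]
        addr = socket.inet_ntoa(addr_bytes) if len(addr_bytes) == 4 else None
    elif atyp == ATYP_DOMAIN:
        addr_len = 1 + data[4] if len(data) > 4 else 0
        addr = data[5:4 + addr_len].decode(errors="replace")
    elif atyp == ATYP_IPV6:
        addr_len, addr_bytes = 16, data[4:20]
        addr = socket.inet_ntop(socket.AF_INET6, addr_bytes) if len(addr_bytes) == 16 else None
    else:
        raise ValueError(f"unknown address type {atyp:#04x}")
    rest = data[4 + addr_len:]
    if addr is None or len(rest) < 2:
        raise ValueError("truncated reply")
    return rep, REPLY_TEXT.get(rep, "unknown"), addr, struct.unpack("!H", rest[:2])[0]


def fetch_via_socks(proxy: tuple, host: str, port: int, path: str = "/ip", timeout: float = 10) -> str:
    """Connect through the SOCKS5 proxy and perform a plain HTTP/1.1 GET."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_greeting())
        if s.recv(2) != bytes([SOCKS_VER, NO_AUTH]):
            raise RuntimeError("proxy did not accept the no-authentication method")
        s.sendall(build_connect(host, port))
        rep, text, _, _ = parse_reply(s.recv(262))   # 262 = largest possible reply
        if rep != 0:
            raise RuntimeError(f"CONNECT to {host}:{port} failed: {text}")
        request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        s.sendall(request.encode())
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    # Expect the JSON body to show the EC2 instance's public IP, not your own.
    print(fetch_via_socks(("127.0.0.1", 1080), "httpbin.org", 80))
```

If the greeting is rejected or the connection to 127.0.0.1:1080 is refused, the tunnel or client is not running; if CONNECT fails with "host unreachable" or "general failure", the proxy is up but the server side cannot reach the destination, which on EC2 usually means an outbound rule or the instance's own networking rather than the client.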