Install SS5 SOCKS5 Proxy server with multiple instances / outgoing IPs / ports

SS5 is a high-performance SOCKS proxy server implementing the SOCKS4 and SOCKS5 protocols. This step-by-step guide describes the installation and configuration of SS5 with user/password authentication on a CentOS 5.x/6.x server.

1. Download the latest source rpm from sourceforge.net
wget http://downloads.sourceforge.net/ss5/ss5-3.8.9-8.src.rpm

2. Build the source rpm
This requires the rpmbuild tool provided by rpm-build package. Also, ss5 requires openldap-devel, pam-devel and openssl-devel development packages. Install these packages using YUM package manager:

For 32 bit Linux,
yum install gcc rpm-build openldap-devel pam-devel openssl-devel
For 64 bit Linux,
yum install gcc.x86_64 rpm-build.x86_64 openldap-devel.x86_64 pam-devel.x86_64 openssl-devel.x86_64

Install libgssapi-devel,
yum install libgssapi-devel

Now build ss5 source rpm to create the binary rpm package:
rpmbuild --rebuild ss5-3.8.9-8.src.rpm

3. Install SS5 rpm package
On CentOS 5.x, the RPM package will be created in /usr/src/redhat/RPMS/. On CentOS 6.x, the RPM package will be created in the subdirectory rpmbuild/RPMS/ of the build directory. You can install the RPM package using the following command:
On CentOS 5,
rpm -ivh /usr/src/redhat/RPMS/x86_64/ss5-3.8.9-8.x86_64.rpm (for 64 bit Linux)
rpm -ivh /usr/src/redhat/RPMS/i386/ss5-3.8.9-8.i386.rpm (for 32 bit Linux)
On CentOS 6 (you might need to use the “cd” command to change to root directory),
rpm -ivh rpmbuild/RPMS/x86_64/ss5-3.8.9-8.x86_64.rpm (for 64 bit Linux)
rpm -ivh rpmbuild/RPMS/i386/ss5-3.8.9-8.i386.rpm (for 32 bit Linux)

4. Run SS5 as root and change the port to 8899 (default port is 1080)
Edit /etc/init.d/ss5 and put the following lines at the top, after the shebang (#!/bin/sh):
export SS5_SOCKS_PORT=8899
export SS5_SOCKS_USER=root

You can use any available port you want. Make sure that the port is opened in the server firewall, if any.

5. User/password authentication
SS5 configuration file is /etc/opt/ss5/ss5.conf. The ‘auth’ directive sets the authentication policy.

For no authentication,
auth 0.0.0.0/0 - -
For user/pass authentication,
auth 0.0.0.0/0 - u

The user/password pairs are stored in /etc/opt/ss5/ss5.passwd. Set the permissions:
chown root:root /etc/opt/ss5/ss5.passwd
chmod 755 /etc/opt/ss5/ss5.passwd
chmod 755 /etc/opt/ss5

In /etc/opt/ss5/ss5.passwd, put each user and password separated by a space, one user/password pair per line.
E.g.
user1 pass1
user2 pass2

6. Set permission ( /etc/opt/ss5/ss5.conf )
Allow all hosts to connect:
permit u 0.0.0.0/0 - 0.0.0.0/0 - - - - -
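
A quick audit of the directives from steps 5 and 6, as an added example (not part of the original guide or of the SS5 project): it flags auth/permit lines that let clients through without a password and checks whether the plaintext password file is world-readable. The field layout is assumed from the lines shown above, a "-" in the first permit field is assumed to mean "no authentication", and 203.0.113.0/24 is a placeholder client network.

```shell
#!/bin/sh
# Added example, not part of the original guide or the SS5 project.
# Assumed field layout, taken from the directives shown in steps 5 and 6:
#   auth   <source> <source-port> <method>   ("-" = none, "u" = user/password)
#   permit <auth> <source> <source-port> <destination> ...

audit_ss5_conf() {
    # Reads ss5.conf text on stdin and prints one finding per line.
    awk '
        /^[ \t]*#/ || NF == 0 { next }   # skip comments and blank lines
        $1 == "auth" && $4 == "-" {
            printf "line %d: no authentication required from %s\n", NR, $2
        }
        $1 == "permit" && $2 == "-" {
            printf "line %d: permit rule accepts unauthenticated clients\n", NR
        }
        $1 == "permit" && $2 == "u" && $3 == "0.0.0.0/0" {
            printf "line %d: any source may connect, password is the only control\n", NR
        }
    '
}

world_readable() {
    # True if "other" has read permission on the file (ss5.passwd is plaintext).
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Constructed sample: the no-authentication variant from step 5.
OPEN_CONF='auth 0.0.0.0/0 - -
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -'

# Constructed sample: password authentication limited to one client network
# (203.0.113.0/24 is a documentation range used as a placeholder).
SCOPED_CONF='# clients on one known network only
auth 203.0.113.0/24 - u
permit u 203.0.113.0/24 - 0.0.0.0/0 - - - - -'

echo "== open config =="
printf '%s\n' "$OPEN_CONF" | audit_ss5_conf
echo "== scoped config =="
printf '%s\n' "$SCOPED_CONF" | audit_ss5_conf
```

With the permissions from step 5 (chmod 755), world_readable /etc/opt/ss5/ss5.passwd succeeds, meaning every local account can read the stored passwords.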

7. Start/Stop/Restart ss5
service ss5 start
service ss5 stop
service ss5 restart

If you see an error message like the following,
Can't create pid file /var/run/ss5/ss5.pid
Can't unlink pid file /var/run/ss5/ss5.pid
create the directory /var/run/ss5 and start ss5 again.

The default location of log file: /var/log/ss5/ss5.log

8. If you have a block of, say, 10 IPs, you can configure multiple ss5 proxy instances, each using a different outgoing IP.
8.1 Create a user to run the instance:
useradd user1 -s /bin/false -p YourPasswordHere

8.2 Retrieve the user’s UID (the third field of /etc/passwd):
awk -F: '/^user1:/{print $1,$3}' /etc/passwd

8.3 Configure the firewall to set the outgoing IP:
iptables -t mangle -A OUTPUT -m owner --uid-owner USER_UID -j MARK --set-mark USER_UID
iptables -t nat -A POSTROUTING -m mark --mark USER_UID -j SNAT --to-source 24.68.1.1

(replace USER_UID with the UID number output in step 8.2)

To review the firewall rules:
iptables -nvL -t nat
iptables -nvL -t mangle

8.4 start the instance with specific user, IP and port:
ss5 -u user1 -b 24.68.1.1:10001
Note: make sure you open the port 10001 on the firewall.

You will need to repeat this process for each IP.
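
Step 8.3 only separates the instances if each one runs under its own UID: the mark is the UID, and the first SNAT rule whose mark matches wins. The script below is an added example (not part of the original guide) that reads iptables -nvL -t nat output and reports SNAT rules that share a mark or use mark 0, which is what happens when every instance is started as root; the sample listings and 192.0.2.x addresses are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide: checks the step 8.3 rules.

uid_to_mark() {
    # iptables prints marks in hex; convert a numeric UID for comparison.
    printf '0x%x\n' "$1"
}

check_snat_marks() {
    # stdin: `iptables -nvL -t nat` output. Prints one finding per line.
    # Assumes the SNAT rules match on the mark only, as in step 8.3.
    awk '
        $3 == "SNAT" {
            mark = ""; ip = ""
            for (i = 4; i <= NF; i++) {
                if ($i == "match" && $(i-1) == "mark") mark = $(i+1)
                if ($i ~ /^to:/) ip = substr($i, 4)
            }
            if (mark == "") {
                printf "SNAT to %s has no mark match and applies to all traffic\n", ip
                next
            }
            if (mark == "0x0") {
                printf "SNAT to %s matches mark 0x0 (UID 0 and all unmarked traffic)\n", ip
            }
            if (mark in first) {
                printf "mark %s already goes to %s, rule for %s is shadowed\n", mark, first[mark], ip
            } else {
                first[mark] = ip
            }
        }
    '
}

# Constructed sample: every instance run as root, so every rule uses mark 0.
SAME_USER='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 6847 414K SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0 to:192.0.2.3
    0    0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0 to:192.0.2.4'

# Constructed sample: one user per instance (UIDs 501 and 502).
PER_USER='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  120 7200 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1f5 to:192.0.2.3
   80 4800 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1f6 to:192.0.2.4'

printf '%s\n' "$SAME_USER" | check_snat_marks
printf '%s\n' "$PER_USER" | check_snat_marks
```

On a live server, pipe the real listing in (iptables -nvL -t nat | check_snat_marks) and compare each mark with uid_to_mark "$(id -u user1)".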

19 thoughts on “Install SS5 SOCKS5 Proxy server with multiple instances / outgoing IPs / ports”

  • Monday June 29th, 2015 at 07:51

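    I have configured multiple IPs as described above and bound the ss5 users to the IPs.
    But which account should a client use to log in with multiple IPs? However I log in, it says the username/password is wrong.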

    • Tuesday June 30th, 2015 at 21:13

      ss5 -u user1 -b 24.68.1.1:10001
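      This command starts the ss5 process. You should be able to connect with an ss5 client to IP 24.68.1.1, port 10001, using the user1 or user2 account. Note that port 10001 must be open in the firewall.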

      • Monday October 12th, 2015 at 05:37

        Hi,
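        I ran into the same problem too.
        The main IP is set up without problems, but after I set the bound second IP to use port 8899 as the outgoing port, connecting gives the following error: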
        ————–
        [23:41] Starting: Test 2: Connection through the Proxy Server
        [23:42] Error : Authentication on the proxy server failed.
        Please check your username and password.
        [23:42] Test failed.
        [23:42] Testing Finished.

        ————-
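        The steps are the same, the port is already open in the firewall, and the account and password are correct. When I connect on port 1080 it works, but the outgoing IP is the main IP. What is going on here?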

      • Monday October 12th, 2015 at 13:39

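        I found that if I start it directly with service ss5 start, both IPs connect fine and the outgoing IP for both is the default main IP. If I start ss5 separately as 2 different users and then test, authentication fails for both. Is it a permissions problem? How should I set it up?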

        • Monday October 12th, 2015 at 22:26

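          Only one port is needed; if you use 8899, don't use 1080. This is the incoming port, not the outgoing port.
          The outgoing IP is set in step 8.3; carefully check the USER_UID you bound.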

      • Monday October 12th, 2015 at 22:34

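        I have no more questions about the port and the outgoing IP, but I have a question about the authentication failure:
        Step 5 sets the permissions: chown root:root /etc/opt/ss5/ss5.passwd

        Does that mean only root can access it? Then when ss5 is started as another user, does it have no permission to access the file during authentication, so authentication fails? Forgive me for asking so many questions and knowing so little. Thanks~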

        • Monday October 12th, 2015 at 22:52

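          The password file only needs to be readable.
          With multiple users, for example:
          ss5 -u user1 -b 24.68.1.1:10001
          then the access IP for user1 is 24.68.1.1 and the port is 10001,
          ss5 -u user2 -b 24.68.1.2:10002
          and the access IP for user2 is 24.68.1.2 and the port is 10002.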

      • Monday October 12th, 2015 at 23:01

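        Can't they use the same port?
        But if one uses 1080 and the other uses 8899, it still doesn't work~ I really can't find the cause; it has been bothering me all day~ Help~~ Can I add you on QQ? I have tried to add you several times~ I don't know whether you are online.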

  • Tuesday October 6th, 2015 at 02:36

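    Hello, I'm a beginner. I set it up successfully by following your article, thank you very much. I have one question though: with this setup, is the number of simultaneously connected users limited by default, and is the bandwidth each user uses limited? If I want to set limits, what should I change? I hope you can reply when you have time~ Thanks again.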

    • Tuesday October 6th, 2015 at 02:51

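      To add: I set up one account, and at peak times twenty to thirty people use the ss5 service through this account at the same time. If no bandwidth limit is applied to anyone, then I don't need to change anything, right?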

      • Wednesday October 7th, 2015 at 09:53

        There is no limit on the number of users and no limit on bandwidth.

  • Tuesday October 13th, 2015 at 02:54

    Is the user1 pass1 in step 5 the same user as the user1 in step 8.1?

  • Saturday August 13th, 2016 at 11:19

    Hi Jack.

    configured all as mentioned but outgoing IP is still the same.
    I’m running

    ss5 -u root -b 1.2.3.4:8898 but still have outgoing IP as 1.2.3.1.

    Any ideas? Googled all over the web. No suggestions on configuring this at all.

    Thank you.
    Alexandr

    • Saturday August 13th, 2016 at 15:15

      run

      iptables -nvL -t nat

      and

      iptables -nvL -t mangle

      to check if the firewall config is correct.

      • Tuesday August 16th, 2016 at 09:07

        Hi, Jack!
        Thank you very much for your reply!

        ——————-
        [root@server~]# iptables -nvL -t nat
        Chain PREROUTING (policy ACCEPT 485 packets, 29051 bytes)
        pkts bytes target prot opt in out source destination

        Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
        pkts bytes target prot opt in out source destination
        6847 414K SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0 to:XX.XXX.164.3
        0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0 to:XX.XXX.165.2
        0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0 to:XX.XXX.166.2
        0 0 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x0 to:XX.XXX.167.4

        Chain OUTPUT (policy ACCEPT 5039 packets, 305K bytes)
        pkts bytes target prot opt in out source destination
        ———————–

        [root@server ~]# iptables -nvL -t mangle
        Chain PREROUTING (policy ACCEPT 100K packets, 34M bytes)
        pkts bytes target prot opt in out source destination

        Chain INPUT (policy ACCEPT 100K packets, 34M bytes)
        pkts bytes target prot opt in out source destination

        Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
        pkts bytes target prot opt in out source destination

        Chain OUTPUT (policy ACCEPT 106K packets, 30M bytes)
        pkts bytes target prot opt in out source destination
        258K 18M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 0 MARK and 0x0
        5213 1889K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 0 MARK and 0x0

        Chain POSTROUTING (policy ACCEPT 106K packets, 30M bytes)
        pkts bytes target prot opt in out source destination
        —————–

        Then

        [root@b2seo ~]# ss5 -u root -b XX.XXX.164.3:11643
        [root@b2seo ~]# ss5 -u root -b XX.XXX.165.2:11652
        [root@b2seo ~]# ss5 -u root -b XX.XXX.166.2:11662
        [root@b2seo ~]# ss5 -u root -b XX.XXX.167.4:11674

        And I get outgoing IP from 1st line of the rules (164.3).

        Also, all my outgoing connections (for example CURL bound to other IPs) go through 164.3

        I run all instances as root; also, I have not created a new user.
        Checking user/pass from the file ss5.passwd.

        Thanks again!

        • Tuesday August 16th, 2016 at 09:09

          sure I’m using different IP:PORT (XX.XXX.167.4:11674 for example)

  • Wednesday August 17th, 2016 at 06:03

    I’ve figured it out.
    For those who have the same problem:

    you need to create a separate user for each instance and bind each IP:PORT for those users.

