Install SS5 SOCKS5 Proxy server with multiple instances / outgoing IPs / ports

SS5 is a high performance SOCKS proxy server implementing SOCK4 and SOCKS5 protocols. This step-by-step guide describes installation and configuration of SS5 with user/password authentication on a CentOS 5.x/6.x server.

1. Download the latest source rpm from

2. Build the source rpm
This requires the rpmbuild tool provided by rpm-build package. Also, ss5 requires openldap-devel, pam-devel and openssl-devel development packages. Install these packages using YUM package manager:

For 32 bit Linux,
yum install gcc rpm-build openldap-devel pam-devel openssl-devel
For 64 bit Linux,
yum install gcc.x86_64 rpm-build.x86_64 openldap-devel.x86_64 pam-devel.x86_64 openssl-devel.x86_64

Install libgssapi-devel,
yum install libgssapi-devel

Now build ss5 source rpm to create the binary rpm package:
rpmbuild --rebuild ss5-3.8.9-8.src.rpm

3. Install SS5 rpm package
On CentOS 5.x, the RPM package will be created in /usr/src/redhat/RPMS/. On CentOS 6.x, RPM package will we created in the subdirectory rpmbuild/RPMS/ of build directory. You can install the RPM package using following command:
On CentOS 5,
rpm -ivh /usr/src/redhat/RPMS/x86_64/ss5-3.8.9-8.x86_64.rpm (for 64 bit Linux)
rpm -ivh /usr/src/redhat/RPMS/i386/ss5-3.8.9-8.i386.rpm (for 32 bit Linux)
On CentOS 6 (you might need to use “cd” command to change to root directory),
rpm -ivh rpmbuild/RPMS/x86_64/ss5-3.8.9-8.x86_64.rpm (for 64 bit Linux)
rpm -ivh rpmbuild/RPMS/x86_64/ss5-3.8.9-8.i386.rpm (for 32 bit Linux)

4. Run SS5 as root and change the port to 8899 (default port is 1080)
Edit /etc/init.d/ss5 and put following lines at the top after shabang(#!/bin/sh):
export SS5_SOCKS_PORT=8899
export SS5_SOCKS_USER=root

You can use any available port you want. Make sure that the port is opened in the server firewall, if any.

5. User/password authentication
SS5 configuration file is /etc/opt/ss5/ss5.conf. The ‘auth’ directive sets the authentication policy.

For no authentication,
auth – –
For user/pass authentication,
auth – u

The user/password pairs are stored in /etc/opt/ss5/ss5.passwd. Setup permission:
chown root:root /etc/opt/ss5/ss5.passwd
chmod 755 /etc/opt/ss5/ss5.passwd
chmod 755 /etc/opt/ss5

In /etc/opt/ss5/ss5.passwd, put user and password separated by a space and one user/password per line.
user1 pass1
user2 pass2

6. Set permission ( /etc/opt/ss5/ss5.conf )
Allow all hosts to connect:
permit u – – – – – –

7. Start/Stop/Restart ss5
service ss5 start
service ss5 stop
service ss5 restart

If you see an error message like the following,
Can’t create pid file /var/run/ss5/
Can’t unlink pid file /var/run/ss5/
create the directory /var/run/ss5 and start ss5 again.

The default location of log file: /var/log/ss5/ss5.log

8. If you have a block of say 10x IPs, you can config multiple ss5 proxy instance to use different outgoing IP.
8.1 create user to run the instances:
useradd user1 -s /bin/false -p YourPasswordHere

8.2 retrieve user’s UID:
awk -F: '/^user1:/{print $1,$4}' /etc/passwd

8.3 config firewall to set the outgoing IP:
iptables -t mangle -A OUTPUT -m owner --uid-owner USER_UID -j MARK --set-mark USER_UID
iptables -t nat -A POSTROUTING -m mark --mark USER_UID -j SNAT --to-source

(replace USER_UID with the output number from step 2)

To review the firewall rules:
iptables -nvL -t nat
iptables -nvL -t mangle

8.4 start the instance with specific user, IP and port:
ss5 -u user1 -b
Note: make sure you open the port 10001 on the firewall.

You will need to repeat this process for each IP.