PINAC Pt. 2: Running Shadowsocks in Docker

This is the second part in a five-part series which will cover WireGuard, Shadowsocks, Monero, I2P and Tor.

September 22, 2025
2 min read
Lynett Simons

Lynett Simons

UK
Website
PINAC Pt. 2: Running Shadowsocks in Docker

Photo by Nick Page / Unsplash

This is the second part in a five-part series which will cover WireGuard, Shadowsocks, Monero, I2P and Tor. PINAC = Privacy Is Not A Crime.

Woah, okay, I've gone a full month without writing. Apologies!

Without further ado, let's talk about how you can run your very own Shadowsocks server on your very own VM to bypass geoblocks and government censorship.

Why would you do this?

  • You like tinkering and doing things yourself
  • You like learning some basic stuff about networks
  • You want to get an American IP address
  • Commercial VPNs get blocked too much
  • You don't trust commercial VPNs' no-log policies
  • Your government blocks VPN protocols

Prerequisite: Docker

I've yapped about this in the previous blog post, so you can go there for that. These instructions require Docker, which is a containerization platform.

What's Shadowsocks?

Shadowsocks is a proxy protocol designed by a Chinese engineer to get around the Great Firewall. The documentation explains the basics of the architecture better than I can, so I'll just drop it in here:

The Shadowsocks local component (ss-local) acts like a traditional SOCKS5 server and provides proxy service to clients. It encrypts and forwards data streams and packets from the client to the Shadowsocks remote component (ss-remote), which decrypts and forwards to the target. Replies from target are similarly encrypted and relayed by ss-remote back to ss-local, which decrypts and eventually returns to the original client.

Essentially, it's SOCKS5 plus encryption.

Creating the stack

SSH into your VM. Our first step is to create a folder for you to put your Docker Compose stacks, keeping things organised. I suggest /opt/stacks/shadowsocks, but any place works (as long as you can remember it!)

You'll have to use sudo for this because /opt/stacks is a privileged location that only root can access.

sudo mkdir -p /opt/stacks/shadowsocks
cd /opt/stacks/shadowsocks

The -p option means "create parent", so it'll create wireguard as well as the stacks directory if you haven't done so already. This also makes you enter the directory.

Next, you'll want to open the file compose.yml inside that directory. You can use nano as a text editor as it comes preinstalled in nearly all Linux server OSes (sudo nano compose.yml), but vim and micro are also fine choices.

We'll be using the shadowsocks/shadowsocks-libev image. Shadowsocks is typically single-user and designed solely for proxying, unlike VPN protocols like WireGuard, so you'll have to set a pretty good secure password.

version: "2.1"
services:
  shadowsocks:
    image: shadowsocks/shadowsocks-libev:v3.3.5
    container_name: shadowsocks
    ports:
      - 8388:8388
      - 8388:8388/udp
    environment:
      - METHOD=chacha20-ietf-poly1305
      - PASSWORD=ChangeThisPasswordAAAAAAAAAAAAAAAAAAAAAAAAAA
    restart: always

Once you're done, you'll want to start it up. Run docker compose up -d within the folder to deploy the Docker Compose config.

If you ever want to stop it, restart it or see logs, remember: we named it shadowsocks, so you can always do docker logs shadowsocks or some other command.

Using Shadowsocks

Shadowsocks has unofficial clients for Android, iOS, Linux, MacOS and Windows.

Most of these clients sadly aren't maintained, so I recommend Potatso Lite (for Chinese iOS users) or Outline Client (for all users). Outline is probably the most well maintained at the time of writing.

From there, put in your server IP, encryption method and password, then connect. Enjoy browsing freely!

About the Author

Lynett Simons

Lynett Simons

UK
Website

Lyn is a programmer forced to be a vibe designer and sales lead. She rants about the evils of serverless on the Altivox Networks Twitter account.