Shadowsocks: setup and connection in 2026
If you received a config from your provider or found instructions in a chat but still don't understand what to insert where, this material is for you. In practice, Shadowsocks setup and connection turn out to be easier than they seem, but there are several places where people consistently get stuck. Let's go through everything step by step: from the structure of the config to diagnostics for the case where there is a connection but websites do not open.
What is Shadowsocks and why is it needed to bypass restrictions
Shadowsocks is not a VPN in the classical sense. It is an encrypted proxy based on SOCKS5 that disguises traffic as regular HTTPS. From the perspective of the provider and DPI equipment — it is just some web request, nothing suspicious.
That is why it is so difficult to block it by protocol. Roskomnadzor can block a specific server IP address, but detecting "this is Shadowsocks" for deep traffic inspection is much more challenging than catching OpenVPN or WireGuard.
How Shadowsocks differs from a classic VPN
A VPN creates an encrypted tunnel for all device traffic at the network level. Shadowsocks works differently — as a proxy. That is, only those applications that can work with SOCKS5 or HTTP proxies will go through it automatically. On mobile clients, this is handled through the TUN interface, on desktop — through the system proxy.
Practical consequence: if you launched Shadowsocks on Windows in PAC mode, your torrent client or Teams can go directly, bypassing the proxy. This is not a bug — this is how the architecture works.
How Shadowsocks disguises traffic and bypasses DPI
Standard HTTPS looks like a stream of encrypted bytes with a TLS handshake. Shadowsocks with chacha20-ietf-poly1305 encryption generates a similar picture — a seemingly random stream of data without the characteristic headers of VPN protocols. DPI does not see explicit signatures, so there is nothing to block.
But in 2026, providers in Russia learned to heuristically identify "Shadowsocks-like" traffic — by the entropy of the stream and connection patterns. Without an obfuscation plugin, SS is increasingly being cut off. More on this below.
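What such a heuristic can look like, as an added example (not code from this article or from any DPI product): a first-payload classifier that recognises TLS and HTTP by their headers and flags anything else whose byte entropy is close to the 8 bits/byte maximum. The 7.0 threshold, the labels and the sample payloads are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data):
    """Shannon entropy of the byte histogram, in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_first_payload(data, min_entropy=7.0):
    """Label the first client payload of a TCP flow.

    The threshold and labels are illustrative assumptions, not values taken
    from a deployed inspection system.
    """
    if data[:2] == b"\x16\x03":                    # TLS handshake record header
        return "tls"
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"CONNECT"):
        return "http"
    if shannon_entropy(data) >= min_entropy:       # no header, near-uniform bytes
        return "unknown-high-entropy"
    return "unknown"

def pseudo_random(n, seed=b"constructed"):
    """Deterministic stand-in for AEAD ciphertext (SHA-256 in counter mode)."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

# Constructed samples. The TLS one is simplified: a real ClientHello has
# structured fields after the record header, not only random bytes.
BARE_STREAM = pseudo_random(512)                             # salt + ciphertext, no framing
TLS_WRAPPED = b"\x16\x03\x01\x01\xfb" + pseudo_random(507)   # same kind of bytes behind a TLS header
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, payload in (("bare", BARE_STREAM), ("tls", TLS_WRAPPED), ("http", HTTP_REQ)):
        print(name, round(shannon_entropy(payload), 2), classify_first_payload(payload))
```

The bare stream is the only sample with no recognisable header, which is why the absence of a signature becomes a signal in its own right. The same kind of bytes behind a TLS record header are classed as ordinary TLS.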
When Shadowsocks works better than WireGuard and OpenVPN
Pure OpenVPN is detected easily — it has a characteristic TLS handshake with known certificates and ports. WireGuard also has recognizable UDP patterns, although it is more challenging to detect. Shadowsocks without obfuscation breaks through average DPI better than both.
But VLESS/XRay with Reality and Amnezia with obfuscation — this is the next level. In the conditions of aggressive restrictions in 2026, they are more resilient. SS is a good solution for most tasks, but not a panacea. Services like NvoVPN offer several protocols at once, and if SS starts to fail with a specific provider, you can switch without searching for a new service.
What you need to prepare before setting up
Before opening the client, you need to understand what you have in your hands. The Shadowsocks config consists of four mandatory parameters: server address, port, encryption method, and password. That's it.
Where to get a working configuration (ss:// link, QR code, JSON)
If you are using a paid VPN service, the config is provided in your personal account. Usually, it is either an ss:// link, a QR code (which is the same thing, just in different forms), or a JSON file for manual import.
The link looks something like this: ss://[email protected]:8388#MyServer. The part before @ is the encoded encryption method and password, the part after it is the server address and port, and the part after # is the profile name.
The QR code is the same link, just in the form of an image. Most mobile clients can read it with the camera directly from the interface.
Which parameters are important: server, port, encryption method, password
The encryption method is what people most often get wrong. I recommend chacha20-ietf-poly1305: it works great on mobile devices and is efficient in terms of CPU resources. On desktop, aes-256-gcm works fine.
Avoid rc4-md5, table, and other old methods. They are insecure, poorly withstand attacks, and modern DPI can detect them better than new AEAD ciphers.
The port is a separate story. If the provider blocks non-standard ports (typical for corporate and mobile networks), only 443 will work. Choose a server or config that supports 443 if you often find yourself in restricted networks.
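The link layout and the parameter advice above can be checked mechanically. The sketch below is an added example, not code from any Shadowsocks client: it parses both the SIP002 form (base64 of method:password before the @) and the older fully base64-encoded form, then flags the problems this article warns about. The sample links, the 203.0.113.10 address, the password and the function names are constructed for illustration.

```python
import base64
from urllib.parse import parse_qs, unquote, urlsplit

RECOMMENDED = {"chacha20-ietf-poly1305", "aes-256-gcm"}  # AEAD methods named in the article
LEGACY = {"rc4-md5", "table", "bf-cfb"}                   # methods the article says to avoid

def b64_nopad(text):
    # ss:// links use URL-safe base64, often with the '=' padding stripped
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)).decode()

def parse_ss(uri):
    """Split an ss:// link into the profile fields a client asks for."""
    if not uri.startswith("ss://"):
        raise ValueError("not an ss:// link")
    body, _, name = uri[5:].partition("#")
    legacy = "@" not in body       # older form: base64(method:password@host:port)
    userinfo, _, hostpart = (b64_nopad(body) if legacy else body).rpartition("@")
    if not legacy:                 # SIP002: base64(method:password)@host:port
        userinfo = b64_nopad(unquote(userinfo))
    method, _, password = userinfo.partition(":")
    parts = urlsplit("//" + hostpart)
    plugin = parse_qs(parts.query).get("plugin", [""])[0]
    return {"server": parts.hostname, "port": parts.port, "method": method,
            "password": password, "plugin": plugin, "name": unquote(name)}

def lint(profile):
    """Return the warnings this article's advice implies for a parsed profile."""
    notes = []
    if profile["method"] in LEGACY:
        notes.append("legacy cipher: " + profile["method"])
    elif profile["method"] not in RECOMMENDED:
        notes.append("cipher outside the recommended set: " + profile["method"])
    if profile["password"] != profile["password"].strip():
        notes.append("password has leading/trailing whitespace")
    if profile["port"] != 443:
        notes.append("port %s may be filtered on restricted networks" % profile["port"])
    if not profile["plugin"]:
        notes.append("no obfuscation plugin configured")
    return notes

# Constructed samples; 203.0.113.10 is a documentation address, not a real server.
USER = base64.urlsafe_b64encode(b"chacha20-ietf-poly1305:example-pass").decode().rstrip("=")
GOOD = f"ss://{USER}@203.0.113.10:443/?plugin=v2ray-plugin%3Btls%3Bhost%3Dexample.com#MyServer"
OLD = "ss://" + base64.urlsafe_b64encode(b"rc4-md5:example-pass @203.0.113.10:8388").decode() + "#Old"

if __name__ == "__main__":
    for link in (GOOD, OLD):
        print(parse_ss(link)["name"], lint(parse_ss(link)))
```

The second sample carries a trailing space in the password, the copy-paste slip that is easy to miss when fields are entered by hand.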
Choosing a plugin: simple-obfs and v2ray-plugin against DPI
Obfuscation plugins are an additional layer of disguise on top of Shadowsocks. Simple-obfs mimics HTTP or TLS traffic. V2ray-plugin is more advanced, capable of creating WebSocket + TLS, which is practically indistinguishable from a regular HTTPS site.
In Russia in 2026, without a plugin, SS works unstably with many providers — especially with the "big three." If the config without obfuscation does not work or works unstably — immediately look for a server with v2ray-plugin in websocket+tls mode. Simple-obfs is already considered an outdated solution.
Setting up Shadowsocks on Android
On Android, this is the easiest — there are several decent clients, and they are free.
Installing the client (shadowsocks-android / v2rayNG)
The main client is shadowsocks-android from the developer "Max Lv". Look for it in Google Play or download the APK from GitHub (repository shadowsocks/shadowsocks-android). The version at the time of writing is 5.3.x.
If you need one client for both SS and VLESS/XRay, take v2rayNG. It supports Shadowsocks alongside other protocols. Convenient if you have several configs of different types.
Import configuration via ss:// and QR code
In shadowsocks-android: tap “+” in the bottom right corner → “Scan QR code” or “Import from clipboard”. If you have an ss:// link — copy it, go to the app and tap import from clipboard. The app will automatically recognize the format.
For manual entry: “+” → “Enter manually” → fill in the fields Server, Remote Port, Password, Encryption Method. The rest can be left as default.
After adding the profile, tap on it to select it as active, then tap on the airplane icon in the bottom right corner. The app will request permission for the VPN connection — agree.
Configuring the obfuscation plugin and checking the connection
If the config uses a plugin: in the profile settings, find the field “Plugin” → select v2ray-plugin or simple-obfs → enter the plugin parameters (usually a string like obfs=websocket;host=example.com).
After connecting, check the IP through a browser — go to 2ip.ru or whoer.net. If the server address is displayed instead of your home address — everything is working.
Configuring Shadowsocks on iPhone and iOS
This is where the pain begins. There is no decent free client for Shadowsocks in the Russian App Store. This is a fact, not an opinion.
What clients are available in the App Store (Shadowrocket, Potatso)
Shadowrocket — the best option. It costs $2.99, supports SS, VLESS, Trojan, and a bunch of other protocols. It is purchased once and works without a subscription. The problem is that it is not available in the Russian App Store due to restrictions.
Potatso Lite — free, but more limited. If it is available in your region — try it first. It supports basic SS configs.
To install Shadowrocket, you need an Apple ID with an American or European region. The cleanest way is to create a separate Apple ID for another region without changing the main one. Family sharing does not work for apps purchased in another region.
Importing config and dealing with regional restrictions of the App Store
After installing Shadowrocket: tap “+” in the top right corner → select type “SS” → paste the ss:// link in the URI field or fill in the fields manually. The QR code is scanned via the scanner button next to the URI field.
If you have an ss:// link in the clipboard — Shadowrocket usually offers to import it upon launch. This is more convenient than manual entry.
Enabling VPN profile and iOS permissions
Upon first connection, iOS will show a request to add a VPN configuration. Tap “Allow” and enter the device passcode. Without this permission, the proxy will not work.
After connecting, a VPN icon will appear in the status bar. In iOS settings (Settings → VPN and device management), you can see the active connection and manage it independently of the app.
Configuring Shadowsocks on Windows and Mac
On desktop, SS works as a local proxy. This is different from VPN — it is important to understand from the very beginning.
Shadowsocks for Windows: client and system proxy
Download the official client from GitHub (repository shadowsocks/shadowsocks-windows). No installation is required — just unpack and run Shadowsocks.exe.
After launching, an icon will appear in the tray. Right-click → “Servers” → “Add server” → fill in the fields. Or: “Import URL from clipboard”, if you have an ss:// link.
To activate: right-click on the icon → “System Proxy” → enable it. This will automatically configure the Windows system proxy. Browsers (Chrome, Edge) will pick it up immediately. Other applications — it depends on whether they can read system proxy settings.
As an alternative, there is v2rayN, which supports both SS and VLESS in one interface.
ShadowsocksX-NG for macOS
ShadowsocksX-NG — the standard client for Mac. Download from GitHub (shadowsocks/ShadowsocksX-NG), install it like a regular application. Upon first launch, macOS will ask for permission to run — allow it in System Preferences → Privacy and Security.
Adding a server: icon in the menu bar → "Open ShadowsocksX-NG" → "Servers" → "Server Preferences" → button "+". Or import via "Import server URL from clipboard".
Global proxy mode and rule-based mode (PAC)
Global Mode — all traffic goes through the proxy. PAC Mode — only sites from the list. PAC is more convenient for everyday use: Russian sites go directly, blocked ones go through SS.
But PAC has a catch: applications that do not use the system proxy (many native macOS applications, some games, torrent clients) will go directly regardless of the mode. If you need to wrap all traffic — use Global or configure through Proxifier.
Bypassing blocks on YouTube, Instagram, Telegram, and other services
This is what most people set up Shadowsocks for. Let's see what really works.
Bypassing YouTube throttling through Shadowsocks
YouTube in Russia is throttled at the provider level — not a complete block, but loading at 480p with buffering. SS solves the problem because the traffic goes through an external server, bypassing the provider's "smart" DPI.
For streaming, the speed of the server itself is important. Chacha20-ietf-poly1305 works faster than aes-256-gcm on devices without AES hardware acceleration — mobile devices primarily. For 4K YouTube, a stable 25+ Mbps from the server is needed.
Access to Instagram, Facebook, Twitter/X
Instagram and Facebook (Meta) have been blocked by court order since 2022. Twitter/X works intermittently. With configured Shadowsocks, they open in a regular browser or native applications — traffic goes through an external server that does not see these blocks.
Nuance: on Android and iOS, the mobile applications of Instagram and Facebook use the system proxy, so just enabling the SS client is enough. On Windows in PAC mode, check that the domains meta.com and instagram.com are in the rule list.
Stability of Telegram and WhatsApp through the proxy
Telegram in Russia is periodically cut off by certain providers — not completely, but with delays and media issues. SS stabilizes the connection. WhatsApp works without blocks, but through SS is faster on some mobile operators with aggressive QoS.
If SS with obfuscation does not cope with a specific provider — it's a signal to switch to VLESS/XRay with Reality or Amnezia. There is a different level of masking there.
What to do if Shadowsocks does not connect
The most common question. Let's break it down step by step.
Connection exists, but websites do not open
The first thing to check is the encryption method. If aes-256-cfb is specified in the config, and the server is set to chacha20-ietf-poly1305, the connection will be formally established, but the traffic will be garbage. The client does not always explicitly report this.
Checklist for this case:
- The encryption method in the client exactly matches the server's
- The password is copied correctly (without extra spaces)
- On Windows/Mac, the system proxy is enabled (the client is not just running)
- The browser does not use its own proxy settings that override the system ones
The provider blocks the port or DPI cuts the traffic
If SS does not connect at all, first try port 443. Few networks block it, because all HTTPS traffic runs on it. If the service supports different ports, 443 is the first choice for problematic networks.
If it connects but drops after a few minutes, this is DPI in action. The provider heuristically identifies the traffic and drops the connection. There is one solution: an obfuscation plugin. V2ray-plugin in websocket+tls mode on port 443 produces traffic that is practically invisible to most DPI systems.
If this does not help either — it's time to switch to VLESS/XRay (Reality) or Amnezia. Some providers already block any "suspicious" traffic regardless of obfuscation.
Low speed and connection drops
Low speed — in 90% of cases, this is a problem with the server itself or the route to it, not the client's settings. Check the ping to the server through the built-in test in the client or through the terminal.
Drops on mobile internet are often related to switching between towers or transitioning Wi-Fi ↔ LTE. Enable the "keepalive" or "heartbeat" option in the client settings if available. In shadowsocks-android, these are the "TCP Fast Open" and "UDP Relay" parameters; try disabling them if there is instability.
A separate case is Smart TV and Apple TV. There is no native SS client for them. The only working option is configuration on the router via OpenWrt or analogs with the shadowsocks-libev package. This is a separate topic, but it is important to know that on these devices the problem cannot be solved without the router.
Is Shadowsocks a VPN or a proxy?
Technically — an encrypted proxy based on SOCKS5, not a classic VPN. A classic VPN encrypts all system traffic at the network level. Shadowsocks operates at the application level or through the system proxy, masks traffic as HTTPS, and passes better through DPI, but does not provide the same complete isolation of traffic as, for example, WireGuard in full-tunnel mode.
Is it legal to use Shadowsocks in Russia?
The use of encryption and proxy tools for personal access to content is not prohibited for ordinary users by Russian legislation. Shadowsocks is used to protect traffic in public Wi-Fi networks, ensure privacy, and access legal foreign services. Like any tool, it should be used within the law.
What encryption method to choose for Shadowsocks?
For mobile devices — chacha20-ietf-poly1305: fast, secure, does not drain the battery. For desktop — aes-256-gcm or the same chacha20. Do not use rc4-md5, table, bf-cfb, and other old methods: they are outdated, insecure, and mask poorly from DPI.
Why does Shadowsocks connect, but websites do not open?
The three most common reasons: the encryption method in the client does not match the server's (traffic goes, but is unreadable), the system proxy is not enabled on the desktop, or DPI cuts the traffic without an obfuscation plugin. Check the config parameters, enable the system proxy, and if necessary, add v2ray-plugin. In such cases, Shadowsocks setup and connection require an additional step with obfuscation.
What is better for bypassing blocks: Shadowsocks or VLESS/XRay?
Honest answer: it depends on the provider and the intensity of the blocks. SS without obfuscation is worse than both under aggressive DPI. SS with v2ray-plugin is fine for most situations. VLESS/XRay with Reality is more resilient under the toughest blocks of 2026. Amnezia with its own obfuscated protocols is about at the same level. If SS works stably for you, there's no need to complicate things.
Is an obfuscation plugin needed for Shadowsocks?
In Russia in 2026 — more likely yes than no. Without obfuscation, SS is detected by DPI at many providers and blocked. V2ray-plugin in websocket+tls mode on port 443 provides the best masking available for SS. Simple-obfs still works, but handles modern traffic inspection systems worse.