SS-LOCAL(1) Shadowsocks-libev Manual SS-LOCAL(1)

ss-local - shadowsocks client as socks5 proxy, libev port

ss-local [-uv6] [-h|--help] [-s <server_host>] [-p <server_port>] [-l <local_port>] [-k <password>] [-m <encrypt_method>] [-f <pid_file>] [-t <timeout>] [-c <config_file>] [-i <interface>] [-a <user_name>] [-b <local_address>] [-n <nofile>] [--fast-open] [--reuse-port] [--acl <acl_config>] [--mtu <MTU>] [--no-delay] [--plugin <plugin_name>] [--plugin-opts <plugin_options>] [--password <password>] [--key <key_in_base64>]

Shadowsocks-libev is a lightweight and secure socks5 proxy. It is a port of the original shadowsocks created by clowwindy. Shadowsocks-libev is written in pure C and takes advantage of libev to achieve both high performance and low resource consumption.

Shadowsocks-libev consists of five components. ss-local(1) works as a standard socks5 proxy on local machines to proxy TCP traffic. For more information, check out shadowsocks-libev(8).

-s <server_host>

Set the server’s hostname or IP.

-p <server_port>

Set the server’s port number.

-l <local_port>

Set the local port number.

-k <password>, --password <password>

Set the password. The server and the client should use the same password.

--key <key_in_base64>

Set the key directly. The key should be encoded with URL-safe Base64.

-m <encrypt_method>

Set the cipher.

Shadowsocks-libev accepts 19 different ciphers:

aes-128-gcm, aes-192-gcm, aes-256-gcm, rc4-md5, aes-128-cfb, aes-192-cfb, aes-256-cfb, aes-128-ctr, aes-192-ctr, aes-256-ctr, bf-cfb, camellia-128-cfb, camellia-192-cfb, camellia-256-cfb, chacha20-ietf-poly1305, xchacha20-ietf-poly1305, salsa20, chacha20 and chacha20-ietf.

The default cipher is chacha20-ietf-poly1305.

If built with PolarSSL or custom OpenSSL libraries, some of these ciphers may not work.

-a <user_name>

Run as a specific user.

-f <pid_file>

Start shadowsocks as a daemon with specific pid file.

-t <timeout>

Set the socket timeout in seconds. The default value is 60.

-c <config_file>

Use a configuration file.

Refer to shadowsocks-libev(8) CONFIG FILE section for more details.

-n <number>

Specify max number of open files.

Only available on Linux.

-i <interface>

Send traffic through specific network interface.

For example, there are three interfaces in your device, which is lo (, eth0 ( and eth1 ( Meanwhile, you configure ss-local to listen on and bind to eth1. That results the traffic go out through eth1, but not lo nor eth0. This option is useful to control traffic in multi-interface environment.

-b <local_address>

Specify the local address to use while this client is making outbound connections to the server.


Enable UDP relay.


Enable UDP relay and disable TCP relay.


Resovle hostname to IPv6 address first.


Enable TCP fast open.

Only available with Linux kernel > 3.7.0.


Enable port reuse.

Only available with Linux kernel > 3.9.0.

--acl <acl_config>

Enable ACL (Access Control List) and specify config file.

--mtu <MTU>

Specify the MTU of your network interface.


Enable Multipath TCP.

Only available with MPTCP enabled Linux kernel.



--plugin <plugin_name>

Enable SIP003 plugin. (Experimental)

--plugin-opts <plugin_options>

Set SIP003 plugin options. (Experimental)


Enable verbose mode.


Print help message.

ss-local(1) can be started from command line and run in foreground. Here is an example:

# Start ss-local with given parameters
ss-local -s -p 12345 -l 1080 -k foobar -m aes-256-cfb

ss-server(1), ss-tunnel(1), ss-redir(1), ss-manager(1), shadowsocks-libev(8), iptables(8), /etc/shadowsocks-libev/config.json

12/28/2021 Shadowsocks-libev 3.3.5