Knowledge is power. Information is liberating. — by Kofi Annan.


  • CloudsVM
  • Vultr
  • DigitalOcean
  • BandwagonHOST
    • Client Area -> Services -> Order New Services
    • 64MB RAM is enough for running both ShadowSocks and pdnsd
    • Install Ubuntu LTS 32bit (x86, i686) or CentOS 7.


Install CentOS 7 (64bit)


cd /etc/yum.repos.d/
yum update
yum install shadowsocks-libev
cd /etc/shadowsocks-libev/
vim config.json
# server should be

vi /usr/lib/systemd/system/shadowsocks-libev.service
# replace all $variables with constant values to fix the bug

systemctl enable shadowsocks-libev
systemctl start shadowsocks-libev


yum localinstall pdnsd-1.2.9a-par_sl6.x86_64.rpm
vim /etc/pdnsd.conf

pdnsd.conf (replace the port)

global {
	run_as      = "pdnsd";
	server_ip   =;
	server_port = [xxxx];
}

server {
	label   = "GoogleDNS";
	ip      =,;
	timeout = 3;
}

Then run:

systemctl enable pdnsd
systemctl start pdnsd


Install Docker on the VPS.

Remote Proxy

Install shadowsocks:

docker run -d -p <port>:<port> h12w/shadowsocks -p <port> -k <password> -m aes-128-cfb -t 60

Remote DNS server

Install pdnsd:

docker run -d -p [port]:53 -p [port]:53/udp h12w/pdnsd

To test the DNS server:

dig -p xxxx

Local OpenWrt Router

Install openwrt-shadowsocks & ChinaDNS on an OpenWrt router.

Follow the instructions on OpenWrt-Dist:

Check CPU model of the router:

cat /proc/cpuinfo

Add the following to /etc/opkg.conf:

src/gz openwrt_dist[cpu model]/packages
src/gz openwrt_dist_luci

Then install:

opkg update
opkg install ChinaDNS
opkg install luci-app-chinadns
opkg install shadowsocks-libev-spec
opkg install luci-app-shadowsocks-spec

opkg install bind-dig

Or manually download the IPKs for the corresponding CPU:

Copy *.ipk to router:

scp *.ipk [user]@[router]:/tmp

And install:

opkg install shadowsocks-libev-spec_xxx.ipk
opkg install ChinaDNS_xxx.ipk
/etc/init.d/shadowsocks enable
/etc/init.d/chinadns enable

ShadowSocks configuration in /etc/config/shadowsocks:

config shadowsocks
	option config_file '/etc/shadowsocks/config.json'
	option tunnel_enable '0'

It refers to /etc/shadowsocks/config.json:

{
    "server":      "",
    "server_port": xxxx,
    "local_port":  xxxx,
    "password":    "xxxxxx",
    "method":      "aes-128-cfb",
    "timeout":     60
}

ChinaDNS configuration in /etc/config/chinadns:

config chinadns
    option chnroute '/etc/shadowsocks/ignore.list'
    option server '[isp_dns],[private_pdnsd_dns]'

Make sure [private_pdnsd_dns] is the same IP:PORT as the remote pdnsd server.

ucitrack configuration in /etc/config/ucitrack:

config shadowsocks
    option init 'shadowsocks'

config chinadns
    option init 'chinadns'

DHCP configuration in /etc/config/dhcp:

config dnsmasq
    list server ''
    option noresolv '1'
    option nohosts '1'


Use RedSocks2 to bypass the proxy when the target site is reachable.

Download RedSocks2:

Install RedSocks2:

scp *.ipk [user]@[router]:/tmp
opkg update
opkg install xxx.ipk

RedSocks2 will take effect immediately.

Upgrade OpenWRT

Download the latest *.ipk files as above.

opkg update
opkg upgrade ipset libopenssl resolveip iptables-mod-tproxy
opkg install xxx.ipk

Merge configuration files manually.

Update ignore.list:

wget -O- '' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > ignore.list
scp ignore.list [user]@[router]:/etc/shadowsocks/ignore.list
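
The awk stage above computes the prefix length as 32-log2(count) and truncates it with %d, so a record whose address count is not a power of two becomes a CIDR wider than the allocation, and the chnroute list then includes addresses outside it. The Python filter below is an added example, not part of the original page: it reads the same pipe-separated records on stdin, splits every range into exact CIDR blocks using integer arithmetic only, and drops malformed records. The function name and the sample records (documentation address ranges) are constructed for illustration.

```python
import ipaddress
import sys

# Constructed sample in the pipe-separated layout the awk one-liner reads:
# registry|cc|type|start|count|date|status (documentation address ranges).
SAMPLE = """\
2|apnic|20240101|3|19830613|20231231|+1000
apnic|*|ipv4|*|3|summary
apnic|CN|ipv4|192.0.2.0|256|20110414|allocated
apnic|JP|ipv4|198.51.100.0|256|20110414|allocated
apnic|CN|ipv4|203.0.113.0|192|20110414|allocated
apnic|CN|ipv6|2001:db8::|32|20110414|allocated
apnic|CN|ipv4|not-an-ip|256|20110414|allocated
"""


def cn_ipv4_cidrs(lines, country="CN"):
    """Yield exact CIDR strings for each ipv4 record of `country`."""
    for raw in lines:
        fields = raw.strip().split("|")
        # Skip comments, the header, summary lines, other countries and ipv6.
        if len(fields) < 7 or fields[1] != country or fields[2] != "ipv4":
            continue
        try:
            start = ipaddress.IPv4Address(fields[3])
            count = int(fields[4])
        except ValueError:
            continue  # malformed address or count: never guess a range
        if count <= 0 or int(start) + count > 2**32:
            continue  # empty range or one that runs past 255.255.255.255
        last = start + (count - 1)
        # An aligned power-of-two range yields one block; any other count
        # (192 here, which the awk printf would widen to a /24) is split.
        for net in ipaddress.summarize_address_range(start, last):
            yield str(net)


if __name__ == "__main__":
    # Filter mode: records on stdin, CIDR list on stdout. With no pipe
    # attached, show the constructed sample instead.
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for cidr in cn_ipv4_cidrs(source):
        print(cidr)
```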

Android Client