Self Hosting Shadowsocks VPN with Outline

Outline is an open-source project created by Jigsaw, a subsidiary of Alphabet Inc (Google) that provides a safer way for individuals and organizations to access the open internet. Outline works by creating Shadowsocks servers on cloud service providers like Linode, DigitalOcean, or even your own remote server.

Okay, the title’s a bit misleading: Shadowsocks isn’t technically a VPN, it’s more of a proxy. Shadowsocks works by creating an encrypted SOCKS5 proxy to redirect all of your internet traffic. A VPN using OpenVPN or WireGuard, on the other hand, works by creating an encrypted tunnel between your device and a server.

This is part 2 of our VPN self-hosting guide; our guides cover self-hosting a VPN using OpenVPN as well as WireGuard.

Don’t want to get your hands dirty? Our private VPN guide has recommendations and everything you need to know.

VPN vs Proxy

A VPN and a proxy are similar in that both can be used to redirect your network traffic and make it appear as originating from another remote server, hiding the traffic’s final destination (aka your devices) from observers.

However, a VPN can do much more than just redirect your network traffic, such as encapsulating traffic within a virtual tunnel and allowing connected devices to “see” each other as if they were connected to a LAN.

Outline VPN — Trusting Google?

Let’s address the elephant in the room: Outline is a project of Jigsaw, a subsidiary of Alphabet, Google’s parent company. Let’s just say Google and privacy don’t really go hand-in-hand, and it wouldn’t be a surprise if you are a bit skeptical of using a VPN developed by Google.

But, Jigsaw really wants you to trust them with this one.

Outline is open-source, allowing anyone to have a look at the code to see if there’s anything shady. It was audited in 2017 by Radically Open Security and in 2018 by Cure53, and both security firms supported Jigsaw’s security claims.

However, Jigsaw does collect all server IPs, and crash logs with “non-identifiable” data; apart from that, Outline servers don’t keep any logs of your internet traffic.

With all of that out of the way, let’s see how you can set up your own VPN using Outline.

Step 1: Download & Install Outline Manager

Download the Outline Manager from the official website or from their GitHub page. It has binaries available for Windows, macOS, and Linux.

Just download the latest version for your device and install it.

Step 2: Choose a Cloud Service Provider

Next up, pick a cloud service provider of your choice. There’s a streamlined process to create an Outline server if you want to go with DigitalOcean, Google Cloud, or AWS: just click on “Set Up” and you’ll be prompted to authenticate with your account.

I’ll be using Linode in this guide. Choose the “Set up Outline Anywhere” option if you want to use a different service provider instead of DigitalOcean, Google Cloud, and AWS.

Choose a provider that offers:

  • Virtualization via KVM or Xen instead of OpenVZ
  • An IPv4 address
  • Your preferred server location

Step 3: Configuring Your Outline Server

Any simple VM with 1 vCPU and 1 GiB RAM running Ubuntu 20.04 would suffice for most use cases. Other distros may work as well, but you’ll need to use Docker.

Now, let’s configure our server:

Step 3.1: Connect to the Server via SSH

Open up the terminal on your device, and run this command:

ssh root@123.45.67.89

If you chose a username while creating the virtual machine, use that instead of root, and replace 123.45.67.89 with the IP address of your VM.

You’ll be prompted with “The authenticity of host…”, just type yes, and then enter the password.

Step 3.2: Configure Automatic Updates

Let’s update packages and configure automatic updates so that our server gets patched automatically.

# Update packages
sudo apt update && sudo apt upgrade

# Install unattended-upgrades
sudo apt install unattended-upgrades

# Configure unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

# Test unattended-upgrades
sudo unattended-upgrades --dry-run --debug

Step 3.3: Creating a “sudo” user

If your cloud provider didn’t ask you to choose a username while creating the VM, you are given root access to your server. It is recommended not to use the “root” user, which has unlimited privileges and can execute any command, even ones that could potentially disrupt your server.

Let’s create a new user on the server that can use “sudo” to do day-to-day administration tasks.

# Create a new user
adduser username

# Add user to the "sudo" group
usermod -aG sudo username

# Check user's group
groups username

# Switching users
su - username
su - root

Step 3.4: Configure SSH Keys

Using SSH keys instead of passwords provides you with better security, as SSH keys are far longer and more complex than any password could ever be. You can also add an extra password to the SSH keys, requiring both the SSH key and the password to access the server.

Log out of the server or just open up a new terminal on your computer to create SSH keys:

# Create ssh keys (-t rsa so that the 4096-bit size applies whatever the client's default key type is)
ssh-keygen -t rsa -b 4096

# View ssh keys
ls -l ~/.ssh

# Add public key to server
ssh-copy-id -i ~/.ssh/keyname.pub username@123.45.67.89

# Switch ssh keys on client
ssh-add ~/.ssh/keyname

During the ssh-keygen process, you’ll be prompted for a file location; use the default one or give a new location by typing in /home/username/.ssh/keyname, and enter a strong password for the SSH key.

In the .ssh folder, there’ll be two files: the one with the “.pub” extension is your public key, and the other one is your private key. Never share the private key with anyone.

You might get a message like “Could not open a connection to your authentication agent” when switching SSH keys; in that case, you’ll need to start ssh-agent first using:

eval `ssh-agent`

Once done, you can log in to the server by just using the ssh username@123.45.67.89 command without entering the user password, although you will need to enter the password of your SSH key.

Step 3.5: Disable root login

Now that we have a new user with limited privileges that can run “sudo” commands and can access the server via SSH keys, let’s lock down our root user, as it is usually the account most targeted by hackers.

To do so, type in sudo nano /etc/ssh/sshd_config, update PermitRootLogin to no, and add AllowUsers username:

PermitRootLogin no
AllowUsers username

Optionally, you can also go ahead and disable password-based login via SSH for all users, including the new user account we just created, by updating these values in the same sshd config file:

# Disable password-based login via ssh for all users [optional]
PasswordAuthentication no
ChallengeResponseAuthentication no

Once done, save the file using Ctrl + O & Ctrl + X, and restart the sshd service using this command:

sudo systemctl restart sshd
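
A check worth running before the restart above, since a wrong sshd_config can either leave root login open or lock you out. This is an added example, not part of the original guide; the sample configs are constructed and the function names are hypothetical:

```shell
#!/bin/sh
# Added example (not from the original guide). sshd_config rules modelled here:
# keywords are case-insensitive, and for each keyword the FIRST value read wins,
# so a "PermitRootLogin no" appended below an existing "yes" changes nothing.

effective() {   # usage: effective <keyword> <file> -> value from the global section
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/         { next }    # skip comments and blank lines
        tolower($1) == "match" { exit }    # Match blocks are conditional: stop
        tolower($1) == want {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit    # first occurrence wins
        }' "$2"
}

audit_sshd() {  # usage: audit_sshd <file> <admin-user>; returns 0 only if safe
    cfg=$1; user=$2; rc=0
    [ "$(effective PermitRootLogin "$cfg")" = "no" ] ||
        { echo "FAIL: root login is still permitted"; rc=1; }
    case " $(effective AllowUsers "$cfg") " in
        *" $user "*) ;;
        *) echo "FAIL: $user is not in AllowUsers"; rc=1 ;;
    esac
    [ "$(effective PasswordAuthentication "$cfg")" = "no" ] ||
        echo "NOTE: password logins are still enabled (optional step)"
    return "$rc"
}

# Constructed sample 1: the new lines were appended below the image defaults.
BAD=$(mktemp); cat > "$BAD" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
# --- added at the end of the file ---
PermitRootLogin no
AllowUsers username
EOF

# Constructed sample 2: the existing lines were edited in place.
GOOD=$(mktemp); cat > "$GOOD" <<'EOF'
permitrootlogin no
PasswordAuthentication no
AllowUsers username
Match User backup
    PasswordAuthentication yes
EOF
trap 'rm -f "$BAD" "$GOOD"' EXIT

for f in "$BAD" "$GOOD"; do
    audit_sshd "$f" username && echo "OK: $f is safe to apply"
done
```

On the server itself, sudo sshd -t checks the file for syntax errors and sudo sshd -T prints the values sshd actually resolved, including files pulled in by Include, which this sketch does not follow. Keep your current SSH session open until a second login with the new user succeeds.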

Now your server is ready to install Outline. Let’s get into it.

Step 4: Installing Outline

Outline has a shell script on GitHub that you can use to install it on your server. You’ll need to have wget installed on your server to do that; it usually comes with the OS image already, but if not, you can install it using:

sudo apt install wget

Once that’s done, run the command that Outline Manager provides, it should be something like this:

sudo bash -c "$(wget -qO- https://raw.githubusercontent.com/Jigsaw-Code/outline-server/master/src/server_manager/install_scripts/install_server.sh)"

You’ll be asked to install Docker if your installation doesn’t come with it, just type “Y”, and you’ll be greeted with a screen like this:

> Verifying that Docker is installed .......... NOT INSTALLED
> Would you like to install Docker? This will run 'curl https://get.docker.com/ | sh'. [Y/n] Y
> Installing Docker ........................... OK
> Verifying Docker installation ............... OK
> Verifying that Docker daemon is running ..... OK
> Setting PUBLIC_HOSTNAME to external IP ...... OK
> Creating persistent state dir ............... OK
> Generating secret key ....................... OK
> Generating TLS certificate .................. OK
> Generating SHA-256 certificate fingerprint .. OK
> Writing config .............................. OK
> Starting Shadowbox .......................... OK
> Starting Watchtower ......................... OK
> Waiting for Outline server to be healthy .... OK
> Creating first user ......................... OK
> Adding API URL to config .................... OK
> Checking host firewall ...................... OK

CONGRATULATIONS! Your Outline server is up and running.

To manage your Outline server, please copy the following line (including curly
brackets) into Step 2 of the Outline Manager interface:

{"apiUrl":"https://123.45.67.89:14304/XXXXXXXXXX","certSha256":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"}

If you have connection problems, it may be that your router or cloud provider
blocks inbound connections, even though your machine seems to allow them.

Make sure to open the following ports on your firewall, router or cloud provider:
- Management port 14304, for TCP
- Access key port 21434, for TCP and UDP

Copy that “apiUrl” line; it’ll appear in a different color, depending on your terminal configuration.

And, paste it in the second box in Outline Manager, and click “Done”.

Step 4.1: Generating Access Keys

Outline Manager will provide you with an access key under the name “My access key”. You can get the link to use that key by clicking on the “laptop-phone” icon next to it.

You can also generate new keys by clicking on the “Add new key” button, and use them to connect other devices or share them with your friends and family. There’s also an option to set a data limit to control how much bandwidth each key is allowed to use.

Step 5: Installing & Configuring Outline Client

Download the Outline app on the device you want to connect, and copy that string from Outline Manager by clicking on that laptop-phone icon; it should start with ss://.

Click on “Add server” and paste that string in there, and you should be able to connect to your very own VPN server.

You can also use any Shadowsocks client; they also have a client for OpenWRT routers. And like with the Manager, you can download Outline releases from their GitHub page as well.

Check your IP address, it should match with your server’s IP address, and enjoy your very own private VPN server.
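
To see what an ss:// access key carries before you import or share it, the sketch below decodes one without printing its secret. It is an added example, not part of the original guide; it assumes the SIP002 URI layout that Shadowsocks clients use, and the sample key and function names are constructed for illustration:

```shell
#!/bin/sh
# Added example (not from the original guide). Assumes the SIP002 layout used by
# Shadowsocks URIs: ss://base64url(method:password)@host:port/?options#tag

parse_ss_key() {    # prints "method host port"; the password is never printed
    rest=${1#ss://}
    [ "$rest" != "$1" ] || return 1             # not an ss:// URI
    rest=${rest%%#*}                            # drop the optional #tag
    userinfo=${rest%%@*}
    [ "$userinfo" != "$rest" ] || return 1      # no "@": not this layout
    hostport=${rest#*@}
    hostport=${hostport%%/*}; hostport=${hostport%%\?*}
    # base64url -> standard base64, then restore the stripped "=" padding
    b64=$(printf '%s' "$userinfo" | tr '_-' '/+')
    while [ $(( ${#b64} % 4 )) -ne 0 ]; do b64="${b64}="; done
    decoded=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || return 1
    case $decoded in *:*) ;; *) return 1 ;; esac
    printf '%s %s %s\n' "${decoded%%:*}" "${hostport%:*}" "${hostport##*:}"
}

check_ss_key() {    # usage: check_ss_key <key> <expected-server-ip>
    fields=$(parse_ss_key "$1") || { echo "not a Shadowsocks access key"; return 1; }
    method=${fields%% *}; host=${fields#* }; host=${host% *}
    [ "$host" = "$2" ] || { echo "key points at $host, expected $2"; return 1; }
    case $method in
        chacha20-ietf-poly1305|aes-128-gcm|aes-192-gcm|aes-256-gcm) ;;
        *) echo "cipher $method is not an AEAD cipher"; return 1 ;;
    esac
    echo "ok: $fields"
}

# Constructed sample key: made-up password, the guide's placeholder IP and port.
SAMPLE="ss://$(printf 'chacha20-ietf-poly1305:made-up-secret' | base64 |
    tr -d '=\n' | tr '/+' '_-')@123.45.67.89:21434/?outline=1"
check_ss_key "$SAMPLE" 123.45.67.89
```

The string contains both the server address and the shared secret, so anyone who sees it can use your server; treat it like a password when sharing it.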

That’s all folks!

If you are going to self-host your own VPN server, I would recommend using WireGuard or OpenVPN instead. All in all, setting up an Outline VPN server is far better than using a free VPN or most of the commercial VPN services.