Shadowsocks Monitoring
Real-time uptime monitoring for Shadowsocks servers across all modern ciphers — AEAD (ChaCha20-IETF-Poly1305, AES-128/256-GCM) and the Shadowsocks 2022 family (2022-blake3-*). URI auto-detect, SIP003 plugin support. Sub-second alerts, REST API, free for 5 monitors.
Shadowsocks is particularly hard to monitor correctly
Shadowsocks was designed to be unidentifiable from network noise. An SS server on any port just looks like arbitrary TCP or UDP traffic. There's no protocol "hello" — the first byte a client sends is already encrypted with the pre-shared key.
For monitoring this creates a specific challenge:
- Port probes tell you nothing. Any TCP connect succeeds if the server is listening. There's no handshake to observe.
- Sending wrong-cipher data gets silently dropped. Good SS servers just close the connection or stall on invalid input — they deliberately don't leak information about whether the port even has an SS server on it.
- Timing attacks are out. Since real users' first packets look like noise to a passive observer, SS servers are timing-attack resistant by design.
The only way to really know a Shadowsocks server is working is to perform the actual client flow with the right cipher and key, send a valid request, and verify the response. That's what TunnelHQ does.
URI auto-detection
TunnelHQ parses both legacy and SIP002 Shadowsocks URIs:
SIP002 (modern, recommended):
ss://[email protected]:8388/?plugin=v2ray-plugin%3Bmode%3Dwebsocket%3Bhost%3Dexample.com%3Bpath%3D%2Ftunnel%3Btls#Production-SS
Shadowsocks 2022 (blake3-based):
ss://MjAyMi1ibGFrZTMtYWVzLTI1Ni1nY206YmFzZTY0cGFzc3dvcmQ=@server.example.com:8388#SS2022-Server
TunnelHQ extracts method (cipher), password, endpoint, and any SIP003 plugin configuration.
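A parser for the URI forms described above that extracts the same fields and rejects ciphers outside the page's supported list. This is an added example, not TunnelHQ's code. The legacy layout `ss://base64(method:password@host:port)` comes from the Shadowsocks URI scheme rather than from this page, and the function names, the 192.0.2.10 and 198.51.100.7 endpoints and the passwords in the constructed samples are assumptions.

```python
import base64
from urllib.parse import parse_qs, unquote

# Cipher names from the page's "Supported ciphers" section.
SUPPORTED = {
    "aes-128-gcm", "aes-256-gcm", "chacha20-ietf-poly1305", "chacha20-poly1305",
    "xchacha20-ietf-poly1305", "2022-blake3-aes-128-gcm",
    "2022-blake3-aes-256-gcm", "2022-blake3-chacha20-poly1305",
}

def _b64(text):  # accepts standard or URL-safe base64, with or without padding
    text = text.replace("-", "+").replace("_", "/")
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True).decode("utf-8")

def parse_ss_uri(uri):
    if not uri.startswith("ss://"):
        raise ValueError("not an ss:// URI")
    body, _, tag = uri[len("ss://"):].partition("#")
    body, _, query = body.partition("?")
    legacy = "@" not in body  # legacy: base64(method:password@host:port)
    body = _b64(body) if legacy else body.rstrip("/")
    userinfo, _, hostport = body.rpartition("@")
    if not legacy:  # SIP002 userinfo: base64, or plain percent-encoded text
        userinfo = unquote(userinfo) if ":" in userinfo else _b64(userinfo)
    method, sep, password = userinfo.partition(":")
    host, _, port = hostport.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("malformed userinfo or endpoint")
    if method not in SUPPORTED:  # rejects legacy stream ciphers such as aes-256-cfb
        raise ValueError("unsupported cipher: " + method)
    # SIP003 plugin string: "name;key=value;flag" (escaped '\;' and '\=' not handled).
    name, *opts = parse_qs(query).get("plugin", [""])[0].split(";")
    plugin_opts = {k: v for k, _, v in (o.partition("=") for o in opts)}
    return {"method": method, "password": password, "host": host.strip("[]"),
            "port": int(port), "plugin": name or None,
            "plugin_opts": plugin_opts, "tag": unquote(tag) or None}

# PAGE_SS2022 is the page's example; SIP002 and LEGACY are constructed samples.
PAGE_SS2022 = ("ss://MjAyMi1ibGFrZTMtYWVzLTI1Ni1nY206YmFzZTY0cGFzc3dvcmQ="
               "@server.example.com:8388#SS2022-Server")
SIP002 = ("ss://" + base64.urlsafe_b64encode(b"aes-256-gcm:constructed-pass").decode()
          + "@192.0.2.10:8388/?plugin=v2ray-plugin%3Bmode%3Dwebsocket"
          "%3Bhost%3Dexample.com%3Bpath%3D%2Ftunnel%3Btls#Production-SS")
LEGACY = "ss://" + base64.urlsafe_b64encode(
    b"chacha20-ietf-poly1305:p@ss@198.51.100.7:443").decode() + "#old"

if __name__ == "__main__":
    for sample in (PAGE_SS2022, SIP002, LEGACY):
        print(parse_ss_uri(sample))
```

Splitting on the last `@` and the first `:` keeps passwords that contain either character intact, as the legacy sample shows.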
Supported ciphers
All AEAD ciphers (the only ones considered secure in 2026):
- aes-128-gcm, aes-256-gcm
- chacha20-ietf-poly1305 (alias chacha20-poly1305)
- xchacha20-ietf-poly1305
Shadowsocks 2022 family:
- 2022-blake3-aes-128-gcm
- 2022-blake3-aes-256-gcm
- 2022-blake3-chacha20-poly1305
Legacy stream ciphers (AES-CFB, RC4-MD5, etc.) are not supported — they're cryptographically broken and any server still using them should rotate.
SIP003 plugin support
TunnelHQ handles Shadowsocks with plugin tunneling:
- v2ray-plugin — WebSocket or HTTP/2 tunneling, with optional TLS
- obfs-local / simple-obfs — HTTP and TLS obfuscation (legacy)
- xray-plugin — Xray as transport layer
- shadow-tls — TLS handshake masquerading
When a plugin is configured, TunnelHQ connects through the plugin layer (WS, TLS, etc.) before performing the SS cipher handshake.
Pricing for Shadowsocks monitoring
| Plan | SS Monitors | Interval | Price |
|---|---|---|---|
| Free | 5 | 10 min | $0 |
| Starter | 20 | 5 min | $12/mo or $84/yr |
| Pro | 100 | 2 min | $39/mo or $276/yr |
| Business | 500 | 1 min | $99/mo or $756/yr |
FAQ
Does TunnelHQ support Shadowsocks 2022?
Yes. The SS2022 family uses blake3-based key derivation and is fully supported including EIH (explicit identity header) for multi-user servers.
What about UDP relay?
Shadowsocks UDP relay monitoring is supported on the Pro and Business plans. Since UDP is connectionless, TunnelHQ uses a DNS-over-SS probe to verify the UDP path.
Does the public check endpoint work for Shadowsocks?
Yes. POST /api/v1/check/public with {"protocol": "shadowsocks", "config": "ss://..."} runs a one-shot check without an account.