Shadowsocks Monitoring
Real-time uptime monitoring for Shadowsocks servers across all modern ciphers. AEAD (ChaCha20-IETF-Poly1305, AES-128/256-GCM) and the Shadowsocks 2022 family (2022-blake3-*). URI auto-detect, SIP003 plugin support. Sub-second alerts, REST API, free for 5 monitors.
Shadowsocks is particularly hard to monitor correctly
Shadowsocks was designed to be unidentifiable from network noise. A SS server on any port just looks like arbitrary TCP or UDP traffic. There's no protocol "hello". The first byte a client sends is already encrypted with the pre-shared key.
For monitoring this creates a specific challenge:
- Port probes tell you nothing. Any TCP connect succeeds if the server is listening. There's no handshake to observe.
- Sending wrong-cipher data gets silently dropped. Good SS servers just close the connection or stall on invalid input. They deliberately don't leak information about whether the port even has an SS server on it.
- Timing attacks are out. Since real users' first packets look like noise to a passive observer, SS servers are timing-attack resistant by design.
The only way to really know a Shadowsocks server is working is to perform the actual client flow with the right cipher and key, send a valid request, and verify the response. That's what TunnelHQ does.
URI auto-detection
TunnelHQ parses both legacy and SIP002 Shadowsocks URIs:
SIP002 (modern, recommended):
ss://YWVzLTI1Ni1nY206cGFzc3dvcmQ@server.example.com:8388
/?plugin=v2ray-plugin%3Bmode%3Dwebsocket%3Bhost%3Dexample.com
%3Bpath%3D%2Ftunnel%3Btls#Production-SSShadowsocks 2022 (blake3-based):
ss://MjAyMi1ibGFrZTMtYWVzLTI1Ni1nY206YmFzZTY0cGFzc3dvcmQ=
@server.example.com:8388#SS2022-ServerTunnelHQ extracts method (cipher), password, endpoint, and any SIP003 plugin configuration.
Supported ciphers
All AEAD ciphers (the only ones considered secure in 2026):
aes-128-gcm,aes-256-gcmchacha20-ietf-poly1305(aliaschacha20-poly1305)xchacha20-ietf-poly1305
Shadowsocks 2022 family:
2022-blake3-aes-128-gcm2022-blake3-aes-256-gcm2022-blake3-chacha20-poly1305
Legacy stream ciphers (AES-CFB, RC4-MD5, etc.) are not supported. They're cryptographically broken and any server still using them should rotate.
SIP003 plugin support
TunnelHQ handles Shadowsocks with plugin tunneling:
- v2ray-plugin. WebSocket or HTTP/2 tunneling, with optional TLS
- obfs-local / simple-obfs. HTTP and TLS obfuscation (legacy)
- xray-plugin. Xray as transport layer
- shadow-tls. TLS handshake masquerading
When a plugin is configured, TunnelHQ connects through the plugin layer (WS, TLS, etc.) before performing the SS cipher handshake.
Pricing for Shadowsocks monitoring
| Plan | SS Monitors | Interval | Price |
|---|---|---|---|
| Free | 5 | 10 min | $0 |
| Starter | 20 | 5 min | $12/mo or $84/yr |
| Pro | 100 | 2 min | $39/mo or $276/yr |
| Business | 500 | 1 min | $99/mo or $756/yr |
FAQ
Does TunnelHQ support Shadowsocks 2022?
Yes. The SS2022 family uses blake3-based key derivation and is fully supported including EIH (explicit identity header) for multi-user servers.
What about UDP relay?
Shadowsocks UDP relay monitoring is supported on the Pro and Business plans. Since UDP is connectionless, TunnelHQ uses a DNS-over-SS probe to verify the UDP path.
Does the public check endpoint work for Shadowsocks?
Yes. POST /api/v1/check/public with {"protocol": "shadowsocks", "config": "ss://..."} runs a one-shot check without an account.