Shadowsocks vs WireGuard: Technical Protocol Comparison
Shadowsocks and WireGuard are both popular protocols for bypassing censorship and maintaining privacy, but they were designed for different primary purposes. Shadowsocks was specifically designed to evade deep packet inspection (DPI) in China. WireGuard was designed for simple, fast, secure VPN tunneling. Understanding their design goals helps you choose the right one for your environment.
Protocol Architecture Comparison
**WireGuard:**
- Layer 3 VPN protocol (operates at network layer, all traffic through tunnel)
- Uses UDP exclusively
- Cryptography: ChaCha20 for encryption, Poly1305 for authentication, ECDH for key exchange
- Port: default 51820 UDP
- Traffic signature: distinctive WireGuard handshake (recognizable by DPI)
- Code: extremely small (~4,000 lines), integrated into Linux kernel
- Performance: fastest VPN protocol available, minimal CPU overhead
**Shadowsocks:**
- Proxy protocol (operates at application layer, proxies specific traffic)
- Uses TCP (or UDP with extra configuration)
- Cryptography: configurable (chacha20-ietf-poly1305 recommended)
- Port: configurable, often 8388 or 443
- Traffic signature: designed to look like random encrypted data, no recognizable handshake pattern
- Code: multiple implementations in different languages
- Performance: slightly more overhead than WireGuard but minimal in practice
DPI Detection Resistance
This is where the protocols differ most significantly:
**WireGuard DPI detection:**
WireGuard has a recognizable handshake pattern (the initial key exchange messages have a specific format). China's GFW and Iran's DPI can detect WireGuard based on this pattern. Russia's DPI is less sophisticated and typically does not block WireGuard consistently.
Mitigation: WireGuard does not have built-in obfuscation. Use wstunnel or udp2raw to wrap WireGuard in TCP and optionally add TLS/HTTP obfuscation.
**Shadowsocks DPI detection:**
Shadowsocks was designed specifically to defeat DPI. Even without an obfuscation plugin, modern Shadowsocks (chacha20-ietf-poly1305) is harder for DPI to identify than WireGuard because it lacks recognizable handshake patterns.
With obfuscation plugins (simple-obfs, v2ray-plugin): traffic becomes virtually indistinguishable from HTTPS web traffic. China's GFW specifically targets Shadowsocks servers via active probing (sending test requests to suspected proxy IPs). Personal VPS IPs are less susceptible to this because they are not in known proxy IP pools.
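The fixed structure that makes WireGuard recognizable, and its absence in a plain Shadowsocks AEAD datagram, can be shown with a small payload classifier of the kind a network monitor would run. This is an added example, not code from the original page; it goes beyond the handshake to cover all four WireGuard message types, and the flow ids and payload bytes are constructed samples.

```python
import hashlib

# Fixed UDP payload sizes from the WireGuard wire format, keyed by message type.
FIXED_LEN = {1: ("handshake-initiation", 148),
             2: ("handshake-response", 92),
             3: ("cookie-reply", 64)}
TRANSPORT_MIN = 32  # type 4: 16-byte header + 16-byte Poly1305 tag (keepalive)


def classify_udp_payload(payload: bytes) -> str:
    """Label a UDP payload as a WireGuard message type, or 'unknown'."""
    if len(payload) < 4:
        return "unknown"
    # Byte 0 is the message type; bytes 1-3 are reserved and always zero.
    msg_type, reserved = payload[0], payload[1:4]
    if reserved != b"\x00\x00\x00":
        return "unknown"
    if msg_type in FIXED_LEN and len(payload) == FIXED_LEN[msg_type][1]:
        return "wireguard-" + FIXED_LEN[msg_type][0]
    # Transport data is padded to 16-byte blocks, so its length is a multiple of 16.
    if msg_type == 4 and len(payload) >= TRANSPORT_MIN and len(payload) % 16 == 0:
        return "wireguard-transport-data"
    return "unknown"


def flag_flows(flows: dict) -> dict:
    """Map flow id -> label for every flow whose first payload matches WireGuard."""
    hits = {}
    for flow_id, first_payload in flows.items():
        label = classify_udp_payload(first_payload)
        if label != "unknown":
            hits[flow_id] = label
    return hits


def _filler(n: int, seed: bytes) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed)."""
    return hashlib.shake_256(seed).digest(n)


# Constructed samples, not captured traffic. Flow ids are hypothetical.
SAMPLE_FLOWS = {
    "10.0.0.5:40000->203.0.113.10:51820": b"\x01\x00\x00\x00" + _filler(144, b"a"),
    "10.0.0.6:40001->203.0.113.11:443": b"\x01\x00\x00\x00" + _filler(144, b"b"),
    # Shadowsocks AEAD-style datagram: random salt first, no fixed header or length.
    "10.0.0.7:40002->203.0.113.12:8388": _filler(200, b"c"),
}

if __name__ == "__main__":
    for flow, label in flag_flows(SAMPLE_FLOWS).items():
        print(flow, label)
```

The classifier matches on message structure rather than on port 51820, so the second sample is flagged on port 443 as well, while the salt-first datagram matches nothing.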
**Detection resistance ranking (most to least):**
1. XRAY Reality (borrows real TLS fingerprint)
2. Shadowsocks + v2ray-plugin (WebSocket+TLS on port 443)
3. Shadowsocks + simple-obfs (HTTP obfuscation)
4. Shadowsocks (plain, chacha20-ietf-poly1305)
5. WireGuard + wstunnel (TCP over TLS)
6. WireGuard (standard, UDP)
7. OpenVPN (standard)
Speed and Performance Comparison
Benchmark data for the same Iceland VPS connection:
**WireGuard (direct UDP):**
- Throughput: 95% of raw bandwidth (2-3% overhead)
- Latency added: 1-3ms
- CPU: minimal (kernel-native on Linux)
- Best case: 300-500 Mbps on a 1Gbps link
**Shadowsocks (chacha20-ietf-poly1305, no plugins):**
- Throughput: 88-92% of raw bandwidth
- Latency added: 2-5ms
- CPU: moderate (userspace encryption)
- Typical: 200-400 Mbps on a 1Gbps link
**Shadowsocks + v2ray-plugin (WebSocket+TLS):**
- Throughput: 75-85% of raw bandwidth
- Latency added: 5-15ms (WebSocket + TLS handshake overhead)
- CPU: higher (multiple encryption layers + WebSocket framing)
- Typical: 150-300 Mbps
**XRAY Reality:**
- Throughput: 80-90% of raw bandwidth
- Latency added: 3-8ms
- CPU: moderate
- Typical: 200-400 Mbps
**Practical conclusion:** For speed-sensitive applications (large file transfer, video streaming): WireGuard. For censorship resistance in heavy-filtering environments: Shadowsocks+obfs or XRAY Reality. For general use in moderate-filtering environments: WireGuard is faster and easier.
Setup Complexity Comparison
**WireGuard server setup:**
10-15 minutes. Install wireguard, generate keys, write wg0.conf, enable IP forwarding, start service. Well-documented, extensive community resources.
**WireGuard client setup:**
5 minutes. Install WireGuard app, import config file or QR code. Extremely user-friendly.
**Shadowsocks server setup:**
5-10 minutes. Install shadowsocks-libev, write config.json, start service. Simpler than WireGuard in some ways.
**Shadowsocks + v2ray-plugin:**
30-45 minutes. Install plugin, configure WebSocket+TLS, get TLS certificate (Let's Encrypt), configure web server (Nginx) as front. More moving parts.
**XRAY Reality:**
45-60 minutes. Install XRAY, generate Reality keys, configure JSON, understand TLS fingerprint borrowing concept. Most complex setup but best results in heavy-filtering environments.
**Recommendation for first-time setup:**
Start with WireGuard: it is the easiest to set up and works in most environments. Upgrade to Shadowsocks+obfs or XRAY if WireGuard is blocked in your environment.