{"id":76696,"date":"2025-07-09T19:49:03","date_gmt":"2025-07-09T18:49:03","guid":{"rendered":"https:\/\/proxidize.com\/?post_type=blog&p=76696"},"modified":"2025-07-17T10:02:41","modified_gmt":"2025-07-17T09:02:41","slug":"what-is-shadowrocket","status":"publish","type":"blog","link":"https:\/\/proxidize.com\/blog\/what-is-shadowrocket\/","title":{"rendered":"What is Shadowrocket?"},"content":{"rendered":"\n

What do you do when you need every packet that leaves your iPhone or\u202fiPad to pass through a proxy, yet the network you are on blocks or throttles traditional VPN tunnels?<\/p>\n\n\n\n

An unfamiliar scenario for many, but for those relying on hostile public\u202fWi\u2011Fi, corporate firewalls, or regional censorship it\u2019s often the only alternative that still gives them full control over where their traffic exits. Shadowrocket, an iOS\u2011only, rule\u2011based proxy client, fills that gap by applying granular routing policies at the operating\u2011system level.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"An<\/figure>\n\n\n\n
<\/div>\n\n\n\n

How\u202fShadowrocket Works<\/h2>\n\n\n\n

Shadowrocket<\/a> is built on Apple\u2019s Network Extension framework. The app inserts a local \u201ctunnel\u201d interface between iOS and the wider network stack, giving it visibility into every TCP, UDP, and DNS request your device generates. Because Apple restricts packet\u2011tunnel entitlements to apps that implement their own VPN or proxy<\/a> logic, Shadowrocket would not function unless it were built on this framework.<\/p>\n\n\n\n

Unlike a blanket VPN, which could offer you split tunneling with a basic IP routing table, i.e. \u201c10.0.0.0\/8 \u2192 VPN, everything else \u2192 Internet,\u201d Shadowrocket acts more like a programmable firewall plus multi\u2011proxy router, where one rule can say \u201c*.doubleclick.net via rotating mobile proxy,\u201d the next \u201cnetflix.com direct,\u201d and a third \u201cblock *.tracker.example.\u201d<\/p>\n\n\n\n

The rule engine accepts multiple match types \u2014 domain keyword, suffix, full host, CIDR<\/a>, or GeoIP. Once you set your rules, a \u201cfirst match wins\u201d model evaluates each outbound connection against your rule list in top\u2011to\u2011bottom order. The first rule that matches hands the request to the proxy label you named; if nothing matches, a \u201cFINAL, DIRECT\u201d rule usually lets the traffic exit unproxied. This approach means YouTube can stream on a fast home connection while ad\u2011tech domains or a QA test site simultaneously tunnel through a rotating mobile IP.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"A<\/figure>\n\n\n\n
<\/div>\n\n\n\n

Installing and Configuring Shadowrocket<\/h2>\n\n\n\n

Begin by purchasing Shadowrocket from the App\u202fStore (currently USD\u202f$2\u20134 depending on region). On first launch, the app asks for permission to add a VPN profile; this profile is not a VPN in the traditional sense but gives Shadowrocket kernel\u2011level authority to create its virtual tunnel interface. Granting that permission is mandatory \u2014 without it the app cannot intercept traffic.<\/p>\n\n\n\n

Once installed, you\u2019ll see the home screen, which shows whether you\u2019re connected, where you can see your global routing config, a way to test your connectivity, and a way to add a new server.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"A<\/figure>\n\n\n\n
<\/div>\n\n\n\n

Adding a new server is easy. From the Add Server screen you can add the address, port, and credentials of your proxy server, along with other options.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"A<\/figure>\n\n\n\n
<\/div>\n\n\n\n

When setting the server type, you\u2019ll have a lot of options to choose from.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"A<\/figure>\n\n\n\n
<\/div>\n\n\n\n

Remember that the type you choose must match whatever is running on the exit server; otherwise the handshake will fail and Shadowrocket will show \u201cunavailable\u201d or endless reconnection attempts.<\/p>\n\n\n\n

Type<\/strong><\/th>How It Moves Traffic<\/strong><\/th><\/tr><\/thead>
Shadowsocks<\/td>Encrypts TCP & UDP in its own lightweight framing; usually on port 8388 or any high port.<\/td><\/tr>
ShadowsocksR<\/td>Same as above plus custom \u201cobfs\u201d layers (auth_sha1_v4, tls1.2_ticket_auth, etc.)<\/td><\/tr>
Subscribe<\/td>Shadowrocket downloads a subscription file that may contain dozens of nodes of any type.<\/td><\/tr>
Vmess<\/td>Multiplexed TCP (optionally UDP) wrapped in JSON frames; can be disguised under WebSocket, gRPC or TLS<\/td><\/tr>
VLESS<\/td>Same framing options as VMess but relies on outer TLS\/XTLS for encryption<\/td><\/tr>
Relay<\/td>Acts like a layer\u20114 forwarder or \u201chop\u201d between other proxies<\/td><\/tr>
Socks5<\/td>Transparent TCP and UDP relay, no encryption by default<\/td><\/tr>
Socks5 Over TLS<\/td>Same SOCKS5 semantics wrapped in a TLS tunnel (port 443 or 8443)<\/td><\/tr>
HTTP<\/td>TCP only, no built\u2011in encryption<\/td><\/tr>
HTTPS<\/td>Encapsulates traffic in HTTP\/2 or HTTP\/3 requests that look like Chrome browsing to a regular website<\/td><\/tr>
HTTP2<\/td>Same stealth idea but restricted to H2 (TCP).<\/td><\/tr>
Trojan<\/td>Raw or WebSocket\u2011wrapped data inside a genuine TLS session to a real domain with valid certificate<\/td><\/tr>
Hysteria<\/td>Uses UDP 443; includes NAT traversal and obfs<\/td><\/tr>
TUIC<\/td>UDP 443; more efficient than Hysteria on short flows<\/td><\/tr>
WireGuard<\/td>Kernel\u2011level UDP tunnel, ChaCha20\u2011Poly1305 encryption<\/td><\/tr>
Snell<\/td>TLS\u2011based, with per\u2011session PSK, UDP pass\u2011through, simple congestion control<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
<\/div>\n\n\n\n

You can also pick between a variety of different plugins, extra transport wrappers that sit between the core proxy protocol. (for example, Shadowsocks) and the network.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"A<\/figure>\n\n\n\n
<\/div>\n\n\n\n
Plugin<\/th>How It Works<\/th><\/tr><\/thead>
none (default)<\/td>\u2014<\/td><\/tr>
kcptun<\/td>Bundles, compresses and forward\u2011error\u2011corrects multiple TCP segments inside a single UDP stream, with selective ACKs and configurable FEC redundancy.<\/td><\/tr>
v2ray\u2011plugin<\/td>Wraps traffic inside WebSocket or HTTP\/2\/HTTP\/3 sessions and can add TLS; to DPI it looks like normal browser traffic to a CDN.<\/td><\/tr>
cloak<\/td>Performs a full, valid TLS handshake to a \u201cfront\u201d domain and keeps sending padding frames so packet sizes match genuine web browsing.<\/td><\/tr>
gost<\/td>Shadowrocket passes data to a local GOST stub, which then negotiates the chosen wrapper with the server\u2011side GOST.<\/td><\/tr>
shadow\u2011tls<\/td>Sends a legitimate TLS ClientHello and part of the handshake to a decoy domain, then switches to an encrypted inner stream while keeping the outer TLS session alive.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
<\/div>\n\n\n\n

Every plugin must be running both on the client (Shadowrocket) and on the exit server. If the provider does not offer matching server\u2011side support, choosing a plugin will break the connection.<\/p>\n\n\n\n

Beware Fake Shadowrocket Sites and APKs<\/h3>\n\n\n\n

The only legitimate Shadowrocket build is the iOS version<\/a> sold on Apple\u2019s App\u202fStore. The developer reiterated<\/a> on X (formerly Twitter) in December\u202f2022 that \u201cShadowrocket has not yet created an official website. Anyone claiming to be the official website of Shadowrocket must be a scammer.\u201d<\/p>\n\n\n\n

Despite that statement, numerous look\u2011alike domains \u2014 such as ShadowrocketVPN, Shadowrocket for Android, and ShadowrocketDownload \u2014 use the same logo to distribute questionable APKs or subscriptions with no link to the genuine iOS client. For safety, obtain the app only through Apple\u2019s App\u202fStore listing published by developer Shadow Launch Technology Limited<\/a>.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"A<\/figure>\n\n\n\n
<\/div>\n\n\n\n

Shadowrocket Use Cases<\/h2>\n\n\n\n

A common scenario is geo\u2011locked media. Streaming platforms often restrict libraries by both country and network type; a mobile ASN<\/a> in the target market can unlock content that a datacenter VPN cannot. By assigning a GeoIP, US, MobileProxy<\/code> rule \u2014 the United States in this example \u2014 you ensure only U.S.\u2011bound traffic uses your mobile proxy node, while everything else goes direct.<\/p>\n\n\n\n

Developers and QA teams use Shadowrocket for device\u2011level A\/B testing. For example, a Chinese iOS\u2011testing tutorial<\/a> shows Shadowrocket configured as a VPN\u2011style packet tunnel so that any<\/em> app \u2014 even those that ignore the normal Wi\u2011Fi proxy setting \u2014 has its traffic forced through Burp Suite<\/a> for inspection.<\/p>\n\n\n\n

Because the utility captures traffic from every app \u2014 native or web \u2014 it reveals how ad SDKs, payment gateways, or API calls behave when seen as coming from a specific carrier IP block. In advertising compliance work, auditors run Shadowrocket profiles that pipe only ad\u2011tech domains through carrier proxies while leaving analytics or billing endpoints untouched, producing clean measurement datasets.<\/p>\n\n\n\n

As a result, you can technically use Shadowrocket as an adblocker<\/a>, allowing regular website content to pass through while outright blocking traffic from ad sites.<\/p>\n\n\n\n

<\/div>\n\n\n\n
\"A<\/figure>\n\n\n\n
<\/div>\n\n\n\n

Verifying the Setup<\/h2>\n\n\n\n

Shadowrocket offers two quick diagnostics. First, tap Connectivity Test next to your proxy label; the tool measures round\u2011trip time and reports success or failure. A consistent latency value indicates authentication succeeded and the endpoint is reachable.<\/p>\n\n\n\n

Second, open a browser (Safari or any installed app) and visit an IP\u2011echo service like ifconfig.me<\/a>. With Shadowrocket off, the site should show your real ISP address; with it on and a rule triggered, the displayed IP should now match the Proxidize node.<\/p>\n\n\n\n

For more granular confirmation, browse to a domain covered by a specific rule and then inspect Data \u2192 Connections inside Shadowrocket. You will see the host, the rule name that matched, and the proxy label in use. If the wrong rule fires, drag your intended rule higher in the list; order is significant.<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u202fLimitations and Operational Considerations<\/h2>\n\n\n\n

Shadowrocket cannot force\u2011proxy QUIC traffic (UDP\u202f443) if the destination site refuses to downgrade to HTTP\/1.1 or HTTP\/2. As a workaround, some users block UDP or employ server\u2011side rules that force a TCP fallback. Similarly, certain system services \u2014 like Apple Push Notification \u2014 may bypass third\u2011party tunnels by design; test critical workflows before assuming 100% coverage.<\/p>\n\n\n\n

Running a persistent tunnel plus detailed logging can increase battery drain by 10\u201320% on older devices. Disabling packet capture and limiting rule complexity mitigates the impact. Finally, always confirm that routing commercial scraping traffic through mobile ASNs complies with both your local telecom regulations and the target site\u2019s terms of service; legal exposure varies by jurisdiction.<\/p>\n\n\n\n

<\/div>\n\n\n\n

Conclusion<\/h2>\n\n\n\n

Shadowrocket offers a flexible, rule\u2011driven alternative to monolithic VPNs for iOS. By intercepting traffic at the OS layer and applying match\u2011based routing, it gives security professionals, marketers, and QA teams a way to direct only the traffic that matters through specialised exit nodes while everything else stays local for speed and stability.<\/p>\n\n\n\n

Key Takeaways:<\/strong><\/p>\n\n\n\n

    \n
  • Shadowrocket routes iOS traffic by matching each request against user\u2011defined rules, not by tunnelling everything through a single VPN.<\/li>\n\n\n\n
  • Adding Proxidize proxies is straightforward.<\/li>\n\n\n\n
  • Verification is essential: use Shadowrocket\u2019s own Connectivity Test plus an external IP\u2011echo site to confirm that specific domains exit through the intended mobile or residential IP.<\/li>\n\n\n\n
  • Be aware of limitations such as QUIC flows and additional battery consumption, and verify that your use of mobile ASNs complies with local regulations.<\/li>\n<\/ul>\n\n\n\n

    Proper configuration boils down to three repeatable steps: import or create the proxy, write clear rules, and verify those rules with built\u2011in tests and third\u2011party IP\u2011echo sites.<\/p>\n","protected":false},"author":2284,"featured_media":76700,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","format":"standard","categories":[263],"tags":[],"class_list":["post-76696","blog","type-blog","status-publish","format-standard","has-post-thumbnail","hentry","category-proxies-and-anonymity"],"acf":[],"_links":{"self":[{"href":"https:\/\/proxidize.com\/wp-json\/wp\/v2\/blog\/76696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/proxidize.com\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/proxidize.com\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/proxidize.com\/wp-json\/wp\/v2\/users\/2284"}],"replies":[{"embeddable":true,"href":"https:\/\/proxidize.com\/wp-json\/wp\/v2\/comments?post=76696"}],"version-history":[{"count":3,"href":"https:\/\/proxidize.com\/wp-json\/wp\/v2\/blog\/76696\/revisions"}],"predecessor-version":[{"id":77625,"href":"https:\/\/proxidize.com\/wp-json\/wp\/v2\/blog\/76696\/revisions\/77625"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/proxidize.com\/wp-json\/wp\/v2\/media\/76700"}],"wp:attachment":[{"href":"https:\/\/proxidize.com\/wp-json\/wp\/v2\/media?parent=76696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/proxidize.com\/wp-json\/wp\/v2\/categories?post=76696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/proxidize.com\/wp-json\/wp\/v2\/tags?post=76696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}