diff --git a/shadowsocks-libev/Makefile b/shadowsocks-libev/Makefile
index cd8b9fdca..5ed57b95e 100644
--- a/shadowsocks-libev/Makefile
+++ b/shadowsocks-libev/Makefile
@@ -93,6 +93,8 @@ define Package/shadowsocks-libev-ss-rules/install
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_DATA) ./files/firewall.ss-rules $(1)/etc
 	$(INSTALL_BIN) ./files/ss-rules.defaults $(1)/etc/uci-defaults
+	$(INSTALL_DIR) $(1)/etc/sysctl.d
+	$(INSTALL_DATA) ./files/shadowsocks.conf $(1)/etc/sysctl.d
 endef
 
 define Package/shadowsocks-libev-ss-rules/prerm
diff --git a/shadowsocks-libev/files/shadowsocks.conf b/shadowsocks-libev/files/shadowsocks.conf
new file mode 100644
index 000000000..b2c4d8e39
--- /dev/null
+++ b/shadowsocks-libev/files/shadowsocks.conf
@@ -0,0 +1,46 @@
+# local sysctl settings can be stored in this directory
+# max open files
+fs.file-max = 51200
+# max read buffer
+net.core.rmem_max = 134217728
+# max write buffer
+net.core.wmem_max = 134217728
+# default read buffer
+net.core.rmem_default = 65536
+# default write buffer
+net.core.wmem_default = 65536
+# max processor input queue
+net.core.netdev_max_backlog = 4096
+# max backlog
+net.core.somaxconn = 4096
+
+# resist SYN flood attacks
+net.ipv4.tcp_syncookies = 1
+# reuse timewait sockets when safe
+net.ipv4.tcp_tw_reuse = 1
+# turn off fast timewait sockets recycling
+net.ipv4.tcp_tw_recycle = 0
+# short FIN timeout
+net.ipv4.tcp_fin_timeout = 30
+# short keepalive time
+net.ipv4.tcp_keepalive_time = 1200
+# outbound port range
+net.ipv4.ip_local_port_range = 10000 65000
+# max SYN backlog
+net.ipv4.tcp_max_syn_backlog = 4096
+# max timewait sockets held by system simultaneously
+net.ipv4.tcp_max_tw_buckets = 10000
+# turn on TCP Fast Open on both client and server side
+net.ipv4.tcp_fastopen = 3
+# TCP receive buffer
+net.ipv4.tcp_rmem = 4096 87380 134217728
+# TCP write buffer
+net.ipv4.tcp_wmem = 4096 65536 134217728
+# turn on path MTU discovery
+net.ipv4.tcp_mtu_probing = 0
+
+# for low-latency network, use cubic instead
+# net.ipv4.tcp_congestion_control = balia
+
+# Default conntrack is too small
+net.netfilter.nf_conntrack_max=131072