Subspace Proxy is a specialized, lightweight GUI application designed to isolate Linux applications within their own Network Namespaces.
It allows you to route specific processes (like Steam, Firefox, or terminal commands) through distinct proxy tunnels (SOCKS5, HTTP, Shadowsocks, etc.) without affecting your system-wide network configuration.
- Network Isolation: Uses Linux Namespaces (
ip netns) to sandbox applications networking. - Protocols: Connect via SOCKS5, SOCKS4, HTTP, Shadowsocks, and Relay. (More coming soon)
- Desktop Integration: Automatically injects PulseAudio, PipeWire, Wayland, X11, and D-Bus environment variables, ensuring GUI applications work with sound and video.
- Tun2Socks Integration: Tun2Socks converts both TCP and UDP traffic from the namespace into proxy-compatible packets.
- Diagnostics: Built-in tools to Ping the target server and check Port status before launching.
- Smart Management: Automatically handles virtual interfaces (
veth,tun), routing tables, and cleanup.
Imagine you computer as a house:
- Namespace Creation: The app creates a new Network Namespace (a sealed network environment).
Like creating a new room in your house.
- Bridging: It links the namespace to your host system using a Veth (Virtual Ethernet) pair.
A door to connect your house and your room.
- Proxying: Inside the namespace, traffic is routed to a TUN interface. The tun2socks utility captures traffic from the TUN interface and forwards it to your specified proxy server.
Imagine a conveyor belt (TUN) leading to a packaging machine (Tun2Socks). Every "letter" is re-addressed in a new package before it leaves.
- Launching: When you run a command, the app injects your current user's desktop environment (X11/Wayland/Audio) into the namespace so the app behaves normally, but its traffic is forced through the tunnel.
Now when an app in run in the room, all of its mail (Network Packets) is sent through the packaging machine and out the door, and once the recipient (Remote Server) opens the package and mails the real letter, its response can come back to the house.
- Click + New to create a profile.
- Enter your Proxy Name (cosmetic), IP, Port, and Protocol.
- (Optional) Configuring authentication (User/Pass) and other specifics in the advanced settings.
- Save the profile.
- Test Connection: Use the
PingandPortbuttons to double check the connection that is about to be made. - Setup Environment: Click the Setup button (Purple). This creates the namespace and virtual interfaces.
- Enter Command: In the top command bar, type the application you want to run:
firefoxsteamcurl ifconfig.me
- Run: Click the Run button (Green) to launch the app. You can re-enter the command and run multiple apps in the same namespace!
When finished, click Clean (Red). This destroys the namespace, deletes the virtual interfaces, and kills any processes within.
- Root Privileges: This application requires
sudopermissions to create namespaces and modify network interfaces. You may be prompted for your password in the terminal running the app. (To be fixed on release) - Non-Interactive: Commands are launched non-interactively. You cannot run interactive shells like
bashorzshthat require TTY input. - System Modification: While running, the app enables global IP forwarding (
sysctl -w net.ipv4.ip_forward=1). - Container Conflicts: May misbehave if run inside Docker or other sandboxed environments due to nested namespace restrictions.
This project is built using Tauri, Vue 3, and Tun2Socks.
- Linux (Kernel with namespace, veth, and tun/tap support)
- Node.js & npm
- Rust & Cargo
- Runtime Dependencies:
tun2socks(Must be in your PATH)iproute2(ipcommand)iputils(ping)bash
# 1. Install dependencies
npm install
# 2. Run in development mode
npm run tauri devThis project is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0). See the LICENSE file for details.