`proxy-ns` is a Linux-specific command-line tool that can force any program to use your SOCKS5 proxy server.

It has several advantages over proxychains:

- Supports both TCP and UDP
- Works for statically linked programs
- Supports Endpoint Independent Mapping (full cone NAT) for UDP ASSOCIATE
`proxy-ns` is available in the AUR.

You can also clone this repository manually and then use `make install`:

```shell
git clone https://github.com/OkamiW/proxy-ns.git
cd proxy-ns
make
sudo make install
sudo make install-config # only for first installation
```

You can find the default configuration location by running the help:

```shell
proxy-ns --help
```
Typically, you only need to change `socks5_address`. If your SOCKS5 server requires authentication, set `username` and `password` as well.

```json
{
  "tun_name": "tun0",
  "tun_ip": "10.0.0.1/24",
  "socks5_address": "127.0.0.1:1080",
  "username": "",
  "password": "",
  "fake_dns": true,
  "fake_network": "240.0.0.0/4",
  "dns_server": "9.9.9.9",
  "udp_session_timeout": "1m0s"
}
```

If your SOCKS5 server supports IPv6, you can add the following configuration to enable IPv6 routing:

```json
{
  "tun_ip6": "fc00::1/7"
}
```

Don't enable IPv6 routing if your SOCKS5 server doesn't support IPv6, as it may break your program's connections to hosts with IPv6 addresses.
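A hand-edited configuration file fails in predictable ways: a misspelt key, a `tun_ip` without a prefix length, a `socks5_address` without a port, a username without a password, or a timeout in a format Go cannot parse. The following Go program is an added example written for this page, not proxy-ns's own loader; it decodes the default configuration above (with the optional `tun_ip6` key) and applies validation rules that are this example's own assumptions about what a sane file looks like.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"time"
)

// DefaultConfig is the default configuration shown in the README, with the
// optional tun_ip6 key left out.
const DefaultConfig = `{
  "tun_name": "tun0",
  "tun_ip": "10.0.0.1/24",
  "socks5_address": "127.0.0.1:1080",
  "username": "",
  "password": "",
  "fake_dns": true,
  "fake_network": "240.0.0.0/4",
  "dns_server": "9.9.9.9",
  "udp_session_timeout": "1m0s"
}`

// Config mirrors the keys of the proxy-ns configuration file. The struct and
// the checks in Validate are written for this page; they are not proxy-ns's
// own loader, and the rules are assumptions about what a sane file looks like.
type Config struct {
	TunName           string `json:"tun_name"`
	TunIP             string `json:"tun_ip"`
	TunIP6            string `json:"tun_ip6"` // optional, enables IPv6 routing
	Socks5Address     string `json:"socks5_address"`
	Username          string `json:"username"`
	Password          string `json:"password"`
	FakeDNS           bool   `json:"fake_dns"`
	FakeNetwork       string `json:"fake_network"`
	DNSServer         string `json:"dns_server"`
	UDPSessionTimeout string `json:"udp_session_timeout"`
}

// checkCIDR accepts "addr/prefix" of the requested address family only.
func checkCIDR(field, value string, want6 bool) error {
	ip, _, err := net.ParseCIDR(value)
	if err != nil {
		return fmt.Errorf("%s: %w", field, err)
	}
	if (ip.To4() == nil) != want6 {
		return fmt.Errorf("%s: wrong address family in %q", field, value)
	}
	return nil
}

// Validate decodes the JSON and rejects the mistakes that are easy to make
// when editing the file by hand.
func Validate(raw []byte) (*Config, error) {
	var c Config
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // a misspelt key would otherwise be ignored silently
	if err := dec.Decode(&c); err != nil {
		return nil, err
	}
	if c.TunName == "" {
		return nil, errors.New("tun_name must not be empty")
	}
	if err := checkCIDR("tun_ip", c.TunIP, false); err != nil {
		return nil, err
	}
	if c.TunIP6 != "" {
		if err := checkCIDR("tun_ip6", c.TunIP6, true); err != nil {
			return nil, err
		}
	}
	if host, port, err := net.SplitHostPort(c.Socks5Address); err != nil || host == "" || port == "" {
		return nil, fmt.Errorf("socks5_address must be host:port, got %q", c.Socks5Address)
	}
	// SOCKS5 username/password authentication needs both values or neither.
	if (c.Username == "") != (c.Password == "") {
		return nil, errors.New("username and password must be set together")
	}
	if err := checkCIDR("fake_network", c.FakeNetwork, false); err != nil {
		return nil, err
	}
	if net.ParseIP(c.DNSServer) == nil {
		return nil, fmt.Errorf("dns_server is not an IP address: %q", c.DNSServer)
	}
	if _, err := time.ParseDuration(c.UDPSessionTimeout); err != nil {
		return nil, fmt.Errorf("udp_session_timeout: %w", err)
	}
	return &c, nil
}

func main() {
	c, err := Validate([]byte(DefaultConfig))
	if err != nil {
		fmt.Println("invalid config:", err)
		return
	}
	fmt.Printf("ok: proxy %s, fake_dns=%v\n", c.Socks5Address, c.FakeDNS)
}
```

`DisallowUnknownFields` is the check that pays off most in practice: without it, a key typed as `sock5_address` is silently ignored and the tool keeps using the default `127.0.0.1:1080`.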
Force `curl` to use your configured proxy:

```shell
proxy-ns curl g.co
```

With a different configuration file:

```shell
proxy-ns -c ./config.json curl g.co
```

Temporarily use another proxy server:

```shell
proxy-ns --socks5-address=127.0.0.1:9050 curl g.co
```

Temporarily disable fake-dns:

```shell
proxy-ns --fake-dns=false dig g.co
```

Execute your shell in the proxy-ns environment (all programs launched from that shell will be forced to use your configured proxy):

```shell
exec proxy-ns $SHELL
```

Launch firefox in proxy-ns. (Neither chromium nor firefox implements UDP ASSOCIATE in its SOCKS5 client, so when a proxy is set in the browser, QUIC is disabled. If you launch the browser in proxy-ns instead of specifying the proxy in the browser settings, QUIC can be used to reduce latency.)

```shell
proxy-ns firefox
```
FakeDNS can be used to avoid a separate DNS round trip, thus improving latency. But it has its own limitations:

- All domains are resolved to addresses in `fake_network`, so some programs may not work as expected (e.g. `dig`, `geoiplookup`).
- Some programs do not use your system DNS resolver. FakeDNS won't work for them.
- Many SOCKS5 servers don't support `AtypDomainName` for UDP ASSOCIATE. If you enable FakeDNS with such a server, all UDP packets to domains will be dropped (e.g. DNS may still work, but QUIC probably won't).
proxy-ns needs the following capabilities:

- `cap_sys_admin` is for the `setns` system call.
- `cap_net_admin` is for creating the TUN device.
- `cap_net_bind_service` is for the FakeDNS server listening on `127.0.0.1:53`.
- `cap_sys_chroot` is for `setns` into a new mount namespace.
- `cap_chown` is for `chown 0:0 /etc/resolv.conf`.

All capabilities are dropped permanently before the program's main loop (see `dropPrivilege` in `main.go`).
Ping does not work inside proxy-ns because proxy-ns creates a new network namespace. On many distributions, `/proc/sys/net/ipv4/ping_group_range` defaults to `1 0` in a new network namespace, which disallows ping for all groups.

Since SOCKS5 doesn't support ICMP, pinging inside proxy-ns would be pointless anyway.
Your SOCKS5 server may not support the UDP ASSOCIATE command. Usually, you can work around this by enabling `fake_dns` (it's enabled by default).

However, some programs resolve domains themselves. You will need to enable UDP support on your proxy server for these programs to function properly.
This is a known issue: the proxy-ns daemon exits as soon as the launched program exits, so a program that forks and then exits leaves its children outside the proxy environment.

If you start the forking program from a shell, you can work around this problem by executing the shell in proxy-ns beforehand:

```shell
exec proxy-ns $SHELL
```