Socks5 Proxy
-
I know of a way to set up a SOCKS5 proxy using SSH, for the purpose of connecting one computer or network to another network, kind of like a poor-man's VPN. It really depends on what you need the proxy to be used for. If you are trying to create a proxy filter (i.e., with SquidGuard or DansGuardian), this method won't work, AFAIK.
If you are curious about the "poor-man's VPN" of which I spoke, google "SSH tunnel". There is a command-line switch that causes the router to accept connections from network-connected machines, rather than just local (loopback) connections, if desired. I don't recall what that particular switch is.
-
Yes - a dynamic proxy can be used to access IPs behind the pfSense as well as the web; however, simply using a VPN on pfSense is better if that's an option.
-
What I'm trying to do is direct some traffic from users, to force it to a certain connection. I have multiple connections, one of which has a pfSense box with an OpenVPN tunnel. What I'd like the ability to do is set the SOCKS proxy in the software to point to the pfSense box while allowing normal surfing out the main connection. Right now the only way I can do this is to set specific users to default out the pfSense box, which is proving to cause some other problems. The pfSense connection is faster, but the routing is not as good, hence the wish to split.
I don't think the SSH idea will work in this case.
I'm surprised that there isn't another solution. Squid works perfectly for HTTP, but nothing that I can find works for SOCKS.
-
OpenVPN can easily handle that. But then again, so can SSH/dynamic proxy.
I'd still use VPN though.
-
This is close to what I am trying to achieve. The main goal being that the same client computer could send traffic out to the WAN and out over the pfSense's OpenVPN client connection, if it's a program that is set to use a SOCKS proxy, at the same time. I don't want to route all of a client computer's traffic via the VPN, just select programs.
i.e. everything on a client computer uses the direct WAN connection except Firefox, which has been configured to use a SOCKS proxy pointing to the pfSense, and then the pfSense SOCKS server would proxy it out over the OpenVPN client connection on the pfSense.
My difference is that my pfSense is also the WAN gateway, so I need to not send any traffic out over the OpenVPN client connection except for SOCKS client traffic. So the SOCKS server would bind to LAN net and proxy traffic out over the VPN client connection. I'm not clear how I would do the routing for what I just described; perhaps it's not possible. But also, unfortunately, I'm not seeing a way to run a SOCKS server on pfSense.
-
I was looking to do the same thing, socks5 server running on pfsense and tunneling all traffic over a vpn connection.
The solution is to install the "dante" package from freebsd (look for the instructions on how to install freebsd package on pfsense)
-
@aln said in Socks5 Proxy:
I was looking to do the same thing, socks5 server running on pfsense and tunneling all traffic over a vpn connection.
The solution is to install the "dante" package from freebsd (look for the instructions on how to install freebsd package on pfsense)
Any details on how to proceed after that? Installing it wasn't a problem, but the howtos I found for getting it up and running use different filenames and paths for everything. None seem to match with the FreeBSD package.
Edit: I think I've got it working :)
-
Any pointers on how to get dante working, then? I'm also looking to do this; I've got it installed but can't work out how to configure it and get it running.
-
@billiam said in Socks5 Proxy:
Any pointers on how to get dante working, then? I'm also looking to do this; I've got it installed but can't work out how to configure it and get it running.
This is what you need to set (unless I forgot something besides this file):
/usr/local/etc/sockd.conf (adjust internal and external address/interface and "client pass"; external here is the VPN interface)

#logging
logoutput: /var/log/sockd.log
#debug: 1

#server address specification
internal: 10.0.0.1 port = 1080
external: ovpnc1

#server identities (not needed on solaris)
#user.privileged: root
#user.notprivileged: socks
#user.libwrap: libwrap

#reverse dns lookup
#srchost: nodnsmismatch

#authentication methods
clientmethod: none
method: none

##
## SOCKS client access rules
##
#rule processing stops at the first match, no match results in blocking

#block access to socks server from 192.0.2.22 (exception for pass rule below)
# client block {
#   #block connections from 192.0.2.22/32
#   from: 192.0.2.22/24 to: 0.0.0.0/0
#   log: error # connect disconnect
# }

#allow connections from local network (192.0.2.0/24)
client pass {
  from: 10.0.0.0/24 to: 0.0.0.0/0
  log: error # connect disconnect
}

##
## SOCKS command rules
##
#rule processing stops at the first match, no match results in blocking

#block communication with www.example.org
# block {
#   from: 0.0.0.0/0 to: www.example.org
#   command: bind connect udpassociate
#   log: error # connect disconnect iooperation
# }

#generic pass statement - bind/outgoing traffic
pass {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  command: bind connect udpassociate
  log: error # connect disconnect iooperation
}

#block incoming connections/packets from ftp.example.org
# block {
#   from: 0.0.0.0/0 to: ftp.example.org
#   command: bindreply udpreply
#   log: error # connect disconnect iooperation
# }

#generic pass statement for incoming connections/packets
pass {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  command: bindreply udpreply
  log: error # connect disconnect iooperation
}

Then start dante using /usr/local/etc/rc.d/sockd onestart; no clue as yet how to start it automatically at boot, since /etc/rc.conf apparently isn't the way to go in pfSense.
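Once sockd is running, the first thing worth checking is what the proxy actually answers. With clientmethod: none and socksmethod: none, as in the file above, the server completes an unauthenticated SOCKS5 handshake for anyone its client rules admit, so the same probe run from the WAN side should fail to connect at all, and a destination hit by a block rule should come back with reply code 2 ("connection not allowed by ruleset"). The Python below is an added example, not code from this thread or from the dante project: the RFC 1928 message builders and parsers are pure functions that run offline, socks5_connect() drives the full CONNECT handshake against a real proxy, and the addresses in the __main__ block are placeholders.

```python
"""Probe a SOCKS5 proxy with a CONNECT request (RFC 1928).

Added example, not from the thread or dante. Message builders/parsers are
pure functions so they run offline; socks5_connect() drives a real socket.
"""
import socket
import struct
import sys

SOCKS_VER = 0x05
METHOD_NOAUTH = 0x00    # what 'clientmethod: none' / 'socksmethod: none' negotiates
METHOD_REJECTED = 0xFF  # server accepted none of the offered methods
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Reply codes, RFC 1928 section 6; a dante 'socks block' rule answers with 2.
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def build_greeting(methods=(METHOD_NOAUTH,)):
    """Client hello: VER | NMETHODS | METHODS."""
    return bytes([SOCKS_VER, len(methods), *methods])


def parse_method_select(data):
    """Server choice: VER | METHOD. Returns None if every method was refused."""
    if len(data) != 2 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 method selection: %r" % (data,))
    return None if data[1] == METHOD_REJECTED else data[1]


def build_connect_request(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT. IP literals go as
    addresses; anything else is sent as a name so the proxy does the DNS."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            addr = bytes([atyp]) + socket.inet_pton(family, host)
            break
        except OSError:
            continue
    else:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname longer than 255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT -> (rep, bound_addr, bound_port)."""
    if len(data) < 5 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply: %r" % (data,))
    rep, atyp = data[1], data[3]
    alen = {ATYP_IPV4: 4, ATYP_IPV6: 16}.get(atyp)
    if alen is None:
        if atyp != ATYP_DOMAIN:
            raise ValueError("unknown ATYP 0x%02x" % atyp)
        alen = 1 + data[4]                      # length-prefixed name
    end = 4 + alen
    if len(data) < end + 2:
        raise ValueError("truncated SOCKS5 reply")
    raw = data[4:end]
    if atyp == ATYP_IPV4:
        addr = socket.inet_ntop(socket.AF_INET, raw)
    elif atyp == ATYP_IPV6:
        addr = socket.inet_ntop(socket.AF_INET6, raw)
    else:
        addr = raw[1:].decode("idna")
    return rep, addr, struct.unpack("!H", data[end:end + 2])[0]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(proxy_host, proxy_port, dest_host, dest_port, timeout=5.0):
    """Full handshake; returns (rep_code, description) from the proxy's reply."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_greeting())
        method = parse_method_select(_recv_exact(s, 2))
        if method != METHOD_NOAUTH:
            raise RuntimeError("proxy did not accept no-auth (got %r)" % (method,))
        s.sendall(build_connect_request(dest_host, dest_port))
        head = _recv_exact(s, 4)
        if head[3] == ATYP_DOMAIN:
            rest = _recv_exact(s, 1)
            rest += _recv_exact(s, rest[0] + 2)
        elif head[3] in (ATYP_IPV4, ATYP_IPV6):
            rest = _recv_exact(s, (4 if head[3] == ATYP_IPV4 else 16) + 2)
        else:
            raise ValueError("unknown ATYP 0x%02x in reply" % head[3])
        rep = parse_reply(head + rest)[0]
        return rep, REPLY_TEXT.get(rep, "unknown reply 0x%02x" % rep)


if __name__ == "__main__":
    # Placeholder defaults (assumed pfSense LAN address); override on the command line.
    a = sys.argv[1:] or ["192.168.2.1", "1080", "example.org", "80"]
    try:
        print("reply %d: %s" % socks5_connect(a[0], int(a[1]), a[2], int(a[3])))
    except (OSError, ValueError, RuntimeError) as e:
        print("handshake failed: %s" % e)
```

Run it from a LAN host as python3 socks5check.py 192.168.2.1 1080 example.org 80 and expect reply 0; run it again from a host outside the LAN and expect the TCP connect itself to fail. Sending the destination as a name rather than resolving it locally matters for the split-tunnel use case, since it keeps the DNS lookup on the proxy (and therefore VPN) side too.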
-
Thanks for the pointers; with a few tweaks I've got it running as needed. Some were just because the commands shown in your config displayed warnings as deprecated when run. I also added a user to the system for the service to run as "socks" instead of root.

#logoutput: stderr syslog stdout /var/log/sockd.log
logoutput: /var/log/sockd.log
#debug: 1

# accept connections going to this address.
internal: 192.168.2.1 port = 1080

# external IP to use 195.168.1.1
external: 192.168.1.2

#server identities
user.notprivileged: socks

# methods for socks-rules.
socksmethod: none
# methods for client-rules.
clientmethod: none

#permit clients inbound to the proxy
client pass {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  log: error #connect disconnect
}

#generic pass statement - bind/outgoing traffic
socks pass {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  command: bind connect udpassociate
  log: error #connect disconnect iooperation
}

#generic pass statement for incoming connections/packets
socks pass {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  command: bindreply udpreply
  log: error #connect disconnect iooperation
}
Finally I've added the line:
<shellcmd>/usr/local/etc/rc.d/sockd onerestart</shellcmd>
to the pfSense config.xml just before the </system> line, which auto-starts the service when the box is rebooted.
Thanks again for your pointers.
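Both configs posted in this thread use client pass { from: 0.0.0.0/0 }, so the bind address (internal:) and the pfSense firewall are the only things keeping the listener from being an open proxy. The sockd.conf below is an added example, not from this thread or the dante documentation, for the scenario described earlier (pfSense as the LAN gateway, OpenVPN client on ovpnc1): the permissive client rule is shown commented out beside a LAN-only one, a block rule keeps proxied clients off the LAN itself, and CONNECT is the only command allowed. The LAN 192.168.2.0/24, the LAN address 192.168.2.1 and the interface name ovpnc1 are assumptions borrowed from the posted configs.

```conf
# /usr/local/etc/sockd.conf (added example; addresses and ovpnc1 are assumptions)
logoutput: /var/log/sockd.log

# Listen only on the LAN address, never on 0.0.0.0 or the WAN address.
internal: 192.168.2.1 port = 1080

# Source outbound connections from the OpenVPN client interface.
external: ovpnc1

# Drop root after binding the listening port.
user.notprivileged: socks

# No authentication: the client rule and the bind address are the whole
# access control, which is why the client rule must not be 0.0.0.0/0.
clientmethod: none
socksmethod: none

# Weak setting (as in the posted configs): any source may talk to the proxy.
#client pass {
#  from: 0.0.0.0/0 to: 0.0.0.0/0
#  log: error
#}

# Corrected: only LAN clients may open a session with the proxy.
client pass {
  from: 192.168.2.0/24 to: 0.0.0.0/0
  log: error
}

# First match wins: refuse proxied connections back into the LAN
# (including the firewall's own management address) before the pass rule.
socks block {
  from: 0.0.0.0/0 to: 192.168.2.0/24
  command: connect
  log: connect error
}

# Browser traffic needs CONNECT only; leave bind/udpassociate out.
socks pass {
  from: 192.168.2.0/24 to: 0.0.0.0/0
  command: connect
  log: error
}
```

One caveat on external: dante binds its outgoing sockets to that interface's address, but the kernel routing table still chooses the outbound path. After starting sockd, confirm from a LAN host that the egress address seen through the proxy (for example with curl --socks5-hostname 192.168.2.1:1080 against an address-echo service) is the VPN's, not the WAN's; if it is the WAN's, the routing on the pfSense side, not sockd.conf, needs attention.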
-
@billiam said in Socks5 Proxy:
Thanks for the pointers; with a few tweaks I've got it running as needed. Some were just because the commands shown in your config displayed warnings as deprecated when run. I also added a user to the system for the service to run as "socks" instead of root.
You're welcome. I found that config somewhere when looking for examples, don't remember where I found it but might have been an old one. Didn't see any warnings though, although once it worked I didn't check the logs.
Finally I've added the line:
<shellcmd>/usr/local/etc/rc.d/sockd onerestart</shellcmd>
to the pfSense config.xml just before the </system> line, which auto-starts the service when the box is rebooted.
Thanks for the tip!