heiher / hev-socks5-tproxy Goto Github PK
View Code? Open in Web Editor NEWA simple, lightweight socks5 transparent proxy for Linux. (IPv4/IPv6/TCP/UDP)
License: MIT License
A simple, lightweight socks5 transparent proxy for Linux. (IPv4/IPv6/TCP/UDP)
License: MIT License
iptable 方案
可以默认直连,加入 ipset 才代理吗?
I want to forward UDP to a subnet, but I can't get connectivity.
I have been using this rules:
ip rule add fwmark 1088 table 100
ip route add local default dev eth2 table 100
iptables -t mangle -A OUTPUT -o eth2 -p udp -j MARK --set-mark 1088
iptables -t mangle -A PREROUTING -i eth2 -p udp -j TPROXY --on-ip 10.0.0.1 --on-port 10000 --tproxy-mark 1088
eth2 has 10.0.0.1 as IP.
In the socks5 proxy this log is showed, it tells the connection was done successfully:
# glider -verbose -listen socks5://127.0.0.1:9000
2021/10/08 21:16:03 group.go:186: [group] only 1 forwarder found, disable health checking
2021/10/08 21:16:03 server.go:38: [socks5] listening TCP on 127.0.0.1:9000
2021/10/08 21:16:03 server.go:107: [socks5] listening UDP on 127.0.0.1:9000
2021/10/08 21:16:13 server.go:150: [socks5u] 127.0.0.1:39434 <-> 1.1.1.1:53 via DIRECT
2021/10/08 21:17:16 server.go:150: [socks5u] 127.0.0.1:57056 <-> 1.1.1.1:53 via DIRECT
am I doing something wrong?
我直接将命令复制到了op里面,配合socks5客户端使用,但一直无法成功,不知道是什么原因。
执行 hs5t CONFIG_FILE,得到如下输出,不知道是否正常?
之所以这么问是看到您还有一个库是专门针对openwrt的版本,不过似乎很久没更新。
[2023-04-29 15:20:13] [E] 0x7f4c3ceb5e00 socks5 client read response
[2023-04-29 15:20:13] [E] 0x7f4c3ceb5e00 socks5 session handshake
[2023-04-29 15:20:13] [E] 0x7f4c3cece6b0 socks5 client read response
[2023-04-29 15:20:13] [E] 0x7f4c3cece6b0 socks5 session handshake
[2023-04-29 15:20:13] [E] 0x7f4c3ceb5c20 socks5 client read response
[2023-04-29 15:20:13] [E] 0x7f4c3ceb5c20 socks5 session handshake
[2023-04-29 15:20:13] [E] 0x7f4c3cece750 socks5 client read response
[2023-04-29 15:20:13] [E] 0x7f4c3cece750 socks5 session handshake
单独使用socks5客户端,经测试是可用的。
op上使用nftables,防火墙规则用其他代理redir没问题,不太熟tproxy规则,不过也是参照了您的教程和网上的教程,感觉是对的。
尝试过这里的多个版本,都不成功,盼指教。
依据链接时间判定是否走socks5接口,或者依据速率判定
one of the good idea of hev-socks5-tproxy is that it's upd tproxy is routed over tcp, which works quite well with Chrome youtube QUIC traffic in this way : [tproxy - socks5 upstream 10808] - > [trojan forward mode : localhost 10808 to remote localhost 1080] - [trojan server 443] - [hev socks5 server port 1080]
is it possible to work directly with trojan client mode socks5 listening somehow?
hev-socks5-tproxy有安卓版本,不知道是否可以简化配置步骤,做成GUI,就像sockstun一样
当然前提条件是有root,另外还可以引入基于uid的过滤(--uid-owner)
README says the LICENSE is "LGPL", but it's still unclear which version of "LGPL" is actually in use and to which scope the license applies.
So please at least add a LICENSE file, see https://opensource.org/licenses/lgpl-license for available LGPL license candidates.
Some of the dependencies (git submodules) of this also have similar problem.
You might want to add a compatible LICENSE for those projects as well to meet LGPL v* requirements.
if the binary is built with zig cc ARCH-linux-musl, Segmentation fault in 2 cases
if change udp: 'udp' to udp: 'tcp', i know this mode only works with hev-socks5-server, it does not work with trojan-r socks5 listening. when sending a udp packet like dig @1.1.1.1 example.com (udp packet), hev-socks5-tproxy just exit with Segmentation fault, i know it will fail, but that could be handled better with some error message instead of exit with seg fault. (side note, in this case trojan-r log shows: socks: unsupported command 0x5), just some thoughts, not a big issue if one knows how to configure the udp: parameter.
i found another hev-socks5-tproxy Segmentation fault when upstream socks5 server stopped/killed/quit/no longer listening. can you reproduce this behavior on your side?
not effected when using zig cc ARCH-linux-gnu
, tested zig version 0.11,0.12-dev
build arg
# STRIP=true disables strip in Makefile, as we have zig cc -s to strip
make clean ;
make \
CC='zig cc -flto -O3 -s -static -target aarch64-linux-musl' \
AR='zig ar' \
RANLIB='zig ranlib' \
STRIP=true \
-j
EDIT: issue fix by setting task-stack-size in config.yml
equal or larger than 8193. Or even larger, e.g. : 16384
is preferred
It's easy to get detected by GFW, do you think?
I installed hev-socks5-tproxy in my router.
The router has the address 192.168.1.1 and my PC has the address 192.168.1.33. Also, I have a local bridge "virbr0" in PC side that forwards traffic to a virtual machine, having it the gateway address 192.168.11.1 and peer address 192.168.11.2.
In the PC side:
ip rule add fwmark 1088 table 100
ip route add local default dev virbr0 table 100
iptables -t mangle -A PREROUTING -i virbr0 -p tcp -j TPROXY -s 192.168.11.2 --on-ip 192.168.0.1 --on-port 1088 --tproxy-mark 1088
When I try to curl any IP in the virtual machine side (192.168.11.2) I get timeouts, seeing the Wireshark logs, any packet is forwarded from my PC to the router.
And when I change the address of "--on-ip" to 127.0.0.1 and run hev-socks5-tproxy locally listening on 127.0.0.1:1088 everything works ok.
How can I make the TPROXY option in iptables "see" the address of the router (192.168.1.1) and connect?
PS.: I don't know if TPROXY was designed to work with non-local addresses when sending the packets, but I searched a lot in Google and I could see examples of TPROXY using non-local addresses, but when I try to reproduce the examples, nothing works.
I'm trying to forward traffic across namespaces, basically I set up a transparent proxy inside a network namespace and forward the traffic to another one.
I create namespaces and set up all the rest with:
ip netns add nsx
ip netns add nsy
ip link add vethx type veth peer name peerx netns nsx
ip link set vethx up
ip address add 10.0.0.1/24 dev vethx
ip netns exec nsx ip link set peerx up
ip netns exec nsx ip address add 10.0.0.2/24 dev peerx
ip netns exec nsx ip link add vethy type veth peer name peery netns nsy
ip netns exec nsx ip link set vethy up
ip netns exec nsx ip address add 10.0.1.1/24 dev vethy
ip netns exec nsx sysctl -w net.ipv4.conf.peerx.forwarding=1
ip netns exec nsx sysctl -w net.ipv4.conf.vethy.forwarding=1
ip netns exec nsx sysctl -w net.ipv4.ip_forward=1
ip netns exec nsy ip link set peery up
ip netns exec nsy ip address add 10.0.1.2/24 dev peery
ip netns exec nsy ip route add default via 10.0.1.1 dev peery
Rules are added in the network namespace "nsx":
ip netns exec nsx ip rule add fwmark 1088 table 100
ip netns exec nsx ip route add local default dev vethy table 100
Iptables rule is added:
ip netns exec nsx iptables -t mangle -A PREROUTING -i vethy -p tcp -j TPROXY -s 10.0.1.2 --on-ip 10.0.0.1 --on-port 19040 --tproxy-mark 1088
But when I try to connect I get this:
root@localhost:/home/user# dig @1.1.1.1 duckduckgo.com
; <<>> DiG 9.18.1-1-Debian <<>> @1.1.1.1 duckduckgo.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
============================
So, what can be done to make the connection be made successfully?
you said it can be running like
tproxy COMMAND
but where is the tproxy
?
看了下readme,几处很费解
1 redirect rule部分需要手动运行吗?
2 运行什么命令可以让普通程序使用sock5?
比如proxychains curl google.com,你的命令是什么?readme没写
redsocks说明自己并不是真实的透明代理:redsocks acts at TCP level, so three-way handshake is completed and redsocks accepts connection before connection through proxy (and to proxy) is established。我想问下这个项目也是这样的吗?
when start hev-socks5-tproxy with this config:
socks5:
port: 1080
address: 127.0.0.1
# Socks5 UDP relay mode (tcp|udp)
udp: 'udp'
# Socks5 server username
#username: 'username'
# Socks5 server password
#password: 'password'
# Socket mark
#mark: 438
tcp:
port: 1081
address: '127.0.0.1'
udp:
port: 1081
address: '127.0.0.1'
# Redirect DNS to local server on gateway
# [address]:port <-> [upstream]:53 (dnsmasq)
#dns:
# DNS port
#port: 1053
# DNS address
#address: '::'
# DNS upstream
#upstream: 127.0.0.1
misc:
# task-stack-size: 8192 # task stack size (bytes)
# connect-timeout: 5000 # connect timeout (ms)
# read-write-timeout: 60000 # read-write timeout (ms)
# log-file: stderr # stdout or file-path
log-level: error # debug, info or warn or error
# pid-file: /run/hev-socks5-tproxy.pid
limit-nofile: 65535
upstream socks5 server is provided by pagefault's trojan-r client, everything works as expected. but hev-socks5-tproxy's log [E] socks5 tproxy udp addr
is confusing, why is this an [E] error log?
by the way, i build hev-socks5-tproxy with this version: 6a85b48
With zig cc, there is no need to download tool chains, as zig cc is able to prepare/compile needed libc for various arch on the fly.
Build linux binary on macOS for instance:
make CC="zig cc -s -static -target x86_64-linux-musl" AR="zig ar"
Hello, is it possible to use the remote socks5 endpoint as the DNS resolver?
Or does it already work that way?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.