Entware / Entware-ng

GNU General Public License v2.0

Dante: socks proxy with UDP support #13

Closed ryzhovau closed 8 years ago

ryzhovau commented 8 years ago

Considering adding another UDP-compatible proxy, redsocks. https://github.com/Entware-ng/Entware-ng/issues/7

ryzhovau commented 8 years ago

Redsocks package added. Please provide feedback.

ryzhovau commented 8 years ago

No response.

moonbuggy commented 7 years ago

Can we look at this issue again?

As far as I'm aware redsocks is not a SOCKS server. It will redirect traffic to a SOCKS server, but that's not really the same thing. It's useful if you want to make an existing SOCKS proxy transparent, but unless I'm missing something it doesn't allow you to connect a SOCKS client to it.

I have a need for an actual SOCKS server that handles UDP packets, and Dante seems to be the best bet from what reading I've done.

zyxmon commented 7 years ago

@moonbuggy - what feed (arch) are you using? I can try to compile a test package for it. PS Dante is located in openwrt trunk - https://github.com/openwrt/openwrt/tree/master/package/network/utils/dante

moonbuggy commented 7 years ago

I'm running entware-ng on an RT-AC3200, which I believe is going to be ARMv7.

I had contemplated building it myself, btw. Since I saw the issues raised here it seemed others may want a UDP-capable SOCKS server as well, so I figured I'd try this route first. Thanks for the link though, it's good to know it's there.

zyxmon commented 7 years ago

Server and client for testing:

http://pkg.entware.net/binaries/armv7/test/sockd_1.4.1-1_armv7soft.ipk
http://pkg.entware.net/binaries/armv7/test/socksify_1.4.1-1_armv7soft.ipk

Please report!

zyxmon commented 7 years ago

BTW sockd now uses /etc/sockd.conf and /var/run/sockd.pid. If the binary works, I'll make a patch to move these files to /opt.

moonbuggy commented 7 years ago

Don't have a lot of time tonight, but I've done a quick test of the server with the default minimal configuration, modified for my network. Proxying TCP nicely. UDP doesn't seem to be working, but that's quite possibly/probably either an issue with the config or the tunnel I'm using as the external interface. (Didn't expect such rapid action on my message, not properly set up to test UDP. Need to find or setup something that will respond to a UDP packet. P2P client doesn't give me any useful feedback.)

The default path for the config file is .. You posted as I was typing. :) Yep, needs to be changed but not an issue for testing since I can specify the path as an argument.

I've not looked at the client yet, but I will look tomorrow.

All very promising so far. Thanks. :)
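The comment above mentions needing something that will answer a UDP packet in order to test the proxy. The following is an added example (not code from this thread, Dante or Entware) of a minimal SOCKS5 UDP ASSOCIATE probe per RFC 1928 and RFC 1929. The wire-format helpers are pure functions so they can be checked offline; `probe_udp()` performs the live exchange and returns the relayed reply payload. Proxy and target addresses, ports and the payload passed to it are assumed placeholders chosen for this example.

```python
"""SOCKS5 UDP ASSOCIATE probe (RFC 1928 / RFC 1929), added example.

Not part of Dante, socksify or Entware. Addresses and payloads used by
the caller are placeholders; the proxy is assumed to accept the
no-authentication method for the probe to succeed.
"""
import socket
import struct

SOCKS_VER = 5
CMD_UDP_ASSOCIATE = 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_greeting(with_userpass=False):
    """Method-selection message: no-auth, optionally also username/password."""
    methods = b"\x00\x02" if with_userpass else b"\x00"
    return bytes([SOCKS_VER, len(methods)]) + methods


def build_udp_associate():
    """UDP ASSOCIATE request; 0.0.0.0:0 tells the proxy the client port is not yet known."""
    return bytes([SOCKS_VER, CMD_UDP_ASSOCIATE, 0x00, ATYP_IPV4]) + b"\x00" * 4 + b"\x00\x00"


def _encode_addr(host, port):
    """ATYP + address + 16-bit port, trying IPv4, then IPv6, then a domain name."""
    try:
        return bytes([ATYP_IPV4]) + socket.inet_aton(host) + struct.pack("!H", port)
    except OSError:
        pass
    try:
        return bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host) + struct.pack("!H", port)
    except OSError:
        raw = host.encode("idna")
        return bytes([ATYP_DOMAIN, len(raw)]) + raw + struct.pack("!H", port)


def _decode_addr(buf, off):
    """Inverse of _encode_addr; returns (host, port, next_offset)."""
    atyp = buf[off]
    off += 1
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(buf[off:off + 4])
        off += 4
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, buf[off:off + 16])
        off += 16
    elif atyp == ATYP_DOMAIN:
        n = buf[off]
        off += 1
        host = buf[off:off + n].decode("idna")
        off += n
    else:
        raise ValueError("bad ATYP %#x" % atyp)
    port = struct.unpack("!H", buf[off:off + 2])[0]
    return host, port, off + 2


def parse_reply(buf):
    """Parse a SOCKS5 command reply; returns BND.ADDR as (host, port) or raises on refusal."""
    if len(buf) < 4 or buf[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply")
    if buf[1] != 0x00:
        raise ValueError("proxy refused request, REP=%#x" % buf[1])
    host, port, _ = _decode_addr(buf, 3)
    return host, port


def encode_udp_datagram(host, port, payload):
    """Wrap payload in the SOCKS5 UDP header: RSV=0, FRAG=0, then the target address."""
    return b"\x00\x00\x00" + _encode_addr(host, port) + payload


def decode_udp_datagram(buf):
    """Unwrap a relayed datagram; returns (src_host, src_port, payload). Fragments are rejected."""
    if len(buf) < 4 or buf[0:2] != b"\x00\x00":
        raise ValueError("bad UDP header")
    if buf[2] != 0:
        raise ValueError("fragmented datagram not supported")
    host, port, off = _decode_addr(buf, 3)
    return host, port, buf[off:]


def probe_udp(proxy, target, payload, timeout=3.0):
    """Live check: associate via proxy=(host, port), send payload to target=(host, port),
    return the reply payload. The TCP control connection must stay open while UDP is relayed."""
    ctrl = socket.create_connection(proxy, timeout=timeout)
    try:
        ctrl.sendall(build_greeting())
        if ctrl.recv(2) != b"\x05\x00":
            raise RuntimeError("proxy did not accept no-auth; adjust for its socksmethod")
        ctrl.sendall(build_udp_associate())
        relay_host, relay_port = parse_reply(ctrl.recv(262))
        if relay_host == "0.0.0.0":  # some proxies answer with the unspecified address
            relay_host = proxy[0]
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.settimeout(timeout)
        udp.sendto(encode_udp_datagram(target[0], target[1], payload), (relay_host, relay_port))
        data, _ = udp.recvfrom(65535)
        return decode_udp_datagram(data)[2]
    finally:
        ctrl.close()


if __name__ == "__main__":
    # Placeholder addresses: a sockd on the LAN and a DNS resolver reachable through it.
    # A 12-byte zero-padded NTP request or a DNS query are convenient payloads for a target that answers.
    print(probe_udp(("192.168.1.1", 1080), ("192.0.2.53", 53), b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + b"\x00\x00\x01\x00\x01"))
```

A timeout from `probe_udp()` with a working TCP path is the symptom moonbuggy hit when incoming UDP replies were blocked; a `ValueError` from `parse_reply()` means the proxy's rules refused the UDP ASSOCIATE itself, which shows up as a distinct entry in sockd's log.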

moonbuggy commented 7 years ago

So it turns out I accidentally pasted the config from a different example minimal config I had open, not the official one. I was blocking incoming UDP replies. It's late here and in theory I should be asleep, so I'm going to use fatigue as an excuse. :)

UDP works with the actual default minimal config I linked above.

Not seeing any errors in syslog or dante's log. It appears fully functional, although I've not tested anything beyond the minimal config (authentication, for example).

I'll turn authentication on tomorrow, check it works, and look at the client and let you know if anything pops up. So far so good though. Thanks again. :)
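The two comments above turn on the difference between a rule set that lets UDP through and one that blocks the incoming replies, and on enabling authentication. The following sockd.conf is an added example written for this thread in Dante 1.4 syntax; it is not the minimal config moonbuggy linked (which is not reproduced here) nor anything shipped by Entware. The interface names (`br0`, `tun0`) and the `192.168.1.0/24` client subnet are assumptions; `socksmethod: username` checks the system password database, which suits a build compiled without PAM as noted later in the thread.

```conf
# Added example sockd.conf for Dante 1.4 (not from the thread). Interface
# names and subnets are placeholders; adjust to the router's own.
logoutput: syslog

# Listen on the LAN only; send proxied traffic out through the VPN tunnel.
internal: br0 port = 1080
external: tun0

# Require a username/password for SOCKS requests (system accounts; no PAM).
clientmethod: none
socksmethod: username

user.privileged: root
user.unprivileged: nobody

# Which hosts may connect to the proxy at all.
client pass {
    from: 192.168.1.0/24 to: 0.0.0.0/0
    log: connect disconnect error
}

# Outbound requests from LAN clients: TCP connect plus UDP associate.
socks pass {
    from: 192.168.1.0/24 to: 0.0.0.0/0
    command: connect udpassociate
    log: connect disconnect error
}

# Replies coming back in for UDP sessions. Omitting this rule reproduces
# the "TCP works, UDP silently fails" symptom described above.
socks pass {
    from: 0.0.0.0/0 to: 192.168.1.0/24
    command: udpreply
    log: error
}

# Explicit final deny, logged, so refused requests are visible in syslog.
socks block {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect error
}
```

Checking a file before starting the daemon with `sockd -V -f /opt/etc/sockd.conf` reports syntax or keyword problems (such as the PAM error quoted later in this thread) without opening any ports.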

moonbuggy commented 7 years ago

I'm now seeing a few memory allocation errors:

sockd[11548]: warning: addchild(): fork(): Cannot allocate memory
sockd[11548]: warning: failed to add a new child to handle new clients
sockd[11548]: info: disable_childcreate(): disabling creation of new child processes (Cannot allocate memory)
sockd[11548]: warning: need to add a new child process to handle client load, but unable to do so at the moment (Cannot allocate memory)

I have more than 50% of my RAM available and the swap file is unused:

$ free
             total         used         free       shared      buffers
Mem:        255556        96708       158848            0         1728
-/+ buffers:              94980       160576
Swap:       524284            0       524284

I don't know enough about it to tell if this is a bug with the executable or if it's normal if it's trying to fork too rapidly or something. It's definitely forking okay in some/many attempts, ps shows a bunch of request/negotiate/io children.

OpenVPN is also throwing replay errors at me as well, but I assume this is unrelated to the proxy and I'm just seeing them now because it's handling UDP packets for the first time and I need to fiddle with the replay window:

openvpn[11178]: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #571513 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Figured I'd pass both these on, in case they were relevant.

moonbuggy commented 7 years ago

Increasing the replay window resolved the OpenVPN errors, so that was indeed unrelated to Dante.

I'm logging a lot of those fork errors mentioned above, and I'm also unable to start a second simultaneous SOCKS server due to the same sort of memory allocation errors:

sockd[31562]: warning: addchild(): fork(): Cannot allocate memory
sockd[31562]: warning: failed to add a new child to handle new clients
sockd[31562]: info: disable_childcreate(): disabling creation of new child processes (Cannot allocate memory)
sockd[31562]: error: initial childcheck() failed: Cannot allocate memory: Bad file descriptor
sockd[31562]: alert: mother[1/1]: shutting down

I've seen similar memory allocation/fork errors before, when I was playing with a Ruby script the other week, so I'm not sure if it's something up with my router or if it's specific to this Dante build. I'd be interested to hear your thoughts on this - I know little about how the router works at this level.

When I was attempting to test authentication I found that sockd was compiled without PAM support:

sockd[31464]: error: /opt/etc/sockd-auth.conf: problem on line 20 near token "pam": in order to set the given keyword/value, Dante must be linked with an external PAM library at compiletime. When Dante was compiled, no such linking was done, perhaps due to no usable PAM library being installed on the system at the time. If a PAM library has since been installed on this system, please rerun ./configure in Dante's source directory, recompile and reinstall Dante. Please see the Dante manual for more information

Maybe this is intentional. Other authentication methods seem to be alright, not throwing errors in a conf check. I didn't actually test that authentication works though because when I went to start the client I found that socksify was broken:

test: can't load library 'libdl.so'

I have /lib/libdl.so.0 sitting where it should be. Not really sure what that's about.

zyxmon commented 7 years ago

  1. I have uploaded fixed packages to the same place, same names. pid and config file paths fixed.
  2. I think fork(): Cannot allocate memory is a system/firmware related bug. Google suggests trying echo 1 > /proc/sys/vm/overcommit_memory
  3. pam is disabled - https://github.com/openwrt/openwrt/blob/master/package/network/utils/dante/Makefile#L30
  4. As for libdl.so - it should be in the /opt/lib folder. But there is no such lib, only libdl.so.2. So the quick fix is to edit the /opt/bin/socksify script and change libdl.so -> libdl.so.2. This is architecture/libc related and will be fixed later.

moonbuggy commented 7 years ago

  1. Maybe I'm doing it wrong, but reinstalling (either by removing first or using --force-reinstall) from the same URLs as above gives me a sockd that still wants to use /etc/ instead of /opt/etc/:

    $ sockd
    Nov  8 21:09:32 (1478599772.291553) sockd[5116]: error: parseconfig(): could not open config file /etc/sockd.conf
    Nov  8 21:09:32 (1478599772.292501) sockd[5116]: alert: mother[1/1]: shutting down

  2. That seems to have worked. I can run a second sockd instance and I'm not seeing fork() warnings in the log as of yet. Thanks. :)
  3. Fair enough. Figured it was probably intentional for whatever reason. Don't need it anyway, just mentioned it in case it wasn't intentional.
  4. I made that edit, now I get:

    $ socksify
    test: '/opt/lib/libc.so.6' library contains unsupported TLS
    test: '/opt/lib/libc.so.6' library contains unsupported TLS
    test: can't load library 'libc.so.6'

     Quick search suggests it's possibly built with an incompatible toolchain..? I don't really know what I'm doing at this point, but maybe the following will be useful:

    $ ls -ahl /opt/lib/ | grep libc
    -rwxr-xr-x    1 moonbugg root        1.2M Aug 18 21:08 libc-2.23.so
    lrwxrwxrwx    1 moonbugg root          12 Oct 30 20:13 libc.so.6 -> libc-2.23.so
    $ ldd /opt/lib/libc.so.6
    -sh: /opt/lib/libc.so.6: not found
    $ ldd /opt/lib/libc-2.23.so
    -sh: /opt/lib/libc-2.23.so: not found
    $ ls -ahl /lib/ | grep libc
    -r-xr-xr-x    1 moonbugg root       20.9K Sep 29 11:37 ld-uClibc.so.0
    -r-xr-xr-x    1 moonbugg root      430.2K Sep 29 11:37 libc.so.0
    $ ldd /lib/libc.so.0
            ld-uClibc.so.0 => /lib/ld-uClibc.so.0 (0x40035000)

zyxmon commented 7 years ago

  1. It was my fault - fixed it now.
  2. I do not have such an error when I run socksify on a tomato based armv7 router with no config file. Maybe it is system/firmware related.

You can check libc this way

# /opt/lib/ld-2.23.so --list /opt/lib/libc.so.6 
    /lib/ld-linux.so.3 => /opt/lib/ld-2.23.so (0x2a000000)

ldd is a script that wraps /opt/lib/ld-2.23.so, the dynamic linker.

zyxmon commented 7 years ago

BTW - libc is a special one:

# /opt/lib/ld-2.23.so  /opt/lib/libc.so.6 
GNU C Library (GNU libc) stable release version 2.23, by Roland McGrath et al.
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 5.4.0.
Available extensions:
    crypt add-on version 2.1 by Michael Glad and others
    GNU Libidn by Simon Josefsson
    Native POSIX Threads Library by Ulrich Drepper et al
    BIND-8.2.3-T5B
libc ABIs: UNIQUE
For bug reporting instructions, please see:
<http://www.gnu.org/software/libc/bugs.html>.

moonbuggy commented 7 years ago

I get the same output as you do for both those commands.

$ /opt/lib/ld-2.23.so --list /opt/lib/libc.so.6
        /lib/ld-linux.so.3 => /opt/lib/ld-2.23.so (0x2a000000)
$ /opt/lib/ld-2.23.so  /opt/lib/libc.so.6
GNU C Library (GNU libc) stable release version 2.23, by Roland McGrath et al.
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 5.4.0.
Available extensions:
        crypt add-on version 2.1 by Michael Glad and others
        GNU Libidn by Simon Josefsson
        Native POSIX Threads Library by Ulrich Drepper et al
        BIND-8.2.3-T5B
libc ABIs: UNIQUE
For bug reporting instructions, please see:
<http://www.gnu.org/software/libc/bugs.html>.

I'm running Asuswrt-Merlin 380.62_1, if that's at all relevant. (Although I just noticed there's a newer firmware out, so I might stick that on. Don't really expect it to make a difference to this issue though.)

The server is working, which is the main thing I was after. I don't really need the client. So if it's too much trouble to fix the client that's not an issue at all for me. I'm grateful I can finally get UDP packets through a SOCKS proxy easily and don't have to try and code a half-arsed proxy in Python (which I'm not very good at anyway). :)

I'm not sure what needs to be done to troubleshoot this issue, kind of at the edge of my knowledge at this level. (This is part of the reason why I only got as far as contemplating building it myself. :) If the build didn't go smoothly and I ran into problems like that I'd have been stuck without spending a lot of time doing web searches looking for a solution.) But if you do want to fix it I'm more than happy to offer whatever help I can.

I'll leave it up to you to decide if/how you wish to proceed.

zyxmon commented 7 years ago

@moonbuggy - thank you for testing dante. I have added both server and client - https://github.com/Entware-ng/Entware-ng/commit/90c3a2c4b5b43f3def98ce643c29a06538ed4a60 I'll remove the client in case there are more issues with it. Binaries will be available soon.