heiher / hev-socks5-tunnel

A high-performance tun2socks for Linux/Android/FreeBSD/macOS/iOS/WSL2 (IPv4/IPv6/TCP/UDP)
MIT License

Udp tcp over socks #13

Closed armantc closed 1 year ago

armantc commented 1 year ago

On my VPS server I installed SoftEther VPN server, which uses a tap device with the 192.168.24.0/21 subnet. Traffic of this device goes through the gateway of the eth0 IP. With some iptables tricks I can forward TCP to a local go simple tunnel and use a TLS tunnel to connect to a socks server on another VPS, because of the many restrictions on the internet in our country. But my problem is with UDP traffic. How can I forward UDP this way? I tested tun2socks but I couldn't get it working, because when I change the metrics the way the example says, I lose the connection to the device. Can I do it with hev?

heiher commented 1 year ago

Certainly. If you want to proxy UDP, you should use hev-socks5-server on server side vps. BTW, the traffic in direct access is not encrypted or obfuscated.

It should be noted that if you use the global default route, you need to bypass the socks5 server address to avoid it going through the virtual tunnel:

ip route add SOCKS5-SERVER-IP dev INTERNET-IFACE metric 10

ip route add default dev tun0 metric 20
ip -6 route add default dev tun0 metric 20
armantc commented 1 year ago

Certainly. If you want to proxy UDP, you should use hev-socks5-server on server side vps. BTW, the traffic in direct access is not encrypted or obfuscated.

It should be noted that if you use the global default route, you need to bypass the socks5 server address to avoid it going through the virtual tunnel:

ip route add SOCKS5-SERVER-IP dev INTERNET-IFACE metric 10

ip route add default dev tun0 metric 20
ip -6 route add default dev tun0 metric 20

Thanks for the quick answer. For the tap device to use tun0 as gateway, what rule must I add? I want it to be like this: tap_se ==> tun0 ==> eth0

tap_se has subnet 192.168.0.21/24 with netmask 255.255.248.0 and broadcast 192.168.31.255, and the IP of the router is 192.168.24.0

heiher commented 1 year ago

I need more info about your network topology.

armantc commented 1 year ago

OK, this is the ifconfig result of my VPS server; just for security reasons I changed the eth0 inet, broadcast and gateway.

SoftEther VPN server and a local DHCP are installed, which accept client connections through L2TP or OpenVPN and give them an IP on the subnet of tap_se.

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 45.159.50.149  netmask 255.255.255.0  broadcast 45.159.50.255
        ether 00:16:3c:f4:70:d4  txqueuelen 1000  (Ethernet)
        RX packets 1788  bytes 185961 (185.9 KB)
        RX errors 0  dropped 24  overruns 0  frame 0
        TX packets 285  bytes 35281 (35.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 409  bytes 66498 (66.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 409  bytes 66498 (66.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tap_se: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.24.0  netmask 255.255.248.0  broadcast 192.168.31.255
        ether 5e:90:71:5b:d7:06  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

This is the ip route result:

default via 45.159.113.254 dev eth0 
45.159.50.0/24 dev eth0 proto kernel scope link src 45.159.50.149 
192.168.24.0/21 dev tap_se proto kernel scope link src 192.168.24.0

And for the clients to have internet access I have the following iptables rule: iptables -t nat -A POSTROUTING -s 192.168.24.0/21 -o eth0 -j MASQUERADE

And now I want to socksify the outgoing traffic of the clients through the socks server.

heiher commented 1 year ago

Run hev-socks5-server directly on the VPS server, and hev-socks5-tunnel on another host without SoftEther, if encryption is not required (or use a TCP stream wrapper to encrypt the SOCKS5 traffic between server and client, e.g. SSH port forwarding?).

vps server:

hev-socks5-server conf.yml # default config

another host:

hev-socks5-tunnel conf.yml # socks5 server points to vpsserver

ip route add vpsserver dev eth0
ip route add default dev tun0

ghost commented 1 year ago

Certainly. If you want to proxy UDP, you should use hev-socks5-server on the server-side VPS. By the way, the traffic in direct access is not encrypted or obfuscated.

It should be noted that if you use the global default route, you need to bypass the socks5 server address to avoid it going through the virtual tunnel:

ip route add SOCKS5-SERVER-IP dev INTERNET-IFACE metric 10

ip route add default dev tun0 metric 20
ip -6 route add default dev tun0 metric 20

Is there a plan to develop the original UDP proxy? If not, layer-4 VPNs like v2ray/xray are not easy to use with hev-socks5-tunnel.

heiher commented 1 year ago

Is there a plan to develop the original UDP proxy? If not, layer-4 VPNs like v2ray/xray are not easy to use with hev-socks5-tunnel.

Adding UDP associate support is done: https://github.com/heiher/hev-socks5-tunnel/commit/f5311b06fcce4d5255d1feea52c3ba3a7de756c9

socks5:
  # Socks5 UDP relay mode (tcp|udp)
  udp: 'udp'

Please let me know if you have any other questions.
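With `udp: 'udp'` the tunnel is expected to take the standard SOCKS5 UDP ASSOCIATE path: the client sends a CMD=3 request over the TCP control connection, and each UDP payload then travels wrapped in the RFC 1928 UDP relay header. The Python below is an added example of that framing, not hev-socks5-tunnel code, and it assumes the project's 'udp' mode is this standard exchange: it builds the ASSOCIATE request and encodes/decodes relay datagrams for IPv4, IPv6 and domain targets, rejecting fragments, bad reserved bytes and truncated headers the way a relay that receives untrusted datagrams should.

```python
"""SOCKS5 UDP relay framing (RFC 1928, section 7): build the UDP ASSOCIATE
request and wrap/unwrap the header carried in every relayed UDP datagram.
Added example; not hev-socks5-tunnel code."""
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def _encode_addr(host):
    """Return ATYP + DST.ADDR bytes for an IPv4/IPv6 literal or a hostname."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def build_associate_request(client_host, client_port):
    """UDP ASSOCIATE request: VER=5 CMD=3 RSV=0 ATYP DST.ADDR DST.PORT.
    DST.ADDR/PORT announce where the client will send UDP from
    (0.0.0.0:0 when it does not know yet)."""
    return b"\x05\x03\x00" + _encode_addr(client_host) + struct.pack("!H", client_port)


def encode_udp_datagram(dst_host, dst_port, payload):
    """Relay datagram: RSV(2)=0 FRAG(1)=0 ATYP DST.ADDR DST.PORT DATA."""
    return b"\x00\x00\x00" + _encode_addr(dst_host) + struct.pack("!H", dst_port) + payload


def decode_udp_datagram(data):
    """Parse a relay datagram into (dst_host, dst_port, payload).
    Rejects a non-zero RSV, any FRAG value (reassembly is optional in the
    RFC and a relay may drop fragments), unknown ATYP and truncated headers;
    every failure is a ValueError so a caller can drop the datagram."""
    if len(data) < 4:
        raise ValueError("short header")
    rsv, frag, atyp = struct.unpack("!HBB", data[:4])
    if rsv != 0:
        raise ValueError("RSV must be zero")
    if frag != 0:
        raise ValueError("fragmented datagrams not supported")
    off = 4
    if atyp == ATYP_IPV4:
        # IPv4Address raises AddressValueError (a ValueError) on a short slice
        host, off = str(ipaddress.IPv4Address(data[off:off + 4])), off + 4
    elif atyp == ATYP_IPV6:
        host, off = str(ipaddress.IPv6Address(data[off:off + 16])), off + 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < off + 1:
            raise ValueError("missing domain length")
        n = data[off]
        off += 1
        if n == 0 or len(data) < off + n:
            raise ValueError("bad domain length")
        host, off = data[off:off + n].decode("idna"), off + n
    else:
        raise ValueError("unknown ATYP %#x" % atyp)
    if len(data) < off + 2:
        raise ValueError("truncated port")
    port = struct.unpack("!H", data[off:off + 2])[0]
    return host, port, data[off + 2:]


if __name__ == "__main__":
    wire = encode_udp_datagram("8.8.8.8", 53, b"\x12\x34")  # constructed payload
    print(wire.hex(), decode_udp_datagram(wire))
```

The decoder deliberately treats FRAG as a hard error rather than trying to reassemble: the RFC lets a relay drop fragmented datagrams, and a tun2socks client that forwards raw packets has no reason to accept them, so refusing is the simplest way to keep an untrusted peer from driving a reassembly buffer.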

A5DkjGQUZx commented 1 year ago

#!/bin/sh
# Start the tun2socks tunnel in the background; it creates tun0.
/usr/bin/hev-socks5-tunnel /usr/bin/hevsocksconfig.yaml &
# Give the LAN side an address on an alias of eth0.
ifconfig eth0:0 192.168.70.2 netmask 255.255.255.0

# Wait until tun0 exists before adding routes that reference it.
while ! ip link show tun0 >/dev/null 2>&1; do sleep 1; done

# Policy rule: anything sourced from the LAN is looked up in the "tun2socks"
# table (the name must be listed in /etc/iproute2/rt_tables, or use a number).
ip rule add pref 300 from 192.168.70.0/24 table tun2socks

# Netfilter sees the alias's packets as arriving on eth0, not "eth0:0".
iptables -A FORWARD -i eth0 -s 192.168.70.0/24 -j ACCEPT
iptables -A FORWARD -i tun0 -d 192.168.70.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.70.0/24 -o tun0 -j MASQUERADE

# Rebuild the tun2socks table: copy every non-default route from main so local
# subnets stay reachable, then send everything else into tun0.
ip route flush table tun2socks
ip route show table main | grep -Ev '^default' | while read -r ROUTE ; do ip route add table tun2socks $ROUTE; done
ip route add default via 10.0.0.1 dev tun0 table tun2socks

ip route flush cache

/usr/local/bin/xray run /usr/local/bin/config.json

Someday someone might find this script useful for NATing local network traffic to the Hev tun0 and then passing it through tun2socks to an Xray, V2ray or V2fly client connection over socks... (PAY ATTENTION TO THE "pref 300" AS IT IS CRITICALLY IMPORTANT)

I had limited kernel modules and was not able to utilize the Tmark iptables modules. So I had to use a tun2socks adapter and do an old-fashioned typical NAT.

Works fine with latest Hev build.

speedtest -I tun0

   Speedtest by Ookla

      Server: KPN - Amsterdam (id: 26996)
Idle Latency:    96.52 ms   (jitter: 1.17ms, low: 95.34ms, high: 97.32ms)
    Download:   452.90 Mbps (data used: 584.0 MB)                                                   
                290.17 ms   (jitter: 69.22ms, low: 95.39ms, high: 458.78ms)
      Upload:   378.08 Mbps (data used: 535.0 MB)                                                   
                121.87 ms   (jitter: 8.42ms, low: 102.21ms, high: 162.63ms)
 Packet Loss:     0.0%
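Both routing recipes in this thread, heiher's host route that keeps the SOCKS5 server out of the tunnel while everything else takes a default into tun0, and the source-based `ip rule ... pref 300` table in the script above, come down to how the kernel picks a route: policy rules are consulted in ascending pref to choose a table, and inside that table the longest prefix wins, with the lowest metric breaking ties. The Python model below is an added example, not hev-socks5-tunnel code or anyone's posted configuration: it parses `ip route show` style lines, resolves a source/destination pair against rules and tables, and checks the two failure modes discussed here, the SOCKS5 server being routed into the tunnel itself (a loop) and a LAN rule placed after main so that it never fires. All addresses and the `tun2socks` table contents are constructed; the bypass route is written with the uplink gateway as `via`, which an Ethernet uplink normally needs.

```python
"""Offline model of Linux route selection: policy rules pick a table, then
longest-prefix match with lowest metric wins inside it. Added example, not
project code; every address and table below is constructed."""
import ipaddress
import re

_DEV_RE = re.compile(r"\bdev (\S+)")
_VIA_RE = re.compile(r"\bvia (\S+)")
_METRIC_RE = re.compile(r"\bmetric (\d+)")

MAIN_PREF = 32766  # pref of the kernel's built-in "from all lookup main" rule


def parse_routes(text):
    """Turn `ip route show` output into (network, dev, via, metric) tuples."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev, via, metric = (_DEV_RE.search(line), _VIA_RE.search(line),
                            _METRIC_RE.search(line))
        routes.append((ipaddress.ip_network(dst, strict=False),
                       dev.group(1) if dev else None,
                       via.group(1) if via else None,
                       int(metric.group(1)) if metric else 0))
    return routes


def lookup(tables, rules, src, dst):
    """Return (table, dev, via) for a packet src->dst, or None if unroutable.
    rules: (pref, source-prefix-or-None, table), consulted in ascending pref;
    the first table holding a matching route decides, as the kernel does."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, src_net, table in sorted(rules, key=lambda r: r[0]):
        if src_net and src_ip not in ipaddress.ip_network(src_net):
            continue
        hits = [r for r in tables.get(table, []) if dst_ip in r[0]]
        if hits:
            _, dev, via, _ = max(hits, key=lambda r: (r[0].prefixlen, -r[3]))
            return table, dev, via
    return None


def socks_server_bypasses_tun(tables, rules, socks_ip, tun_dev="tun0"):
    """True when the SOCKS5 server is reached outside the tunnel device;
    False means the tunnel's own upstream would loop back into the tunnel."""
    hop = lookup(tables, rules, "0.0.0.0", socks_ip)
    return hop is not None and hop[1] != tun_dev


def build_tun2socks_table(main_routes, tun_gw="10.0.0.1", tun_dev="tun0"):
    """Mirror the script's loop: copy main's non-default routes so local
    subnets stay reachable from the table, then add a default into the tunnel."""
    table = [r for r in main_routes if r[0].prefixlen != 0]
    table.append((ipaddress.ip_network("0.0.0.0/0"), tun_dev, tun_gw, 0))
    return table


# Constructed sample: global default into tun0 plus the /32 bypass for the SOCKS5 server.
BYPASS_MAIN = parse_routes("""
default via 203.0.113.1 dev eth0 metric 100
default dev tun0 metric 20
198.51.100.5 via 203.0.113.1 dev eth0 metric 10
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.7
""")
DEFAULT_RULES = [(MAIN_PREF, None, "main")]

# Constructed sample: the policy-routing layout of the script above.
POLICY_MAIN = parse_routes("""
default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.7
192.168.70.0/24 dev eth0 proto kernel scope link src 192.168.70.2
10.0.0.0/24 dev tun0 proto kernel scope link src 10.0.0.2
""")
POLICY_TABLES = {"main": POLICY_MAIN, "tun2socks": build_tun2socks_table(POLICY_MAIN)}
POLICY_RULES = [(300, "192.168.70.0/24", "tun2socks"), (MAIN_PREF, None, "main")]

if __name__ == "__main__":
    print(lookup({"main": BYPASS_MAIN}, DEFAULT_RULES, "203.0.113.7", "198.51.100.5"))
    print(lookup(POLICY_TABLES, POLICY_RULES, "192.168.70.10", "8.8.8.8"))
```

Dropping the /32 from `BYPASS_MAIN` makes `socks_server_bypasses_tun` return False, which is the loop heiher warns about; moving the LAN rule's pref above 32766 makes `lookup` answer from main and send LAN traffic straight out eth0, which is why the script insists on `pref 300`.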