Systemwide transparent tcp proxy works on linux, MacOS, router.
It's a solution like: (redsocks + ss-local)/ss-redir + ChinaDNS. But all in one binary, don't depend on dnsmasq.
For linux: ensure iptables and ipset installed in your system.
For macos: pfctl is included by default, no extra dependences.
Example config.json:
{
"as-upstream": false,
"listen-host": "127.0.0.1",
"listen-port": 1111,
"proxy-type": "ss",
"proxy-timeout": 30,
# `bypassCN` or `global`, default to `bypassCN`
"proxy-scope": "bypassCN",
# target host list will bypass snet
"bypass-hosts": ["a.com"],
# only work on "mode": "router", traffic from those ips will bypass snet, use case: home NAS
"bypass-src-ips": ["192.168.1.100"],
# config used when proxy-type is "http"
"http-proxy-host": "",
"http-proxy-port": 8080,
"http-proxy-auth-user": "",
"http-proxy-auth-password": "",
# config used when proxy-type is "ss"
"ss-host": "ss.example.com",
"ss-port": 8080,
# https://github.com/shadowsocks/shadowsocks-go/blob/1.2.1/shadowsocks/encrypt.go#L159
"ss-chpier-method": "aes-256-cfb",
"ss-passwd": "passwd",
# config used when proxy-type is "ss2"
"ss2-host": "",
"ss2-port": 8080,
# https://github.com/shadowsocks/go-shadowsocks2/blob/v0.1.3/core/cipher.go#L29
"ss2-cipher-method": "AEAD_CHACHA20_POLY1305",
"ss2-key": "",
"ss2-password": "passwd"
# config used when proxy-type is "tls"
"tls-host": "",
"tls-port": 443,
"tls-token": "tlstoken",
# config used when proxy-type is "socks5"
"socks5-host": "",
"socks5-port": 1080,
"socks5-auth-user": "",
"socks5-auth-password": "",
"cn-dns": "114.114.114.114", # dns in China
"fq-dns": "8.8.8.8", # clean dns out of China
"enable-dns-cache": true,
"enforce-ttl": 3600, # if > 0, will use this value otherthan A record's TTL
"disable-qtypes": ["AAAA"], # return empty dns msg for those query types
"force-fq": ["*.cloudfront.net"], # domain pattern matched will skip cn-dns query
"dns-logging-file": "dns.log", # dns query will be logged in this file
"dns-prefetch-enable": true,
"dns-prefetch-count": 100, # prefetch top 10 freq used domains in cache.
"dns-prefetch-interval": 60,
"host-map": {
"google.com": "2.2.2.2" # map host and ip
},
"block-host-file": "", # if set, domain name in this file will return 127.0.0.1 to client
"block-hosts": ["*.hpplay.cn"], # support block hosts with wildcard
"mode": "local", # run on desktop: local, run on router: router
"active-eni": "" # only used on Mac, if multi network interface is active, snet try to use the one with highest priority, use this option to override this behavior
}
proxy-type:
CONNECT
method, eg: squid)bypass-hosts
list, or socks5's traffic to upstream server will be hijacked by snet, being a loop.snet
will modify iptables/pf, root privilege is required.
sudo ./snet -config config.json
Test (proxy-scope = bypassCN):
ifconfig.me
, ip should be your ss server ip.myip.ipip.net
, ip should be your local ip in China.If proxy-scope is global
, both should return ss server ip.
If you use it on router, change mode
to router
, and listen-host should be your router's ip or 0.0.0.0
In config.json:
snet server will serve stats api on port 8810
curl http://localhost:8810/stats
{
"Uptime": "26m42s",
"Total": {
"RxSize": 161539743,
"TxSize": 1960171
},
"Hosts": [
{
"Host": "github.com",
"Port": 443,
"RxRate": 0,
"TxRate": 0,
"RxSize": 840413,
"TxSize": 172528
},
{
"Host": "live.github.com",
"Port": 443,
"RxRate": 0,
"TxRate": 0,
"RxSize": 25710,
"TxSize": 12218
},
{
"Host": "encrypted-tbn0.gstatic.com",
"Port": 443,
"RxRate": 0,
"TxRate": 0,
"RxSize": 25418,
"TxSize": 960
},
{
"Host": "ogs.google.com",
"Port": 443,
"RxRate": 0,
"TxRate": 0,
"RxSize": 38138,
"TxSize": 2198
}
...
]
}
Top like UI: ./snet -top
example config.json:
{
"as-upstream": true,
"upstream-type": "tls",
"upstream-tls-server-listen": "0.0.0.0:9999",
"upstream-tls-key": "server.key", # created by: openssl genrsa -out server.key 2048
"upstream-tls-crt": "server.pem", # created by: openssl req -new -x509 -key server.key -out server.pem -days 3650
"upstream-tls-token": "xxxx" # random string
}
Only support tls tunnel when run as upstream server
upstream-type:
Run:
./snet -config config.json
Solution 1:
listen-host
to 0.0.0.0
, mode
to router
.nat prerouting chain
-> filter foward chain
-> nat postrouting chain
, not nat output chain
.client mode
and router mode
is handling DNS redirct, don't know how to make it work for PREROUTING chain
and OUTPUT chain
at the same time.Solution 2:
docker run --network host ...
If config.json is changed, use HUP signal to reload.
kill -HUP $(pgrep snet)
During hot reload:
snet will try to find active network interface current using on starting, you can use active-eni
option (eg: en4) to override it.
Desktop:
Router:
nameserver fe80::1%enp51s0
.
If it's first nameserver, dns query will bypass snet
(since I didn't handle ipv6), you need to disable ipv6 or put it on second line.