Kernel-namespaces-based alternative to proxychains.
Part of the Accessible OPSEC series (if there even is one).
```sh
# download or compile
sudo ./nsproxy install -s
# geph is a well-known tool with good opsec
# this command sets up a namespace and enters it, giving you a shell
sproxy geph
# now open another terminal
sproxy librewolf # launches librewolf with a prompt for choosing a profile
# you can use different profiles for different namespaces
sproxy fractal # launches `fractal` by running the command directly, i.e. not via flatpak
# fractal is a matrix client written in Rust
```
Apart from those opinionated shortcuts, the standard commands are as follows.
Here is the case where you connect to a proxy running on another computer in the local network:
```sh
# get the binary onto the device you want to proxy by whatever means, e.g. kde-connect
kdeconnect-cli --share ./target/debug/nsproxy -d _a82d921a_aaa3_495f_978e_433a17395f3e_
# now run this one-liner to install it to /usr/bin; of course this doesn't work with nixos
sudo ./nsproxy install -s
# must use sproxy (which has the SUID flag set) to initialize the userns
sproxy userns
# subsequent operations do not need the SUID binary
# make the container
nsproxy socks --proxy socks5://192.167.1.2:9909
# you may also skip the userns, which has better compatibility especially for system software, such as the distribution's package manager
sproxy socks --proxy socks5://192.167.1.2:9909 --root
# this affects the system-wide DNS configuration temporarily, though
```
It then enters a shell whose traffic is proxied as instructed.
For flatpak apps you can always run `flatpak run com.someapp` inside a shell like the one above. At least at the time of writing, flatpak does not run the app through another process outside the namespace.
It's recommended to use the veth + tun2proxy method.
```sh
./nsproxy install -s # installs nsproxy and sproxy to your /usr/local (requires root) and makes sproxy SUID
# it assumes sproxy is in the same directory as its nsproxy binary
# even though sproxy is SUID, it still runs sudo to check your permission
sproxy new --mount --veth --tun2proxy ./test_proxy.json # gives you a shell inside a proxied container
# later you may
sproxy node 1 run # enter that container from another shell
```
The main feature is to redirect or restrict programs to certain network interfaces or addresses (of SOCKS5).

## Examples

### Root or not

`sproxy` requires root but is less trouble. `sproxy` is just a wrapper that starts `nsproxy`.

Without root:

```sh
nsproxy userns
nsproxy socks2tun --new-userns
```

### The proxy

```sh
sproxy veth -t <config>
```

The `socks2tun` subcommand connects to its SOCKS5 endpoint.

### The app (veth method)

You can run `nsproxy watch ./test_proxy.json` to automatically proxy flatpak apps.

Currently it's not recommended (bad for anonymity) to have multiple instances of an app, because the data cannot be segregated; see the issue.

Known problems:

- The `smoltcp` it uses has bugs which make it unusable.
- `impl AsFd for PidFd`
I've been using nsproxy with Geph. For some reason I had to use IPv6, which didn't work in nsproxy. I found out an IPv6 address of example.com and put it in the browser, which surprisingly loaded.
The source code of Geph shows it doesn't support IPv6. After some wireshark-ing, apparently the browser (librewolf) treated the IPv6 address as a domain and passed it to Geph's SOCKS server.
Librewolf is not complying with the SOCKS5 protocol, and coincidentally sidestepped the code in Geph that throws errors upon IPv6.
After more debugging, it turned out the traffic was sent directly without proxying, because the addr was being labelled as a domain by librewolf, and then categorized as "should not proxied" by Geph.
If I were to keep anonymity, that would be a total disaster.
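The leak described above, where an IPv6 literal arrives in the SOCKS5 domain-name address type and is then classified as not needing the proxy, can be caught at the proxy's request parser. Below is an added example (not nsproxy's or Geph's code); the request bytes are constructed, and the fail-closed decisions are this example's assumed policy.

```python
import ipaddress
import socket
import struct

# Constructed SOCKS5 CONNECT requests (RFC 1928): VER CMD RSV ATYP DST.ADDR DST.PORT.
PORT_443 = struct.pack("!H", 443)
# Compliant client: IPv6 literal sent with ATYP=0x04 as 16 raw bytes.
COMPLIANT_V6 = bytes([5, 1, 0, 4]) + socket.inet_pton(socket.AF_INET6, "2001:db8::1") + PORT_443
# Non-compliant client (the browser behaviour described above): the same literal
# wrapped as text in ATYP=0x03, the domain-name type.
V6_AS_DOMAIN = bytes([5, 1, 0, 3, 11]) + b"2001:db8::1" + PORT_443
# Ordinary hostname request, which the proxy should resolve remotely.
DOMAIN_REQ = bytes([5, 1, 0, 3, 11]) + b"example.com" + struct.pack("!H", 80)


def parse_connect(req: bytes):
    """Return (atyp, host, port) from a SOCKS5 CONNECT request; raise on malformed input."""
    if len(req) < 4 or req[0] != 5 or req[1] != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == 1:                                   # IPv4, 4 raw bytes
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == 4:                                 # IPv6, 16 raw bytes
        host, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == 3:                                 # domain name, length-prefixed
        n = req[4]
        host, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    if len(rest) != 2:
        raise ValueError("truncated or oversized request")
    return atyp, host, struct.unpack("!H", rest)[0]


def classify(req: bytes):
    """
    Fail-closed policy (this example's assumption, not Geph's logic): every
    destination is either proxied or rejected, never sent direct. An IP literal
    hiding in the domain-name field is a protocol violation, so it is rejected
    rather than treated as an unproxied hostname, which is what caused the leak.
    """
    atyp, host, _port = parse_connect(req)
    if atyp == 3:
        try:
            literal = ipaddress.ip_address(host)
        except ValueError:
            return ("proxy", host)                  # genuine hostname: remote DNS via the proxy
        return ("reject", str(literal))
    return ("proxy", host)
```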