xjasonlyu / tun2socks

tun2socks - powered by gVisor TCP/IP stack
https://github.com/xjasonlyu/tun2socks/wiki
GNU General Public License v3.0

[Feature] Reverse functionality: socks2tun #148

Closed ValdikSS closed 2 years ago

ValdikSS commented 2 years ago

Description

When you have a proxy and want to convert it to an interface and use it system-wide, you use software like tun2socks. There are several programs like tun2socks available because that's the only way to use a proxy on Android, where only the TUN (VPN) interface is available for handling.

However, when you have a VPN and want to expose it as a proxy, there aren't many solutions out there. There's openconnect, which supports redirection of TUN traffic to a file descriptor to be used with ocproxy or tunsocks, and there's wg-http-proxy and wghttp for the WireGuard protocol. The first does not support Windows. Neither supports OpenVPN.

There's a patch for OpenVPN to pass TUN traffic over a file descriptor, not to a real TUN device. In fact, this is an adaptation of OpenConnect's --script option and it is compatible with ocproxy and tunsocks. But both ocproxy and tunsocks do not support Windows and are based on the lightweight lwIP TCP/IP stack designed for microcontrollers, so it's pretty slow and suboptimal. The patch is outdated, but I ported it to the latest OpenVPN and want to propose it to the main repo for inclusion.

There are many use-cases for exposing VPN as a proxy:

  • Routing traffic from different applications through different VPNs.
  • Connecting to multiple VPNs (clients, sites, ...) that have overlapping IP ranges.
  • Connecting to multiple VPNs that each advertise their own default route and/or DNS settings.
  • Situations in which direct access to the VPN from all processes/UIDs is not necessarily wanted, impairs performance, or presents an unacceptable risk of intrusion or data leakage.
  • Multiuser systems or container-based VPSes.
  • Other situations in which the openvpn user or program is not trusted to reconfigure a tun/tap device.

Is this feature related to a specific bug?

No response

Do you have a specific solution in mind?

May I ask you to implement socks2tun functionality in your software, i.e. read TUN data from the fd, pass it inside gVisor's TCP/IP stack and expose it as a SOCKS/HTTP proxy port? Your software is fast and cross-platform, this would be very handy, especially for Windows users where configuring multiple VPNs or VPN over proxy like Tor, where the destination IP address is dynamic, is borderline impossible.

This could also be adapted to other software and protocols; for example, I'm planning to make a plugin for strongSwan to support a userspace IPsec IKEv2 proxy as well.

ValdikSS commented 2 years ago

There was a similar proposal in #26, but without technical implementation details; that's why I opened a new one.

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

ValdikSS commented 2 years ago

@xjasonlyu, what do you think about this proposal? Is it hard to implement, or are you just not interested in this functionality in the tun2socks project?

xjasonlyu commented 2 years ago

Hi, sorry for the late reply. I haven't had enough time recently to make new features for this project, and I also think your proposal deserves a new socks2tun project rather than adding it as a feature.

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

paolosezart commented 1 year ago

I was also interested in the reverse functionality of socks2tun. And I would like to know if there are any plans to implement such a function or project?