{"id":13392878,"url":"https://github.com/darkk/redsocks","last_synced_at":"2025-04-09T11:03:42.777Z","repository":{"id":423687,"uuid":"43651","full_name":"darkk/redsocks","owner":"darkk","description":"transparent TCP-to-proxy redirector","archived":false,"fork":false,"pushed_at":"2024-06-29T14:46:22.000Z","size":782,"stargazers_count":3416,"open_issues_count":76,"forks_count":872,"subscribers_count":123,"default_branch":"master","last_synced_at":"2025-04-02T09:36:25.087Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"http://darkk.net.ru/redsocks","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/darkk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2008-08-18T17:09:07.000Z","updated_at":"2025-04-01T03:58:14.000Z","dependencies_parsed_at":"2023-02-13T22:46:06.782Z","dependency_job_id":"d13b39cd-c7a9-4885-994a-10ee613626fa","html_url":"https://github.com/darkk/redsocks","commit_stats":{"total_commits":203,"total_committers":12,"mean_commits":"16.916666666666668","dds":0.3645320197044335,"last_synced_commit":"19b822e345f6a291f6cff6b168f1cfdfeeb2cd7d"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darkk%2Fredsocks","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darkk%2Fredsocks/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darkk%2Fredsocks/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darkk%2Fredsocks/manifes
ts","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/darkk","download_url":"https://codeload.github.com/darkk/redsocks/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248027404,"owners_count":21035594,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-30T17:00:38.577Z","updated_at":"2025-04-09T11:03:42.750Z","avatar_url":"https://github.com/darkk.png","language":"C","funding_links":[],"categories":["C","\u003ca id=\"1a9934198e37d6d06b881705b863afc8\"\u003e\u003c/a\u003e通信\u0026\u0026代理\u0026\u0026反向代理\u0026\u0026隧道","\u003ca id=\"d03d494700077f6a65092985c06bf8e8\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca id=\"56acb7c49c828d4715dce57410d490d1\"\u003e\u003c/a\u003e未分类-Proxy","\u003ca id=\"57b8e953d394bbed52df2a6976d98dfa\"\u003e\u003c/a\u003eSocks"],"readme":"# redsocks – transparent TCP-to-proxy redirector\n\nThis tool allows you to redirect any TCP connection to SOCKS or HTTPS\nproxy using your firewall, so redirection may be system-wide or network-wide.\n\nWhen is redsocks useful?\n\n* you want to route part of TCP traffic via OpenSSH `DynamicForward` Socks5\n  port using firewall policies. That was original redsocks development goal;\n* you use DVB ISP and this ISP provides internet connectivity with some\n  special daemon that may be also called \"Internet accelerator\" and the\n  accelerator acts as a proxy and has no \"transparent proxy\" feature and you\n  need it. 
[Globax](http://www.globax.biz) was an example of such an accelerator,\n  but Globax 5 has transparent proxy feature. That was the second redsocks'\n  development goal;\n* you have to pass traffic through proxy due to corporate network limitation.\n  That was never a goal for redsocks, but users have reported success with\n  some proxy configurations.\n\nWhen is redsocks probably a wrong tool?\n\n* redirecting traffic to [tor](https://www.torproject.org). First, you **have**\n  to [use tor-aware software for anonymity](https://www.torproject.org/download/download.html.en#warning).\n  Second, [use `TransPort`](https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy)\n  if you don't actually need anonymity. Third, question everything :-)\n* trying to redirect traffic of significant number of connections over single\n  SSH connection. That's not exactly [TCP over TCP](http://sites.inka.de/bigred/devel/tcp-tcp.html),\n  but [head-of-line blocking](https://en.wikipedia.org/wiki/Head-of-line_blocking)\n  will still happen and performance of real-time applications (IM, interactive\n  Web applications) may be degraded during bulk transfers;\n* trying to make non-transparent HTTP-proxy (not HTTPS-proxy) transparent using\n  `http-relay` module. First, it will likely be broken as the code is a hack.\n  Second, the code is vulnerable to `CVE-2009-0801` and is unlikely to ever be fixed;\n* making \"really\" transparent proxy, redsocks acts at TCP level, so three-way\n  handshake is completed and redsocks accepts connection before connection\n  through proxy (and _to_ proxy) is established;\n* trying to redirect traffic of significant number of connections in\n  resource-constrained environment like SOHO Linux router. 
Throughput of single\n  connection may be good enough like 40 Mbit/s\n  on [TP-Link TD-W8980](https://wiki.openwrt.org/toh/tp-link/td-w8980),\n  but amount of concurrent connections may be limiting factor as TCP buffers\n  are still consumed;\n* redirecting traffic to proxy on mobile device running Android or iOS as it'll require\n  [rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) to update firewall\n  rules. Probably, the better way is to use on-device VPN daemon to intercept\n  traffic via [`VpnService` API for Android](https://developer.android.com/reference/android/net/VpnService.html)\n  and [`NETunnelProvider` family of APIs for iOS](https://developer.apple.com/documentation/networkextension).\n  That may require some code doing [TCP Reassembly](https://wiki.wireshark.org/TCP_Reassembly)\n  like [`tun2socks`](https://github.com/ambrop72/badvpn/wiki/Tun2socks).\n\nLinux/iptables is supported.  OpenBSD/pf and FreeBSD/ipfw may work with some\nhacks. The author has no permanent root access to machines running OpenBSD,\nFreeBSD and MacOSX to test and develop for these platforms.\n\n[Transocks](http://transocks.sourceforge.net/) is a similar project but it has\na noticeable performance penalty.\n\n[Transsocks_ev](http://oss.tiggerswelt.net/transocks_ev/)\nis a similar project too, but it has no HTTPS-proxy support\nand does not support authentication.\n\nSeveral Android apps also use redsocks under-the-hood:\n[ProxyDroid](https://github.com/madeye/proxydroid)\n[\u003ci class=\"fa fa-play\"\u003e\u003c/i\u003e](https://market.android.com/details?id=org.proxydroid) and\n[sshtunnel](https://code.google.com/archive/p/sshtunnel/)\n[\u003ci class=\"fa fa-play\"\u003e\u003c/i\u003e](https://market.android.com/details?id=org.sshtunnel).\nAnd that's over 1'500'000 downloads! 
Wow!\n\n## Features\n\nRedirect any TCP connection to Socks4, Socks5 or HTTPS (HTTP/CONNECT)\nproxy server.\n\nLogin/password authentication is supported for Socks5/HTTPS connections.\nSocks4 supports only username; the password is ignored. For HTTPS, currently\nonly the Basic and Digest schemes are supported.\n\nRedirect UDP packets via Socks5 proxy server. NB: UDP still goes via UDP, so\nyou can't relay UDP via OpenSSH.\n\nHandle DNS/UDP queries sending \"truncated reply\" as an answer or making them\nDNS/TCP queries to some recursive resolver.\n\nRedirect any HTTP connection to proxy that does not support transparent\nproxying (e.g. old SQUID had broken `acl myport` for such connections).\n\n### Enforcing DNS over TCP using `dnstc`\n\nDNS is running over UDP and it may be an issue in some environments as proxy\nservers usually don't handle UDP as a first-class citizen.  Redsocks includes\n`dnstc`, a fake and really dumb DNS server that returns \"truncated answer\"\nto every query via UDP. An RFC-compliant resolver should repeat the same query via TCP\nin this case - so the request can be redirected using usual redsocks facilities.\n\nKnown compliant resolvers are:\n\n* bind9 (server);\n* dig, nslookup (tools based on bind9 code).\n\nKnown non-compliant resolvers are:\n\n* eglibc resolver fails without any attempt to send request via TCP;\n* powerdns-recursor can't properly start up without UDP connectivity as it\n  can't load root hints.\n\nOn the other hand, DNS via TCP using bind9 may be painfully slow.\nIf your bind9 setup is really slow, you may want to try\n[pdnsd](http://www.phys.uu.nl/~rombouts/pdnsd.html) caching server\nthat can run in TCP-only mode.\n\n### Relaying DNS/UDP to DNS/TCP via `dnsu2t`\n\nThe code acts as DNS server that multiplexes several UDP queries into single\nstream of TCP queries over keep-alive connection to upstream DNS server that\nshould be recursive resolver. 
TCP connection may be handled by `redsocks`\nitself if firewall is configured with corresponding rules.\n\nDifferent resolvers have different timeouts and allow different count of\nin-flight connections, so you have to tune options yourself for optimal\nperformance (with some black magic, as script testing for optimal DNS/TCP\nconnection parameters is not written yet).\n\nThere are other programs doing a similar job (with, probably, different bugs)\n\n* [ttdnsd](http://www.mulliner.org/collin/ttdnsd.php)\n* [dns2socks](https://github.com/qiuzi/dns2socks) for Windows\n* [tcpdnsproxy](https://github.com/jtripper/dns-tcp-socks-proxy)\n\n## Source\n\nSource is available at [\u003ci class=\"fa fa-github\"\u003e\u003c/i\u003e GitHub](https://github.com/darkk/redsocks).\n\nIssue tracker is also at GitHub, but keep in mind that the project is not\nactively maintained, so feature requests are unlikely to be implemented within\na reasonable timeframe.  Reproducible bugs having a clean description will likely be\nfixed. 
Destiny of hard-to-reproduce bugs is hard to predict.\n\nNew network protocols will unlikely be implemented within this source tree, but\nif you're seeking for censorship circumvention protocols, you may want to take\na look at [redsocks2](https://github.com/semigodking/redsocks) by Zhuofei Wang\nAKA @semigodking who is actively maintaining the fork with GFW in mind.\n\n## License\n\nAll source code is licensed under Apache 2.0 license.\nYou can get a copy at http://www.apache.org/licenses/LICENSE-2.0.html\n\n## Packages\n\n* Archlinux: https://aur.archlinux.org/packages/redsocks-git\n* Debian: http://packages.debian.org/search?searchon=names\u0026keywords=redsocks\n* Gentoo (zugaina overlay): http://gpo.zugaina.org/net-proxy/redsocks\n* Gentoo: https://packages.gentoo.org/packages/net-proxy/redsocks\n* Ubuntu: http://packages.ubuntu.com/search?searchon=names\u0026keywords=redsocks\n\n## Compilation\n\n[libevent-2.0.x](http://libevent.org/) is required.\n\ngcc and clang are supported right now, other compilers can be used\nbut may require some code changes.\n\nCompilation is as easy as running `make`, there is no `./configure` magic.\n\nGNU Make works, other implementations of make were not tested.\n\n## Running\n\nProgram has following command-line options:\n\n* `-c` sets proper path to config file (\"./redsocks.conf\" is default one)\n* `-t` tests config file syntax\n* `-p` set a file to write the getpid() into\n\nFollowing signals are understood:\nSIGUSR1 dumps list of connected clients to log,\nSIGTERM and SIGINT terminates daemon, all active connections are closed.\n\nYou can see configuration file example in [redsocks.conf.example](https://github.com/darkk/redsocks/blob/master/redsocks.conf.example).\n\n### iptables example\n\nYou have to build iptables with connection tracking and REDIRECT target.\n\n```\n# Create new chain\nroot# iptables -t nat -N REDSOCKS\n\n# Ignore LANs and some other reserved addresses.\n# See 
http://en.wikipedia.org/wiki/Reserved_IP_addresses#Reserved_IPv4_addresses\n# and http://tools.ietf.org/html/rfc5735 for full list of reserved networks.\nroot# iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN\nroot# iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN\nroot# iptables -t nat -A REDSOCKS -d 100.64.0.0/10 -j RETURN\nroot# iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN\nroot# iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN\nroot# iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN\nroot# iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN\nroot# iptables -t nat -A REDSOCKS -d 198.18.0.0/15 -j RETURN\nroot# iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN\nroot# iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN\n\n# Anything else should be redirected to port 12345\nroot# iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345\n\n# Any tcp connection made by `luser' should be redirected.\nroot# iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner luser -j REDSOCKS\n\n# You can also control that in more precise way using `gid-owner` from\n# iptables.\nroot# groupadd socksified\nroot# usermod --append --groups socksified luser\nroot# iptables -t nat -A OUTPUT -p tcp -m owner --gid-owner socksified -j REDSOCKS\n\n# Now you can launch your specific application with GID `socksified` and it\n# will be... socksified. 
See following commands (numbers may vary).\n# Note: you may have to relogin to apply `usermod` changes.\nluser$ id\nuid=1000(luser) gid=1000(luser) groups=1000(luser),1001(socksified)\nluser$ sg socksified -c id\nuid=1000(luser) gid=1001(socksified) groups=1000(luser),1001(socksified)\nluser$ sg socksified -c \"firefox\"\n\n# If you want to configure socksifying router, you should look at\n# doc/iptables-packet-flow.png, doc/iptables-packet-flow-ng.png and\n# https://en.wikipedia.org/wiki/File:Netfilter-packet-flow.svg\n# Note, you should have proper `local_ip' value to get external packets with\n# redsocks, default 127.0.0.1 will not go. See iptables(8) manpage regarding\n# REDIRECT target for details.\n# Depending on your network configuration iptables conf. may be as easy as:\nroot# iptables -t nat -A PREROUTING --in-interface eth_int -p tcp -j REDSOCKS\n```\n\n### Note about GID-based redirection\n\nKeep in mind, that changed GID affects filesystem permissions, so if your\napplication creates some files, the files will be created with luser:socksified\nowner/group. So, if you're not the only user in the group `socksified` and your\numask allows to create group-readable files and your directory permissions, and\nso on, blah-blah, etc. THEN you may expose your files to another user.\nOk, you have been warned.\n\n## Homepage\n\nhttp://darkk.net.ru/redsocks/\n\nMailing list: [redsocks@librelist.com](mailto:redsocks@librelist.com).\n\nMailing list also has [archives](http://librelist.com/browser/redsocks/).\n\n## Author\n\nThis program was written by Leonid Evdokimov \u003cleon@darkk.net.ru\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarkk%2Fredsocks","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdarkk%2Fredsocks","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarkk%2Fredsocks/lists"}