SS5 SOCKS Proxy
UPDATE: SS5 blows donkey snot! Do NOT use it!!!!! It crashes, was written for init.d systems from half a decade ago (and didn't even work right then). It doesn't handle UDP requests (like for DNS, which will crash it).
SOLUTION / ALTERNATIVE: Dante-Server (click the link to read up on it)
...this isn't a "how to" article. Just some tips on getting a SOCKS Proxy working.
Read this first: https://en.wikipedia.org/wiki/SOCKS
This is the SOCKS Proxy software I chose: http://ss5.sourceforge.net/project.htm Complicated and way overkill for what I needed, but it worked. It also seems to be a bit old (2013) and not developed anymore, but solid and worked like it should. Maybe it is a mature product and doesn't need improvements.
Instead of compiling it from source code, and given that it's about half a decade old, I figured someone made an RPM for CentOS. But they didn't, so I followed the directions here: https://kenelm1985.wordpress.com/2016/07/28/socks5-server-setup-on-redhat-enterprise-linux-7/ and downloaded the source from here: https://rpmfind.net/linux/rpm2html/search.php?query=ss5 and made my own RPM which ended up here /MyHomeDirectory/rpmbuild/RPMS and then I installed it using YUM.
For configuration the default configuration worked fine and the only item(s) necessary (per the above instructions) were to add settings in the authorization section of the /etc/opt/ss5/ss5.conf file;
permit - MySubnetIP/24 - 0.0.0.0/0 - - - - -
By default SS5 listens on port 1080. Since my environment uses OpenVPN VPNs and SS5 is not exposed publicly, there wasn't any additional configuration to do or stuff to worry about.
As noted above the software is more than half a decade old. In my case it meant it wasn't build for the CentOS 7 systemctl "Unit" world, but it worked with a couple of modifications. The SS5 software did not automatically create a directory for its PID file, so added the /var/run/ss5 directory and it was able to add the PID file. The permission on the /etc/init.d/ss5 file had to be changed: chmod 755 /etc/init.d/ss5 and then systemctl enable ss5 worked correctly as did systemctl start ss5.
From there I checked it with my "client software" (which has SOCKS Proxy client capability built in) and verified that it worked. After that it was a matter of making sure the software only connected through the SOCKS Proxy which meant checking off every "Use..." and "Disable..." box under the Connection Section. Tested again by turning the SS5 SOCKS Proxy off which resulted in nothing happening from my client, then turning SS5 back on and everything worked. That meant all traffic for that client was routed through the SS5 SOCKS Proxy. And I verified it with this command (and saw a bazillion connections related to SS5): netstat -anp | grep ss5. Double verified it by noticing there was almost zero traffic through the host computer's default gateway router and a lot of bandwidth through a separate VPN router.
My client software is a bandwidth hog, so all the other traffic flowing through the VPN tunnel was very slow. Oh, well.
And now the subject of log file size. WOW! Nothing seemed to stop it. Every example I looked for controlling it via the CONF file did not work and produced an error in the log file. Maybe my RPM build didn't include some environmental variables? But then I looked at the source code. To set syslog level, in the .conf file: set SS5_SYSLOG_LEVEL to any number didn't work. One has to use undocumented settings like LOG_ERR, etc (from https://github.com/postageapp/ss5/blob/master/src/SS5Utils.c), and that only served to make the lines invisible, IE, it kept adding to the log file and increasing its size, so that was useless. None of the other variables worked (SS5_LOG_FILE, etc.)
At a certain point one has to give up, but I didn't. Instead I changed strategies. I noticed the ss5 binary had a command line switch (-m) that turned logging off, so I modified the /etc/init.d/ss5 file, adding three -m switches in the "start section" of the file;
# Start daemon.
echo -n "Starting ss5... "
if [ $OS = "Linux" ]; then
daemon /usr/sbin/ss5 -m -t $SS5_OPTS
if [ $OS = "SunOS" ]; then
/usr/sbin/ss5 -m -t
/usr/local/sbin/ss5 -m -t
...and good to go. It still creates the log file, but the size remains zero. Make sure to run systemctl daemon-reload when the /etc/init.d/ss5 file is modified and don't forget to remove any variables from the /etc/opt/ss5/ss5.conf file that don't work as this will prevent the service from starting.
Several additional observations after some usage;
- Using systemctl start ss5 was not always reliable (especially after a crash, see below), so used the service ss5 start command, which seems to only convert to the equivalent systemctl command, but makes ss5 happy.
- My client has a setting related to using proxy for host name lookups which crashes the SS5 service. Nothing in the log file (system or SS5 log), even when set to debug level. So I disabled that setting, all good to go.