Socks proxy and shadowsocks

Recently I had an interesting encounter with SSH tunneling. I was searching for some option to access one VPS with Scaleway, with no public access from outside. I’ve another VPS in Scaleway with public access. Actually VPS with no public IP comes at €1.99/per month. I was thinking to host one MySQL server in that VPS. But the main problem arose, was how to access that server. After some search, I came to know, SSH tunneling is ideal for this scenario and it’s very easy to do also. In my office I use Windows workstation. There I’ve installed Git and for that I get Git Bash. And during installation I had checked the option to make all the unix tools available in path. So, I can use ssh, ls, mkdir, awk, grep, rm, sed all the useful commands. SSH is tunnel is also possible with Putty.

There are three types of tunnels can be made with ssh.

• local
• remote
• dynamic

Of this three, the last one dynamic is of real interest for us, in regard to the socks proxy. But before that, let’s get into that topic slowly. First let’s review the other two and see their possibility and scope.

Local Tunnels

Local tunnels make remote resources available locally. Suppose a MySQL server is running on the remote machine A behind a firewall and we have ssh access to another machine B in the same network as A. Then to access the MySQL server in A, we can invoke,

# -N: do not execute remote commands
# -L: bind address locally

# local_port:A_IP or A_FQDN:A_Port_To_Bind
# binding to the local port 3309 with the remote port 3309
ssh -N -L 3309:aa.aa.aa.aa:3309 username_on_B@bb.bb.bb.bb

# another usecase, though not so practical, if A is accessible
# and for some reason MySQL port is required as local port
ssh -N -L 3309:aa.aa.aa.aa:3309 username_on_A@aa.aa.aa.aa

# optionally if local is bound to more than one IP address
# it is possible to specify local IP to bind
ssh -N -L ll.ll.ll.ll:3309:aa.aa.aa.aa:3309 username_on_A@aa.aa.aa.aa

Remote Tunnels

This kind of tunnels are rarely used. It’s just opposite to the previous one. Instead of using -L we have to use -R

# the host part is mandatory, so we have to use either of
# 127.0.0.1, localhost, 0.0.0.0
ssh -R 3309:127.0.0.1:3309 username_on_B@bb.bb.bb.bb

Dynamic Tunnels

This is of the most interest regarding the discussion about SOCKS proxy. For dynamic tunnels, we don’t have to give any specific remote port, though we have use one specific local port, that we want to pass all our traffic through.

# choice of local port is very important, but the ports
# 465, 587, 993 generally kept open even in very restrictive environments
ssh -D 8888 username_on_B@bb.bb.bb.bb

Dynamic tunnels creates light weight SOCKS proxy, that we can use to annonymize our browsing. SOCKS proxy is app level proxy. So it works at Application Chrome and IE uses system proxy. But in Firefox, we can set proxy. Paste about:preferences#advanced in the address-bar of Firefox and enter. Click on the Settings button related to Connection. Choose Manual Proxy Configuration, put 127.0.0.1 in the host and specified port for Socks Host. Leave all the others blank.

Don’t forget to check the option Proxy DNS when using SOCKS v5. This option is available in newer version of Firefox. If this is checked, Firefox will try to use the DNS of the remote host, through which the proxy has been configured.

Also, we need to prevent the WebRTC leak. Type about:config in the address-bar and enter. Click on the button containing the text I accept the risk or similar like it. Search for media.peerconnection.enabled and double click it to make this flag false.

Navigate to the site ipleak.net and see if the intended IP is shown. Also don’t forget to check the DNS list. Sometimes DNS list exposes our actual location. If the DNS of your ISP is shown, try to change the nameserver inside the router or network adapter of PC. Google DNS or Free DNS responses are quite fast.

socks5 proxy with ShadowSocks

Dynamic tunnels make use of SSH protocol to exchange network packets. A more sophisticated and secure option may be Shadowsocks. This uses altogether a new protocol. And it uses a different approach to encrypt and decrypt network packets. On top of Socks5, it uses a pre-specified password in server and client both to encrypt and decrypt. So, if the password is secure enough, it’s next to impossible to decrypt the packets.

Shadowsocks is very easy to configure. Unless we are deploying it as a service, it does not require much resource also. For personal use, low end servers from Linode, Vultr, Digital Ocean, Amazon Lightsail, Scaleway, Rackulous, Contabo can be used. All the them have reasonably good performance and reputation as VPS providers. Here three things should be considered during the selection of provider,

• location
• price
• bandwidth

I’m using Linode with 1GB RAM, 1 shared CPU core, 1 TB bandwidth for the minimum plan of $5 per month. Performance of the VPS is pretty decent and as I’m using shadowsocks-libev, it’s almost nothing on the server. shadowsocks-libev is a Shadowsocks implementation in C. So, it’s fast and requires less resource. Other options can be viewed from here.

Here I’m giving a no-frill instructions to setup a Shadowsocks server on Ubuntu 16.04.

# install required softwares
apt-get install --no-install-recommends build-essential autoconf libtool haveged automake \
        libssl-dev gawk debhelper dh-systemd init-system-helpers pkg-config asciidoc \
        xmlto apg libpcre3-dev zlib1g-dev libev-dev libudns-dev libsodium-dev libmbedtls-dev

cd /usr/local/src
git clone https://github.com/shadowsocks/shadowsocks-libev.git
cd shadowsocks-libev
git submodule update --init

# build and install
./autogen.sh && ./configure && make && make install

# this is a hack to create the autostart scripts
add-apt-repository ppa:max-c-lv/shadowsocks-libev
apt-get update
apt install shadowsocks-libev

# configure the server correctly
vim /etc/shadowsocks-libev/config.json

apt-get remove shadowsocks-libev

# change the "DAEMON" localtion to '/usr/local/bin/ss-server'
vim /etc/init.d/shadowsocks-libev

# make the server configuration file as specified below

# reload reload daemons
systemctl daemon-reload

# restart the server
/etc/init.d/shadowsocks-libev restart # if any error occurs try with just 'start'

Server configuration should be put in the file /etc/shadowsocks-libev/config.json

{
    "server":"xx.xx.xx.xx",
    "server_port": 1234,
    "local_port": 1234,
    "password":"long-non-guessable-password",
    "timeout": 600,
    "method":"chacha20-ietf-poly1305"
}

There are a lot of options for clients of Shadowsocks. Install on Android or iPhone or on desktop and start to use proxy anywhere. I personally use on my Android set. It does not drain battery like the openVPN clients.

Though proxy is used for anonymity. It helps us to keep ourselves private. But let’s not use this to harm someone. Great power comes with great responsibility. Use them carefully.