Playing with a simple SOCKS5 proxy server on Digital Ocean and Ubuntu 16

A step by step explanation for non-technical users

Posted by snakers41 on April 13, 2018

A sock cat. A small pun intended.


TLDR


This article shows how to get your own SOCKS5 server up and running in 10-15 minutes on your personal VDS on Digital Ocean in 4 easy steps. It assumes that you are a professional PC user and by no means a professional system administrator.

Also, you will be able to create as many proxy logins and passwords for your friends and family as you want.

I basically assume that your knowledge and background are more or less similar to mine when I just started learning about Linux.

Why make your own proxy-server?

  • It's an opportunity and a good reason to learn new stuff (and boast to your girlfriend?);
  • There are lists of free proxies and even people who provide such proxies for free. But you can never be sure if they continue to maintain their services / whether their intentions are pure;
  • If required, you can always extend it to provide VPN or other services;
  • You will not depend on the providers mentioned above in case anything happens to them;
  • If you share access with your friends and family - it will become extremely cheap as well (basically US$5 per month / number of people, i.e. US$2.5 per person for 2 people, US$1 per person for 5 people, etc);


Introduction

There has been a lot of controversy recently regarding the government censorship of the Internet, especially in the CIS region. I will not focus on this, but I will just say that in the modern world it is becoming increasingly difficult to maintain access to the best sources of media / information / entertainment and have your own position not influenced by politics / corporate agenda and other external influences.

In any case, if for some reason you want to use any kind of VPN / proxy service, ultimately you have 3 choices:

  1. Use easily available tools (before writing this article I knew about simple ssh tunneling with Putty, but apparently you can use ssh for socks proxy as well);
  2. Use a B2C service, where you just enter your credentials (and your credit card credentials). Usually such services are more expensive. If they are not, then they are not really free: your data is being sold;
  3. A solution somewhere in the middle, where the majority of software and tools you use are open / free / non-proprietary (I am using these terms loosely, a difference between free and open software is a known reason for disputes);


Usually solutions under (1) are handy hacks that either require some fiddling all the time (you cannot just set them up and forget) or are not cross-platform. Option 2 may not work for your particular setup / be expensive (e.g. a browser VPN service costs as much as VDS rent, but a VDS can be shared among 5-10 people easily) / be too "marketing" heavy / be inflexible in the long term. If you can easily set up option 3, then usually you can just forget about it.



In a nutshell - any sort of proxy-like service works like this. Your client accesses a web page via another machine that serves as a proxy


A couple of notes before we start:

  • I have chosen Digital Ocean (DO) as a hosting provider for my proxy VDS, mainly because they have stellar support, APIs, product and services (and I already have a couple of droplets there. Where do you think this blog is hosted?);
  • If you do not want to get deep into the admin stuff, DO does the following for you (usually this is enough):
    • Assigns ssh keys to new droplets;
    • Creates snapshots;
    • Creates new droplets in 1 click;
  • I have borrowed heavily from these online manuals. Kudos to the guys behind them!
  • I have chosen only open-source software and I assume that you will also be using Ubuntu 16.04;
  • I will provide more guidance for Windows users, since blogs like the ones above usually assume that you have a Linux server hanging around;
  • If you use my referral link, you will get US$10 in Digital Ocean, so for the first 2 months you will essentially be using your own proxy for free (you can share it with a reasonable number of people, like your family and friends);


So, once again in caps,  USE MY LINK, AND PROXY WILL BE ESSENTIALLY FREE FOR 2 MONTHS FOR YOUR FRIENDS AND FAMILY AND YOU WILL LEARN STUFF =)


So, let's start!

Step 1 - get a VDS

It is as easy as:

  • Follow my link;
  • Create an account and add your billing information;
  • Select the cheapest option as described below (do not be afraid to mess up - you are billed per hour, so no worries there);




Just create a droplet. Menus may vary in future, but it's easy to navigate

Select Ubuntu 16.04 - I tested it on this system

Choose the cheapest option. Providers like Vultr or Hetzner are cheaper (basically you can find noname VDS for as low as US$1-2 per month), but DO has superior service

Choose the region which is closest to you


WAIT, but you may notice, that you do not have an ssh key in your account. If so, read a little bit about ssh keys (here and here) and let's proceed to step 2.

If you are a Windows user - do not be afraid, I will tell you how to easily work with SSH keys on Windows as well.


Step 2 - set up a proper way to access your VDS



A proper way to access your VDS from your PC / notebook


Well, if you are a Linux / Mac user, you probably already know how to generate ssh key pairs and how to use them. In this case, just upload your public ssh key to Digital Ocean and proceed to the next step.

Also, adding 2FA will not hurt (you can just use the Google Authenticator app for that).


This menu is hidden inside of Settings -> Security tab

Uploading your ssh key is as easy as copy-pasting your public key and adding a tag


There is a twist - DO expects your key to be in the format produced by the Linux ssh-keygen utility. It generally looks like this:

ssh-rsa AAAAB3NzaC ...7QpNuybOgF user@hostname


Now, this part will be interesting for Windows users.


I personally use Putty and PuttyGen for ssh access and key pair generation. You will need both Putty and PuttyGen. If you do not know about ssh, it's the basic method of controlling Linux servers; you can read about it here. If you are a Windows user, the ssh prompt is the same thing you get when you run cmd.exe in Windows.

Do not be afraid of it - actually it's very simple and easy!

But if you generate a key pair with PuttyGen, your public key will look different, something like this, which does not work with Ubuntu.

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20180413"
AAAAB3NzaC1yc2EAAAABJQAAAQEAuBflEQeTW9xfNI8N3krfFzxo8iU/NV/3cgxR
d2dkWZwYTaPaJsAoJFPtWhmsRuFuw7naZZOo/VFiqCuuYGaQcYRLrDqvfFjAusJg
B1ZK2YY57kz/ulzO9LqiVta+Fql4jL5244z9FNHF10YXbBZsmYQikAWJCItCxvZh
goY74Sfa5lPRfGojfC0xwayObJjqRcI9PS7z66ixRqO05vPMBekt/7fKoXQ+pUCP
LOVeH8AAWdaRWkvT6waCFSmjVBwfkHoghtR9pp/PZihAxpS5dM8H7AJXlvLEhNSp
6smFlkkz+XU3d3Z2FqSLV9K6pBNlNCRn+G/60xVtTqGDAsdPNw==
---- END SSH2 PUBLIC KEY ----
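
The block above is the RFC 4716 ("SSH2") export format, while DO expects the one-line OpenSSH form; the base64 body is the same in both. An added example (not from the original post) of the conversion, using a hypothetical function name and a constructed, truncated sample key:

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): convert an RFC 4716 ("SSH2")
# public key, as exported by PuttyGen, read from stdin into the one-line
# OpenSSH form "<type> <base64> [comment]".
ssh2_to_openssh() {
    key=$(tr -d '\r')                      # tolerate Windows line endings
    # Join the base64 body; skip everything outside the markers and any
    # "Name: value" header (a header ending in "\" continues on the next line).
    b64=$(printf '%s\n' "$key" | awk '
        /^---- BEGIN SSH2 PUBLIC KEY ----/ { inside = 1; next }
        /^---- END SSH2 PUBLIC KEY ----/   { inside = 0; next }
        !inside                            { next }
        cont || /^[A-Za-z0-9-]+:/          { cont = /\\$/; next }
        { gsub(/[ \t]/, ""); body = body $0 }
        END { printf "%s", body }')
    comment=$(printf '%s\n' "$key" | sed -n 's/^Comment: *//p' | head -n 1 | tr -d '"')
    # The decoded blob starts with a 4-byte big-endian length, then the key type.
    len=$(printf '%s' "$b64" | base64 -d 2>/dev/null | od -An -tu1 -N4 |
          awk 'NF == 4 { print $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }')
    case "$len" in
        ''|*[!0-9]*) echo "not an SSH2 public key" >&2; return 1 ;;
    esac
    [ "$len" -ge 1 ] && [ "$len" -le 64 ] || { echo "implausible key type" >&2; return 1; }
    type=$(printf '%s' "$b64" | base64 -d 2>/dev/null | tail -c +5 | head -c "$len")
    printf '%s %s%s\n' "$type" "$b64" "${comment:+ $comment}"
}

# Constructed sample in the PuttyGen export layout (truncated body, not a usable key)
SAMPLE_KEY='---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20180413"
AAAAB3NzaC1yc2EAAAADAQAB
AAAAASo=
---- END SSH2 PUBLIC KEY ----'

printf '%s\n' "$SAMPLE_KEY" | ssh2_to_openssh
```

Where OpenSSH is installed, `ssh-keygen -i -f key.pub` performs the same conversion.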


The easiest way to ensure that your key pair works with DO is the following set of steps:

  1. Create a key using a Linux utility as described here. You will use the public key from here in DO;
  2. Save the newly created public and private key somewhere on your PC / notebook;
  3. Load the private key in PuttyGen via Conversions -> Import key;
  4. Then press "save private key" - you will use this key with Putty later;



Converting key in PuttyGen. Also note the "Save private key" button


Wait, but what if you do not have access to a Linux console? You can generate a key pair using one of the options below:

  1. Create a droplet with DO, reset root password (see image below), access it via online console. Create a key pair there, and use "cat" to display it;
  2. Create a droplet with DO, reset root password (see image below), access it via Putty using login and password;
  3. In both cases - it will be easier just to create a new droplet afterwards with a proper key already installed (or you can learn to install ssh keys as well);


Sometimes copying data from online terminals may be an issue.


This menu in DO allows you to reset root password and / or launch online terminal


Finally to access your Droplet with Putty using your key, you have to:

  1. Create a new connection in Putty;
  2. Type in your host name / IP address and port (by default it is 22);
  3. Type in the name for your preset and press "save";
  4. Go to data -> Auto-login username and input root;
  5. Go to data -> SSH -> Auth and select a private key that you have saved with PuttyGen;
  6. Do not forget to go back to session -> save after doing all the settings;


Do not forget to go back to session -> save after doing all the settings


Step 3 - set up your VDS and proxy server

Now I assume that you have your VDS and your ssh terminal with root access ready. Nice!

Also remember, if you break anything, you can just delete your droplet and start again. Also, when you are finished, you can use snapshots to save your progress.


Creating a snapshot in DO


So, basically the whole list of set up commands looks like this, but we will go line by line and explain what does what.


# update packages
sudo apt-get update

# https://www.tazdij.com/post/setup-dante-1.4.1-sockd-dante-server-on-ubuntu-16.04
cd /opt/
mkdir dante-server
cd dante-server

# download from the official website
# https://www.inet.no/dante/doc/
wget https://www.inet.no/dante/files/dante-1.4.1.tar.gz
tar -xvf dante-1.4.1.tar.gz
cd dante-1.4.1

# dependencies
apt-get install libwrap0 libwrap0-dev
apt-get install gcc make

# compilation from source
mkdir /home/dante
./configure --prefix=/home/dante
make
make install

# use this config
# for details refer here
# https://la2ha.ru/dev-seo-diy/unix/socks5-proxy-server-ubuntu
# this where the conf will be stored /home/dante/danted.conf
echo '
logoutput: syslog /var/log/danted.log
internal: eth0 port = 1080
external: eth0

socksmethod: username
user.privileged: root
user.unprivileged: nobody

client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: error
}

socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: connect
    log: error
    method: username
}' > /home/dante/danted.conf
# run the server once
/home/dante/sbin/sockd -f /home/dante/danted.conf

# run the server as a daemon
/home/dante/sbin/sockd -f /home/dante/danted.conf -D

# do not forget to create the user
sudo useradd -m soksuser && sudo passwd soksuser
# you then need to input your ip-address(hostname), login, password, port (1080 in this case) to your sock5 client

# basic ufw installation
sudo apt-get install ufw
sudo ufw status

# https://wiki.dieg.info/socks
sudo ufw allow ssh
sudo ufw allow proto tcp from any to any port 1080
sudo ufw status numbered
sudo ufw enable

# now we need to make sure that the service runs on reboot
# start daemon on reboot
sudo apt-get install cron
crontab -e
# insert this into crontab

#Borrowed from anacron
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# MAILTO: put your own address here (placeholder shown)
MAILTO=you@example.com
#End borrowed from anacron
# * * * * * echo 'Run this command every minute' >> file.log
@reboot /home/dante/sbin/sockd -f /home/dante/danted.conf -D


Usually it is a good idea to update your Linux packages to make sure that you are up-to-date. On a fresh droplet it's standard practice anyway.

# update packages
sudo apt-get update


This bit basically downloads the source of the program used for socks5 proxy and just installs it from source. Refer to the original blog post for more details.


# https://www.tazdij.com/post/setup-dante-1.4.1-sockd-dante-server-on-ubuntu-16.04
cd /opt/
mkdir dante-server
cd dante-server

# download from the official website
# https://www.inet.no/dante/doc/
wget https://www.inet.no/dante/files/dante-1.4.1.tar.gz
tar -xvf dante-1.4.1.tar.gz
cd dante-1.4.1

# dependencies
apt-get install libwrap0 libwrap0-dev
apt-get install gcc make

# compilation from source
mkdir /home/dante
./configure --prefix=/home/dante
make
make install

Now for the config. Note that I used a config from a different blog post: I wanted to install from source (this package is not really popular, so I would not rely on somebody uploading it to an Ubuntu PPA), but I also wanted password-based authentication.


# use this config
# for details refer here
# https://la2ha.ru/dev-seo-diy/unix/socks5-proxy-server-ubuntu
# this where the conf will be stored /home/dante/danted.conf
echo '
logoutput: syslog /var/log/danted.log
internal: eth0 port = 1080
external: eth0

socksmethod: username
user.privileged: root
user.unprivileged: nobody

client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: error
}

socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: connect
    log: error
    method: username
}' > /home/dante/danted.conf
# run the server once
/home/dante/sbin/sockd -f /home/dante/danted.conf

# run the server as a daemon
/home/dante/sbin/sockd -f /home/dante/danted.conf -D


Also note that after running /home/dante/sbin/sockd -f /home/dante/danted.conf you will have to press Ctrl+C to stop the program. The next command runs it as a daemon.

This bit creates a user for your socks5 server. You need to remember these credentials and use them in your client later. A Linux prompt will ask for the password.

# do not forget to create the user
sudo useradd -m soksuser && sudo passwd soksuser
# you then need to input your ip-address(hostname), login, password, port (1080 in this case) to your sock5 client


Then you need to install and enable ufw as a basic firewall. Note that enabling ufw before you allow ssh may be a very bad idea. 

# basic ufw installation
sudo apt-get install ufw
sudo ufw status

# https://wiki.dieg.info/socks
sudo ufw allow ssh
sudo ufw allow proto tcp from any to any port 1080
sudo ufw status numbered
sudo ufw enable


Now you need to make sure that the daemon starts on reboot. Some time ago I found a nice template for crontab, which I use for such cases. Note that after crontab -e a text editor will open and you will need to copy the cron config below into the file. You can test that cron works by uncommenting the commented line below.

# now we need to make sure that the service runs on reboot
# start daemon on reboot
sudo apt-get install cron
crontab -e
# insert this into crontab

#Borrowed from anacron
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# MAILTO: put your own address here (placeholder shown)
MAILTO=you@example.com
#End borrowed from anacron
# * * * * * echo 'Run this command every minute' >> file.log
@reboot /home/dante/sbin/sockd -f /home/dante/danted.conf -D


Step 4 - enjoy

Now let's create a user and a password and try it with a client that supports SOCKS5 proxies, like Telegram.

sudo useradd -m soksuser && sudo passwd soksuser


Hostname is your droplet's IP address. Port is from dante config. Login and password are chosen by you.




Step 5 - some limitations

Well, if you are a Windows user, it looks like in 2018 most browsers use Windows' own proxy settings. Sadly, these do not contain login and password fields for SOCKS proxies =(

One of the guides above contains a conf file for a proxy without a password, but I would not risk it, because bot scanners will quickly add your proxy to a free proxy list (it usually happens within hours).

If you know how to bypass it - please write in comments below. Ofc, there is an obvious idea - allow traffic only from one IP address via ufw, but this is not what I wanted to achieve in the first place.
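
The concern above (a config without a password ending up on free proxy lists) can be checked mechanically before the daemon is started. The following is an added example, not from the original post: a hypothetical `audit_danted_conf` helper, run over this page's config and a constructed no-password variant.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): audit a danted.conf read
# from stdin. Prints one finding per line and returns 1 if any rule or the
# global setting accepts clients without authentication.
audit_danted_conf() {
    awk '
        { sub(/#.*/, "") }                                   # drop comments
        /^[ \t]*(client|socks)[ \t]+pass[ \t]*[{]/ { rule = $1 " pass" }
        # "method:" is the older spelling of "socksmethod:"; both list auth methods
        /^[ \t]*(socks)?method[ \t]*:/ {
            where = (rule == "") ? "global" : rule
            for (i = 2; i <= NF; i++)
                if ($i == "none") { print "OPEN-PROXY " where ": method none"; bad = 1 }
        }
        rule != "" && /from[ \t]*:[ \t]*0\.0\.0\.0\/0/ {
            print "ANY-SOURCE " rule ": from 0.0.0.0/0"
        }
        /[}]/ { rule = "" }                                   # end of a rule
        END { exit bad + 0 }
    '
}

# The relevant lines of the config from this page (password auth, any source)
PAGE_CONF='socksmethod: username
client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: error
}
socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: connect
    method: username
}'

# Constructed variant without a password, the kind of config the text warns about
NOAUTH_CONF=$(printf '%s\n' "$PAGE_CONF" | sed 's/method: username/method: none/')

printf '%s\n' "$PAGE_CONF"   | audit_danted_conf || true
printf '%s\n' "$NOAUTH_CONF" | audit_danted_conf || true
```

The ANY-SOURCE lines mark where the ufw restriction mentioned above, or a narrower from: network, would apply.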


