by qersist3nce 1554 days ago
So at this point it is ready for passing traffic through a SOCKS proxy. Meaning we can `cargo run --release -- proxy` and redirect applications to use port `9150` for their network connections.

Couple of related questions:

- Does anyone know, in a Linux distro, how to pass all system traffic through a SOCKS proxy port? I'm not looking for intermediary proxy handlers but an official method to force all user and system apps to use an arbitrary port.

- If it is not possible to do so, does `NetworkManager` have a setting for this?

- Is it possible to at least change Chrome/Firefox ports via CLI to an arbitrary port?

8 comments

I don't think you can generally expect all processes to transparently use a SOCKS proxy? You might be able to finagle a custom vpn around it, I suppose. But AFAIK SOCKS isn't 100% transparent at the IP layer allowing all protocols to transparently layer on top?

I guess SOCKS5 handles tcp and udp - so you might get away with redsocks (which explicitly recommends against using with TOR):

https://github.com/darkk/redsocks

See also transocks (SOCKS4 tcp only): https://transocks.sourceforge.net

And transocks (in go) https://github.com/cybozu-go/transocks

Ed: see also https://news.ycombinator.com/item?id=30684574

Does anyone know how TAILS accomplishes this, then? It doesn't rely on a relay like Whonix does, but I'm not a networking expert or a Linux expert, so I'm not altogether sure how it does work.

TAILS has a very simple approach:

- Configure all applications to use Tor with the SOCKS proxy

- Block all non-Tor traffic with iptables

https://tails.boum.org/contribute/design/Tor_enforcement
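A concrete form of the second bullet, added here as an example and not taken from the Tails design document: a Python helper that builds a default-deny OUTPUT ruleset in which only the Tor daemon's uid may open new outbound connections, plus a sanity check that the generated chain really ends in a REJECT. The uid name `debian-tor`, the chain layout and the `leaks_possible` check are assumptions of this example; the real Tails rules are in the linked page.

```python
"""Default-deny egress in the spirit of Tails' Tor enforcement (added example).

Only the Tor daemon's own uid may open new connections; every other process,
including its direct DNS, UDP and ICMP, is rejected. Assumed uid: debian-tor.
"""
import subprocess


def tor_enforcement_rules(tor_user="debian-tor", ipv6=True):
    """Return the iptables/ip6tables commands as argv lists; nothing is executed here."""
    rules = [
        # Flush OUTPUT first so re-running the script is idempotent.
        ["iptables", "-F", "OUTPUT"],
        # Loopback stays open: the SOCKS port itself lives there.
        ["iptables", "-A", "OUTPUT", "-o", "lo", "-j", "ACCEPT"],
        # Packets belonging to connections already allowed (opened by Tor).
        ["iptables", "-A", "OUTPUT", "-m", "conntrack",
         "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        # The only uid allowed to open new connections to the outside.
        ["iptables", "-A", "OUTPUT", "-m", "owner", "--uid-owner", tor_user, "-j", "ACCEPT"],
        # REJECT rather than DROP so a leaking application fails fast instead of hanging.
        ["iptables", "-A", "OUTPUT", "-j", "REJECT"],
    ]
    if ipv6:
        # Same policy for IPv6, otherwise a v6-capable app simply bypasses the v4 rules.
        rules += [
            ["ip6tables", "-F", "OUTPUT"],
            ["ip6tables", "-A", "OUTPUT", "-o", "lo", "-j", "ACCEPT"],
            ["ip6tables", "-A", "OUTPUT", "-m", "owner", "--uid-owner", tor_user, "-j", "ACCEPT"],
            ["ip6tables", "-A", "OUTPUT", "-j", "REJECT"],
        ]
    return rules


def leaks_possible(rules):
    """True if, for any table present, the OUTPUT chain does not end in REJECT
    or contains an unconditional ACCEPT (one without lo/owner/conntrack match)."""
    for table in sorted({r[0] for r in rules}):
        chain = [r for r in rules if r[0] == table and r[1] == "-A"]
        if not chain or chain[-1][-1] != "REJECT":
            return True
        for r in chain[:-1]:
            unconditional = "-o" not in r and "--uid-owner" not in r and "--ctstate" not in r
            if r[-1] == "ACCEPT" and unconditional:
                return True
    return False


def apply_rules(rules, dry_run=True):
    """Print the commands, or run them (needs root) when dry_run=False."""
    if leaks_possible(rules):
        raise ValueError("refusing to apply a ruleset that is not default-deny")
    for argv in rules:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    apply_rules(tor_enforcement_rules())
```

Run as-is it only prints the commands; `apply_rules(rules, dry_run=False)` installs them. Applications still need to be pointed at the SOCKS port (the first bullet); the ruleset only turns silent leaks into connection errors you can see in the application.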

Ah, interesting, thank you. As far as point (b) goes, it seems to work pretty well: I can’t recall an occasion where I’ve had traffic blocked. (I suppose in practice not many applications use custom IP-but-not-TCP-or-UDP-based protocols.) So could that same thing not be a solution to e12e’s question?

Tor itself does not support UDP, even if SOCKS might

Good point. Makes it a better fit for SOCKS I suppose. Tor does DNS over TCP - or no DNS?

SOCKS explicitly supports DNS but no other UDP.

One way is to enable a global `LD_PRELOAD=libtsocks.so` (transparent socks) environment variable where you provide an optionally suid (to allow suid binaries to use it if you want) library that overrides `connect`, etc. and forwards them to your socks proxy. Make sure you get IPv4 and IPv6 support if you care. This is not bulletproof by any means. Any application that doesn't use the C library (e.g. Go) will not proxy, but most things will.

There is a shell wrapper `tsocks` that does all that - all you need is to configure the SOCKS server/port in /etc/tsocks.conf and run `tsocks $COMMAND`, and all the TCP connections of `$COMMAND` will be tunneled through the SOCKS proxy.

Combined with ssh's `-D` option, it becomes a powerful ad-hoc VPN tool.
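As an added illustration of what a `tsocks`-style `connect()` shim has to do for every TCP connection, and of the DNS point raised above (the CONNECT request may carry a hostname, so the proxy, Tor for instance, resolves it and the client never does a local lookup): a Python SOCKS5 CONNECT handshake run against a constructed in-process mock proxy over a socketpair. This is example code, not from the thread or from tsocks; the mock proxy and the reply it sends are constructed for the example.

```python
"""SOCKS5 CONNECT handshake (RFC 1928), client side, with a constructed mock proxy."""
import socket
import struct
import threading

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def build_greeting():
    """VER, NMETHODS, METHODS: offer only 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect_request(host, port):
    """Encode CONNECT. Literal IPs go as ATYP 1/4; anything else is sent as a
    domain name (ATYP 3) so the proxy resolves it and no local DNS query leaks."""
    try:
        body = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            body = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            raw = host.encode("idna")
            if len(raw) > 255:
                raise ValueError("hostname too long for SOCKS5")
            body = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed connection during handshake")
        buf += chunk
    return buf


def read_address(sock, atyp):
    """Decode the BND.ADDR / DST.ADDR field that follows an ATYP byte."""
    if atyp == ATYP_IPV4:
        return socket.inet_ntop(socket.AF_INET, recv_exact(sock, 4))
    if atyp == ATYP_IPV6:
        return socket.inet_ntop(socket.AF_INET6, recv_exact(sock, 16))
    if atyp == ATYP_DOMAIN:
        return recv_exact(sock, recv_exact(sock, 1)[0]).decode("idna")
    raise ConnectionError(f"unknown address type {atyp}")


def socks5_connect(sock, host, port):
    """Run the handshake on an already-open socket to the proxy; return BND.ADDR/PORT."""
    sock.sendall(build_greeting())
    ver, method = recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        raise ConnectionError("proxy rejected the no-auth method")
    sock.sendall(build_connect_request(host, port))
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != SOCKS_VERSION:
        raise ConnectionError(f"bad SOCKS version {ver}")
    bnd_addr = read_address(sock, atyp)
    (bnd_port,) = struct.unpack("!H", recv_exact(sock, 2))
    if rep != 0:
        raise ConnectionError(f"CONNECT failed: {REPLY_TEXT.get(rep, rep)}")
    return bnd_addr, bnd_port


def _mock_proxy(sock, seen):
    """Constructed stand-in for a SOCKS5 proxy: records the target, answers success."""
    nmethods = recv_exact(sock, 2)[1]
    recv_exact(sock, nmethods)
    sock.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
    _ver, cmd, _rsv, atyp = recv_exact(sock, 4)
    target = read_address(sock, atyp)
    (port,) = struct.unpack("!H", recv_exact(sock, 2))
    seen.append((cmd, target, port))
    sock.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0))
    sock.close()


def demo(host="example.com", port=443):
    """Client and mock proxy joined by a socketpair, so this runs offline."""
    client, server = socket.socketpair()
    seen = []
    worker = threading.Thread(target=_mock_proxy, args=(server, seen))
    worker.start()
    bnd = socks5_connect(client, host, port)
    worker.join()
    client.close()
    return seen[0], bnd


if __name__ == "__main__":
    print(demo())
```

Against a real proxy, replace the socketpair with `socket.create_connection(("127.0.0.1", 9150))` and keep using the socket for the application protocol after `socks5_connect` returns. A shim that interposes `connect()` does exactly this sequence inside the call, which is why anything not going through libc's `connect` (Go binaries, static binaries, UDP) is missed.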

TIL about tsocks - thank you!

You have to be careful proxying everything through Tor if you care about using Tor to its full effectiveness. Widely known issues with exit nodes aside, applications may naively send through the same circuit: https://www.whonix.org/wiki/Stream_Isolation

Best option is to use software that supports SOCKS. Alternatively you can set up local proxies (e.g. stunnel) or inject SOCKS support into the TCP calls of your app (e.g. ProxyChains)

Tor only supports TCP, so you cannot route all traffic over Tor, you will have to drop a bunch.

The way it's done is described here:

https://unix.stackexchange.com/questions/166692/how-does-a-t...

Apart from Tor I don't know if there's a generic tool packaging this.

Isn't that just NAT through a SOCKS proxy as transport?

Never would have imagined that use case.

> Never would have imagined that use case.

Circumventing censorship and geo-restrictions?

Let me clarify --

I never would have imagined SOCKS being used for this use case. There was no such thing as geo-restrictions or censorship at the time on the internet.

Theoretically with systemd there is a way to create a container to do this. But it's too complex, I could not get it to work.

<NOTIFICATION: Incoming chat from random IT person> Hey so I’ve been meaning to ask you about all this ssh traffic coming from your box. Do you know what that could be?