This is a modified version of original redsocks. The name is changed to REDSOCKS2 to distinguish with original redsocks. REDSOCKS2 contains several new features besides many bug fixes to original redsocks.
- Redirect TCP connections which are blocked via proxy automatically without need of blacklist.
- Redirect UDP based DNS requests via TCP connection.
- Integrated shadowsocks proxy support(IPv4 Only).
- Redirect TCP connections without proxy.
- Redirect TCP connections via specified network interface.
- UDP transparent proxy via shadowsocks proxy.
- Support Ful-cone NAT Traversal when working with shadowsocks or socks5 proxy.
- Integrated HTTPS proxy support(HTTP CONNECT over SSL).
- Support TCP Fast Open on local server side and shadowsocks client side 10.Support port reuse (SO_REUSEPORT)
The following libraries are required.
- libevent2
- OpenSSL or PolarSSL
On general Linux, simply run command below to build with OpenSSL.
$ make
To compile with PolarSSL
$ make USE_CRYPTO_POLARSSL=true
To compile static binaries (with Tomatoware)
$ make ENABLE_STATIC=true
By default, HTTPS proxy support is disabled. To enable this feature, you need to compile like (Require libevent2 compiled with OpenSSL support):
$ make ENABLE_HTTPS_PROXY=true
To compile on newer systems with OpenSSL 1.1.0 and newer (disables shadowsocks support):
$ git apply patches/disable-ss.patch
$ make
Since this variant of redsocks is customized for running with Openwrt, please read documents here (http://wiki.openwrt.org/doc/devel/crosscompile) for how to cross compile.
To build on a MacOS system, you will have to install OpenSSL headers and libevent2 For this, brew is your best friends
$ brew install openssl libevent
Makefile include the folder of openssl headers and lib installed by brew.
To build with PF and run on MacOS, you will need some pf headers that are not included with a standard MacOS installation. You can find them on this repository : https://github.com/opensource-apple/xnu And the Makefile will going find this file for you
Please see 'redsocks.conf.example' for whole picture of configuration file. Below are additional sample configuration sections for different usage. Operations required to iptables are not listed here.
To use the autoproxy feature, please change the redsocks section in configuration file like this:
redsocks {
local_ip = 192.168.1.1;
local_port = 1081;
ip = 192.168.1.1;
port = 9050;
type = socks5; // I use socks5 proxy for GFW'ed IP
autoproxy = 1; // I want autoproxy feature enabled on this section.
// timeout is meaningful when 'autoproxy' is non-zero.
// It specified timeout value when trying to connect to destination
// directly. Default is 10 seconds. When it is set to 0, default
// timeout value will be used.
// NOTE: decreasing the timeout value may lead increase of chance for
// normal IP to be misjudged.
timeout = 13;
//type = http-connect;
//login = username;
//password = passwd;
}
Suppose you have VPN connection setup with interface tun0. You want all all blocked traffic pass through via VPN connection while normal traffic pass through via default internet connection.
redsocks {
local_ip = 192.168.1.1;
local_port = 1080;
interface = tun0; // Outgoing interface for blocked traffic
type = direct;
timeout = 13;
autoproxy = 1;
}
Similar like other redsocks section. The encryption method is specified by field 'login'.
redsocks {
local_ip = 192.168.1.1;
local_port = 1080;
type = shadowsocks;
ip = 192.168.1.1;
port = 8388;
timeout = 13;
autoproxy = 1;
login = "aes-128-cfb"; // field 'login' is reused as encryption
// method of shadowsocks
password = "your password"; // Your shadowsocks password
}
redudp {
local_ip = 127.0.0.1;
local_port = 1053;
ip = your.ss-server.com;
port = 443;
type = shadowsocks;
login = rc4-md5;
password = "ss server password";
dest_ip = 8.8.8.8;
dest_port = 53;
udp_timeout = 3;
}
List of supported encryption methods(Compiled with OpenSSL):
table
rc4
rc4-md5
aes-128-cfb
aes-192-cfb
aes-256-cfb
bf-cfb
camellia-128-cfb
camellia-192-cfb
camellia-256-cfb
cast5-cfb
des-cfb
idea-cfb
rc2-cfb
seed-cfb
List of supported encryption methods(Compiled with PolarSSL):
table
ARC4-128
AES-128-CFB128
AES-192-CFB128
AES-256-CFB128
BLOWFISH-CFB64
CAMELLIA-128-CFB128
CAMELLIA-192-CFB128
CAMELLIA-256-CFB128
To make redsocks2 works with GoAgent proxy, you need to set proxy type as
'http-relay' for HTTP protocol and 'http-connect' for HTTPS protocol
respectively.
Suppose your goagent local proxy is running at the same server as redsocks2,
The configuration for forwarding connections to GoAgent is like below:
redsocks {
local_ip = 192.168.1.1;
local_port = 1081; //HTTP should be redirect to this port.
ip = 192.168.1.1;
port = 8080;
type = http-relay; // Must be 'htt-relay' for HTTP traffic.
autoproxy = 1; // I want autoproxy feature enabled on this section.
// timeout is meaningful when 'autoproxy' is non-zero.
// It specified timeout value when trying to connect to destination
// directly. Default is 10 seconds. When it is set to 0, default
// timeout value will be used.
timeout = 13;
}
redsocks {
local_ip = 192.168.1.1;
local_port = 1082; // HTTPS should be redirect to this port.
ip = 192.168.1.1;
port = 8080;
type = http-connect; // Must be 'htt-connect' for HTTPS traffic.
autoproxy = 1; // I want autoproxy feature enabled on this section.
// timeout is meaningful when 'autoproxy' is non-zero.
// It specified timeout value when trying to connect to destination
// directly. Default is 10 seconds. When it is set to 0, default
// timeout value will be used.
timeout = 13;
}
Sending DNS request via TCP connection is one way to prevent from DNS poisoning. You can redirect all UDP based DNS requests via TCP connection with the following config section.
tcpdns {
// Transform UDP DNS requests into TCP DNS requests.
// You can also redirect connections to external TCP DNS server to
// REDSOCKS transparent proxy via iptables.
local_ip = 192.168.1.1; // Local server to act as DNS server
local_port = 1053; // UDP port to receive UDP DNS requests
tcpdns1 = 8.8.4.4; // DNS server that supports TCP DNS requests
tcpdns2 = 8.8.8.8; // DNS server that supports TCP DNS requests
timeout = 4; // Timeout value for TCP DNS requests
}
Then, you can either redirect all your DNS requests to the local IP:port configured above by iptables, or just change your system default DNS upstream server as the local IP:port configured above.