You are not logged in.

#1 2024-10-12 12:11:06

sgp
Member
Registered: 2023-06-02
Posts: 19

UDP traffic through SOCKS5 proxy

I'm trying to proxy Discord WebRTC traffic through shadowsocks proxy (redsocks at port 9049 -> shadowsocks at port 9050):

$ doas iptables -t nat -N REDSOCKS
$ doas iptables -t nat -A REDSOCKS -p udp -j REDIRECT --to-ports 9049
$ for port in {50000..50010}; do
    doas iptables -t nat -A OUTPUT -p udp --dport $port -j REDSOCKS
  done
$ doas redsocks -c /etc/redsocks.conf
1728734491.493014 notice main.c:167 main(...) redsocks started, conn_max=128
$ sslocal -U -b 127.0.0.1:9050 --server-url "ss://.../?outline=1"
INFO shadowsocks local 1.21.0 build 2024-09-22T18:06:17.170776391+00:00
INFO shadowsocks socks TCP listening on 127.0.0.1:9050
INFO shadowsocks socks5 UDP listening on 127.0.0.1:9050

with wireshark it's seen that UDP traffic indeed gets redirected to a proxy IP:

208	1.711190732	192.168.1.14	xx.xx.xx.xx	UDP	171	57706 → xxxx Len=129
209	1.711200583	192.168.1.14	xx.xx.xx.xx	UDP	171	35816 → xxxx Len=129

however, the Discord logs report the following:

Creating connection to 35.217.46.15:50006 with audio ssrc: 64920
RTC connection state: RTC_CONNECTING => NO_ROUTE
Error occurred while connecting to RTC server: [OnConnectAttemptTimedOut] Connection timed out 3 times.
Disconnected from RTC server, clean: true, code: 1000, reason: Force Close, state: NO_ROUTE

Redsocks configuration:

$ cat /etc/redsocks.conf
base {
	log_debug = off;
	log_info = on;

	log = stderr;
	daemon = off;

	redirector = iptables;
}

redsocks {
	local_ip = 127.0.0.1;
	local_port = 9049;

	ip = 127.0.0.1;
	port = 9050;

	type = socks5;
}

redudp {
	local_ip = 127.0.0.1;
	local_port = 9049;

	ip = 127.0.0.1;
	port = 9050;
}

dnstc {
	local_ip = 127.0.0.1;
	local_port = 5300;
}

dnsu2t {
	local_ip = 127.0.0.1;
	local_port = 5313;

	remote_ip = 8.8.8.8;
	remote_port = 53;
}

Offline

#2 2024-10-12 13:18:43

cryptearth
Member
Registered: 2024-02-03
Posts: 1,029

Re: UDP traffic through SOCKS5 proxy

had to do something similar on my mail server as sendmail doesn't respect the port in a nullclient config
look at the second answer to https://serverfault.com/questions/10047 … k-redirect using firewalld and a policy
as firewalld is just a frontend to iptables/nftables it should be able to write the result yourself without firewalld

Offline

Board footer

Powered by FluxBB