How to Configure Squid as a SOCKS5 Proxy for Bypassing Censorship in Restricted Networks



When dealing with sophisticated censorship systems, standard HTTP proxies often fail because:

  • They don't encrypt traffic by default
  • Censors can detect proxy patterns in HTTP headers
  • Many censors now actively block known proxy server IP ranges

SOCKS5 operates at a lower level than HTTP proxies and offers:


  • TCP/UDP support
  • Optional authentication
  • Better tunneling capabilities
  • Less detectable protocol patterns

While Squid primarily functions as an HTTP proxy, we can make it work with SOCKS5 through these steps:


# Install required packages
apt-get install squid squid-common dante-server

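# /etc/squid/squid.conf: configure Squid to forward to Dante (SOCKS5)
http_port 3128
acl socks_proxy dstdomain .example.com
# always_direct sends matching requests straight to the origin, bypassing any cache_peer
always_direct allow socks_proxy
# cache_peer speaks HTTP to its parent; Dante on port 1080 expects SOCKS5
cache_peer 127.0.0.1 parent 1080 0 no-query proxy-only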

Dante will handle the actual SOCKS5 connections:


# /etc/danted.conf configuration
internal: eth0 port = 1080
external: eth0

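# No authentication at either level: together with the 0.0.0.0/0 rules below,
# any host that can reach port 1080 can relay through this server.
clientmethod: none
socksmethod: none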

user.privileged: proxy
user.notprivileged: nobody

client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect disconnect error
}

socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect disconnect error
}

To encrypt the connection between client and proxy, wrap it in TLS with stunnel:


# stunnel configuration
[squid]
accept = 443
connect = 127.0.0.1:3128
cert = /etc/stunnel/stunnel.pem

For various client applications:


# Firefox about:config
network.proxy.type = 1
network.proxy.socks = "your.server.ip"
network.proxy.socks_port = 443
network.proxy.socks_remote_dns = true

When dealing with deep packet inspection:

  • Use domain fronting if available
  • Implement custom protocol wrapping
  • Rotate IP addresses frequently

# Check listening sockets for Squid and Dante
ss -tulnp | grep 'squid\|danted'

# Log monitoring command
tail -f /var/log/squid/access.log | grep -v TCP_DENIED

When dealing with sophisticated internet censorship systems that actively block VPN and SSH tunnels, SOCKS5 proxies often become the last viable option. Unlike HTTP proxies, SOCKS5 operates at a lower level and can handle any type of traffic (TCP/UDP), making it harder for deep packet inspection systems to detect and block.

While Squid is an excellent caching HTTP proxy, it doesn't natively support the SOCKS5 protocol. We'll need to implement a solution that:

  • Acts as a SOCKS5 server
  • Tunnels traffic through Squid
  • Provides an encryption layer

We'll use dante-server as our SOCKS5 frontend and Squid as the backend proxy:

Client → (SOCKS5) → Dante → (HTTP) → Squid → Internet

1. Install Required Packages

sudo apt-get update
sudo apt-get install squid dante-server

2. Configure Squid for Forwarding

Edit /etc/squid/squid.conf:

http_port 3128
acl localnet src 127.0.0.1
http_access allow localnet
forwarded_for delete
via off

3. Configure Dante SOCKS5 Server

Create /etc/danted.conf:

logoutput: /var/log/danted.log
internal: eth0 port = 1080
external: eth0
method: username
user.privileged: proxy
user.notprivileged: nobody
client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect disconnect
}
pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: bind connect udpassociate
    log: connect disconnect error
    method: none
}

4. Add Authentication (Optional)

For username/password authentication:

# htpasswd is shipped in the apache2-utils package
sudo apt-get install libpam-pwdfile apache2-utils
sudo mkdir -p /etc/danted
sudo htpasswd -c /etc/danted/passwd username1

Then modify /etc/danted.conf:

method: pam
pam.service: dante

Create /etc/pam.d/dante:

auth required pam_pwdfile.so pwdfile /etc/danted/passwd
account required pam_permit.so

Verify SOCKS5 connectivity using cURL:

curl --socks5-hostname 127.0.0.1:1080 https://www.google.com

For authenticated connections:

curl --socks5-hostname username:password@127.0.0.1:1080 https://www.google.com
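
The method and rule lines in danted.conf decide who may relay through the server, so they are worth checking before the daemon listens on eth0. The Python audit below is an added example, not part of the original page or of Dante: it flags SOCKS-level pass rules that accept any source with method none, and rules whose method is missing from the global line (as in the step 3 file). The function name, finding labels and condensed sample configs are constructed for illustration.

```python
import re

# Constructed input: method and rule lines condensed from the two danted.conf
# files on this page (interface, user and log lines omitted).
NEW_SYNTAX = """\
clientmethod: none
socksmethod: none
socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
}
"""
OLD_SYNTAX = """\
method: username
pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    method: none
}
"""

RULE = re.compile(r"^[ \t]*((?:client|socks)[ \t]+)?(pass|block)[ \t]*\{(.*?)\}", re.S | re.M)
METHOD = re.compile(r"^[ \t]*(?:socksmethod|method)[ \t]*:[ \t]*(.+)$", re.M)
ANY_SOURCE = {"0.0.0.0/0", "0/0"}

def audit(conf):
    """Return (finding, source, methods) tuples for SOCKS-level pass rules."""
    conf = re.sub(r"#.*", "", conf)                  # drop comments
    glob = METHOD.search(RULE.sub("", conf))         # global line, outside any rule
    offered = glob.group(1).split() if glob else []
    findings = []
    for prefix, verdict, body in RULE.findall(conf):
        # 'client pass' rules only gate the TCP connection; SOCKS requests are
        # authorised by 'socks pass' (written as plain 'pass' in the older syntax).
        if verdict != "pass" or prefix.strip() == "client":
            continue
        own = METHOD.search(body)
        methods = own.group(1).split() if own else offered
        src = re.search(r"from:[ \t]*(\S+)", body)
        source = src.group(1) if src else "unknown"
        stray = [m for m in methods if m not in offered]
        if stray:                                    # rule and global line disagree
            findings.append(("method-mismatch", source, stray))
        elif source in ANY_SOURCE and "none" in methods:
            findings.append(("open-relay", source, methods))
    return findings

if __name__ == "__main__":
    for name, conf in (("new syntax", NEW_SYNTAX), ("old syntax", OLD_SYNTAX)):
        print(name, audit(conf))
```

An empty result means no pass rule combines an unrestricted source with method none; restricting `from:` to known client ranges or requiring an authenticated method clears the open-relay finding.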

To encrypt traffic between client and proxy:

sudo apt-get install stunnel4

Create /etc/stunnel/stunnel.conf:

[socks5]
accept = 8443
connect = 127.0.0.1:1080
cert = /etc/stunnel/stunnel.pem

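Generate a self-signed certificate and restrict access to the file, which also holds the private key:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/stunnel/stunnel.pem -out /etc/stunnel/stunnel.pem
sudo chmod 600 /etc/stunnel/stunnel.pem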

For Firefox:

1. Go to Preferences → Network Settings
2. Select "Manual proxy configuration"
3. SOCKS Host: your.server.ip
4. Port: 1080 (or 8443 for encrypted)
5. SOCKS v5
6. Check "Proxy DNS when using SOCKS v5"

Check logs for connection attempts:

tail -f /var/log/danted.log

To rotate logs:

sudo logrotate -f /etc/logrotate.d/dante