Apache-2.0 licensed by Jinjing Wang
Maintained by Jinjing Wang
This version can be pinned in stack with:moesocks-1.0.0.41@sha256:40d79b51f60de1bd306387f010634847925d733d09dae2347ffd3de2a035da20,2806

Module documentation for 1.0.0.41

There are no documented modules for this package.

MoeSocks

A SOCKS5 proxy using the client / server architecture.

MoeSocks is compatible with ss at the protocal and most of the configuration level.

Installation

From binary

Install Nix

curl https://nixos.org/nix/install | sh 

Install moesocks

nix-env -i -A nixpkgs.haskellPackages.moesocks

Run

moesocks 

From source

Install GHC and cabal-install

Download moesocks

git clone https://github.com/nfjinjing/moesocks

Sandbox!

cd moesocks
cabal sandbox init

Install

cabal install

Run

.cabal-sandbox/bin/moesocks

Usage

  • Start a remote node outside a firewall:

      moesocks -r remote -k birthday!
    
  • Start a local node inside a firewall:

      moesocks -s $REMOTE_IP -k birthday!
    
  • Now you have a SOCKS5 proxy running inside a firewall on port 1080.

  • See more options:

      moesocks --help
    
  • Not tested in OSX, but it should just work.

System wide proxy for NixOS

  • Add moesocks.nix and moesocks-bento.nix to /etc/nixos

  • Modify the following and add it to configuration.nix:

      imports = [ ./moesocks-bento.nix ];
    
      networking.moesocks-bento =
        {
          enable = true;
          remote = "my-server";
          remotePort = 8388;
          password = "birthday!";
        };
    

Features

  • SOCKS5 proxy service
  • TCP port forwarding
  • UDP port forwarding, for example to tunnel DNS request: -U 5300:8.8.8.8:53
  • SOCKS5 service on local can be turned off
  • Understand ss’ configuration file

Know issues

  • UDP over SOCKS5 is not implemented.
  • TCP bind over SOCKS5 is not implemented
  • More then 2 times slower then the original Python implementation (measured at 20M/s vs 43M/s on an Intel P8800, using the AES-256-CFB method, in software AES).
  • Currently only works on Unix.

TCP Fast Open (TFO)

Benefit of using TFO

TFO can bypass the TCP three-way handshake in successive connections, thus reducing latency.

Enable TFO in your OS runtime.

On Linux 3.7+, to check the availability of TFO:

cat /proc/sys/net/ipv4/tcp_fastopen

On Linux 3.7+, to enable TFO (as root):

echo 3 > /proc/sys/net/ipv4/tcp_fastopen

Enable TFO in MoeSocks

TFO can be turned on by adding a "fastOpen":true field in config.json or adding a --fast-open argument in the command line.

Verify

Use tcpdump on the remotePort, check for that SYN should start to carry payload. An example command is:

tcpdump port 8388 -i any -X -v

Credits

  • ss greatly inspired MoeSocks.
  • ss-haskell another implementation of ss in Haskell, also greatly inspired MoeSocks. Much of the understanding of the internal of ss was gained by reading ss-haskell.

License

Copyright 2015 Jinjing Wang

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Changes

1.0.0.41

  • Update README for GHC 7.10.3
  • Add instructions to configure system wide proxy for NixOS

1.0.0.40

  • Fix UDP packet size
  • Clean up repository

1.0.0.30

  • Add a deny-list option to specify an access control list file for blocking a large list of IPs.

1.0.0.20

  • Fix: respect disable-socks5

1.0.0.10

  • Add forbidden_IPs field in config.json
  • Use Reserved IP addresses as the default value for forbidden_IPs
  • Add show-default-config to options

1.0.0.1

  • Default to no buffer, rely on buffer in the kernel. Add force Explicit Congestion Notification in Readme.

1.0.0.0

  • Tag a stable release, clean up types

0.1.2.30

  • Refactor internal to make a runtime independent of Config and Options

0.1.2.20

  • Fix IPv6, finally tested on a real IPv6 network..

0.1.2.10

  • Fix not parsing snake case in config, a bug introduced in 0.1.2.0

0.1.2.0

  • Add OSX compatibility, still some unfixed bugs on OSX.
  • Fix a bug that breaks UDP forwarding in local

0.1.1.32

  • Add a runtime type

0.1.1.31

  • Fix hardcoded encryption method

0.1.1.30

  • Add more encryption methods from OpenSSL
  • Add a --list-methods flag to show all supported encryption methods

0.1.1.20

  • Implement TFO in remote.

0.1.1.10

  • Add TCP Fast Open (TFO) capability.

0.1.1.0

  • Use TCP_NOTSENT_LOWAT option to reduce latency

0.1.0.27

  • Make local respect forbidden-ip as well, this reduce unnecessary connections to the remote.
  • Clean up logging.

0.1.0.26

  • Enable CIDR format in forbidden-ip.

0.1.0.25

  • Add forbidden-ip option, which defaults to 127.0.0.1, to prevent misuse of remote. This is again a feature ported from ss.

0.1.0.24

  • Make obfuscation flush upper bound configurable in config.json.
  • Fix an IPv6 name resolution bug in remote.

0.1.0.23

  • Fix a bug to prevent a half closed connection to hold a file handle.

0.1.0.22

  • Add the -o flag to turn on simple obfuscation (randomly flush socket to vary packet length). There is about a 10-20% performance cost.

0.1.0.21

  • Add in README that GHC 7.10.2 is a must!

0.1.0.20

  • Rewrite Encrypt module, cache password hash.

0.1.0.19

  • Fix a memory leak.

0.1.0.18

  • Add complete command line arguments.

0.1.0.17

  • Add --disable-socks5 flag to switch off the SOCKS5 service on local.

0.1.0.16

  • Add compatibility with ss for UDP port forwarding.

0.1.0.15

  • Add UDP port forwarding.

0.1.0.14

  • Add IPv6 support.