moesocks
A functional firewall killer
https://github.com/nfjinjing/moesocks
Version on this page: | 1.0.0.20 |
LTS Haskell 12.26: | 1.0.1.0 |
Stackage Nightly 2018-09-28: | 1.0.0.44 |
Latest on Hackage: | 1.0.1.0 |
moesocks-1.0.0.20@sha256:64625052bc3a79d9586303a0d350954e34cb601d277a1d62cbcb5fefbe28dc91,2737
Module documentation for 1.0.0.20
There are no documented modules for this package.
MoeSocks
A SOCKS5 proxy using the client / server architecture.
MoeSocks is greatly inspired by ss and can be used in place of it.
Installation
- Need
GHC 7.10.2
on Unix.
Usage
-
Download a sample config.json to your current path
-
Edit
config.json
to fit your setup (at least theremoteHost
andpassword
fields) -
Start a remote node outside a firewall:
moesocks --role remote -c config.json
-
Start a local node inside a firewall:
moesocks --role local -c config.json
-
Now you have a SOCKS5 proxy running inside a firewall using port
localPort
. -
SS compatible obfuscation can be turned on with the
-o
flag to make statistical analysis on packet length a bit more confusing. -
See more options:
moesocks --help
-
You might want to run
moesocks
under some kind of a supervising daemon to auto restart the program if it crashes, likely due to #10590, the fix of which was not included in the7.10.2
release. -
On
OSX
, If you only runmoesocks -r local
, then it should work. Occasional manual restart should be expected.fastOpen
field should befalse
for now.
Features
- SOCKS5 proxy service, obviously
- TCP port forwarding
- UDP port forwarding, for example
-U 5300:8.8.8.8:53
- TCP per connection throttling (as a side effect of trying to find a bug in the remote)
- SOCKS5 service on local can be turned off
- Understand ss’ configuration file
Drawbacks
- UDP over SOCKS5 is not implemented.
- TCP bind over SOCKS5 is not implemented
- More then 2 times slower then the original Python implementation (measured at 20M/s vs 43M/s on an Intel P8800, using the AES-256-CFB method, in software AES).
- Currently only works on Unix.
TCP Fast Open (TFO)
TFO means faster response in this case
Both local and remote will use TFO when instructed. If the browser in use and the website to visit both support TFO, you can enjoy TFO all the way through. This could lead to a huge reduction of latency.
Enable TFO in your OS runtime.
On Linux 3.7+, to check the availability of TFO:
cat /proc/sys/net/ipv4/tcp_fastopen
On Linux 3.7+, to enable TFO (as root):
echo 3 > /proc/sys/net/ipv4/tcp_fastopen
Enable TFO in MoeSocks
TFO can be turned on by adding a "fastOpen":true
field in config.json
or
specifying a --fast-open
flag in the command line arguments.
Verify
Use tcpdump
on the remotePort
, check for that SYN
should start to carry
payload. An example command is:
tcpdump port 8388 -i any -X -v
Explicit Congestion Notification (ECN)
No buffer by default
After version v1.0.0.0, moesocks will default to no buffer at the application level. Smart buffer is expected from the kernel.
In app buffer can still be tuned on by setting “tcpBufferSize” in
config.json
a value greater then 1.
Force ECN
On Linux 2.4.20+ (as root)
echo 1 > /proc/sys/net/ipv4/tcp_ecn
ECN is recommended only on remote
.
Credits
- ss greatly inspired MoeSocks.
- ss-haskell another implementation of ss in Haskell, also greatly inspired MoeSocks. Much of the understanding of the internal of ss was gained by reading ss-haskell.
License
Copyright 2015 Jinjing Wang
Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Changes
1.0.0.20
- Fix respect ‘–disable-socks5’
1.0.0.10
- Add
forbidden_IPs
field inconfig.json
- Use
Reserved IP addresses
as the default value for
forbidden_IPs
- Add
show-default-config
to options
1.0.0.1
- Default to no buffer, rely on buffer in the kernel. Add force Explicit Congestion Notification in Readme.
1.0.0.0
- Tag a stable release, clean up types
0.1.2.30
- Refactor internal to make a runtime independent of Config and Options
0.1.2.20
- Fix IPv6, finally tested on a real IPv6 network..
0.1.2.10
- Fix not parsing snake case in config, a bug introduced in 0.1.2.0
0.1.2.0
- Add OSX compatibility, still some unfixed bugs on OSX.
- Fix a bug that breaks UDP forwarding in local
0.1.1.32
- Add a runtime type
0.1.1.31
- Fix hardcoded encryption method
0.1.1.30
- Add more encryption methods from OpenSSL
- Add a
--list-methods
flag to show all supported encryption methods
0.1.1.20
- Implement TFO in remote.
0.1.1.10
- Add TCP Fast Open (TFO) capability.
0.1.1.0
- Use TCP_NOTSENT_LOWAT option to reduce latency
0.1.0.27
- Make local respect
forbidden-ip
as well, this reduce unnecessary connections to the remote. - Clean up logging.
0.1.0.26
- Enable CIDR format in
forbidden-ip
.
0.1.0.25
- Add
forbidden-ip
option, which defaults to127.0.0.1
, to prevent misuse of remote. This is again a feature ported from ss.
0.1.0.24
- Make obfuscation flush upper bound configurable in
config.json
. - Fix an IPv6 name resolution bug in remote.
0.1.0.23
- Fix a bug to prevent a half closed connection to hold a file handle.
0.1.0.22
- Add the
-o
flag to turn on simple obfuscation (randomly flush socket to vary packet length). There is about a 10-20% performance cost.
0.1.0.21
- Add in README that
GHC 7.10.2
is a must!
0.1.0.20
- Rewrite Encrypt module, cache password hash.
0.1.0.19
- Fix a memory leak.
0.1.0.18
- Add complete command line arguments.
0.1.0.17
- Add
--disable-socks5
flag to switch off the SOCKS5 service on local.
0.1.0.16
- Add compatibility with ss for UDP port forwarding.
0.1.0.15
- Add UDP port forwarding.
0.1.0.14
- Add IPv6 support.