Pfsense Socks
Installing a SOCKS server on pfSense 2.4+ | Daniel Garajau
Written on January 06, 2019
Recently I needed to set up a SOCKS server on my LAN so that Firefox could browse through a proxy that sits locally, on the router.
IMHO, this should be built into pfSense, or at least be easy to set up from the GUI. Instead it takes a number of manual steps, which we are going to cover now.
Installing packages
To set up this server we need to install new packages, because nothing built into pfSense provides a SOCKS proxy.
Dante is a free SOCKS server, and it is what we will use here. Binary packages exist in the FreeBSD repository, but unfortunately pfSense has not used the FreeBSD pkg repositories since 2.3. We could enable them anyway, but many package dependencies would then conflict with the ones in the pfSense repos, so stay away from that.
There has been some discussion around this subject, but long story short, the safest way to get a package from the FreeBSD repository is to fetch that one package directly by its URL:
$ pkg add
and then check for updates yourself, which is not something you would expect to do when using a package manager.
Accessing pfSense SSH
Before you can proceed, make sure you have SSH access to your pfSense box. Enable the SSH daemon under System > Advanced > Admin Access, and paste your public key into your user's Authorized SSH Keys in System > User Manager rather than relying on a password. When connecting, remember that the username is the same one you use to log into the GUI.
Install Dante
Dante can be installed by issuing the following commands; the two pkg add lines fetch Dante and MiniUPnP, the only two packages that have to come from the FreeBSD repository:
# pkg install cyrus-sasl
# pkg add
# pkg add
Luckily, the remaining dependency (cyrus-sasl) is available in the pfSense repos, so we do not need to install it from FreeBSD (one less package to care about when upgrading).
Configuring
Now you need to configure the service. In my case it only had to listen on the right interface (bridge0) and send traffic out through the existing links (pppoe0 and pppoe1). I also did not want authentication. That is acceptable here because the proxy serves only LAN clients who already have unrestricted outbound access, but note what it relies on: the internal address stays on the LAN side, and no firewall rule ever exposes port 5000 on a WAN interface. Anyone who can reach that port can use the proxy as if they were on your LAN.
With those requirements in mind, here is the content to put into your /usr/local/etc/ (remember to edit it as root):
# Logging
logoutput: /var/log/
# User
user.unprivileged: nobody
# Bind ports
internal: bridge0 port = 5000
external: pppoe0
external: pppoe1
# pick the external interface from the routing table
external.rotation: route
# Auth
clientmethod: none
socksmethod: none
client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: error
    clientmethod: none
}
# generic pass statement - bind/outgoing traffic
socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: bind connect udpassociate bindreply udpreply
    log: error
}
That is enough; now you can start the service:
# /usr/local/etc/rc.d/sockd onestart
Afterwards, confirm with sockstat that sockd is listening only on the bridge0 address and on nothing WAN-facing.
Enabling the service on startup
You will want this running again after the box restarts, which means adding it to the pfSense configuration file. Edit /cf/conf/ and look for the section where it is closing the tag, then add the following snippet:
That should do it. pfSense keeps a parsed copy of its configuration in /tmp/config.cache; remove that file after editing by hand so the change is actually picked up.
Maintenance routine
Well, because we are somewhat off the grid here, some manual work is needed. We just installed two packages that do not come from the pfSense repository, so pfSense's own update mechanism knows nothing about them. Every time they need updating we have to do it by hand, and after a pfSense upgrade that changes the FreeBSD base they may need to be reinstalled. Take care of it: you do not want router software with known vulnerabilities on your network.
Take a look at the Dante and MiniUPnP websites every now and then to see when there are new releases, and keep an eye on the CVE boards and security advisories as well.
Links
Dante Docs 1.4.x
FreeBSD 11 Package Repository
Installing Dante on pfSense
Install FreeBSD Packages on pfSense
Enable SOCKS Proxy on pfSense
Socks5 Proxy | Netgate Forum
Hi,
Does anyone know of a way to get PFSENSE to act as a socks5 proxy? I have squid installed for but I have some need for socks5 as well. I don’t see any packages available at this point.
Any ideas?
Tks,
Dave
I know of a way to set up a SOCKS 5 proxy using SSH, for the purpose of connecting one computer or network to another network, kind of like a poor man's VPN. It really depends on what you need the proxy to be used for. If you are trying to create a proxy filter (i.e., with SquidGuard or DansGuardian), this method won't work, AFAIK.
If you are curious about the "poor man's VPN" of which I spoke, google "SSH tunnel". There is a command-line switch that causes the router to accept connections from network-connected machines, rather than just local (loopback) connections, if desired. I don't recall what that particular switch is.
Yes, a dynamic proxy can be used to access IPs behind the pfSense as well as the web; however, simply using a VPN on pfSense is better if that's an option.
What I'm trying to do is direct some traffic from users, to force it over a certain connection. I have multiple connections, one of which has a pfSense box with an OpenVPN tunnel. What I'd like is the ability to set the SOCKS proxy in the software to point to the pfSense box while allowing normal surfing out the main connection. Right now the only way I can do this is to set specific users to default out the pfSense box, which is proving to cause some other problems. The pfSense connection is faster, but the routing is not as good, thus the wish to split.
I don’t think the SSH idea will work in this case.
I’m surprised that there isn’t another solution. squid works perfectly for, but nothing that I can find works for SOCKS.
Openvpn can easily handle that. But then again, so can SSH/Dynamic proxy.
I’d still use vpn though.
This is close to what I am trying to achieve. The main goal is that the same client computer could send traffic out to the WAN and out over the pfSense's OpenVPN client connection, if it's a program that is set to use a SOCKS proxy, at the same time. I don't want to route all of a client computer's traffic via the VPN, just select programs.
i.e. everything on a client computer uses the direct WAN connection except Firefox, which has been configured to use a SOCKS proxy pointing to the pfSense, and then the pfSense SOCKS server would proxy it out over the OpenVPN client connection on the pfSense.
My difference is that my pfSense is also the WAN gateway, so I need to not send any traffic out over the OpenVPN client connection except for SOCKS client traffic. So the SOCKS server would bind to LAN net and proxy traffic out over the VPN client connection. I'm not clear how I would do the routing for what I just described, perhaps not possible. But also unfortunately not seeing a way to run a SOCKS server on pfSense.
I was looking to do the same thing, socks5 server running on pfsense and tunneling all traffic over a vpn connection.
The solution is to install the “dante” package from freebsd (look for the instructions on how to install freebsd package on pfsense)
@aln said in Socks5 Proxy:
Any details on how to proceed after that? Installing it wasn’t a problem, but the howto’s I found for getting it up and running use different filenames and paths for everything. None seem to match with the FreeBSD package.
Edit: I think I’ve got it working:)
Any pointers on how to get dante working then as I’m also looking to do this, I’ve got it installed but can’t work out how to configure and get it running?
@billiam said in Socks5 Proxy:
This is what you need to set (unless I forgot something besides this file):
/usr/local/etc/ (adjust internal and external address/interface and “client pass”, external is here the VPN interface)
#logging
logoutput: /var/log/
#debug: 1
#server address specification
internal: 10.0.0.1 port = 1080
external: ovpnc1
#server identities (not needed on solaris)
user.privileged: root
user.notprivileged: socks
user.libwrap: libwrap
#reverse dns lookup
#srchost: nodnsmismatch
#authentication methods
clientmethod: none
method: none
##
## SOCKS client access rules
#rule processing stops at the first match, no match results in blocking
#block access to socks server from 192.0.2.22 (exception for pass rule below)
#client block {
#    #block connections from 192.0.2.22/32
#    from: 192.0.2.22/32 to: 0.0.0.0/0
#    log: error # connect disconnect
#}
#allow connections from local network (192.0.2.0/24)
client pass {
    from: 10.0.0.0/24 to: 0.0.0.0/0
    log: error # connect disconnect
}
## SOCKS command rules
#block communication with
#block {
#    from: 0.0.0.0/0 to:
#    command: bind connect udpassociate
#    log: error # connect disconnect iooperation
#}
#generic pass statement - bind/outgoing traffic
pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: bind connect udpassociate
    log: error # connect disconnect iooperation
}
#block incoming connections/packets from
#block {
#    from: 0.0.0.0/0 to:
#    command: bindreply udpreply
#}
#generic pass statement for incoming connections/packets
pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    command: bindreply udpreply
    log: error # connect disconnect iooperation
}
Then start dante using /usr/local/etc/rc.d/sockd onestart; no clue as of yet how to start it automatically at boot, since /etc/ isn't the way to go in pfSense apparently.
Thanks for the pointers, with a few tweaks I’ve got it running as needed. Some were just because the commands shown in your config displayed warnings as deprecated when run. I also added a user to the system for the service to run as “socks” instead of root
#logoutput: stderr syslog stdout /var/log/
# accept connections going to this address.
internal: 192. 168. 1 port = 1080
# external IP to use 195. 1. 1
external: 192. 2
#server identities
user.unprivileged: socks
# methods for socks-rules.
socksmethod: none
# methods for client-rules.
clientmethod: none
#permit clients inbound to the proxy
client pass {
    log: error #connect disconnect
}
socks pass {
    log: error #connect disconnect iooperation
}
Finally I’ve added the line:
to the pfSense just before the line which auto starts the service when the box is rebooted.
Thanks again for your pointers.
You’re welcome. I found that config somewhere when looking for examples, don’t remember where I found it but might have been an old one. Didn’t see any warnings though, although once it worked I didn’t check the logs.
Thanks for the tip!
Transparently proxying HTTP to a SOCKS server that is …
I’m trying to transparently proxy HTTP requests in a LAN that is served by a pfSense router over SSH.
So far, I've tried setting up an Ubuntu box outside that network and forwarding everything going outward that's HTTP to redsocks on the outside Ubuntu box, which then points to a SOCKS server provided by an SSH connection to a box that's also outside the network. This does not work and I am not sure why. Connecting to the SOCKS server directly from an internal machine works, but I need the traffic transparently forwarded.
Rough diagram of how I am thinking it is setup.
Client -> Router(pfSense) -> RedSOCKS -> SSH SOCKS -> Outside Internet
Help would be much appreciated.
As for searches I’ve done:
I'm kinda doing what this guy wants to do. I don't want to resort to his solution of installing a proximity on every client computer, as that would be an extraordinarily massive hassle/compatibility issue for me.
asked Nov 6 ’11 at 5:56
I think I nailed this. I added another interface to pfSense and another to the Ubuntu box, with the Ubuntu box as a gateway in pfSense on that interface. I had the rules set so that anything going out on port 80 from a certain host uses the gateway that was the Ubuntu box on that point-to-point LAN. On the Ubuntu box, I had the PREROUTING table there point to the redsocks instance on the Ubuntu box. From there on, it's a matter of doing the SSH SOCKS thing. Thanks for the help.
For pfSense, I looked at policy based routing.
This was the most helpful thing for me regarding iptables:
answered Nov 11 ’11 at 4:54
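Every hop in the diagram above that speaks SOCKS (Firefox or redsocks as the client, Dante or an ssh -D listener as the server) runs the same RFC 1928 exchange, and it is also what the forum thread's socksmethod: none setting governs: the client offers authentication methods, the server picks one (or answers 0xFF to refuse), then the client sends CONNECT with the destination and the server replies with a result code and the address it bound. The code below is an added example for this page, not code from Dante, redsocks, OpenSSH or any of the posters. It encodes and decodes both directions in memory with no sockets; the server side stands in for a proxy configured with socksmethod: none, and the bound address it reports is an assumed placeholder.

```python
"""SOCKS5 (RFC 1928) method negotiation and CONNECT, both sides, in memory.
Added example, not code from the page, Dante, redsocks or OpenSSH. The server side
is a pure function standing in for a proxy with "socksmethod: none"; the bound
address it reports is an assumed placeholder."""
import ipaddress
import struct

VER = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_CMD_NOT_SUPPORTED = 0x00, 0x07


def build_greeting(methods):
    """Client -> server: VER | NMETHODS | METHODS..."""
    return bytes([VER, len(methods), *methods])


def select_method(greeting, server_methods=(METHOD_NO_AUTH,)):
    """Server -> client: VER | METHOD. First offered method the server allows, else 0xFF
    (a client insisting on username/password against a 'none'-only server must close)."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    for m in greeting[2:]:
        if m in server_methods:
            return bytes([VER, m])
    return bytes([VER, METHOD_NONE_ACCEPTABLE])


def encode_address(host, port):
    """ATYP | ADDR | PORT. Hostnames go unresolved (ATYP 3): the proxy does the DNS lookup."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return addr + struct.pack("!H", port)


def decode_address(buf, offset):
    """Inverse of encode_address: returns (host, port, offset_after)."""
    atyp, offset = buf[offset], offset + 1
    if atyp == ATYP_IPV4:
        host, offset = str(ipaddress.IPv4Address(buf[offset:offset + 4])), offset + 4
    elif atyp == ATYP_IPV6:
        host, offset = str(ipaddress.IPv6Address(buf[offset:offset + 16])), offset + 16
    elif atyp == ATYP_DOMAIN:
        n = buf[offset]
        host, offset = buf[offset + 1:offset + 1 + n].decode("idna"), offset + 1 + n
    else:
        raise ValueError("unknown ATYP 0x%02x" % atyp)
    (port,) = struct.unpack("!H", buf[offset:offset + 2])
    return host, port, offset + 2


def build_connect_request(host, port):
    """Client -> server: VER | CMD=CONNECT | RSV | ATYP | DST.ADDR | DST.PORT."""
    return bytes([VER, CMD_CONNECT, 0x00]) + encode_address(host, port)


def handle_request(request, bound=("192.0.2.1", 40000)):
    """Server side. A real proxy would now connect out via its 'external' interface; here we
    validate and answer VER | REP | RSV | ATYP | BND.ADDR | BND.PORT. Returns
    (reply, (dst_host, dst_port)). 'bound' is an assumed placeholder, not a real binding."""
    if len(request) < 4 or request[0] != VER or request[2] != 0x00:
        raise ValueError("malformed request")
    dst_host, dst_port, end = decode_address(request, 3)
    if end != len(request):
        raise ValueError("trailing bytes after request")
    rep = REP_SUCCESS if request[1] == CMD_CONNECT else REP_CMD_NOT_SUPPORTED
    return bytes([VER, rep, 0x00]) + encode_address(*bound), (dst_host, dst_port)


def parse_reply(reply):
    """Client side: returns (REP, bound_host, bound_port)."""
    if len(reply) < 4 or reply[0] != VER or reply[2] != 0x00:
        raise ValueError("malformed reply")
    host, port, _ = decode_address(reply, 3)
    return reply[1], host, port


def connect_exchange(dst_host, dst_port, client_methods=(METHOD_NO_AUTH,)):
    """Whole handshake in memory; returns what each side saw. 'rep' is None when
    method negotiation failed and the client had to close before sending a destination."""
    chosen = select_method(build_greeting(list(client_methods)))
    if chosen[1] == METHOD_NONE_ACCEPTABLE:
        return {"method": None, "rep": None, "server_saw": None, "bound": None}
    request = build_connect_request(dst_host, dst_port)
    reply, server_saw = handle_request(request)
    rep, bnd_host, bnd_port = parse_reply(reply)
    return {"method": chosen[1], "rep": rep, "server_saw": server_saw, "bound": (bnd_host, bnd_port)}
```

Two things the bytes make visible. A client that offers only username/password gets 0x05 0xFF from a none-only server and must close, so a mismatched proxy setting fails before any destination is ever sent. And a hostname travels unresolved (ATYP 0x03), so with Firefox's "Proxy DNS when using SOCKS v5" the lookup happens on the pfSense side, which is what you want when the external interface is a VPN; redsocks, by contrast, only ever sees the intercepted connection's IP destination and sends ATYP 0x01.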