(Fabio Alessandro Locati|Fale)'s blog

Use Dante to proxy web traffic

March 31, 2024

A while ago, I posted about using SSH to proxy traffic within a Nebula network context. In the last few months, I changed my implementation because SSH required some steps and accesses that I was not fully happy with.

In the previous iteration, I was using SSH as a SOCKS proxy. The problem, though, is that I need to set up the connection every time and use my SSH credentials, so it becomes difficult to have it always on. Achieving the same result without SSH requires different SOCKS proxy software.

SOCKS proxies are not particularly complex pieces of software; many of them were written many years ago and have since become unmaintained. Using an unmaintained SOCKS proxy is not as bad as it sounds. Serious vulnerabilities are rare in highly tested codebases, and even if one were present, it would be very hard to exploit since it would only be accessible from the VPN. However, I still prefer actively maintained software, so I had to look a little harder to find one. A characteristic I was looking for in my selection was the reduced footprint of the service.

I ended up opting for Dante. Dante is a mature SOCKS proxy, with the first release in 1998. It is also actively developed: the latest stable version was released in 2021, and they are working on the next release as well.

The first step is installing Dante on the machine you want to use as a proxy. There are multiple ways of doing this, but the easiest one on a Fedora machine is using the already packaged version in Fedora:

sudo dnf install dante-server

We can now move to the configuration. Personally, I use an open-proxy configuration since it is only reachable from within my VPN, which already provides a level of security I’m confident in. To have a similar configuration, you can modify the file /etc/sockd.conf as follows:

logoutput: stdout
errorlog: stderr

internal: 0.0.0.0 port = 3128
external: eth0

clientmethod: none
socksmethod: none

client pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: error connect disconnect
}
socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: error connect disconnect
}
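
The configuration above leaves all access control to the network the proxy sits on. The following Python check is an added example, not part of the original post or of Dante: it lists the settings in a sockd.conf that do so. The function name `audit` and the VPN subnet 192.168.100.0/24 are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed input: the open-proxy /etc/sockd.conf from this post.
OPEN_CONF = """\
logoutput: stdout
errorlog: stderr
internal: 0.0.0.0 port = 3128
external: eth0
clientmethod: none
socksmethod: none
client pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: error connect disconnect
}
socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: error connect disconnect
}
"""

# Captures the rule layer and the source given in its "from:" clause.
RULE = re.compile(r"^(client|socks)\s+pass\s*\{[^}]*?from:\s*(\S+)", re.M)


def audit(conf, vpn_cidr):
    """List the settings that leave access control to the network alone."""
    vpn = ipaddress.ip_network(vpn_cidr)
    text = re.sub(r"#.*", "", conf)  # strip comments
    findings = []
    for addr in re.findall(r"^internal:\s*(\S+)", text, re.M):
        if addr in ("0.0.0.0", "::"):
            findings.append(f"internal: {addr} listens on every interface")
    for key, val in re.findall(r"^(clientmethod|socksmethod):\s*(.+)$", text, re.M):
        if "none" in re.split(r"[\s,]+", val.strip()):
            findings.append(f"{key}: none accepts unauthenticated clients")
    for layer, src in RULE.findall(text):
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:  # hostname or interface name: cannot be judged here
            findings.append(f"{layer} pass: check source {src} by hand")
            continue
        if net.version != vpn.version or not net.subnet_of(vpn):
            findings.append(f"{layer} pass: source {net} is wider than {vpn}")
    return findings


if __name__ == "__main__":
    for finding in audit(OPEN_CONF, "192.168.100.0/24"):  # assumed VPN subnet
        print("-", finding)
```

On a host that also has a non-VPN interface, each finding is something a host firewall or a narrower `internal:` and `from:` value would have to cover.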

We can now start the service (and enable it so that it will start at every boot) with:

sudo systemctl start sockd
sudo systemctl enable sockd

We can now proceed with using the proxy. In my case, I configured Firefox’s container proxy extension. This extension allows me to have some containers proxied and others not proxied. Since we created an open proxy, we will simply need to configure:

A few months have passed since I moved from SSH to Dante, and I’m happy with the change. This approach is far more convenient.