SOCKS5 To VPN Gateway 2018-03-31
In my search for a way to specify which applications should use my VPN and which ones shouldn't, I came across plenty of people with the same request... but no decent solution. I of course want to force my IRC client and browser through my VPN service, but not Guild Wars or my time synchronizer. I haven't found anything that lets me specify by application, but I was able to set up a Linux VPN gateway and then push SOCKS5 applications through it with PuTTYtray and port redirection. Here's what I did:
Components
These are the basic parts I used:
- A separate Linux box on the LAN (a VM in my case)
- OpenVPN installed on the Linux box
- A free ProtonVPN account (comes with ProtonMail service)
- A PC with applications that support a SOCKS5 proxy (FF and mIRC in my case)
- PuTTY (or rather PuTTYtray in my case)
- SwapProxy Firefox addon for quick enable/disable
A number of these things could be changed out for alternatives, such as real PuTTY instead of PuTTYtray, or a different VPN provider if you don't like Proton. I also happen to be using Debian Jessie because it is what I am most familiar with, but any Linux or other OS that you can set up as an SSH server should be fine.
Part 1: The Server
All the server really needs is SSH and OpenVPN. On Debian I installed them with:
# apt-get install ssh openvpn
You might wanna set up your SSH to use keys or to use a non-standard port, but in general you just need to be able to SSH to the box. Since my server is inside my network I left my SSH pretty stock. For OpenVPN I downloaded a .ovpn file from my ProtonVPN account. There are actually only a few free servers with Proton's service, so I had to choose one of those. I had to comment out the
block-outside-dns
... keyword in the .ovpn file to make it work, and I changed the authentication line to
auth-user-pass protonauth.txt
... so I could connect without having to enter my password every time. protonauth.txt is a simple text file with the username as the first line and the password as the second line. OpenVPN reads the text file on connect and pulls the credentials so I don't have to type them in.
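The two .ovpn edits above, done with a script instead of by hand, plus a check that the credentials file is in the shape OpenVPN expects and is not world-readable. This is an added example, not something from the original post; the function names and the sample profile are my own, and the sample is a constructed stand-in, not a real ProtonVPN download.

```shell
#!/bin/sh
# Added example: rewrite a downloaded .ovpn the way the post describes and
# sanity-check protonauth.txt. Function names are my own (hypothetical).
set -eu

# prep_ovpn SRC DST: comment out block-outside-dns and point
# auth-user-pass at protonauth.txt (the file name used in the post).
prep_ovpn() {
    src="$1"; dst="$2"
    sed -e 's/^[[:space:]]*block-outside-dns/# &/' \
        -e 's/^[[:space:]]*auth-user-pass.*/auth-user-pass protonauth.txt/' \
        "$src" > "$dst"
    # Edge case: profile had no auth-user-pass line at all, so append one.
    grep -q '^auth-user-pass ' "$dst" || echo 'auth-user-pass protonauth.txt' >> "$dst"
}

# check_auth_file FILE: the file holds a plaintext password, so it should
# contain exactly two lines (user, pass) and be readable only by its owner.
check_auth_file() {
    f="$1"
    lines=$(wc -l < "$f")
    [ "$lines" -eq 2 ] || { echo "$f: expected 2 lines, got $lines" >&2; return 1; }
    # find prints the path only when the mode is exactly 0600 (portable, no stat -c)
    [ -n "$(find "$f" -perm 600)" ] || { echo "$f: run chmod 600 on it" >&2; return 1; }
}

# Constructed sample profile (not a real download) to show the rewrite.
demo_dir=$(mktemp -d)
printf 'client\nblock-outside-dns\nauth-user-pass\nremote vpn.example 1194 udp\n' \
    > "$demo_dir/sample.ovpn"
prep_ovpn "$demo_dir/sample.ovpn" "$demo_dir/sample.fixed.ovpn"
cat "$demo_dir/sample.fixed.ovpn"
```

Run it on the real profile with `prep_ovpn proton.ovpn proton.fixed.ovpn` and then `check_auth_file protonauth.txt` before starting OpenVPN.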
Part 2: The Desktop
On the desktop I needed to set up a tunnel through which my SOCKS5 traffic would flow. I happen to use Windows XP for my desktop, you might [incorrectly] think that is a bad idea, but I won't fault you for running a garbage OS. PuTTYtray, KiTTY, PuTTY, and other similar Windows SSH clients should all be able to do port tunnels. I set up my tunnel connection like so:
This forces traffic sent to localhost on port 9090 through the tunnel to the remote system as a SOCKS5 proxy. Next, the applications have to be set up to use the tunnel. In Firefox's settings under "Advanced" is the "Network" section which I set up like this:
Now I have a few domain names in the exception list from some previous testing that I had been doing, but the ProtonVPN service seems to be handling them just fine. At the top left corner of the screenshot is a small "SP" icon that is actually the SwapProxy addon which gives me an easy way to quickly enable and disable the proxy with a single click.
This SOCKS5 gateway setup lets me choose which applications will go through the VPN, but also requires that the applications support a SOCKS5 proxy. The gateway is accessible to all machines on my network, and can be used by multiple internal devices simultaneously. There are a number of proxifiers that can apparently provide SOCKS support for applications, but the ones I tested didn't work. If you have ever been able to get a proxifier working please let me know and I'll post an update. I should also note that my particular setup is free. ProtonVPN costs nothing, the software costs nothing, and the only real cost is the electricity to run the gateway server. This could be run on a paid VPN or on a VPS instead of an internal computer, but that would of course start to cost.