This project is a lightweight SOCKS5 server for devices that run Linux, and similar operating systems like RasPi OS or Termux. The goals are low memory consumption, low CPU load, and single-threaded design. The latter is accomplished by the use of I/O multiplexing, which allows a single thread to manage hundreds of connections at once.
This is only one of many SOCKS5 server packages available. E.g., the OpenSSH tools support SOCKS within SSH sessions, offering both encryption and strong authentication. Other implementations, like this one, focus on being simple, light, flexible, and fast.
Top Features
The server supports both IPv4 and IPv6, for both clients and connections. The main program, socks5pp provides the core SOCKS engine, managing all connections. If the clients resolve host names on their own, via DNS server or similar, no other tools are needed.
Host name resolution support is provided as an option, via one of the included resolver utilities, running as coprocesses. The system's default resolver can be used, as well as direct DNS and DNS-over-TLS queries to specific servers. Custom hosts files are also supported, which can be used to implement blocklists. The server can be configured to prefer either IPv4 or IPv6 when a host name resolves to addresses of both types.
Socks5++ has been tested with RedSocks, which can be used to build a gateway or router device that transparently routes TCP connections to a proxy server. Use of RedSocks isn't required, but it can be handy if you want to proxy an entire network, such as at a home or office.
Limitations
The core specification document for SOCKS5, RFC 1928, describes certain features that are not implemented in Socks5++.
The first is authentication. The RFC requires "compliant" servers to provide GSSAPI authentication support, while leaving username/password authentication as a recommended option. Unfortunately, none of the popular web browsers implement any authentication options when using SOCKS5. This makes authentication support of little value.
The server does support binding to specific addresses, as well as limiting requests to specific subnets. This can be used to provide basic security for the proxy, especially when running from a system with multiple network connections.
If authentication or encryption are needed, these can be added by wrapping connections in a VPN or TLS tunnel. This is common practice with other TCP-based protocols, using open-source products like OpenVPN or Stunnel. The use of a TLS wrapper can provide a light and simple — but still cryptographically strong — solution for encryption and/or authentication, but without the complexity of SSH or a VPN.
In any case, secure (TLS) connections made through a SOCKS5 server retain their security features, even if the SOCKS5 protocol itself is not encrypted or authenticated.
Another SOCKS5 feature that is not implemented is UDP support. While this also has valid use cases, e.g., for proxying NTP or QUIC, the same lack of client-side SOCKS support in the software providing these services makes UDP support of limited benefit.
Building and Installing
The Socks5++ package builds using the make utility. The core software is written in C++. Some of the included DNS resolvers are written in Python. DNS-over-TLS support requires the package dnspython to be available to the installed Python environment.
The software can be installed using make install to copy the binaries and scripts into /usr/local/bin. The command make uninstall will remove them.
Configuration is provided by command-line arguments. Run the program socks5pp -h to see a list of available options. There are many settings that can be enabled or adjusted, but none of them are required. By default, the server will bind to the loopback adapters for both IPv4 and IPv6, and listen on TCP port 1080.
