This project is a lightweight SOCKS5 server for devices that run Linux, or similar operating systems like RasPi OS or Termux. The goals are low memory consumption and single-threaded design. The latter is accomplished by the use of I/O multiplexing, which allows a single thread to manage hundreds of connections at once.
This is one of many available SOCKS5 server packages available. Some intend to be full-featured, while others, like this one, focus on being light enough to run on small devices, like a RasPi or a mobile device.
Top Features
The server supports both IPv4 and IPv6, for both clients and connections. Name resolution is provided as an option, via one of the included resolver utilities, running as coprocesses. The system's native host resolution can be used, as well as direct DNS and DNS-over-TLS queries to specific servers. Custom hosts files are supported, which can also be used to implement blocklists. The server can be configured to prefer either IPv4 or IPv6 when a name resolves to addresses of both types.
Socks5++ has been tested with RedSocks, which can be used to build a gateway or router device that sends TCP connections to a proxy server. Use of RedSocks isn't required, but it can be handy if you want to proxy an entire network, such as at a home or office.
Limitations
The core specification document for SOCKS5, RFC 1928, describes certain features that are not implemented in Socks5++.
The first is authentication. The RFC requires "compliant" servers to provide GSSAPI authentication support, while leaving username/password authentication as a recommended option. However, none of the popular web browsers implement any authentication options when using SOCKS5. This makes authentication support of little value, so it is not included in Socks5++.
The server does support binding to specific addresses, as well as limiting requests to specific subnets. This can be used to provide basic security for the proxy, especially when running from a system with multiple network connections. If authentication or encryption are needed, either or both can be added by wrapping connection requests in a VPN or TLS tunnel. This is common practice with other TCP-based protocols, by using open-source products like OpenVPN or Stunnel. Secure (TLS) connections made through a SOCKS5 connection will remain secured, even if the SOCKS5 protocol itself is not encrypted or authenticated.
Another SOCKS5 feature that is not implemented is UDP support. While this also has valid use cases, e.g., for proxying NTP or QUIC, the same lack of client-side SOCKS support in major applications using these protocols makes UDP support of similarly limited benefit.
Building and Installing
The Socks5++ package builds using the make utility. The core software is written in C++. Some of the included DNS resolvers are written in Python. DNS-over-TLS support requires the package dnspython to be available to the installed Python environment.
The software can be installed using make install to copy the binaries and scripts into /usr/local/bin. The command make uninstall will remove them.
Configuration is provided by command-line arguments. Run the program socks5pp -h to see a list of available options. There are many settings that can be enabled or adjusted, but none of them are required. By default, the server will bind to the loopback adapters for both IPv4 and IPv6, and listen on TCP port 1080.
