
[Feature] Guide to use tunsocks on linux host as a gateway to other hosts ex: LXC containers and VMs #252

Open
SkullFace141 opened this issue May 11, 2023 · 20 comments
Assignees
Labels
documentation Improvements or additions to documentation help wanted Extra attention is needed

Comments


SkullFace141 commented May 11, 2023

Description

[Feature] Guide to use tunsocks on linux host as a gateway to other hosts ex: LXC containers and VMs

The guide in the wiki only shows the configuration for single-machine use.

Thanks

@SkullFace141 SkullFace141 changed the title [Feature] Guide to use tunsocks on linux host a gateway to other hosts ex: LXC containers and VMs [Feature] Guide to use tunsocks on linux host as gateway to other hosts ex: LXC containers and VMs May 11, 2023
@SkullFace141 SkullFace141 changed the title [Feature] Guide to use tunsocks on linux host as gateway to other hosts ex: LXC containers and VMs [Feature] Guide to use tunsocks on linux host as a gateway to other hosts ex: LXC containers and VMs May 11, 2023
@xjasonlyu xjasonlyu added documentation Improvements or additions to documentation help wanted Extra attention is needed labels May 12, 2023

bb33bb commented May 13, 2023

I also need this detailed documentation.

@Alecyrus

@xjasonlyu If possible, could you please tell us how to configure gateway mode? The current wiki doesn't mention this at all.

@xjasonlyu (Owner)

Technically, there is no such gateway mode. It's just a server/host with IP forwarding enabled.

Therefore, to turn on "gateway mode", you only need to set up tun2socks as usual and enable IP forwarding on your machine, e.g. sysctl -w net.ipv4.ip_forward=1

To let LAN clients access the internet via this gateway, just configure your clients' gateway IP to your tun2socks server's IP. easy peasy :-P

@github-actions github-actions bot added the Stale label Jul 24, 2023
@xjasonlyu xjasonlyu removed the Stale label Jul 27, 2023
Repository owner deleted a comment from github-actions bot Jul 27, 2023
@sonvirgo

Technically, there is no such gateway mode. It's just a server/host with IP forwarding enabled.

Therefore, to turn on "gateway mode", you only need to set up tun2socks as usual and enable IP forwarding on your machine, e.g. sysctl -w net.ipv4.ip_forward=1

To let LAN clients access the internet via this gateway, just configure your clients' gateway IP to your tun2socks server's IP. easy peasy :-P

Tried a lot of methods, also with iptables; did not work.
IP is routed through en0 instead of tun0.


n-r-w commented Aug 27, 2023

Gateway mode is working fine. This is my test startup script for a manual run, with cleanup after it finishes. After running it, just set the client gateway to the server's address and all traffic goes to the shadowsocks server.

#!/bin/bash
# Allow the kernel to forward packets from LAN clients into tun0
sysctl -w net.ipv4.ip_forward=1
# Create the TUN device tun2socks will read from
ip tuntap add mode tun dev tun0
ip addr add 198.18.0.1/15 dev tun0
ip link set tun0 up
# Replace the default route: tun0 wins (metric 1), ens18 stays as fallback (metric 10)
ip route del default via 198.18.0.1
ip route del default via 192.168.1.1
ip route add default via 198.18.0.1 dev tun0 metric 1
ip route add default via 192.168.1.1 dev ens18 metric 10
# Keep the proxy server itself reachable via the physical gateway,
# otherwise its own traffic would loop back into tun0
ip route add <shadowsocks-server-address>/32 via 192.168.1.1

# Runs in the foreground; the cleanup below executes once it exits
./tun2socks -device tun0 -proxy socks5://127.0.0.1:1080 -interface ens18

# Cleanup: restore the original routing
sysctl -w net.ipv4.ip_forward=0
ip route del default via 198.18.0.1
ip route del default via 192.168.1.1
ip route del <shadowsocks-server-address>/32
ip route add default via 192.168.1.1 dev ens18


n-r-w commented Aug 27, 2023

But how to make it work on a router (I have Ubuntu 20.04 configured as a router), I don't understand.
Here is my iptables config for routing. Tried to forward from LAN to tun0, etc... Nothing helped.
LAN - enp3s0
WAN - enp4s0

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp4s0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# basic global accept rules - ICMP, loopback, traceroute, established all accepted
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# enable traceroute rejections to get sent out
-A INPUT -p UDP --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
# DNS - accept from LAN
-A INPUT -i enp3s0 -p tcp --dport 53 -j ACCEPT
-A INPUT -i enp3s0 -p udp --dport 53 -j ACCEPT
# SSH - accept from LAN and WAN
-A INPUT -i enp3s0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i enp4s0 -p tcp --dport 22 -j ACCEPT
# DHCP client requests - accept from LAN
-A INPUT -i enp3s0 -p udp --dport 67:68 -j ACCEPT
# Refuse anything else
-A INPUT -j DROP
# Forwarding rules
# forward packets along established/related connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# forward from LAN (enp3s0) to WAN (enp4s0)
-A FORWARD -i enp3s0 -o enp4s0 -j ACCEPT
# drop all other forwarded traffic
-A FORWARD -j DROP
COMMIT
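
Two POSIX shell checks, added here as an editor's example (not code from this thread or from tun2socks), for the two failure modes reported above: sonvirgo's "routed through en0 instead of tun0" and the FORWARD chain just posted, which only accepts enp3s0 to enp4s0 before dropping everything else. Both run over constructed samples; the interface names enp3s0, ens18 and tun0 come from the posts, and the ACCEPT rule suggested in the last line is an assumption about what such a chain would need, not something the thread confirms fixed the router.

```shell
#!/bin/sh
# Constructed sample of `ip route show` on a host where tun0 was added with
# metric 1 while the physical NIC keeps a DHCP default route (metric 100).
ROUTES_SAMPLE='default via 192.168.1.1 dev ens18 proto dhcp metric 100
default via 198.18.0.1 dev tun0 metric 1
192.168.1.0/24 dev ens18 proto kernel scope link src 192.168.1.50
198.18.0.0/15 dev tun0 proto kernel scope link src 198.18.0.1'

# Print the device that holds the lowest-metric default route (a missing
# metric counts as 0). If this is not tun0, forwarded traffic never reaches
# tun2socks, whatever ip_forward or iptables say.
default_route_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            dev = ""; metric = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (best == "" || metric < bestm) { best = dev; bestm = metric }
        }
        END { print best }'
}

# Constructed iptables-save fragment mirroring the FORWARD chain posted above:
# only LAN (enp3s0) -> WAN (enp4s0) is accepted before the catch-all DROP.
FILTER_SAMPLE='*filter
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp3s0 -o enp4s0 -j ACCEPT
-A FORWARD -j DROP
COMMIT'

# Exit 0 if a rule accepting $2 -> $3 appears before an unconditional DROP.
# A chain that fails this for (LAN, tun0) silently discards every client
# packet that the routing table did send towards tun2socks.
forward_allowed() {
    printf '%s\n' "$1" | awk -v in_if="$2" -v out_if="$3" '
        /^-A FORWARD / {
            if ($0 ~ ("-i " in_if " -o " out_if " -j ACCEPT")) { ok = 1; exit }
            if ($0 ~ /-j DROP$/ && $0 !~ /-i /) exit
        }
        END { exit !ok }'
}

# Stand-alone run against the samples (constructed, not live state).
echo "default route device: $(default_route_dev "$ROUTES_SAMPLE")"
forward_allowed "$FILTER_SAMPLE" enp3s0 tun0 && echo "LAN->tun0 forward: allowed" \
    || echo "LAN->tun0 forward: blocked (assumed fix: -A FORWARD -i enp3s0 -o tun0 -j ACCEPT before the DROP)"
```

On a real router, feed the output of `ip route show` and `iptables-save -t filter` to the two functions instead of the samples.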

@sonvirgo

But how to make it work on a router (I have Ubuntu 20.04 configured as a router), I don't understand. Here is my iptables config for routing. Tried to forward from LAN to tun0, etc... Nothing helped. LAN - enp3s0 WAN - enp4s0


Same here, Ubuntu router: all other hosts' traffic is not picked up by tun0.

Gateway mode is working fine. This is my test startup script for a manual run, with cleanup after it finishes. After running it, just set the client gateway to the server's address and all traffic goes to the shadowsocks server.


The gateway portion did not work.
For the 127.0.0.1 part I have a better solution, as the remote SOCKS servers' addresses are unknown.
https://github.com/sonvirgo/tun2socks-127.0.0.1-loopback

#!/bin/bash
# Policy routing: traffic from uid 1001 (presumably the psiphon user) looks up
# table 110, whose default route leaves via the physical NIC, so the proxy
# process itself bypasses tun0 and cannot loop back into it
sudo ip route add default via 192.168.43.1 dev enp3s0 metric 1 table 110
sudo ip rule add uidrange 1001-1001 lookup 110 pref 29000
# Run the proxy as that user
pkexec --user psiphon ./psiphon-tunnel-core-x86_64 --config psiphone.conf

#!/bin/bash
# Create the TUN device and make it the preferred default route
sudo ip tuntap add mode tun dev tun0
sudo ip addr add 198.18.0.1/15 dev tun0
sudo ip link set dev tun0 up
sudo ip route del default
sudo ip route add default via 198.18.0.1 dev tun0 metric 1
sudo ip route add default via 192.168.43.1 dev enp3s0 metric 10
# Everything not owned by uid 1001 now enters tun2socks and leaves via the local SOCKS5 port
tun2socks -device tun0 -proxy socks5://127.0.0.1:2088

@Youaresmarter

Gateway mode is working fine. This is my test startup script for a manual run, with cleanup after it finishes. After running it, just set the client gateway to the server's address and all traffic goes to the shadowsocks server.


@n-r-w Hi!
Same question, and it still does not work. Can you explain your network structure and the script?


n-r-w commented Sep 3, 2023

@Youaresmarter my full configuration https://github.com/n-r-w/tunnel


sonvirgo commented Sep 3, 2023

Gateway mode is working fine. This is my test startup script for a manual run, with cleanup after it finishes. After running it, just set the client gateway to the server's address and all traffic goes to the shadowsocks server.


@n-r-w Hi! Same question, and it still does not work. Can you explain your network structure and the script?

It did not work for sure; don't waste your time.
I have both Ubuntu and macOS with IP forwarding enabled.
If it were as simple as toggling IP forwarding, there would not be so many people here.
We are not amateurs at all.


n-r-w commented Sep 3, 2023

@sonvirgo I didn't fully understand your post, but the configuration I described here https://github.com/n-r-w/tunnel works right now.


n-r-w commented Sep 5, 2023

Found out that UDP traffic is not routed :( @xjasonlyu do you have any advice?
I used a different server to test UDP, as I have problems with voice chat.

TCP works:

server:

iperf -s -p 42533

client:

iperf -c server_ip -b 1M -p 42533

UDP not working:

server:

iperf -s -u -p 42533

client:

iperf -c server_ip -u -b 1M -p 42533


sonvirgo commented Oct 13, 2023

@n-r-w I didn't fully understand your post, but the configuration I described here https://github.com/n-r-w/tunnel works right now.

Your whole script is holy crap.
We use different SOCKS software.
But the most important part is that IP FORWARDING didn't work.


sonvirgo commented Oct 13, 2023

@xjasonlyu
Simply turning on IP forwarding didn't work.
This is the local host running both tun2socks and the SOCKS5 server, with IPv4 forwarding enabled:
[Screenshot from 2023-10-13 21-06-03]

This is a host on the local LAN; it cannot access the internet through tun2socks:
[image]

Tried Google, also no luck:
https://www.google.com/search?q=ubuntu+forward+all+LAN+traffic+to+TUN+interface

@xjasonlyu xjasonlyu self-assigned this Oct 23, 2023

sonvirgo commented Oct 26, 2023

Done!
I changed my Wi-Fi card.
Also disabled systemd-resolve.
Somehow it works.
Don't know the cause, however.
Now tun2socks works as a NAT router beautifully, forwarding Ethernet to the Wi-Fi TUN interface, both in Linux and Windows.
Can't figure out how to make it work on Darwin, as loopback is not resolved in macOS.

Btw: the Ubuntu NAT router requires only 1 NIC.
The Windows NAT router requires 2 NICs.


PaPa1ya commented Dec 19, 2023

Gateway mode is working fine. This is my test startup script for a manual run, with cleanup after it finishes. After running it, just set the client gateway to the server's address and all traffic goes to the shadowsocks server.


Guys, this does work; it really just requires you to set sysctl -w net.ipv4.ip_forward=1 (in the case of v2raya, enable it in the GUI, otherwise the service will overwrite the change).
My configuration:
Debian 12 LXC.
No iptables or other firewall installed.
SOCKS5 from v2raya on the same server.
My mistake was that I didn't make sure the proxy was still running while tun2socks was running. I forgot to route the remote server address through the local route.


zaknenou commented Mar 24, 2024

@sonvirgo I didn't fully understand your post, but the configuration I described here https://github.com/n-r-w/tunnel works right now.

@n-r-w I know I'm late to the party but thank you bro, it finally worked for me thanks to your great script! You're a genius and great teacher


n-r-w commented Mar 24, 2024

@n-r-w I know I'm late to the party but thank you bro, it finally worked for me thanks to your great script! You're a genius and great teacher

I'm using a different configuration now.
Server: https://github.com/n-r-w/shadow-server
Client: https://github.com/n-r-w/shadow-client


zaknenou commented Mar 24, 2024

I'm using a different configuration now. Server: https://github.com/n-r-w/shadow-server Client: https://github.com/n-r-w/shadow-client

Thanks for providing this, I'll check it later. But I'm surprised you too are still using this; I thought I was the only one who couldn't use the Rust implementation of shadowsocks. I see it claims that its ss-redir solves the problem, but I couldn't manage to make it work myself. What do you think about it?


n-r-w commented Mar 24, 2024

Thanks for providing this, I'll check it later. But I'm surprised you too are still using this; I thought I was the only one who couldn't use the Rust implementation of shadowsocks. I see it claims that its ss-redir solves the problem, but I couldn't manage to make it work myself. What do you think about it?

In the configuration above, I do not use shadowsocks and tun2socks at all, because I could not make UDP work properly. Instead, I use Cloak + Wireguard.
