Bypassing Proxies#

Tired of stubborn corporate firewalls and region blocks? Below are straightforward configs, minimal chatter—just the steps and code. Use CNTLM if you’re stuck behind NTLM proxies. For something encrypted, check out my V2Ray configs. ToC follows.

Table of Contents#

  1. Insecure Setup
    1.1 Installing Certificates (or How to Get Spied On)
    1.2 CNTLM (for NTLM Proxy)

  2. Encrypted Setup
    2.1 V2Ray Installation
    2.2 V2Ray through SOCKS
    2.3 Forcing Traffic through Proxy
    2.4 Phone Setup

  3. Advanced Setup
    3.1 Resources for HTTPS with V2Ray

Insecure Setup#

The section below describes how to correctly set up your proxy on a Linux machine. Last tested 17/12/2024 on Ubuntu 22.04.

NOTE: apt, python, pip, conda, or insert-similar-program-here respect these env variables and certificates! If you are getting errors, something went wrong or something is overwriting your settings. I have tested these on a clean setup multiple times.

Installing Certificates (or How to Get Spied On)#

Your work proxy might require you to trust custom certificates issued by them. By installing a custom bundle, you’re telling your system to trust certificates your company chooses. This can let them spy on your traffic or impersonate websites (like Google or your bank) without you knowing.

Still, if you want to go ahead on your Linux machine (use sudo if needed):

apt install ca-certificates
cp mycertificate.crt /usr/local/share/ca-certificates/
chmod 644 /usr/local/share/ca-certificates/mycertificate.crt
update-ca-certificates

Occasionally, programs have their own certificate stores (especially Chrome and other browsers). But the above should cover 99% of the terminal use cases.

CNTLM (for NTLM Proxy)#

Install:

sudo apt install cntlm

Run:

cntlm -u MYUSERNAME -d MYDOMAIN -H

to get something like:

PassLM          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PassNT          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PassNTLMv2      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Configure /etc/cntlm.conf:

Username    MYUSERNAME
Domain      MYDOMAIN

# PASTE OUTPUT OF PREVIOUS COMMAND
PassLM          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PassNT          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PassNTLMv2      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Proxy       corporate-proxy.example.com:8080
# Proxy       more-backup-proxies.example.com:8080
# Proxy       more-backup-proxies2.example.com:8080

Listen      0.0.0.0:3128
Auth    NTLM
Gateway   yes

Start CNTLM:

sudo systemctl enable cntlm
sudo systemctl start cntlm

Set System-wide Proxy:

Add the following to /etc/environment before restarting:

http_proxy=http://127.0.0.1:3128
https_proxy=http://127.0.0.1:3128
HTTP_PROXY=http://127.0.0.1:3128
HTTPS_PROXY=http://127.0.0.1:3128

NOTE: If you export these variables, or add them to your .bashrc or similar, they might not be picked up by your sudo commands. Use sudo -E instead.

NOTE 2: You can skip CNTLM and just use http_proxy=http://username:password@corporate-proxy.example.com:8080 (and the other vars as seen above). But your password will be everywhere and it will be slower. Also, you won’t be able to set up backup proxies.
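As an added example (not part of the original post), the following Python script audits the proxy environment variables for embedded credentials, which is exactly the risk NOTE 2 describes: it reports which variables carry a username or password and produces a redacted form that is safe to paste into a bug report or log. The SAMPLE_ENV entries, the hostname and the all_proxy names beyond the four variables above are constructed for the example.

```python
import os
from urllib.parse import urlsplit, urlunsplit

# Variable names read by apt, pip, curl and most other command-line clients
# (the four from /etc/environment above plus the all_proxy pair).
PROXY_VARS = ("http_proxy", "https_proxy", "HTTP_PROXY", "HTTPS_PROXY",
              "all_proxy", "ALL_PROXY")

# Constructed sample environment: the first entry follows the NOTE 2 pattern,
# the second points at a local CNTLM listener and carries no secret.
SAMPLE_ENV = {
    "http_proxy": "http://alice:hunter2@corporate-proxy.example.com:8080",
    "https_proxy": "http://127.0.0.1:3128",
}


def proxy_has_credentials(url):
    """True when the proxy URL embeds a username or a password."""
    parts = urlsplit(url)
    return bool(parts.username or parts.password)


def redact_proxy_url(url):
    """Return the URL with any embedded password replaced by '***'."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username or ''}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def audit_proxy_env(env):
    """Map every proxy variable present in env to 'embeds-credentials' or 'ok'."""
    findings = {}
    for name in PROXY_VARS:
        value = env.get(name)
        if value:
            findings[name] = "embeds-credentials" if proxy_has_credentials(value) else "ok"
    return findings


if __name__ == "__main__":
    # Audit the real environment of the current shell, printing only redacted URLs.
    for name, finding in audit_proxy_env(os.environ).items():
        print(f"{name}: {finding} ({redact_proxy_url(os.environ[name])})")
    print("sample:", audit_proxy_env(SAMPLE_ENV))
```

Run it from the shell whose variables you want to check; with the CNTLM setup above every variable should come back as ok, because only 127.0.0.1:3128 is in the URL and the hashes live in /etc/cntlm.conf.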

Encrypted Setup#

Disclaimer: This setup should work decently well, but I cannot guarantee you complete privacy. DNS requests or other requests might leak and be revealed. The V2Ray documentation is an excellent resource which might help you dive into even safer setups.

The setup below lets you be reasonably sure your traffic cannot be easily seen by others. You need a server you control outside of the firewall. A VPS from AWS, DigitalOcean, etc. should work fine.

First install V2Ray on both client and server:

curl -O https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh
chmod +x install-release.sh
sudo ./install-release.sh

If commands above don’t work, look at their latest install instructions.

V2Ray through SOCKS#

Often you will have access to a SOCKS proxy. These configs allow you to pass your traffic through that proxy.

Make a UUID. Keep it secret. Keep it safe:

apt install uuid-runtime
uuidgen

Make a config-server.json file on your server:#

{
  "inbounds": [
    {
      "port": 8080,
      "protocol": "vmess",
      "settings": {
        "clients": [
          {
            "id": "YOUR_UUID_HERE",
            "alterId": 64
          }
        ]
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {}
    }
  ]
}

and start your v2ray service:

sudo cp config-server.json /usr/local/etc/v2ray/config.json
sudo systemctl enable v2ray
sudo systemctl start v2ray
sudo systemctl status v2ray

Client setup (inside the firewall)#

Make a config-client.json file:

{
  "log": {
    "access": {
      "type": "File",
      "path": "/home/USERNAME/access.log"
    }
  },
  "inbounds": [
    {
      "protocol": "socks",
      "settings": {
        "udpEnabled": true,
        "address": "127.0.0.1"
      },
      "port": 1080,
      "listen": "0.0.0.0"
    }
  ],
  "outbounds": [
    {
      "protocol": "vmess",
      "tag": "overlay",
      "settings": {
        "address": "HOSTNAME_OR_IP_OF_SERVER",
        "port": 8080,
        "uuid": "YOUR_UUID_HERE"
      },
      "proxySettings":{
        "tag": "socks-outbound",
        "transportLayer": true
      }
    },
    {
      "protocol": "#v2ray.core.proxy.socks.ClientConfig",
      "tag": "socks-outbound",
      "settings": {
        "server": [
          {
            "address": "PROXY_IP_ADDRESS",
            "port": 1080,
            "user": [
              {
                "account": {
                  "@type": "v2ray.core.proxy.socks.Account",
                  "username": "YOUR_WORK_USERNAME",
                  "password": "YOUR_WORK_PASSWORD"
                }
              }
            ]
          }
        ],
        "version": "SOCKS5",
        "delay_auth_write": true
      }
    }
  ]
}

Now, you can start v2ray as a system service or just in your terminal (e.g., inside tmux).

NOTE: At the time of writing, this second config uses the v5 (jsonv5) format, which was not the default. You need to run v2ray run -c config-client.json -format jsonv5.
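Both JSON files above are easy to break with a stray comma or a placeholder that was never replaced, and V2Ray will then refuse to start with a parse error. The following Python checker is an added example, not code from the post or from the V2Ray project: it parses a config strictly, flags placeholder values, invalid UUIDs and plaintext credentials, and checks that a vmess inbound has at least one client. The embedded server config mirrors the one above (once with the trailing comma that makes it invalid JSON); EXAMPLE_UUID and CLIENT_FRAGMENT are constructed for the example.

```python
import json
import uuid

# Strings that mark a value the post tells you to replace.
PLACEHOLDER_MARKERS = ("YOUR_", "HOSTNAME_OR_IP", "PROXY_IP_ADDRESS")

# The server config from the post, including a trailing comma after the
# inbound object; json.loads (and V2Ray) will not accept it as written.
SERVER_WITH_TRAILING_COMMA = """{
  "inbounds": [
    {
      "port": 8080,
      "protocol": "vmess",
      "settings": {"clients": [{"id": "YOUR_UUID_HERE", "alterId": 64}]}
    },
  ],
  "outbounds": [{"protocol": "freedom", "settings": {}}]
}"""

# Same config with the stray comma removed.
SERVER_TEMPLATE = SERVER_WITH_TRAILING_COMMA.replace("},\n  ],", "}\n  ],")

# Constructed UUID for the example; generate your own with uuidgen.
EXAMPLE_UUID = "3b7d1f3e-6d0c-4f2a-9c1e-2a5d8e9f0b11"

# Constructed fragment of a client config in which nothing has been filled in.
CLIENT_FRAGMENT = """{
  "outbounds": [
    {"protocol": "vmess",
     "settings": {"address": "HOSTNAME_OR_IP_OF_SERVER", "port": 8080, "uuid": "YOUR_UUID_HERE"}},
    {"settings": {"server": [{"user": [{"account": {"password": "YOUR_WORK_PASSWORD"}}]}]}}
  ]
}"""


def syntax_error(text):
    """Return 'line L column C: message' for invalid JSON, or None when it parses."""
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        return f"line {exc.lineno} column {exc.colno}: {exc.msg}"
    return None


def load_config(text):
    """Parse strictly: json.loads rejects trailing commas and comments."""
    return json.loads(text)


def scalars(node, path="$"):
    """Yield (json_path, value) for every scalar in a parsed document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from scalars(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from scalars(value, f"{path}[{index}]")
    else:
        yield path, node


def check_config(cfg):
    """Return a list of human-readable issues; an empty list means nothing was flagged."""
    issues = []
    for path, value in scalars(cfg):
        key = path.rsplit(".", 1)[-1]
        if not isinstance(value, str):
            continue
        if any(marker in value for marker in PLACEHOLDER_MARKERS):
            issues.append(f"{path}: placeholder {value!r} was never replaced")
        if key in ("id", "uuid"):
            try:
                uuid.UUID(value)
            except ValueError:
                issues.append(f"{path}: {value!r} is not a valid UUID")
        if key == "password":
            issues.append(f"{path}: plaintext credential; keep this file mode 0600")
    for index, inbound in enumerate(cfg.get("inbounds", [])):
        clients = inbound.get("settings", {}).get("clients")
        if inbound.get("protocol") == "vmess" and not clients:
            issues.append(f"$.inbounds[{index}]: vmess inbound has no clients")
    return issues


if __name__ == "__main__":
    print("trailing comma:", syntax_error(SERVER_WITH_TRAILING_COMMA))
    for issue in check_config(load_config(CLIENT_FRAGMENT)):
        print(issue)
```

Point load_config at the real files (open them and pass the text) before copying them to /usr/local/etc/v2ray/config.json; the plaintext-credential finding is a reminder that the client config holds your work password and should not be world-readable.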

Then, your localhost is running a proxy you can tunnel through. For example, you can run:

ssh -o ProxyCommand="nc -x 127.0.0.1:1080 %h %p" USER@HOSTNAME

to ssh through the proxy.

Forcing traffic through proxy#

Well, how do we pass traffic through this v2ray client? You could manually set up the proxy for each of your applications. Or you could try this lightly tested iptables setup.

Warning: only do this if you are familiar with iptables, know how to reset your system, or are OK with breaking stuff.

Install redsocks:

apt install redsocks

Config: /etc/redsocks.conf:

base {
    log_debug = on;
    log_info = on;
    log = "stderr";
    daemon = off;
    redirector = iptables;
}
redsocks {
    local_ip = 127.0.0.1;
    local_port = 6666;
    ip = 172.38.0.1;
    port = 1080;
    type = socks5;
}

Start redsocks with redsocks -c /etc/redsocks.conf (or as a service).

Then the iptables rules. iptables evaluates the nat OUTPUT chain in order and the first match wins, so the loopback and proxy exemptions must be appended before the REDIRECT rules; otherwise local connections on the redirected ports would be sent to redsocks as well:

iptables -t nat -A OUTPUT -o lo -j ACCEPT
iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 1080 -j ACCEPT # 127.0.0.1 or the IP of the SOCKS proxy
iptables -t nat -A OUTPUT -p tcp --dport 22 -j REDIRECT --to-ports 6666
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 6666
iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 6666
# add more dports.
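iptables matches rules in the order they were appended and the first match wins, so where the two ACCEPT exemptions sit relative to the REDIRECT rules decides whether a local SSH session or redsocks' own connection to the SOCKS proxy gets looped back into redsocks. The following Python model is an added example (not code from the post, and not iptables itself): it emulates first-match traversal of the nat OUTPUT chain for a few constructed connections and renders each rule list back into iptables commands. Rule, verdict and render are names chosen for the example; the redsocks port, the proxy address and the ports come from the config above, and 203.0.113.10 is a TEST-NET address used as a stand-in remote host.

```python
from dataclasses import dataclass
from typing import Optional

REDSOCKS_PORT = 6666        # local_port from /etc/redsocks.conf
SOCKS_PROXY = "127.0.0.1"   # 127.0.0.1 or the IP of the SOCKS proxy
SOCKS_PORT = 1080


@dataclass(frozen=True)
class Rule:
    """One rule in the nat OUTPUT chain; None means 'match anything' for that field."""
    target: str                      # "ACCEPT" or "REDIRECT"
    dport: Optional[int] = None      # TCP destination port (--dport)
    dst: Optional[str] = None        # destination address (-d)
    out_iface: Optional[str] = None  # outgoing interface (-o)
    to_port: Optional[int] = None    # --to-ports for REDIRECT

    def matches(self, dst, dport, out_iface):
        return ((self.dport is None or self.dport == dport)
                and (self.dst is None or self.dst == dst)
                and (self.out_iface is None or self.out_iface == out_iface))

    def command(self):
        """Render this rule as the iptables -A invocation that creates it."""
        parts = ["iptables -t nat -A OUTPUT"]
        if self.out_iface is not None:
            parts.append(f"-o {self.out_iface}")
        if self.dport is not None:
            parts.append("-p tcp")
        if self.dst is not None:
            parts.append(f"-d {self.dst}")
        if self.dport is not None:
            parts.append(f"--dport {self.dport}")
        parts.append(f"-j {self.target}")
        if self.to_port is not None:
            parts.append(f"--to-ports {self.to_port}")
        return " ".join(parts)


def redirect_rules(ports):
    return [Rule("REDIRECT", dport=p, to_port=REDSOCKS_PORT) for p in ports]


def exemption_rules():
    return [Rule("ACCEPT", out_iface="lo"),
            Rule("ACCEPT", dst=SOCKS_PROXY, dport=SOCKS_PORT)]


# Two ways of building the same chain with -A: exemptions appended after the
# redirects, or exemptions appended first.
EXEMPTIONS_LAST = redirect_rules([22, 80, 443]) + exemption_rules()
EXEMPTIONS_FIRST = exemption_rules() + redirect_rules([22, 80, 443])


def verdict(rules, dst, dport, out_iface):
    """Emulate chain traversal: the first matching rule decides.

    Returns 'ACCEPT' or 'REDIRECT:<port>'; the chain policy (ACCEPT) applies
    when nothing matches.
    """
    for rule in rules:
        if rule.matches(dst, dport, out_iface):
            return "ACCEPT" if rule.target == "ACCEPT" else f"REDIRECT:{rule.to_port}"
    return "ACCEPT"


def render(rules):
    """The iptables commands, in the order they must be run."""
    return [rule.command() for rule in rules]


if __name__ == "__main__":
    # Constructed connections: ssh to localhost, HTTPS to a TEST-NET address,
    # and redsocks' own connection to the SOCKS proxy.
    for dst, dport, iface in [("127.0.0.1", 22, "lo"), ("203.0.113.10", 443, "eth0"),
                              (SOCKS_PROXY, SOCKS_PORT, "lo")]:
        print(f"{dst}:{dport} via {iface}: exemptions-last={verdict(EXEMPTIONS_LAST, dst, dport, iface)} "
              f"exemptions-first={verdict(EXEMPTIONS_FIRST, dst, dport, iface)}")
    print("\n".join(render(EXEMPTIONS_FIRST)))
```

With the exemptions appended last, ssh to 127.0.0.1:22 is redirected into redsocks; with them first it is accepted, while HTTPS to a remote host is still redirected in both orders. If you later add the V2Ray server's port to the redirect list, add a matching ACCEPT for the server address first, or the v2ray client's own outbound connection will be looped into redsocks.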

Phone Setup#

I can strongly recommend the “Shadowrocket” client for iOS. It worked fine for me and it is pretty straightforward to enter the same proxy settings.

Advanced Setup#

This section is not finished. But consider using WebSocket + TLS with a reverse proxy like Caddy or Nginx. This can add HTTPS encryption to your V2Ray traffic. Check out the V2Ray guide on WSS for step-by-step instructions.