Install and Configure Dante Socks5 Proxy on Debian/Ubuntu

Introduction

This tutorial will explain how to install and configure the Dante Socks5 Proxy on Debian/Ubuntu. Before you start the installation, you must meet the following conditions:

Prerequisites

• Server with Operating System Linux:
  • Debian 12
  • Ubuntu 24.04
• Access to root user or user with sudo permission
• SSH Tools
  • PuTTY For Windows
  • OpenSSH in Linux/macOS (available by default)

Step 1 - Install Dante

You can install Dante with apt. When using apt to install Dante, it might not install the latest version. Full details about release information are HERE.

• Update the system packages and install Dante:

  sudo apt update
  sudo apt install dante-server

  On Debian, you might also need to run:

  export PATH=$PATH:/usr/sbin

• Check Dante Version:

  holu@your_host:~# danted -v
  Dante v1.4.3

Step 2 - Configure Dante

Step 2.1 - Internet Interface

In the next step, we will create the Dante configuration file. In this file, you have to add the interface name of the public interface. We can check the interface name by running ip a. The public interface usually has an MTU size of 1500 bytes. In the example below, the server uses the eth0 interface.

root@your_host:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:06:d1:d0 brd ff:ff:ff:ff:ff:ff
    inet 203.0.113.1/32 metric 100 scope global dynamic eth0
       valid_lft 86232sec preferred_lft 86232sec

Step 2.2 - Dante Configuration

Before we change the configuration, we must make a backup configuration file, because in the configuration file there is information about the functions of each configuration line.

sudo mv /etc/danted.conf /etc/danted.conf.bak

Then we edit the Danted configuration:

sudo nano /etc/danted.conf

Copy and paste the configuration below:

logoutput: /var/log/socks.log
internal: eth0 port = 1080
external: eth0
clientmethod: none
socksmethod: none
user.privileged: root
user.notprivileged: nobody

client pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: error connect disconnect
}
client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}
socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: error connect disconnect
}
socks block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

Configuration Notes:

• If your server does not use the eth0 interface, change it in the sections internal and external.
• If you use public wifi and it turns out that the non-standard port is blocked, you can replace it with another port like 53 or 443. In this case, change the port in port = 1080 to the port you want.

Make sure Dante can write the log entries:

sudo nano /lib/systemd/system/danted.service

Add this entry and save the changes:

[Service]
ReadWriteDirectories=/var/log

Start and check if Danted is running normally:

sudo systemctl daemon-reload
sudo systemctl start danted
sudo systemctl status danted

Step 2.3 - Dante Socks5 Test

curl -x socks5://<your_ip_server>:<your_danted_port> -4 https://ip.hetzner.com

Example output of the command:

holu@your_host:~# curl -x socks5://203.0.113.1:1080 -4 https://ip.hetzner.com
203.0.113.1

If the test fails, you can check the Danted log in /var/log/socks.log.

Step 3 - Limit Access

Step 3.1 - Limit by Username

You can restrict access to your proxy server using a username and password.

Edit the Danted configuration in /etc/danted.conf, and change this section:

# socksmethod: none // for non-authentication
socksmethod: username

socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bind connect udpassociate
        log: error connect disconnect
        socksmethod: username
}

Save, and restart using:

sudo systemctl restart danted
sudo systemctl status danted

To create a user and password, use the following command:

sudo useradd holu -r
sudo passwd holu

Use the following command to test the login with your username and password:

curl -x socks5://<your_username>:<your_password>@<your_ip_server>:<your_danted_port> -4 https://ip.hetzner.com

Example output of the command:

• With Username & Password:

  holu@your_host:~# curl -x socks5://holu:secure-password@203.0.113.1:1080 -4 https://ip.hetzner.com
  203.0.113.1

• Without Username & Password:

  holu@your_host:~# curl -x socks5://203.0.113.1:1080 -4 https://ip.hetzner.com
  curl: (97) No authentication method was acceptable.     # It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.

You can check the login for success or failure on your proxy server with this command:

sudo tail -10 /var/log/socks.log

Example output of the command:

holu@your_host:~# sudo tail -10 /var/log/socks.log
Aug 28 09:48:27 (1724838507.525562) danted[2129]: info: pass(1): tcp/accept [: 203.0.113.1.38304 203.0.113.1.1080
Aug 28 09:48:27 (1724838507.599879) danted[2146]: info: pass(1): tcp/connect [: username%sock@203.0.113.1.38304 203.0.113.1.1080 -> 203.0.113.1.46603 213.133.116.46.443
Aug 28 09:48:27 (1724838507.717996) danted[2146]: info: pass(1): tcp/connect ]: 4178 -> username%sock@203.0.113.1.38304 203.0.113.1.1080 -> 799, 799 -> 203.0.113.1.46603 213.133.116.46.443 -> 4178: local client closed.  Session duration: 0s
Aug 28 09:48:27 (1724838507.718030) danted[2146]: info: pass(1): tcp/accept ]: 4178 -> 203.0.113.1.38304 203.0.113.1.1080 -> 799: local client closed.  Session duration: 0s
Aug 28 09:48:33 (1724838513.864032) danted[2129]: info: pass(1): tcp/accept [: 203.0.113.1.34414 203.0.113.1.1080
Aug 28 09:48:33 (1724838513.864239) danted[2129]: info: block(1): tcp/accept ]: 203.0.113.1.34414 203.0.113.1.1080: error after reading 4 bytes in 0 seconds: client offered no acceptable authentication method

Step 3.2 - Limit by IP Address

In the previous Danted configuration, we gave public access to all IPs to connect to our proxy server. In this step, we will limit access to only one or several IPs.

Edit the Danted configuration in /etc/danted.conf, and change this section:

client pass {
        from: 198.51.100.1/32 to: 0.0.0.0/0
        log: error connect disconnect
}

• 198.51.100.1/32 is the single IP you want to allow access to your proxy server.

If you want to add another single IP again, just repeat the configuration.

client pass {
        from: 198.51.100.1/32 to: 0.0.0.0/0
        log: error connect disconnect
}
client pass {
        from: 10.0.0.2/32 to: 0.0.0.0/0
        log: error connect disconnect
}

Save, and restart using:

sudo systemctl restart danted
sudo systemctl status danted

If you want to give a range or block of IPs access, change the slash behind the IP to your IP block.

Use the following command to test the login to the proxy server with an unregistered IP:

• If you are using username and password authentication

  holu@your_host:~# curl -x socks5://holu:secure-password@203.0.113.1:1080 -4 https://ip.hetzner.com
  curl: (97) Recv failure: Connection reset by peer

• If you are not using username and password authentication

  holu@your_host:~# curl -x socks5://203.0.113.1:1080 -4 https://ip.hetzner.com
  curl: (97) Recv failure: Connection reset by peer

Conclusion

Now your server is ready to be used as a Socks5 Proxy using restrictions with username and IP address with danted applications on Debian or Ubuntu.

License: MIT