monadical/greywall
Archived
14
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity

Replace built-in proxies with tun2socks transparent proxying

Browse Source 
Remove the built-in HTTP/SOCKS5 proxy servers and domain allowlist/denylist
system. Instead, use tun2socks with a TUN device inside the network namespace
to transparently route all TCP/UDP traffic through an external SOCKS5 proxy.

This enables truly transparent proxying where any binary (Go, static, etc.)
has its traffic routed through the proxy without needing to respect
HTTP_PROXY/ALL_PROXY environment variables. The external proxy handles its
own filtering.

Key changes:
- NetworkConfig: remove AllowedDomains/DeniedDomains/proxy ports, add ProxyURL
- Delete internal/proxy/, internal/templates/, internal/importer/
- Embed tun2socks binary (downloaded at build time via Makefile)
- Replace LinuxBridge with ProxyBridge (single Unix socket to external proxy)
- Inner script sets up TUN device + tun2socks inside network namespace
- Falls back to env-var proxying when TUN is unavailable
- macOS: best-effort env-var proxying to external SOCKS5 proxy
- CLI: remove --template/import, add --proxy flag
- Feature detection: add ip/tun/tun2socks status to --linux-features
This commit is contained in:
Mathieu Virbel
2026-02-09 20:41:12 -06:00
parent da5f61e390
commit 9cb65151ee
38 changed files with 588 additions and 4155 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
internal/sandbox/linux_features.go
View File

@@ -35,6 +35,11 @@ type LinuxFeatures struct {
// This can be false in containerized environments (Docker, CI) without CAP_NET_ADMIN
CanUnshareNet bool
// Transparent proxy support
HasIpCommand bool // ip (iproute2) available
HasDevNetTun bool // /dev/net/tun exists
HasTun2Socks bool // tun2socks embedded binary available
// Kernel version
KernelMajor int
KernelMinor int
@@ -74,6 +79,12 @@ func (f *LinuxFeatures) detect() {
// Check if we can create network namespaces
f.detectNetworkNamespace()
// Check transparent proxy support
f.HasIpCommand = commandExists("ip")
_, err := os.Stat("/dev/net/tun")
f.HasDevNetTun = err == nil
f.HasTun2Socks = true // embedded binary, always available
}
func (f *LinuxFeatures) parseKernelVersion() {
@@ -255,6 +266,11 @@ func (f *LinuxFeatures) CanUseLandlock() bool {
return f.HasLandlock && f.LandlockABI >= 1
}
// CanUseTransparentProxy returns true if transparent proxying via tun2socks is possible.
func (f *LinuxFeatures) CanUseTransparentProxy() bool {
return f.HasIpCommand && f.HasDevNetTun && f.CanUnshareNet
}
// MinimumViable returns true if the minimum required features are available.
func (f *LinuxFeatures) MinimumViable() bool {
return f.HasBwrap && f.HasSocat