Transparently proxy all traffic from ocserv clients through a SOCKS proxy

  1. Assign a dedicated network to ocserv clients by setting ipv4-network = x.x.x.x/24 in /etc/ocserv/ocserv.conf (or in a file under /etc/ocserv/config-by-xxx/).
  2. Set up iptables to redirect TCP traffic originating from this network to port 12345 (redsocks will listen there). The REDIRECT target is only valid in the nat table, so the rule is:
    iptables -t nat -A PREROUTING -s x.x.x.x/24 -i vpns+ -p tcp -j REDIRECT --to-ports 12345
  3. Install redsocks and bind it to address x.x.x.1 on the port 12345 chosen above, forwarding to your SOCKS proxy.
  4. ocserv won’t bring the vpns* interface up until at least one client is connected, so address x.x.x.1 probably does not exist yet when redsocks starts. To allow redsocks to bind to such a not-yet-existing address, create a new conf under /etc/sysctl.d/ with:
    net.ipv4.ip_nonlocal_bind=1
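The four steps above pulled together into one script, as an added example that is not from the original post. The client network 10.20.30.0/24, the upstream SOCKS5 proxy at 127.0.0.1:1080 and the file paths are assumptions; without the apply argument it only prints the rule and the redsocks config it would install.

```shell
#!/bin/sh
# Added example, not from the original post: applies the four steps above for one
# hypothetical ocserv client network. Network, proxy address and file paths are assumptions.
set -eu
VPN_NET="10.20.30.0/24"   # ipv4-network from ocserv.conf (assumed value)
VPN_GW="10.20.30.1"       # x.x.x.1: redsocks binds here
REDIRECT_PORT=12345
SOCKS_HOST="127.0.0.1"    # upstream SOCKS5 proxy (assumed)
SOCKS_PORT=1080

# Step 2: REDIRECT is only valid in the nat table. Only TCP is matched, so UDP
# (DNS included) from clients is not proxied by this rule.
iptables_rule() {
    printf 'iptables -t nat -A PREROUTING -s %s -i vpns+ -p tcp -j REDIRECT --to-ports %s\n' "$1" "$2"
}

# Step 3: redsocks.conf listening on the VPN gateway address, forwarding to SOCKS5.
redsocks_conf() {
    cat <<EOF
base {
    log = "syslog:daemon";
    daemon = on;
    redirector = iptables;
}
redsocks {
    local_ip = $1;
    local_port = $2;
    ip = $3;
    port = $4;
    type = socks5;
}
EOF
}

# Step 4: allow binding to x.x.x.1 before any client has brought a vpns* interface up.
sysctl_conf() {
    printf 'net.ipv4.ip_nonlocal_bind=1\n'
}

apply_all() {   # run as root to configure the host
    sysctl_conf > /etc/sysctl.d/90-redsocks-nonlocal-bind.conf
    sysctl -w net.ipv4.ip_nonlocal_bind=1
    redsocks_conf "$VPN_GW" "$REDIRECT_PORT" "$SOCKS_HOST" "$SOCKS_PORT" > /etc/redsocks.conf
    sh -c "$(iptables_rule "$VPN_NET" "$REDIRECT_PORT")"
}
case "${1:-}" in
    apply) apply_all ;;
    *) iptables_rule "$VPN_NET" "$REDIRECT_PORT"   # dry run: show what would be applied
       redsocks_conf "$VPN_GW" "$REDIRECT_PORT" "$SOCKS_HOST" "$SOCKS_PORT" ;;
esac
```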
