fix: replace microsocks with dante-server (apt package, no compilation)

- Removes gcc/make/git and the microsocks git clone+build step - Installs dante-server from apt — zero compilation required - danted uses 'external: tun0' to explicitly route all proxied traffic through the VPN interface, more reliable than iptables-based routing - Config is generated at runtime after tun0 is confirmed up
2026-03-11 09:58:44 +01:00
parent 505da89144
commit d104249fbb
2 changed files with 41 additions and 18 deletions
--- a/vpn-node/Dockerfile
+++ b/vpn-node/Dockerfile
@@ -1,10 +1,10 @@
 FROM debian:bookworm-slim

-LABEL description="microsocks + purevpn-cli exit node"
+LABEL description="dante SOCKS5 + purevpn-cli exit node"

 # ── System dependencies ───────────────────────────────────────────────────────
 RUN apt-get update && apt-get install -y --no-install-recommends \
-        gcc make git \
+        dante-server \
        curl wget ca-certificates \
        iproute2 iptables iputils-ping \
        netcat-openbsd procps dnsutils \
@@ -12,7 +12,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    && rm -rf /var/lib/apt/lists/*

 # ── Install purevpn-cli (official installer) ──────────────────────────────────
-# Running as root inside Docker so no sudo needed.
+# Running as root inside Docker — no sudo needed.
 RUN curl -fsSL https://apps.purevpn-tools.com/cross-platform/linux-cli/production/cli-install.sh \
        -o /tmp/cli-install.sh \
    && bash /tmp/cli-install.sh \
@@ -21,13 +21,6 @@ RUN curl -fsSL https://apps.purevpn-tools.com/cross-platform/linux-cli/productio
 # ── Add purevpn-cli to PATH (as per official docs) ────────────────────────────
 ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/etc/pure-linux-cli/

-# ── Build microsocks from source ──────────────────────────────────────────────
-RUN git clone --depth 1 https://github.com/rofl0r/microsocks.git /tmp/microsocks \
-    && cd /tmp/microsocks \
-    && make \
-    && cp microsocks /usr/local/bin/microsocks \
-    && rm -rf /tmp/microsocks
-
 # ── Location list ─────────────────────────────────────────────────────────────
 COPY servers.txt /etc/vpndock/servers.txt

--- a/vpn-node/entrypoint.sh
+++ b/vpn-node/entrypoint.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # entrypoint.sh
 # Starts purevpn-cli (randomly selected location, rotates on reconnect)
-# then starts microsocks bound to 0.0.0.0 so HAProxy can reach it.
+# then starts dante SOCKS5 proxy bound to 0.0.0.0, routing out through tun0.
 set -euo pipefail

 export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/etc/pure-linux-cli/
@@ -64,14 +64,14 @@ pick_location() {
    echo "${available[$idx]}"
 }

-# ── iptables: let HAProxy reach microsocks despite VPN kill-switch ────────────
+# ── iptables: let HAProxy reach danted despite VPN kill-switch ───────────────
 whitelist_eth0() {
    local ip
    ip=$(ip -4 addr show eth0 2>/dev/null | grep -oP '(?<=inet\s)\d+(\.\d+){3}' || true)
    if [[ -n "$ip" ]]; then
        iptables -I INPUT  -i eth0 -j ACCEPT 2>/dev/null || true
        iptables -I OUTPUT -o eth0 -j ACCEPT 2>/dev/null || true
-        log "eth0 ($ip) whitelisted — HAProxy can reach microsocks"
+        log "eth0 ($ip) whitelisted — HAProxy can reach danted"
    fi
 }

@@ -119,11 +119,41 @@ wait_for_tunnel() {
    return 0
 }

-# ── Start / restart microsocks ────────────────────────────────────────────────
+# ── Start / restart dante SOCKS5 proxy ───────────────────────────────────────
+# dante's `external: tun0` means all proxied traffic leaves via the VPN —
+# no iptables tricks needed for outbound routing.
 start_socks() {
    [[ -n "$SOCKS_PID" ]] && kill "$SOCKS_PID" 2>/dev/null || true
-    log "Starting microsocks on 0.0.0.0:${SOCKS5_PORT}"
-    microsocks -p "$SOCKS5_PORT" &
+
+    # Generate config fresh each time (tun0 must already be up)
+    cat > /etc/danted.conf << EOF
+logoutput: stderr
+user.privileged: root
+user.unprivileged: nobody
+
+# Listen on the Docker network interface so HAProxy can reach us
+internal: 0.0.0.0 port = ${SOCKS5_PORT}
+
+# Route ALL proxied traffic out through the VPN tunnel
+external: ${VPN_IF}
+
+socksmethod: none
+clientmethod: none
+
+client pass {
+    from: 0.0.0.0/0 to: 0.0.0.0/0
+    log: error
+}
+
+socks pass {
+    from: 0.0.0.0/0 to: 0.0.0.0/0
+    command: bind connect udpassociate
+    log: error
+}
+EOF
+
+    log "Starting danted on 0.0.0.0:${SOCKS5_PORT} → external: ${VPN_IF}"
+    danted -f /etc/danted.conf &
    SOCKS_PID=$!
 }

@@ -206,9 +236,9 @@ while true; do
        FAIL_COUNT=0   # reset on any healthy check
    fi

-    # ── microsocks process check ──────────────────────────────────────────────
+    # ── danted process check ──────────────────────────────────────────────────
    if ! kill -0 "$SOCKS_PID" 2>/dev/null; then
-        log "microsocks died — restarting"
+        log "danted died — restarting"
        start_socks
    fi
 done