From d104249fbba4f5f8b5682db6c7928fa0a111fb0d Mon Sep 17 00:00:00 2001
From: Malin
Date: Wed, 11 Mar 2026 09:58:44 +0100
Subject: [PATCH] fix: replace microsocks with dante-server (apt package, no compilation)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Removes gcc/make/git and the microsocks git clone+build step
- Installs dante-server from apt — zero compilation required
- danted uses 'external: tun0' to explicitly route all proxied traffic through the VPN interface, more reliable than iptables-based routing
- Config is generated at runtime after tun0 is confirmed up
---
 vpn-node/Dockerfile | 13 +++--------
 vpn-node/entrypoint.sh | 46 ++++++++++++++++++++++++++++++++++--------
 2 files changed, 41 insertions(+), 18 deletions(-)

diff --git a/vpn-node/Dockerfile b/vpn-node/Dockerfile
index 60527cf..2709b18 100644
--- a/vpn-node/Dockerfile
+++ b/vpn-node/Dockerfile
@@ -1,10 +1,10 @@
 FROM debian:bookworm-slim
-LABEL description="microsocks + purevpn-cli exit node"
+LABEL description="dante SOCKS5 + purevpn-cli exit node"
 # ── System dependencies ───────────────────────────────────────────────────────
 RUN apt-get update && apt-get install -y --no-install-recommends \
- gcc make git \
+ dante-server \
 curl wget ca-certificates \
 iproute2 iptables iputils-ping \
 netcat-openbsd procps dnsutils \
@@ -12,7 +12,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 && rm -rf /var/lib/apt/lists/*
 # ── Install purevpn-cli (official installer) ──────────────────────────────────
-# Running as root inside Docker so no sudo needed.
+# Running as root inside Docker — no sudo needed.
 RUN curl -fsSL https://apps.purevpn-tools.com/cross-platform/linux-cli/production/cli-install.sh \
 -o /tmp/cli-install.sh \
 && bash /tmp/cli-install.sh \
@@ -21,13 +21,6 @@ RUN curl -fsSL https://apps.purevpn-tools.com/cross-platform/linux-cli/productio
 # ── Add purevpn-cli to PATH (as per official docs) ────────────────────────────
 ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/etc/pure-linux-cli/
-# ── Build microsocks from source ──────────────────────────────────────────────
-RUN git clone --depth 1 https://github.com/rofl0r/microsocks.git /tmp/microsocks \
- && cd /tmp/microsocks \
- && make \
- && cp microsocks /usr/local/bin/microsocks \
- && rm -rf /tmp/microsocks
-
 # ── Location list ─────────────────────────────────────────────────────────────
 COPY servers.txt /etc/vpndock/servers.txt
diff --git a/vpn-node/entrypoint.sh b/vpn-node/entrypoint.sh
index 3434881..5db3d6d 100755
--- a/vpn-node/entrypoint.sh
+++ b/vpn-node/entrypoint.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # entrypoint.sh
 # Starts purevpn-cli (randomly selected location, rotates on reconnect)
-# then starts microsocks bound to 0.0.0.0 so HAProxy can reach it.
+# then starts dante SOCKS5 proxy bound to 0.0.0.0, routing out through tun0.
 set -euo pipefail
 export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/etc/pure-linux-cli/
@@ -64,14 +64,14 @@ pick_location() {
 echo "${available[$idx]}"
 }
-# ── iptables: let HAProxy reach microsocks despite VPN kill-switch ────────────
+# ── iptables: let HAProxy reach danted despite VPN kill-switch ───────────────
 whitelist_eth0() {
 local ip
 ip=$(ip -4 addr show eth0 2>/dev/null | grep -oP '(?<=inet\s)\d+(\.\d+){3}' || true)
 if [[ -n "$ip" ]]; then
 iptables -I INPUT -i eth0 -j ACCEPT 2>/dev/null || true
 iptables -I OUTPUT -o eth0 -j ACCEPT 2>/dev/null || true
- log "eth0 ($ip) whitelisted — HAProxy can reach microsocks"
+ log "eth0 ($ip) whitelisted — HAProxy can reach danted"
 fi
 }
@@ -119,11 +119,41 @@ wait_for_tunnel() {
 return 0
 }
-# ── Start / restart microsocks ────────────────────────────────────────────────
+# ── Start / restart dante SOCKS5 proxy ───────────────────────────────────────
+# dante's `external: tun0` means all proxied traffic leaves via the VPN —
+# no iptables tricks needed for outbound routing.
 start_socks() {
 [[ -n "$SOCKS_PID" ]] && kill "$SOCKS_PID" 2>/dev/null || true
- log "Starting microsocks on 0.0.0.0:${SOCKS5_PORT}"
- microsocks -p "$SOCKS5_PORT" &
+
+ # Generate config fresh each time (tun0 must already be up)
+ cat > /etc/danted.conf << EOF
+logoutput: stderr
+user.privileged: root
+user.unprivileged: nobody
+
+# Listen on the Docker network interface so HAProxy can reach us
+internal: 0.0.0.0 port = ${SOCKS5_PORT}
+
+# Route ALL proxied traffic out through the VPN tunnel
+external: ${VPN_IF}
+
+socksmethod: none
+clientmethod: none
+
+client pass {
+ from: 0.0.0.0/0 to: 0.0.0.0/0
+ log: error
+}
+
+socks pass {
+ from: 0.0.0.0/0 to: 0.0.0.0/0
+ command: bind connect udpassociate
+ log: error
+}
+EOF
+
+ log "Starting danted on 0.0.0.0:${SOCKS5_PORT} → external: ${VPN_IF}"
+ danted -f /etc/danted.conf &
 SOCKS_PID=$!
 }
@@ -206,9 +236,9 @@ while true; do
 FAIL_COUNT=0 # reset on any healthy check
 fi
- # ── microsocks process check ──────────────────────────────────────────────
+ # ── danted process check ──────────────────────────────────────────────────
 if ! kill -0 "$SOCKS_PID" 2>/dev/null; then
- log "microsocks died — restarting"
+ log "danted died — restarting"
 start_socks
 fi
 done
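Review bot: The danted.conf generated in start_socks is an open, unauthenticated proxy — `socksmethod: none`, `clientmethod: none`, `from: 0.0.0.0/0` in both the client and socks rules, `internal: 0.0.0.0`, and `bind`/`udpassociate` enabled — and the whitelist_eth0 rule in the earlier hunk already accepts all INPUT on eth0, so the danted rules are the only remaining restriction on who may use this VPN exit. Since the comment states HAProxy is the only intended client, narrow the client rule to the Docker network, e.g. `from: <haproxy-network-cidr placeholder> to: 0.0.0.0/0` (or `internal: eth0` instead of 0.0.0.0), and drop `bind`/`udpassociate` from the socks command list unless HAProxy actually needs them. For attributability of rotated exit sessions, `log: connect disconnect` on the socks rule is worth more than `log: error` alone. `${VPN_IF}` is expanded by the unquoted heredoc and, under `set -u`, must be defined before start_socks runs; its definition is outside this hunk, so confirm it is set on every path that reaches start_socks.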