Secure SOCKS5 proxy for Telegram for 1 Euro and 10 minutes

Not all proxies are equally useful. In the wake of news about the blocking of the Telegram messenger, it has become important to run your own SOCKS5 proxy, since using someone else's is not safe: you do not know who owns the servers, what software runs on them, or what vulnerabilities it contains. In addition, public proxies are often very slow, because a large number of clients try to use them simultaneously, overloading the server. Below are instructions for quickly setting up a private SOCKS5 proxy with authentication for 1 euro and 10 minutes of your time, with the option of further hardening the server using strong authentication.

I decided to check the offer of the Italian hosting provider Aruba, which offers a VPS for 1 euro per month with a public IP included in this price. For 1 euro I received a production-ready server with 1 core, 1 GB of memory, 20 GB of storage, and 2 TB of traffic per month. As the operating system, I chose my favorite, Ubuntu Server 16.04. As the proxy server, Dante.

The OS is installed from a template when the server is configured. 2-3 minutes after creation, the machine is ready for SSH access using the password you set or the SSH key you uploaded (in the same web admin panel).

I must say right away that proxy authentication as a system user does not work in the package shipped with the distribution, and we do not need an open proxy. We will take the source distribution and build Dante ourselves, since the build on our OS runs without a single error. So let's get started:

Register on arubacloud, start a server for 1 euro, and create it from the Ubuntu Server 16 OS template.

Connect to the server via SSH, then download and build Dante.

tar -xvf dante-1.4.1.tar.gz
cd dante-1.4.1
apt-get install gcc make
mkdir /home/dante
./configure --prefix=/home/dante
make install

The installation can be checked by entering

/home/dante/sbin/sockd -v

Download the settings file

wget -O /home/dante/danted.conf

On the platform described here, the configuration needs no changes: the defaults below are used as-is, and everything you need is already there.

logoutput: /var/log/socks.log
internal: eth0 port = 1080 # Use our default interface on port 1080 for incoming connections
external: eth0 # Use it for outgoing connections as well
method: username
user.privileged: root # Root is needed to authenticate system users
user.notprivileged: nobody
client pass {
        from: to: # Leave the rules as they are; this is enough for our purposes
        log: error connect disconnect
}
client block {
        from: to:
        log: connect error
}
pass {
        from: to:
        log: error connect disconnect
}
block {
        from: to:
        log: connect error
}

To start, run

/home/dante/sbin/sockd -f /home/dante/danted.conf -D

The binary lies exactly in


To stop

pkill sockd

Create a system user that we will use for our proxy (without the ability to log in via SSH).

useradd --shell /usr/sbin/nologin username

Set a password for this user

passwd username

Restart Dante with our config

pkill sockd
/home/dante/sbin/sockd -f /home/dante/danted.conf -D

After a server reboot, Dante has to be started manually.

Now connect to the proxy in the messenger settings: Settings -> Data and disk -> Use proxies -> SOCKS5. Enter the server IP, port 1080, and the login and password of the user you created. In all Telegram desktop applications the setting is available under Advanced Settings -> Connection Type -> TCP with Proxy.
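To confirm that the proxy set up above is not open, the following added example (not part of the original article) runs the SOCKS5 method negotiation from RFC 1928 against your own server and reports whether it accepts unauthenticated clients. The script name socks5_audit.py and the function names are assumptions made for this illustration.

```python
import socket
import sys

# SOCKS5 method identifiers from RFC 1928
NO_AUTH, USERPASS = 0x00, 0x02

def greeting(methods):
    """Client greeting: VER=5, NMETHODS, then one byte per offered method."""
    return bytes([0x05, len(methods), *methods])

def parse_selection(reply):
    """Return the method byte chosen by the server (0xFF = none acceptable)."""
    if len(reply) != 2 or reply[0] != 0x05:
        raise ValueError("not a SOCKS5 method-selection reply: %r" % (reply,))
    return reply[1]

def offer(connect, methods):
    """Offer `methods` on a fresh connection; None if the server just hangs up."""
    with connect() as s:
        s.sendall(greeting(methods))
        reply = b""
        while len(reply) < 2:
            chunk = s.recv(2 - len(reply))
            if not chunk:
                break
            reply += chunk
    return parse_selection(reply) if reply else None

def audit(connect):
    """'open' if unauthenticated clients are accepted, 'auth-required' if only
    username/password is accepted, 'unexpected' for anything else."""
    if offer(connect, [NO_AUTH]) == NO_AUTH:
        return "open"
    if offer(connect, [NO_AUTH, USERPASS]) == USERPASS:
        return "auth-required"
    return "unexpected"

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: socks5_audit.py <proxy-ip> <port>")
    host, port = sys.argv[1], int(sys.argv[2])  # your own proxy, e.g. port 1080
    result = audit(lambda: socket.create_connection((host, port), timeout=5))
    print(result)
    sys.exit(0 if result == "auth-required" else 1)
```

Run it from a machine outside the server; any result other than auth-required means the configuration should be reviewed before the proxy is used.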

As is customary in information security, right after configuration you should spend a little more time protecting your server, namely console access via SSH. To do this, I recommend replacing the traditional “login-password” pair with specialized devices that provide secure access based on asymmetric cryptography; in our example, these are JaCarta PKI USB tokens. In this scenario, you log in to the server using a certificate whose private key is stored in the JaCarta PKI device itself and cannot be extracted. How to do this is described in this article.

If you don’t want to use devices for strong authentication based on asymmetric cryptography, you can configure one-time password (OTP) login with the JaCarta Authentication Server service. An article about this can be found here.
