Hiding Local SOCKS Proxy in Android VPN Clients to Evade Detection
Popular VLESS clients on Android leave a local SOCKS proxy open on a fixed port, letting apps detect the VPN and snag the server's external IP. Tests with tools like RKNHardering confirm this—even in split-tunneling mode, the TUN interface, system routes, packet lists, and accessible proxy are all visible. The fix? Dynamically generate a random port and authentication for SOCKS5 that's off-limits to other apps.
How Detection Works and How to Fight Back
Apps scan localhost for open SOCKS ports. Standard clients (v2RayTun, v2rayNG, Hiddify) don't hide them, leading to leaks. Here's the workaround:
- Generate a random port (like 45478) on every launch.
- Auto-create unique credentials (e.g., upu6CHvvV:ZJC3GMDXKOLFdPKAfxBxrHiU).
- Run the proxy solely for internal use via tun2socks.
This shuts down scanning: other apps can't connect without creds and won't spot the real IP.
Technical Setup Using Xray and tun2socks
Xray-core offers cross-platform binaries for VLESS/VMess. For full TUN support, we swap Xray's native tunneling for tun2socks (static linux-arm64 build). The setup:
- Launch Xray with SOCKS5 on a random port.
- tun2socks routes traffic from the TUN file descriptor to the proxy.
- A Flutter + Kotlin + C++ wrapper manages the processes.
To dodge Android 10+ restrictions (W^X violations): pack binaries as lib/*.so files.
Sample launch log:
[2026-04-12T09:44:46.641632] [INFO] Starting VPN
[2026-04-12T09:44:46.641818] [INFO] Underlying network set: 176
[2026-04-12T09:44:46.641946] [INFO] nativeSetMaxFds result (parent): 0
[2026-04-12T09:44:46.643867] [INFO] TUN established, dup fd=142
[2026-04-12T09:44:46.644004] [INFO] xray started
[2026-04-12T09:44:46.644130] [INFO] Starting tun2socks (native): /data/app/~~_xfukaXUtA4X7kd1BmB4UA==/com.teapodstream.teapodstream-zTL0GGuDWxPk8XDn0VkAiw==/lib/arm64/libtun2socks.so -device fd://142 -proxy socks5://upu6CHvvV:[email protected]:45478 -mtu 1500 -loglevel error -tcp-sndbuf 524288 -tcp-rcvbuf 524288 -tcp-auto-tuning
[2026-04-12T09:44:46.644247] [INFO] tun2socks started (pid=28880)
[2026-04-12T09:44:46.644399] [INFO] VPN connected
tun2socks params: MTU 1500, TCP buffers at 524288 bytes, auto-tuning enabled. The process tracks tun2socks PID for clean shutdowns.
Client Features
The TeapodStream implementation handles core use cases:
- Protocols: VLESS, VMess, Trojan, Shadowsocks.
- Split-tunneling: exclude apps from VPN.
- URL subscriptions with auto-config updates.
- Dynamic proxy authentication.
Tests against detectors (from the original VLESS vulnerability article and RKNHardering) show no SOCKS or IP leaks.
Key Takeaways
- Mask local SOCKS with random ports and creds—it's the secret to beating localhost scans.
- tun2socks + Xray delivers rock-solid TUN without native tunneling headaches.
- Packing binaries as .so files sidesteps Android SELinux.
- Split-tunneling support doesn't hide other tells (TUN, routes).
- Open-source code lets you verify everything.
— Editorial Team
No comments yet.