The truth about SOCKS5 proxy?

psisis
New User
Posts: 7
Joined: Wed Nov 20, 2019 11:34 pm

The truth about SOCKS5 proxy?

Post by psisis »

There are a lot of contradicting propositions out there. The consensus is that no proxy supports incoming connections. And that I'm delusional saying Deluge does that in fact. Checking Wireshark, all my connections (tcp, udp and BT) are to and from the proxy IP, including incoming. Inspecting the packets, I see that SOCKS protocol contains information such as source/remote IP and Ports, and therefore I guess should be smart enough to forward them. Testing IPleak, my IP is the proxy and the client does not leak.

But I'm still confused on the matter. Is incoming proxy an update to the technology that other clients lag behind? And are there any compromises to using SOCKS5? I'm not complaining about speeds, but sometimes I think it undermines my overall ability to connect to peers. Dropping some connections that maybe are not supported? When I'm seeding primarily. Like I'm in some way unattractive to other peers in the swarm?..

It's to the point that today I tried using two clients simultaneously. Really weird idea, but one is using proxy, the other not (still VPN tho). So I have two separate IPs peers can connect to, in theory doubling my potential connections (if I assume it's completely random). I actually noticed one peer on the non-proxy, that I can't connect to with the proxy one. (will you look at that, that peer in question had an incoming flag)
mhertz
Moderator
Posts: 2195
Joined: Wed Jan 22, 2014 5:05 am
Location: Denmark

Re: The truth about SOCKS5 proxy?

Post by mhertz »

Several years ago Arvid the libtorrent author stated when I asked him about this:

"This is only possible via UDP as far as I know. SOCKS5 BIND could in theory be made to work for accepting TCP connections, but it seems to have been specifically designed to support active mode FTP (i.e. it has really weird semantics)."

I asked that I did see incoming connections in both deluge and utorrent, but also only on uTP though.

Later he added support for incoming connections over socks5 for TCP BIND (http connections), but some time later he reverted the commit and stated in the commit log on github that it didn't work after all, and he had read the specification "over-positively".

About the security aspects about it. Simply checking IPmagnet is nice, but only checks a single quick scenario and not throughout a whole download/upload + you have to recheck on every torrent-client update before using.

There are several places you can have issues with socks5 and must hope the app in question handles it properly. First it obviously needs only communication through the proxy and not from real IP. This in later versions I believe is default in libtorrent, but before that, then you need setting the option in deluge v2.x or use ltconfig and set force_proxy. This can also be forced to not fail, by using firewall rules, like iptables on linux. Then for the rest, you need set proper setting in deluge v2.x, or set anonymous_mode in ltconfig plugin, which will do the rest like when contacting tracker, then the real unproxied IP shouldn't be sent &ip=, or in bep7 the possibility with adding &IP=v4/v6 to tracker requests even when going over proxy. These last two are though checked for in IPmagnet last I checked. Lastly, there's the issue of extended handshake, but looking through libtorrent source and searching through it, I don't really see it actually ever using the problematic myip field, so possibly a non-issue.

These are the reasons I decided to finally change to a VPN, and as you can setup portforwarding if that is supported on your VPN, then you get extended swarm connectability, and I don't have to be unsure about libtorrent ever having a bug that leaks my IP by mistake..
psisis
New User
Posts: 7
Joined: Wed Nov 20, 2019 11:34 pm

Re: The truth about SOCKS5 proxy?

Post by psisis »

mhertz wrote:
Several years ago Arvid the libtorrent author stated when I asked him about this:

"This is only possible via UDP as far as I know. SOCKS5 BIND could in theory be made to work for accepting TCP connections, but it seems to have been specifically designed to support active mode FTP (i.e. it has really weird semantics)."

I asked that I did see incoming connections in both deluge and utorrent, but also only on uTP though.

Later he added support for incoming connections over socks5 for TCP BIND (http connections), but some time later he reverted the commit and stated in the commit log on github that it didn't work after all, and he had read the specification "over-positively".

About the security aspects about it. Simply checking IPmagnet is nice, but only checks a single quick scenario and not throughout a whole download/upload + you have to recheck on every torrent-client update before using.

There are several places you can have issues with socks5 and must hope the app in question handles it properly. First it obviously needs only communication through the proxy and not from real IP. This in later versions I believe is default in libtorrent, but before that, then you need setting the option in deluge v2.x or use ltconfig and set force_proxy. This can also be forced to not fail, by using firewall rules, like iptables on linux. Then for the rest, you need set proper setting in deluge v2.x, or set anonymous_mode in ltconfig plugin, which will do the rest like when contacting tracker, then the real unproxied IP shouldn't be sent &ip=, or in bep7 the possibility with adding &IP=v4/v6 to tracker requests even when going over proxy. These last two are though checked for in IPmagnet last I checked. Lastly, there's the issue of extended handshake, but looking through libtorrent source and searching through it, I don't really see it actually ever using the problematic myip field, so possibly a non-issue.

These are the reasons I decided to finally change to a VPN, and as you can setup portforwarding if that is supported on your VPN, then you get extended swarm connectability, and I don't have to be unsure about libtorrent ever having a bug that leaks my IP by mistake..

Thanks for info! My issue wasn't really the leak, since I extensively checked this with tools such as ipmagnet. The browser IP is my VPN IP, the IP that the tracker gets is different: my proxy IP. I do have force_proxy enabled, also the native option Force proxy which I've heard is not too old.

The thing about supporting UDP might clear things up a bit. Since most of my connections are through UDP. But I do get incoming TCP packets occasionally, still from the proxy. And the actual BitTorrent protocol is TCP-based, right? Here is an example from Wireshark, showing both incoming and outgoing: [image]. 10.99.35.9 is my local IP. 10.64.0.1 is proxy IP. (I never ever get connections from anyone but 10.64.0.1 which is good)

But what exactly does an incoming connection mean? Does it literally mean incoming traffic, or is it something more specific? My issue is that I don't get enough uploading time, the speed is excellent 5MB/s++ when I do get a peer. But it is getting the peer that is hard.

And the funny thing is (and counter-intuitive) I have zero problems downloading with proxy, I get speeds above 30MB/s in a healthy torrent. I always assumed incoming means packets that are sent to you: i.e. incoming data. But it is outgoing data that I have problems with.. How does Deluge even know that a new peer is on the torrent? Does the tracker report him to me, or does the tracker report my ip to him and then he establishes connection? If it's the latter I can see how problems can occur.
mhertz
Moderator
Posts: 2195
Joined: Wed Jan 22, 2014 5:05 am
Location: Denmark

Re: The truth about SOCKS5 proxy?

Post by mhertz »

I'm not sure, but getting incoming connections from the proxy, doesn't have to mean they are incoming torrent connections, but just sending data back and forth, though I'm no expert on the actual socks protocol itself honestly. Yes the socks protocol I believe is tcp based, and just can be setup with UDP associate also for UDP connections (for uTP).

Incoming connection from peers tab showing I or whatever it was, don't remember, and the letter for UDP or TCP, is how to know for sure if real torrent incoming connection and protocol.

Incoming connections for torrents, means unsolicited connections, but doesn't only mean uploading or seeding like some other protocols like eMule and Kazaa I believe. The torrent spec is asymmetric, meaning you connect to someone and negotiate in between you two if the connection should be in or out, so you can upload to others by both yourself initiating (outgoing) or others connecting to you (incoming). So again, you can both download and upload from outgoing connections, and same vice-versa. When not being able to get incoming connections with socks5, except for UDP and DHT, then you only upload (and download) to others with the connections you yourself make, whereas if supporting incoming connections, then you also support unsolicited connections from others, so your connectability becomes greater. When a new peer enters, you get to know about it from the tracker, or PEX or DHT, yes.
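The posts above note that every packet on the wire comes from the proxy IP while the SOCKS layer still carries remote addresses and ports. As an added example (not code from the thread, Deluge or libtorrent), this decodes the RFC 1928 request and UDP datagram headers to show where those addresses sit. The sample bytes are constructed, and the sample datagram assumes the relay puts the remote peer's address in the header on relayed replies.

```python
import ipaddress
import struct

CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}

def _read_addr(buf, off):
    """Decode ATYP, address and port at buf[off:]; return (host, port, next offset)."""
    if len(buf) <= off:
        raise ValueError("truncated before ATYP")
    atyp, off = buf[off], off + 1
    if atyp == 1:                       # IPv4, 4 bytes
        size = 4
    elif atyp == 4:                     # IPv6, 16 bytes
        size = 16
    elif atyp == 3:                     # domain name, 1-byte length prefix
        if len(buf) <= off:
            raise ValueError("truncated domain length")
        size, off = buf[off], off + 1
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    if len(buf) < off + size + 2:
        raise ValueError("truncated address or port")
    raw = buf[off:off + size]
    host = raw.decode("ascii") if atyp == 3 else str(ipaddress.ip_address(raw))
    (port,) = struct.unpack_from("!H", buf, off + size)
    return host, port, off + size + 2

def parse_request(buf):
    """Client request on the TCP control connection: VER CMD RSV ATYP ADDR PORT."""
    if len(buf) < 4 or buf[0] != 5:
        raise ValueError("not a SOCKS5 request")
    host, port, _ = _read_addr(buf, 3)
    return {"cmd": CMDS.get(buf[1], f"unknown({buf[1]})"), "host": host, "port": port}

def parse_udp_datagram(buf):
    """Datagram on the UDP association: RSV(2) FRAG ATYP ADDR PORT DATA."""
    if len(buf) < 4 or buf[0:2] != b"\x00\x00":
        raise ValueError("not a SOCKS5 UDP datagram")
    host, port, off = _read_addr(buf, 3)
    return {"frag": buf[2], "host": host, "port": port, "payload": buf[off:]}

# Constructed samples: a UDP ASSOCIATE request, and a relayed datagram whose
# header names a peer (203.0.113.7:6881) although the IP source is the proxy.
SAMPLE_REQUEST = bytes.fromhex("05030001000000000000")
SAMPLE_DATAGRAM = bytes.fromhex("00000001cb0071071ae1") + b"opaque-uTP-bytes"
```

The control connection stays TCP to the proxy even for UDP ASSOCIATE; only the datagrams themselves travel over UDP, each prefixed with the header decoded by `parse_udp_datagram`.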
xaeiou
New User
Posts: 8
Joined: Thu Jun 13, 2013 2:50 am

Re: The truth about SOCKS5 proxy?

Post by xaeiou »

mhertz wrote:
There are several places you can have issues with socks5 and must hope the app in question handles it properly. First it obviously needs only communication through the proxy and not from real IP. This in later versions I believe is default in libtorrent, but before that, then you need setting the option in deluge v2.x or use ltconfig and set force_proxy. This can also be forced to not fail, by using firewall rules, like iptables on linux. Then for the rest, you need set proper setting in deluge v2.x, or set anonymous_mode in ltconfig plugin, which will do the rest like when contacting tracker, then the real unproxied IP shouldn't be sent &ip=, or in bep7 the possibility with adding &IP=v4/v6 to tracker requests even when going over proxy. These last two are though checked for in IPmagnet last I checked. Lastly, there's the issue of extended handshake, but looking through libtorrent source and searching through it, I don't really see it actually ever using the problematic myip field, so possibly a non-issue.

At the risk of bumping a slightly old thread, I just wanted to add a data point to confirm this. I'm using:

Server: 1.3.15
libtorrent: 1.1.5.0
ltConfig v0.3.1

I was merrily using deluge without proxy for a while, and decided to try out socks5. After changing the setting in deluge, I restarted to be sure, then looked at the connections on my server and was getting plenty of established connections from remote peers that had remembered me prior to turning on the proxy. Tried restarting over a period of 30 minutes and the connections kept re-establishing.

I installed ltconfig, ticked "anonymous_mode" and "force_proxy", restarted deluge, there were no more established incoming connections.

I'll continue to monitor and report back here if I notice anything leaking thru, although as mhertz said it's probably a good idea to back up the proxy+ltconfig with iptables blocks on deluge ports.
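The check described in the post above (looking at the server's established connections after enabling the proxy) can be automated. As an added example, not code from the thread: this flags established TCP connections of the client process whose peer is not the proxy, reading `ss -tnp` style output. The sample text is constructed; the IPs 10.99.35.9 and 10.64.0.1 are the ones quoted earlier in the thread, while the proxy port 1080, the listen port 6881 and the process name `deluged` are assumptions.

```python
import ipaddress

# Constructed sample in the layout printed by `ss -tnp` (not real capture data).
SAMPLE_SS = """\
State  Recv-Q Send-Q  Local Address:Port   Peer Address:Port   Process
ESTAB  0      0       10.99.35.9:51234     10.64.0.1:1080      users:(("deluged",pid=1234,fd=45))
ESTAB  0      0       10.99.35.9:6881      198.51.100.23:40112 users:(("deluged",pid=1234,fd=51))
ESTAB  0      0       10.99.35.9:51240     198.51.100.77:6881  users:(("deluged",pid=1234,fd=52))
ESTAB  0      0       127.0.0.1:58846      127.0.0.1:40022     users:(("deluged",pid=1234,fd=12))
ESTAB  0      0       10.99.35.9:22        192.0.2.10:50022    users:(("sshd",pid=800,fd=4))
"""

def _split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, int port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def direct_connections(ss_output, proxy_ip, listen_port, process="deluged"):
    """Return (direction, peer_ip, peer_port) for each established TCP
    connection of `process` that does not terminate at the proxy."""
    proxy = ipaddress.ip_address(proxy_ip)
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue                      # header, short or non-established line
        if f'("{process}"' not in " ".join(fields[5:]):
            continue                      # socket owned by another process
        (_, local_port) = _split_endpoint(fields[3])
        (peer_ip, peer_port) = _split_endpoint(fields[4])
        if peer_ip == proxy or peer_ip.is_loopback:
            continue                      # proxied traffic or local daemon/UI link
        # A peer that reached our listen port connected to us unsolicited.
        direction = "incoming" if local_port == listen_port else "outgoing"
        findings.append((direction, str(peer_ip), peer_port))
    return findings

if __name__ == "__main__":
    for finding in direct_connections(SAMPLE_SS, "10.64.0.1", 6881):
        print("bypasses proxy:", finding)
```

An empty result over repeated runs during a full download and upload is the condition to look for; any row returned is a connection that exposes the real IP to that peer.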
QWIKAG
Member
Posts: 28
Joined: Wed Sep 06, 2017 3:36 pm

Re: The truth about SOCKS5 proxy?

Post by QWIKAG »

I used ltConfig "force_proxy" and "anonymous_mode" as per others above, but it was not hidden from trackers. I also had to check "proxy_tracker_connections".

It works now: when I look at my tracker, all torrents now see a different IP.
I would still prefer a VPN setup, but it is not well documented how to enable port forwarding etc. and very confusing.
There are many ports in the setup but no document that describes it; all documentation says "just port forward as per your router", without any reference to the specifics of the setup menu.
mhertz
Moderator
Posts: 2195
Joined: Wed Jan 22, 2014 5:05 am
Location: Denmark

Re: The truth about SOCKS5 proxy?

Post by mhertz »

With a VPN then you don't forward anything in your router, and if the VPN supports port-forwarding then enable it for a port(-range) and set deluge to use for incoming port(-range), done.

Yeah, the option for enabling socks-proxying trackers additionally, needs to be checked for trackers to be proxied ;) I don't remember from top of head ever hearing about force-proxy leaking, or commits regarding prevention of such. Anonymous-mode not as important, unless using pretty old libtorrent before force-proxy split off into own separate option, which I believe today not even is available as made default behavior finally(force-proxy I mean).