
Transparent Proxy with cgroup v2

Introduction

cgproxy transparently proxies anything running in a specific cgroup. It resembles proxychains and tsocks, but without their disadvantages: it does not rely on LD_PRELOAD hooking of libc, so it also covers statically linked programs and child processes, and it works for UDP as well as TCP.

It also supports a global transparent proxy and a gateway proxy. See Global transparent proxy and Gateway proxy.

Prerequisites

  • cgroup2

    Both cgroup v1 and cgroup v2 are enabled in the Linux kernel by default, and systemd mounts the v2 hierarchy (normally under /sys/fs/cgroup), so usually there is nothing to do here.

    • Use systemd-cgls to see the cgroup hierarchy as a tree.
    • Why cgroup v2? Because it is simple, elegant and intuitive: one unified hierarchy instead of one per controller.
  • TPROXY

    A process listening on a port (e.g. 12345) that accepts connections redirected by the iptables TPROXY target, for example v2ray's dokodemo-door inbound in tproxy mode.

How to install

mkdir build && cd build && cmake .. && make && make install

How to use

  • First, enable the service

    sudo systemctl enable --now cgproxy.service
    sudo systemctl status cgproxy.service
    
  • Then prefix your command with cgproxy, just like proxychains

    cgproxy <CMD>
    
  • For example, to test the proxy

    cgproxy curl -vIs https://www.google.com
    
More configuration in `/etc/cgproxy.conf`:
########################################################################
## cgroup transparent proxy
## any process in cgroup_proxy will be proxied; cgroup_noproxy is the opposite
## cgroup paths must start with a slash '/'
# cgroup_proxy="/"
cgroup_proxy="/proxy.slice"
cgroup_noproxy="/noproxy.slice"

########################################################################
## act as a gateway for the local network
enable_gateway=false

########################################################################
## listening port of the TPROXY-capable proxy process, for example v2ray
port=12345

########################################################################
## if set to false, that kind of traffic will not go through the proxy, but can still go directly to the internet
enable_tcp=true
enable_udp=true
enable_ipv4=true
enable_ipv6=true
enable_dns=true

########################################################################
## do not modify these unless you know what you are doing
table=100
fwmark=0x01
mark_noproxy=0xff
mark_newin=0x02

If you changed the config, remember to restart the service:
sudo systemctl restart cgproxy.service

Global transparent proxy

  • First, set cgroup_proxy="/" in /etc/cgproxy.conf; this proxies every connection on the host

  • Then run your proxy software in cgroup_noproxy so it can still reach the internet directly (otherwise its own upstream traffic would be redirected back into itself)

    cgnoproxy  <PROXY PROGRAM>
    # qv2ray as example
    cgnoproxy   qv2ray
    # v2ray as example
    cgnoproxy sudo v2ray --config config_file
    
  • Finally, restart the service with sudo systemctl restart cgproxy.service, and that's all

Gateway proxy

  • set enable_gateway=true in /etc/cgproxy.conf and restart the service
  • on the other devices, set this host as the default gateway, and set a public DNS server if necessary
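As an added illustration of what the configuration above, the global case (cgroup_proxy="/") and gateway mode amount to at the packet-filter level, the following script is not cgproxy's own code. It translates the keys of /etc/cgproxy.conf into iptables TPROXY rules plus the policy route that loops locally generated packets back through lo. The chain names CGPROXY_OUT/CGPROXY_PRE, the helper names and the loopback/LOCAL exclusions are this example's own choices; it assumes cgroup v2 mounted at /sys/fs/cgroup, the xt_cgroup, xt_TPROXY and xt_addrtype modules, and a listener on port whose socket has IP_TRANSPARENT (which is why v2ray needs cap_net_admin). IPv4 only; ip6tables and ip -6 mirror it.

```shell
#!/bin/sh
# Illustrative only, NOT cgproxy's implementation. Maps /etc/cgproxy.conf keys
# (cgroup_proxy, cgroup_noproxy, port, fwmark, mark_noproxy, table,
# enable_gateway) onto an iptables TPROXY + policy-routing setup.
# Assumptions: cgroup v2 at /sys/fs/cgroup, xt_cgroup/xt_TPROXY/xt_addrtype,
# a listener with IP_TRANSPARENT on $port, and a clean mangle table.

# build_rules CGROUP_PROXY CGROUP_NOPROXY PORT FWMARK MARK_NOPROXY TABLE ENABLE_GATEWAY
# Prints the commands without running them, so they can be reviewed first.
build_rules() {
    cg_proxy=$1; cg_noproxy=$2; port=$3; fwmark=$4
    mark_noproxy=$5; table=$6; gateway=$7
    # xt_cgroup's --path is relative to the cgroup2 root. cgroup_proxy="/" means
    # "every process", i.e. no cgroup match at all (global transparent proxy).
    if [ "$cg_proxy" = "/" ]; then
        match_proxy=""
    else
        match_proxy="-m cgroup --path ${cg_proxy#/} "
    fi
    cat <<EOF
iptables -t mangle -N CGPROXY_OUT
iptables -t mangle -N CGPROXY_PRE
# Locally generated packets: decide in OUTPUT and mark what must be proxied.
# The proxy itself must never match here or its upstream connection loops back
# into itself: cgnoproxy puts it in cgroup_noproxy, and/or it sets SO_MARK to
# mark_noproxy (v2ray sockopt.mark) on its outbound sockets.
iptables -t mangle -A OUTPUT -j CGPROXY_OUT
iptables -t mangle -A CGPROXY_OUT -m mark --mark $mark_noproxy -j RETURN
iptables -t mangle -A CGPROXY_OUT -m cgroup --path ${cg_noproxy#/} -j RETURN
iptables -t mangle -A CGPROXY_OUT -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A CGPROXY_OUT -p tcp ${match_proxy}-j MARK --set-mark $fwmark
iptables -t mangle -A CGPROXY_OUT -p udp ${match_proxy}-j MARK --set-mark $fwmark
# Marked packets are policy-routed into the local stack via lo (ip rule/route
# below), re-enter PREROUTING and are handed to the listener by TPROXY.
iptables -t mangle -A PREROUTING -j CGPROXY_PRE
iptables -t mangle -A CGPROXY_PRE -p tcp -m mark --mark $fwmark -j TPROXY --on-port $port --tproxy-mark $fwmark
iptables -t mangle -A CGPROXY_PRE -p udp -m mark --mark $fwmark -j TPROXY --on-port $port --tproxy-mark $fwmark
ip rule add fwmark $fwmark lookup $table
ip route add local default dev lo table $table
EOF
    if [ "$gateway" = true ]; then
        cat <<EOF
# Gateway mode: traffic forwarded for other hosts never passes OUTPUT, so it is
# taken from the physical interfaces in PREROUTING. Packets addressed to this
# host itself (SSH to the gateway, for instance) must be excluded first, or
# they would be hijacked into the proxy listener too.
sysctl -w net.ipv4.ip_forward=1
iptables -t mangle -A CGPROXY_PRE -m addrtype --dst-type LOCAL -j RETURN
iptables -t mangle -A CGPROXY_PRE ! -i lo -p tcp -j TPROXY --on-port $port --tproxy-mark $fwmark
iptables -t mangle -A CGPROXY_PRE ! -i lo -p udp -j TPROXY --on-port $port --tproxy-mark $fwmark
EOF
    fi
}

# rules_from_conf FILE: /etc/cgproxy.conf is plain KEY=value, so it can be sourced.
rules_from_conf() {
    . "$1"
    build_rules "$cgroup_proxy" "$cgroup_noproxy" "$port" "$fwmark" \
                "$mark_noproxy" "$table" "$enable_gateway"
}

# apply_conf FILE: execute the generated commands (root only). xt_cgroup rejects
# a --path that does not exist yet, so create the cgroups before applying.
apply_conf() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_conf: must run as root" >&2; return 1; }
    rules_from_conf "$1" | sh -e
}
```

build_rules only prints; inspect the output, then run apply_conf /etc/cgproxy.conf as root on a host where /proxy.slice and /noproxy.slice already exist (run_in_cgroup creates them). Before any of this, confirm the v2 hierarchy is mounted with mount -t cgroup2.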

Other useful tools provided in this project

  • cgnoproxy runs a program without the proxy, which is very useful with the global transparent proxy

    cgnoproxy <CMD> 
    
  • run_in_cgroup runs a command in the specified cgroup, creating it if it does not exist; the cgroup may be at most one level below an existing cgroup, otherwise creation fails.

    run_in_cgroup --cgroup=CGROUP <COMMAND>
    # example
    run_in_cgroup --cgroup=/mycgroup.slice ping 127.0.0.1
    
  • cgattach attaches the process with the given pid to the specified cgroup, creating it if it does not exist; the cgroup may be at most one level below an existing cgroup, otherwise creation fails.

    cgattach <pid> <cgroup>
    # example
    cgattach 9999 /proxy.slice
    

NOTES

  • cgattach attaches a pid to the specified cgroup and has the setuid bit set by default. Be careful with this on a multi-user server: any local user can then move any process into any cgroup, including in and out of the proxied one. To avoid this, remove the setuid bit; cgattach then falls back to sudo, and with visudo you can restrict the permission or set NOPASSWD for yourself.

  • v2ray's TPROXY inbound needs root or the following capabilities (cap_net_admin for IP_TRANSPARENT, cap_net_bind_service for ports below 1024):

    sudo setcap "cap_net_admin,cap_net_bind_service=ep" /usr/lib/v2ray/v2ray
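As an added example, not cgproxy's own code, the following shell functions show what "attach a pid to a cgroup, creating it if missing, at most one level below an existing cgroup" means on the cgroup v2 filesystem, and the check for the setuid bit discussed above. cgattach_demo, is_setuid and the CGROUP_ROOT override are this example's own names; CGROUP_ROOT defaults to the usual cgroup2 mount and can be pointed at a temporary directory to dry-run the logic without root.

```shell
#!/bin/sh
# Added illustration, NOT cgproxy's cgattach. Shows the two cgroup v2 operations
# behind "attach pid to cgroup": mkdir on cgroupfs creates a cgroup, and writing a
# pid to cgroup.procs moves that process (all of its threads) into it.
CGROUP_ROOT=${CGROUP_ROOT:-/sys/fs/cgroup}   # override to a temp dir to dry-run

# cgattach_demo PID CGROUP
# returns 0 on success, 1 for a malformed path, 2 if the parent cgroup is missing
cgattach_demo() {
    pid=$1
    cg=$2
    case "$cg" in
        /*) ;;                                   # must be absolute, as cgproxy requires
        *)  echo "cgroup must start with '/'" >&2; return 1 ;;
    esac
    case "$cg" in
        *..*) echo "'..' is not allowed in a cgroup path" >&2; return 1 ;;  # stay under the root
    esac
    dir="$CGROUP_ROOT$cg"
    parent=$(dirname "$dir")
    # only one level below an existing cgroup may be created
    if [ ! -d "$parent" ]; then
        echo "parent cgroup $(dirname "$cg") does not exist" >&2
        return 2
    fi
    [ -d "$dir" ] || mkdir "$dir" || return 2    # mkdir on cgroupfs creates the cgroup
    echo "$pid" > "$dir/cgroup.procs"            # writing a pid moves the whole process
}

# is_setuid FILE: 0 if the setuid bit is set. A setuid-root cgattach lets any local
# user move any process between cgroups; on a multi-user host clear the bit with
# chmod u-s and rely on the sudo fallback instead.
is_setuid() {
    [ -u "$1" ]
}
```

For a real host run cgattach_demo as root with CGROUP_ROOT unset; to audit the installed binary, is_setuid "$(command -v cgattach)" tells you whether the setuid fallback to sudo is still needed.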
    

TIPS

  • Use systemd-cgls to see the cgroup hierarchy as a tree.

  • Qv2ray config example

Licences

cgproxy is licensed under GPL v3.

Description
Transparent Proxy with cgroup v2. A transparent proxy that works best together with v2ray/Qv2ray.
Readme GPL-2.0 2.2 MiB