Ever wished you could make your stubborn programs use a proxy without them even knowing? Well, say hello to cproxy.

• Transparent redirection of TCP and UDP traffic
• Support for different proxies per application/process
• Compatible with all programs, including statically linked Go binaries
• DNS request redirection
• Simple usage similar to proxychains
• Ability to proxy existing running processes
• Support for both iptables REDIRECT and TPROXY modes
• DNS server override in TPROXY mode
• Network activity tracing using iptables LOG target
• Compatible with cgroup v1 and v2
• No background daemon required
• Easy integration with existing software like V2Ray, Xray, and Shadowsocks

You can install by downloading the binary from the release page or install with: cargo install cproxy.

Alternatively, here's a oneliner that downloads the latest release and put it in your /usr/local/bin/ (for the lazy... I mean, efficient folks):

curl -s https://api.github.com/repos/NOBLES5E/cproxy/releases/latest | grep "browser_download_url.*x86_64-unknown-linux-musl.zip" | cut -d : -f 2,3 | tr -d \" | wget -qi - -O /tmp/cproxy.zip && unzip -j /tmp/cproxy.zip cproxy -d /tmp && sudo mv /tmp/cproxy /usr/local/bin/ && sudo chmod +x /usr/local/bin/cproxy && rm /tmp/cproxy.zip

You can launch a new program with cproxy with:

sudo cproxy --port <destination-local-port> -- <your-program> --arg1 --arg2 ...

All TCP connections requests will be proxied. If your local transparent proxy support DNS address overriding, you can also redirect DNS traffic with --redirect-dns:

sudo cproxy --port <destination-local-port> --redirect-dns -- <your-program> --arg1 --arg2 ...

For an example setup, see wiki.

If your system support tproxy, you can use tproxy with --mode tproxy:

sudo cproxy --port <destination-local-port> --mode tproxy -- <your-program> --arg1 --arg2 ...
# or for existing process
sudo cproxy --port <destination-local-port> --mode tproxy --pid <existing-process-pid>

With --mode tproxy, there are several differences:

• All UDP traffic are proxied instead of only DNS UDP traffic to port 53.
• Your V2Ray or shadowsocks service should have tproxy enabled on the inbound port. For V2Ray, you need "tproxy": "tproxy" as in V2Ray Documentation. For shadowsocks, you need -u as shown in shadowsocks manpage.

An example setup can be found here.

Note that when you are using the tproxy mode, you can override the DNS server address with cproxy --mode tproxy --override-dns <your-dns-server-addr> .... This is useful when you want to use a different DNS server for a specific application.

With cproxy, you can even proxy an existing process. This is very handy when you want to proxy existing system services such as docker. To do this, just run

sudo cproxy --port <destination-local-port> --pid <existing-process-pid>

The target process will be proxied as long as this cproxy command is running. You can press Ctrl-C to stop proxying.

With cproxy, you can easily debug a program's traffic in netfilter. Just run the program with

sudo cproxy --mode trace <your-program>

You will be able to see log in dmesg. Note that this requires a recent enough kernel and iptables.

cproxy allows you to proxy all processes within specific cgroup paths. This is particularly useful for managing groups of related processes without specifying individual PIDs.

Suppose you have a cgroup at /sys/fs/cgroup/mygroup containing several processes you wish to proxy. You can run:

sudo cproxy --port 1080 --cgroup-path /sys/fs/cgroup/mygroup --mode tproxy

This command will proxy all TCP and UDP traffic from processes within the /sys/fs/cgroup/mygroup cgroup using TPROXY mode on port 1080.

cproxy simply creates a unique cgroup for the proxied program, and redirect its traffic with packet rules.

• cproxy requires root access to modify cgroup.
• Currently only tested on Linux.

There are some awesome existing work:

• graftcp: work on most programs, but cannot proxy UDP (such as DNS) requests. graftcp also has performance hit on the underlying program, since it uses ptrace.
• proxychains: easy to use, but not working on static linked programs (such as Go programs).
• proxychains-ng: similar to proxychains.
• cgproxy: cgproxy also uses cgroup to do transparent proxy, and the idea is similar to cproxy's. There are some differences in UX and system requirements:
  • cgproxy requires system cgroup v2 support, while cproxy works with both v1 and v2.
  • cgproxy requires a background daemon process cgproxyd running, while cproxy does not.
  • cgproxy requires tproxy, which is optional in cproxy.
  • cgproxy can be used to do global proxy, while cproxy does not intended to support global proxy.