wireproxy icon indicating copy to clipboard operation
wireproxy copied to clipboard
verified publisher icon pufferffish

Garbage data when using SOCKS 5 proxy to IPv6

Open rledisez opened this issue 1 year ago • 1 comments

While I'm not 100% sure the issue comes from wireproxy, it is to be noted that with another SOCKS 5 proxy (ssh -D) I'm not observing this issue.

When connecting to an IPv6 TCP target via the SOCKS 5 proxy of wireproxy, some garbage data are inserted at the beggining of the connection, breaking the application protocol. See the following example with SSH

Environment

Client: SSH over WireProxy 1.0.9 over macOS 14.4.1 Wireguard endpoint: mikrotik router (RouterOS 7.14.3) Server: SSH (OpenSSH_9.2, OpenSSL 3.0.11 19 Sep 2023) on Debian 12

It is to be noted I do not have any issue with "official" wireguard clients (either on iOS or macOS)

Direct connection from a client on the same LAN than the server

  • IPv4
$ nc 172.29.47.10 22
SSH-2.0-OpenSSH_9.2p1 Debian-2
  • IPv6
$ nc fd00:172:29:47::10 22
SSH-2.0-OpenSSH_9.2p1 Debian-2

Using WireProxy with TCPClientTunnel

  • IPv4
# WireProxy Configuration file
WGConfig = /path/to/wireguard.conf
[TCPClientTunnel]
BindAddress = 127.0.0.1:25345
Target = 172.29.47.10:22

$ nc 127.0.0.1 25345
SSH-2.0-OpenSSH_9.2p1 Debian-2
  • IPv6
# WireProxy Configuration file
WGConfig = /path/to/wireguard.conf
[TCPClientTunnel]
BindAddress = 127.0.0.1:25345
Target = [fd00:172:29:47::10]:22

$ nc 127.0.0.1 25345
SSH-2.0-OpenSSH_9.2p1 Debian-2

Using WireProxy with Socks5

# WireProxy Configuration file
WGConfig = /path/to/wireguard.conf
[Socks5]
BindAddress = 127.0.0.1:25345
  • IPv4
nc -X 5 -x 127.0.0.1:25345 172.29.47.10 22
SSH-2.0-OpenSSH_9.2p1 Debian-2
  • IPv6
nc -X 5 -x 127.0.0.1:25345 fd00:172:29:47::10 22
I�SSH-2.0-OpenSSH_9.2p1 Debian-2

Note the garbage data before the SSH banner

The same can be observed with an HTTP server

  • IPv4 (it waits for me to enter a request)
$ nc -X 5 -x 127.0.0.1:25344 172.29.47.26 80
GET /
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close

400 Bad Request
  • IPv6 (it immediately prints some garbage)
$ nc -X 5 -x 127.0.0.1:25344 fd00:172:29:47::26 80
I��

rledisez avatar May 13 '24 19:05 rledisez

I notice this too.. IPv6 fails:

$ curl -v -x socks5://user:pass@[::1]:1234 https://ipv6.jamieweb.net/
curl: (97) Can't complete SOCKS5 connection to ipv6.jamieweb.net. (4)

IPv4 works fine

$ curl -x socks5://user:pass@[::1]:8922 https://ipv4.jamieweb.net/
<html>
<head><title>IPv4 Test Page</title></head>
[..]
</html>

Edit: Nvm, probably my problem is caused by the VPN Provider (Proton VPN) not supporting IPV6 by default. It also happens when using wireproxy as HTTP Proxy.

powellnorma avatar Aug 16 '25 13:08 powellnorma