I'm researching the SOCKS5 protocol. After understanding it, I know that SOCKS5 does not encrypt data from clients to the proxy server. Therefore, can we use TLS/SSL to encrypt the data, i.e. secure SOCKS5?

galoget

2 Answers

SOCKS5 is just a tunnel protocol which does not provide any encryption by itself. Therefore encryption must be added either outside the tunnel or inside the tunnel, i.e.

  • outside: wrap SOCKS5 into an encrypted layer
    This can be done by wrapping it into TLS using software like stunnel. There are also SOCKS5 servers which have such capability already built in, see Do SOCKS proxy servers exist that have SSL support?. Also ssh -D already provides SOCKS5 wrapped into an SSH tunnel. Other encrypted layers can be VPN or Tor.
  • inside: use encrypted traffic inside the SOCKS5 tunnel
    This can for example be done by only visiting HTTPS sites using the proxy. Note that metadata of the traffic (i.e. TLS handshakes, domain names inside the TLS ClientHello) can still be watched with this approach.
Steffen Ullrich
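The "outside" option above, wrapping a plain SOCKS5 daemon in TLS with stunnel, as an added example (not code from the answer or from the stunnel project). The hostname, ports and certificate paths are assumptions; the point it adds is that the client side must verify the server certificate (verifyChain plus checkHost), otherwise the tunnel is encrypted but anyone who can intercept the connection can terminate the TLS themselves.

```shell
#!/bin/sh
# Added example: wrap a plain SOCKS5 server in TLS with stunnel.
# Hostname, ports and file paths below are assumptions for illustration.
# Server side: stunnel listens on TLS_PORT (TLS) and forwards to the SOCKS5
#   daemon on localhost:SOCKS_PORT (plaintext stays on the server's loopback).
# Client side: stunnel listens on 127.0.0.1:SOCKS_PORT (plain), forwards over TLS
#   to the server, and verifies the server's certificate against a pinned CA.

SOCKS_HOST="socks.example.invalid"   # assumed server name (placeholder)
TLS_PORT=1443                        # assumed TLS listener port on the server
SOCKS_PORT=1080                      # standard SOCKS port (plain SOCKS5 daemon)

# Emit the server-side stunnel configuration to stdout.
server_config() {
  cat <<EOF
; stunnel server: terminate TLS and hand plaintext SOCKS5 to the local daemon
cert = /etc/stunnel/socks-server.pem
key  = /etc/stunnel/socks-server.key
[socks5-tls]
accept  = ${TLS_PORT}
connect = 127.0.0.1:${SOCKS_PORT}
EOF
}

# Emit the client-side stunnel configuration to stdout.
client_config() {
  cat <<EOF
; stunnel client: accept plaintext SOCKS5 locally, send it over TLS to the server
client = yes
[socks5-tls]
accept  = 127.0.0.1:${SOCKS_PORT}
connect = ${SOCKS_HOST}:${TLS_PORT}
; verify the peer certificate chain against our CA and check the name in it;
; without this the tunnel is encrypted but not authenticated
verifyChain = yes
CAfile = /etc/stunnel/socks-ca.pem
checkHost = ${SOCKS_HOST}
EOF
}

# Return 0 if a client config pins the server identity (verifyChain + checkHost),
# non-zero otherwise. Useful as a pre-deployment sanity check.
config_verifies_peer() {
  printf '%s\n' "$1" | grep -q '^verifyChain *= *yes' &&
  printf '%s\n' "$1" | grep -q '^checkHost *='
}

# Usage (assumed paths): write the configs, start stunnel on each side, then point
# the SOCKS client at 127.0.0.1:1080 exactly as before; only the hop between the
# two stunnel instances changes.
# server_config > /etc/stunnel/socks-server.conf && stunnel /etc/stunnel/socks-server.conf
# client_config > /etc/stunnel/socks-client.conf && stunnel /etc/stunnel/socks-client.conf
# curl --socks5-hostname 127.0.0.1:1080 https://example.com/
```

The SOCKS5 handshake (method negotiation, CONNECT request, destination host) is still sent in the clear by the SOCKS client, but only across the loopback interface to the local stunnel; on the wire it travels inside the TLS session.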
You can tunnel arbitrary network traffic through TLS, but SOCKS generally doesn't do so. You'd need a SOCKS server, and client, that establish a TLS connection first and AFAIK this doesn't exist (EDIT: Apparently there's WinGate, from the answer that Steffen linked.)

However, a VPN can do this. OpenVPN is one of several TLS-based VPNs (and has the benefit of being free for both client and server); you could configure it to only be used for the SOCKS connection. You could also use a VPN based on other secure protocols, such as IPSec. Then, your traffic would only travel unsecured between the VPN server and the SOCKS server (which could be the same host). You would just connect to the VPN and then point your SOCKS client at the SOCKS server as usual, and the VPN would secure it along the way.

Of course, in some ways a VPN is already similar to a proxy. If all you care about is that network traffic originating at host A is securely relayed through host B before it enters the wider network, and you don't need to do any special processing or inspection of it, a VPN could do fine.

Alternatively, you can run the SOCKS proxy locally on your machine, which greatly limits opportunities for interception, and have it relay the traffic (through a secure tunnel) to another server. This is what OpenSSH (and PuTTY) do in their proxy mode (for OpenSSH, you can use -D [local-address:]port as an option when making an SSH connection). This will make the SSH client start a SOCKS proxy on the local machine, listening on the specified local interface (or all interfaces if unspecified) and port. SOCKS clients can then connect to this local SOCKS server (which is also the SSH client), and their traffic will be routed through an SSH tunnel and emerge onto the network from the SSH server. In this way, the SSH server effectively becomes a SOCKS server, but the connection between the machines is secured.

As another alternative (possibly a better one, if you already have a SOCKS server running on the remote machine), you can use SSH (-L [local_address:]local_port:remote_host:remote_port) to just forward the relevant port through its secure tunnel. For example, ssh -f -N -L localhost:8000:localhost:1080 pham@sockserver.fully.qualified.domain would create a listening socket on your loopback address at port 8000, and forward any connections it receives to port 1080 (the usual SOCKS port) on the loopback interface of the SSH server (which here is assumed to also be the SOCKS server). In this way, you can again point your SOCKS client at a local port (8000) and your traffic will be securely tunneled to the SOCKS server (which will see your traffic as originating from its own SSH server, rather than from your machine directly).

CBHacking
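The two OpenSSH forms from the answer above (-D dynamic forwarding and -L forwarding to an existing SOCKS server), as an added example that is not the answer's own text. User and host are the answer's placeholders; the local port and the checks are assumptions. It adds two practitioner details the answer only implies: bind the local listener to loopback explicitly (an unqualified -D 8000 listens on all interfaces on some configurations, so other hosts on the LAN could use the tunnel), and have the SOCKS client pass hostnames to the proxy (curl's --socks5-hostname, i.e. socks5h) so DNS lookups also go through the tunnel rather than leaking from the local resolver.

```shell
#!/bin/sh
# Added example: build and sanity-check the OpenSSH tunnel invocations.
# SSH_USER/SSH_HOST are the answer's placeholders; ports are assumptions.

SSH_USER="pham"
SSH_HOST="sockserver.fully.qualified.domain"
LOCAL_PORT=8000          # local listener, loopback only
REMOTE_SOCKS_PORT=1080   # SOCKS daemon on the SSH server's loopback

# Print the ssh command that starts a local SOCKS proxy (dynamic forwarding).
# ExitOnForwardFailure makes ssh fail loudly if the port cannot be bound, so a
# client never silently talks to whatever else is on that port.
dynamic_forward_cmd() {
  printf 'ssh -f -N -o ExitOnForwardFailure=yes -D 127.0.0.1:%s %s@%s\n' \
    "$LOCAL_PORT" "$SSH_USER" "$SSH_HOST"
}

# Print the ssh command that forwards a local port to an existing SOCKS server
# on the remote host's loopback (the answer's -L form).
local_forward_cmd() {
  printf 'ssh -f -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
    "$LOCAL_PORT" "$REMOTE_SOCKS_PORT" "$SSH_USER" "$SSH_HOST"
}

# Return 0 if a forwarding command binds only to loopback; non-zero if it would
# listen on all interfaces (e.g. "-D 8000" or "-L 8000:...").
binds_loopback_only() {
  printf '%s\n' "$1" | grep -Eq -- '-(D|L) (127\.0\.0\.1|localhost|\[::1\]):'
}

# curl invocation that lets the proxy resolve the hostname (socks5h), so the DNS
# query travels inside the tunnel instead of leaving from the local resolver.
socks_test_cmd() {
  printf 'curl --silent --socks5-hostname 127.0.0.1:%s https://example.com/\n' "$LOCAL_PORT"
}

# Usage: run one of the tunnel commands, then the test command. The request's
# source address as seen by the destination is the SSH server, not this machine.
#   eval "$(dynamic_forward_cmd)"
#   eval "$(socks_test_cmd)"
```

With the -L form, the SOCKS server on the remote host should itself listen only on 127.0.0.1:1080, since the SSH daemon is the only intended client; that is what keeps the unencrypted SOCKS hop confined to the server's loopback.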