Skip to content

Dante SOCKS5 Proxy on Ubuntu with IPv4, IPv6 and UDP

Jump to bottom
Vadim Smirnov edited this page Aug 28, 2025 · 2 revisions

System: Ubuntu 22.04.x LTS
Features: SOCKS5, UDP ASSOCIATE, username/password auth, dual-stack (IPv4 + IPv6)

1. Install Dante

sudo apt update
sudo apt install dante-server -y

2. Create runtime + proxy users

# Daemon user (optional, some Ubuntu builds already provide "proxy" user)
sudo useradd -r -M -s /usr/sbin/nologin danted

# Example proxy user for authentication
sudo useradd -M -s /usr/sbin/nologin danteuser
sudo passwd danteuser

3. Allow binding both IPv4 and IPv6

Linux by default lets an IPv6 socket bound to :: also accept IPv4 traffic, which conflicts if you also bind 0.0.0.0.

Enable bindv6only so IPv6 sockets only accept IPv6:

# Option A (modular)
echo 'net.ipv6.bindv6only=1' | sudo tee /etc/sysctl.d/99-danted.conf
sudo sysctl --system

# Option B (classic)
# Add to /etc/sysctl.conf:
# net.ipv6.bindv6only=1
# Then reload:
# sudo sysctl --system

4. Configuration (/etc/danted.conf)

Variant A — without UDP port range (uses ephemeral ports, less secure)

logoutput: syslog

# Listen on IPv4 and IPv6
internal: 0.0.0.0 port = 1080
internal: :: port = 1080

# Outbound interface
external: eth0

# Privileges
user.notprivileged: danted
user.privileged: root

# Authentication
clientmethod: none
socksmethod: username

# Allow all clients (authentication required)
client pass {
  from: 0.0.0.0/0 to: 0.0.0.0/0
}
client pass {
  from: ::/0 to: ::/0
}

# Allow TCP CONNECT and UDP ASSOCIATE
socks pass {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  command: connect udpassociate
  log: connect disconnect ioop
}
socks pass {
  from: ::/0 to: ::/0
  command: connect udpassociate
  log: connect disconnect ioop
}

# Log UDP replies from remote hosts back to clients
socks pass {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  command: udpreply
  log: connect disconnect ioop
}
socks pass {
  from: ::/0 to: ::/0
  command: udpreply
  log: connect disconnect ioop
}

Variant B — with UDP port range (recommended, predictable firewall rules)

logoutput: syslog

# Listen on IPv4 and IPv6
internal: 0.0.0.0 port = 1080
internal: :: port = 1080

# Outbound interface
external: eth0

# Privileges
user.notprivileged: danted
user.privileged: root

# Authentication
clientmethod: none
socksmethod: username

# Allow all clients (authentication required)
client pass {
  from: 0.0.0.0/0 to: 0.0.0.0/0
}
client pass {
  from: ::/0 to: ::/0
}

# Allow TCP CONNECT and UDP ASSOCIATE, constrain UDP to a safe range
socks pass {
  from: 0.0.0.0/0 to: 0.0.0.0/0
  command: connect udpassociate
  udp.portrange: 40000-45000
}
socks pass {
  from: ::/0 to: ::/0
  command: connect udpassociate
  udp.portrange: 40000-45000
}

5. Firewall rules

Case A — without udp.portrange

Dante will pick random UDP ports in the system’s ephemeral range (commonly 32768–60999). To guarantee UDP works you would need to open that entire range:

sudo ufw allow 1080/tcp
sudo ufw allow 32768:60999/udp

⚠️ Less secure — wider attack surface.

Case B — with udp.portrange

Only open the chosen range:

sudo ufw allow 1080/tcp
sudo ufw allow 40000:45000/udp

✅ Recommended — predictable and secure.

6. Enable & restart

sudo systemctl enable danted
sudo systemctl restart danted
sudo systemctl status danted --no-pager

7. Testing

  • IPv4
curl -4 -x socks5://USER:PASS@SERVER_IP:1080 ifconfig.co
  • IPv6
curl -6 -x socks5://USER:PASS@SERVER_IP:1080 ifconfig.co

✅ Result: Dante SOCKS5 proxy with

  • username authentication
  • IPv4 + IPv6 dual-stack
  • UDP ASSOCIATE support

🔐 Best practice: configure udp.portrange and open the matching firewall range.

Clone this wiki locally