[Feature Request] Add Authentication Support for SOCKS Service in wstunnel Client #312

Closed
dobelachaos opened this issue Jul 5, 2024 · 12 comments



dobelachaos commented Jul 5, 2024

Description of the feature

I am using wstunnel for creating a SOCKS proxy to access resources behind firewalls and would like to request a feature that adds authentication support to the SOCKS service created by the wstunnel client.

Current Functionality

Currently, wstunnel allows the creation of a SOCKS5 service without authentication. This is useful for simple use cases but lacks the security needed for environments where access control is required.

Proposed Feature

The feature I am proposing is the addition of an authentication option for the SOCKS service. This would involve the following:

  • Adding a flag or configuration option in the wstunnel client to enable authentication for the SOCKS service.
  • Allowing users to specify a username and password either through command-line arguments or a configuration file.

Use Case

The ability to add authentication to the SOCKS service would greatly enhance the security and usability of wstunnel in environments where only certain users should have access to the proxy. For example, in corporate settings or shared hosting environments, adding authentication would ensure that only authorized users can use the proxy to access the internet or internal resources.

Implementation Suggestions

  • The implementation could follow the SOCKS5 user authentication standard, which supports plain text username and password authentication.
  • It might also be beneficial to support more secure authentication methods, such as OAuth or integration with existing user management systems.

Benefits

Adding authentication support would:

  • Improve the security of wstunnel by preventing unauthorized access to the SOCKS proxy.
  • Make wstunnel more versatile and suitable for a wider range of use cases, including those with strict security requirements.
  • Enhance the overall user experience by providing an additional layer of control.

Additional Information

  • I believe this feature would benefit many users and expand the applicability of wstunnel.
  • I am open to contributing to this feature, whether by providing feedback, testing, or even code, if the implementation aligns with my capabilities.

Thank you for considering this feature request. I look forward to any feedback or discussion on this proposal.


github-actions bot commented Jul 5, 2024

Hello @dobelachaos 👋

This issue is being automatically closed because it does not follow the issue template.

@github-actions github-actions bot closed this as completed Jul 5, 2024
@erebe erebe reopened this Jul 5, 2024
Owner

erebe commented Jul 5, 2024

Hello,

Thank you for the detailed explanation.
Adding login/password to the socks5 server should be easy to do and can be useful to other users indeed.
Regarding OAuth, while it would be nice to have it too, I don't think I am going to add it, as there is no easy way to interact with an OAuth provider; it is rather convoluted every time.

Anyway, I am going to add the login/password for socks5 and let you know when it is done, so you can try it out.

@dobelachaos
Author

Thank you very much for your work, and I agree with your opinion that username and password authentication is sufficient. Thank you again.

Owner

erebe commented Jul 9, 2024

Hi back,

Would you mind trying this pre-release and letting me know if it works for you?
https://github.com/erebe/wstunnel/releases/tag/v9.7.3-rc1

You can specify the login/password of your socks5 server like this:
socks5://8080?login=admin&password=admin

Let me know!

@dobelachaos
Author

Okay, I will try it. Thank you for your work!

@dobelachaos
Author

Hello, I followed your example to specify the username and password for the SOCKS5 on the client, but the terminal returned an error message. Here is the error message: "error: the following required arguments were not provided: <ws[s]|http[s]://wstunnel.server.com[:port]>".

I have tried both "wstunnel_9.7.3-rc1_windows_amd64.tar.gz" and "wstunnel_9.7.3-rc1_linux_arm64.tar.gz", and the error messages returned are the same.

The command I used to start is: "wstunnel client --http-upgrade-path-prefix *********** -L socks5://192.168.2.192:1080?login=admin&password=admin wss://...:1843".
Is there a mistake in my command?

Owner

erebe commented Jul 13, 2024

You are missing the quotes around the argument of -L.
Try something like:

wstunnel client --http-upgrade-path-prefix 'xxxx' -L 'socks5://192.168.2.192:1080?login=admin&password=admin' wss://...:1843

@dobelachaos
Author

Thank you for your guidance; I have successfully used it and resolved my needs. Thank you again!

Now, I have two issues to report to you:

  1. After enabling username and password authentication for SOCKS5, there seems to be a slight impact on the network speed, which has become a bit slower.
  2. I'm not sure if this is a bug, but when SOCKS5 does not have username and password authentication enabled, any random username and password entered in the proxy software can still connect to the SOCKS5 proxy.

Owner

erebe commented Jul 16, 2024

Happy to know it is working for you :0

For the performance I don't know, it is the socks5 lib that is supposed to handle it. The penalty should be very small, as the auth is only checked at connection. Will try to take a look at it when I get some spare time.

Regarding the 2nd point, it is normal: if you don't specify any password, it means you don't want any auth, so it allows everyone, like it is today.
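
The negotiation behind the second observation, as an added example that is not part of the original thread and is not wstunnel's or its SOCKS5 library's code. It is a generic RFC 1928/1929 server model with hypothetical function names and an assumed selection policy; in it, a listener with no credentials configured selects the "no authentication" method, so whatever login and password the proxy software has set are never checked.

```python
import hmac

NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF  # RFC 1928 method codes

def client_greeting(methods):
    """RFC 1928 greeting: VER=5, NMETHODS, METHODS."""
    return bytes([5, len(methods), *methods])

def select_method(greeting, creds):
    """Server's method-selection reply; creds is (login, password) or None."""
    if len(greeting) < 2 or greeting[0] != 5 or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed SOCKS5 greeting")
    offered = set(greeting[2:])
    # Assumed policy: require user/pass only when credentials are configured.
    wanted = USERPASS if creds else NO_AUTH
    return bytes([5, wanted if wanted in offered else NO_ACCEPTABLE])

def auth_request(login, password):
    """RFC 1929 sub-negotiation: VER=1, ULEN, UNAME, PLEN, PASSWD (cleartext)."""
    u, p = login.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("login and password must be 1..255 bytes")
    return bytes([1, len(u)]) + u + bytes([len(p)]) + p

def check_auth(request, creds):
    """Server's RFC 1929 reply: status 0x00 is success, anything else failure."""
    try:
        if request[0] != 1:
            raise ValueError("bad sub-negotiation version")
        ulen = request[1]
        user = request[2:2 + ulen]
        plen = request[2 + ulen]
        pw = request[3 + ulen:3 + ulen + plen]
        if len(user) != ulen or len(request) != 3 + ulen + plen:
            raise ValueError("length fields do not match the payload")
    except (IndexError, ValueError):
        return b"\x01\x01"  # truncated or malformed requests are rejected
    # Compare both fields in constant time, without short-circuiting.
    ok = hmac.compare_digest(user, creds[0].encode()) & \
         hmac.compare_digest(pw, creds[1].encode())
    return b"\x01\x00" if ok else b"\x01\x01"

if __name__ == "__main__":
    hello = client_greeting([NO_AUTH, USERPASS])  # constructed: client with creds set
    print("no creds configured ->", select_method(hello, None).hex())
    print("creds configured    ->", select_method(hello, ("admin", "admin")).hex())
    print("auth bytes on wire  ->", auth_request("admin", "admin"))
```

RFC 1929 carries the login and password as cleartext bytes, so on a listener bound to a LAN address such as 192.168.2.192 they are readable by anyone who can capture traffic between the proxy software and the wstunnel client.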

@dobelachaos
Author

Ok, I understand, thank you for your work. I'm using it very well now. ) :

Owner

erebe commented Jul 20, 2024

released in v9.7.4

@erebe erebe closed this as completed Jul 20, 2024

yymk158 commented Jul 21, 2024

You are missing the quotes around the argument of -L.
Try something like:

wstunnel client --http-upgrade-path-prefix 'xxxx' -L 'socks5://192.168.2.192:1080?login=admin&password=admin' wss://...:1843

How do I set it up on the server?

wstunnel server --restrict-http-upgrade-path-prefix 'xxxx' https://serverip:xxxx?login=admin&password=admin
Is that right?
