Containerizes a SOCKS5 proxy server with traffic tunneled through Windscribe's VPN service
Windscribe is a yet another VPN service, offering varying subscriptions plans (free, pro, "build a plan", etc). Typically, Windscribe software must be installed on host devices to tunnel traffic through their VPN servers. However, there are other protocols (e.g. OpenVPN, IKEv2, SOCKS5, etc) supported for tunneling without their proprietary software. Unfortunately, these protocols are only available to users on their "Pro" subscription plan (i.e. excluding free and "Build A Plan" subscription plans).
I had submitted a feature request for SOCKS5 support for the "Build A Plan" option from their support, but have received a generic response indicating there was no particular interest in adding such support for non-"Pro" subscription plans. Ergo, Windscribe software must be installed on a host device to tunnel traffic, presenting two corollaries:
- a host device must be eligible for installing and running Windscribe VPN software
- all system traffic will be tunneled through Windscribe servers
This project was created to address a fringe use-case and circumvent the aforementioned corollaries by containerizing Windscribe software within Docker, enabling tunneling through as a SOCKS5 proxy server.
There are a few useful advantages of using this containerized application:
- Paid subscriptions are not required to use the SOCKS5 protocol to tunnel traffic through Windscribe.
- A host device does not need to install Windscribe system software and can still tunnel traffic through their VPN servers.
- Networking tools (e.g. Proxifier) can enable fine-grained control by handling per-process traffic tunneling, rather than system wide traffic tunneling.
However, there limitations to this project's usefulness relating significantly to security:
- Traffic to the SOCKS5 server is not encrypted and may be interceptable by a third party; however, traffic forwarded to Windscribe is encrypted.
- Without authentication, the SOCKS5 server should only be used in a tightly controlled network. Exposing the SOCKS5 server publicly allows any actor to tunnel traffic that is linked back to the specified Windscribe account. As of version
0.3.0
, proxy server authentication can be configured through environment variables. - Windscribe-CLI requires
iptables
support, requiring theNET_ADMIN
cap permission to execute inside of a Docker container. As a consequence, a compromised container may be able to leverage all the capabilities ofCAP_NET_ADMIN
, as defined in the Linux manuals. While it is unlikely the software involved would be compromised, there is a non-zero possibility that a compromised container may be able to manipulate the host's iptables for malicious purposes.
This project must be built using a container image building tool and run using container runtime (e.g. Docker, Podman, etc). Docker instructions are included in the following sections.
Pre-built images can be pulled from any of the following registries:
- Docker Hub:
concisions/windscribe-socks-server:latest
- GitHub Packages:
docker.pkg.github.com/concision/docker-windscribe-socks-server/windscribe-socks-server:latest
Note: The only prebuilt images architectures available are
linux/amd64
andlinux/arm/v7
. At the time of writing this documentation, Windscribe distributions are not available for other architectures.
Alternatively, the project can be built from the repository's sources by cloning the repository and running a container image build tool.
# clone the repository
git clone https://github.com/concision/docker-windscribe-socks-server.git
# change current working directory
cd docker-windscribe-socks-server
# build Docker image
docker build -t concisions/windscribe-socks-server:latest .
Note: Ensure the current working directory is inside of the cloned Git repository prior to executing the command (e.g.
cd docker-windscribe-socks-server
).
To deploy with Docker Compose, use the commented configuration file available in this repository here. Environment variables may be sourced with an .env
file or explicitly defined in the configuration file.
The container can be deployed with the following command:
docker-compose up
Note: An
.env
file containing all environment variable configuration can be passed as a Docker secret file using the keywindscribe_server
. Uncomment the relevant section in thedocker-compose.yml
file template. Configured Docker secrets take precedence over environment variables.
To deploy with Docker, use the example run script available in this repository here. It can be configured in the script itself or use an .env
file.
The container can be deployed with the following command:
./deploy-container.sh
Note: If specifying multiple SOCKS5 users, specify the relevant environment variables in an
.env
file or add--env SOCKS_USERNAME_xyz
and--env SOCKS_PASSWORD_xyz
flag (where "xyz" is a wildcard) to the script.
There are several variables that can be configured for this image:
- Windscribe:
WINDSCRIBE_DNS
(optional): Whitespace delimited list of DNS servers to use (default:1.1.1.1
). Setting a DNS server with Docker flags is not sufficient enough, as it utilizes an embedded local DNS server. Windscribe tunnels all DNS requests to prevent DNS leakage.WINDSCRIBE_USERNAME
: Windscribe account username.WINDSCRIBE_PASSWORD
: Windscribe account password.WINDSCRIBE_LOCATION
(optional): A preferred Windscribe location to automatically connect to.
- SOCKS5 Server:
Note: By default, there is no authentication enabled. Setting any of the environment variables
SOCKS_USERNAME
orSOCKS_USERNAME_xyz
automatically enables authentication. Without authentication, the SOCKS5 server should only be used in a tightly controlled network.SOCKS_USERNAME
(optional): Enables SOCKS5 authentication and creates a new user. Must be alphanumeric (with_
s).SOCKS_PASSWORD
(optional): Enables SOCKS5 authentication and sets the password for the associated$SOCKS_USERNAME
user. Additional users can be defined by namespacing (e.g. suffixing "_1") additional environment variables under pairs ofSOCKS_USERNAME
andSOCKS_PASSWORD
:SOCKS_USERNAME_xyz
(optional): Enables SOCKS5 authentication and creates a new user. Must be alphanumeric (with_
s).SOCKS_PASSWORD_xyz
(optional): Enables SOCKS5 authentication and sets the password for the associatedSOCKS_USERNAME_xyz
user.
This project is a prototype that has been hacked together and has its own set of issues and drawbacks compared to running Windscribe system software. Your mileage may vary. If you are experiencing an issue you believe is not intended, a GitHub issue can be filed here; however, not all issues may be solvable due to the hacky and unpredictable nature of this project and its software dependencies.