adllm Insights logo adllm Insights logo

Configuring Dante SOCKS Proxy for IPv6-Only Clients to Access IPv4-Only Services

Published on by The adllm Team. Last modified: . Tags: Dante SOCKS SOCKS5 IPv6 IPv4 Proxy Networking Linux danted

In today’s evolving internet landscape, the transition to IPv6 is steadily progressing. However, a significant number of services and servers remain accessible only via IPv4. This presents a challenge for IPv6-only clients that need to connect to these legacy IPv4 resources. While network-level solutions like NAT64/DNS64 exist, an application-level SOCKS proxy like Dante offers a flexible and powerful alternative, providing granular control over access.

This article provides a comprehensive guide on configuring a Dante SOCKSv5 proxy server to bridge this gap, specifically enabling IPv6-only clients to seamlessly access IPv4-only services. We will delve into the necessary Dante server configuration (danted.conf), firewall adjustments, client testing, and troubleshooting.

Prerequisites

Before we begin, ensure you have the following:

  • A server (e.g., a Linux Virtual Private Server - VPS) with dual-stack connectivity: it must have both a public IPv6 address (for clients to connect to) and a public IPv4 address (to reach IPv4 services).
  • Dante server software installed. On Debian/Ubuntu, this can typically be installed using:
    1
2

    sudo apt update
sudo apt install dante-server
    On CentOS/RHEL based systems:
    1

    sudo yum install dante-server
  • Root or sudo privileges on the server.
  • Basic understanding of IP addressing, network ports, and SOCKS proxy concepts.

Understanding the Core Challenge and Dante’s Role

An IPv6-only client, by itself, cannot directly initiate a connection to an IPv4 address. Conversely, an IPv4-only service cannot directly accept a connection from an IPv6 client. A SOCKS proxy server, strategically deployed on a host with dual-stack (IPv4 and IPv6) capabilities, can act as an effective intermediary.

Dante, when configured for this scenario, will:

  1. Listen for incoming SOCKS connections from clients on its designated IPv6 address and port.
  2. Receive the client’s request to connect to a destination service (which, in this case, will be an IPv4-only service).
  3. Initiate a new, separate connection from its own IPv4 address to the requested IPv4-only service.
  4. Relay data transparently between the IPv6 client and the IPv4 service.

The critical element is that the Dante server itself must possess both IPv6 and IPv4 network interfaces and be explicitly configured to use them appropriately for “internal” (client-facing) and “external” (service-facing) communications.

Dante Server Configuration: danted.conf

The behavior of the Dante server is entirely controlled by its configuration file, typically located at /etc/danted.conf or /etc/sockd.conf. We will construct configurations that precisely define the IP protocols for internal (client-side) and external (server-side) traffic.

For detailed information on all danted.conf directives, the official Dante documentation is the definitive resource. A comprehensive overview can be found in the danted.conf(5) man page.

Key danted.conf Directives for This Scenario

  • logoutput: Specifies where Dante logs its operational messages and errors. Crucial for troubleshooting.
    • Example: logoutput: /var/log/danted.log or logoutput: syslog
  • internal.protocol: Explicitly sets the IP protocol (IPv4 or IPv6) for the internal interface. This directive must appear before the internal address/interface line it applies to. For our use case, this will be ipv6.
  • internal: Defines the network interface and port where Dante listens for client connections. This must be an IPv6 address accessible by your clients.
  • external.protocol: Similar to internal.protocol, but for the external interface. This must appear before the external address/interface line. For our use case, this will be ipv4.
  • external: Defines the network interface or IP address Dante uses for its outgoing connections to destination services. This interface must have IPv4 connectivity.
  • user.privileged: The system user Dante initially runs as (e.g., root), often needed for binding to privileged ports (though port 1080 is not privileged).
  • user.unprivileged: The system user Dante drops privileges to after initialization (e.g., nobody). This is a vital security practice.
  • clientmethod / socksmethod: Defines authentication methods for connections to Dante and for the SOCKS protocol negotiation, respectively. We’ll start with none and then illustrate username authentication. More on authentication methods can be found in the Dante authentication documentation.
  • client pass: Rules defining which clients are permitted to connect to the Dante server and proceed with SOCKS negotiation.
  • socks pass: Rules defining which destinations authenticated clients are permitted to connect through the Dante server.

Example 1: Basic IPv6-to-IPv4 Proxy (No Authentication)

This configuration allows any IPv6 client connecting to the server’s specified IPv6 address to access any IPv4 destination.

Important: Replace [YOUR_SERVER_IPV6_ADDRESS] and [YOUR_SERVER_IPV4_ADDRESS] with your server’s actual public IP addresses.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

# /etc/danted.conf - Basic IPv6-in, IPv4-out proxy
#
# For detailed explanations of directives, see:
# https://www.inet.no/dante/doc/1.4.x/man/danted.conf.5.html

logoutput: /var/log/danted.log
# Alternative: logoutput: syslog facility local5

# Client-facing interface configuration:
# Dante listens on this IPv6 address for SOCKS client connections.
# The internal.protocol directive ensures only IPv6 is used here.
internal.protocol: ipv6
internal: [YOUR_SERVER_IPV6_ADDRESS] port = 1080

# Service-facing interface configuration:
# Dante uses this IPv4 address for outgoing connections to target services.
# The external.protocol directive ensures only IPv4 is used here.
external.protocol: ipv4
external: [YOUR_SERVER_IPV4_ADDRESS]

# Authentication: None for this basic example.
# clientmethod applies to the initial connection to danted.
# socksmethod applies to the SOCKS protocol handshake.
clientmethod: none
socksmethod: none

# User privileges:
# Start as root (or other privileged user if needed for port binding),
# then drop to an unprivileged user for operations.
user.privileged: root
user.unprivileged: nobody

# Client Access Rules:
# Allow any client connecting via IPv6 to the internal interface
# to proceed to SOCKS negotiation. The "to: 0/0" here refers to
# any address the proxy is configured to listen on.
client pass {
    from: ::/0 to: 0/0 # Allows any IPv6 source address
    log: error connect disconnect iooperation
}

# SOCKS Access Rules:
# Allow clients (who passed 'client pass' rules) to connect to any IPv4
# destination. "from: ::/0" matches our IPv6 clients.
# "to: 0.0.0.0/0" matches any IPv4 destination address.
socks pass {
    from: ::/0 to: 0.0.0.0/0
    command: connect # Allow TCP connect command
    log: error connect disconnect iooperation
}

# Default block rules (Dante's default is to deny if no pass matches):
# Explicitly blocking can be good for clarity and log generation.
client block {
    from: 0/0 to: 0/0
    log: error connect disconnect iooperation
}
socks block {
    from: 0/0 to: 0/0
    log: error connect disconnect iooperation
}

Example 2: Using Interface Names

If your server has a primary network interface (e.g., eth0) that carries both its IPv6 and IPv4 addresses, you can use the interface name. The internal.protocol and external.protocol directives are crucial here to ensure Dante selects the correct address family on the specified interface.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

# /etc/danted.conf - Using Interface Names

logoutput: /var/log/danted.log

# Client-facing: Use IPv6 addresses on eth0
internal.protocol: ipv6
internal: eth0 port = 1080

# Service-facing: Use IPv4 addresses on eth0
external.protocol: ipv4
external: eth0

# Authentication: None
clientmethod: none
socksmethod: none

# User privileges
user.privileged: root
user.unprivileged: nobody

# Client Access Rules
client pass {
    from: ::/0 to: 0/0
    log: error connect disconnect
}

# SOCKS Access Rules
socks pass {
    from: ::/0 to: 0.0.0.0/0
    command: connect
    log: error connect disconnect
}

client block { from: 0/0 to: 0/0 log: error connect disconnect }
socks block { from: 0/0 to: 0/0 log: error connect disconnect }

Example 3: Adding Username/Password Authentication

For enhanced security, implementing authentication is highly recommended. Dante SOCKSv5 supports username authentication, which typically uses existing system users unless configured with PAM or other authentication modules.

First, create dedicated system users for your proxy clients. These users do not need interactive shells.

1
2
3

sudo useradd --system --shell /usr/sbin/nologin proxyuser1
sudo passwd proxyuser1 
# Enter and confirm a strong password for proxyuser1

Then, modify danted.conf to require this authentication:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

# /etc/danted.conf - Username/Password Authentication

logoutput: /var/log/danted.log

internal.protocol: ipv6
internal: [YOUR_SERVER_IPV6_ADDRESS] port = 1080
# Or: internal: eth0 port = 1080

external.protocol: ipv4
external: [YOUR_SERVER_IPV4_ADDRESS]
# Or: external: eth0

# Authentication: Require SOCKSv5 username/password.
# The 'clientmethod: none' means the initial TCP connection to danted
# does not require separate auth, SOCKS-level auth is enforced by 'socksmethod'.
clientmethod: none 
socksmethod: username # Use system user accounts by default

user.privileged: root
user.unprivileged: nobody

# Client Access Rules:
# Allow any IPv6 client to attempt SOCKS negotiation.
# Authentication will be handled at the SOCKS protocol level.
client pass {
    from: ::/0 to: 0/0
    log: error connect disconnect
}

# SOCKS Access Rules:
# Allow clients who successfully authenticate via username/password
# to connect to any IPv4 destination.
socks pass {
    from: ::/0 to: 0.0.0.0/0
    command: connect
    log: error connect disconnect
    socksmethod: username # Enforce username auth for this rule
}

client block { from: 0/0 to: 0/0 log: error connect disconnect }
socks block { from: 0/0 to: 0/0 log: error connect disconnect }

Firewall Configuration

Your server’s firewall must permit incoming TCP connections to the Dante server on its listening IPv6 address and port (e.g., 1080).

Using ufw (Uncomplicated Firewall) on Debian/Ubuntu:

1
2
3
4
5
6

# Allow from any IPv6 source to your server's specific IPv6 on port 1080
sudo ufw allow proto tcp from any to [YOUR_SERVER_IPV6_ADDRESS] \
  port 1080 comment 'Dante SOCKS5 IPv6'

sudo ufw reload
sudo ufw status verbose

Using firewalld on CentOS/RHEL/AlmaLinux:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

# Add a rich rule for specific IPv6 destination and port
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv6" \
  destination address="[YOUR_SERVER_IPV6_ADDRESS]" \
  port port="1080" protocol="tcp" accept'

# If using zones, and your external interface is in 'public' zone:
# sudo firewall-cmd --permanent --zone=public --add-port=1080/tcp
# This might open for IPv4 too if not carefully managed by source IPs.
# The rich rule above is more precise for the IPv6 listener.

sudo firewall-cmd --reload
sudo firewall-cmd --list-all

Always ensure your firewall rules are as specific as necessary for your security posture. Restricting source IPv6 ranges is advisable if possible.

Starting and Testing Dante

  1. Validate configuration (optional but recommended): Dante itself doesn’t have a widespread, simple built-in syntax check command that works offline like nginx -t. The server will typically log errors prominently on startup if the configuration is invalid. Always check logs after starting/restarting.

  2. Start and enable the Dante service:

    1
2
3

    sudo systemctl start danted
sudo systemctl enable danted # To start on boot
sudo systemctl status danted

    Carefully examine the status and system logs (journalctl -u danted or the log file specified in danted.conf) for any error messages.

  3. Verify Dante is listening on the IPv6 address:

    1
2
3
4

    ss -tlpn 'sport == :1080' | grep danted
# Expected output should show danted listening on something like:
# LISTEN 0      128      [YOUR_SERVER_IPV6_ADDRESS]:1080  *:*    users:(("danted",...))
# or :::1080 if listening on all IPv6 addresses.

  4. Test from an IPv6-only client: Use a tool like curl from an IPv6-only machine (or a machine configured to prefer IPv6 and able to route to your Dante server’s IPv6 address). The socks5h:// scheme ensures that DNS resolution for the target hostname is performed by the proxy server, not the client.

    For no authentication:

    1
2

    curl -v -x socks5h://[YOUR_SERVER_IPV6_ADDRESS]:1080 http://ipv4.google.com
# Replace ipv4.google.com with any known IPv4-only URL for testing

    For username/password authentication:

    1
2

    curl -v -x socks5h://proxyuser1:yourpassword@[YOUR_SERVER_IPV6_ADDRESS]:1080 \
  http://ipv4.google.com

    A successful connection will display the HTML content of the target page, and curl -v output will show details of the SOCKS handshake and HTTP transaction.

Client-Side Configuration

IPv6-only client applications (web browsers, messaging clients, custom scripts) must be configured to use the Dante SOCKS proxy. This typically involves specifying:

  • Proxy type: SOCKSv5
  • Proxy server: [YOUR_SERVER_IPV6_ADDRESS]
  • Proxy port: 1080
  • Username/Password: If authentication is enabled on the server.

The configuration method varies by application: system-wide proxy settings (less common for SOCKS), browser-specific settings or extensions (e.g., FoxyProxy), environment variables (ALL_PROXY="socks5h://..."), or in-application proxy settings.

Troubleshooting Common Issues

  • Connection Refused (Client to Proxy):
    • Is the danted service running on the server? (systemctl status danted)
    • Firewall on the server blocking incoming connections to port 1080 on its IPv6 address?
    • Incorrect IPv6 address or port in the client’s proxy configuration?
    • Dante not configured to listen on the correct internal IPv6 address in danted.conf? Check danted.log.
  • Connection Timeout / No Route to Host (Proxy to IPv4 Service):
    • Does the Dante server have functional IPv4 connectivity and correct routing?
    • Is the external IPv4 configuration in danted.conf correct?
    • Can the Dante server resolve the IPv4 destination hostname (DNS issue on the server)? Test with dig A ipv4.google.com @your_resolver from the server.
    • Is a firewall on the Dante server (or an upstream network device) blocking outgoing IPv4 traffic?
  • Authentication Failures:
    • Incorrect username or password provided by the client.
    • socksmethod misconfiguration in danted.conf (e.g., set to none when client expects username).
    • Client SOCKS application not correctly supporting or sending SOCKSv5 username/password credentials.
    • If using system users, ensure the user account exists and the password is correct on the Dante server.
    • Check danted.log for detailed authentication error messages.
  • Dante Service Fails to Start or Exits:
    • Syntax errors in danted.conf. This is the most common cause. Examine logs (journalctl -u danted or the configured log file) immediately after attempting to start. Errors are usually descriptive.
    • Specified internal or external IP addresses are not actually configured or available on the server’s network interfaces.
    • Port 1080 is already in use by another application on the server. Use ss -tulnp | grep :1080.
  • internal.protocol or external.protocol Misconfiguration:
    • Ensure these directives appear before their respective internal or external address/interface lines in danted.conf. This is a strict requirement.
    • Confirm your Dante server version supports these directives (Dante 1.4.1 and later are generally fine; check danted.conf(5) man page for your version).

Always consult Dante’s logs first! The information in /var/log/danted.log (or wherever you’ve configured logging) is invaluable for diagnosing problems. Increase log verbosity in rules if necessary (e.g., log: error connect disconnect iooperation).

Comparison with NAT64/DNS64

While Dante SOCKS proxying is an application-layer solution, NAT64/DNS64 operates at the network layer:

  • NAT64/DNS64: DNS64 synthesizes AAAA (IPv6) records for IPv4-only domains, and NAT64 performs network address and protocol translation at a gateway. This solution is generally transparent to client applications once configured at the network level.
  • Dante SOCKS Proxy:
    • Advantages: Offers fine-grained control (per-user authentication, detailed access rules based on source/destination), extensive logging capabilities for proxy activity, can be deployed on a single server without requiring network-wide infrastructure changes.
    • Disadvantages: Requires explicit client-side proxy configuration in applications. Not all applications have robust or straightforward SOCKS proxy support.

Dante is an excellent choice when you require specific access controls, detailed auditing, or when implementing NAT64/DNS64 is not feasible or desired within your network architecture.

Security Considerations

  • Restrict Client Access: In client pass rules, use specific allowed IPv6 source address ranges (e.g., from: 2001:db8:1234::/48 to: ...) instead of the overly permissive ::/0 whenever possible.
  • Strong Authentication: Always use socksmethod: username with strong, unique passwords for proxy users. Avoid socksmethod: none in production environments.
  • Principle of Least Privilege: Ensure user.unprivileged is set to a non-root user with minimal privileges (e.g., nobody or a dedicated dante user).
  • Keep Software Updated: Regularly apply security patches for the Dante server software and the underlying operating system.
  • Robust Firewall Rules: Maintain strict, well-defined firewall rules that only allow necessary traffic to and from the Dante server.
  • Monitoring and Logging: Regularly review Dante logs and system logs for any suspicious activity or repeated failures.

Conclusion

Configuring a Dante SOCKS proxy provides a highly effective and adaptable method for enabling IPv6-only clients to access the vast array of remaining IPv4-only services. By meticulously setting up danted.conf with explicit protocol definitions for internal (IPv6) and external (IPv4) traffic, and by implementing robust security measures such as authentication and stringent firewall rules, administrators can create a reliable and controlled bridge between the two IP worlds. This solution empowers users and applications on modern IPv6 networks to maintain crucial connectivity with legacy systems, facilitating a smoother operational experience during the ongoing global transition to full IPv6 adoption.