🍓 Raspberry Pi Solution: VODKA
🔹 1. 🔵 Keenetic (KeeneticOS 3.9+) — The Easiest Way
📋 Prerequisites
- Router with KeeneticOS 3.9 or newer (Check: System → Updates)
- Access to web interface (usually 192.168.1.1 or my.keenetic.net)
- Proxy credentials: IP:Port, Username, Password
🔧 Step-by-step Setup
Step 1: Install 'Proxy Client' component
- Access the router web interface
- Navigate to Management -> System Settings -> Components
- Search for proxy
- ✅ Check Proxy Client
- (Optional) also check DNS Server and DNS-over-TLS/HTTPS. With Rich Proxy, DNS proxying works out of the box on our servers, so extra DNS protection is not required.
- Click Install update -> router will reboot (2-3 mins)
Step 2: Create a proxy connection
- Navigate to Internet -> Other connections -> Proxy Connections
- Click Add connection
- Fill out the form:
- 🔸 Name: Any (e.g. MySOCKS5)
- 🔸 Protocol: SOCKS v5
- 🔸 Server Address: IP address or domain (e.g. 1.2.3.4)
- 🔸 Port: Proxy port (e.g. 1080)
- 🔸 Authentication: Password
- 🔸 Username: Your username
- 🔸 Password: Your password
- 🔸 Use for Internet access: ✅ Enabled
- Click Save
Step 3: Setup DNS via proxy (Optional)
🔹 2. 🟢 GL.iNet (OpenWRT with GUI)
Why it's popular: A ready-made OpenWRT with a convenient web interface + the ability to install packages via console.
📋 Prerequisites
- GL.iNet Router (Flint, Beryl, Slate, Mango)
- Access to the web interface (192.168.8.1)
- SSH access enabled (enabled by default)
Method A: Via Web Interface (Plugin)
Step 1: Install Plugin (if available)
- Go to the web interface
- Navigate to: Plugins → find Shadowsocks, V2Ray or RedSocks
- Click Install
- After installation, navigate to the plugin settings
Step 2: SOCKS5 Setup
- In the plugin, create a new server:
Type: SOCKS5
Server: 1.2.3.4
Port: 1080
Auth: Username/Password
Username: your_login
Password: your_password
- Enable Global Proxy or configure proper routing rules
- Save and activate
⚠️ Not all plugins support SOCKS5 with authentication. If your plugin lacks it, use Method B.
Method B: Via Console + redsocks2 (Universal)
Step 1: SSH Connection
ssh root@192.168.8.1
# Default password: same as your web-interface
Step 2: Install Packages
opkg update
opkg install redsocks2 iptables-mod-tproxy kmod-ipt-tproxy
Step 3: Setup redsocks2
Open the config: vi /etc/redsocks2.conf
Replace its contents with:
base {
log_debug = off;
log_info = off;
log = stderr;
daemon = on;
redirector = iptables;
}
redsocks {
bind = "192.168.8.1:12345";
relay = "1.2.3.4:1080";
type = socks5;
login = "your_login";
password = "your_password";
autoproxy = 0;
timeout = 10;
}
Save it: :wq in vi.
Step 4: Setup iptables
# Create a new chain
iptables -t nat -N REDSOCKS
# Exclude local networks
iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN
# Redirect traffic to redsocks
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
# Apply routing rules to LAN traffic (interface is usually br-lan)
iptables -t nat -A PREROUTING -i br-lan -p tcp -j REDSOCKS
Step 5: Start & Enable on boot
# Run redsocks2
/etc/init.d/redsocks2 start
# Enable on boot
/etc/init.d/redsocks2 enable
# Check status
/etc/init.d/redsocks2 status
Step 6: Setup DNS (Optional with Rich Proxy)
# With Rich Proxy, all DNS queries are reliably and safely resolved inside the tunnel.
# Feel free to skip this step!
# When using third-party proxies, it is advised to install dnscrypt-proxy:
opkg install dnscrypt-proxy
# And configure /etc/config/dnscrypt-proxy
Step 7: Verification
# From any device on the network:
curl https://api.ipify.org   # should show the Proxy IP-address
nslookup google.com          # should resolve through the proxy
🔄 Saving iptables rules across reboots
GL.iNet running on OpenWRT can drop iptables rules during a reboot. Create the script /etc/firewall.user:
#!/bin/sh
# This file is executed after the firewall rules are loaded
# Re-applying rules for redsocks
iptables -t nat -N REDSOCKS 2>/dev/null || true
iptables -t nat -F REDSOCKS
# ... (all rules from Step 4) ...
Make it executable: chmod +x /etc/firewall.user
🔹 3. 🟡 OpenWRT (Universal Method)
Supported Models: Hardware Table — TP-Link Archer C7, Xiaomi Mi Router 4A, Netgear R7800 and hundreds more.
📋 Prerequisites
- OpenWRT installed (verify version: 21.02 or newer)
- SSH access
- Basic Linux knowledge
🔧 Step-by-step Setup
Step 1: Install Packages
ssh root@192.168.1.1
opkg update
opkg install redsocks2 iptables iptables-mod-tproxy kmod-ipt-tproxy
Step 2: Setup redsocks2
Open: vi /etc/redsocks2.conf
base {
log_debug = off;
log_info = off;
log = syslog;
daemon = on;
redirector = iptables;
}
redsocks {
bind = "192.168.1.1:12345";
relay = "1.2.3.4:1080";
type = socks5;
login = "your_login";
password = "your_password";
autoproxy = 0;
timeout = 10;
}
Step 3: Setup iptables
# Create a new chain
iptables -t nat -N REDSOCKS
# Exclude local addresses (mandatory!)
for net in 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4; do
iptables -t nat -A REDSOCKS -d $net -j RETURN
done
# Redirect the remaining TCP-traffic
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
# Apply to outbound traffic (replace br-lan with your interface name)
iptables -t nat -A PREROUTING -i br-lan -p tcp -j REDSOCKS
💡 Find interface name: ip link show or ifconfig
Step 4: Verify redsocks2
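# Run manually to test
redsocks2 -c /etc/redsocks2.conf
# In another terminal, confirm the listener is up:
netstat -tln | grep 12345
# redsocks2 is a transparent redirector, not a SOCKS5 server,
# so test the upstream proxy and credentials directly:
curl --socks5 1.2.3.4:1080 --proxy-user your_login:your_password https://api.ipify.org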
Step 5: Enable Autostart
Create /etc/init.d/redsocks2:
#!/bin/sh /etc/rc.common
START=99
STOP=01
start() {
/usr/sbin/redsocks2 -c /etc/redsocks2.conf
}
stop() {
killall redsocks2 2>/dev/null
iptables -t nat -F REDSOCKS 2>/dev/null
iptables -t nat -X REDSOCKS 2>/dev/null
}
chmod +x /etc/init.d/redsocks2
/etc/init.d/redsocks2 enable
/etc/init.d/redsocks2 start
Step 6: Saving iptables rules
OpenWRT does not retain iptables rules upon reboot by default.
Option A: Via iptables-persistent
opkg install iptables-persistent
/etc/init.d/iptables-persistent save
Option B: Via /etc/firewall.user
vi /etc/firewall.user
Append to the end of the file:
# Rules for redsocks
iptables -t nat -N REDSOCKS 2>/dev/null || true
iptables -t nat -F REDSOCKS
# ... all rules from Step 3 ...
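The rules for /etc/firewall.user written out in full and made safe to re-run, as an added example (not the vendor's script) that serves both the GL.iNet section and this OpenWRT step. The file name redsocks-rules.sh and the IPT, LAN_IF and REDSOCKS_PORT variables are assumptions for illustration; the PREROUTING jump is tested with `iptables -C` before it is appended, so a firewall reload does not stack duplicate jumps.

```sh
#!/bin/sh
# Added example: idempotent redsocks NAT rules (hypothetical file /etc/redsocks-rules.sh).
# Assumptions: LAN bridge br-lan and redsocks port 12345, as in the steps above.
IPT="${IPT:-iptables}"                  # overridable so the logic can be dry-run
LAN_IF="${LAN_IF:-br-lan}"              # use br0 on ASUS Merlin
REDSOCKS_PORT="${REDSOCKS_PORT:-12345}"
RESERVED_NETS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

apply_redsocks_rules() {
    # Create the chain if it is missing, then empty it so a reload never stacks rules.
    $IPT -t nat -N REDSOCKS 2>/dev/null || true
    $IPT -t nat -F REDSOCKS

    # Local, link-local, multicast and reserved destinations bypass the proxy.
    for net in $RESERVED_NETS; do
        $IPT -t nat -A REDSOCKS -d "$net" -j RETURN
    done

    # All remaining TCP goes to the local redsocks listener.
    $IPT -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports "$REDSOCKS_PORT"

    # Hook the chain into PREROUTING only once: -C succeeds if the rule already exists.
    $IPT -t nat -C PREROUTING -i "$LAN_IF" -p tcp -j REDSOCKS 2>/dev/null ||
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp -j REDSOCKS
}

# Apply only when asked to, e.g. from /etc/firewall.user:
#   sh /etc/redsocks-rules.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_redsocks_rules
fi
```

On OpenWRT 22.03 and later the default firewall is fw4 (nftables), so confirm that iptables rules and /etc/firewall.user are actually processed on your build.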
Step 7: Setup DNS (Optional with Rich Proxy)
When using Rich Proxy, this step can be ignored since the DNS automatically resolves securely on the proxy server's side. For third-party untrusted proxies:
# Install dnscrypt-proxy
opkg install dnscrypt-proxy
# Configure /etc/config/dnscrypt-proxy
vi /etc/config/dnscrypt-proxy
Minimal configuration example:
config dnscrypt-proxy
option address '127.0.0.1:5353'
option port '5353'
option resolv_conf '/tmp/resolv.conf.auto'
Then in /etc/config/dhcp:
config dnsmasq
option noresolv '1'
option server '127.0.0.1#5353'
Restart the services:
/etc/init.d/dnsmasq restart
/etc/init.d/dnscrypt-proxy restart
Step 8: Final Checks
# Test external IP-address
curl https://api.ipify.org
# Test DNS
nslookup google.com
# Online checker: open from a device on the network
# - https://ipleak.net
# - https://dnsleaktest.com
🔹 4. 🔵 ASUS Merlin + Entware
Supported Models: RT-AX86U, RT-AX88U, GT-AX11000, RT-AC86U and others from the compatibility list.
📋 Prerequisites
- ASUS Merlin firmware installed
- SSH access enabled (Administration → System → Enable SSH)
- Entware installed (via amtm)
🔧 Step-by-step Setup
Step 1: Install Entware (if not done yet)
# Connect via SSH (log in with your router's admin account)
ssh <admin_user>@192.168.1.1
# Install amtm (manager for Merlin)
# Note: this runs a downloaded script directly in the router's shell
curl -sL https://raw.githubusercontent.com/SomeWhereOverTheRainBow/asuswrt-merlin.entware/master/amtm.sh | sh
# Within the amtm menu, select Entware installation
Step 2: Install redsocks or proxychains
# Update package list
opkg update
# Install redsocks
opkg install redsocks
# Or proxychains-ng for single commands
opkg install proxychains-ng
Step 3: Setup redsocks
vi /opt/etc/redsocks.conf
base {
log_debug = off;
log_info = off;
log = "syslog:daemon";
daemon = on;
redirector = iptables;
}
redsocks {
bind = "192.168.1.1:12345";
relay = "1.2.3.4:1080";
type = socks5;
login = "your_login";
password = "your_password";
autoproxy = 0;
timeout = 10;
}
Step 4: Run redsocks
# Run manually
/opt/etc/init.d/S99redsocks start
# Check status
ps | grep redsocks
Step 5: Setup iptables
# Uses the same rules as OpenWRT
iptables -t nat -N REDSOCKS
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
# ... remaining exclusions ...
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
iptables -t nat -A PREROUTING -i br0 -p tcp -j REDSOCKS
💡 On ASUS Merlin, the primary interface is typically br0, and not br-lan
Step 6: Autostart
Create the script /jffs/scripts/services-start:
#!/bin/sh
# This script executes after system boot
# Waiting for network to initialize
sleep 30
# Run redsocks
/opt/etc/init.d/S99redsocks start
# Apply iptables rules
iptables -t nat -N REDSOCKS 2>/dev/null || true
# ... your rules ...
chmod +x /jffs/scripts/services-start
Step 7: Verification
Similar to previous setups:
curl https://api.ipify.org
nslookup google.com
🔹 5. 🟣 MikroTik RouterOS (v7.x)
Why professionals choose it: Power, flexibility, 24/7 stability.
📋 Prerequisites
- RouterOS 7.x (Socksify function is available from version 7.1)
- Access via WinBox or SSH
- Basic understanding of MikroTik firewall rules
Method A: Native Socksify Function
Step 1: Creating socksify service
# Using the terminal (WinBox: New Terminal)
/ip socksify add name=MyProxy socks5-server=1.2.3.4 socks5-port=1080 socks5-user=your_login socks5-password=your_password connection-timeout=30 disabled=no
Step 2: Permit incoming connections to the service
/ip firewall filter add action=accept chain=input dst-port=952 protocol=tcp src-address=192.168.88.0/24 comment="Allow SOCKSIFY from LAN"
Port 952 is standard for the socksify service
Step 3: Redirect traffic via socksify
# Proxy all web-traffic (port 80, 443) from the local network
/ip firewall nat add action=socksify chain=dstnat dst-port=80,443 protocol=tcp socksify-service=MyProxy src-address=192.168.88.0/24 comment="Proxy web traffic"
Step 4: Verification
# From a device on the network:
curl https://api.ipify.org
Socksify within MikroTik only operates for outgoing traffic and only via NAT rules. Not all protocols are supported by socksify.
Method B: Container running redsocks (RouterOS 7.12+)
If you have RouterOS 7.12+ which supports containers:
Step 1: Fetching the image
# Download or build a redsocks image
# Example: create a Dockerfile on your PC
FROM alpine:latest
RUN apk add --no-cache redsocks iptables
COPY redsocks.conf /etc/redsocks.conf
ENTRYPOINT ["/usr/sbin/redsocks", "-c", "/etc/redsocks.conf"]
Step 2: Upload image payload to router
# Via SCP or standard file-system drop
Step 3: Run the container
/container
add interface=bridge-local root-dir=redsocks logging=yes
start [find]
Step 4: Configure traffic redirecting
# Redirect your traffic directly to the container
/ip firewall nat add action=dst-nat chain=dstnat dst-port=80,443 protocol=tcp to-addresses=172.17.0.2 to-ports=12345 comment="Redirect to redsocks container"
📊 Summary Matrix: Difficulty and Capabilities
| Platform | Difficulty | Authentication | Transparent Proxying | Autostart | Perfect for |
|---|---|---|---|---|---|
| Keenetic | ⭐ Low | ✅ Native | ✅ Via Priorities | ✅ Automatically | Home, small office |
| GL.iNet | ⭐⭐ Medium | ✅ Via Extensions | ✅ redsocks | ⚠️ Setup required | Travel, enthusiasts |
| OpenWRT | ⭐⭐⭐ High | ✅ redsocks2 | ✅ Full | ⚠️ Via scripts | Advanced users |
| ASUS Merlin | ⭐⭐ Medium | ✅ Entware | ✅ redsocks | ⚠️ Via services-start | Gamers, Home networks |
| MikroTik | ⭐⭐⭐⭐ Extremely High | ✅ Socksify | ⚠️ Via NAT/containers | ✅ Automatically | Corporate networks |
🔐 Critical Recommended Fixes (All Platforms)
1. DNS Leak Protection (handled automatically by Rich Proxy)
With ordinary proxies, always control where DNS queries are sent so that your ISP cannot observe them. With Rich Proxy, all DNS traffic is proxied inside the transparent tunnel, so no extra DoT/DoH setup is required.
If you deploy third-party proxies, remember:
- Keenetic: Bind DNS-over-TLS to your proxy connection interface.
- OpenWRT/GL.iNet: Run dnscrypt-proxy or embed DoH into redsocks.
- MikroTik: Configure /ip dns set use-doh-server=... and enforce the proxy rule.
2. Exclusion of Local Subnets
Never proxy your entire LAN indiscriminately. Skipping this exclusion cuts off access to other devices on the same network, such as printers and smart home gateways:
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
3. Emergency Access Check
Before enabling transparent proxying for the whole network:
- Save a backup of your current working router configuration locally.
- Verify that a secondary console connection is available (one that does not depend only on the bridged network interface).
- Test the steps in a virtual machine first if you are able to.
4. Post-Setup Audit Verification
# Mandatory post-setup checklist:
# 1. Check the external IP:
curl https://api.ipify.org
# 2. Check for DNS leaks:
nslookup google.com
# or verify online via dnsleaktest.com
# 3. WebRTC leak audit (for web browsers):
# Open https://browserleaks.com/webrtc
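The subnet exclusions from recommendation 2 can be audited alongside the checks above. This added example (not part of the original guide) inspects `iptables-save -t nat` output for the guide's RETURN exclusions, the REDIRECT port and the PREROUTING hook; the function names and the sample ruleset are constructed for illustration.

```sh
#!/bin/sh
# Added example, not vendor code. On the router:
#   iptables-save -t nat | audit_redsocks_nat br-lan 12345
RESERVED_NETS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

# Line number of the first rule containing the fixed string $1 (empty if absent).
first_line() {
    printf '%s\n' "$RULES" | grep -nF -- "$1" | head -n 1 | cut -d: -f1
}

# audit_redsocks_nat LAN_IF PORT: reads a ruleset on stdin, prints one finding per line.
audit_redsocks_nat() {
    lan_if=$1; port=$2
    RULES=$(cat)
    redirect=$(first_line "-A REDSOCKS -p tcp -j REDIRECT --to-ports $port")
    [ -n "$redirect" ] || echo "no-redirect-to-port $port"
    for net in $RESERVED_NETS; do
        excl=$(first_line "-A REDSOCKS -d $net -j RETURN")
        if [ -z "$excl" ]; then
            echo "missing-exclusion $net"
        elif [ -n "$redirect" ] && [ "$excl" -gt "$redirect" ]; then
            # Rules are evaluated in order, so a RETURN after the REDIRECT never matches TCP.
            echo "exclusion-after-redirect $net"
        fi
    done
    # Exactly one jump from the LAN interface; more means a boot script re-appended it.
    hooks=$(printf '%s\n' "$RULES" | grep -cF -- "-A PREROUTING -i $lan_if -p tcp -j REDSOCKS" || true)
    [ "$hooks" -eq 1 ] || echo "prerouting-hooks $hooks"
    return 0
}

# Constructed sample: 192.168.0.0/16 is missing, 10.0.0.0/8 was added after the
# REDIRECT, and the PREROUTING hook was appended twice.
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:REDSOCKS - [0:0]
-A PREROUTING -i br-lan -p tcp -j REDSOCKS
-A PREROUTING -i br-lan -p tcp -j REDSOCKS
-A REDSOCKS -d 0.0.0.0/8 -j RETURN
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 169.254.0.0/16 -j RETURN
-A REDSOCKS -d 172.16.0.0/12 -j RETURN
-A REDSOCKS -d 224.0.0.0/4 -j RETURN
-A REDSOCKS -d 240.0.0.0/4 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
-A REDSOCKS -d 10.0.0.0/8 -j RETURN
COMMIT
EOF
}
```

An empty result means the nat table matches the guide's rules; the chain only handles TCP, so it says nothing about UDP traffic such as DNS on port 53.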
5. Maintenance and Logging
# OpenWRT/GL.iNet:
logread | grep redsocks
# Keenetic:
# Administrative Dashboard → System Information → Logs
# MikroTik:
/log print
🚨 Absolute Antipatterns (Do NOT Perform)
- ❌ Do not configure blindly: always keep a backup console route that does not depend on the settings you are changing.
- ❌ Do not proxy local and loopback ranges: always exclude 192.168.0.0/16, 10.0.0.0/8, 127.0.0.0/8 in the rule tables.
- ❌ Do not ignore DNS leaks (when using third-party proxies): without DoH/DoT, the domains you look up are exposed to the ISP. Rich Proxy handles this automatically.
- ❌ Do not use free or public SOCKS5 proxies on the router: these generally track traffic or inject unwanted content. Use privately purchased proxies allocated to you.
- ❌ Do not forget autostart: on several vendors' firmware a reboot clears the firewall tables, which unexpectedly leaves the proxy path disconnected.
💡 Equipment Matrix: Picking the Right Router for Your Setup
- 🏠 Basic household where reliability matters most?
→ Get a Keenetic with the integrated Proxy Client component
Workflow outline: App dashboard → Install component → Set up proxy → Tune priorities
- ✈️ Frequent traveller who needs a portable device?
→ Choose a GL.iNet Beryl or Mango
Workflow outline: Web GUI, or SSH with redsocks
- 🔧 Enthusiast who wants full control from the console?
→ Any hardware running OpenWRT with redsocks2
Workflow outline: SSH in → Install packages → Edit the config → Write the iptables rules → Set up the init script
- 🎮 Demanding gamer with an ASUS router?
→ Flash Merlin and use Entware to run redsocks
Workflow outline: Use amtm → Run opkg → Edit the configs → Add to services-start
- 🏢 Corporate infrastructure that needs stable multi-channel operation?
→ Get MikroTik hardware with Socksify or a dedicated proxy container
Workflow outline: WinBox access → /ip socksify → Configure the NAT rules
Final Note:
If you are setting up your first proxy router from scratch, we recommend starting with the GUI-based platforms, Keenetic or GL.iNet. They strike a good balance between functionality and initial setup complexity. For more advanced routing with fine-grained iptables control, move on to plain OpenWRT.
Found an error, or a method that does not work at all?
Technology changes constantly. If these instructions are outdated, you hit a roadblock, or your connection drops for no apparent reason, please let us know! We will verify the details and help you get your device set up.
Want personalized advice?
Use ChatGPT. We have prepared a standard prompt for AI models, tailored to Rich Proxy deployments, to help you tune your routing parameters.