Setting up a production-ready SOCKS5 service on CentOS 9 can be completed in minutes if you follow a clear, secure workflow. This article walks you through a practical, technically detailed setup using the Dante SOCKS server (sockd). The resulting service supports username/password authentication, integrates with system users, and includes firewall and systemd configuration. The target audience includes sysadmins, devops engineers, and site owners who need a reliable, private SOCKS5 endpoint on a Dedicated IP server.

Why choose Dante (sockd) on CentOS 9?

Dante is a mature, widely used SOCKS server that supports SOCKS v4 and v5, ACLs, multiple authentication methods, and robust logging. For CentOS 9, Dante provides a balance of performance, configurability, and security controls. Compared with ad-hoc SSH-based SOCKS tunnels, Dante runs as a system service, supports multiple concurrent authenticated clients, and can be hardened to meet enterprise needs.

Prerequisites and assumptions

  • CentOS 9 (or CentOS Stream 9) server with a publicly routable IP address (root or sudo access).
  • Basic familiarity with building packages from source or installing EPEL packages.
  • Firewall management via firewalld or iptables/nftables and optional SELinux in enforcing mode.

Step 1 — Prepare the system

Start by updating the system and installing required build tools and dependencies. Run as root or via sudo:

Install updates and development tools

dnf -y update
dnf -y install epel-release
dnf -y groupinstall "Development Tools"
dnf -y install pam-devel openssl-devel libwrap-devel wget

Note: If you prefer to use a packaged Dante (when available), install from EPEL. Building from source gives you the latest stable features and control over install paths.

Step 2 — Download, build and install Dante

Fetch the latest stable Dante release (check the official site for the latest version). Example steps:

cd /usr/local/src
wget https://www.inet.no/dante/files/dante-1.4.2.tar.gz
tar xzf dante-1.4.2.tar.gz
cd dante-1.4.2
./configure --prefix=/usr --sysconfdir=/etc --with-pam
make -j$(nproc)
make install

The --with-pam option enables PAM authentication so Dante can authenticate SOCKS users against local system accounts. Adjust --prefix/--sysconfdir if you have policies for custom paths.

Step 3 — Create a dedicated system user for the daemon

It’s best practice to run the server with minimal privileges. Create a non-login user for sockd to drop privileges to if configured:

useradd -r -s /sbin/nologin sockd

However, Dante still needs root privileges at startup to bind privileged ports and set networking; the configuration will include privileged/unprivileged user settings.

Step 4 — Configure Dante (important config options)

Create /etc/sockd.conf with the following example. This config uses PAM for username/password authentication, restricts clients to a specific network or interface, logs activity, and hides unnecessary verbosity.

# /etc/sockd.conf
logoutput: /var/log/sockd.log
# listen on all interfaces, TCP 1080 (bind to a single address if you can)
internal: 0.0.0.0 port = 1080
# interface used for outbound connections (the public NIC name)
external: eth0
# SOCKS-level authentication via PAM. Dante 1.4 calls this "socksmethod";
# pam.username requires a username/password, pam.any also accepts address-based PAM.
socksmethod: pam.username
# no authentication at the TCP-connection stage; the socks rules enforce it
clientmethod: none
user.privileged: root
user.notprivileged: sockd
user.libwrap: sockd
# Rules are evaluated first-match. "client" rules decide who may connect to
# sockd at all; "socks" rules decide what an authenticated client may request.
# Tighten "from:" in the client rule too when the client networks are known.
client pass { from: 0.0.0.0/0 to: 0.0.0.0/0 log: connect error }
socks pass { from: 192.0.2.0/24 to: 0.0.0.0/0 protocol: tcp log: connect disconnect error }
socks block { from: 0.0.0.0/0 to: 0.0.0.0/0 log: connect error }

Key notes on the directives:

  • internal — interface and port sockd listens on (0.0.0.0:1080 opens on all interfaces; bind to one address where possible).
  • external — network interface used for outbound traffic (use the public NIC name, e.g., eth0 or ens3).
  • method (socksmethod in Dante 1.4) — auth backend; the pam methods authenticate against system accounts through PAM.
  • user.privileged and user.notprivileged — ensure the process drops privileges after binding.
  • ACLs (client/socks pass and block rules) — evaluated first-match; they explicitly control which clients can connect and what destinations are allowed.

Creating SOCKS users (system accounts)

Since we configured PAM, create a system user for each SOCKS client. For security, set a strong password and a locked shell:

useradd -M -s /sbin/nologin alice
passwd alice

Consider using a dedicated user group (e.g., socksusers) and apply account expiration or two-factor policies for enterprise environments.

Step 5 — Systemd unit and logging

Create a systemd unit to manage sockd. Example unit file at /etc/systemd/system/sockd.service:

[Unit]
Description=Dante SOCKS Proxy Server
After=network-online.target
Wants=network-online.target

[Service]
# sockd stays in the foreground unless started with -D, so Type=simple fits;
# use Type=forking plus "sockd -D" and a PIDFile if you prefer a detached daemon.
Type=simple
# refuse to (re)start on a broken configuration
ExecStartPre=/usr/sbin/sockd -V -f /etc/sockd.conf
ExecStart=/usr/sbin/sockd -f /etc/sockd.conf
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target

Reload systemd, enable and start the service:

systemctl daemon-reload
systemctl enable --now sockd

Check status and logs:

systemctl status sockd
tail -f /var/log/sockd.log

Step 6 — Firewall and networking

Open the SOCKS port (1080) in firewalld or your firewall of choice. Example using firewalld:

firewall-cmd --permanent --add-port=1080/tcp
firewall-cmd --reload

If you run nftables/iptables, add a rule allowing TCP 1080 from allowed client networks only. Always prefer restricting access to known IPs or VPN peers rather than opening to the entire Internet.

Step 7 — Testing connectivity

From a client machine, test authentication and proxied connections.

Using curl:

curl --socks5-hostname alice@your-server-ip:1080 https://ifconfig.co

Or use a GUI browser proxy configuration pointing to SOCKS5 host: your-server-ip, port: 1080, with username/password. Verify the external IP and that DNS resolution flows through the proxy (use --socks5-hostname so the proxy resolves names; plain --socks5 resolves them locally and leaks DNS queries).

Security hardening recommendations

  • Limit client access: Use ACLs in sockd.conf to restrict which IP ranges can use the proxy. Use firewall rules to further reduce exposure.
  • Strong authentication: Use system accounts with strong passwords or integrate with LDAP/RADIUS for centralized auth. Consider time-limited accounts or OTP when possible.
  • Encrypt the transport: SOCKS5 itself does not provide encryption. If you need confidentiality over untrusted networks, combine SOCKS5 with an SSH tunnel (ssh -D) or TLS wrapper such as stunnel, or run the server inside a VPN (WireGuard/OpenVPN) and restrict access to the VPN.
  • Monitoring and alerts: Tail logs (/var/log/sockd.log), use fail2ban to block repeated failed authentication attempts, and set up log rotation for sockd logs.
  • Run minimal privileges: Ensure sockd drops privileges after binding and runs as a dedicated non-privileged user.
  • SELinux: If SELinux is enforcing, test carefully. If issues arise, either add targeted policies or run SELinux permissive while you produce a proper policy. Avoid disabling SELinux permanently in production.

Advanced configuration ideas

For enterprise users and developers, consider the following:

  • Per-user rate limits: Use external traffic shaping (tc/qdisc) tied to source addresses to limit bandwidth per user.
  • Destination restrictions: Use detailed ACLs to limit which ports or subnets users can reach (for compliance or security segmentation).
  • Logging and SIEM integration: Forward sockd logs to a central logging system (rsyslog/remote syslog or Fluent/ELK) for audit and anomaly detection.
  • Containerized deployment: Run sockd in a lightweight container with strict networking to isolate the proxy process from the host.
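The "limit client access" and "destination restrictions" advice above is easiest to keep consistent when sockd's ACLs and the host firewall are generated from the same list of client networks. The script below is an added example, not code from the article or from the Dante project: it validates an allowlist of IPv4 CIDRs, renders Dante 1.4 socks rules (private destination ranges blocked first, one pass rule per client network and permitted destination port, catch-all block last, all with logging) and the matching firewalld rich rules. It assumes Dante 1.4.x rule syntax, firewalld as the host firewall, and a constructed sample allowlist; the file path /etc/sockd-allowlist.txt mentioned in the comments is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not part of the original article or of the Dante project):
# generate the Dante socks ACL and the matching firewalld rich rules from ONE
# allowlist of client networks, so sockd.conf and the host firewall cannot drift
# apart. Assumptions: Dante 1.4.x rule syntax (socks pass / socks block),
# firewalld on the host, and an allowlist of IPv4 CIDRs, one per line, with
# '#' comments. The allowlist below is constructed for the demo; in practice
# read it from a file such as /etc/sockd-allowlist.txt (hypothetical path).
set -eu

SAMPLE_ALLOWLIST='# office egress address
192.0.2.0/24
# VPN concentrator peers
198.51.100.0/24
# malformed entry: must be rejected, never silently turned into a rule
300.1.1.1/24'

# valid_cidr A.B.C.D/N -> exit 0 for a well-formed IPv4 CIDR, 1 otherwise
valid_cidr() {
  local cidr="$1" ip mask o
  case "$cidr" in */*) ;; *) return 1 ;; esac
  ip="${cidr%/*}"; mask="${cidr#*/}"
  case "$mask" in ''|*[!0-9]*) return 1 ;; esac
  [ "$mask" -le 32 ] || return 1
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# clean_allowlist: stdin -> stdout; comments and blank lines dropped,
# malformed entries reported on stderr and skipped
clean_allowlist() {
  local line
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "${line%%#*}" | tr -d ' \t')
    [ -n "$line" ] || continue
    if valid_cidr "$line"; then
      printf '%s\n' "$line"
    else
      printf 'allowlist: rejected malformed entry "%s"\n' "$line" >&2
    fi
  done
}

# render_socks_rules "PORT ..." < cleaned-allowlist -> Dante socks rules.
# Dante evaluates rules first-match: blocks for private destination ranges come
# first, then one pass rule per (client network, destination port), then a
# final catch-all block. Every rule logs, so the audit trail is complete.
render_socks_rules() {
  local ports="$1" net p
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
    printf 'socks block { from: 0.0.0.0/0 to: %s log: connect error }\n' "$net"
  done
  while IFS= read -r net; do
    for p in $ports; do
      printf 'socks pass {\n    from: %s to: 0.0.0.0/0 port = %s\n' "$net" "$p"
      printf '    command: connect\n    protocol: tcp\n    socksmethod: pam.username\n'
      printf '    log: connect disconnect error\n}\n'
    done
  done
  printf 'socks block { from: 0.0.0.0/0 to: 0.0.0.0/0 log: connect error }\n'
}

# render_firewall_cmds PORT < cleaned-allowlist -> firewall-cmd invocations that
# admit the SOCKS port only from the listed networks and withdraw the blanket
# --add-port opening from Step 6.
render_firewall_cmds() {
  local port="$1" net
  while IFS= read -r net; do
    printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"tcp\" accept'\n" "$net" "$port"
  done
  printf 'firewall-cmd --permanent --remove-port=%s/tcp\n' "$port"
  printf 'firewall-cmd --reload\n'
}

# Demo on the constructed allowlist: review the output, then append the socks
# rules to /etc/sockd.conf (before any existing catch-all block) and run the
# firewall commands as root.
cleaned=$(printf '%s\n' "$SAMPLE_ALLOWLIST" | clean_allowlist)
printf '%s\n' "$cleaned" | render_socks_rules "443 22"
printf '%s\n' "$cleaned" | render_firewall_cmds 1080
```

The rendered rules only permit CONNECT over TCP to the ports you pass in, which is what most proxy users need; add BIND or UDP rules deliberately rather than by default. Because the same cleaned list feeds both renderers, a malformed or unexpected network in the allowlist is rejected in one place and never reaches either sockd or firewalld.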

Troubleshooting

Common issues and quick checks:

  • sockd won’t start — check /var/log/sockd.log and systemd journal (journalctl -u sockd). Look for configuration syntax errors or missing privileges.
  • Authentication failures — verify PAM login works for the user, test locally with su or ssh, and ensure the user shell is valid for the chosen PAM configuration.
  • Clients cannot connect — verify firewall rules, listening address (ss -tlpn | grep 1080), and external interface setting in sockd.conf.
  • DNS leaks — use client tools that support SOCKS5 hostname resolution (curl --socks5-hostname) or configure the client to resolve names through the proxy.

Wrap-up and operational notes

Deploying a secure SOCKS5 server on CentOS 9 with Dante provides a flexible proxy solution for developers and companies requiring a dedicated IP-based outbound channel. Combine strict ACLs, strong authentication, monitoring, and transport-layer encryption where necessary to achieve a secure posture. Keep the service updated and periodically review user accounts and ACLs to maintain security hygiene.

For more guides, management tips, and Dedicated-IP best practices, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.