Setting up a reliable and fast SOCKS5 server on Ubuntu 22.04 allows site operators, developers, and businesses to route application traffic through a controlled proxy for privacy, access control, or load separation. This guide provides a practical, security-minded walkthrough using the Dante SOCKS server, including system configuration, firewall/NAT integration, authentication, testing, and production hardening. All examples assume root or sudo access and that you are comfortable with editing configuration files.

Why use a dedicated SOCKS5 server?

SOCKS5 is a versatile proxy protocol that supports TCP and UDP, authentication, and domain name forwarding. Compared with HTTP proxies, SOCKS5 is application-agnostic and commonly used for tunneling non-HTTP traffic (e.g., databases, SSH, custom applications). Running a dedicated SOCKS5 server on a VPS gives you:

  • Controlled egress IP for business services or crawlers.
  • Improved privacy by separating client and server networks.
  • Application-level flexibility since many clients (browsers, curl, proxychains, SOCKS-compatible libraries) support SOCKS5.

Prerequisites

Before starting, prepare the following:

  • An Ubuntu 22.04 server (x86_64) with a public IPv4 address; optional IPv6 considerations are covered later.
  • Root or sudo user.
  • Basic firewall knowledge (UFW/iptables) and a plan for service ports.
  • A Debian/Ubuntu package mirror accessible by apt.

Step 1 — Install Dante (sockd)

Dante is a widely-used SOCKS proxy with flexible access rules and authentication modules. Install it from the default repositories:

sudo apt update && sudo apt install -y dante-server

Verify the package is installed:

dpkg -l | grep dante

Step 2 — Create a dedicated user and directory

For security, run the proxy daemon with a non-root user and isolate logs/config where possible.

sudo useradd -r -s /usr/sbin/nologin sockd
sudo mkdir -p /var/log/sockd /etc/sockd

Adjust ownership:

sudo chown sockd:sockd /var/log/sockd

Step 3 — Basic Dante configuration

The primary Dante config lives in /etc/danted.conf or /etc/sockd.conf depending on package. Replace or create the file with the minimal production-oriented template below. This example enables username/password authentication via PAM and binds to the server’s public IPv4 address on port 1080. Replace YOUR_PUBLIC_IP with the server IP.

/etc/danted.conf

logoutput: syslog /var/log/sockd.log
internal: YOUR_PUBLIC_IP port = 1080
external: YOUR_PUBLIC_IP
method: pam
user.privileged: root
user.notprivileged: sockd
user.libwrap: sockd
clientmethod: none
socksmethod: username

Allow local loopback for management

client pass { from: 127.0.0.0/8 to: 0.0.0.0/0 }
socks pass { from: 0.0.0.0/0 to: 0.0.0.0/0 }

Deny everything else by default

socks block { from: 0.0.0.0/0 to: 0.0.0.0/0 }

Notes:

  • method sets authentication for outgoing connections (pam used here so you can create system users for SOCKS auth).
  • clientmethod controls authentication of client connections to sockd — we use none because socksmethod: username will handle SOCKS username/password transactions.
  • Access rules can be tightened to specific CIDR ranges or ports.

Step 4 — Configure PAM or alternative auth

If using PAM-based auth, create dedicated system users or use a PAM stack that authenticates against an LDAP/AD source for enterprise environments. To create a local user for SOCKS authentication:

sudo adduser --disabled-password --gecos "" socksuser
sudo passwd socksuser

Enter a strong password when prompted. PAM will validate SOCKS username/password requests against the system accounts. For better separation in production, use an LDAP or RADIUS backend and configure PAM accordingly (edit /etc/pam.d/sockd or system PAM stack).

Step 5 — Start and enable the service

After adjusting config, start Dante and enable auto-start:

sudo systemctl enable --now danted
sudo systemctl status danted

Check logs for startup errors:

sudo tail -n 200 /var/log/sockd.log

Step 6 — Firewall and NAT considerations

Open the SOCKS port (1080) only to trusted client ranges if possible. Using UFW:

sudo ufw allow proto tcp from 198.51.100.0/24 to any port 1080 comment 'SOCKS clients'
sudo ufw reload

If your server also needs to NAT outgoing traffic (for clients that expect egress to appear from the server IP), ensure IP forwarding and MASQUERADE rules are configured. Enable forwarding in /etc/sysctl.conf:

net.ipv4.ip_forward=1

Apply immediately:

sudo sysctl -p

Then add an iptables rule to masquerade outgoing traffic on the external interface (replace eth0 with your external NIC):

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Persist iptables rules using iptables-persistent or nftables equivalents for Ubuntu 22.04.

Step 7 — Testing the proxy

From a client machine, test with curl and specifying SOCKS5 and credentials:

curl --socks5-hostname YOUR_SERVER_IP:1080 --proxy-user socksuser:YourPassword https://ifconfig.co

The response should show the server’s public IP. For application-level tests, configure a browser to use a SOCKS5 proxy at YOUR_SERVER_IP:1080 and test web access. Use proxychains or tsocks for CLI tools that don’t support SOCKS natively.

Testing UDP relay

Dante supports UDP ASSOCIATE for UDP-based protocols. Test with applications that support SOCKS5 UDP, or use specialized tools to validate UDP forwarding. Note that UDP support requires proper firewall/UFW rules to allow ephemeral ports and that NAT behavior for UDP is connection-stateful.

Hardening and performance tuning

To operate in production, consider the following measures:

  • Restrict client ranges: Limit the client pass rules to known IP ranges to reduce abuse.
  • Use long, unique credentials or integrate with centralized authentication (LDAP/RADIUS/PAM) so you can revoke access quickly.
  • Run behind a VPN or TLS tunnel: SOCKS5 is not encrypted by default. For security over untrusted networks, require SSH-based SOCKS (ssh -D) or wrap Dante with stunnel/sslh. Alternatively, place Dante behind an IPsec/OpenVPN layer.
  • Logging: Configure logrotate for /var/log/sockd.log and ensure logs are shipped to a centralized log system for auditing.
  • Rate limiting: Apply iptables/nftables rules to mitigate brute-force attempts and configure fail2ban to monitor authentication failures.
  • Resource limits: Tune system limits (/etc/security/limits.conf) for maximum open file descriptors and worker threads to support your expected concurrency.

Performance tips

  • Use a CPU/network-balanced VPS and enable CPU scaling governor performance for heavy use.
  • Enable SO_REUSEPORT and tune kernel network buffers via /etc/sysctl.conf (e.g., net.core.somaxconn, net.ipv4.tcp_rmem, net.ipv4.tcp_wmem).
  • Prefer IPv4 or IPv6 depending on client base; avoid simultaneous dual-stack complexities unless required.

Monitoring and logging

Collect metrics and logs to detect abuse and performance bottlenecks. Key items to monitor:

  • Concurrent connections and per-client connection counts.
  • CPU, network throughput, and socket errors.
  • Authentication failures and unusual access patterns.

Integrate with Prometheus exporters or use existing system metrics collectors (node_exporter) and forward logs to an ELK/Graylog stack for analysis.

IPv6 considerations

If your server has IPv6, bind Dante to the IPv6 address in internal and external entries. Ensure firewall rules allow IPv6 proxy clients and that NAT64/translation needs are understood for IPv4-only destinations. Test IPv6 clients separately and verify egress address behavior.

Troubleshooting checklist

  • If clients cannot connect, verify the daemon is listening: ss -plant | grep 1080.
  • Check logs for auth errors or rule rejections.
  • If DNS resolution fails for proxied clients, ensure Dante is configured to resolve hostnames (use --socks5-hostname behavior client-side) or configure a DNS forwarder reachable by the server.
  • Confirm IP forwarding and iptables NAT rules are in place if clients expect egress to originate from the server IP.

Advanced options

For enterprise deployments, consider:

  • Automated provisioning of credentials via a management API or LDAP sync.
  • High-availability setup using keepalived or clustering with virtual IP failover.
  • Integration with web-based dashboards to manage client access, quotas, and blacklists.
  • Using containerization (Docker) to isolate service instances; ensure proper networking (macvlan/host) and security contexts.

Running a SOCKS5 server on Ubuntu 22.04 with Dante gives you a flexible, performant proxy solution suitable for development, business applications, and controlled access scenarios. Follow best practices for authentication, firewalling, and monitoring to ensure reliable and secure operation. For additional managed options and dedicated IP configurations, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.