Wireguard + Socks proxy

Installing and Using OpenWrt Network and Wireless Configuration
1

Hi!
I'm trying to setup an socks proxy that listens on one of the lan interfaces and on one of the wireguard interfaces.
I tried several socks proxy softwares but I can't get it to work.
The proxies itself do work but the traffic is not going through the wireguard initerface.
For example with dante:
config:

errorlog: syslog
logoutput: /var/log/sockd.log
debug:3
internal: br-lan port = 1080
external: wgc0
clientmethod: none
socksmethod: none
user.privileged: root
user.notprivileged: nobody

client pass {
        from: <clientip> to: 0.0.0.0/0
        log: error connect disconnect
}
client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}
socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: error connect disconnect
}
socks block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}

The proxy is working but a simple test with curl shows my wan ip.
And the wg interface shows tx/rx bytes = 0.
What is the trick here?

//edit
dante log shows it has bound itseslf to the wg interface:

sockd[21254]: debug: int_ifname2sockaddr(): interface wgc0 missing address on index 8 ... skipping
sockd[21254]: debug: socks_bind(): trying to bind address 10.x.x.x.x on fd 7.  Retries is 0
sockd[21254]: debug: socks_bind(): bound address 10.x.x.x.55135 on fd 7

ping -I wgc0 8.8.8.8
works and the wgc0 interface packets are increasing after this.
So the wg interface is working too.

Is there are way to create a virtual interface just for the purpose to run some daemon on it?

2

Well...
I got this working somewhat...
After trying several approaches, I came up with this:
I created a dummy interface with a different subnet:
10.1.0.254/32
LAN Interface is:
10.0.0.254/24

Dummy interface got assigned his own firewall zone.
Dante is listening on the LAN interface as internal and on the dummy interface as external.

Then I used the PBR package to setup policy based routing. (could also be done with build in uci capabilities, I guess?)
Marking packets in the OUTPUT chain from the source address 10.1.0.254.

This works, but the firewall zone for SOCKS5 isn't working.
I can set everything to reject/drop for this zone and remove all forward rules from other zones to this zone but I'm still able to ping 10.1.0.254.

Why is that?

3

I have the exact same problem. Any luck solving it?

This seemed promising initially, but didn't do anything either: https://serverfault.com/a/674389

The last attempt was to bind dante's both internal and external ifs to wg and forward its listening port to lan. Nope, it still used my wan.

4

Alright, desperate measures. Solved it tho.

1)
Download OpenWrt SDK. Get it from the same dir where you download your device's firmware.
For example:
My latest stable upgrade link is: https://downloads.openwrt.org/releases/22.03.3/targets/ramips/mt76x8/openwrt-22.03.3-ramips-mt76x8-tplink_archer-c20-v5-squashfs-sysupgrade.bin
Remove that file name, scroll down, look for openwrt-sdk-

2)
Unpack and cd into.

./scripts/feeds update -a
./scripts/feeds install gcc # dunno, maybe not needed
export STAGING_DIR=path_to_SDK/staging_dir/toolchain-your_arch # note that your_arch

3)
Test it.
hello.c:

#include <stdio.h>

int main()
{
	printf("\nHello, world!\n\n");
	return 0;
}

And then,
path_to_SDK/staging_dir/toolchain-your_arch/bin/your_arch-openwrt-linux-gcc hello.c

Copy,
scp a.out root@your_device:/root/

And,
ssh root@your_device -C './a.out' # should print Hello, world!

4)
Finally.
Grab bindToInterface.c from https://github.com/JsBergbau/BindToInterface
Edit and uncomment //#define DEBUG to see if it's actually doing anything.

path_to_SDK/staging_dir/toolchain-your_arch/bin/your_arch-openwrt-linux-gcc -nostartfiles -fpic -shared bindToInterface.c -o bindToInterface.so -ldl -D_GNU_SOURCE
scp bindToInterface.so root@your_device:/root/

r u n i t !

ssh root@your_device
BIND_INTERFACE=wgc0 DNS_OVERRIDE_IP=1.1.1.1 LD_PRELOAD=/root/bindToInterface.so dropbear -F -E -p your_wgc0_ip:10022

Head to Admin > Network > Firewall > Port Forwards and add:
Source zone: lan
External port: 10022
Destination zone: wgc0
Internal IP: your_wgc0_ip
Internal port: 10022

ssh -D 31337 -N root@your_device

Your local socks proxy is now running on port 31337.