• Deutsch
  • Español
  • Français
  • Bahasa Indonesia
  • Polski
  • Português
  • Русский
  • Українська
  • 简体中文
This page is not translated into all languages.
Sign in My account
Blog

How to Set Up a SOCKS5 Proxy Server on Linux (Ubuntu and Other Distros)

  • Seo Za
  • October 23, 2025
  • 11 minutes

Introduction to SOCKS5 Proxies and Why You Need One on Linux

A SOCKS5 proxy offers a versatile, low-level way to route your Linux system's network traffic. Unlike an HTTP proxy that only reinterprets web requests, a SOCKS5 proxy is protocol-agnostic—it can handle any data over TCP or UDP, from email and P2P to gaming.

The core trade-off is that this raw flexibility comes at the cost of the application-level intelligence HTTP/HTTPS proxies offer. A SOCKS5 proxy blindly forwards packets, with no native caching or content inspection. That's the fundamental difference between SOCKS5 and HTTP proxies: one offers universality, the other application-specific features like caching.

For Linux users, this trade-off often works in your favor. The main benefits are enhanced privacy from masking your true IP, and the ability to bypass geo-restrictions for a wide range of applications, not just web browsing. A SOCKS5 proxy can also be paired with an SSH tunnel to create a fully encrypted connection for all network traffic, which gives developers and analysts a lot of control over complex scraping or testing environments. For managed solutions, you can explore various SOCKS5 proxy services.

Feature
SOCKS5 Proxy
HTTP/HTTPS Proxy
OSI Layer
Layer 5 (Session)
Layer 7 (Application)
Protocol Support
Any TCP/UDP
HTTP, HTTPS, FTP
Core Function
Circuit-level Gateway
Application-level Gateway

Now that the what and why of SOCKS5 proxies is clear, let's gather the tools and access you'll need.

Prerequisites for Setting Up Your Linux SOCKS5 Proxy

Before you begin, make sure you meet these basics. For best results and to avoid software conflicts, start with a clean, minimal OS install. You'll need:

  • A Linux server: A VPS or dedicated machine. Our examples cover popular distributions like Ubuntu, Debian, and Rocky Linux.
  • Administrative access: Either full root access or a user account with sudo privileges to install software and modify configurations.
  • Remote connectivity: Basic knowledge of SSH, and an SSH client (e.g., PuTTY or your local terminal) to connect to your server.

With your server ready, let's move to the first and most robust method: installing and configuring a dedicated Dante SOCKS5 proxy server.

Method 1: Setting Up Dante SOCKS5 Proxy Server on Linux

Dante is a high-performance, circuit-level SOCKS proxy server, and a solid choice for a private, secure SOCKS5 proxy on a Linux server like Ubuntu or Debian. This section walks through installation, configuration, and security hardening from start to finish.

Step-by-Step Installation and Basic Configuration

First, connect to your server and make sure your package list is up to date. Then install the dante-server package.

sudo apt update && sudo apt upgrade -y
sudo apt install dante-server -y

Once installed, the main configuration file is /etc/danted.conf. It's good practice to back up the original before making changes.

sudo mv /etc/danted.conf /etc/danted.conf.bak

Now create a new danted.conf file. The example below configures a simple, authenticated proxy—a common setup for a developer or small team routing traffic through a single, controlled VPS.

# /etc/danted.conf - Basic setup for a private proxy
logoutput: /var/log/danted.log

# Bind to the server's internal network
internal: eth0 port = 1080

# Use the same interface for outgoing connections
external: eth0

# Use system user authentication
socksmethod: username

# Run the proxy daemon as a non-privileged user
user.privileged: root
user.unprivileged: nobody

# --- Access Rules ---

# Allow authenticated clients to connect to any destination
client pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: error connect disconnect
}

# Block all other client connections
client block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}

# --- Server Rules ---

# Allow the proxy to forward traffic from authenticated clients
pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
protocol: tcp udp
log: error connect disconnect
}

# Block all other forwarding requests
block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}

Note: replace eth0 with your server's actual network interface name, which you can find by running ip a.

Securing Your Dante Proxy with User Authentication and IP Restrictions

Failing to secure your proxy is a serious mistake. An unsecured, open proxy isn't a private tool—it's a public liability waiting to be discovered and abused.

The mistake: Configuring Dante to allow all connections without authentication—often done by setting socksmethod: none alongside a permissive client pass rule like from: 0.0.0.0/0.

The motivation: Simplicity. An engineer might set it up this way for a "quick test," or assume the server's IP is obscure enough that no one will find the open port.

The cost: The consequences tend to be swift. Automated scanners run by malicious actors constantly patrol the internet, and open proxies are typically found within hours. Once found, your server gets used for spam, DDoS attacks, click fraud, or accessing illegal content, and that abuse gets your server's IP blacklisted across the web—rendering it useless for legitimate work. Your hosting provider may issue a warning or terminate your service for a terms violation. The real cost isn't just the wasted server—it's the engineering time spent migrating services and handling support tickets.

To prevent this, enforce authentication. The configuration above already specifies socksmethod: username, which requires clients to provide a valid system username and password. Create a dedicated, non-root user for proxy access.

# Create a user named 'proxyuser' without a home directory
sudo useradd --shell /usr/sbin/nologin proxyuser

# Set a strong password for this user
sudo passwd proxyuser

For an even higher level of security, restrict access to specific IP addresses. If you know the static IP of the client machine that will use the proxy, update the client pass rule in danted.conf.

# /etc/danted.conf - Restrict access by IP
# ... other settings ...

# Allow connections ONLY from a specific IP and require authentication
client pass {
from: 198.51.100.25/32 to: 0.0.0.0/0
log: error connect disconnect
}

# Block everyone else
client block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}

# ... other settings ...

Managing Dante Service and Firewall Rules

After configuring danted.conf, manage the Dante service with systemctl. First, test your configuration file for syntax errors.

sudo danted -f /etc/danted.conf -V

If there are no errors, start and enable the service. Enabling it means Dante starts automatically on server boot.

# Start the Dante service
sudo systemctl start danted

# Enable it to start on boot
sudo systemctl enable danted

# Check the service status
sudo systemctl status danted

Finally, configure your firewall to allow connections on the SOCKS5 port (1080/tcp). Using ufw (Uncomplicated Firewall) on Ubuntu/Debian, the command is straightforward. To maximize security, only allow your specific client IP.

# Allow traffic on port 1080 only from your trusted IP
sudo ufw allow from 198.51.100.25 to any port 1080 proto tcp

# If you need to allow any IP (less secure)
# sudo ufw allow 1080/tcp

# Reload ufw to apply the new rules
sudo ufw reload

Your secure Dante SOCKS5 proxy is now operational.

While Dante provides a powerful, permanent proxy solution, it might be more than you need for personal tasks or temporary access. For a much lighter approach that requires zero server-side installation, you can use SSH SOCKS tunneling instead.

Method 2: SSH SOCKS Tunneling – A Lighter Approach (for Personal Use)

For personal or temporary use, a full proxy server setup is often overkill. An SSH SOCKS tunnel is a lightweight, secure, fast alternative that uses a standard SSH client to create a dynamic proxy. It establishes an encrypted connection to a remote Linux server you control and forwards your local traffic through it.

The idea is simple: a single command creates a dynamic port forward. This tells your SSH client to listen on a local port (e.g., 1080) on your machine. Any traffic sent to that localhost port is automatically and securely channeled through the remote server before reaching its final destination. This effectively creates an on-demand SOCKS5 proxy, using SSH's built-in encryption without any extra server-side configuration.

Setting Up the SSH Tunnel on Your Client Machine

On a macOS or Linux client, you can set up the tunnel with a single terminal command. Windows users can use PuTTY's graphical interface to achieve the same result.

The core command to create a SOCKS proxy with SSH is:

ssh -D 1080 -f -N -C user@your_remote_server_ip

Here's a breakdown of the flags:

  • -D 1080: The key flag—specifies a dynamic port forward on local port 1080, which creates the SOCKS proxy.
  • -f: Tells SSH to move to the background just before command execution.
  • -N: Don't execute a remote command—essential for just forwarding ports.
  • -C: Enables compression, which can help on slower networks.

For PuTTY on Windows, go to Connection > SSH > Tunnels. Enter 1080 in the "Source port" field, select the "Dynamic" radio button, and click "Add." Then open your session as usual.

Browser Configuration for SSH SOCKS Proxy

Creating the tunnel is only half the job—you still need to configure your applications, typically a web browser, to use the local SOCKS proxy you've just set up.

This configuration is application-specific and only routes traffic from the configured application through the tunnel. Here's how to set it up in Firefox as an example:

  1. Go to Settings and search for "proxy." Select Network Settings.
  2. Choose "Manual proxy configuration."
  3. In the SOCKS Host field, enter localhost (or 127.0.0.1) and set the port to 1080 (or whichever port you specified with the -D flag).
  4. Make sure "SOCKS v5" is selected.
  5. Crucially: check the box for "Proxy DNS when using SOCKS v5" to keep your DNS requests from leaking your real location.

The process is similar for Chrome and Edge, though it often means changing the operating system's proxy settings or using a browser extension like Proxy SwitchyOmega for more granular control.

Whether you configured a dedicated Dante server or set up a quick SSH tunnel, the next step is the same: verify that your traffic is actually being routed through the proxy.

Testing Your SOCKS5 Proxy Server

To confirm your SOCKS5 proxy is working, verify that your traffic is correctly routed. The most direct way is to request your external IP through the proxy itself. On Linux, use curl, pointing it at your proxy's host and port (e.g., localhost:1080).

curl --socks5-hostname localhost:1080 ifconfig.me

A successful test returns the proxy server's IP address. If you see your own IP, or get an error, the connection failed. This method works equally well for Dante-based proxies and SSH tunnels.

For Dante-specific connection failures, check the live logs for error details:

tail -f /var/log/danted.log

If you're still troubleshooting, check these common issues:

  • Firewall rules on the server are blocking the proxy port (e.g., 1080).
  • The danted or sshd service isn't running or has crashed.
  • Incorrect IP address binding in your danted.conf file.

With a fully functional self-hosted SOCKS5 proxy in place, it's worth understanding its practical limitations too. It's great for personal privacy and control, but it's not the right tool for every job—which raises the question of when a DIY setup makes sense versus when you need a professional service.

When to Choose Self-Hosted SOCKS5 vs. Professional Mobile Proxy Services

The choice between a self-hosted proxy and professional mobile proxy services mostly comes down to scale and requirements. Self-hosting gives you full control, but it has a real limitation: a self-hosted solution is tied to a single, static server IP with essentially the same origin profile as a datacenter IP, and datacenter-class IPs get blocked far more often than mobile ones—around 30-50% of the time by the company's own published comparison, versus under 1% for mobile IPs.

A mobile proxy service, by contrast, gives you access to a pool of over 18 million real mobile IPs across 40+ countries, which is a large part of why success rates hold up better for large-scale web scraping. Maintenance is another factor worth weighing: a DIY setup takes real hands-on time for initial configuration and ongoing patching, while a managed service shifts that operational work onto the provider.

Consider a researcher collecting localized pricing from 50 countries. A single self-hosted proxy can't really do this. A mobile proxy service with broad geo-diversity and automated IP rotation can get through a task like that far faster than manually rotating a handful of self-hosted servers would allow. That's the core case for mobile proxies on demanding tasks like ad verification or social media management, where IP trust and diversity matter a lot.

Comparison: self-hosted SOCKS5 proxy vs. professional mobile proxy services:

Feature
Self-Hosted SOCKS5 Proxy
Our Mobile Proxy Service
Control
High (full server access)
Moderate (API/dashboard control)
Ease of Setup
Complex, requires technical expertise
Simple, instant access via dashboard
IP Diversity
Limited (single server IP)
Extensive (real residential IPs from diverse locations)
Dynamic IPs
Requires complex configuration
Built-in rotation, on-demand IP changes
Maintenance
Full user responsibility
Managed by provider
Ideal Use Cases
Personal privacy, single-location tasks
Web scraping, ad verification, social media automation, market research

Conclusion and Next Steps

You now have what you need to deploy a SOCKS5 proxy server on Linux—a genuinely useful tool for managing network traffic with more precision and privacy. We've covered two paths: the robust, feature-rich Dante server for permanent, secure deployments, and the lightweight SSH SOCKS tunnel for personal use and on-the-fly encrypted browsing. Both put control directly in your hands, letting you bypass geo-restrictions and improve your operational security.

That control comes with real limits around scale, geo-diversity, and IP reputation, though. For personal projects or single-location tasks, a self-hosted proxy is a solid choice. For demanding professional work—large-scale web scraping, ad verification, multi-account social media management—the limits of a single server IP tend to become a real bottleneck. When your needs go beyond what one server can handle, and you need a large pool of trusted, rotating residential IPs from around the world, a dedicated service is worth considering: explore our mobile proxy services to see if they fit.