Telegram calls via Dante socks5 proxy server not working [closed]

4

11

I've configured Dante 1.4 on Ubuntu 16.04 as a socks5 proxy for Telegram.

Chats are working, but voice calls are not, failing at "Connecting".

Is there something special I need to configure in order to proxy Telegram voice traffic?

I'm using a single non-privileged (>1024) TCP/UDP port + login + password for connection.

Thanks!

UPD: That's a piece of the log while I am trying to call somebody:

Apr 15 23:05:38 (1523736338.510915) danted[22977]: info: pass(1): udp/udpassociate [: username%[email protected] 192.168.1.30.36562

Apr 15 23:08:33 (1523736513.020190) danted[22989]: info: pass(1): udp/udpassociate [: username%[email protected] 192.168.1.30.49065

I can answer the call at destination device but connection is looping and getting error after 30 seconds.

Coray answered 16/4, 2018 at 10:51 Comment(4)
How does this question relate to programming? – Flutterboard
I've found in Google that question webcache.googleusercontent.com/… which was removed by its author. I was thinking that he found a solution. I registered on SO to ask him in private messages but figured out that there are no PMs. So I asked the same but modified question, that's all. I tested other socks5 proxies: V2ray and 3proxy: everywhere calls are not working. So I guess I can ask a low-level network developer here, don't punch me pls – Coray
Can you show the Dante config? – Berm
pastebin.com/mnMQUqQA – Coray
12

Proxying UDP with socks is a bit more complex than it might seem, so let's start from the beginning.

Telegram calls use UDP with socks. Socks5 RFC1928 defines the following sequence for relaying UDP:

  1. Client instantiates a TCP socks5 connection.
  2. Client sends a UDP ASSOCIATE request, containing the client's source address and port, which will be used to send UDP datagrams to the socks5 Server. They might be zeros (in Telegram they are) (section 4).
  3. Socks5 Server binds a random UDP port for relaying datagrams for this TCP socks5 connection and sends a UDP ASSOCIATE response, containing the address and port where the client should send the datagrams to be relayed (section 6).
  4. To send a datagram, the Client must add a header to the payload, containing a destination address and port, where the server should relay that datagram (section 7).
  5. Server will keep the UDP port bound until the TCP socks5 connection terminates.

As you can see, opening a single TCP port is not enough. For UDP to work correctly, the automatically bound UDP port must be reachable by the client. NATs and firewalls might further complicate the situation.

UDP relaying configuration with Dante

  1. Telegram calls are Peer-to-Peer, so the udpassociate command should be allowed to 0/0:

     socks pass {
         from: 0.0.0.0/0
         to: 0.0.0.0/0
         # udp.portrange: 40000-45000
         command: udpassociate
         log: error connect disconnect
     }
    
  2. udpreply (that's for the actual relaying, the 4th step above) should be allowed to everyone as well:

     socks pass {
         from: 0.0.0.0/0
         to: 0.0.0.0/0
         command: udpreply
         log: error connect disconnect
     }
    
  3. If your socks5 Server is behind a firewall, open a range of UDP ports (say 40000-45000) and add the udp.portrange: 40000-45000 line to the udpassociate block (see the commented out example in the first point). Then Dante would bind UDP ports in that range only.

  4. If your socks5 Server is behind a NAT, then the returned destination address in the response to UDP ASSOCIATE request would be a local IP, rather than the external one. That local IP is unlikely to be reachable by the client, so the sent datagrams would be silently dropped.

    Unfortunately, Dante uses the destination address of the TCP connection as the one where the client should send UDP datagrams to (see the comment in the source code). NAT mangles this address from an external to a local one, so Dante's assumption that the client can reach the proxy using that destination address is broken.

    A possible solution, which doesn't involve patching Dante, would be to use iptables to change the destination address from a local to the external one (assuming that it's known and doesn't change):

     # 203.0.113.12 – the external IP
     # 1080/tcp - Dante TCP port
     # 40000:45000 – Dante UDP portrange
     iptables -t nat -A PREROUTING -p tcp --dport 1080 -j DNAT --to-destination 203.0.113.12
     iptables -t nat -A PREROUTING -p udp --dport 40000:45000 -j DNAT --to-destination 203.0.113.12
    
     # If external address is not added to any network device on that 
     # machine, then add it to the loopback interface, so the kernel 
     # would know where to route the DNATed packets:
     ip addr add 203.0.113.12/32 dev lo
    
Pardo answered 23/4, 2018 at 7:29 Comment(0)
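
The RFC 1928 messages from the answer above, as an added Python example (not part of the original answer or of Dante): it builds the UDP ASSOCIATE request, parses the reply, wraps a datagram, and flags a BND.ADDR or BND.PORT that a client outside the proxy's LAN could not reach. The function names and sample replies are constructed for illustration; 40000-45000 is the port range used in the answer.

```python
import ipaddress
import socket
import struct

# RFC 1918 ranges, listed explicitly: a client on the internet cannot reach these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_udp_associate(addr="0.0.0.0", port=0):
    """Step 2: VER=5, CMD=3 (UDP ASSOCIATE), RSV=0, ATYP=1 (IPv4), zeroed address/port."""
    return struct.pack("!BBBB4sH", 5, 3, 0, 1, socket.inet_aton(addr), port)

def parse_reply(data):
    """Step 3: return (REP, BND.ADDR, BND.PORT) from an IPv4 reply."""
    if len(data) < 10:
        raise ValueError("reply too short")
    ver, rep, _rsv, atyp, raw, port = struct.unpack("!BBBB4sH", data[:10])
    if ver != 5 or atyp != 1:
        raise ValueError("expected a SOCKS5 reply with an IPv4 address")
    return rep, socket.inet_ntoa(raw), port

def wrap_datagram(dst_addr, dst_port, payload):
    """Step 4: RSV=0 (2 bytes), FRAG=0, ATYP=1, DST.ADDR, DST.PORT, then the payload."""
    return struct.pack("!HBB4sH", 0, 0, 1, socket.inet_aton(dst_addr), dst_port) + payload

def diagnose(reply, portrange=None):
    """List reasons the relay endpoint in the reply may be unreachable for the client."""
    rep, addr, port = parse_reply(reply)
    if rep != 0:
        return ["server rejected UDP ASSOCIATE (REP=%d)" % rep]
    problems = []
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        problems.append("BND.ADDR %s is a private address (proxy behind NAT?)" % addr)
    if portrange and not portrange[0] <= port <= portrange[1]:
        problems.append("BND.PORT %d is outside the opened range %d-%d" % ((port,) + tuple(portrange)))
    return problems

def sample_reply(addr, port, rep=0):
    """Constructed reply bytes for the demo; a real one is read from the TCP connection."""
    return struct.pack("!BBBB4sH", 5, rep, 0, 1, socket.inet_aton(addr), port)

if __name__ == "__main__":
    for addr, port in (("192.168.1.10", 41000), ("203.0.113.12", 50000), ("203.0.113.12", 41000)):
        print(addr, port, diagnose(sample_reply(addr, port), portrange=(40000, 45000)) or "ok")
```
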
6

I had the same problem. Found the solution. You have to add the udpassociate, bindreply and udpreply commands to the conf file. Here is my conf file that works with voice calls.

    logoutput: syslog /var/log/danted.log
    internal: ip port = 1080
    external: ip
    socksmethod: username

    user.privileged: root
    user.unprivileged: nobody

    client pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: error connect
    }
    socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bind connect udpassociate bindreply udpreply
        log: error connect
    }

Bake answered 19/4, 2018 at 21:36 Comment(3)
Your config is not working for me. Everything is the same except the internal and external interfaces. Port 1080 is open. Any ideas? – Britannic
Same for me... No progress with calls, just calling, then keys exchange, then connecting and failing after 30 sec timeout – Coray
Maybe you guys are using a different version? Mine is 1.4.1, which I installed from a deb package. – Coray
2

Allow clients' voice traffic

    socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: udpreply
        log: connect disconnect error
        socksmethod: username
    }

    iptables -A INPUT -p udp -m multiport --dports 1024:65535 -j ACCEPT

Opinionative answered 19/4, 2018 at 16:10 Comment(0)
-2

You should enable calls via proxy in your Telegram settings.

Supraorbital answered 16/4, 2018 at 16:30 Comment(1)
Did you see the log? Of course I've enabled it. But it gets stuck on the udp/udpassociate step. Here is how it must be according to the official manual inet.no/dante/doc/1.2.x/logformat.pdf (last page) – Coray
