NYM-1103: Add SOCKS5 Proxy process. (#5078)

Initial working version.

What's missing:

- App configuration (enabled, listen port and list of excluded countries). At the moment this is all hard-coded to be enabled.
- No support for updating the excluded countries while the SOCKS5 Proxy process is running.
- No support for updating the GeoIP or domain data at runtime within the SOCKS5 Proxy process. This would include supporting additional countries other than CN.

Author: trojanfoe

.github/workflows/build-nym-vpn-core-deb.yml

@@ -1,7 +1,7 @@
 name: build-nym-vpn-core-deb
 on:
   pull_request:
-    types: [opened]
+    types: [ opened ]
     paths:
       - ".github/workflows/build-nym-vpn-core-deb.yml"
   workflow_dispatch:
@@ -71,7 +71,8 @@ jobs:
           cache-key: ${{ matrix.arch }}
 
       - name: Append timestamp if it's a dev version
-        run: ./scripts/append-timestamp-to-version.sh nym-vpn-core/Cargo.toml ${{ steps.workspace-version.outputs.metadata }}
+        run: ./scripts/append-timestamp-to-version.sh nym-vpn-core/Cargo.toml ${{
+          steps.workspace-version.outputs.metadata }}
 
       - name: Download wireguard-go artifacts
         uses: actions/download-artifact@v8

.github/workflows/build-nym-vpn-core-linux.yml

@@ -1,7 +1,7 @@
 name: build-nym-vpn-core-linux
 on:
   pull_request:
-    types: [opened]
+    types: [ opened ]
     paths:
       - ".github/workflows/build-nym-vpn-core-linux.yml"
   workflow_dispatch:
@@ -70,7 +70,8 @@ jobs:
           subcommand: workspace.package.version --entry nym-vpn-core
 
       - name: Append timestamp if it's a dev version
-        run: ./scripts/append-timestamp-to-version.sh nym-vpn-core/Cargo.toml ${{ steps.workspace-version.outputs.metadata }}
+        run: ./scripts/append-timestamp-to-version.sh nym-vpn-core/Cargo.toml ${{
+          steps.workspace-version.outputs.metadata }}
 
       - name: Download wireguard-go artifacts
         uses: actions/download-artifact@v8
@@ -98,6 +99,7 @@ jobs:
           mkdir ${{ env.UPLOAD_DIR_LINUX }}
           cp -vpr ${{ env.SRC_BINARY }}/nym-vpnc ${{ env.UPLOAD_DIR_LINUX }}
           cp -vpr ${{ env.SRC_BINARY }}/nym-vpnd ${{ env.UPLOAD_DIR_LINUX }}
+          cp -vpr ${{ env.SRC_BINARY }}/nym-socks5-proxy ${{ env.UPLOAD_DIR_LINUX }}
           cp -vpr ${{ env.SRC_BINARY }}/nym-diagnostic ${{ env.UPLOAD_DIR_LINUX }}
 
       - name: Upload artifacts

.github/workflows/build-nym-vpn-core-windows.yml

@@ -1,7 +1,7 @@
 name: build-nym-vpn-core-windows
 on:
   pull_request:
-    types: [opened]
+    types: [ opened ]
     paths:
       - ".github/workflows/build-nym-vpn-core-windows.yml"
   workflow_dispatch:
@@ -32,7 +32,7 @@ jobs:
 
   build-windows:
     if: github.actor != 'dependabot[bot]'
-    needs: [build-wireguard-go-windows, build-winfw-windows]
+    needs: [ build-wireguard-go-windows, build-winfw-windows ]
     runs-on: custom-windows-11
     outputs:
       UPLOAD_DIR_WINDOWS: ${{ env.UPLOAD_DIR_WINDOWS }}
@@ -123,6 +123,7 @@ jobs:
           mkdir ${{ env.UPLOAD_DIR_WINDOWS }}
           cp -vpr ${{ env.SRC_BINARY }}/nym-vpnc.exe ${{ env.UPLOAD_DIR_WINDOWS }}
           cp -vpr ${{ env.SRC_BINARY }}/nym-vpnd.exe ${{ env.UPLOAD_DIR_WINDOWS }}
+          cp -vpr ${{ env.SRC_BINARY }}/nym-socks5-proxy.exe ${{ env.UPLOAD_DIR_WINDOWS }}
           cp -vpr ${{ env.SRC_BINARY }}/nym-diagnostic.exe ${{ env.UPLOAD_DIR_WINDOWS }}
           cp -vpr ${{ env.LIBS_PATH }}/libwg.dll ${{ env.UPLOAD_DIR_WINDOWS }}
           cp -vpr ${{ env.WINFW_PATH }}/winfw.dll ${{ env.UPLOAD_DIR_WINDOWS }}

.pkg/linux/install

@@ -157,6 +157,7 @@ app_deb="nym-vpn-app_${app_version}_amd64.deb"
 target_appimage="NymVPN.AppImage"
 core_archive="nym-vpn-core-v${vpnd_version}_linux_x86_64.tar.gz"
 vpnd_bin="nym-vpnd"
+socks5_proxy_bin="nym-socks5-proxy"
 vpnd_service="nym-vpnd.service"
 vpnd_deb="nym-vpnd_${vpnd_deb_ver}_amd64.deb"
 units_dir="/usr/lib/systemd/system"
@@ -333,6 +334,7 @@ download_vpnd_raw() {
   log "  ${B_GRN}Unarchiving$RS nym-vpnd"
   tar -xzf "$core_archive"
   mv "${core_archive%.tar.gz}/$vpnd_bin" $vpnd_bin
+  mv "${core_archive%.tar.gz}/$socks5_proxy_bin" $socks5_proxy_bin
   _popd
 }
 
@@ -389,7 +391,7 @@ sanity_check() {
 
   files_check=()
   if [ "$_vpnd" == 0 ]; then
-    files_check+=("$install_dir/$vpnd_bin" "$units_dir/$vpnd_service")
+    files_check+=("$install_dir/$vpnd_bin" "$install_dir/$socks5_proxy_bin" "$units_dir/$vpnd_service")
   fi
   if [ "$_app" == 0 ]; then
     files_check+=("$install_dir/$target_appimage" "$desktop_dir/nym-vpn.desktop" "$icons_dir/nym-vpn.svg")
@@ -506,12 +508,14 @@ install_app_deb() {
 install_vpnd_raw() {
   log "  ${B_GRN}Installing$RS nym-vpnd"
   sudo install -o "$(id -u)" -g "$(id -g)" -Dm755 "$temp_dir/$vpnd_bin" "$install_dir/$vpnd_bin"
+  sudo install -o "$(id -u)" -g "$(id -g)" -Dm755 "$temp_dir/$socks5_proxy_bin" "$install_dir/$socks5_proxy_bin"
 
   log "  ${B_GRN}Installing$RS systemd service"
   sudo install -Dm644 "$temp_dir/$vpnd_service" "$units_dir/$vpnd_service"
 
   log "  ${B_GRN}Installed$RS files"
   log "   ${I_YLW}$(tilded "$install_dir/$vpnd_bin")$RS"
+  log "   ${I_YLW}$(tilded "$install_dir/$socks5_proxy_bin")$RS"
   log "   ${I_YLW}$(tilded "$units_dir/$vpnd_service")$RS"
 }
 
@@ -640,6 +644,7 @@ _uninstall_raw() {
     files+=(
       "$xdg_bin_home/nym-vpnd"
       "/usr/bin/nym-vpnd"
+      "/usr/bin/nym-socks5-proxy"
       "/usr/lib/systemd/system/nym-vpnd.service"
       "/etc/nym/nym-vpnd.toml"
     )

nym-vpn-app/docs/build.md

@@ -31,7 +31,7 @@ They have to be placed in the `src-tauri` directory, and present during build
 time.\
 The required files are:
 
-- the daemon binary `nym-vpnd.exe`
+- the daemon binary `nym-vpnd.exe` and socks5 proxy `nym-socks5-proxy.exe`.
 - its dlls `libwg.dll`, `winfw.dll`, `wintun.dll`
 
 Depending on which version of vpnd you are targeting,\

nym-vpn-app/src-tauri/bundle/windows/installer.nsi

@@ -697,8 +697,9 @@ Section Install
   ; Copy main executable
   File "${MAINBINARYSRCPATH}"
 
-  ; Copy vpnd and libs
+  ; Copy vpnd, socks5-proxy and libs
   File "..\..\..\..\nym-vpnd.exe"
+  File "..\..\..\..\nym-socks5-proxy.exe"
   File "..\..\..\..\libwg.dll"
   File "..\..\..\..\wintun.dll"
   File "..\..\..\..\winfw.dll"
@@ -837,6 +838,7 @@ FunctionEnd
 Function Cleanup
   Delete "$INSTDIR\${MAINBINARYNAME}.exe"
   Delete "$INSTDIR\nym-vpnd.exe"
+  Delete "$INSTDIR\nym-socks5-proxy.exe"
   Delete "$INSTDIR\libwg.dll"
   Delete "$INSTDIR\wintun.dll"
   Delete "$INSTDIR\winfw.dll"
@@ -876,10 +878,10 @@ Section Uninstall
   ; vpnd cleanup
   Call un.VpndUninstall
   Delete "$INSTDIR\nym-vpnd.exe"
+  Delete "$INSTDIR\nym-socks5-proxy.exe"
   Delete "$INSTDIR\libwg.dll"
   Delete "$INSTDIR\wintun.dll"
   Delete "$INSTDIR\winfw.dll"
-
   Delete "$INSTDIR\nymvpn-split-tunnel.sys"
   Delete "$INSTDIR\nymvpn-split-tunnel.inf"
   Delete "$INSTDIR\nymvpn-split-tunnel.cat"

nym-vpn-app/src-tauri/scripts/sign.sh

@@ -36,10 +36,9 @@ function sign {
 
 exe=$1
 
-# If we are signing the Tauri app, then also sign the daemon.
+# If we are signing the Tauri app, then also sign these executables.
 if [[ "$exe" == *NymVPN.exe ]]; then
-	# shellcheck disable=SC2043
-	for additonal in "nym-vpnd.exe"; do
+	for additonal in "nym-vpnd.exe" "nym-socks5-proxy.exe"; do
 		sign "$additonal"
 	done
 fi

nym-vpn-apple/.gitignore

@@ -69,6 +69,7 @@ Envs/mainnet.env
 
 NymVPND/nym-vpnd
 NymVPND/nym-setup
+NymVPND/nym-socks5-proxy
 
 fastlane/report.xml
 fastlane/README.md

nym-vpn-apple/NymVPN.xcodeproj/project.pbxproj

@@ -10,6 +10,7 @@
 		582C5F8E2C7654A800B678AE /* ConfigurationManager in Frameworks */ = {isa = PBXBuildFile; productRef = 582C5F8D2C7654A800B678AE /* ConfigurationManager */; };
 		5879C2062C80A37200BAB142 /* TunnelSettingsConversions.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5879C2052C80A37200BAB142 /* TunnelSettingsConversions.swift */; };
 		58C957422F8E505C00FD0C81 /* NymVPND.app in CopyFiles */ = {isa = PBXBuildFile; fileRef = 58C9571F2F8E3F0C00FD0C81 /* NymVPND.app */; settings = {ATTRIBUTES = (RemoveHeadersOnCopy, ); }; };
+		58E98AED2F92534300A120DF /* nym-socks5-proxy in Copy Files */ = {isa = PBXBuildFile; fileRef = 58E98AEB2F92533600A120DF /* nym-socks5-proxy */; settings = {ATTRIBUTES = (CodeSignOnCopy, ); }; };
 		58FF8CE32F8EADEA0037AC51 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 58FF8CDE2F8EADEA0037AC51 /* Assets.xcassets */; };
 		58FF8CEC2F8EAF2F0037AC51 /* nym-setup in Copy Files */ = {isa = PBXBuildFile; fileRef = 58FF8CEA2F8EAF2F0037AC51 /* nym-setup */; settings = {ATTRIBUTES = (CodeSignOnCopy, ); }; };
 		58FF8CED2F8EAF2F0037AC51 /* nym-vpnd in Copy Files */ = {isa = PBXBuildFile; fileRef = 58FF8CEB2F8EAF2F0037AC51 /* nym-vpnd */; };
@@ -174,6 +175,7 @@
 			dstPath = "";
 			dstSubfolderSpec = 6;
 			files = (
+				58E98AED2F92534300A120DF /* nym-socks5-proxy in Copy Files */,
 				58FF8CEC2F8EAF2F0037AC51 /* nym-setup in Copy Files */,
 				58FF8CED2F8EAF2F0037AC51 /* nym-vpnd in Copy Files */,
 			);
@@ -216,6 +218,7 @@
 /* Begin PBXFileReference section */
 		5879C2052C80A37200BAB142 /* TunnelSettingsConversions.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = TunnelSettingsConversions.swift; sourceTree = "<group>"; };
 		58C9571F2F8E3F0C00FD0C81 /* NymVPND.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = NymVPND.app; sourceTree = BUILT_PRODUCTS_DIR; };
+		58E98AEB2F92533600A120DF /* nym-socks5-proxy */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.executable"; path = "nym-socks5-proxy"; sourceTree = "<group>"; };
 		58FF8CDE2F8EADEA0037AC51 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = "<group>"; };
 		58FF8CDF2F8EADEA0037AC51 /* NymVPND.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = NymVPND.entitlements; sourceTree = "<group>"; };
 		58FF8CE02F8EADEA0037AC51 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
@@ -397,6 +400,7 @@
 				58FF8CE02F8EADEA0037AC51 /* Info.plist */,
 				58FF8CEA2F8EAF2F0037AC51 /* nym-setup */,
 				58FF8CEB2F8EAF2F0037AC51 /* nym-vpnd */,
+				58E98AEB2F92533600A120DF /* nym-socks5-proxy */,
 			);
 			path = NymVPND;
 			sourceTree = "<group>";

nym-vpn-apple/Scripts/BuildCore.sh

@@ -71,7 +71,7 @@ else
 fi
 
 # 3) Build macOS (produces upload/mac/nym-vpnd if macOS.mk has vpnd targets)
-make -f macOS.mk libwg nym-setup nym-vpnd rpc-swift-package RELEASE="${RELEASE}"
+make -f macOS.mk libwg nym-setup nym-vpnd nym-socks5-proxy rpc-swift-package RELEASE="${RELEASE}"
 
 # 4) Copy NymVPNRpc (from nym-vpn-rpc-uniffi) → apple repo root
 RPC_SRC="${CORE_ROOT}/crates/nym-vpn-rpc-uniffi/NymVPNRpc"
@@ -93,29 +93,19 @@ else
   echo "[BuildCore] Skipping header flatten (Xcode ${XCODE_VER} < 26.4)"
 fi
 
-# 5) Copy the universal nym-vpnd → apple Daemon
-VPND_SRC="${CORE_ROOT}/upload/mac/nym-vpnd"
+# 5) Copy binaries to apple Daemon folder
+VPND_SRC_DIR="${CORE_ROOT}/upload/mac"
 VPND_DEST_DIR="${APPLE_ROOT}/NymVPND"
-VPND_DEST="${VPND_DEST_DIR}/nym-vpnd"
-if [[ ! -f "${VPND_SRC}" ]]; then
-  echo "[BuildCore][ERROR] ${VPND_SRC} not found. Make sure macOS.mk builds vpnd-universal."
-  exit 1
-fi
 mkdir -p "${VPND_DEST_DIR}"
-cp -f "${VPND_SRC}" "${VPND_DEST}"
-chmod +x "${VPND_DEST}"
-echo "[BuildCore] Copied nym-vpnd → ${VPND_DEST}"
-
-# 6) Copy the universal nym-setup → apple Daemon
-NYM_SETUP_SRC="${CORE_ROOT}/upload/mac/nym-setup"
-NYM_SETUP_DEST="${VPND_DEST_DIR}/nym-setup"
-if [[ ! -f "${NYM_SETUP_SRC}" ]]; then
-  echo "[BuildCore][ERROR] ${NYM_SETUP_SRC} not found. Make sure macOS.mk builds nym-setup-universal."
-  exit 1
-fi
-cp -f "${NYM_SETUP_SRC}" "${NYM_SETUP_DEST}"
-chmod +x "${NYM_SETUP_DEST}"
-echo "[BuildCore] Copied nym-setup → ${VPND_DEST}"
+for f in nym-vpnd nym-socks5-proxy nym-setup; do
+  if [[ ! -f "${VPND_SRC_DIR}/${f}" ]]; then
+    echo "[BuildCore][ERROR] ${VPND_SRC_DIR}/${f} not found. Make sure macOS.mk builds vpnd-universal."
+    exit 1
+  fi
+  cp -f "${VPND_SRC_DIR}/${f}" "${VPND_DEST_DIR}"
+  chmod +x "${VPND_DEST_DIR}/${f}"
+  echo "[BuildCore] Copied ${f} → ${VPND_DEST_DIR}"
+done
 
 # Print sccache stats
 if command -v sccache &>/dev/null; then