Tun2Socks: Using a Proxy Server as a Gateway or VPN via Proxy
In typical home network settings, your computer’s network configuration specifies a default gateway. This device is usually called a “router” — it handles all requests to IP addresses outside your local network. A proxy server (from the English word “proxy”, an authorized or trusted representative) also acts as an intermediary between you and the target network resource, but it is not the default gateway. To use a proxy, you must explicitly specify its parameters in your application. A simple example is accessing I2P or Tor networks. These networks are managed by separate applications that provide a proxy interface for users. By setting the appropriate proxy in your web browser, you can visit sites with “.i2p” and “.onion” domains, which your regular router knows nothing about.
Proxy services are also increasingly popular for bypassing restrictions: just set up a proxy from a more liberal country in your browser and access any site you want, free from local censorship. Modern proxy servers offer comprehensive traffic control and monitoring features — a great solution for offices and government institutions that need to restrict access to certain resources or provide internet access with additional authentication and bandwidth management for different users.
No matter your use case, using a default gateway is usually more convenient, especially since some applications can’t work through a proxy at all.
What is Tun2Socks?
Tun2Socks is a free, cross-platform project (GPL-3.0) written in Golang, mainly developed by a team from China. The application has no graphical interface and is configured with simple command-line parameters. The name Tun2Socks (Tunnel to SOCKS) means “tunnel through a SOCKS proxy.” Why SOCKS and not HTTP? While Tun2Socks can work with HTTP proxies, the HTTP protocol does not support UDP traffic. Most real-time data (audio/video calls, online games, DNS queries) uses UDP, so UDP support is crucial.
Tun2Socks works by creating a virtual network adapter that your operating system sees as a regular network interface. All data sent to this virtual adapter is actually handled by Tun2Socks, which then forwards it to the proxy server as needed.
Command-Line Usage
Usage of tun2socks:
  -device string
        Use this device [driver://]name
  -fwmark int
        Set firewall MARK (Linux only)
  -interface string
        Use network INTERFACE (Linux/MacOS only)
  -loglevel string
        Log level [debug|info|warn|error|silent] (default "info")
  -mtu int
        Set device maximum transmission unit (MTU)
  -proxy string
        Use this proxy [protocol://]host[:port]
  -stats string
        HTTP statistic server listen address
  -token string
        HTTP statistic server auth token
  -udp-timeout int
        Set timeout for each UDP session
  -version
        Show version information and quit
While these options may seem straightforward to experienced admins, newcomers may wonder: if a virtual network adapter is created, how does it become the default gateway, and do you need to assign it an address manually? The official documentation provides more details, but let’s focus on practical configuration with step-by-step explanations.
Windows Setup
- Download the latest Tun2Socks release from the official GitHub releases page. Choose a package starting with tun2socks-windows. For 64-bit Windows, tun2socks-windows-amd64.zip is usually appropriate.
- Extract the archive to any convenient location.
- Tun2Socks requires a separate driver (Wintun) to create the virtual network adapter. Download Wintun 0.11 from this direct link (newer versions may not work with Tun2Socks v2.3.1). You only need the wintun.dll file from wintun/bin/amd64/wintun.dll (for amd64 systems). Place wintun.dll in the same directory as the Tun2Socks executable.
- Run Tun2Socks from the command line as administrator. Example command:
  tun2socks-windows-amd64.exe -device tun://gatewaytun -proxy socks5://10.10.100.1:1080
  -device tun://gatewaytun sets the name of the new virtual network interface.
  -proxy socks5://10.10.100.1:1080 specifies the proxy protocol and address.
- Assign an IP address and subnet mask to the new interface (replace as needed):
  netsh interface ip set address name="gatewaytun" static 127.254.254.1 255.255.255.255
  Use a private address not used by other adapters or your local network. If Windows refuses this address, try something like 10.254.254.1.
- Set the new interface as the default gateway:
  route add 0.0.0.0 mask 0.0.0.0 127.254.254.1
- Important: If your proxy server is not on the same local subnet, you must add a route to ensure access to the proxy server is not routed through itself. For example:
  route add 10.10.100.0 mask 255.255.255.0 10.10.5.25
  This ensures traffic to the proxy server’s subnet goes through the correct interface.
  For home use, if your proxy is on the internet:
  route add 11.11.11.11 mask 255.255.255.255 10.10.5.25
  11.11.11.11 — proxy server address
  255.255.255.255 — mask for a single address
  10.10.5.25 — your ISP’s gateway address
- If using a SOCKS proxy (with UDP support), you can set a DNS server for the virtual interface:
  netsh interface ip set dns "gatewaytun" static 1.1.1.1
  Replace 1.1.1.1 with your preferred DNS server.
Summary of commands:
tun2socks-windows-amd64.exe -device tun://gatewaytun -proxy PROXY_PROTOCOL://PROXY_ADDRESS:PORT
netsh interface ip set address name="gatewaytun" static 127.254.254.1 255.255.255.255
route add 0.0.0.0 mask 0.0.0.0 127.254.254.1
rem Optional: For enterprise LAN
route add LOCAL_NETWORK_SEGMENT mask SEGMENT_MASK GATEWAY_ADDRESS
rem Optional: For internet proxy server
route add PROXY_SERVER_ADDRESS mask 255.255.255.255 ISP_GATEWAY_ADDRESS
rem Optional: DNS server (if proxy supports UDP)
netsh interface ip set dns "gatewaytun" static DNS_SERVER_ADDRESS
Manually running all these commands may be inconvenient for most users. You can automate the process with batch scripts (e.g., start.bat) and add them to startup. All commands must be run as administrator.
Linux Setup
Linux and other Unix-like users are usually more comfortable with the command line, so explanations here are more concise. Example instructions are for Debian.
- Download the appropriate binary from the releases page (e.g., tun2socks-linux-amd64.zip for Debian amd64). Extract and make it executable:
  chmod +x tun2socks-linux-amd64
  Move it to a suitable location, such as /usr/sbin/.
- No extra drivers are needed for tunnel creation on modern Linux distributions.
- Run as root:
  /usr/sbin/tun2socks-linux-amd64 -device tun://gatewaytun -proxy socks5://10.10.100.1:1080
- Configure routing:
  # Assign address to new interface
  ip addr add 127.254.254.1/32 dev gatewaytun
  # Bring up the interface
  ip link set gatewaytun up
  # Add default route via new interface
  ip route add default dev gatewaytun metric 50
  # Optional: Route to proxy server in local network
  ip route add NETWORK_ADDRESS/PREFIX dev LOCAL_INTERFACE_NAME
  # Optional: Route to proxy server on the internet
  ip route add PROXY_ADDRESS/32 dev ISP_INTERFACE_NAME
DNS settings in Unix systems are usually global, so you don’t need to set them per interface. If needed, you can edit /etc/resolv.conf or your network configuration files.
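A check for the Linux routes configured above, as an added example that is not part of the original article or the Tun2Socks project: it reads `ip route get` output and reports whether the proxy address bypasses gatewaytun and whether other destinations, including the resolvers in /etc/resolv.conf, enter it. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tun2socks project): audit the routing decisions
# this setup depends on. TUN is the interface name used in the article.
TUN=${TUN:-gatewaytun}

# route_dev LINE: print the device named in one line of `ip -o route get` output.
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# classify ROLE LINE: ROLE "proxy" must bypass the tunnel, ROLE "tunneled" must
# enter it. Prints ok, loop, leak, local or unknown; non-zero on a problem.
classify() {
    dev=$(route_dev "$2")
    if [ -z "$dev" ]; then echo unknown; return 1; fi
    if [ "$dev" = lo ]; then echo local; return 0; fi   # never leaves the host
    case "$1" in
        proxy)    if [ "$dev" = "$TUN" ]; then echo loop; return 1; fi ;;
        tunneled) if [ "$dev" != "$TUN" ]; then echo leak; return 1; fi ;;
        *)        echo unknown; return 1 ;;
    esac
    echo ok
}

# audit PROXY_IP TEST_IP: ask the live kernel table about the proxy, one outside
# address, and every resolver listed in /etc/resolv.conf.
audit() {
    rc=0
    r=$(classify proxy "$(ip -o route get "$1" 2>/dev/null)") || rc=1
    echo "proxy $1: $r"
    for dst in "$2" $(awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf 2>/dev/null); do
        r=$(classify tunneled "$(ip -o route get "$dst" 2>/dev/null)") || rc=1
        echo "via tunnel $dst: $r"
    done
    return "$rc"
}

# With two arguments, audit the live table; otherwise show the verdicts for
# two constructed sample lines (a routing loop and a leak).
if [ "$#" -ge 2 ]; then
    audit "$1" "$2"
else
    classify proxy    "10.10.100.1 dev gatewaytun src 127.254.254.1 uid 0" || true
    classify tunneled "1.1.1.1 via 10.10.5.25 dev eth0 src 10.10.5.30 uid 0" || true
fi
```

Run it with the proxy address and any outside address as arguments once the routes are in place. A leak verdict for the outside address means a more specific route, or another default route with a metric lower than 50, is still preferred over gatewaytun.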
Automating with systemd (Debian Example)
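Create a systemd service file at /etc/systemd/system/tun2socks.service:
[Unit]
Description=Tun2Socks gateway
After=network.target

[Service]
User=root
Type=idle
ExecStart=/usr/sbin/tun2socks-linux-amd64 -device tun://gatewaytun -proxy socks5://10.10.100.1:1080
# systemd does not run ExecStart through a shell, so the wait and the link-up are separate steps
ExecStartPost=/bin/sleep 3
ExecStartPost=/sbin/ip link set gatewaytun up
Restart=on-failure

[Install]
WantedBy=multi-user.target
Adjust the path to Tun2Socks and the proxy address as needed. The sleep 3 ensures the interface is created before bringing it up. Because systemd does not pass ExecStart through a shell, the delay and the link-up are written as ExecStartPost lines.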
In /etc/network/interfaces, add:
allow-hotplug gatewaytun
iface gatewaytun inet static
    address 127.254.254.0
    netmask 255.255.255.255
    post-up ip route add default dev gatewaytun metric 50
    # Optional: Route to proxy server in local network
    # post-up ip route add NETWORK_ADDRESS/PREFIX dev LOCAL_INTERFACE_NAME
    # Optional: Route to proxy server on the internet
    # post-up ip route add PROXY_ADDRESS/32 dev ISP_INTERFACE_NAME
    # post-up <other rules as needed>
Now you can start and stop the gateway with:
systemctl start tun2socks # START
systemctl stop tun2socks # STOP
To enable at boot:
systemctl enable tun2socks
Conclusion
This article was inspired by the lack of clear search results for queries like “gateway via proxy” or “how to route all traffic through a proxy.” Hopefully, this guide will be useful to a wide audience.
Automating on Windows can be tricky, especially with administrative rights and batch files. If you have a better script, feel free to share it in the comments. Thanks for reading!