DEV Community

Anim Mouse

Hosting a SOCKS5 Proxy on GitHub Actions

My Workflow

Since GitHub Actions is an IaaS, and Actions Hackathon 2021 allows Wacky Wildcards, I wondered if I could use it as a proxy and view the internet from the perspective of GitHub's servers. So I created a proof-of-concept SOCKS5 proxy hosted on GitHub Actions.

As GitHub Actions runners are firewalled from incoming connections, what I did is connect to it through Cloudflare Tunnel. And as Cloudflare Tunnel can't tunnel TCP connections (we can use Ngrok but that's for another story), we tunnel SOCKS5 through websockets using Chisel.

Here you can see that I'm browsing the internet using Microsoft's IP address.
[Screenshots: IP address check 1, IP address check 2, IP address check 3]

Here you can see a speed test from my 45 Mbps internet connection.
[Screenshot: Speed test]
This action can also be used as a VPN.

Submission Category:

Wacky Wildcards

Yaml File or Link to Code

name: Host Chisel SOCKS5 Proxy
on:
  workflow_dispatch:
    inputs:
      time-duration:
        description: Time to run chisel
        required: true
        default: 10m

jobs:
  socks5-proxy:
    runs-on: ubuntu-latest
    steps:
      - name: Install chisel
        working-directory: ${{ runner.temp }}
        env:
          version: 1.7.6
        run: |
          # Download the pinned release; releases/latest would break as soon as a newer version ships
          aria2c -x 16 "https://github.com/jpillora/chisel/releases/download/v${version}/chisel_${version}_linux_amd64.gz"
          gzip -d "chisel_${version}_linux_amd64.gz"
          mv "chisel_${version}_linux_amd64" /usr/local/bin/chisel
          chmod +x /usr/local/bin/chisel

      - name: Setup Cloudflare Tunnel client
        uses: AnimMouse/setup-cloudflared@v1
        with:
          cloudflare_tunnel_certificate: ${{ secrets.CLOUDFLARE_TUNNEL_CERTIFICATE }}
          cloudflare_tunnel_credential: ${{ secrets.CLOUDFLARE_TUNNEL_CREDENTIAL }}
          cloudflare_tunnel_configuration: ${{ secrets.CLOUDFLARE_TUNNEL_CONFIGURATION }}
          cloudflare_tunnel_id: ${{ secrets.CLOUDFLARE_TUNNEL_ID }}

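      - name: Run chisel
        env:
          # Pass the input through the environment instead of expanding it inside the script
          TIME_DURATION: ${{ github.event.inputs.time-duration }}
        run: timeout "$TIME_DURATION" chisel server --socks5 || true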

      - name: Shutdown and view logs of Cloudflare Tunnel
        if: always()
        uses: AnimMouse/setup-cloudflared/shutdown@v1

AnimMouse / SOCKS5-proxy-actions

Proof of concept SOCKS5 proxy running on GitHub Actions through Chisel

SOCKS5 Proxy Actions

SOCKS5 Proxy hosted on GitHub Actions.

Proof of concept of Chisel's SOCKS5 proxy running on GitHub Actions.

As a GitHub Actions runner does not have an accessible IP address, we use Cloudflare Tunnel to open a tunnel to the runner.

Your Computer > Cloudflare > GitHub Actions runner > GitHub Actions' Internet

Usage

  1. Set up the Cloudflare Tunnel client by following the instructions in the setup-cloudflared README.md.
  2. In config.yml, set service: to http://localhost:8080 under ingress:.

     ingress:
       - service: http://localhost:8080

  3. Run the workflow.
  4. Connect to your chisel websocket by running chisel client https://example.com/ socks.
  5. Connect your browser to chisel's SOCKS5 proxy by setting the proxy settings to localhost:1080.
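
The workflow above starts chisel without any client authentication, so the proxy is only as private as the tunnel hostname. The following variant is an added example, not the author's workflow: it turns on chisel's client authentication through an assumed repository secret named CHISEL_AUTH (format user:password), validates the time-duration input, and removes the job's token permissions.

```yaml
# Added example, not the author's workflow. CHISEL_AUTH is an assumed
# repository secret holding "user:password" for chisel client authentication.
name: Host Chisel SOCKS5 Proxy (authenticated)
on:
  workflow_dispatch:
    inputs:
      time-duration:
        description: Time to run chisel
        required: true
        default: 10m
permissions: {}  # the job never needs GITHUB_TOKEN
jobs:
  socks5-proxy:
    runs-on: ubuntu-latest
    steps:
      - name: Install chisel
        working-directory: ${{ runner.temp }}
        env:
          version: 1.7.6
        run: |
          # Pinned release tag, so the file name always matches ${version}
          aria2c -x 16 "https://github.com/jpillora/chisel/releases/download/v${version}/chisel_${version}_linux_amd64.gz"
          gzip -d "chisel_${version}_linux_amd64.gz"
          mv "chisel_${version}_linux_amd64" /usr/local/bin/chisel
          chmod +x /usr/local/bin/chisel
      - name: Setup Cloudflare Tunnel client
        uses: AnimMouse/setup-cloudflared@v1
        with:
          cloudflare_tunnel_certificate: ${{ secrets.CLOUDFLARE_TUNNEL_CERTIFICATE }}
          cloudflare_tunnel_credential: ${{ secrets.CLOUDFLARE_TUNNEL_CREDENTIAL }}
          cloudflare_tunnel_configuration: ${{ secrets.CLOUDFLARE_TUNNEL_CONFIGURATION }}
          cloudflare_tunnel_id: ${{ secrets.CLOUDFLARE_TUNNEL_ID }}
      - name: Run chisel with client authentication
        env:
          CHISEL_AUTH: ${{ secrets.CHISEL_AUTH }}
          TIME_DURATION: ${{ github.event.inputs.time-duration }}
        run: |
          # Refuse to start an open proxy when the secret is missing
          [ -n "$CHISEL_AUTH" ] || { echo "CHISEL_AUTH is not set" >&2; exit 1; }
          # Accept only durations such as 90s, 10m or 1h
          printf '%s' "$TIME_DURATION" | grep -Eq '^[0-9]+[smh]$' \
            || { echo "invalid time-duration" >&2; exit 1; }
          # timeout exits 124 when the limit is reached; any other failure fails the job
          rc=0
          timeout "$TIME_DURATION" chisel server --socks5 --auth "$CHISEL_AUTH" || rc=$?
          [ "$rc" -eq 0 ] || [ "$rc" -eq 124 ] || exit "$rc"
      - name: Shutdown and view logs of Cloudflare Tunnel
        if: always()
        uses: AnimMouse/setup-cloudflared/shutdown@v1
```

The client then connects with chisel client --auth "user:password" https://example.com/ socks, using the same credentials as the secret and the tunnel hostname in place of example.com.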



Additional Resources / Info

AnimMouse / setup-cloudflared

Setup/Install Cloudflare Tunnel client for GitHub Actions

Setup cloudflared for GitHub Actions

Setup Cloudflare Tunnel client for GitHub Actions.

This action installs cloudflared for use in actions by installing it on tool cache using AnimMouse/tool-cache.

This action will automatically sign in and start Cloudflare Tunnel.

Other virtual environments besides Ubuntu are not supported yet.

Usage

  1. Paste the contents of the cert.pem file to CLOUDFLARE_TUNNEL_CERTIFICATE secret. No need to encode it to base64 as it is already in base64.
  2. Encode the JSON credential in base64 using this command base64 -w 0 <cloudflare-tunnel-id>.json and paste it to CLOUDFLARE_TUNNEL_CREDENTIAL secret.
  3. At the config.yml, set credentials-file: to /home/runner/.cloudflared/<cloudflare-tunnel-id>.json
  4. Encode the config.yml in base64 using this command base64 -w 0 config.yml and paste it to CLOUDFLARE_TUNNEL_CONFIGURATION secret.
  5. Add the Cloudflare Tunnel ID to CLOUDFLARE_TUNNEL_ID secret.

To gracefully shut down Cloudflare Tunnel after being started in the background, use the AnimMouse/setup-cloudflared/shutdown action as composite actions do not support post:


jpillora / chisel

A fast TCP/UDP tunnel over HTTP

Chisel

Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.

Features

  • Easy to use
  • Performant*
  • Encrypted connections using the SSH protocol (via crypto/ssh)
  • Authenticated connections; authenticated client connections with a users config file, authenticated server connections with fingerprint matching.
  • Client auto-reconnects with exponential backoff
  • Clients can create multiple tunnel endpoints over one TCP connection
  • Clients can optionally pass through SOCKS or HTTP CONNECT proxies
  • Reverse port forwarding (Connections go through the server and out the client)
  • Server optionally doubles as a reverse proxy
  • Server optionally allows SOCKS5 connections (See guide below)
  • Clients optionally allow SOCKS5 connections from a reversed port…
