Set up NetDetour and the Dante SOCKS server to secure traffic using GSSAPI
Introduction
Secure proxying makes it possible to protect proxied network traffic from interception and unauthorized access while also providing integrated user authentication. This can be useful when securely accessing internal corporate resources remotely through a proxy server, including TCP-based VPN scenarios where, unlike with a traditional IP-layer VPN, only selected application traffic is routed securely through the proxy server. The same approach can also be used to securely route traffic through a trusted remote network when direct Internet access is restricted, monitored, or filtered.
NetDetour supports secure proxying through multiple technologies, including SSH tunneling. This guide describes how to configure secure SOCKS5 proxying using GSSAPI authentication and encryption with MIT Kerberos and the Dante SOCKS server.
In this sample configuration, two clean VMware virtual machines are used:
- Fedora Workstation 41 running MIT Kerberos and Dante
- Windows 11 running the native Windows Kerberos client and NetDetour
The VMs are interconnected using a VMware NAT virtual network.
Set up MIT Kerberos and Dante on Fedora 41
Start the Fedora 41 VM.
Install MIT Kerberos:
yum install krb5-server krb5-libs krb5-workstation
The version of MIT Kerberos used in this sample is 1.21.3-5.
Install Dante:
yum install dante-server
The version of Dante used in this sample is 1.4.4-1.
Edit /etc/hosts and add the following entries (replace the IP addresses with your own values):
192.168.241.152 vm-fedora41
192.168.241.152 kerberos.vm-fedora41
192.168.241.115 vm-win11.vm-fedora41
Modify /etc/krb5.conf as follows:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
dns_canonicalize_hostname = fallback
qualify_shortname = ""
default_realm = VM-FEDORA41
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
VM-FEDORA41 = {
kdc = kerberos.vm-fedora41
admin_server = kerberos.vm-fedora41
}
[domain_realm]
.vm-fedora41 = VM-FEDORA41
vm-fedora41 = VM-FEDORA41
Modify /var/kerberos/krb5kdc/kdc.conf as follows:
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
VM-FEDORA41 = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
disable_pac = true
}
Create the Kerberos database and set the master password. The -s switch writes the master key to a stash file so that it does not have to be typed each time the KDC starts. This sample uses the literal master password "password"; on anything other than a throwaway lab VM choose a strong one, since the stash file is all that protects the database:
kdb5_util create -r VM-FEDORA41 -P password -s
Create:
- a test Kerberos user, user1 (the password should match the password of the Windows user account, although the user name does not need to match)
- a host principal for the Windows VM, host/vm-win11.vm-fedora41 (its password is what you will later pass to ksetup /SetComputerPassword)
- a service principal for Dante, rcmd/vm-fedora41 (the ktadd step below replaces this principal's key with a random one when it writes the keytab, so the password given to addprinc for rcmd is never used afterwards)
- a keytab file for Dante
Run:
kadmin.local
addprinc -pw password user1
addprinc -pw password host/vm-win11.vm-fedora41
addprinc -pw password rcmd/vm-fedora41
ktadd -k /etc/sockd.keytab rcmd/vm-fedora41
exit
Start the Kerberos KDC service and configure Fedora to start it automatically:
systemctl start krb5kdc.service
systemctl enable krb5kdc.service
Modify /etc/sockd.conf as follows (replace ens33 with the name of the network interface on your system if necessary, for example eth0). The keytab written above, /etc/sockd.keytab, is the path Dante reads by default, so it does not need to be named in the configuration. Note that socksmethod: gssapi only authenticates the client; the protection level (integrity or confidentiality) is negotiated with the client, so if the server itself must refuse unprotected sessions, set it explicitly with the gssapi.enctype keyword described in sockd.conf(5). The 0.0.0.0/0 source rules below are appropriate for a lab; in a deployment restrict from: to the networks that clients are expected to arrive from:
internal: ens33 port = 1080
external: ens33
socksmethod: gssapi
logoutput: /var/log/sockd
debug: 1
client pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
}
socks pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
command: connect
log: connect disconnect error
}
socks block {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect error
}
Start the Dante server and configure Fedora to start it automatically:
systemctl start sockd.service
systemctl enable sockd.service
Configure the Fedora firewall:
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --permanent --add-port=1080/tcp
firewall-cmd --reload
Set up the Native Kerberos Client and NetDetour on Windows 11
Start the Windows 11 VM.
Edit:
%SystemRoot%\System32\drivers\etc\hosts
Add the following entries (replace the IP addresses with your own values):
192.168.241.152 vm-fedora41
192.168.241.152 kerberos.vm-fedora41
192.168.241.115 vm-win11.vm-fedora41
Open Command Prompt as Administrator.
Configure the Windows Kerberos client. Replace Administrator with the name of your Windows test account if necessary. Note that the password passed to /SetComputerPassword must match the password of the Kerberos principal host/vm-win11.vm-fedora41 created earlier.
ksetup /setrealm VM-FEDORA41
ksetup /addkdc VM-FEDORA41 kerberos.vm-fedora41
ksetup /SetComputerPassword password
ksetup /mapuser user1@VM-FEDORA41 Administrator
Install NetDetour.
Restart the Windows 11 VM.
Log into Windows as:
VM-FEDORA41\user1
Open NetDetour. Go to Proxifying Settings.
Add a new SOCKS5 server with the following settings:
- Host: vm-fedora41
- Port: 1080
Enable:
- Proxy requires authentication
- Use GSSAPI authentication
Click Advanced, then in the GSS level drop-down list select:
Integrity and confidentiality
This enables encryption of proxied network traffic.
Note that the value specified in Host is used by NetDetour to construct the Kerberos service principal name. In this sample configuration, the resulting principal is "rcmd/vm-fedora41".
Do not specify the proxy server using an IP address. The hostname must be entered exactly as used in the Kerberos service principal definition, including letter case: Kerberos principal names are case-sensitive, so a request for rcmd/VM-FEDORA41 would not match the rcmd/vm-fedora41 key in the keytab and the KDC would not be able to issue a usable service ticket.
Finally, create a proxy rule in NetDetour and select the SOCKS5 server configured above.
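To make the GSS level setting concrete, here is an added example that is not NetDetour or Dante code. It frames SOCKS5 messages the way RFC 1961 (GSS-API authentication for SOCKS version 5) specifies: the method greeting, the sub-negotiation message format, the protection-level exchange, and the encapsulation that every later SOCKS message (starting with the CONNECT request) is carried in. The Kerberos security context is replaced by a constructed stand-in, ToyGssContext (a keyed hash plus an XOR keystream), so the script runs offline without a KDC; in a real client the wrap/unwrap calls are gss_wrap/gss_unwrap on a context established against rcmd/vm-fedora41. The mapping of NetDetour's "Integrity and confidentiality" to RFC 1961 protection level 2, the destination host name and the session key are assumptions of the example.

```python
"""RFC 1961 SOCKS5/GSS-API framing, as an added offline example (not NetDetour
or Dante code). A constructed stand-in replaces the real Kerberos GSS context so
the script runs without a KDC; the framing bytes themselves follow the RFC."""
import hashlib
import struct

SOCKS_VER, METHOD_GSSAPI = 0x05, 0x01
GSS_VER = 0x01
MT_AUTH, MT_PROT, MT_ENCAP, MT_ABORT = 0x01, 0x02, 0x03, 0xFF
LVL_NONE, LVL_INTEGRITY, LVL_CONF, LVL_SELECTIVE = 0, 1, 2, 3  # RFC 1961 section 4


class ToyGssContext:
    """Constructed stand-in for an established GSS context. NOT real GSS-API:
    wrap()/unwrap() imitate gss_wrap/gss_unwrap (integrity tag always, XOR
    keystream only when conf is requested) so each protection level's effect
    on the wire is visible."""

    def __init__(self, key: bytes):
        self.key = key  # assumed shared session key, constructed for the example

    def _keystream(self, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hashlib.sha256(self.key + struct.pack(">I", ctr)).digest()
            ctr += 1
        return out[:n]

    def wrap(self, data: bytes, conf: bool) -> bytes:
        body = bytes(a ^ b for a, b in zip(data, self._keystream(len(data)))) if conf else data
        tag = hashlib.sha256(self.key + bytes([conf]) + body).digest()[:8]
        return bytes([conf]) + tag + body

    def unwrap(self, token: bytes) -> tuple[bytes, bool]:
        flag, tag, body = token[0], token[1:9], token[9:]
        if hashlib.sha256(self.key + bytes([flag]) + body).digest()[:8] != tag:
            raise ValueError("GSS integrity check failed")
        if flag:
            body = bytes(a ^ b for a, b in zip(body, self._keystream(len(body))))
        return body, bool(flag)


def gss_message(mtyp: int, token: bytes) -> bytes:
    """RFC 1961 sub-negotiation message: VER(1) | MTYP(1) | LEN(2) | TOKEN."""
    return struct.pack(">BBH", GSS_VER, mtyp, len(token)) + token


def parse_gss_message(buf: bytes) -> tuple[int, bytes]:
    ver, mtyp, ln = struct.unpack(">BBH", buf[:4])
    if ver != GSS_VER:
        raise ValueError("bad GSS-API sub-negotiation version")
    if mtyp == MT_ABORT:  # server sends 0x01 0xFF to abort
        raise ConnectionError("server aborted GSS-API negotiation")
    return mtyp, buf[4:4 + ln]


def connect_request(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT with a DOMAINNAME destination (name resolved by the proxy)."""
    h = host.encode()
    return bytes([SOCKS_VER, 0x01, 0x00, 0x03, len(h)]) + h + struct.pack(">H", port)


def encapsulate(ctx: ToyGssContext, level: int, payload: bytes) -> bytes:
    """After negotiation every SOCKS message travels inside an MTYP 0x03 message
    wrapped at the agreed level. Level 0 means no encapsulation at all.
    Level 3 (selective) is simplified here to 'confidentiality'."""
    if level == LVL_NONE:
        return payload
    return gss_message(MT_ENCAP, ctx.wrap(payload, conf=(level >= LVL_CONF)))


def decapsulate(ctx: ToyGssContext, level: int, buf: bytes) -> bytes:
    if level == LVL_NONE:
        return buf
    mtyp, tok = parse_gss_message(buf)
    if mtyp != MT_ENCAP:
        raise ValueError("expected encapsulated user data")
    data, conf = ctx.unwrap(tok)
    if level == LVL_CONF and not conf:
        raise ValueError("confidentiality required but token was only signed")
    return data


def run_session(level: int, host: str, port: int, tamper: bool = False) -> dict:
    """Client and proxy share one toy context (a real one is established by the
    MTYP 0x01 exchange, which carries the Kerberos AP-REQ for rcmd/<proxy host>).
    Returns the client-to-proxy bytes and what the proxy recovers from them."""
    client, server = ToyGssContext(b"session-key"), ToyGssContext(b"session-key")
    wire = bytes([SOCKS_VER, 1, METHOD_GSSAPI])             # greeting offering only GSS-API
    wire += gss_message(MT_AUTH, b"<AP-REQ placeholder>")   # constructed, not a real token
    wire += gss_message(MT_PROT, client.wrap(bytes([level]), conf=False))  # client proposes
    _, tok = parse_gss_message(gss_message(MT_PROT, server.wrap(bytes([level]), conf=False)))
    agreed = client.unwrap(tok)[0][0]                       # proxy's wrapped answer
    frame = encapsulate(client, agreed, connect_request(host, port))
    if tamper and agreed != LVL_NONE:
        frame = frame[:-1] + bytes([frame[-1] ^ 0x01])      # attacker flips one payload byte
    wire += frame
    return {"level": agreed, "wire": wire, "recovered": decapsulate(server, agreed, frame)}


def tamper_detected(level: int) -> bool:
    """True if a modified frame is rejected by the proxy at this level."""
    try:
        run_session(level, "intranet.example", 443, tamper=True)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for lvl in (LVL_NONE, LVL_INTEGRITY, LVL_CONF):
        r = run_session(lvl, "intranet.example", 443)
        print(lvl, b"intranet.example" in r["wire"], tamper_detected(lvl))
```

Comparing the three runs shows why the Advanced setting matters: at level 0 the CONNECT request, including the destination host name, is sent in the clear; at level 1 it is still readable on the wire but any modification is rejected; only at level 2 is the destination (and everything that follows) hidden from anyone between the Windows client and the Dante server.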