Mehrdadx
newbie
Topic Author
Posts: 49
Joined: Thu Mar 17, 2022 7:16 am

I need help for Socks5 Firewall rules

Mon Mar 21, 2022 10:25 am

Hello to all members

At first let me show you my little config

my socks5 config:
Port: 1945
Version:5
Authentication method: Password

my firewall rules are:
- Action=Accept, Chain=Input, Protocol=17(udp), Dst. Port=1945
- Action=Accept, Chain=Input, Protocol=6(tcp), Dst. Port=1945
- Action=Drop, Chain=Input (bottom of all other rules)

now the problem is when DROP rule is active my clients can't connect to socks5 proxy, WHY?

socks5 uses another port that I don't know?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: I need help for Socks5 Firewall rules  [SOLVED]

Mon Mar 21, 2022 3:20 pm

Are these all your firewall rules? Because if they are, clients would be able to connect, but all responses to connections initiated by SOCKS server would be blocked. Start your firewall with these two rules:
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
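
The effect described in the answer above can be traced with a small first-match model of the input chain (an added example, not part of the original posts and not RouterOS code). The rule dictionaries mirror the rules quoted in the thread; the packets, their ephemeral port numbers and the function names are constructed for illustration.

```python
# Added illustration: first-match evaluation of a RouterOS-style input chain.
# Rules mirror the thread; packets are constructed samples, not router captures.

def match(rule, pkt):
    """A rule matches when every matcher it sets agrees with the packet."""
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst_port" in rule and rule["dst_port"] != pkt["dst_port"]:
        return False
    if "states" in rule and pkt["state"] not in rule["states"]:
        return False
    return True

def verdict(chain, pkt):
    """Action of the first matching rule; an unmatched packet is accepted."""
    for rule in chain:
        if match(rule, pkt):
            return rule["action"]
    return "accept"

# The three rules from the question: SOCKS5 on port 1945, then drop everything.
ORIGINAL = [
    {"action": "accept", "protocol": "udp", "dst_port": 1945},
    {"action": "accept", "protocol": "tcp", "dst_port": 1945},
    {"action": "drop"},
]
# Same chain with the two connection-state rules from the answer placed first.
FIXED = [
    {"action": "accept", "states": {"established", "related", "untracked"}},
    {"action": "drop", "states": {"invalid"}},
] + ORIGINAL

# Constructed packets arriving at the router itself (input chain).
PACKETS = {
    "client SYN to proxy": {"protocol": "tcp", "dst_port": 1945, "state": "new"},
    # Reply to a connection the SOCKS service opened towards a web server:
    # its destination port is the router's ephemeral source port, not 1945.
    "reply to proxy outbound TCP": {"protocol": "tcp", "dst_port": 49152, "state": "established"},
    "DNS reply to router": {"protocol": "udp", "dst_port": 53124, "state": "established"},
    "unsolicited SSH probe": {"protocol": "tcp", "dst_port": 22, "state": "new"},
}

def evaluate(chain):
    """Map each sample packet name to the chain's verdict for it."""
    return {name: verdict(chain, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, chain in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, evaluate(chain))
```

With the original chain the client's connection to port 1945 is accepted, but the replies to the proxy's own outbound connections and DNS lookups fall through to the final drop; with the connection-state rules first they are accepted while the unsolicited probe is still dropped.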
 
Mehrdadx
newbie
Topic Author
Posts: 49
Joined: Thu Mar 17, 2022 7:16 am

Re: I need help for Socks5 Firewall rules

Mon Mar 21, 2022 4:36 pm

> Are these all your firewall rules? Because if they are, clients would be able to connect, but all responses to connections initiated by SOCKS server would be blocked. Start your firewall with these two rules:
> /ip firewall filter
> add action=accept chain=input connection-state=established,related,untracked
> add action=drop chain=input connection-state=invalid

wonderful Sob, thank you so much.

but now my server is blocked by government (Iran) and I can connect to my proxy only with VPN

I have a problem with wireguard too, every time I want to connect to wireguard I have to disable/enable the Peer, why? it's a bug?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: I need help for Socks5 Firewall rules

Mon Mar 21, 2022 4:52 pm

It's not very clear what exactly you do, try to provide more details. For start, if you're using WG to connect to this device from elsewhere, you'd need another rule for it in input chain.
 
Amm0
Forum Guru
Posts: 4566
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: I need help for Socks5 Firewall rules

Mon Mar 21, 2022 5:34 pm

Seems using SOCKS5 is a popular approach in OP's region, must be some reason. But if WG is allowed, is there a need for SOCKS5? I can see an ease of deployment of SOCKS5 argument (DHCP+WPAD auto-config), but SOCKS seems more identifiable, especially using default port, than E2E encryption offered by WireGuard.

Again, why it'd be good to know the OP's specific case :-)
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: I need help for Socks5 Firewall rules

Mon Mar 21, 2022 6:29 pm

If it was me, I wouldn't use just SOCKS, but SOCKS over WG (or some other VPN or SSH). Advantage of SOCKS over just SOCKS-less WG (or other VPN) is that it's easy to configure it selectively, e.g. I can have just one web browser (or other software with SOCKS support) use it, without influencing anything else.
 
Amm0
Forum Guru
Posts: 4566
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: I need help for Socks5 Firewall rules

Mon Mar 21, 2022 7:23 pm

> If it was me, I wouldn't use just SOCKS, but SOCKS over WG (or some other VPN or SSH). Advantage of SOCKS over just SOCKS-less WG (or other VPN) is that it's easy to configure it selectively, e.g. I can have just one web browser (or other software with SOCKS support) use it, without influencing anything else.

The "Persians Socks" WG has appeared a few times... got me thinking about SOCKS5. Another element is if your upstream internet is over a WG VPN already... SOCKS5 might actually have some advantages to "automatically" deal with MTU/re-fragmentation too, since SOCKS is going to package up the request directly on the MTU of WG, vs being managed by PMTUD / mss-adjust / change/fix interface MTUs / etc... Fixing MTU isn't always easy. While clearly not using SOCKS5 for performance, it's possible SOCKS5+WG might not differ much from IPv4 connection, at least in some cases. If it avoided fragmentation, SOCKS5 could be faster even, especially if the remote WG "internet end" was close to the destination address, NAT'ed to IPv6, etc.

To @Sob approach... You do have some easy measure of control if your web traffic flows through SOCKS5. It's been 20 years, but WPAD+PAC file can control SOCKS5 configuration, including what to proxy and what not. So relatively easy to "push" a SOCKS5 configuration to your network clients, while WG requires manual install/configuration (unless someone used MDM/AD/etc).

Not resigning my networks to use SOCKS5, but it is a curious use case.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: I need help for Socks5 Firewall rules

Mon Mar 21, 2022 10:33 pm

It depends on the scale of operation and how much organized it is. If it's something smaller, then manual solution works best. Configure one web browser to use proxy, and if something doesn't work in main one (with direct connection), then just use the other one. Simple and maintenance free.
 
Mehrdadx
newbie
Topic Author
Posts: 49
Joined: Thu Mar 17, 2022 7:16 am

Re: I need help for Socks5 Firewall rules

Tue Mar 22, 2022 7:59 am

> It's not very clear what exactly you do, try to provide more details. For start, if you're using WG to connect to this device from elsewhere, you'd need another rule for it in input chain.

my server is in France and I (from Iran) want to use it as a vpn server

my WG port is 1994 and firewall rule is: Action=Accept, Chain=Input, Protocol=17(udp), Dst. Port=1994

this time firewall is okay, problem is WG itself.
issue will fix if I disable the Peer and enable it again
 
Mehrdadx
newbie
Topic Author
Posts: 49
Joined: Thu Mar 17, 2022 7:16 am

Re: I need help for Socks5 Firewall rules

Tue Mar 22, 2022 8:03 am

> Seems using SOCKS5 is a popular approach in OP's region, must be some reason. But if WG is allowed, is there a need for SOCKS5? I can see an ease of deployment of SOCKS5 argument (DHCP+WPAD auto-config), but SOCKS seems more identifiable, especially using default port, than E2E encryption offered by WireGuard.
>
> Again, why it'd be good to know the OP's specific case :-)

Personally I don't use Proxy, it's not safe enough. my popular protocol is pptp. however some of my friends persist to use proxy.

problem with pptp is there is no pptp client for android so we have to use openvpn or WG for android, again problem is I have problem with configuring WG and OVPN on mikrotik :D