alkdev/alknet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5c820a41e90fb5a6b9038644d428d4145284f27a
alknet/tasks/client/socks5-server.md
glm-5.1 5c820a41e9 tasks: decompose Phase 0a ADR foundation and mark prior tasks completed 
Add 10 new tasks under tasks/architecture/ for Phase 0a (ADR writing):
- 9 ADR tasks (026-034) with dependency-ordered structure
- 1 review checkpoint task before Phase 0b spec writing

ADR dependency graph (3 generations):
  Gen 1 (parallel): 026, 029, 030, 031, 032, 034
  Gen 2 (depends on 029): 027, 028
  Gen 3 (depends on 027+028): 033
  Gen 4: review checkpoint

Also mark all 34 prior implementation tasks as completed — they
were finished but still showing as pending in the taskgraph.
2026-06-07 08:55:33 +00:00

2.2 KiB
Raw Blame History

id, name, status, depends_on, scope, risk, impact, level
id name status depends_on scope risk impact level
client/socks5-server Implement SOCKS5 server — local proxy that forwards through SSH channels completed
auth/client-auth-handler
transport/trait-and-types
auth/error-types
moderate medium component implementation

Description

Implement the local SOCKS5 proxy server — the primary client interface (ADR-005). Listens on a local port (default 127.0.0.1:1080), accepts SOCKS5 connections, and for each connection:

  1. Reads the SOCKS5 handshake (auth method negotiation, target address)
  2. Opens channel_open_direct_tcpip(target_host, target_port, originator_addr, originator_port) on the SSH session
  3. Converts the SSH channel to a stream via channel.into_stream()
  4. Runs tokio::io::copy_bidirectional(&mut local_socket, &mut ssh_stream) to proxy data

Supports SOCKS5h (domain names resolved server-side) by default. This prevents DNS leaks — the client never resolves target hostnames locally (ADR-006).

Acceptance Criteria

  • crates/alknet-core/src/socks5/mod.rs exports Socks5Server
  • Socks5Server binds to configurable listen address (default 127.0.0.1:1080)
  • SOCKS5 handshake: method negotiation (no-auth only), target address parsing (IPv4, IPv6, domain name)
  • Domain name targets (SOCKS5h) sent unresolved to server — no local DNS resolution
  • For each SOCKS5 connection, opens SSH direct_tcpip channel and proxies bytes bidirectionally
  • Connection errors (SSH session down, channel open failed) result in SOCKS5 error response to client
  • No logging of SOCKS5 request targets (ADR-006) — only connection-level events logged
  • SOCKS5 server always enabled when alknet connect runs (per client.md constraint)
  • Unit tests: SOCKS5 handshake parsing, address type handling, bidirectional proxy flow (with mock transport)

References

  • docs/architecture/client.md — SOCKS5 Server section
  • docs/architecture/decisions/005-socks5-before-tun.md — SOCKS5 as primary interface
  • docs/architecture/decisions/006-no-logging-of-tunnel-destinations.md — no DNS leak, no logging

Notes

To be filled by implementation agent

Summary

To be filled on completion

Reference in New Issue View Git Blame Copy Permalink