NaiveProxy on Debian and Windows Tutorial

NaiveProxy uses Chrome’s network stack to camouflage traffic and provide stronger censorship resistance than custom-made network stacks. It aims to resist both fingerprinting and active probing. Reusing Chrome’s stack ensures that NaiveProxy implements best practices in performance and security.

In this tutorial, you’ll learn how to install NaiveProxy on a Debian server and a Windows client.

Debian is a long-established and highly respected Linux distribution. It is popular with server administrators. New releases are issued every few years, and at the time of writing the latest release is Debian 10.

Windows 10 continues to be Microsoft’s most popular desktop operating system, running on around half of all desktop computers.

1. Set Up Server

Before you begin, you’ll need to acquire a domain name and a server. This tutorial assumes you start with a newly created virtual private server (VPS). The domain name used in the examples is example.com with a sample hostname of california.example.com.

1.1. SSH as Root

Log in to your server using a tool such as PuTTY, XSHELL, or PowerShell (if you use Windows on your workstation), or the SSH command in a terminal emulator (if you use Linux or Mac on your workstation).

If your VPS provider sent you a root password by email, then change the root password to something only you know:

passwd root

If you do not know the root password, then SSH in as a non-root user, and set the root password:

sudo passwd root

If you logged in as a non-root user, then switch to the root user now:

su -

1.2. Update Your Server

Get your entire system up to date by issuing these commands as root:

apt update

apt dist-upgrade

apt autoremove

1.3. Implement BBR Congestion Control

Bottleneck Bandwidth and Roundtrip propagation time (BBR) is a congestion control algorithm for Transmission Control Protocol (TCP). It aims to achieve higher bandwidths and lower latencies.

Edit your Linux system control parameters file, /etc/sysctl.conf, to specify the BBR congestion control algorithm. You can use any command-line editor for this. For example, if your favorite editor is the vi editor:

vi /etc/sysctl.conf

Alternatively, if your favorite editor is the nano editor:

nano /etc/sysctl.conf

Add two lines at the end of the current file:

net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

Write the file to disk, and quit the editor. Activate this change by issuing the command:

sysctl -p

1.4. Install Firewall

Install the nftables firewall package:

apt install nftables

Specify that you want to start nftables after every reboot, and start it now:

systemctl enable nftables

systemctl start nftables

1.5. Configure Firewall

List the current nftables rules:

nft list ruleset

You should see a table for inet filter, plus a chain within it for each of input, forward, and output.

table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
	}

	chain forward {
		type filter hook forward priority 0; policy accept;
	}

	chain output {
		type filter hook output priority 0; policy accept;
	}
}

If this table and its chains do not exist, then create them now:

nft add table inet filter

nft add chain inet filter input { type filter hook input priority 0 \; policy accept\; }

nft add chain inet filter forward { type filter hook forward priority 0 \; policy accept\; }

nft add chain inet filter output { type filter hook output priority 0 \; policy accept\; }

On the other hand, if these rules do already exist, then simply carry on as follows.

Add a rule to accept all related and established traffic:

nft add rule inet filter input ct state related,established counter accept

Add a rule to accept all loopback interface traffic:

nft add rule inet filter input iif lo counter accept

For the next rule, you need to know your workstation’s Internet Protocol (IP) address. If you do not know your IP address, you can find it out by opening a browser and visiting https://www.ipip.net or https://whatismyipaddress.com.

Let’s assume your workstation’s IP address is 11.22.33.44. If that is realtively fixed, whitelist your IP address for access to port 22, which is the port you use for SSH:

nft add rule inet filter input tcp dport 22 ip saddr 11.22.33.44/32 counter accept

Alternatively, you can open port 22 for a range of IP addresses. For example, if your ISP allocates addresses in the range 11.22.0.0 through 11.22.255.255, you could open port 22 for the entire range like this:

nft add rule inet filter input tcp dport 22 ip saddr 11.22.0.0/16 counter accept

Do not open port 22 for the entire world.

We will use ports 80 and 443 for NaiveProxy, so open them too:

nft add rule inet filter input tcp dport {http, https} counter accept

Check that the rules now look as expected:

nft list ruleset

To persist these changes across reboots, save your rules to /etc/nftables.conf:

nft list ruleset > /etc/nftables.conf

Now we are going to change the default policy to drop all other input.

Edit the nftables configuration file in your preferred editor. For example, if your preferred editor is the vi editor:

vi /etc/nftables.conf

Alternatively, if your preferred editor is the nano editor:

nano /etc/nftables.conf

Change the policy from accept to drop:

chain input { 
        type filter hook input priority 0; policy drop; 

Restart nftables with your new configuration:

systemctl restart nftables

1.6. Install Prerequisites

Install the software packages that will be needed for the rest of this tutorial:

apt install libnss3 curl wget xz-utils zip unzip dnsutils

1.7. Download NaiveProxy

Now that the server is set up and the prerequisites are installed, we are ready to proceed with the NaiveProxy download.

Open a browser. Determine the latest release of NaiveProxy for 64-bit Linux by visiting https://github.com/klzgrad/naiveproxy/releases. We will use as an example the latest release at the time of writing, which is named naiveproxy-v80.0.3987.87-1-linux-x64.tar.xz. It may be different at the time you follow this tutorial.

Back in your SSH session with your server, issue the command to download the latest release of NaiveProxy for Linux:

wget https://github.com/klzgrad/naiveproxy/releases/download/v80.0.3987.87-1/naiveproxy-v80.0.3987.87-1-linux-x64.tar.xz

Unpack the archive:

tar -xf naiveproxy-v80.0.3987.87-1-linux-x64.tar.xz

Rename the unpacked directory to simply naiveproxy:

mv naiveproxy-v80.0.3987.87-1-linux-x64 naiveproxy

1.8. Download Caddy

Caddy is an advanced web server with a automated HTTPS features, including the automatic redirect of HTTP traffic to HTTPS.

Download Caddy for personal use with the http.forwardproxy plugin:

curl -OJ 'https://caddyserver.com/download/linux/amd64?plugins=http.forwardproxy&license=personal'

Unpack the archive:

tar -xzf caddy_*.tar.gz

Set the capabilites of Caddy to allow it to bind to ports below 1024, which are known as “privileged ports”:

setcap cap_net_bind_service=+ep caddy

1.9. Create Website

For extra realism, we will add some sample content to the web server.

Make a directory to hold the content of the sample blog:

mkdir -p /var/www/html

Download the archive file for some sample content from GitHub:

wget https://github.com/arcdetri/sample-blog/archive/master.zip

Unpack the archive:

unzip master.zip

Copy the downloaded sample blog into your web site directory:

cp -rf sample-blog-master/html/* /var/www/html/

1.10. Configure Caddy

Edit the Caddy configuration file. If you prefer the vi editor, then issue the command:

vi Caddyfile

Alternatively, if you prefer the nano editor, then issue the command:

nano Caddyfile

We will make Caddy forward authorized traffic to localhost port 8080. Enter into the file the Caddy configuration, using the model below.

california.example.com
root /var/www/html
tls myemail@example.com
forwardproxy {
  basicauth userid password
  hide_ip
  hide_via
  probe_resistance
  upstream http://127.0.0.1:8080
}

Write the file to disk, and quit the editor.

1.11. Run Caddy

Your mapping of your hostname (california.example.com in our example) to your server IP address must have propagated before you do this step. You can check that the hostname points to your server IP address with the nslookup command. Replace california.example.com in this example by your actual hostname:

nslookup california.example.com 8.8.8.8

We will run Caddy in a screen session. Screen is a Linux utility that can be used to multiplex a terminal session into several independent processes.

Create a new screen session for Caddy named caddy:

screen -S caddy

Caddy recommends that you increase the maximum number of open files to 8192, so do that now:

ulimit -n 8192

Launch Caddy:

./caddy

Agree to the Let’s Encrypt terms by typing y. You should see messages:

Serving HTTPS on port 443
Serving HTTP on port 80

Detach from your screen session by typing Ctrl+a followed by d. This detaches you from caddy and takes you back to your original terminal session.

1.13. Configure NaiveProxy

Edit the NaiveProxy configuration file naiveproxy/config.json. If you prefer the vi editor, then issue the command:

vi naiveproxy/config.json

Alternatively, if you prefer the nano editor, then issue the command:

nano naiveproxy/config.json

Enter the configuration below, which will make the NaiveProxy server listen on port 8080:

{
  "listen": "http://127.0.0.1:8080",
  "padding": true
}

Write the file to disk, and quit the editor.

1.14. Run NaiveProxy

Run NaiveProxy in its own screen session, which we will name naive:

screen -S naive

cd naiveproxy

./naive

Detach from your screen session by typing Ctrl+a followed by d. This detaches you from caddy and takes you back to your original terminal session.

1.15. Exit SSH Session

Your work on the server is done for now. Exit your SSH session by typing the command:

exit

2. Set Up Client

2.1. Download NaiveProxy

Open a browser, and visit https://github.com/klzgrad/naiveproxy/releases.

Download the latest release of NaiveProxy for 64-bit Windows. At the time of writing, it is named naiveproxy-v80.0.3987.87–1-win-x64.zip.

Right-click on the zip file and select Extract All... to unzip the zip file.

2.2. Configure NaiveProxy

In the folder naiveproxy-v80.0.3987.87–1-win-x64 and subfolder naiveproxy-v80.0.3987.87–1-win-x64, edit the file config.json. You can use Notepad, Notepad++, or any other text editor.

These must all match what you put on the server.

Here is the template for to modify:

{
  "listen": "socks://127.0.0.1:1080",
  "proxy": "https://userid:password@california.example.com",
  "padding": true
}

When you have finished editing, save the file, and close the editor.

2.3. Run NaiveProxy

Open a Command Prompt window by doing Windows+r, typing cmd, and clicking OK.

Change into the unzipped directory. At the time of writing, and with our example folder names, that command is:

cd Downloads\naiveproxy-v80.0.3987.87–1-win-x64\naiveproxy-v80.0.3987.87–1-win-x64

Launch NaiveProxy by issuing the command:

naive

Leave the Command Prompt window open with NaiveProxy running in it.

2.4. Configure Browser

Now configure your browser to use NaiveProxy, which is listening on localhost port 1080.

In Firefox, from the hamburger menu select Options. Under Network Settings, select Settings. Choose Manual proxy configuration, SOCKS Host 127.0.0.1, Port 1080, SOCKS v5. Choose Proxy DNS when using SOCKS v5. Click OK.

Firefox configured to use a proxy server

In Chrome, you can configure your browser to use a proxy server by installing and configuring the extension SwitchyOmega by FelisCatus from the Chrome Web Store at https://chrome.google.com/webstore/category/extensions. On the SwitchyOmega dashboard, click the PROFILE marked proxy. Specify protocol SOCKS v5, Server 127.0.0.1, and Port 1080. Click Apply changes. Find the SwitchyOmega logo at the top right of Chrome. Initially it is black for System Proxy. Select proxy to activate it. The SwitchyOmega logo at the top right of Chrome turns pale blue.

Chrome configured to use a proxy server

2.5. Test Browser

Test your browser by visiting https://ipchicken.com.

You should see your server IP address, not your client IP address.

2.6. End Browsing Session

Close the Command Prompt window with NaiveProxy running in it.

Set your browser back to its direct, non-proxied settings.

3. Troubleshoot Issues

You can find more information on NaiveProxy on the NaiveProxy wiki at https://github.com/klzgrad/naiveproxy/wiki.

If you have any problems, here are some steps you can take to troubleshoot.

Firstly, double-check that your client configuration file is an exact match for the settings on your server.

On the Windows client, your NaiveProxy Command Prompt window may show some error messages. Technical problems in Windows may also result in messages in the Windows Event Viewer (type event viewer in the Windows 10 search box, and select the Event Viewer app).

On the Debian server, you can look for messages by logging into your server and reattaching your Caddy screen session:

screen -r caddy

See if there are any messages there. When you are done looking, again detach the screen session (Ctrl+a followed by d). Next, look for messages by reattaching your NaiveProxy screen session:

screen -r naive

When you have examined the messages, detach the screen session (Ctrl+a followed by d).

Finally examine the log files in your server’s /var/log directory.

If you still have a problem, you can create a new issue on https://github.com/klzgrad/naiveproxy/issues.