How to Set Up Dante SOCKS5 Proxy with FreeRADIUS Authentication on Ubuntu 24.04

If you run a VPN or proxy service, integrating your SOCKS5 proxy with a central authentication system like FreeRADIUS gives you full control over user access.

In this guide, we’ll show you how to set up a Dante SOCKS5 proxy that authenticates users via FreeRADIUS on Ubuntu 24.04 LTS (kernel 6.8.0+). This setup lets you manage users, passwords, and policies directly from your RADIUS server — ideal for ISPs, proxy providers, or businesses offering dedicated IPs.

🧱 What You’ll Need

A valid shared secret between the proxy and RADIUS

Ubuntu 24.04 LTS (64-bit)

Root or sudo access

A working FreeRADIUS server (local or remote)

⚙️ Step 1: Install the Required Packages

Update your system and install the dependencies:

sudo apt update
sudo apt install dante-server libpam-radius-auth freeradius-utils -y

🔐 Step 2: Configure PAM to Use FreeRADIUS

Edit the PAM RADIUS configuration file:

sudo nano /etc/pam_radius_auth.conf

Add your RADIUS server details (replace the secret and IP with yours):

123.123.123.12:1812 secret123 3 0

Explanation:

• 123.123.123.121812 → Your FreeRADIUS server IP and port
• secret123 → Shared secret
• 3 → Timeout in seconds
• 0 → No specific source IP binding

Lock down the permissions:

sudo chmod 600 /etc/pam_radius_auth.conf

🧩 Step 3: Create a PAM Service for Dante

Create a new PAM profile called danted:

sudo nano /etc/pam.d/danted

Add:

auth required pam_radius_auth.so
account required pam_permit.so

This tells PAM to use RADIUS for authentication.

🧱 Step 4: Configure Dante Server

Edit the Dante configuration file:

sudo nano /etc/danted.conf

Use the following configuration (replace eth0 with your network interface):

logoutput: syslog

internal: eth0 port = 1080
external: eth0

user.privileged: root
user.notprivileged: nobody

socksmethod: pam.username

client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
}

socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    pamservicename: danted
}

Notes:

• socksmethod: pam.username replaces the old method: pam keyword (deprecated).
• Logging is set to syslog to avoid permission issues on read-only log files.

🚀 Step 5: Restart and Enable Services

sudo systemctl enable danted
sudo systemctl restart danted
sudo systemctl restart freeradius

Check Dante’s status:

sudo systemctl status danted

And monitor logs:

sudo journalctl -u danted -f

🧪 Step 6: Test Authentication

Before testing the proxy, ensure FreeRADIUS is accepting credentials:

radtest username password 123.123.123.12 0 secret

If you see:

Access-Accept

authentication works.

Now test the SOCKS5 proxy itself:

curl -x socks5h://username:password@YOUR_SERVER_IP:1080 https://api.ipify.org

If successful, you’ll see your proxy’s public IP address.

🧰 Step 7: Secure and Optimise (Optional)

For production environments:

• Restrict access to trusted IPs:

client pass { from: YOUR_ADMIN_IP/32 to: 0.0.0.0/0 }
client block { from: 0.0.0.0/0 to: 0.0.0.0/0 }

• Harden logs: enable rate limits and rotate logs via syslog.
• Use firewall rules: open only port 1080.
• Optional: add bandwidth control or per-user limits in Dante or via RADIUS attributes.

✅ Conclusion

You’ve now set up a fully authenticated SOCKS5 proxy using Dante with FreeRADIUS on Ubuntu 24.04.

This configuration provides a centralised, scalable authentication system that’s ideal for VPN providers, proxy resellers, and dedicated IP networks.

If you run a proxy or VPN business, this setup lets you integrate with billing systems like WHMCS or custom panels, and control user sessions directly via RADIUS.