Setting Up a Raspberry Pi as a Wi-Fi Access Point with SOCKS5 Proxy or Xray

Apr 04, 2025

Tested on Raspberry Pi 4 Model B Rev 1.5

Notes: Installing DNSCrypt-proxy is optional. Xray is also optional if you are only using a SOCKS5 proxy. Instead of following the steps below, you can just use the script available here.

It might be complicated to set up correctly. If you encounter any issues, hit me up on Twitter or Tox: FC31427EC043880C59BB875209462462558941F570BEF564F15CB6473F4A6146272986AD2CF8.

1. Configure the Raspberry Pi as a Wi-Fi Access Point

Install Required Packages

sudo apt-get install hostapd dnsmasq iptables-persistent redsocks -y

Configure hostapd

Edit /etc/hostapd/hostapd.conf to set up the AP:

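interface=wlan0
driver=nl80211
ssid=YourSSID
wpa_passphrase=YourPassphrase
hw_mode=g
channel=6
ieee80211n=1
# WPA2 only, pre-shared key, AES-CCMP as the pairwise cipher
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP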

Passphrase should be at least 8 characters.
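
A check for these settings, as an added example that is not part of the original post: audit_hostapd and conf_get are hypothetical helper names, and the sample file is constructed. hostapd's sample configuration documents TKIP as the default pairwise cipher, so a wpa=2 file with no rsn_pairwise or wpa_pairwise line is flagged.

```sh
#!/bin/sh
# Added example, not from the original post. conf_get and audit_hostapd are
# hypothetical helper names; the sample file below is constructed.

# Print the value of the last "key=value" line for a key.
conf_get() {  # $1 = file, $2 = key
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one finding per line; print nothing when the file passes.
audit_hostapd() {  # $1 = path to a hostapd.conf
    wpa=$(conf_get "$1" wpa)
    # With WPA2, hostapd uses wpa_pairwise when rsn_pairwise is not set.
    pairwise=$(conf_get "$1" rsn_pairwise)
    [ -n "$pairwise" ] || pairwise=$(conf_get "$1" wpa_pairwise)
    pass=$(conf_get "$1" wpa_passphrase)

    [ "$wpa" = 2 ] || echo "wpa=${wpa:-unset}: expected wpa=2 (WPA2 only)"
    case " $pairwise " in
        *" TKIP "*) echo "pairwise cipher list includes TKIP" ;;
        *" CCMP "*) : ;;
        *) echo "no CCMP pairwise cipher configured" ;;
    esac
    len=${#pass}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "wpa_passphrase length $len is outside 8..63"
    fi
}

# Constructed sample: WPA2 enabled, but no pairwise cipher line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
interface=wlan0
ssid=YourSSID
wpa_passphrase=YourPassphrase
wpa=2
EOF
audit_hostapd "$sample"   # on the Pi: audit_hostapd /etc/hostapd/hostapd.conf
rm -f "$sample"
```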

Enable and start hostapd:

sudo systemctl enable hostapd
sudo systemctl start hostapd

Configure dnsmasq for DHCP

Add this to /etc/dnsmasq.conf:

interface=wlan0
dhcp-range=192.168.50.10,192.168.50.100,12h

# If you want to use DNSCrypt-proxy (step 5), add this:
server=127.0.0.1#53535

Assign Static IP to wlan0

Set a static IP (e.g., 192.168.50.1) for the access point:

sudo tee /etc/systemd/network/10-wlan0-static-ip.network > /dev/null <<EOF
[Match]
Name=wlan0

[Link]
# systemd-networkd-wait-online waits for this interface
RequiredForOnline=yes

[Network]
Address=192.168.50.1/24
EOF

If you are running NetworkManager (check with systemctl status NetworkManager), it will interfere with systemd-networkd. Set it to ignore wlan0 by running:

sudo tee /etc/NetworkManager/conf.d/80-ignore-wlan0.conf > /dev/null <<EOF
[keyfile]
unmanaged-devices=interface-name:wlan0
EOF

sudo systemctl enable systemd-networkd
sudo systemctl restart systemd-networkd

Alternatively, assign the address directly (it will be lost on reboot):

sudo ip addr add 192.168.50.1/24 dev wlan0

2. Configure redsocks to Proxy Traffic

Edit /etc/redsocks.conf to route traffic through your SOCKS5 proxy:

base {
    log_debug = off;
    log_info = on;
    daemon = on;
    redirector = iptables;
}

redsocks {
    local_ip = 192.168.50.1;
    local_port = 12345;

    // `ip` and `port` are the proxy server address and port
    // xray socks5 local proxy or remote socks5 proxy
    ip = 127.0.0.1;
    port = 1080;

    type = socks5;

    // `login` and `password` are the proxy server username and password
    // login = "username"; 
    // password = "password";
}

redsocks should not start until the network is online:

sudo sed -i 's/After=network.target/After=network-online.target systemd-networkd-wait-online.service/' /lib/systemd/system/redsocks.service
sudo systemctl daemon-reload

3. Set Up iptables Rules to Redirect Traffic

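Create and apply iptables rules to redirect traffic through redsocks. These rules send every TCP connection arriving on wlan0 to redsocks; other protocols are not redirected: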

sudo iptables -t nat -N REDSOCKS
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp -j REDSOCKS
sudo iptables -t nat -A REDSOCKS -p tcp -j DNAT --to-destination 192.168.50.1:12345

Save iptables rules to persist across reboots:

sudo netfilter-persistent save

4. Restart redsocks to Apply Changes

Restart redsocks to ensure the new configuration is active:

sudo systemctl restart redsocks

5. Optional: Set up DNSCrypt-proxy

DNSCrypt offers crucial advantages for privacy, security, anonymity, and censorship resistance compared to corporate or ISP DNS providers:

  1. Enhanced Privacy: DNSCrypt encrypts and authenticates DNS traffic between your device and DNS resolver
  2. Strong Security: Cryptographic verification ensures DNS responses come from legitimate resolvers
  3. True Anonymity: DNS queries cannot be linked to your identity or location
  4. Censorship Resistance: Bypasses DNS-based censorship and filtering systems
  5. Decentralized Control: No single point of failure or centralized control

Install dnscrypt-proxy

This script installs dnscrypt-proxy and configures it to use the latest version of the hagezi Pro+ blacklist. The command below downloads it and runs it as root, so read the script first.

sudo bash -c "$(curl -L https://raw.githubusercontent.com/matt-d-dev/scripts/main/install-dnscrypt-rpi.sh)"

Configure resolv.conf

Make sure /etc/resolv.conf is set to nameserver 127.0.0.1:

sudo tee /etc/resolv.conf > /dev/null <<EOF
nameserver 127.0.0.1
EOF

If it's managed by NetworkManager, you can stop NetworkManager from managing it by running:

sudo tee /etc/NetworkManager/conf.d/90-dns-none.conf > /dev/null <<EOF
[main]
dns=none
EOF

6. Optional: Set up xray

Install xray

Add a system user for xray, then install xray to run as that user:

sudo useradd -M -r -s /usr/sbin/nologin xray
sudo bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install -u xray

Configure xray

Add your xray config to /usr/local/etc/xray/config.json. Make sure the inbound protocol is set to socks and that its listen address and port match the ip and port you set in the redsocks.conf file.

...
"inbounds": [
    {
        "tag": "socks-in",
        "listen": "127.0.0.1",
        "port": 1080,
        "protocol": "socks",
        "settings": {
            "auth": "noauth",
            "udp": true
        },
        ...
    }
],
...

Then restart xray:

sudo systemctl restart xray

Troubleshooting

If you encounter issues:

  1. Check the redsocks logs:
    sudo journalctl -u redsocks

    If the log shows no connections, traffic is not being redirected. Try restarting redsocks:

    sudo systemctl restart redsocks

  2. Verify iptables rules:
    sudo iptables -t nat -L

    It should have Chain REDSOCKS with target DNAT and destination anywhere to:192.168.50.1:12345.

  3. Ensure the Wi-Fi interface is up and has an IP address:
    sudo ip addr show wlan0

    It should have state UP and an inet 192.168.50.1/24 scope global wlan0 entry.

  4. Check xray logs:
    sudo journalctl -u xray

    Set loglevel to debug in the log section of the config.json file to get more detailed logs.

  5. Check DHCP leases:
    cat /var/lib/misc/dnsmasq.leases
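
Item 2 as a script, added here as an example and not part of the original post: it reads iptables -t nat -S output and confirms the three rules from step 3 are present, taking the DNAT target from redsocks.conf. rs_get and check_redsocks_nat are hypothetical helper names and the sample inputs are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. rs_get and check_redsocks_nat are
# hypothetical helper names; the sample inputs below are constructed.

# Print the value of a "key = value;" setting from a redsocks.conf
# (lines commented out with // are skipped).
rs_get() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" |
        head -n 1
}

# Read `iptables -t nat -S` output on stdin and report each expected rule that
# is absent. The DNAT target is derived from redsocks.conf, so a port changed
# in one place but not the other shows up as a missing rule.
check_redsocks_nat() {  # $1 = AP interface, $2 = path to redsocks.conf
    rules=$(cat)
    target="$(rs_get "$2" local_ip):$(rs_get "$2" local_port)"
    rc=0
    for want in \
        "-N REDSOCKS" \
        "-A PREROUTING -i $1 -p tcp -j REDSOCKS" \
        "-A REDSOCKS -p tcp -j DNAT --to-destination $target"
    do
        printf '%s\n' "$rules" | grep -Fqx -e "$want" ||
            { echo "missing: $want"; rc=1; }
    done
    return "$rc"
}

# Constructed sample input matching steps 2 and 3 of this page.
conf=$(mktemp)
printf 'redsocks {\n    local_ip = 192.168.50.1;\n    local_port = 12345;\n}\n' > "$conf"
check_redsocks_nat wlan0 "$conf" <<'EOF' && echo "nat rules match redsocks.conf"
-P PREROUTING ACCEPT
-N REDSOCKS
-A PREROUTING -i wlan0 -p tcp -j REDSOCKS
-A REDSOCKS -p tcp -j DNAT --to-destination 192.168.50.1:12345
EOF
rm -f "$conf"
# On the Pi: sudo iptables -t nat -S | check_redsocks_nat wlan0 /etc/redsocks.conf
```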
    