Not working on OS X 10.11 due to SIP #78

Open
Willian-Zhang opened this issue Sep 6, 2015 · 33 comments

Comments

@Willian-Zhang

which error ?

generally it doesn't work.

version

$ brew info proxychains-ng
proxychains-ng: stable 4.10, HEAD
Hook preloader
https://sourceforge.net/projects/proxychains-ng/
/usr/local/Cellar/proxychains-ng/4.8.1 (8 files, 100K)
  Built from source
/usr/local/Cellar/proxychains-ng/4.10 (8 files, 88K) *
  Built from source
From: https://github.com/Homebrew/homebrew/blob/master/Library/Formula/proxychains-ng.rb
==> Options
--universal
    Build a universal binary
--HEAD
    Install HEAD version

testcase

Config

strict_chain
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
localnet 127.0.0.0/255.0.0.0

[ProxyList]
socks5 127.0.0.1 30039

Test

$ proxychains4 curl http://ifconfig.co/
[proxychains] config file found: /Users/User/.proxychains/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.10/lib/libproxychains4.dylib
{{an ip resulted from DIRECT accessed http://ifconfig.co/ }}

why does your proxychains not print version information ? (it should)

like [proxychains] DLL init: proxychains-ng 4.10 ?
on my non-el-capitan OS X, it does and it works

if that is so, someone needs to research which changes were introduced in 10.11 that break LD_PRELOAD and how to fix it.
possibly it's the guilt of this new "feature": https://en.wikipedia.org/wiki/System_Integrity_Protection

any idea how to fix it?

you could try to disable the system integrity protection (as described in the wikipedia article) temporarily to see if it makes proxychains work. if so, we can try to seek a permanent workaround.

yes, disabling it would lead to success in working of proxy chains

Disabling SIP

Run csrutil disable in Recovery mode

@Willian-Zhang thanks for testing. now we can look if there's a way to disable the LD_PRELOAD "protection" "feature" for handpicked applications, in our case proxychains-ng.

@rofl0r any luck with this problem?

i haven't found any documentation about the LD_PRELOAD specific protection so far. we need to wait until more information is available (probably after the official release).

@Willian-Zhang
Author

Logs above are moved from #74

Willian-Zhang changed the title from "Not working on OS X 10.11 due to LD_PRELOAD protection" to "Not working on OS X 10.11 due to SIP" on Sep 6, 2015
@tais9

tais9 commented Sep 8, 2015

It only happens if you execute a system binary using proxychains, e.g. proxychains4 ssh user@server. For now, a workaround is to copy the executable to another location (e.g. cp /usr/bin/ssh ~/XXX), and use it (e.g. proxychains4 ~/XXX/ssh user@server). You can modify the path variable so that ~/XXX/ssh is executed instead of /usr/bin/ssh, when you just type "ssh".

@Pikaurd

Pikaurd commented Sep 17, 2015

@tais9 worked for me
thanks

@kennel209

In OS X 10.11,
one workaround is to turn off the debug flag in SIP in recovery mode
csrutil enable --without debug

otherwise, proxychains cannot apply to /bin/* /usr/bin/* /System* ... unfortunately most scripts with #!/usr/bin/env XXX

@cache0928

I find that if you move the executable file (proxychains4) to your home folder (like ~/bin), and then you need to change the PATH value. If you do this, you don't have to disable the SIP, it will work with no error @Willian-Zhang

@wd

wd commented Nov 4, 2015

If you do not want to disable SIP, you can use pyenv to solve this. Use pyenv to install a local python version (of course, you can install a python using make && make install from source).

And then run command like this
proxychains4 ~/.pyenv/versions/2.7.9/bin/python /usr/local/Cellar/youtube-dl/2015.10.24/bin/youtube-dl

@Willian-Zhang
Author

Update

Run csrutil disable in Recovery mode

For those who are disabling SIP to make it work:
There is no need to disable all of SIP: debug mode will also work

Disabling partial SIP

Run csrutil enable --without debug in Recovery mode

@archywillhe

Nice. Disabling SIP's debug indeed works. Though it did complain and echo

requesting an unsupported configuration. This is likely to break in the future and leave your machine in an unknown state

For anyone who wants to have a better sense of what SIP does and how to configure it, you can read up on it here (which I stumbled upon while I was reading an SE post) or just check out the Apple doc

@MatzFan

MatzFan commented Feb 22, 2016

For those like me who do not wish to disable SIP, note that it is possible to use proxychains-ng with Homebrew-installed executables (or linked dupes) as SIP doesn't cover /usr/local. E.g. to use Homebrew's curl (with Tor in the .conf file here):

$ brew install curl

Then:

$ proxychains4 /usr/local/bin/curl http://ifconfig.co/
[proxychains] config file found: /Users/me/.proxychains/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.11/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.11
[proxychains] Dynamic chain  ...  127.0.0.1:9050  ...  188.113.88.193:80  ...  OK
171.25.193.132

Perhaps this could be added to the README section where this issue is mentioned?

@rofl0r
Owner

rofl0r commented Feb 22, 2016

@MatzFan please elaborate on "linked dupes". is there a possibility to use e.g. ssh with a softlink or a hardlink ?

@MatzFan

MatzFan commented Feb 22, 2016

Using the curl example you can do brew link --force curl which will use Homebrew's curl before system installed version (as Homebrew insists /usr/local/bin comes before /usr/bin in your $PATH). If you do that you can simply do $ proxychains4 curl http://ifconfig.co/. Generally not advised to override (dupe) system binaries like this - hence my example using path to the Homebrew Cellar. Homebrew call this Keg only I think.

Not tried ssh, but any Homebrew-installed binary should work with proxychains like this on El Cap., as SIP doesn't affect the directory where all brewed symlinks go.

@MatzFan

MatzFan commented Feb 23, 2016

Homebrew openssh seems to work (using Tor in my .conf file):

$ brew install openssh
==> Installing openssh from homebrew/dupes
==> Downloading https://homebrew.bintray.com/bottles-dupes/openssh-7.1p2.el_capitan.bottle.tar.gz
Already downloaded: /Library/Caches/Homebrew/openssh-7.1p2.el_capitan.bottle.tar.gz
==> Pouring openssh-7.1p2.el_capitan.bottle.tar.gz
🍺  /usr/local/Cellar/openssh/7.1p2: 30 files, 3.9M
Macintosh:~ me$ which ssh
/usr/local/bin/ssh
Macintosh:~ me$ proxychains4 ssh -T git@github.com
[proxychains] config file found: /Users/me/.proxychains/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.11/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.11
[proxychains] Dynamic chain  ...  127.0.0.1:9050  ...  192.30.252.130:22  ...  OK
Hi MatzFan! You've successfully authenticated, but GitHub does not provide shell access.

@meritozh

Because of SIP, you can't use proxychains-ng to proxy an executable which is in a system dir like /usr/bin. But /usr/local/bin works. For something like youtube-dl, which calls python in /usr/bin, installing a Homebrew python or another one can solve it.
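
Added example, not part of any comment in this thread and not proxychains-ng code: a shell check that predicts, before running `proxychains4 <cmd>`, whether the command or its `#!` interpreter sits in a SIP-protected directory, in which case the preload is ignored and traffic goes out directly. The function names and the prefix list (/System, /usr, /bin, /sbin, with /usr/local exempt, taken from the comments above and Apple's HT204899) are assumptions of this example; symlinks are not resolved.

```sh
#!/bin/sh
# Added example (not proxychains-ng code). Predicts whether SIP will drop the
# proxychains preload for a command. ASSUMPTION: the protected prefixes below
# come from this thread and Apple's HT204899; symlinks are not resolved.

# Succeeds (0) when an absolute path lies in a SIP-protected location.
is_sip_protected() {
    case "$1" in
        /usr/local/*) return 1 ;;                  # exempt from SIP
        /System/*|/usr/*|/bin/*|/sbin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the interpreter named on a script's "#!" line (nothing for binaries).
shebang_interpreter() {
    line=$(head -n 1 "$1" 2>/dev/null | tr -d '\000')
    case "$line" in
        '#!'*)
            line=${line#'#!'}
            set -f; set -- $line; set +f           # split off interpreter args
            printf '%s\n' "$1" ;;
    esac
}

# Prints one of: hooked:<path>  direct:<path>  direct-via-interpreter:<path>
# unresolved:<name>  ("direct" means the preload would be silently ignored).
preload_verdict() {
    target=$(command -v "$1" 2>/dev/null) || target=
    case "$target" in
        /*) ;;
        *) printf 'unresolved:%s\n' "$1"; return 0 ;;   # builtin, alias, missing
    esac
    if is_sip_protected "$target"; then
        printf 'direct:%s\n' "$target"; return 0
    fi
    interp=$(shebang_interpreter "$target")
    if [ -n "$interp" ] && is_sip_protected "$interp"; then
        printf 'direct-via-interpreter:%s\n' "$interp"; return 0
    fi
    printf 'hooked:%s\n' "$target"
}

# Usage: sh check.sh curl ssh youtube-dl
for cmd in "$@"; do
    printf '%s -> %s\n' "$cmd" "$(preload_verdict "$cmd")"
done
```

A `direct-via-interpreter:/usr/bin/env` verdict is the youtube-dl case described in this thread: the script itself lives outside the protected paths, but the interpreter launched from its `#!` line does not.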

@zanjs

zanjs commented Nov 18, 2016

$: proxychains4 /usr/local/bin/curl http://ifconfig.co/
[proxychains] config file found: /usr/local/Cellar/proxychains-ng/4.11/etc/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.11/lib/libproxychains4.dylib
proxychains can't load process....: No such file or directory

@kakashisan

kakashisan commented Dec 2, 2016

Hello all, I'm not an expert to follow up but it seems I have a problem that may be similar and related to this SIP, and I would be grateful if someone could help.
I use proxychains4 in macOS Sierra and have an issue with scp.
For ssh, I countered the problem by copying the ssh from /usr/bin to /User/mylaptop and then using this to ssh:
proxychains4 /users/mylaptop/ssh user@host
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /opt/local/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.10
[proxychains] Strict chain .........
and I could connect to my host, but scp won't work.
I ran out of ideas.

@rofl0r
Owner

rofl0r commented Dec 2, 2016

@kakashisan how about trying the things recommended here ?
and what is the error you get from scp ?

@kakashisan

kakashisan commented Dec 2, 2016

Thank you for the fast reply. Here is the output when I scp:
proxychains4 /Users/didisan/scp -vvv didi@host:.bashrc new.file
[proxychains] config file found: /private/etc/proxychains.conf
[proxychains] preloading /opt/local/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.10
Executing: program /usr/bin/ssh host user didi, command scp -v -f .bashrc
OpenSSH_7.2p2, LibreSSL 2.4.1
debug1: Reading configuration data /Users/didisan/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug2: resolving "host" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to host [host] port 22.
debug1: connect to address host port 22: Connection refused
ssh: connect to host host port 22: Connection refused

@rofl0r
Owner

rofl0r commented Dec 2, 2016

oh so the problem is that scp starts ssh from /usr/bin. maybe you can fix that by overriding PATH pointing to where your copy of the ssh binary is, for example:

PATH=/Users/didisan/ proxychains4 /Users/didisan/scp -vvv didi@host:.bashrc new.file

this assumes that "ssh" as well as "scp" are in /Users/didisan.

@kakashisan

I did it before by adding the path but it still executes the binary one:
"Executing: program on /usr/bin/ssh"
I think even if I copied the scp from usr/bin to my local folder, it is still somehow (maybe because of proxychains lib or smth) linked to the ssh of the bin and executes it. My ssh still works with this trick and connects through the proxy.

@JasonQSY

For git, using sudo proxychains4 git clone works for me.

@liftliftlift

According to Apple we should use paths like /usr/local instead of /usr or /usr/bin etc. since OS X El Capitan. See https://support.apple.com/en-us/HT204899.
And my steps to solve it on OS X 10.11.6:

  1. Install Homebrew
  2. brew install proxychains-ng

==> Downloading https://homebrew.bintray.com/bottles/proxychains-ng-4.12_1.el_ca
Already downloaded: /Users/futeli/Library/Caches/Homebrew/proxychains-ng-4.12_1.el_capitan.bottle.tar.gz
==> Pouring proxychains-ng-4.12_1.el_capitan.bottle.tar.gz
🍺 /usr/local/Cellar/proxychains-ng/4.12_1: 8 files, 74.8KB

  3. Proxychains-ng has now been installed at path /usr/local/Cellar

  4. brew install curl

==> Downloading https://homebrew.bintray.com/bottles/curl-7.53.1.el_capitan.bott
######################################################################## 100.0%
==> Pouring curl-7.53.1.el_capitan.bottle.tar.gz
==> Caveats
(here has some caveats I don't use this time)
==> Summary
🍺 /usr/local/Cellar/curl/7.53.1: 390 files, 2.7MB

  5. Curl has also been installed at path /usr/local/Cellar
  6. cd /usr/local/etc && vim proxychains.conf
  7. Configure [ProxyList] in proxychains.conf
  8. Do not use proxychains4 curl xxxx.com but proxychains4 /usr/local/Cellar/curl/7.53.1/bin/curl xxxxx.com.

@Huang-Libo

@tais9
You helped me!

@rickygu

rickygu commented Jan 11, 2019

On mac 10.14.2, csrutil enable --without debug doesn't work. I had to disable completely to kind of work.
I would often get this error warning but everything works fine.

dyld: warning: could not load inserted library '/usr/local/Cellar/proxychains-ng/4.13/lib/libproxychains4.dylib' into hardened process because no suitable image found.  Did find:
	/usr/local/Cellar/proxychains-ng/4.13/lib/libproxychains4.dylib: code signature in (/usr/local/Cellar/proxychains-ng/4.13/lib/libproxychains4.dylib) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
	/usr/local/Cellar/proxychains-ng/4.13/lib/libproxychains4.dylib: stat() failed with errno=1

How do I get rid of this error?

@heany

heany commented Feb 2, 2019

proxychains4 curl www.google.com                                      ✔  671  01:01:10
[proxychains] config file found: /usr/local/etc/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.13/lib/libproxychains4.dylib
curl: (7) Failed to connect to www.google.com port 80: Operation timed out

In mac 10.14, why ? and how do I solve this error?

@theblackturtle

I have this problem too.

@ilyamochalov

same problem for me on
macOS 10.13.6,
ShadowsocksX-NG 1.7.1
proxychains-ng 4.14

@peiyaoli

same issues here

@Neboer

Neboer commented Jun 4, 2019

I am using Ubuntu 19.04 and I still can't launch GUI programme in a graphic way.
I saw the above discussion and the problem seems to have been solved, but in your last release Release 4.14 the problem still occurs. Please find out a solution and solve it, thank you very much.

@rofl0r
Owner

rofl0r commented Jun 4, 2019

> Please find out a solution and solve it

you volunteer? great!

btw, your comment has nothing to do with the issue discussed here, so post further updates about your work in a new issue/PR.

@kk580kk

kk580kk commented Oct 18, 2019

I can solve this problem!!!!

Problem

first
git clone https://github.com/rofl0r/proxychains-ng.git
then make
./configure --prefix=/usr/local --sysconfdir=/etc
sudo make install
installed in /usr/local/bin/proxychains4
but
/usr/local/bin/proxychains4 curl -v -L https://ip.cn/
returns
{"ip": "xxx.xxx.xxx.xxx", "country": "上海市", "city": "移动"}
Same problem there

Solve it

install curl by brew
brew install curl
then do it
/usr/local/bin/proxychains4 /usr/local/opt/curl/bin/curl -v -L https://ip.cn
Solved
{"ip": "xxx.xxx.xxx.xxx", "country": "美国", "city": "阿里云"}

Finally

In case I use zsh.
echo 'export PATH="/usr/local/opt/curl/bin:$PATH"' >> ~/.zshrc
Then
proxychains4 curl -v -L https://ip.cn/
Got
{"ip": "xxx.xxx.xxx.xxx", "country": "美国", "city": "阿里云"}

Goal

@omidraha

Same issue, fixed for some commands as @tais9 said.

@lupguo

lupguo commented Apr 22, 2023

macOS Ventura 13.2.1, proxychains curl ipinfo.io got an unexpected result (not passed through the proxy), but proxychains wget google.com is ok!

Brew install a new curl on mac, then use proxychains with the new curl filepath to solve this problem.

$ brew install curl 
...

$ proxychains4 /opt/homebrew/opt/curl/bin/curl ipinfo.io
[proxychains] config file found: /usr/local/services/proxychains/proxychains.conf
[proxychains] preloading /usr/local/lib/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.16-git-13-g133e06b
[proxychains] Strict chain  ...  127.0.0.1:10553  ...  ipinfo.io:80  ...  OK
{
  "ip": "104.28.227.187",
  "city": "Los Angeles",
  "region": "California",
  "country": "US",
  "loc": "34.0522,-118.2437",
  "org": "AS13335 Cloudflare, Inc.",
  "postal": "90009",
  "timezone": "America/Los_Angeles",
  "readme": "https://ipinfo.io/missingauth"
}

@godspeedcurry

  1. install
    for people who don't want to disable SIP, you can type
    brew install curl openssh
    works fine for ssh, scp, curl

  2. verify
    you can type the following command to verify
    which ssh && which scp && which curl

PS: remember to add their path to ~/.zshrc or ~/.bashrc
