Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


A transparent TCP to SOCKSv5/HTTP proxy on Linux written in Rust.


  • Transparent TCP proxy with iptables -j REDIRECT or nft redirect to
  • Support multiple SOCKSv5/HTTP upstream proxy servers
  • SOCKS/HTTP-layer alive & latency probe
  • Prioritize upstream proxy servers according to latency
  • Full IPv6 support
  • Multiple listen ports, each for a subset of proxy servers
  • Remote DNS resolving for TLS with SNI (extract domain name from TLS handshaking)
  • Optional try-in-parallel for TLS (try multiple proxies and choose the one first response)
  • Optional status web page (latency, traffic, etc. w/ curl-friendly output)
  • Optional Graphite and OpenMetrics (Prometheus) support (to build fancy dashboard with Grafana for example)
  • Customizable proxy selection algorithm with Lua script (see conf/simple_scroe.lua).
+-----+  TCP  +-----------+       SOCKSv5   +---------+
| App |------>| iptables  |    +----------->| Proxy 1 |--->
+-----+       +-----------+    |            +---------+
            redirect |         |
+-----+           to v         |      HTTP  +---------+
| App |       //=========\\    |   +------->| Proxy 2 |--->
+-----+       ||         ||----+   |        +---------+
   |          || MOPROXY ||--------+             :
   +--------->||         ||-----------···        :
   SOCKSv5    \\=========// choose one  |   +---------+
                                        +-->| Proxy N |--->


Print usage

moproxy --help


Assume there are three SOCKSv5 servers on localhost:2001, localhost:2002, and localhost:2003, and two HTTP proxy servers listen on localhost:3128 and Following commands forward all TCP connections that connect to 80 and 443 to these proxy servers.

moproxy --port 2080 --socks5 2001 2002 2003 --http 3128

# redirect local-initiated connections
nft add rule nat output tcp dport {80, 443} redirect to 2080
# redirect connections initiated by other hosts (if you are router)
nft add rule nat prerouting tcp dport {80, 443} redirect to 2080

# or the legacy iptables equivalent
iptables -t nat -A OUTPUT -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 2080
iptables -t nat -A PREROUTING -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 2080

SOCKSv5 server is also launched alongs with transparent proxy on the same port:

http_proxy=socks5h://localhost:2080 curl

Server list file

You may list all proxy servers in a text file to avoid messy CLI arguments.

address= ;required
protocol=socks5 ;required

test dns= ;use remote's local dns server to caculate delay
listen ports=8001

; server-3 serves for port 8001 & 8002, while server-2 is only for
; port 8001. server-1 accepts connections coming from any ports specified
; by CLI argument --port.
listen ports=8001,8002

score base=5000 ;add 5k to pull away from preferred server.

Pass the file path to moproxy via --list argument.

Signal SIGHUP will trigger the program to reload the list.

Custom proxy selection

Proxy servers are sorted by their score, which is re-calculated after each round of alive/latency probing. Server with lower score is prioritized.

The current scoring algorithm is a kind of weighted moving average of latency with penalty for recent connection errors. This can be replaced with your own algorithm written in Lua. See conf/simple_score.lua for details.

Source/destination address–based proxy selection is not directly supported. One workaround is let moproxy bind multiple ports, delegates each port to different proxy servers with listen ports in your config, then doing address-based selection on your firewall.


Metrics (latency, traffic, number of connections, etc.) are useful for diagnosis and customing your own proxy selection. You can access these metrics with various methods, from a simple web page, curl, to specialized tools like Graphite or Prometheus.

--stats-bind [::1]:8080 turns on the internal stats page, via HTTP, on the given IP address and port number. It returns a HTML page for web browser, or a ASCII table for curl.

The stats page only provides current metrics and a few aggregations. Graphite (via --graphite) or OpenMetrics (via --stats-bind then \metrics) should be used if you want a full history.

Some examples of Prometheus query (Grafana variant):

Inbound bandwith:

Total outbound traffic:

No. of connection errors per minute:

Average delay for each proxy server:

Systemd integration

Sample service file: conf/moproxy.service

Implemented features:

  • Watchdog
  • Reloading (via SIGHUP signal)
  • Notify (type=notify, reloading, status string)

Get simple status without turing on the HTTP stats page:

$ systemctl status moproxy
> ...
> Status: "serving (7/11 upstream proxies up)"
> ...


You may download the binary executable file on releases page.

Arch Linux user can install it from AUR/moproxy.

Or compile it manually:

# Install Rust
curl -sSf | sh

# Clone source code
git clone
cd moproxy

# Build
cargo build --release
target/release/moproxy --help

# If you are in Debian
cargo install cargo-deb
cargo deb
sudo dpkg -i target/debian/*.deb
moproxy --help

Refer to conf/ for config & systemd service files.


A transparent TCP to SOCKSv5/HTTP proxy on Linux written in Rust.







Sponsor this project


No packages published

Contributors 4