A SOCKS5 proxy runs on noodle, reachable from this machine via a mutually-authenticated TLS tunnel (stunnel). A local port-forwarding tool (s5pin.py) lets any service be accessed as a local port.
Local client → s5pin.py (local port) → stunnel (localhost:1080) → TLS → noodle:11080 → SOCKS5 → remote service
stunnel is configured in /etc/stunnel/stunnel.conf, with two entries that both connect to noodle:11080:
• socks5h: listens on localhost:1080 (default SOCKS5 port)
• socks5h_noodle: listens on localhost:2080 (alternate)
Both use mutual certificate authentication:
• checkHost = John Critchley (verifies server cert CN)
• CAfile = /etc/stunnel/CA.pem
• cert = /etc/stunnel/cert.pem
• key = /etc/stunnel/key.pem
s5pin.py is located at ~/py/s5pin.py and aliased as s5pin. Note: the alias has a double-slash typo ($HOME//py/s5pin.py), which is harmless but worth fixing.
Listens on a local port and proxies each connection through the SOCKS5 server to a fixed remote host:port. Async, handles multiple simultaneous connections. Supports IPv4, IPv6, and domain name targets.
# Expose a remote database on noodle's network as localhost:5432
s5pin --listen-port 5432 \
--remote-host db.internal \
--remote-port 5432 \
--socks-host localhost \
--socks-port 1080
Defaults: listen on 127.0.0.1:8008, SOCKS at localhost:1080, remote localhost:80.
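The forwarding step described above, as an added sketch (not the code of s5pin.py): it builds the RFC 1928 CONNECT request for IPv4, IPv6 and domain-name targets, performs the no-auth handshake, then relays bytes. The function names are hypothetical, and no-auth SOCKS5 is assumed because the stunnel layer carries the authentication.

```python
import asyncio
import ipaddress
import struct

def build_connect_request(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT request; ATYP is chosen from the form of the target."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (b"\x01" if ip.version == 4 else b"\x04"), ip.packed
    except ValueError:
        name = host.encode("idna")       # not an IP literal: the proxy resolves it
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        atyp, addr = b"\x03", bytes([len(name)]) + name
    return b"\x05\x01\x00" + atyp + addr + struct.pack("!H", port)

async def socks5_handshake(reader, writer, host, port):
    """Negotiate no-auth and CONNECT on an already open stream to the proxy."""
    writer.write(b"\x05\x01\x00")        # VER=5, one method offered: 0x00 (no auth)
    if await reader.readexactly(2) != b"\x05\x00":
        raise ConnectionError("proxy did not accept the no-auth method")
    writer.write(build_connect_request(host, port))
    ver, rep, _, atyp = await reader.readexactly(4)
    if ver != 5 or rep != 0:
        raise ConnectionError(f"SOCKS5 CONNECT failed, REP={rep}")
    # Consume BND.ADDR and BND.PORT so they do not leak into the relayed data.
    n = {1: 4, 4: 16}.get(atyp) or (await reader.readexactly(1))[0]
    await reader.readexactly(n + 2)

async def pipe(reader, writer):
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def serve(listen_port, remote_host, remote_port,
                socks_host="localhost", socks_port=1080):
    async def handle(c_reader, c_writer):
        w = None
        try:
            r, w = await asyncio.open_connection(socks_host, socks_port)
            await socks5_handshake(r, w, remote_host, remote_port)
        except (OSError, EOFError):      # proxy down, refused, or reply cut short
            for s in filter(None, (c_writer, w)): s.close()
            return
        await asyncio.gather(pipe(c_reader, w), pipe(r, c_writer), return_exceptions=True)
    # Loopback only: anyone who can reach this port reaches the target as noodle.
    return await asyncio.start_server(handle, "127.0.0.1", listen_port)
```

Domain targets are sent as ATYP 0x03, so name resolution happens on the proxy side and names that exist only on noodle's network still work.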
Reach a service on noodle's network (e.g. a database, internal API) as if it were local. The remote service sees the connection as originating from noodle.
s5pin can expose non-public REST services (e.g. on noodle's LAN) as local ports, making them reachable by the envoy API call mechanism. See API Registration.