Skip to main content

Quickstart Guide

This guide will help you set up a working paqet proxy quickly.

Prerequisites

libpcap development libraries must be installed on both the client and server machines.
  • Linux: No prerequisites - binaries are statically linked
  • macOS: Comes pre-installed with Xcode Command Line Tools. Install with xcode-select --install
  • Windows: Install Npcap. Download from npcap.com

Setup Steps

1

Download the Binary

Download the pre-compiled binary for your client and server operating systems from the Releases page.Make the binary executable:
chmod +x ./paqet_linux_amd64
You will need root privileges to use raw sockets.
2

Find Your Network Details

You’ll need to find your network interface name, local IP, and the MAC address of your network’s gateway (router).On Linux:
  1. Find Interface and Local IP: Run ip a. Look for your primary network card (e.g., eth0, ens3). Its IP address is listed under inet.
  2. Find Gateway MAC:
    • First, find your gateway’s IP: ip r | grep default
    • Then, find its MAC address with arp -n <gateway_ip> (e.g., arp -n 192.168.1.1)
On macOS:
  1. Find Interface and Local IP: Run ifconfig. Look for your primary interface (e.g., en0). Its IP is listed under inet.
  2. Find Gateway MAC:
    • First, find your gateway’s IP: netstat -rn | grep default
    • Then, find its MAC address with arp -n <gateway_ip> (e.g., arp -n 192.168.1.1)
On Windows:
  1. Find Interface and Local IP: Run ipconfig /all and note your active network adapter (Ethernet or Wi-Fi):
    • Its IP Address
    • The Gateway IP Address
  2. Find Interface device GUID: Windows requires the Npcap device GUID. In PowerShell, run Get-NetAdapter | Select-Object Name, InterfaceGuid. Note the Name and InterfaceGuid of your active network interface, and format the GUID as \Device\NPF_{GUID}.
  3. Find Gateway MAC Address: Run: arp -a <gateway_ip>. Note the MAC address for the gateway.
3

Configure the Server

Create a config.yaml file for your server:
# Role must be explicitly set
role: "server"

# Logging configuration
log:
  level: "info" # none, debug, info, warn, error, fatal

# Server listen configuration
listen:
  addr: ":9999" # CHANGE ME: Server listen port

# Network interface settings
network:
  interface: "eth0" # CHANGE ME: Network interface (eth0, ens3, en0, etc.)
  ipv4:
    addr: "10.0.0.100:9999" # CHANGE ME: Server IPv4 and port (port must match listen.addr)
    router_mac: "aa:bb:cc:dd:ee:ff" # CHANGE ME: Gateway/router MAC address

# Transport protocol configuration
transport:
  protocol: "kcp" # Transport protocol (currently only "kcp" supported)
  kcp:
    block: "aes" # Encryption algorithm
    key: "your-secret-key-here" # CHANGE ME: Secret key (must match client)
Avoid Standard PortsDo not use ports 80, 443, or any other standard ports, because iptables rules can also affect outgoing connections from the server. Choose non-standard ports (e.g., 9999, 8888, or other high-numbered ports) for your server configuration.
4

Configure Critical Firewall Rules

Although packets are handled at a low level, the OS kernel can still see incoming packets on the connection port and generate TCP RST packets. These kernel generated resets can corrupt connection state in NAT devices and stateful firewalls, causing instability, packet drops, and premature termination.You must configure iptables on the server to prevent the kernel from interfering.Run these commands as root on your server:
# Replace <PORT> with your server listen port (e.g., 9999)

# 1. Bypass connection tracking (conntrack) for the connection port. This is essential.
# This tells the kernel's netfilter to ignore packets on this port for state tracking.
sudo iptables -t raw -A PREROUTING -p tcp --dport <PORT> -j NOTRACK
sudo iptables -t raw -A OUTPUT -p tcp --sport <PORT> -j NOTRACK

# 2. Prevent the kernel from sending TCP RST packets that would kill the session.
# This drops any RST packets the kernel tries to send from the connection port.
sudo iptables -t mangle -A OUTPUT -p tcp --sport <PORT> --tcp-flags RST RST -j DROP

# An alternative for rule 2 if issues persist:
sudo iptables -t filter -A INPUT -p tcp --dport <PORT> -j ACCEPT
sudo iptables -t filter -A OUTPUT -p tcp --sport <PORT> -j ACCEPT

# To make rules persistent across reboots:
# Debian/Ubuntu: sudo iptables-save > /etc/iptables/rules.v4
# RHEL/CentOS: sudo service iptables save
These rules ensure that only the application handles traffic for the connection port.
5

Configure the Client

Create a config.yaml file for your client:
# Role must be explicitly set
role: "client"

# Logging configuration
log:
  level: "info" # none, debug, info, warn, error, fatal

# SOCKS5 proxy configuration (client mode)
socks5:
  - listen: "127.0.0.1:1080" # SOCKS5 proxy listen address

# Network interface settings
network:
  interface: "en0" # CHANGE ME: Network interface (en0, eth0, wlan0, etc.)
  # guid: "\Device\NPF_{...}" # Windows only (Npcap).
  ipv4:
    addr: "192.168.1.100:0" # CHANGE ME: Local IP (use port 0 for random port)
    router_mac: "aa:bb:cc:dd:ee:ff" # CHANGE ME: Gateway/router MAC address

# Server connection settings
server:
  addr: "10.0.0.100:9999" # CHANGE ME: paqet server address and port

# Transport protocol configuration
transport:
  protocol: "kcp" # Transport protocol (currently only "kcp" supported)
  kcp:
    block: "aes" # Encryption algorithm
    key: "your-secret-key-here" # CHANGE ME: Secret key (must match server)
The client acts as a SOCKS5 proxy server, accepting connections from applications and dynamically forwarding them through the raw TCP packets to any destination.
6

Start the Server

On the server, run:
# Make sure to use the binary name you downloaded for your server's OS/Arch.
sudo ./paqet_linux_amd64 run -c config.yaml
7

Start the Client

On the client, run:
# Make sure to use the binary name you downloaded for your client's OS/Arch.
sudo ./paqet_darwin_arm64 run -c config.yaml
8

Test the Connection

Once the client and server are running, test the SOCKS5 proxy:
# Test with curl using the SOCKS5 proxy
curl -v https://httpbin.org/ip --proxy socks5h://127.0.0.1:1080
This request will be proxied over raw TCP packets to the server, and then forwarded according to the client mode configuration. The output should show your server’s public IP address, confirming the connection is working.

Troubleshooting

If you encounter issues:
  1. Permission Denied: Ensure you are running with sudo.
  2. Connection Times Out:
    • Transport Configuration Mismatch: Ensure transport.kcp.key is exactly identical on client and server
    • iptables Rules: Did you apply the firewall rules on the server?
    • Incorrect Network Details: Double-check all IPs, MAC addresses, and interface names.
    • Cloud Provider Firewalls: Ensure your cloud provider’s security group allows TCP traffic on your listen.addr port.
    • NAT/Port Configuration: For servers, ensure listen.addr and network.ipv4.addr ports match. For clients, use port 0 in network.ipv4.addr for automatic port assignment to avoid conflicts.
  3. Use ping and dump: Use paqet ping -c config.yaml to test the connection. Use paqet dump -p <PORT> on the server to see if packets are arriving.

Next Steps

Installation Guide

Detailed installation instructions for all platforms

Configuration Reference

Complete configuration documentation

Build docs developers (and LLMs) love

Get started for freeTalk to us