Bug: Socks proxy doesn't work for UDP data

[NaruZosa]

Is this urgent?

No

Host OS

Unraid

CPU arch

x86_64

VPN service provider

Custom

What are you using to run the container

docker run

What is the version of Gluetun

Running version latest built on 2026-05-24T22:30:37.344Z (commit ebbc630) on Linux 6.12.85-Unraid (x86_64)

What's the problem 🤔

The new plaintext socks feature works, but not for UDP data.
Tested with multiple known working trackers in qBittorrent using both http tracker URLs and UDP.

Likely related to #656

Share your logs (at least 10 lines)

2026-05-25T21:22:17+10:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
2026-05-25T21:22:17+10:00 INFO [routing] adding route for 0.0.0.0/0
2026-05-25T21:22:17+10:00 INFO [firewall] setting allowed subnets...
2026-05-25T21:22:17+10:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
2026-05-25T21:22:17+10:00 INFO [routing] adding route for 192.168.1.0/24
2026-05-25T21:22:17+10:00 INFO [healthcheck] listening on 127.0.0.1:9999
2026-05-25T21:22:17+10:00 INFO [socks5] SOCKS5 server listening on [::]:1080
2026-05-25T21:22:17+10:00 INFO [http server] http server listening on [::]:8000
2026-05-25T21:22:17+10:00 INFO [firewall] allowing VPN connection...
2026-05-25T21:22:17+10:00 INFO [wireguard] Using available kernelspace implementation
2026-05-25T21:22:17+10:00 INFO [wireguard] Connecting to REDACTED:1443
2026-05-25T21:22:17+10:00 INFO [socks5] running socks connection: handling request: command UDP associate is not supported
|   |           └── Server public key: REDACTED
|   ├── Wireguard settings:
|   |   ├── Private key: REDACTED
|   |   ├── Interface addresses:
|   |   |   └── REDACTED/24
|   |   ├── Allowed IPs:
|   |   |   ├── 0.0.0.0/0
|   |   |   └── ::/0
|   |   └── Network interface: tun0
|   |       └── MTU: use path MTU discovery
|   └── Path MTU discovery:
|       ├── ICMP addresses:
|       |   ├── 1.1.1.1
|       |   └── 8.8.8.8
|       └── TCP addresses:
|           ├── 1.1.1.1:443
|           ├── 8.8.8.8:443
|           ├── 1.1.1.1:53
|           ├── 8.8.8.8:53
|           ├── [2606:4700:4700::1111]:53
|           ├── [2001:4860:4860::8888]:53
|           ├── [2606:4700:4700::1111]:443
|           └── [2001:4860:4860::8888]:443
├── DNS settings:
|   ├── Upstream resolver type: dot
|   ├── Upstream resolvers:
|   |   └── Cloudflare
|   ├── Caching: yes
|   ├── IPv6: no
|   ├── Update period: every 24h0m0s
|   └── DNS filtering settings:
|       ├── Block malicious: yes
|       ├── Block ads: no
|       └── Block surveillance: no
├── Firewall settings:
|   ├── Enabled: yes
|   ├── Iptables settings:
|   |   └── Log level: info
|   └── Outbound subnets:
|       └── 192.168.1.0/24
├── Log settings:
|   └── Log level: info
├── IPv6 settings:
|   └── Check addresses:
|       ├── [2001:4860:4860::8888]:53
|       └── [2606:4700:4700::1111]:53
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target addresses:
|   |   ├── cloudflare.com:443
|   |   └── github.com:443
|   ├── Small health check type: ICMP echo request
|   |   └── ICMP target IPs:
|   |       ├── 1.1.1.1
|   |       └── 8.8.8.8
|   └── Restart VPN on healthcheck failure: yes
├── SOCKS5 proxy server settings:
|   ├── Enabled: yes
|   └── Listening address: :1080
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Servers directory path: /gluetun/servers/
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: australia/sydney
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
└── Version settings:
    └── Enabled: yes
2026-05-25T21:22:17+10:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
2026-05-25T21:22:17+10:00 INFO [routing] adding route for 0.0.0.0/0
2026-05-25T21:22:17+10:00 INFO [firewall] setting allowed subnets...
2026-05-25T21:22:17+10:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.2 and family v4
2026-05-25T21:22:17+10:00 INFO [routing] adding route for 192.168.1.0/24
2026-05-25T21:22:17+10:00 INFO [healthcheck] listening on 127.0.0.1:9999
2026-05-25T21:22:17+10:00 INFO [socks5] SOCKS5 server listening on [::]:1080
2026-05-25T21:22:17+10:00 INFO [http server] http server listening on [::]:8000
2026-05-25T21:22:17+10:00 INFO [firewall] allowing VPN connection...
2026-05-25T21:22:17+10:00 INFO [wireguard] Using available kernelspace implementation
2026-05-25T21:22:17+10:00 INFO [wireguard] Connecting to REDACTED:1443
2026-05-25T21:22:17+10:00 INFO [socks5] running socks connection: handling request: command UDP associate is not supported
2026-05-25T21:22:17+10:00 INFO [vpn] wireguard setup is complete. Note wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the wireguard connection is not working.
2026-05-25T21:22:17+10:00 INFO [MTU discovery] finding maximum MTU, this can take up to 6 seconds
2026-05-25T21:22:19+10:00 INFO [MTU discovery] setting VPN interface tun0 MTU to maximum valid MTU 1420
2026-05-25T21:22:19+10:00 INFO [dns] DNS server listening on [::]:53
2026-05-25T21:22:19+10:00 INFO [dns] ready and using DNS server with dot upstream resolvers
2026-05-25T21:22:19+10:00 INFO [dns] downloading hostnames and IP block lists
2026-05-25T21:22:25+10:00 INFO [dns] leak check report: REDACTED (10%), REDACTED (10%), REDACTED (10%), REDACTED (10%), REDACTED (10%), REDACTED (10%), REDACTED (10%), REDACTED (10%), REDACTED (10%), REDACTED (10%)
2026-05-25T21:22:26+10:00 INFO [ip getter] Public IP address is REDACTED (REDACTED, REDACTED, REDACTED - source: ipinfo+ifconfig.co+ip2location+cloudflare)
2026-05-25T21:22:27+10:00 INFO [vpn] You are running on the bleeding edge of latest!

Share your configuration

Docker Compose YAML:

services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun_vpn
    cap_add:
      - NET_ADMIN
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 1080:1080/tcp # socks5 proxy TCP
      - 1080:1080/udp # socks5 proxy UDP
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - /mnt/user/appdata/gluetun/wg0.conf:/gluetun/wireguard/wg0.conf
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - FIREWALL=on
      - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
      - SOCKS5_ENABLED=on
      - SOCKS5_LISTENING_ADDRESS=":1080"
      - SOCKS5_USER=""
      - SOCKS5_PASSWORD=""

[github-actions]

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

• do not ask for updates, be patient
• 👍 the issue to show your support instead of commenting
  @qdm12 usually checks issues at least once a week, if this is a new urgent bug,
  revert to an older tagged container image

[leo15dev]

May related to this #3337, also the description in README is " Built in Socks5 proxy server (tunnels TCP) "

[NaruZosa]

Doh, somehow I missed that in the readme.

Should this be a feature request rather than a bug report?

[qdm12]

I'll add udp, I do feel like a fraud just proxying tcp 😄

[NaruZosa]

Thank you so much!
That will make the native Gluetun solution you've built even more functional than the workaround using serjs/socks5-server from #234 as it only proxies TCP.

[mounteen0]

Oh! I see SOCKS5 is now supported in this update. Thank you so much.
I had to connect and use 3proxy specifically for SOCKS5, so this will be much more convenient.
Once UDP support is added, it will have no weaknesses at all.