ProxiFyre enables applications without native proxy support to transparently route both TCP and UDP traffic through a SOCKS5 proxy, enabling advanced use cases such as QUIC over SOCKS—a capability not supported by modern web browsers.
Built on top of the Windows Packet Filter socksify demo, ProxiFyre significantly extends its foundational functionality with production-ready enhancements. In addition to full UDP support, ProxiFyre allows users to manage multiple SOCKS5 proxy instances simultaneously.
Configuration is streamlined through a single app-config.json file, making setup intuitive and reproducible. For long-running or unattended use cases, ProxiFyre can also be configured to run as a Windows Service, ensuring continuous operation without manual intervention.
As of v2.1.1, ProxiFyre also supports process exclusions, allowing you to specify which applications should bypass the proxy while others remain proxied. Additionally, performance has been improved through intelligent caching of process matching.
As of v2.2.0, ProxiFyre supports LAN bypass, allowing local network traffic to pass through without being proxied.
As of v2.3.0, ProxiFyre also proxies IPv6 destinations. Previously only IPv4 traffic from a matched application was routed through the proxy while its IPv6 TCP/UDP traffic leaked out directly; now both address families are redirected to the configured SOCKS5 proxy.
Requirements and limitations:
- Your client host must already have working IPv6 connectivity. ProxiFyre redirects the IPv6 packets your applications actually transmit — it does not create IPv6 reachability. On an IPv4-only host, your applications never emit global IPv6 traffic, so there is nothing to redirect and you will still see IPv4-only egress even for IPv6-capable destinations. (This is inherent to the packet-filter design: it intercepts transmitted packets, it does not originate connections on the application's behalf.)
- The SOCKS5 server endpoint itself must be IPv4 — a literal IPv4 address, or a hostname that resolves to an A record. ProxiFyre connects to the proxy over IPv4 and reaches it via its IPv4-mapped IPv6 address on a dual-stack socket when relaying IPv6 destinations; an IPv6-only proxy address (an IPv6 literal, or an AAAA-only hostname) is not supported. Existing IPv4 endpoints (e.g., 127.0.0.1:1080) continue to work unchanged.
- The SOCKS5 server must accept IPv6 target addresses (ATYP=4); servers that only support IPv4/domain targets will reject IPv6 destinations.
- Fragmented IPv6 datagrams are not redirected. To avoid corrupting a partially rewritten datagram, IPv6 packets that arrive fragmented are passed through unproxied — so an application that emits oversized IPv6 UDP datagrams (which the OS fragments at the source) can leak those datagrams outside the proxy. Most traffic is unaffected: TCP is never source-fragmented, and UDP that honors path-MTU discovery (e.g. QUIC/HTTP3) does not fragment. A one-time warning is logged when such a packet is first passed through.
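To make the ATYP=4 requirement concrete, here is an added example (not ProxiFyre's code) that builds a SOCKS5 CONNECT request per RFC 1928 and interprets the server's reply code. The function names and the sample replies are constructed for illustration; treating only REP 0x08 as "IPv6 targets unsupported" is an assumption of this sketch.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
# Reply codes from RFC 1928, section 6 (subset).
REP = {0x00: "succeeded", 0x01: "general failure", 0x04: "host unreachable",
       0x05: "connection refused", 0x08: "address type not supported"}

def build_connect_request(host, port):
    """Frame VER CMD RSV ATYP DST.ADDR DST.PORT for a CONNECT (CMD=1)."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV6 if ip.version == 6 else ATYP_IPV4
        addr = ip.packed                       # 4 or 16 raw bytes
    except ValueError:                         # not an IP literal: domain name
        name = host.encode("idna")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([0x05, 0x01, 0x00, atyp]) + addr + struct.pack("!H", port)

def parse_reply(reply):
    """Return (rep_code, meaning) from the first bytes of a SOCKS5 reply."""
    if len(reply) < 4 or reply[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    return reply[1], REP.get(reply[1], "other failure")

def accepts_ipv6_targets(reply):
    """False only when the server rejects the address type itself (0x08)."""
    code, _ = parse_reply(reply)
    return code != 0x08

# Constructed sample data: a request for a documentation-range IPv6 target
# and two replies a server might send back.
REQUEST_V6 = build_connect_request("2001:db8::1", 443)
REPLY_REJECTED = b"\x05\x08\x00\x01" + b"\x00" * 6    # ATYP not supported
REPLY_ACCEPTED = b"\x05\x00\x00\x04" + b"\x00" * 18   # bound to an IPv6 address

if __name__ == "__main__":
    print(REQUEST_V6.hex())
    print(parse_reply(REPLY_REJECTED), accepts_ipv6_targets(REPLY_REJECTED))
    print(parse_reply(REPLY_ACCEPTED), accepts_ipv6_targets(REPLY_ACCEPTED))
```

A reply of 0x08 to a request like this is what an application's IPv6 connections will hit when the configured proxy only handles IPv4 and domain targets.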
The application uses a configuration file named app-config.json. This JSON file should contain configurations for different applications. Each configuration object should have the following properties:
- appNames: An array of strings representing the names of applications this configuration applies to.
- socks5ProxyEndpoint: A string that specifies the SOCKS5 proxy endpoint.
- username: A string that specifies the username for the proxy (optional).
- password: A string that specifies the password for the proxy (optional).
- supportedProtocols: An array of strings specifying the supported protocols (e.g., "TCP", "UDP").
- excludes (new in v2.1.1): An array of application names or paths to exclude from proxy routing.
- bypassLan (new in v2.2.0): A boolean to bypass proxy for local network traffic (default: false).
LogLevel can have one of the following values which define the detail of the log:
Error, Warning, Info, Debug, All
- A name entry (one that contains neither / nor \) matches the executable's filename, anchored to the whole name. firefox or firefox.exe both match firefox.exe.
  - It matches the exact name, or the name followed by an extension such as .exe — so firefox matches firefox.exe but not NewFirefox.exe (a short pattern won't match an unrelated executable).
- If the pattern contains slashes or backslashes, it is treated as a pathname and matched as a substring of the process's full path.
  - This allows targeting an entire folder (useful for UWP apps).
  - Example: C:\\Program Files\\WindowsApps\\ROBLOXCORPORATION.ROBLOX
- An empty string ("") is a catch-all that matches every process not already matched by a prior proxy and not listed in excludes. Use it for a default/fallback proxy — and place this proxy last in the proxies list, since proxies are matched in order and a catch-all shadows any proxy defined after it.
The excludes section lets you define processes that should bypass the proxy.
This is useful when you want a global proxy setup but keep certain apps (like browsers, local dev tools, or games) unproxied.
Unlike appNames, exclusion entries match by substring (a name is matched against the process's filename, a path-form entry against the full path) — so chrome also excludes chrome_proxy.exe. Exclusion is deliberately permissive so an app you meant to keep direct is not accidentally proxied.
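The appNames and excludes rules above can be checked against a config before deploying it. The following is an added sketch, not ProxiFyre's implementation: the function names and sample config are constructed, and two points are assumptions of this sketch that the text does not state: comparison is case-insensitive, and excludes are evaluated before any proxy entry.

```python
import ntpath  # Windows path handling, independent of the host OS

def name_matches(pattern, exe_path):
    # appNames rule. Case-insensitive comparison is an assumption.
    pat, path = pattern.lower(), exe_path.lower()
    if pat == "":
        return True                       # catch-all entry
    if "/" in pat or "\\" in pat:
        return pat in path                # path form: substring of full path
    filename = ntpath.basename(path)
    # Name form: whole filename, or the name followed by an extension.
    return filename == pat or filename.startswith(pat + ".")

def is_excluded(entry, exe_path):
    # excludes rule: plain substring match, deliberately permissive.
    ent, path = entry.lower(), exe_path.lower()
    if "/" in ent or "\\" in ent:
        return ent in path
    return ent in ntpath.basename(path)

def resolve(config, exe_path):
    # Assumption: excludes are checked before the proxies list.
    if any(is_excluded(e, exe_path) for e in config.get("excludes", [])):
        return "direct (excluded)"
    for proxy in config["proxies"]:       # proxies are matched in order
        if any(name_matches(p, exe_path) for p in proxy["appNames"]):
            return proxy["socks5ProxyEndpoint"]
    return "direct (no match)"

def shadowed_proxies(config):
    # Indexes of proxies defined after a catch-all; they can never match.
    for i, proxy in enumerate(config["proxies"]):
        if "" in proxy["appNames"]:
            return list(range(i + 1, len(config["proxies"])))
    return []

# Constructed sample config with a misplaced catch-all (placeholder endpoints).
CONFIG = {
    "proxies": [
        {"appNames": ["firefox", "C:\\Program Files\\WindowsApps\\ROBLOXCORPORATION.ROBLOX"],
         "socks5ProxyEndpoint": "127.0.0.1:1080"},
        {"appNames": [""], "socks5ProxyEndpoint": "127.0.0.1:1081"},
        {"appNames": ["curl"], "socks5ProxyEndpoint": "127.0.0.1:1082"},
    ],
    "excludes": ["chrome"],
}
```

Here shadowed_proxies(CONFIG) reports index 2: the curl entry sits after the catch-all, so curl.exe is routed to the fallback endpoint instead of its own.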
Example configuration:
{
"logLevel": "Error",
"proxies": [
{
"appNames": [""],
"socks5ProxyEndpoint": "oracle.sshvpn.me:1080",
"username": "username1",
"password": "password1",
"supportedProtocols": ["TCP", "UDP"]
}
],
"excludes": [
"firefox",
"C:\\Program Files\\LocalApp\\NotProxiedApp.exe"
]
}
When bypassLan is set to true, traffic to/from local network ranges will pass through without being proxied. This is useful for accessing local network resources (printers, NAS, local servers) while proxying internet traffic.
Bypassed ranges:
- 10.0.0.0/8 – Private Class A
- 172.16.0.0/12 – Private Class B (172.16.x.x – 172.31.x.x)
- 192.168.0.0/16 – Private Class C
- 224.0.0.0/4 – Multicast (224.x.x.x – 239.x.x.x)
- 169.254.0.0/16 – Link-local (APIPA)
Example:
{
"logLevel": "Info",
"bypassLan": true,
"proxies": [
{
"appNames": ["chrome", "firefox"],
"socks5ProxyEndpoint": "127.0.0.1:1080",
"supportedProtocols": ["TCP", "UDP"]
}
]
}
If the SOCKS5 proxy does not support authorization, you can skip the username and password fields in the configuration.
{
"logLevel": "Error",
"bypassLan": true,
"proxies": [
{
"appNames": ["chrome", "C:\\Program Files\\WindowsApps\\ROBLOXCORPORATION.ROBLOX"],
"socks5ProxyEndpoint": "158.101.205.51:1080",
"username": "username1",
"password": "password1",
"supportedProtocols": ["TCP", "UDP"]
},
{
"appNames": ["firefox", "firefox_dev"],
"socks5ProxyEndpoint": "127.0.0.1:8080",
"supportedProtocols": ["TCP"]
}
],
"excludes": [
"edge",
"localservice.exe"
]
}
This guide provides step-by-step instructions on how to set up and run the ProxiFyre application.
Windows Packet Filter is a critical dependency for our project.
- Visit the Windows Packet Filter GitHub page to download the latest version.
- Follow the instructions on the page to install it.
Visual Studio Runtime Libraries are required for running applications developed with Visual Studio.
- Identify your system architecture (x64, x86, or ARM64).
- Download the appropriate installer for your platform to ensure compatibility and optimal performance.
  - For x64 systems, download the x64 installer.
  - For x86 systems, download the x86 installer.
  - For ARM64 systems, download the ARM64 installer.
- Locate the downloaded installer and double-click on it to begin the installation.
- Follow the on-screen instructions to complete the installation.
Please ensure you download the correct installer to avoid any installation issues.
- Download the Latest Release: Visit our GitHub Releases page to download the latest release of the ProxiFyre software.
- Unzip the Software: After downloading, extract the contents of the .zip file to your preferred location.
- Create app-config.json File: Following the template provided in the Configuration section of this document, create an app-config.json file. This file is crucial for the software to function properly. Save this file in the main application folder.
- Run the Application: Navigate to the directory where you extracted the software. Find the main application executable (ProxiFyre.exe) and run it. It's recommended to run the application as an administrator to ensure all functionalities work as expected.
- Temporarily disable the firewall to confirm if it’s blocking ProxiFyre.
- If this resolves the issue, add an inbound firewall rule for ProxiFyre.exe instead of keeping the firewall disabled.
  - Open Windows Defender Firewall with Advanced Security.
  - Go to Inbound Rules → New Rule... → Program.
  - Select ProxiFyre.exe and allow the connection.
  - Apply to all profiles (Domain, Private, Public).
ProxiFyre can be installed and run as a Windows service. Follow these steps:
- Open a command prompt as an administrator.
- Navigate to the directory containing ProxiFyre.exe.
- Use the following command to install the service:
  ProxiFyre.exe install
- Start the service with:
  ProxiFyre.exe start
- To stop the service, use:
  ProxiFyre.exe stop
- If you wish to uninstall the service, use:
  ProxiFyre.exe uninstall
Logs are saved in the application folder under the /logs directory. The details and verbosity of the logs depend on the configuration set in the app-config.json file.
Before starting the build process, ensure the following requirements are met:
- Install vcpkg: You can download and install vcpkg from the official website here.
- Install Microsoft GSL library via vcpkg: Once vcpkg is installed, use it to download and install the Microsoft GSL library. Run the following commands in your terminal:
  vcpkg install ms-gsl:x86-windows ms-gsl:x64-windows ms-gsl:arm64-windows
- Add online NuGet Package Source: In some cases, you may need to add an online NuGet Package Source. To do this, navigate to Visual Studio -> Tools -> Options -> NuGet Package Manager -> Package Sources and add https://nuget.org/api/v2.
This repository consists of three main projects:
This is an adopted Windows Packet Filter NDISAPI static library project.
This project is a .Net C++/CLI class library that implements the local SOCKS5 router functionality.
This is a .Net-based Windows console application that employs the functionality provided by the socksify .Net C++/CLI class library.