UDP proxy — envoy 1.21.0-dev-4b5b33 documentation
This filter should be configured with the name envoy.filters.udp_listener.udp_proxy.
The UDP proxy listener filter allows Envoy to operate as a non-transparent proxy between a
UDP client and server. The lack of transparency means that the upstream server will see the
source IP and port of the Envoy instance versus the client. All datagrams flow from the client, to
Envoy, to the upstream server, back to Envoy, and back to the client.
Because UDP is not a connection-oriented protocol, Envoy must keep track of a client's session
so that response datagrams from an upstream server can be routed back to the correct client.
Each session is indexed by the 4-tuple consisting of the source IP/port and the local IP/port on which the
datagram is received. Sessions last until the idle timeout is reached.
The UDP proxy listener filter can also operate as a transparent proxy if the
field is set. Keep in mind that it forwards only the client's IP address to upstreams, not the client's port.
Load balancing and unhealthy host handling
Envoy will fully utilize the configured load balancer for the configured upstream cluster when
load balancing UDP datagrams. When a new session is created, Envoy will associate the session
with an upstream host selected using the configured load balancer. All future datagrams that
belong to the session will be routed to the same upstream host.
When an upstream host becomes unhealthy (due to active health checking), Envoy will attempt to create a new session to a healthy host
when the next datagram is received.
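The session handling described in the two sections above (4-tuple indexing, idle timeout, a session pinned to the host the load balancer chose, and re-creation on a healthy host once the pinned host is marked unhealthy) is modelled here as an added example. This is illustration code, not Envoy's implementation; the round-robin balancer, the host names and the timestamps are constructed stand-ins, and the counters only mirror the statistics the filter documents.

```python
"""Model of the UDP session tracking described above.

Added illustration, not Envoy's code: sessions are indexed by the 4-tuple of the
datagram (source IP/port, local IP/port), pinned to the upstream host the load
balancer picked when the session was created, destroyed after idle_timeout, and
re-created on a healthy host when the pinned host has been marked unhealthy.
The round-robin balancer, host names and timestamps are constructed stand-ins.
"""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Optional, Tuple

FourTuple = Tuple[str, int, str, int]  # (src_ip, src_port, local_ip, local_port)


@dataclass
class Session:
    upstream: str       # upstream host this session is pinned to
    last_seen: float    # time of the most recent datagram for the session
    datagrams: int = 0  # datagrams routed through the session


class UdpSessionTable:
    def __init__(self, hosts: List[str], idle_timeout: float) -> None:
        self.hosts = list(hosts)
        self.healthy = set(self.hosts)
        self.idle_timeout = idle_timeout
        self.sessions: Dict[FourTuple, Session] = {}
        self._rr = cycle(self.hosts)
        # Counters mirroring the statistics listed for the filter.
        self.sess_total = 0        # sessions created in total
        self.idle_timeouts = 0     # sessions destroyed by idle timeout
        self.no_healthy_drops = 0  # datagrams dropped because no host is healthy

    def _pick_host(self) -> Optional[str]:
        """Round-robin over healthy hosts (stand-in for the configured LB)."""
        for _ in range(len(self.hosts)):
            host = next(self._rr)
            if host in self.healthy:
                return host
        return None

    def mark_unhealthy(self, host: str) -> None:
        """Active health checking has failed this host."""
        self.healthy.discard(host)

    def mark_healthy(self, host: str) -> None:
        self.healthy.add(host)

    def expire_idle(self, now: float) -> int:
        """Destroy sessions idle for longer than idle_timeout; return the count."""
        dead = [k for k, s in self.sessions.items()
                if now - s.last_seen > self.idle_timeout]
        for k in dead:
            del self.sessions[k]
        self.idle_timeouts += len(dead)
        return len(dead)

    def route(self, key: FourTuple, now: float) -> Optional[str]:
        """Return the upstream host for a downstream datagram, or None if dropped.

        An existing session stays on its host while that host is healthy. If the
        host has become unhealthy, a new session is created on a healthy host when
        this datagram arrives, as the text describes.
        """
        self.expire_idle(now)
        sess = self.sessions.get(key)
        if sess is not None and sess.upstream in self.healthy:
            sess.last_seen = now
            sess.datagrams += 1
            return sess.upstream
        host = self._pick_host()
        if host is None:
            self.no_healthy_drops += 1
            return None
        self.sessions[key] = Session(upstream=host, last_seen=now, datagrams=1)
        self.sess_total += 1
        return host


if __name__ == "__main__":
    table = UdpSessionTable(["10.0.0.1:1235", "10.0.0.2:1235"], idle_timeout=60.0)
    client = ("192.0.2.10", 40000, "127.0.0.1", 1234)  # constructed 4-tuple
    print(table.route(client, 0.0), table.route(client, 1.0))  # same host twice
```

The point worth noticing is that nothing identifies the "connection" except the 4-tuple and a timestamp: a client that changes source port, or a NAT in front of Envoy that rebinds, starts a new session and may land on a different upstream host, which is why the documentation ties session lifetime to the idle timeout rather than to any protocol-level close.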
The following example configuration will cause Envoy to listen on UDP port 1234 and proxy to a UDP
server listening on port 1235, allowing 9000 byte packets in both directions (i.e., either jumbo
frames or fragmented IP packets).
(Only fragments of the example configuration survived extraction: a listener named listener_0 on the loopback address, the udp_proxy listener filter, and an upstream cluster named service_udp.)
The UDP proxy filter emits both its own downstream statistics as well as many of the cluster
upstream statistics where applicable. The downstream
statistics are rooted at udp.
Number of datagrams not routed due to no cluster
Number of bytes received
Number of datagrams received
Number of datagram receive errors
Number of sessions created in total
Number of bytes transmitted
Number of datagrams transmitted
Number of datagram transmission errors
Number of sessions destroyed due to idle timeout
Number of sessions currently active
The following standard upstream cluster stats are used
by the UDP proxy:
Number of datagrams dropped due to no healthy hosts
Number of datagrams dropped due to hitting the session circuit breaker
The UDP proxy filter also emits custom upstream cluster stats prefixed with
Number of datagrams dropped due to kernel overflow or truncation
Number of datagrams transmitted
How can we set up a proxy server dealing with UDP packets?
Any kind of proxy, whether it is for TCP or UDP, needs to be told where to forward outgoing packets to. That also allows the proxy to know who is requesting the forwarding so it can route matching inbound packets back to that same requester.
Let's assume SOCKS, for example. SOCKS v4 does not support UDP (or IPv6), but SOCKS v5 does. However, it requires the requesting app to establish a TCP connection to the SOCKS proxy and ask it to forward UDP packets on the app's behalf until that TCP connection is closed.
Tools like CCProxy, Proxycap, Proxifier, etc. work (for TCP, anyway) by intercepting outgoing TCP connections and redirecting them to the proxy server, transparently handling any proxy handshaking to set up forwarding, before then allowing any application data to flow through the TCP connection. Once the TCP connection has been established, the proxifier does not need to do anything more with the connection since the app is now talking directly to the proxy.
I do not know if such tools support UDP. It would be much harder to implement, since there is no outgoing connection to redirect. Every outbound UDP packet would have to be intercepted, then the proxifier would have to check if it already has its own SOCKS v5 TCP connection associated with the packet’s local/remote tuple and if not then create a new one and send the necessary UDP forwarding handshake, then encapsulate every outbound UDP packet for that tuple and send it to the proxy’s outbound IP/Port, and receive every matching inbound UDP packet for that tuple from the proxy so it can be de-encapsulated and forwarded to the app’s local IP/Port that sent out the original outbound UDP packet. And because UDP is connection-less, the proxifier would have to also implement a timeout mechanism on its SOCKS v5 TCP connection to the proxy so it can eventually be closed after a period of UDP traffic being idle.
That is a LOT more work for a UDP proxifier to do compared to TCP.
And that is just for SOCKS. HTTP/FTP proxies do not support UDP at all (since HTTP/FTP are TCP-based protocols). And there are other tunnel/proxy protocols as well, which may or may not have their own UDP capabilities.
So you have to check the capabilities of your proxifier tool to see if it supports UDP or not.
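The answer above talks about encapsulating each outbound UDP datagram for the proxy and de-encapsulating the matching inbound ones. For SOCKS v5 that framing is the UDP relay header of RFC 1928 section 7: RSV (2 bytes, zero), FRAG (1 byte), ATYP (1 byte), DST.ADDR, DST.PORT (2 bytes), then the application data. The code below is an added example of that encapsulation and of a bounds-checked parser for the reverse direction; it is not taken from any of the proxifier tools named, the SOCKS TCP control connection and UDP ASSOCIATE handshake are left out, and the sample datagrams are constructed.

```python
"""SOCKS5 UDP relay framing (RFC 1928 section 7), as an added illustration of the
encapsulation step described in the answer above. Layout of each relayed datagram:
    RSV(2) | FRAG(1) | ATYP(1) | DST.ADDR | DST.PORT(2) | DATA
Example code, not from any proxifier product; sample payloads are constructed.
"""
import ipaddress
import struct
from typing import Tuple

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def encode_address(host: str) -> bytes:
    """Return ATYP byte plus DST.ADDR for an IPv4, IPv6 or domain-name host."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")  # domain name: 1-byte length prefix
        if not 0 < len(name) < 256:
            raise ValueError("domain name must be 1..255 bytes")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    if ip.version == 4:
        return bytes([ATYP_IPV4]) + ip.packed
    return bytes([ATYP_IPV6]) + ip.packed


def encapsulate(dst_host: str, dst_port: int, payload: bytes) -> bytes:
    """Wrap an application datagram for the proxy's UDP relay port (FRAG = 0)."""
    if not 0 <= dst_port <= 0xFFFF:
        raise ValueError("port out of range")
    header = b"\x00\x00" + b"\x00" + encode_address(dst_host) + struct.pack("!H", dst_port)
    return header + payload


def decapsulate(frame: bytes) -> Tuple[str, int, bytes]:
    """Parse a datagram received from the relay; return (host, port, payload).

    Every length is checked before slicing, so a short or malformed frame raises
    ValueError rather than yielding a wrong (host, port). Fragmented frames
    (FRAG != 0) are rejected: RFC 1928 allows an implementation that does not
    reassemble to drop them, and dropping is the safe choice for a relay.
    """
    if len(frame) < 4:
        raise ValueError("frame shorter than fixed header")
    rsv, frag, atyp = frame[0:2], frame[2], frame[3]
    if rsv != b"\x00\x00":
        raise ValueError("RSV must be zero")
    if frag != 0:
        raise ValueError("fragmented datagrams not supported")
    pos = 4
    if atyp == ATYP_IPV4:
        end = pos + 4
        if len(frame) < end:
            raise ValueError("truncated IPv4 address")
        host = str(ipaddress.IPv4Address(frame[pos:end]))
    elif atyp == ATYP_IPV6:
        end = pos + 16
        if len(frame) < end:
            raise ValueError("truncated IPv6 address")
        host = str(ipaddress.IPv6Address(frame[pos:end]))
    elif atyp == ATYP_DOMAIN:
        if len(frame) < pos + 1:
            raise ValueError("missing domain length")
        length = frame[pos]
        pos += 1
        end = pos + length
        if length == 0 or len(frame) < end:
            raise ValueError("bad domain length")
        host = frame[pos:end].decode("idna")
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(frame) < end + 2:
        raise ValueError("truncated before DST.PORT")
    (port,) = struct.unpack("!H", frame[end:end + 2])
    return host, port, bytes(frame[end + 2:])


if __name__ == "__main__":
    # Constructed sample: a DNS-sized payload destined for 192.0.2.53:53.
    frame = encapsulate("192.0.2.53", 53, b"\x12\x34query")
    print(frame.hex(), decapsulate(frame))
```

The parser is the part a relay has to get right: the proxy cannot trust DST.ADDR lengths it receives from the network, and the reassembly feature the FRAG field enables is optional, so refusing fragments keeps the relay stateless per datagram while the idle timer on the control connection, as the answer notes, remains the only lifetime signal for the association.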
About the TCP-UDP-Proxy – WatchGuard Technologies
The TCP-UDP-proxy is a low precedence policy that allows all outbound TCP and UDP traffic from networks protected by your Firebox. If you remove the Outgoing policy, and do not want to add a separate policy for each type of traffic you want to allow out through your firewall, you can add the TCP-UDP-proxy. This policy only allows outbound TCP and UDP traffic, but it also monitors that traffic for HTTP, HTTPS, SIP, FTP, IMAP, POP3, and SMTP packets sent on non-standard ports. For the HTTP, HTTPS, SIP, FTP, IMAP, POP3, and SMTP protocols, the TCP-UDP proxy relays the traffic to the correct proxy for each protocol.
To add the TCP-UDP-proxy to your Firebox configuration, see Add a Proxy Policy to Your Configuration.
Configure the TCP-UDP-Proxy
These sections describe the TCP-UDP-Proxy configuration tabs in Fireware Web UI.
On the Settings tab, you can set basic information about a proxy policy, such as whether it allows or denies traffic, create access rules for a policy, or configure static NAT or server load balancing. The Settings tab also shows the port and protocol for the policy, as well as an optional description of the policy. You can use the settings on this tab to set logging, notification, automatic blocking, and timeout preferences.
Connections are — Specify whether connections are Allowed, Denied, or Denied (send reset) and define who appears in the From and To list (on the Policy tab of the proxy definition). See Set Access Rules for a Policy.
You can also configure static NAT or configure server load balancing. See Configure Static NAT (SNAT) and Configure Server Load Balancing.
To define the logging settings for the policy, configure the settings in the Logging section. For more information, see Set Logging and Notification Preferences.
If you set the Connections are drop-down list to Denied or Denied (send reset), you can block sites that try to use TCP-UDP. For more information, see Block Sites Temporarily with Policy Settings.
To change the idle timeout that is set by the Firebox or authentication server, see Set a Custom Idle Timeout.
On the SD-WAN tab, you can select to apply an SD-WAN action to the policy. You can also add a new SD-WAN action. For more information about SD-WAN routing, see About SD-WAN.
SD-WAN replaces policy-based routing in Fireware v12.3 or higher.
If Geolocation is enabled on your Firebox, on the Geolocation tab, you can select the Geolocation action for this proxy. You can also add a new Geolocation action. For more information about Geolocation, see Configure Geolocation.
To apply a Geolocation action in a policy:
Select the Geolocation tab.
From the Geolocation Control Action drop-down list, select a Geolocation action. To create a new Geolocation action, click Add.
The Geolocation tab is available in Fireware 12.3 or higher.
Application Control Tab
If Application Control is enabled on your Firebox, you can set the action this proxy uses for Application Control.
Select the Application Control tab.
From the Application Control Action drop-down list, select an application control action to use for this policy, or create a new action.
(Optional) Edit the Application Control settings for the selected action.
For more information, see Enable Application Control in a Policy.
Traffic Management Tab
On the Traffic Management tab, you can select the Traffic Management action for the policy. You can also create a new Traffic Management action. For more information about Traffic Management actions, see Define a Traffic Management Action in v11.8.x and Lower and Add a Traffic Management Action to a Policy.
To apply a Traffic Management action in a policy:
Select the Traffic Management tab.
From the Traffic Management Action drop-down list, select a Traffic Management action. To create a new Traffic Management action, select Create new and configure the settings as described in the topic Define a Traffic Management Action in v11.x and Lower.
Proxy Action Tab
You can choose a predefined proxy action or configure a user-defined proxy action for this proxy. For more information about how to configure proxy actions, see About Proxy Actions.
To configure the proxy action:
Select the Proxy Action tab.
From the Proxy Action drop-down list, select the proxy action to use for this policy. For information about proxy actions, see About Proxy Actions.
For the TCP-UDP-proxy, you can configure these categories of settings for a proxy action:
TCP-UDP-Proxy: General Settings
On the Scheduling tab, you can specify an operating schedule for the policy. You can select an existing schedule or create a new schedule.
Select the Scheduling tab.
From the Schedule Action drop-down list, select a schedule. To create a new schedule, select Create New and configure the settings as described in the topics Create Schedules for Firebox Actions and Set an Operating Schedule.
The Advanced tab includes settings for NAT, QoS, multi-WAN, and ICMP options.
To edit or add a comment to this proxy policy configuration, type the comment in the Comment text box.
For more information on the options for this tab, see:
Apply NAT Rules
Set the Sticky Connection Duration for a Policy
Set ICMP Error Handling
Set Connection Rate Limits
Enable QoS Marking and Prioritization in a Policy
These sections describe the TCP-UDP-Proxy configuration tabs in Policy Manager.
To set access rules and other options, select the Policy tab.
TCP-UDP-proxy connections are — Specify whether connections are Allowed, Denied, or Denied (send reset) and define who appears in the From and To list (on the Policy tab of the proxy definition). See Set Access Rules for a Policy.
Route outbound traffic using — See About SD-WAN.
Enable Application Control — Enable Application Control and select the Application Control action to use for this policy. For more information, see Enable Application Control in a Policy.
Enable Geolocation — Enable Geolocation and select the Geolocation action to use for this policy. For more information, see Configure Geolocation.
Enable IPS — Enable IPS for this policy. For more information, see Enable or Disable IPS for a Policy.
Proxy action — Select the proxy action to use for this policy. You can also edit the rulesets for proxy actions.
On the Properties tab, you can configure these options:
To edit or add a comment to this policy configuration, type the comment in the Comment text box.
To define the logging settings for the policy, click Logging. For more information, see Set Logging and Notification Preferences.
If you set the TCP-UDP-proxy connections are drop-down list (on the Policy tab) to Denied or Denied (send reset), you can block sites that try to use TCP-UDP. For more information, see Block Sites Temporarily with Policy Settings.
You can also configure these options in your proxy definition:
Set an Operating Schedule
Add a Traffic Management Action to a Policy
Apply NAT Rules (Both 1-to-1 NAT and dynamic NAT are enabled by default in all policies.)
Configure the Proxy Action
About Proxy Policies and ALGs
About the Outgoing Policy
Frequently Asked Questions about udp proxy
What is UDP proxy?
UDP proxy (UDPXY) allows you to watch open IPTV channels on a player that does not accept a multicast UDP stream. The IPTV channel requested by the player will be transmitted to it via an HTTP connection. This feature will be useful for watching IPTV on mobile devices, some smart TVs, and game consoles. (Sep 6, 2021)
Do proxies support UDP?
HTTP/FTP proxies do not support UDP at all (since HTTP/FTP are TCP-based protocols). (Jan 7, 2014)
Is proxy TCP or UDP?
The TCP-UDP-proxy is a low precedence policy that allows all outbound TCP and UDP traffic from networks protected by your Firebox. If you remove the Outgoing policy, and do not want to add a separate policy for each type of traffic you want to allow out through your firewall, you can add the TCP-UDP-proxy.