Subspace Proxy is a specialized, lightweight GUI application designed to isolate Linux applications within their own Network Namespaces.
It allows you to route specific processes (like Steam, Firefox, or terminal commands) through distinct proxy tunnels (SOCKS5, HTTP, Shadowsocks, etc.) without affecting your system-wide network configuration.
- Network Isolation: Uses Linux Namespaces (
ip netns) to sandbox applications networking. - Protocols: Connect via SOCKS5, SOCKS4, HTTP, Shadowsocks, and Relay. (More coming soon)
- Desktop Integration: Automatically injects PulseAudio, PipeWire, Wayland, X11, and D-Bus environment variables, ensuring GUI applications work with sound and video.
- Diagnostics: Built-in tools to Ping the target server and check Port status before launching.
- Smart Management: Automatically handles virtual interfaces (
veth,tun), routing tables, and cleanup.
Imagine you computer as a house:
- Namespace Creation: The app creates a new Network Namespace (seperate network stack).
Like creating a new room in your house.
- Bridging: It links the namespace to your host system using a Veth (Virtual Ethernet) pair.
A door to connect your house and your room.
- Proxying: Inside the namespace, traffic is routed to a TUN interface. The tun2socks utility captures traffic from the TUN interface and forwards it to your specified proxy server.
Imagine a conveyor belt (TUN) leading to a packaging machine (Tun2Socks). Every "letter" is re-addressed in a new package before it leaves.
- Launching: When you run a command, the app injects your current user's desktop environment (X11/Wayland/Audio) into the namespace so the app behaves normally, but its traffic is forced through the tunnel.
Now when an app in run in the room, all of its mail (Network Packets) is sent through the packaging machine and out the door, and once the recipient (Remote Server) opens the package and mails the real letter, its response can come back to the house.
Before using the app, ensure your kernal supports namespace, veth, and tun/tap. As well as having fully functioning iproute2, iputils, and bash packages.
- Click + New to create a profile.
- Enter your Proxy Name (cosmetic), IP, Port, and Protocol.
- (Optional) Configure authentication, such as user/protocol, password, and other specifics in the advanced settings.
- Save the profile.
- Test Connection: Use the
PingandPortbuttons to double check the connection that is about to be made. - Setup Environment: Click the Setup button. This creates the namespace and virtual interfaces.
- Enter Command: In the top command bar, type the application you want to run:
firefoxsteamcurl ifconfig.me
- Run: Click the Run button to launch the command in the active namespace whose button was clicked. You can re-enter the command and run multiple times in the same namespace!
When finished, click Clean. This destroys the namespace, deletes the virtual interfaces, and kills all processes within. Closing the app will not clean up automatically, the namespace and processes are independant of the app and will continue running.
- Root Privileges: This application requires
sudopermissions to create namespaces and modify network interfaces. - Non-Interactive: Commands are launched non-interactively. You cannot run interactive shells like
bash,zsh, orfishthat require TTY input. - System Modifications: While running, the app enables global IP forwarding (
sysctl -w net.ipv4.ip_forward=1). - Container Conflicts: May misbehave if run inside Docker or other sandboxed environments due to nested namespace restrictions.
This project is built using Tauri, Vue 3, Vite, and Tun2Socks.
- Linux (Kernel with namespace, veth, and tun/tap support)
- Node.js & npm
- Rust & Cargo
tun2socksiproute2iputilsbashsudo
# 1. Install dependencies
npm install
# 2. Run in development mode
npm run tauri devThis project is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0). See the LICENSE file for details.