If you browse the web, run reconnaissance, or test network defenses, your IP address is your calling card. One slip and your location, ISP, and identity are logged. For privacy-conscious users and ethical hackers, that’s a risk you can’t afford. ProxyChains lets you route your traffic through multiple proxies in a chain. Each hop peels away a layer of your digital footprint. By the end, your real IP is buried under several layers of anonymous relays. This guide walks through a complete proxychains setup so you can stay hidden during penetration tests or sensitive research.
ProxyChains forces any TCP application through a chain of proxies, masking your real IP. You will learn installation, configuration of chain types (dynamic, strict, random), adding proxies from sources like SOCKS5 or HTTP, testing for leaks, and common pitfalls. Master this tool and your digital footprint vanishes behind multiple hops.
What Is ProxyChains and Why Use a Proxy Chain?
ProxyChains is a Unix tool that hijacks network connections from command-line applications and reroutes them through a list of proxy servers. Instead of relying on a single proxy, you can chain several together. Each proxy in the chain sees only the previous hop and the next hop. Your final destination sees only the last proxy’s IP.
Think of it like a relay race. Your data passes from proxy to proxy. Each runner only knows who handed them the baton and who they pass it to. No single node knows the full path. This makes tracing back to you extremely difficult.
Penetration testers use proxychains to hide their scanning IP when probing targets. Privacy enthusiasts use it to prevent tracking while using tools like curl, wget, or nmap. It’s a core tool in any anonymity arsenal.
Installing ProxyChains on Your System
Most Linux distributions include proxychains in their repositories. In 2026, the latest stable version is 4.17, but version numbers vary by distro. Installation is straightforward.
On Debian, Ubuntu, or Kali Linux
Open a terminal and run:
sudo apt update
sudo apt install proxychains4
On older systems you might see proxychains without the 4. The proxychains4 package is the actively maintained fork (known as proxychains-ng). Always install that version.
On Arch Linux
sudo pacman -S proxychains-ng
On Fedora or CentOS
sudo dnf install proxychains-ng
After installation, verify it works:
proxychains4 -h
You should see usage information. If you get a “command not found” error, double-check the package name.
Configuring ProxyChains: The Essentials
The configuration file lives at /etc/proxychains4.conf. You need root or sudo to edit it. Open it with your favorite text editor:
sudo nano /etc/proxychains4.conf
The file is well-commented. Focus on three sections: the chain type, the proxy list, and the DNS settings.
Proxy Chain Types
ProxyChains offers four chain types. Your choice affects anonymity, speed, and reliability.
| Chain Type | Behavior | Best Use Case |
|---|---|---|
dynamic_chain |
Tries proxies in order; skips dead ones; uses as many as available | General anonymity with fault tolerance |
strict_chain |
Must use all proxies in order; fails if one is down | Maximum anonymity when every hop is required |
random_chain |
Picks a random number of proxies from the list each time | Harder to predict traffic pattern |
round_robin_chains |
Cycles through proxies one by one in order | Load balancing across multiple proxies |
For most users, dynamic_chain provides the best balance. It keeps you chained through multiple proxies but doesn’t break if one server goes offline.
Adding Proxy Servers
Scroll down to [ProxyList]. By default, you’ll see a sample socks4 127.0.0.1 9050 line. Replace it with your own proxies. Each line uses this format:
type IP_address port [user pass]
Supported types are http, socks4, socks5. If your proxy requires authentication, add the username and password after the port.
Example of a realistic chain:
# Proxy 1 - a SOCKS5 proxy from a paid service
socks5 192.168.1.50 1080
# Proxy 2 - a free HTTP proxy (less reliable)
http 203.0.113.45 3128
# Proxy 3 - Tor SOCKS proxy (requires Tor running)
socks5 127.0.0.1 9050
You can add as many proxies as you want. The more you add, the slower the connection becomes. A chain of three is a good starting point.
DNS Settings
ProxyChains can leak DNS requests if not configured correctly. In the config file, find the line proxy_dns. Uncomment it and set it to on. This forces all DNS resolutions through the proxy chain rather than your local resolver.
Step-by-Step ProxyChain Setup
Follow these steps to get a working chain in under ten minutes.
-
Install ProxyChains using the package manager for your distribution (see above).
-
Edit the configuration file as root. Uncomment the line that says
dynamic_chainand comment outstrict_chainif it’s active. Setproxy_dns = on. -
Add your proxy servers under
[ProxyList]. Use at least two different types (e.g., SOCKS5 and HTTP) for diversity. If you use Tor, make sure Tor is running on port 9050. -
Save the file and exit the editor.
-
Test the chain with a simple command that shows your external IP:
proxychains4 curl -s ifconfig.me
If it returns an IP that matches the last proxy in your list (or a different one if using dynamic chain), it’s working. Run it multiple times to see if the IP changes with random chain.
- Verify DNS leak by using a DNS leak test site. For example:
proxychains4 curl -s https://dnsleaktest.com
Scroll through the output to see which DNS servers are reported. They should be the proxies’ DNS, not yours.
Common Mistakes and How to Fix Them
Even experienced users trip up on these issues. Check this list if your chain isn’t working.
- Proxy server is down or unreachable – Test each proxy individually with
curl -x <type>://<ip>:<port> ifconfig.me. Remove dead proxies from the list. - Wrong chain type selected – If you use strict_chain, one dead proxy breaks everything. Switch to dynamic_chain during testing.
- ProxyChains not running as root – Some tools (like nmap) require root privileges to bind to raw sockets. Run your command with
sudoif needed. - DNS leaks – Forgot to enable
proxy_dns. Double-check the config file. Also consider using a VPN underneath for an extra layer. - Application not compatible – ProxyChains only works with TCP protocols. UDP applications like DNS (if not forced through chain) or VoIP will bypass it.
- Tor not running – If you chain through Tor’s SOCKS proxy, ensure Tor service is active:
sudo systemctl start tor.
Expert advice: “Always test your chain with a tool that shows both your public IP and DNS server. One leak can undo an entire setup. I use
proxychains4 curl -s https://ipinfo.iofor IP and then pipe the output to check theorgfield. If it shows your ISP, your chain is broken.” – Anonymous security researcher
Testing Your Proxy Chain for Anonymity
A working chain doesn’t guarantee anonymity. You must validate.
Use these checks:
- IP leak test – Visit
ifconfig.meoripinfo.iothrough proxychains. The IP should not be yours. - DNS leak test – Use
dnsleaktest.comoripleak.net. Ensure the DNS servers shown belong to your proxy providers. - WebRTC leak – WebRTC can reveal your real IP even behind a proxy. Disable it in your browser, but since proxychains works on command-line tools, this is less of a concern.
- Time zone and location – Some sites use time zone or browser language to fingerprint you. For CLI tools, this is minimal, but be aware.
For penetration testing, also check that your tools (nmap, sqlmap, etc.) are actually using the chain. Run proxychains4 nmap -sT -Pn target.com and watch the output for “Connecting to proxy” messages.
Advanced Tips for Maximum Privacy
Once you have a basic chain working, you can strengthen your setup.
Combine ProxyChains with a VPN
A VPN encrypts all traffic from your machine to a VPN server. ProxyChains then routes from that server through the proxy chain. This adds encryption on top of obfuscation. The VPN provider sees only that you’re connecting to proxies; the proxies see the VPN’s IP; the target sees the last proxy’s IP.
Rotate Proxies Automatically
Use random_chain mode with a large proxy list (20 or more). Scripts can refresh the list periodically. For example, you can write a cron job that fetches fresh proxies from a reliable source and updates the config file.
Use ProxyChains with Tor
Tor provides strong anonymity, but it’s slow. Chain a faster SOCKS5 proxy before Tor. The first hop hides your IP from the Tor network, and Tor hides the final destination from the first proxy. This is called a “proxy bridge.”
Filter Out Bad Proxies
Not all free proxies are safe. Some log traffic, inject ads, or are run by malicious actors. Stick with verified sources: paid proxy services (like WinProxy), or your own self-hosted proxies. If you need a list, validate each one before adding.
Common Configuration Pitfalls
Avoid these errors to keep your chain stable.
- Mixing types incorrectly – You can chain HTTP and SOCKS proxies, but some applications (like nmap) only work with SOCKS. Use SOCKS5 for reliability.
- Too many proxies – Each hop adds latency. More than five usually becomes unusable for interactive work. Stick to three or four.
- Using the same proxy type from the same provider – If all proxies come from one company, they might share infrastructure and could be compromised together. Diversify sources.
- Forgetting to restart services – After editing the config, you don’t need to restart anything, but if you changed DNS settings, clear your local DNS cache:
sudo systemd-resolve --flush-caches.
Strengthening Your Overall Security Posture
ProxyChains is a powerful tool, but it’s not a silver bullet. For complete anonymity in 2026, pair it with other tools. Use a privacy-focused browser for web surfing, a VPN for bulk traffic, and encrypted messaging for communication. Regularly update your proxy list and monitor for leaks.
If you are setting up proxy servers for an enterprise or team, consider reading our guide on optimizing proxy server performance for enterprise networks. For choosing the right proxies, see our comparison of SOCKS5 vs HTTP proxies: which one should you use for secure browsing. And if you want to go beyond chaining, our guide on implementing advanced proxy server configurations for optimal privacy covers multi-layered setups.
Putting Your Proxy Chain to Work
Now it’s your turn. Open a terminal, install ProxyChains, and set up a chain of three proxies. Test it with curl, then run a simple port scan with nmap to confirm it’s working. Remember to check for DNS leaks and IP leaks after every config change. The more you practice, the more natural it becomes.
Your privacy isn’t a one-time fix. It’s a habit. And with ProxyChains, you have a reliable way to keep your digital footprint hidden every time you run sensitive tools. Start building your chain today.