Set Up a SOCKS Proxy via Azure Blob Storage in Restricted Networks

Have you ever been in an environment where direct network access is blocked, but cloud services like Azure Blob Storage are still reachable? What if I told you that you could tunnel your internet traffic through those blob storage endpoints? That’s exactly what ProxyBlob does.

In this post, I’ll walk you through what ProxyBlob is, how it works, how to set it up, and how you can use it to build a SOCKS proxy in restricted environments using Azure Blob Storage.

Prefer watching instead of reading? Here’s a quick video guide

https://youtu.be/Yf4-S5kpm_0?embedable=true

What Is ProxyBlob?

ProxyBlob is an open-source tool developed by Quarkslab that lets you create a SOCKS5 proxy tunnel through Azure Blob Storage.

• It helps your apps connect to the internet indirectly, by routing your traffic through Azure’s blob storage service.
• It’s ideal for situations where *.blob.core.windows.net is allowed, but other outbound traffic is blocked (e.g., in corporate or monitored networks).

Components of ProxyBlob

ProxyBlob has two main parts:

• Proxy Server – This runs on your machine and offers a SOCKS5 proxy interface.
• Agent – This runs inside the restricted target network and communicates with the proxy using Azure Blob Storage.

These two talk to each other by sending and receiving data via blobs.

Features of ProxyBlob

• SOCKS5 protocol support (TCP + UDP)
• Works entirely via Azure Blob Storage
• CLI with interactive commands
• Can manage multiple agents
• Easy to test locally using Azurite (Azure emulator)

Prerequisites

Before diving into setup, make sure you have:

• Go 1.23+ installed
• An Azure account
• Access to create Azure Storage Accounts
• Optionally, Docker or VS Code if testing with Azurite

Setting Up ProxyBlob

Let’s break this into simple steps:

Create an Azure Storage Account

You need a Premium Block Blob Storage Account. Here’s how you can do it via the Azure Portal:

• Go to https://portal.azure.com
• Search for “Storage accounts” and click ”+ Create”
• Fill in the form:
  • Name: your-storage-name
  • Region: Close to you
  • Performance: Premium
  • Redundancy: LRS
  • Account kind: BlockBlobStorage

Once created, go to Security + networking > Access keys to get your storage credentials.

Or use the Azure CLI:

az login
az group create --name proxyblob-rg --location "Central US"
az storage account create \
  --name myproxyblob \
  --resource-group proxyblob-rg \
  --location "Central US" \
  --sku "Premium_LRS" \
  --kind BlockBlobStorage
az storage account keys list --account-name myproxyblob --output table

Local Testing with Azurite

If you just want to test locally:

With VS Code extension:

• Install the Azurite extension
• Start the Blob Service

With Docker:

docker pull mcr.microsoft.com/azure-storage/azurite
docker run -p 10000:10000 mcr.microsoft.com/azure-storage/azurite

Default creds:

• Account: devstoreaccount1
• Key: (Long key provided in README)

Clone and Build ProxyBlob

git clone https://github.com/quarkslab/proxyblob
cd proxyblob
make

This builds two binaries:

• proxy – for your local machine
• agent – for the restricted network

Configuration

Create a config file like this:

{
  "storage_url": "http://localhost:10000/",  // remove if using real Azure
  "storage_account_name": "your-storage-name",
  "storage_account_key": "your-key"
}

Save it as config.json or my-config.json.

Running ProxyBlob

Start the Proxy Server

./proxy -c my-config.json

This launches an interactive CLI.

Key commands:

• create – generates a new agent container and a connection string
• list – shows agent status
• select – selects agent
• start – starts the proxy listener (default port: 1080)

Example:

proxyblob » create
proxyblob » list
proxyblob » select <container-id>
proxyblob » start

Start the Agent

You have two ways to pass the connection string:

Via CLI:

./agent -c <generated-connection-string>

Or embed at build time:

make agent TOKEN=<generated-connection-string>
./agent

How It Works (Architecture)

Here’s a simplified explanation of the workflow:

• Proxy writes requests as blobs into Azure storage
• Agent polls the blobs, reads the request, and processes it
• Agent writes back the response into a separate blob
• Proxy reads the response and forwards it to the client app

This creates a loop that emulates a direct SOCKS5 tunnel — but completely through blob storage.

You can now use tools like proxychains:

proxychains curl http://example.com
proxychains xfreerdp /v:myhost /u:user

Troubleshooting Tips

Check the exit code:

echo $?

Common Fixes:

• Check Azure credentials
• Verify storage account accessibility
• Look for firewall issues
• Ensure correct connection string

What’s Coming Next?

According to the README, future improvements may include:

• Support for the BIND SOCKS command
• Better error handling
• Speed optimizations

Final Thoughts

ProxyBlob is a powerful example of protocol tunneling using cloud services. It’s especially useful for red teamers, pentesters, and defenders to understand the potential abuse of cloud storage services.

If you’re serious about network security, covert channels, or cloud abuse scenarios, I highly recommend experimenting with ProxyBlob — just make sure to use it ethically and responsibly.