
security/xproxy: add new plugin #5357

Draft
dasunNimantha wants to merge 1 commit into opnsense:master from dasunNimantha:security/xproxy

Conversation

dasunNimantha commented Apr 1, 2026

Important notices
Before you submit a pull request, we ask you kindly to acknowledge the following:

If AI was used, please disclose:

  • Model used: Claude 4.6 Opus High (Anthropic)
  • Extent of AI involvement: AI assisted with code generation, architecture decisions, and review throughout development. All code was tested and verified on a live OPNsense 25.x installation.

Related issue
#5347

Describe the problem
There is currently no OPNsense plugin for Xray-core integration. Users who want to route LAN traffic through a VLESS, VMess, Shadowsocks, or Trojan tunnel must manually configure xray from the command line, create TUN interfaces, set up gateways, and write firewall rules.

Describe the proposed solution
New plugin: security/xproxy — Xray-core proxy client with transparent LAN routing.

When enabled, all LAN traffic is routed through a proxy tunnel without requiring any configuration on individual devices — phones, IoT, smart TVs, and guest devices are covered automatically.

Architecture

  • xray-core — multi-protocol proxy runtime providing local SOCKS5/HTTP endpoints
  • hev-socks5-tunnel — lightweight C-based TUN bridge (~6 MB RSS) that connects the SOCKS5 endpoint to a virtual network interface
  • Policy-based routing — OPNsense gateway + firewall rules route selected LAN traffic through the TUN interface

Features

  • Transparent proxying via TUN interface — no per-device configuration needed
  • VLESS (with XTLS-Vision / Reality), VMess, Shadowsocks, and Trojan protocols
  • Import server profiles from standard proxy URIs (vless://, vmess://, ss://, trojan://)
  • Policy-based routing with dynamic firewall rules — rules are only active while the service is running
  • Multiple server profiles with quick switching and auto-select on add/import/delete
  • Bypass list for local/same-subnet traffic (Samba, NFS, printers)
  • Service log viewer with auto-refresh
  • Web UI under VPN › Xproxy with tabs for General, Servers, Import, and Log

Hardening

  • Process lifecycle: file locking, PID verification, orphan cleanup, crash recovery
  • Go runtime tuning for xray-core (GOGC=100, GOMEMLIMIT=512MiB)
  • Optimised xray config: sniffing with routeOnly, connection policy tuning, DNS caching, TCP Fast Open
  • Persistent TCP buffer tuning via sysctl.d/xproxy.conf
  • setup.sh with retry logic, version tracking, binary validation, and atomic downloads
  • Log rotation to prevent unbounded growth

Testing

Tested on OPNsense 25.x (FreeBSD 14, amd64) with VLESS+XTLS-Vision+Reality tunnels to Oracle Cloud and Digital Ocean. Sustained 300+ Mbps download, 100+ Mbps upload. Memory stable after extended operation (xray ~43 MB RSS, hev-socks5-tunnel ~6 MB RSS).
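
The URI import feature listed above, as an added example that is not part of the PR: a validating parser for vless:// and ss:// (SIP002) profile links, written in Python as an OPNsense backend script would be, which rejects malformed hosts, ports, UUIDs and Reality parameters before anything is rendered into an xray config. The sample URIs, hosts, UUID and Reality public key are constructed placeholders, and the allow-lists for security, flow and Shadowsocks method values are my assumptions, not the plugin's.

```python
import base64
import ipaddress
import re
import uuid
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample URIs (placeholder UUID, hosts and Reality public key; not from the PR).
SAMPLE_VLESS = ("vless://123e4567-e89b-12d3-a456-426614174000@203.0.113.10:443"
                "?security=reality&sni=cdn.example.com&flow=xtls-rprx-vision&pbk=PLACEHOLDER_PUBKEY#oracle")
SAMPLE_SS = ("ss://" + base64.urlsafe_b64encode(b"chacha20-ietf-poly1305:pw").decode().rstrip("=")
             + "@ss.example.net:8388#lab")
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^(?=.{{1,253}}$){LABEL}(\.{LABEL})*$")
# Assumed allow-list of ciphers the importer accepts (hypothetical policy, not the plugin's).
SS_METHODS = {"aes-128-gcm", "aes-256-gcm", "chacha20-ietf-poly1305", "2022-blake3-aes-256-gcm"}


def parse_proxy_uri(uri):
    """Validate a vless:// or ss:// (SIP002) URI and return a profile dict for the xray
    outbound; anything malformed raises ValueError instead of reaching the config."""
    p = urlsplit(uri)
    proto = p.scheme.lower()
    if proto not in ("vless", "ss"):
        raise ValueError(f"unsupported scheme {p.scheme!r}")
    host, port = p.hostname, p.port  # .port itself raises ValueError on a non-numeric port
    if not host or port is None or not 1 <= port <= 65535:
        raise ValueError("valid host and port 1-65535 are required")
    try:
        ipaddress.ip_address(host)  # a literal IPv4/IPv6 address is accepted as-is
    except ValueError:
        if not HOST_RE.match(host):  # otherwise require a syntactically valid DNS name
            raise ValueError(f"invalid host {host!r}")
    q = {k: v[0] for k, v in parse_qs(p.query).items()}  # first value of each parameter
    prof = {"protocol": proto, "host": host, "port": port, "name": unquote(p.fragment) or host}
    if proto == "vless":
        prof["id"] = str(uuid.UUID(p.username or ""))  # ValueError on a malformed UUID
        prof["security"], prof["flow"] = q.get("security", "none"), q.get("flow")
        if prof["security"] not in ("none", "tls", "reality") or prof["flow"] not in (None, "xtls-rprx-vision"):
            raise ValueError("security or flow value not permitted")
        prof["sni"], prof["pbk"] = q.get("sni"), q.get("pbk")
        if prof["security"] == "reality" and not (prof["sni"] and prof["pbk"]):
            raise ValueError("security=reality requires both sni and pbk")
    else:  # SIP002: userinfo is URL-safe base64 of "method:password" without padding
        raw = p.username or ""
        method, _, password = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)).decode().partition(":")
        if method not in SS_METHODS or not password:
            raise ValueError("shadowsocks userinfo must be <known method>:<password>")
        prof["method"], prof["password"] = method, password
    return prof
```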

dasunNimantha marked this pull request as ready for review April 1, 2026 05:02
dasunNimantha marked this pull request as draft April 1, 2026 05:09
Monviech (Member) commented Apr 1, 2026

We do have a template for PRs, please do not delete it. If you are using AI please tell your agent to not delete it. There are no downsides here, it just helps with triage.

dasunNimantha (Author) commented, quoting the comment above:
We do have a template for PRs, please do not delete it. If you are using AI please tell your agent to not delete it. There are no downsides here, it just helps with triage.

oops, I've updated the PR description to include all the required fields. Thanks for the heads up.

dasunNimantha force-pushed the security/xproxy branch 4 times, most recently from c4c5834 to 0bebdf9 on April 2, 2026 13:47
Xray-core proxy client with transparent LAN routing via
hev-socks5-tunnel TUN interface.

Supports VLESS (with XTLS-Vision / Reality), VMess, Shadowsocks,
and Trojan protocols with URI import and policy-based routing.

Closes opnsense#5347