Funnel traffic from local devices through a remote proxy server

Hi Everyone,

Does anyone know how to set up OpenWrt or a similar Linux router to funnel traffic from connected local devices (e.g., local phone, IoT devices, etc.) through a remote proxy server that requires a username and password to connect? The problem is, IoT devices don't have a GUI like the following for an iOS phone: https://www.howtogeek.com/293676/how-to-configure-a-proxy-server-on-an-iphone-or-ipad/, but I would like to reroute the traffic through that proxy server. Is there any way to facilitate this need on OpenWrt or routers in general? Thanks so much in advance.

Don't think one exists...

back in the day there was a cool smoothwall plugin that did this with 3 clicks...

these days things are a little more complicated...

Isn't Server Name Indication (SNI), i.e. the name of the https server you connect to, still almost always unencrypted? Which means it can be used by a transparent proxy.

Squid may support it. The Goproxy library can also be used to program one.


yeah, that sort of rings a bell... I think that's how the smoothwall one worked...

i.e. runs a squid instance and redirects all traffic to itself

edit: actually now that I think about it... it was a setting in the squid plugin... ( for upstream traffic )... which is then set to transparent...

Squid is, most of all, an HTTP(S) proxy only. In case this is good enough, transparent (intercepting) proxying of all HTTP(S) can be done on OpenWrt, assuming it is not a low-end device.


Thanks everyone. So that we are on the same page. Do you all mean the following?

IoT device <-> OpenWrt (running squid proxy) <-> remote proxy <-> destination endpoint

If this is the case, the remote proxy requires a username and a password. Can we set them up on the squid proxy?

Squid does not support transparent/intercept proxying combined with plain auth to the upstream (parent) proxy. However, this might be my outdated info. Best is, you go to Squid's mailing list and ask there specifically. They are very helpful.
BTW: I see what you are looking at. Not a bad idea.

If you host your own DNS you could set it up so all (or some) DNS requests resolve to the IP of the proxy, then run sniproxy on that host, instead of a regular proxy.

Are you sure sniproxy can handle basic proxy auth for the upstream proxy? AFAIK, this is accomplished by using HTTP header info, which is not available to sniproxy.

It doesn't, it's not a regular proxy, per se, but it proxies traffic ;)

If you need it to act as a regular proxy, then it's not for you; technically, the clients aren't aware of its existence.

I use it for bypassing geolocked sites in US.
All sites requiring this, I've mapped to the IP of the sniproxy, and they all work flawlessly.
The client doesn't know it's being proxied.

If you want to test the one I've set up, send me a PM.

Hi everyone, thanks for the great insights. So, I think at this point I found out that we can bypass the username and password. So, the remote proxy becomes something that can be used without any username and password. This already works with a smartphone (I set up the proxy address and port and it worked).

Basically this is the setup in mind:

IoT device <-> RaspberryPi router <-> remote proxy

Any thoughts about the firewall rules we need to set up on the router? Maybe iptables? I was googling but couldn't really find anything really useful if we simply want to redirect our traffic or just funnel it through the remote proxy.
Any insights are much appreciated.

Then you used an "Explicit Proxy" on your phone. This works very differently from a "Transparent/intercepting Proxy", which, as I understand, is what you really want. I suggest you do some learning in this respect, which is not OpenWrt specific, BTW. Anyway, getting rid of password protection on the upstream proxy makes possible what you are asking for. But still, it is a steep learning curve. Google "squid proxy intercept" and you will find a lot of information. Info from the Squid wiki is to be preferred, because it should be the most recent. Or Google "sniproxy intercept".

Thank you so much @reinerotto. Really appreciate your insights. 🙂