Hi, I am trying to configure a proxy server on my OpenWrt device which sends traffic out via the WAN port and not via the default VPN connection.
For this I try to add a firewall mark to the packets which come in via the proxy server (privoxy).
I guess the routing should work and the problem is that no fw-marks are added to the packets which come in for the proxy, but I don't know how to test this. Here is my config:
ip -4 ru
0: from all lookup local
9999: from all fwmark 0x2 lookup 1
10000: from 192.168.178.40 lookup 1
20000: from all to 192.168.178.40/24 lookup 1
32766: from all lookup main
32767: from all lookup default
90003: from all iif lo lookup 1
ip route show table 1
default via 192.168.178.1 dev eth1 src 192.168.178.40
192.168.178.0/24 dev eth1 scope link
192.168.178.1 is the Fritzbox from my ISP.
This looks good to me, but it does not work: if I configure the proxy and check my IP address, it shows that I come from my VPN provider.
I try to add the firewall mark to the proxy packets with this rule in /etc/config/firewall:
config rule
option name 'Privoxy FW-Mark'
option family 'ipv4'
list proto 'tcp'
option src '*'
option dest_port '8118'
option target 'MARK'
option set_mark '0x2'
This rule also looks okay to me, but as I wrote, I don't know how to check if the mark is added to the packets which come in over the proxy port.
Can anyone tell me what the problem is here and how to fix it?
I just want to run a proxy server on my OpenWrt device which bypasses my default 'all goes out via VPN' rule and instead sends the packets out over my WAN interface.
No, it's not, but I'll try to explain in more detail.
My Fritzbox is just an ordinary router I got from my ISP; it is connected on the WAN port to my OpenWrt device, I guess we can ignore it.
My OpenWrt device sends all packets over a WireGuard VPN to the internet:
root@openwrt:~# ip r
default dev mv_zurich scope link
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.2.0/24 dev br-wifi scope link src 192.168.2.1
192.168.3.0/24 dev phy0-ap1 scope link src 192.168.3.1
193.32.127.70 via 192.168.178.1 dev eth1
What I want to achieve is relatively simple: run a proxy server on my OpenWrt device like privoxy, tinyproxy or squid, to bypass my default WireGuard route and send all packets which come in to the proxy over my WAN interface:
proxy -> wan -> internet
For this I want to add a mark on all packets which come in via the proxy, so I can simply use my routing rule from all fwmark 0x2 lookup 1; this should send the packets out over the WAN interface instead of the default VPN route.
Okay, I dug around a bit and found a workaround for my needs, but I guess there is a better way to do it.
First I create a user for tinyproxy: useradd --no-create-home --no-user-group --home-dir /var --shell /bin/false tinyproxy
and configure tinyproxy to run as this user.
Next I create a routing lookup for my mark: ip rule add fwmark 2 table 1
Problem: now I try to load an nft file on boot
root@openwrt:~# cat /etc/nftables.d/20-wan-proxy.nft
chain mangle_output {
type route hook output priority mangle; policy accept;
ip addr != 192.168.1.0/24 meta skuid tinyproxy meta mark set 0x00000002
}
but this does not work: if I reboot my router, my whole ruleset is not loaded, e.g. nft list ruleset returns nothing.
My workaround is:
root@openwrt:~# cat /etc/proxy-test.nft
table inet fw4 {
chain mangle_output {
type route hook output priority mangle; policy accept;
ip daddr != 192.168.1.0/24 meta skuid tinyproxy meta mark set 0x00000002
}
}
If I now load this with nft -f /etc/proxy-test.nft
I can see my rule is added to my ruleset and my bypass is working.
Is there a better, more "openwrt like" way to achieve this?
root@openwrt:~# cat /etc/nftables.d/20-wan-proxy.nft
chain mangle_output {
type route hook output priority mangle; policy accept;
ip daddr != 192.168.1.0/24 meta skuid squid meta mark set 0x00000002
}
As an extra note, I replaced tinyproxy with squid, which performs better.
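The first post asks how to check that the mark is actually applied, and the later posts show the pieces that have to line up for the bypass: an ip rule for the fwmark that sits above main, a policy table whose default route leaves via the WAN device, and an nft rule in a `type route hook output` chain that sets the mark only for the proxy's uid. The script below is an added example, not code from the thread or from OpenWrt; it audits those three pieces from the text printed by `ip -4 rule`, `ip route show table N` and `nft list chain inet fw4 mangle_output`. It assumes the mark rule carries a `counter` statement (the thread's rule has none; adding `counter` before `meta mark set` is what lets you see whether the rule ever matches), and the sample outputs embedded below are constructed from the thread's values, including one deliberately broken variant.

```python
"""Audit a fwmark-based VPN bypass for a local proxy (added example).

Feeds text in the format of `ip -4 rule`, `ip route show table N` and
`nft list chain inet fw4 mangle_output` into a few checks and returns a
list of (code, message) findings; an empty list means the marking path
looks complete and has been hit at least once.
"""
import re

# constructed from the thread's values: working setup
SAMPLE_IP_RULE = """\
0:\tfrom all lookup local
9999:\tfrom all fwmark 0x2 lookup 1
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
SAMPLE_TABLE_1 = """\
default via 192.168.178.1 dev eth1 src 192.168.178.40
192.168.178.0/24 dev eth1 scope link
"""
# constructed: the thread's rule with a `counter` added, as nft would print it
SAMPLE_NFT_CHAIN = """\
table inet fw4 {
\tchain mangle_output {
\t\ttype route hook output priority mangle; policy accept;
\t\tip daddr != 192.168.1.0/24 meta skuid "squid" counter packets 42 bytes 6120 meta mark set 0x00000002
\t}
}
"""
# constructed broken variant: fwmark rule below main, no counter, wrong hook
BROKEN_IP_RULE = "0:\tfrom all lookup local\n32766:\tfrom all lookup main\n40000:\tfrom all fwmark 0x2 lookup 1\n"
BROKEN_NFT_CHAIN = """\
table inet fw4 {
\tchain mangle_prerouting {
\t\ttype filter hook prerouting priority mangle; policy accept;
\t\tmeta skuid "squid" meta mark set 0x00000002
\t}
}
"""


def parse_ip_rules(text):
    """Return [(priority, selector-text)] from `ip rule` output."""
    out = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+):\s+(.*)", line)
        if m:
            out.append((int(m.group(1)), m.group(2).strip()))
    return out


def fwmark_rule(rules, mark):
    """Priority and table of the rule matching `fwmark <mark>`, or None."""
    pat = re.compile(r"\bfwmark %s(?:/\S+)? lookup (\S+)" % hex(mark))
    for prio, body in rules:
        m = pat.search(body)
        if m:
            return prio, m.group(1)
    return None


def main_rule_priority(rules):
    for prio, body in rules:
        if body == "from all lookup main":
            return prio
    return None


def default_route_dev(table_text):
    """Device of the `default via ...` route in the policy table, or None."""
    for line in table_text.splitlines():
        m = re.match(r"default via \S+ dev (\S+)", line)
        if m:
            return m.group(1)
    return None


def mark_rule_info(nft_text, mark):
    """Hook/type of the chain and skuid/counter of the rule that sets `mark`."""
    info = {"hook": None, "type": None, "skuid": None, "packets": None, "found": False}
    for line in nft_text.splitlines():
        m = re.search(r"type (\w+) hook (\w+)", line)
        if m:
            info["type"], info["hook"] = m.group(1), m.group(2)
        m = re.search(r"meta mark set (0x[0-9a-fA-F]+)", line)
        if m and int(m.group(1), 16) == mark:
            info["found"] = True
            u = re.search(r'meta skuid "?([\w-]+)"?', line)
            c = re.search(r"counter packets (\d+)", line)
            info["skuid"] = u.group(1) if u else None
            info["packets"] = int(c.group(1)) if c else None
    return info


def audit(ip_rule_text, table_text, nft_text, mark=2, proxy_user="squid", vpn_dev="mv_zurich"):
    findings = []
    rules = parse_ip_rules(ip_rule_text)
    fm, main_prio = fwmark_rule(rules, mark), main_rule_priority(rules)
    if fm is None:
        findings.append(("no-fwmark-rule", "no ip rule selects a table for fwmark %s" % hex(mark)))
    elif main_prio is not None and fm[0] > main_prio:
        findings.append(("fwmark-below-main", "fwmark rule prio %d is below main prio %d, so main's VPN default wins" % (fm[0], main_prio)))
    dev = default_route_dev(table_text)
    if dev is None:
        findings.append(("no-default-route", "policy table has no default route"))
    elif dev == vpn_dev:
        findings.append(("default-via-vpn", "policy table's default route still leaves via %s" % vpn_dev))
    info = mark_rule_info(nft_text, mark)
    if not info["found"]:
        findings.append(("no-mark-rule", "no nft rule sets mark %s" % hex(mark)))
    else:
        if info["hook"] != "output" or info["type"] != "route":
            findings.append(("wrong-hook", "mark rule must live in a `type route hook output` chain: the proxy's packets are locally generated and only a route-type output chain re-routes them after marking"))
        if info["skuid"] != proxy_user:
            findings.append(("not-user-restricted", "mark rule is not limited to uid %s, so other local traffic could leave the VPN too" % proxy_user))
        if info["packets"] is None:
            findings.append(("no-counter", "add `counter` to the mark rule to see whether it ever matches"))
        elif info["packets"] == 0:
            findings.append(("counter-zero", "mark rule has never matched: proxy not running as %s, or traffic not leaving via this chain" % proxy_user))
    return findings


if __name__ == "__main__":
    for code, msg in audit(BROKEN_IP_RULE, SAMPLE_TABLE_1, BROKEN_NFT_CHAIN):
        print("%-20s %s" % (code, msg))
```

Run it on a live box by piping the three commands' output into the corresponding arguments; the finding codes are meant for the audit to be scripted (for example from a cron job that alerts when `counter-zero` or `default-via-vpn` appears, which is what a VPN-leak regression would look like after a firmware or fw4 change).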