Help needed for a transparent proxy on openwrt

this is not a small question with easy fix.
this is an idea for my router to act as a transparent proxy for web traffic(http and https) so that my Country level filtering be circumvented at router level.(I am from Iran).

I tried to use pac paroxy on my devices but many of them dont support it (even my new android phone seems to have issues with pac proxy support) so I am trying to use transparent proxy once and for all.

I need some ideas to make this happen. or maybe somebody have already done this?

1-host(domain,subdomain) based routing( if not on proxy then I have to use ip based on iptable)
2-be configurable so I can add domains to the list.(similar to a pac proxy config)
3- https capable.

so far I know that using iptable and tor on my router can work with http traffic and just need a http proxy (as far as I know) but I have not found much for https because it seems I cant just use a tcp proxy like tor and redirect ip packages to that on the router.

I once tried with redsocks proxy but didn't seems to work with https and tor.

any ideas will be appreciated.

A https capable transparent proxy requires a "man-in-the-middle-attack" I think, i e to decrypt and encrypt using an fake certificate. Which in turn requires you to install a CA certificate used by the fake certificates on all devices. If the devices use certificate pinning, then they will discover that you are faking the certificates.

the https part doesn't need to be MIMT.
http proxies are able to use CONNECT to proxy a https proxy without decrypting it.
my issue is that with redsocks (and the like) when I send the redirected data from iptables to redsocks and then redsocks sends it to ,say tor, tor doesn't understand it cause it is a socks proxy and the data needs to be packaged correctly for it to be understood, which in none-transparent way ,as in with Firefox proxy setting, web client(firefox) does that.

btw there are absolutely ways to redirect https without decrypting it based on sni(server-name-identification).
there are actually proxies for that exact purpose. and they where the ones I tested but there are forward proxies not reverse proxies. (I think).

and when I said trasnpernt proxy I mean the proxy part ,as in with iptable or something like that.
this happens in all the networks everyday and they dont decrypt the data they just inspect the ip capsule.

please if you dont know what my end goal is , dont comment about semantics.
still,,, thanks for the answer.

1 Like

The simplest might be a VPN that tunneled the desired traffic securely across the demarcation lines of interest to you.

SNI, at least as I understand it, won't significantly help your situation. It is often used where a server provides content for many different host names. It offers a certificate that "matches" a list the names to which a server will respond. It doesn't "impersonate" them in any way, but provides a legitimate, verifiable certificate that says, "Yes, I don't know who you're trying to reach as we haven't established a secure channel yet, but I'm,, and and you can confirm that based on the certificate's trust chain."

I'm not familiar with the practical use of Tor in the kind of situation you describe. I did a quick search on Google, and there appear to be many references in the result set that I see here that might help with this specific combination.

sni in transit is what is important to me.
right now it is unencrypted so my country uses that to block subdomains (like but not (after using ip blocks)
this is applied based on sni for many sites so they dont have to ip block.
though ip redirection is also used so that is also important to me.
so basically I am looking for a way to use iptable to redirect for example all the traffic on port 443 to process on openwrt (or maybe on a local proxy on lan) and that proxy decides to connect to the remote address based on ip and/or sni of request, which both are readable in clear text.

and about the server side sni that you pointed out, no I dont think that is correct about sni and server.
sni right now is not encrypted so the server can see the request and redirect it internally. that's how google and others do it. tls1.3 is trying to encrypt sni (experimented by cloudflare) and THAT has the thing you mentioned about a common certificate.

though this is not related to my question and I would be happy with a ip based proxy too that can proxy https.

again for the 1000th times, no you dont need to decrypt https to redirect the ip package (as far as I understand).
the important part is that the server at the end has the private key and decrypt the data but the data is in a ip capsule and that capsule is not encrypted.

You can use "squid" proxy to do, what you want.
However, it needs quite some RAM, so 128MB recommended. More is better.

so squid can redirect based on sni or ip? or both?
can it do it transparent with iptable redirection the connection to it?

Squid is probably the most capable proxy there is so if anything can do it, squid can. Yes transparent is possible though I think it works better for some devices if you just do it as normal configured proxy, squid can be both at same time (listening on multiple ports).

Might be what you want. I think it's better to avoid all this baloney and just config clients to use the proxy explicitly, unless you're talking about setting this up at a university with 18000 users most of whom don't know which is the "any" key.

it is for home but i am sick of low proxy support.
even my new xaiomi a2 android is worse than my old lg g4 android for proxy support.
for example in Firefox doesn't use pac proxy setting for HTTP but does for HTTPs.
the most weird bug ever.

I put the proxy in manually to Firefox on Linux, on Mac, on win 10, on 5 different kinds of Android devices, all of them work perfectly with my squid and manual config.

I do have set proxy for every device I have that has support for pac proxy config ,but every they dont always work and also some of my devices dont have support for that.

so the guy that said use squid that meant use it with setting explicit proxy in firefox?
that's not transparent proxy at all.

No. I very well understood, what you are looking at.
Again: You can run squid in intercept mode (transparent) on openwrt. No browser config.
Not so simple to configure squid, especially, as you also want to intercept https; expect some time for mastering squid. And provide ample RAM on openwrt. Also, master squid on full-blown LINUX first, before port to openwrt. Will save you some hassles.

Don't use PAC, it's a security hazard, and manual proxy config works better and more widely supported. On Android, you do manual config, enter name and port of proxy, voila. Works well on any Android from last 5 yrs at least.

I use pac proxy to proxify the domains that are blocked by my country.

just proxy everything!

1 Like

that would slow down my already slow internet and many sites (like those on cloudflare) have issues with tor.

Evidently I'm missing something. Run the proxy (squid) on your router. Nothing will slow down. Now teach squid which sites to proxy through secure remote proxies and which to just fetch directly... Problem solved?

squid does transparent https proxy?
i dont think it can without certificate installation.
I have thought of two way to do proxy.
one is to use iptable and redirect blocked ips to a proxy and use that but that is too cumbersome and nowadays many sites have shared ips (like couldflare and google and cdns).

another way which would be better is using my dns server to give a local ip to blocked domains and then somehow use a proxy on that local ip but I am not sure that works because I am changing the destination IP and the proxy has no way of knowing where to connect.

this idea is from a website that give dns server ip and I can use it to connect to websites that are blocked for my country.

like this:
drill @ 262 IN CNAME 268 IN A

paypal is blocked for iran but that website (shekan,ir) gives a dns ip and using that I think I get connected to their domain and then they proxy transparently to the blocked domain.

now I want to do that but locally (the dns ip be in my local lan and proxy on there too).
but I dont know how they do it.

Squid does https proxy, there is no need for transparent if you just set it as the proxy for everything on your network. Since your network is small enough to be entirely under your control, so I say "just proxy everything". Make all devices use your squid explicitly. This explicit static proxy works way better and is more secure compared to the javascript based automatic proxy discovery stuff.

So, set up squid, make all your devices use your squid, and then have squid decide whether to route certain things through remote proxies for purpose of security etc.

1 Like

I am aware of "proxy all" and I can do that even without squid(with tor transport and less overhead)
I wanted to proxy just some domains not all my traffic .
again for all the others that try to answer this topic: I dont want to proxy all traffic. I am already able to do that.
I just want to proxy some domains but transparently.
I am aware that is possible with ip redirect in iptable but that has too many bad effects.