A quick question for the scholars:
Is it possible to install and set up mitmproxy on OpenWrt routers, and if so, which one?
Thank you
neuro
Probably any proxy (squid, nginx, tinyproxy, ...) can be configured as a transparent proxy (if that is what you mean) if you redirect port 80 on the router.
You don't say, so I'm going to assume you are wanting to inspect, for example, https web traffic contents?
If so, the theoretical answer is "yes, you can do that," but the practical answer is, "no, almost no OpenWrt devices will have the horsepower to decode encrypted packets, assemble them into a meaningful stream, analyze their contents and declare a verdict on them in real time." You need something like squid for the proxy itself and snort/suricata to do the inspection, and getting those to run on a home router is simply not going to happen.
These tools are typically run on big multi-core server scale routers in enterprise environments, where internal resources (web sites, database APIs and that sort of thing) are exposed for external access. Since it's very rare that a home user has these requirements, deep packet inspection and related technologies are not needed.
Yep, that's the answer I expected...!
Thanks for that.
Neuro
Normally you redirect/dnat candidate traffic off router to wherever you run mitmproxy.
The horsepower is one thing (and a very valid one), but what's typically more of an issue is deploying your own MitM intercepting CA to all devices - and once you figure that out, there's really no point in a transparent proxy anymore (because that will require more tinkering on each and every device than configuring the non-transparent proxy as well).
You are absolutely right here.
However, I come from an infrastructure with modem, router, Pi-hole, unbound, Wireguard and one mitmproxy, and I actually wanted to downsize my setup a bit...
Yes, you can, but building this package is not easy.