Redsocks - routing DNS (udp)

Hi all, I'm trying to funnel specific devices through a proxy connected to my router, but am having trouble funneling the DNS queries through. The aim is to have multiple phones connected to this router, and allow certain devices to use the proxy connection, whilst leaving my PC on the repeated wifi connection. We do not want to have any VPN/proxy configurations on a phone level.

​Setup

iProxy (mobile data sim)

GL-MT3000 Beryl AX router (openwrt, Redsocks installed) - Connected to home WiFi

iPhones

Using the below config and iptables, I'm able to allow my iphone (local ip 192.168.8.153) to use the proxy connections for tcp traffic (I can see the Proxy public ip and no webrtc leaks, but can still see my wifi DNS).

redsocks.conf

base {
        log_debug = on; log_info = on;
        log = "syslog:local7";
        daemon = on;
        redirector = iptables;
}
redsocks {
        local_ip = 0.0.0.0; local_port = 12345;
        ip = iproxy ip; port = iproxy port; type = socks5; login = "iproxy username"; password = "iproxy password";
}
redudp {
        local_ip = 127.0.0.1; local_port = 10053;
        ip = iproxy ip; port = iproxy port; type = socks5; login = "iproxy username"; password = "iproxy password";

        dest_ip = 8.8.8.8; dest_port = 53;
        udp_timeout = 30;
        udp_timeout_stream = 180;
}
dnstc {
        local_ip = 127.0.0.1; local_port = 5300;
}

Iptables

# Resetting to default 

iptables -t nat -F
iptables -F
iptables -t mangle -F
iptables -t raw -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Allowing local Wifi connections

iptables -t nat -A POSTROUTING -o apcli0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o apclix0 -j MASQUERADE
iptables -A FORWARD -i br-lan -o apcli0 -j ACCEPT
iptables -A FORWARD -i apcli0 -o br-lan -j ACCEPT
iptables -A FORWARD -i br-lan -o apclix0 -j ACCEPT
iptables -A FORWARD -i apclix0 -o br-lan -j ACCEPT

# Funelling iPhones traffic through Redsocks

iptables -t nat -N REDSOCKS
iptables -t nat -A PREROUTING -s 192.168.8.153 -p tcp -j REDSOCKS
iptables -t nat -A PREROUTING -s 192.168.8.153 -p udp -j REDSOCKS

iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN

iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-port 12345
iptables -t nat -A REDSOCKS -p udp -j REDIRECT --to-port 12345

# Restarting to update config

service redsocks restart
service redsocks start

I've tried targeting udp ports by using iptables like "iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-port 5300" but still no luck - has anyone been able to use Redsocks in a similar setup to me and successfully funnel all DNS through your proxy? Thanks!

I assume you've seen https://github.com/darkk/redsocks/issues/111#issuecomment-362390292 ?

iptables ... local_ip = 127.0.0.1; local_port = 5300; ... apcli0

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall

Thanks for the replies, and showing me the preformatted text option! Please see below:
ubus call system board

{
        "kernel": "5.4.211",
        "hostname": "GL-MT3000",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT3000",
        "board_name": "glinet,mt3000-snand",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02-SNAPSHOT",
                "revision": "r15812+899-46b6ee7ffc",
                "target": "mediatek/mt7981",
                "description": "OpenWrt 21.02-SNAPSHOT r15812+899-46b6ee7ffc"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'Redacted'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        option macaddr 'Redacted'

config device
        option name 'eth1'
        option macaddr 'Redacted'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'

config device
        option name 'eth0'
        option macaddr 'Redacted'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option force_link '0'
        option ipv6 '0'
        option classlessroute '0'
        option metric '10'

config interface 'wan6'
        option proto 'dhcpv6'
        option device '@wan'
        option disabled '1'

config interface 'tethering6'
        option device '@tethering'
        option proto 'dhcpv6'
        option disabled '1'

config interface 'wwan6'
        option device '@wwan'
        option proto 'dhcpv6'
        option disabled '1'

config interface 'guest'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr 'Redacted'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '1'
        option igmp_snooping '0'
        option isolate '0'
        option bridge_empty '1'
        option disabled '1'

config interface 'modem_1_1_2_6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@modem_1_1_2'

config rule 'policy_direct_rt'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule 'policy_default_rt_vpn'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule6 'policy_direct_rt6'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule6 'policy_default_rt_vpn6'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule 'policy_default_rt_vpn_ts'
        option lookup 'main'
        option priority '1099'
        option mark '0x80000/0xc0000'
        option invert '0'

config interface 'wwan'
        option proto 'dhcp'
        option classlessroute '0'
        option hostname 'Redacted'
        option mtu '1500'

config interface 'ovpnclient'
        option proto 'ovpnclient'
        option config '30484_1'
        option disabled '1'

cat /etc/config/wireless

config wifi-device 'mt798111'
        option type 'mtk'
        option band '2g'
        option htmode 'HE40'
        option channel 'auto'
        option txpower '100'
        option country 'DE'
        option random_bssid '1'
        option disabled '0'
        option legacy_rates '0'

config wifi-iface 'wifi2g'
        option device 'mt798111'
        option mode 'ap'
        option network 'lan'
        option ifname 'ra0'
        option ssid 'GL-MT3000-adb'
        option encryption 'psk2'
        option key 'Redacted'
        option wds '1'
        option isolate '0'
        option ieee80211k '1'
        option bss_transition '1'
        option macaddr 'Redacted'

config wifi-device 'mt798112'
        option type 'mtk'
        option band '5g'
        option channel 'auto'
        option htmode 'HE80'
        option txpower '100'
        option country 'DE'
        option random_bssid '1'
        option disabled '0'
        option legacy_rates '0'

config wifi-iface 'wifi5g'
        option device 'mt798112'
        option mode 'ap'
        option network 'lan'
        option ifname 'rax0'
        option ssid 'GL-MT3000-adb-5G'
        option encryption 'psk2'
        option key 'Redacted'
        option wds '1'
        option isolate '0'
        option ieee80211k '1'
        option bss_transition '1'
        option macaddr 'Redacted'

config wifi-iface 'guest2g'
        option device 'mt798111'
        option network 'guest'
        option mode 'ap'
        option ifname 'ra1'
        option encryption 'psk2'
        option key 'goodlife'
        option ssid 'GL-MT3000-adb-Guest'
        option guest '1'
        option disabled '1'
        option wds '1'
        option isolate '1'
        option macaddr 'Redacted'

config wifi-iface 'guest5g'
        option device 'mt798112'
        option network 'guest'
        option mode 'ap'
        option ifname 'rax1'
        option encryption 'psk2'
        option key 'goodlife'
        option ssid 'GL-MT3000-adb-5G-Guest'
        option guest '1'
        option disabled '1'
        option wds '1'
        option isolate '1'
        option macaddr 'Redacted'

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option input 'DROP'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config redirect 'dns_vpn'
        option name 'dns for vpn'
        option src 'lan'
        option src_dport '53'
        option dest 'lan'
        option dest_port '1653'
        option mark '!0x8000/0xc000'
        list proto 'tcp'
        list proto 'udp'
        option enabled '0'

config redirect 'dns_vpn_guest'
        option name 'dns for vpn guest'
        option src 'guest'
        option src_dport '53'
        option dest 'guest'
        option dest_port '1653'
        option mark '!0x8000/0xc000'
        list proto 'tcp'
        list proto 'udp'
        option enabled '0'

config rule 'process_mark'
        option name 'process_mark'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 65533'
        option target 'MARK'
        option set_xmark '0x8000/0xc000'

config rule 'process_mark_dns'
        option name 'process_mark_dns'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 453'
        option target 'MARK'
        option set_xmark '0x8000/0xc000'

config rule 'process_explict_vpn'
        option name 'process_explict_vpn'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 20000'
        option target 'MARK'
        option set_xmark '0x20000/0x20000'

config rule 'wan_in_conn_mark'
        option name 'wan_in_conn_mark'
        option src 'wan'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
        option enabled '0'

config rule 'lan_in_conn_mark_restore'
        option name 'lan_in_conn_mark_restore'
        option src 'lan'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
        option enabled '0'

config rule 'out_conn_mark_restore'
        option name 'out_conn_mark_restore'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark'
        option enabled '0'

config include 'swap_wan_in_conn_mark'
        option type 'script'
        option reload '1'
        option path '/etc/firewall.swap_wan_in_conn_mark.sh'
        option enabled '0'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'

config zone
        option name 'guest'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule
        option name 'Allow-DNS'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config include 'vpn_server_policy'
        option type 'script'
        option path '/etc/firewall.vpn_server_policy.sh'
        option reload '1'
        option enabled '1'

config include 'portal_ttl'
        option path '/etc/firewall-portal.user'
        option reload '1'

config redirect 'dns_over_lan'
        option src 'lan'
        option src_dport '53'
        option dest 'lan'
        option dest_ip '192.168.8.1'
        option target 'DNAT'

config redirect 'dns_over_guest'
        option src 'guest'
        option src_dport '53'
        option dest 'guest'
        option dest_ip '192.168.9.1'
        option target 'DNAT'

config zone 'ovpnclient'
        option name 'ovpnclient'
        option forward 'DROP'
        option output 'ACCEPT'
        option mtu_fix '1'
        option network 'ovpnclient'
        option input 'DROP'
        option masq '1'
        option masq6 '1'
        option enabled '0'

config forwarding 'ovpnclient2wan'
        option src 'ovpnclient'
        option dest 'wan'
        option enabled '0'

config forwarding 'lan2ovpnclient'
        option src 'lan'
        option dest 'ovpnclient'
        option enabled '0'

config forwarding 'guest2ovpnclient'
        option src 'guest'
        option dest 'ovpnclient'
        option enabled '0'

You should ask gl.inet
in particular nat to loopback never (like for last 10 years) worked on openwrt.
If you search forum for redsocks you find more appropriate nft ruleset to forward all correctly.

Or install proper Openwrt...


It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

In particular redsocks on OpenWRtz manages firewall itself, so you do not have to solve 100-piece captcha every morning.