Setup Proxy Server setting within router

Hello community,
I am new to networking and recently purchased an OpenWrt router to use. I have an internet connection which I access using a proxy setting (IP 192.168.4.10, port 3128) with a username and password. I connected a Wi-Fi router (MI WIFI 3C) as an access point to convert the wired network to wireless, but the problem is that I have to set up/feed the proxy on each and every device which I connect to Wi-Fi or LAN. I just need a simple solution for my problem to feed the proxy server within the router (OpenWrt) so that I can connect any device to Wi-Fi without needing to set the proxy on each and every device.

Thank you

Google for the WPAD standard and DHCP option 252; perhaps that will fulfill your needs.
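What the WPAD / DHCP option 252 route actually hands to the clients is a PAC file: a small JavaScript file the browser evaluates to decide, per URL, whether to go direct or through a proxy. The following is an added example written for this thread, not something posted by the OpenWrt project or anyone in it. It uses the proxy address and port from the question; the local address ranges and the `.lan` suffix it bypasses are assumptions. It deliberately avoids PAC helper functions such as `isInNet()` so the same file also runs under plain Node.js for checking.

```javascript
// Added example: a PAC file for the explicit proxy described in the question.
// Written in ES3-style JavaScript (var, function declarations) because PAC
// engines in some clients do not accept newer syntax.

var PROXY = 'PROXY 192.168.4.10:3128';   // address and port from the question

// Assumed local address ranges that should never be sent to the proxy:
// RFC 1918 private ranges plus loopback.
var LOCAL_IP = /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)/;

// Assumed internal DNS suffix for the LAN (OpenWrt's default domain is "lan").
var LOCAL_SUFFIX = /\.lan$/;

function FindProxyForURL(url, host) {
  host = String(host).toLowerCase();

  // Plain host names (no dot) and loopback resolve locally, so go direct.
  if (host.indexOf('.') === -1 || host === 'localhost') {
    return 'DIRECT';
  }
  // Literal private or loopback addresses: talk to them directly.
  if (LOCAL_IP.test(host)) {
    return 'DIRECT';
  }
  // Names under the internal suffix stay off the proxy as well.
  if (LOCAL_SUFFIX.test(host)) {
    return 'DIRECT';
  }
  // Everything else goes to the explicit proxy. No "; DIRECT" fallback is
  // appended on purpose: if the proxy is down, clients fail rather than
  // silently bypassing it.
  return PROXY;
}
```

To publish it the way option 252 expects, serve the file as `wpad.dat` from a web server on the LAN (the router's uhttpd can do this) and advertise its URL from dnsmasq; in OpenWrt's `/etc/config/dhcp` that is a `list dhcp_option '252,"http://<router-ip>/wpad.dat"'` entry under the `lan` section, with `<router-ip>` being your own router's address. Note that a PAC file only tells the client where the proxy is; the username and password the question mentions are still prompted for on each device, which is the point made later in this thread.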

Since you're requiring a username and password, it seems that there is no way around this, as each device needs a username and password associated. If you are not actually using the username and password for anything, then if you get rid of it you can use the WPAD standard, in which case you only need to click some sort of auto proxy discovery button as you set up the Wi-Fi. On the other hand, the WPAD standard is generally bad security practice, as it runs JavaScript on your devices. I suggest simply entering the proxy information manually; eventually, after a few devices have it, you are done.

If this is a public hotspot type install and you may have thousands of people accessing who are not knowledgeable enough to enter proxy information, you might want to reconsider using the proxy.

I don't recommend trying to do transparent proxy, it is very tricky to get this to work right with SSL.

  • You can deploy proxy settings via configuration management software such as Ansible or use GPO if you have a domain.
  • Squid proxy chaining should be possible but transparent proxy with chaining doesn't look like a simple solution.
  • WPAD has security issues and it's not reliable in the aspect of compatibility.

@reinerotto

I've always used explicit proxy because I know for HTTPS the client will know it needs to do a CONNECT through the proxy, and the proxy will get a domain name to connect to. I can then filter on this domain name if desired.

With transparent, my understanding is the client tries to connect directly to a given IP address, the proxy intercepts it, connects to the IP address and tunnels traffic for the client. It does NOT get a domain name, only an IP address, and so the only kind of filtering that can be done is on the IP address, which is already available in iptables with ipsets... so my impression is that transparent proxy offers much less functionality than explicit proxy. Correct me if I'm wrong.

There are many many web pages discussing the "SSL bump" technique which is completely outside the scope of any "transparent" SSL (because in fact it's a man-in-the-middle attack that you must explicitly allow on each client). Unfortunately because that takes up a lot of the web's energy to describe, it's not so clear how you even configure transparent SSL tunneling without bump. I'd appreciate if you can link to a good site for doing that.

Also for a background discussion of the security implications of WPAD method: https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol#Security

Given all these issues, I've chosen to just set up explicit proxies on my devices. This way I know my devices are talking to the proxy, they know and respond appropriately to the proxy, features are maximized, and compatibility issues, debugging, and wasted time are minimized.

First of all, apologies, you are correct when stating "... I don't recommend trying to do transparent proxy, it is very tricky to get this to work right with SSL. ..." I am always mixing up explicit/intercepting squid. Mea culpa.

However, you can (still) do some filtering of domain names with very basic HTTPS interception, based on SNI, although there are activities from Google, for example, to close this weakness. It needs very basic SSL interception, without deciphering. However, as soon as you want more advanced functionality, you are correct, it will need real splice-and-bump, which is a MITM, and rather complicated.
The best source for up-to-date info is http://squid-web-proxy-cache.1019090.n4.nabble.com/, which is the squid users mailing list, very well supported by the authors of squid.

Back to the original question of this thread, I agree, there is no reasonable solution besides explicit proxy. Also because of basic auth, which does not work on interception. Using WPAD is a possible option for easier deployment of explicit proxy within the local network, in case the security implications are not an issue.
