Tinyproxy error opensock: Could not establish a connection to ::1

I tried to find information online, and I think tinyproxy is supposed to support IPv6, from what I saw on some GitHub issues. I am not sure why this is not working. I spent a few hours trying to make this work, and ended up with nothing.

Hopefully you guys know of a solution using OpenWrt or proxify. I just need Syncthing to be able to see devices on this subnet.

below is my config

config tinyproxy
        option User 'nobody'
        option Group 'nogroup'
        option Port '8888'
        option Timeout '600'
        option DefaultErrorFile '/usr/share/tinyproxy/default.html'
        option StatFile '/usr/share/tinyproxy/stats.html'
        option LogFile '/var/log/tinyproxy.log'
        option LogLevel 'Info'
        option MaxClients '100'
        option MinSpareServers '5'
        option MaxSpareServers '20'
        option StartServers '10'
        option MaxRequestsPerChild '0'
        option ViaProxyName 'tinyproxy'
        list ConnectPort '22'
        list ConnectPort '80'
        list ConnectPort '443'
        list ConnectPort '563'
#       list ConnectPort '2000'
#       list ConnectPort '3000'
#       list ConnectPort '8125'
        list ConnectPort '8384'
#       list ConnectPort '9040'
#       list ConnectPort '9050'
#       list ConnectPort '9051'
        option enabled '1'
        list Allow '127.0.0.1'
        list Allow '0.0.0.0/0'
        list Allow '::1'
        list Allow '192.168.0.1/24'
        list Allow 'fe80::/64'

log

CONNECT   Sep 16 14:57:23 [3425]: Connect (file descriptor 10): 192.168.2.9 [192.168.2.9]
CONNECT   Sep 16 14:57:23 [3425]: Request (file descriptor 10): CONNECT [::1]:8384 HTTP/1.1
INFO      Sep 16 14:57:23 [3425]: No upstream proxy for ::1
INFO      Sep 16 14:57:23 [3425]: opensock: opening connection to ::1:8384
INFO      Sep 16 14:57:23 [3425]: opensock: getaddrinfo returned for ::1:8384
ERROR     Sep 16 14:57:23 [3425]: opensock: Could not establish a connection to ::1
INFO      Sep 16 14:57:23 [3425]: no entity
CONNECT   Sep 16 14:57:23 [1859]: Connect (file descriptor 10): 192.168.2.9 [192.168.2.9]
CONNECT   Sep 16 14:57:23 [1859]: Request (file descriptor 10): CONNECT [::1]:8384 HTTP/1.1
INFO      Sep 16 14:57:23 [1859]: No upstream proxy for ::1
INFO      Sep 16 14:57:23 [1859]: opensock: opening connection to ::1:8384
INFO      Sep 16 14:57:23 [1859]: opensock: getaddrinfo returned for ::1:8384
ERROR     Sep 16 14:57:23 [1859]: opensock: Could not establish a connection to ::1
INFO      Sep 16 14:57:23 [1859]: no entity
CONNECT   Sep 16 14:57:23 [3425]: Connect (file descriptor 10): 192.168.2.9 [192.168.2.9]
CONNECT   Sep 16 14:57:23 [3425]: Request (file descriptor 10): CONNECT 127.0.0.1:8384 HTTP/1.1
NOTICE    Sep 16 14:57:23 [3425]: Request for the stathost.
INFO      Sep 16 14:57:23 [3425]: no entity
CONNECT   Sep 16 14:57:23 [1859]: Connect (file descriptor 10): 192.168.2.9 [192.168.2.9]
CONNECT   Sep 16 14:57:23 [1859]: Request (file descriptor 10): CONNECT 127.0.0.1:8384 HTTP/1.1
NOTICE    Sep 16 14:57:23 [1859]: Request for the stathost.
INFO      Sep 16 14:57:23 [1859]: no entity

log 2 (Only one port when using ::1 is given direct connection, done through proxify)

INFO      Sep 16 14:54:03 [1859]: Closed connection between local client (fd:10) and remote client (fd:11)
CONNECT   Sep 16 14:54:16 [1859]: Connect (file descriptor 10): 192.168.2.9 [192.168.2.9]
CONNECT   Sep 16 14:54:16 [1859]: Request (file descriptor 10): CONNECT 127.0.0.1:8384 HTTP/1.1
NOTICE    Sep 16 14:54:16 [1859]: Request for the stathost.
INFO      Sep 16 14:54:16 [1859]: no entity
CONNECT   Sep 16 14:54:16 [3425]: Connect (file descriptor 10): 192.168.2.9 [192.168.2.9]
CONNECT   Sep 16 14:54:16 [3425]: Request (file descriptor 10): CONNECT 127.0.0.1:8384 HTTP/1.1
NOTICE    Sep 16 14:54:16 [3425]: Request for the stathost.
INFO      Sep 16 14:54:16 [3425]: no entity
CONNECT   Sep 16 14:54:23 [3425]: Connect (file descriptor 10): 192.168.2.9 [192.168.2.9]
CONNECT   Sep 16 14:54:23 [3425]: Request (file descriptor 10): CONNECT 127.0.0.1:8384 HTTP/1.1
NOTICE    Sep 16 14:54:23 [3425]: Request for the stathost.
INFO      Sep 16 14:54:23 [3425]: no entity
CONNECT   Sep 16 14:54:23 [1859]: Connect (file descriptor 10): 192.168.2.9 [192.168.2.9]
CONNECT   Sep 16 14:54:23 [1859]: Request (file descriptor 10): CONNECT 127.0.0.1:8384 HTTP/1.1
NOTICE    Sep 16 14:54:23 [1859]: Request for the stathost.
INFO      Sep 16 14:54:23 [1859]: no entity

Edit: Tried setting the proxy as a listening address, here's the log

CONNECT   Sep 16 15:03:13 [1859]: Connect (file descriptor 10): 192.168.2.9 [192.168.2.9]
CONNECT   Sep 16 15:03:13 [1859]: Request (file descriptor 10): CONNECT 192.168.1.1:80 HTTP/1.1
INFO      Sep 16 15:03:13 [1859]: No upstream proxy for 192.168.1.1
INFO      Sep 16 15:03:13 [1859]: opensock: opening connection to 192.168.1.1:80
INFO      Sep 16 15:03:13 [1859]: opensock: getaddrinfo returned for 192.168.1.1:80
CONNECT   Sep 16 15:03:13 [1859]: Established connection to host "192.168.1.1" using file descriptor 11.
INFO      Sep 16 15:03:13 [1859]: Not sending client headers to remote machine

Verify that tinyproxy is listening on IPv6:

netstat -lnp | grep 8888

Don't add the link-local addresses; better to use the ULA.


I don't think it is. I guess I'll remove fe80 from the list

Edit: Or it is? I guess 0::: is ipv6

The proper IPv6 LLA prefix must be fe80::/10, or use own ULA prefix.
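
An added example (not from the thread or from tinyproxy itself) that audits the Allow entries posted in the original question and shows which entry admits the client 192.168.2.9 seen in the log. It assumes standard prefix matching; the TIGHTENED list and the 203.0.113.7 probe address are constructed for illustration.

```python
import ipaddress

# Allow entries copied from the tinyproxy config in the first post.
ALLOW = ["127.0.0.1", "0.0.0.0/0", "::1", "192.168.0.1/24", "fe80::/64"]

# Constructed alternative (assumption): the catch-all replaced by the
# subnet the logged client 192.168.2.9 sits in, link-local widened to /10.
TIGHTENED = ["127.0.0.1", "::1", "192.168.2.0/24", "fe80::/10"]

LINK_LOCAL6 = ipaddress.ip_network("fe80::/10")


def audit_allow(entries):
    """Return (entry, finding) pairs for ACL entries worth a second look."""
    findings = []
    for raw in entries:
        # strict=False masks off host bits instead of raising ValueError.
        net = ipaddress.ip_network(raw, strict=False)
        if net.prefixlen == 0:
            family = "IPv4" if net.version == 4 else "IPv6"
            findings.append((raw, "matches every %s client" % family))
        if ipaddress.ip_interface(raw).ip != net.network_address:
            findings.append((raw, "host bits set; covers %s" % net))
        if (net.version == 6 and net.prefixlen > LINK_LOCAL6.prefixlen
                and net.subnet_of(LINK_LOCAL6)):
            findings.append((raw, "narrower than fe80::/10, the full link-local range"))
    return findings


def admitting_entries(client, entries):
    """List the ACL entries whose prefix contains the client address."""
    addr = ipaddress.ip_address(client)
    admitted = []
    for raw in entries:
        net = ipaddress.ip_network(raw, strict=False)
        if net.version == addr.version and addr in net:
            admitted.append(raw)
    return admitted


if __name__ == "__main__":
    for entry, finding in audit_allow(ALLOW):
        print("%-16s %s" % (entry, finding))
    # 192.168.2.9 is the client address in the posted tinyproxy log;
    # 203.0.113.7 is a constructed off-LAN address.
    for client in ("192.168.2.9", "203.0.113.7"):
        print(client, "posted:", admitting_entries(client, ALLOW),
              "tightened:", admitting_entries(client, TIGHTENED))
```

With the posted list, 192.168.2.9 is admitted only by the 0.0.0.0/0 entry, because 192.168.0.1/24 covers 192.168.0.0/24 and not the client's subnet.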


alright, fixed (syncthing still doesn't work btw)

In which mode is that proxy supposed to operate?

  • A canonical proxy requires explicit client side configuration.
  • A transparent proxy relies on the firewall intercepting rules.

uh.... I don't know, I guess it's a transparent proxy because I often have to go to tinyproxy settings and allow ports to it. It's using the default configuration on openwrt

Ports allowed to connect to are unrelated to the operating mode.
Have you configured this proxy explicitly on the client side?
What are the related firewall rules on the router?

uci show firewall; iptables-save -c; ip6tables-save -c

I used this guide: https://openwrt.org/docs/guide-user/services/proxy/tinyproxy. The proxy is hosted on the router, not by a device on the network. The device trying to connect to the proxy is on a VLAN, but the issue happens even without the VLAN.

Kind of lost, I don't understand these questions.

# Generated by ip6tables-save v1.8.7 on Thu Sep 16 15:57:29 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16:1408]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_ACCEPT - [0:0]
[3553:311595] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[97:6874] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[69:5290] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[7:392] -A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_wan_input
[21:1192] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
[3553:311595] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[110:13698] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[28:3486] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[48:7104] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[8:764] -A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_wan_output
[10:936] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[10:936] -A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[21:1192] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[21:1192] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_ACCEPT
[10:936] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[10:936] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[21:1192] -A zone_guest_src_ACCEPT -i br-guest -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[28:3486] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 443 -m set --match-set doh6 dst -m comment --comment "!fw3: Deny-DoH" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m udp --dport 443 -m set --match-set doh6 dst -m comment --comment "!fw3: Deny-DoH" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 853 -m comment --comment "!fw3: Deny-DoT" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m udp --dport 853 -m comment --comment "!fw3: Deny-DoT" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[69:5290] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[69:5290] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[28:3486] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[28:3486] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[69:5290] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[48:7104] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wlan0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[8:764] -A zone_wan_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o wlan0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[7:392] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[7:392] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_ACCEPT
[56:7868] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[56:7868] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i eth0.2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_src_ACCEPT -i wlan0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Thu Sep 16 15:57:29 2021

Edit: Not sure if the command is repeating itself, here's the pastebin https://pastebin.com/nTcJnbS5


like this?

# Fetch LAN subnet
. /lib/functions/network.sh
network_flush_cache
network_get_subnet6 NET_SUB6 lan
 
# Configure IP sets
uci -q delete firewall.proxy6
uci set firewall.proxy6="ipset"
uci set firewall.proxy6.name="proxy6"
uci set firewall.proxy6.family="ipv6"
uci set firewall.proxy6.storage="hash"
uci set firewall.proxy6.match="net"
uci add_list firewall.proxy6.entry="::1/128 nomatch"
uci add_list firewall.proxy6.entry="fe80::/10 nomatch"
uci add_list firewall.proxy6.entry="${NET_SUB6} nomatch"
uci add_list firewall.proxy6.entry="::/1"
uci add_list firewall.proxy6.entry="8888::/1"

uci commit firewall
/etc/init.d/firewall restart

Edit: I still get the same error

You are only redirecting IPv4, but not IPv6.
It can be configured similar to the Tor intercepting method:

# Fetch LAN subnet
. /lib/functions/network.sh
network_flush_cache
network_get_subnet NET_SUB lan
network_get_subnet6 NET_SUB6 lan

# Configure IP sets
uci -q delete firewall.proxy
uci set firewall.proxy="ipset"
uci set firewall.proxy.name="proxy"
uci set firewall.proxy.family="ipv4"
uci set firewall.proxy.storage="hash"
uci set firewall.proxy.match="net"
uci add_list firewall.proxy.entry="127.0.0.0/8 nomatch"
uci add_list firewall.proxy.entry="${NET_SUB} nomatch"
uci add_list firewall.proxy.entry="0.0.0.0/1"
uci add_list firewall.proxy.entry="128.0.0.0/1"
uci -q delete firewall.proxy6
uci set firewall.proxy6="ipset"
uci set firewall.proxy6.name="proxy6"
uci set firewall.proxy6.family="ipv6"
uci set firewall.proxy6.storage="hash"
uci set firewall.proxy6.match="net"
uci add_list firewall.proxy6.entry="::1/128 nomatch"
uci add_list firewall.proxy6.entry="fe80::/10 nomatch"
uci add_list firewall.proxy6.entry="${NET_SUB6} nomatch"
uci add_list firewall.proxy6.entry="::/1"
uci add_list firewall.proxy6.entry="8000::/1"

# Proxy intercept
uci -q delete firewall.proxy_int
uci set firewall.proxy_int="redirect"
uci set firewall.proxy_int.name="Proxy-Intercept"
uci set firewall.proxy_int.src="lan"
uci set firewall.proxy_int.dest_port="8888"
uci set firewall.proxy_int.proto="tcp"
uci set firewall.proxy_int.ipset="proxy dest"
uci set firewall.proxy_int.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart
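
An added example (not part of the post above, and not fw3 or ipset code) that models how a hash:net set with nomatch entries decides which destinations an intercept rule redirects, using the proxy6 and tor6 entries that appear in the `uci show firewall` output in this thread. It assumes ipset's most-specific-prefix-first lookup; the probe addresses are constructed.

```python
import ipaddress

# Entries as they appear in the thread's `uci show firewall` output.
PROXY6 = ["::1/128 nomatch", "fe80::/10 nomatch",
          "fdb2:4498:a235::1/60 nomatch", "::/1", "8000::/1"]
# tor6 carries an entry with no network in front of "nomatch", which is what
# "${NET_SUB6} nomatch" expands to when NET_SUB6 is empty.
TOR6 = ["::1/128 nomatch", "fe80::/10 nomatch", " nomatch", "::/1", "8000::/1"]

# Constructed probe destinations: loopback, link-local, a host inside the
# ULA prefix shown in proxy6, and a documentation-range global address.
PROBES = ["::1", "fe80::1", "fdb2:4498:a235::10", "2001:db8::1"]


def parse_entries(entries):
    """Split entries into (network, nomatch) pairs plus a list of rejects."""
    parsed, rejected = [], []
    for raw in entries:
        fields = raw.split()
        # Reject empty entries, a bare "nomatch", and unknown trailing words.
        if (not fields or fields[0] == "nomatch"
                or fields[1:] not in ([], ["nomatch"])):
            rejected.append(raw)
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        parsed.append((net, fields[1:] == ["nomatch"]))
    return parsed, rejected


def intercepted(dest, parsed):
    """True if dest matches the set, i.e. the REDIRECT rule would fire."""
    addr = ipaddress.ip_address(dest)
    hits = [(net, nomatch) for net, nomatch in parsed
            if net.version == addr.version and addr in net]
    if not hits:
        return False
    # The most specific containing prefix decides; nomatch turns it into a miss.
    _, nomatch = max(hits, key=lambda hit: hit[0].prefixlen)
    return not nomatch


def report(name, entries, probes):
    """Summarise rejected entries and which probes would be redirected."""
    parsed, rejected = parse_entries(entries)
    return {"set": name, "rejected": rejected,
            "redirected": [p for p in probes if intercepted(p, parsed)]}


if __name__ == "__main__":
    for name, entries in (("proxy6", PROXY6), ("tor6", TOR6)):
        print(report(name, entries, PROBES))
```

In this model the tor6 set has no LAN exemption, so a destination inside the local ULA prefix is redirected like any global address; checking that `${NET_SUB6}` is non-empty before `uci add_list` avoids writing such an entry.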

I still get the same error https://pastebin.com/AcYJXKeW

Disable the original redirect to proxy.
Then copy-paste the above code again as I fixed a couple of typos.
If the issue persists, check this:

uci show firewall; \
iptables-save -c -t nat; ipset list proxy; \
ip6tables-save -c -t nat; ipset list proxy6

here it is

uci show firewall; \
> iptables-save -c -t nat; ipset list proxy; \
> ip6tables-save -c -t nat; ipset list proxy6
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6' 'wwan'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Transparent Proxy Redirect'
firewall.@redirect[0].src='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].dest_port='8888'
firewall.@redirect[0].src_dport='80'
firewall.@redirect[0].src_dip='!192.168.1.1'
firewall.@redirect[0].dest='guest'
firewall.@redirect[0].dest_ip='192.168.1.1'
firewall.nat6=include
firewall.nat6.path='/etc/firewall.nat6'
firewall.nat6.reload='1'
firewall.doh=ipset
firewall.doh.name='doh'
firewall.doh.family='ipv4'
firewall.doh.storage='hash'
firewall.doh.match='ip'
firewall.doh6=ipset
firewall.doh6.name='doh6'
firewall.doh6.family='ipv6'
firewall.doh6.storage='hash'
firewall.doh6.match='ip'
firewall.doh_fwd=rule
firewall.doh_fwd.name='Deny-DoH'
firewall.doh_fwd.src='lan'
firewall.doh_fwd.dest='wan'
firewall.doh_fwd.dest_port='443'
firewall.doh_fwd.proto='tcp udp'
firewall.doh_fwd.family='ipv4'
firewall.doh_fwd.ipset='doh dest'
firewall.doh_fwd.target='REJECT'
firewall.doh6_fwd=rule
firewall.doh6_fwd.name='Deny-DoH'
firewall.doh6_fwd.src='lan'
firewall.doh6_fwd.dest='wan'
firewall.doh6_fwd.dest_port='443'
firewall.doh6_fwd.proto='tcp udp'
firewall.doh6_fwd.family='ipv6'
firewall.doh6_fwd.ipset='doh6 dest'
firewall.doh6_fwd.target='REJECT'
firewall.dot_fwd=rule
firewall.dot_fwd.name='Deny-DoT'
firewall.dot_fwd.src='lan'
firewall.dot_fwd.dest='wan'
firewall.dot_fwd.dest_port='853'
firewall.dot_fwd.proto='tcp udp'
firewall.dot_fwd.target='REJECT'
firewall.dns_masq=nat
firewall.dns_masq.name='Masquerade-DNS'
firewall.dns_masq.src='lan'
firewall.dns_masq.dest_ip='192.168.1.96'
firewall.dns_masq.dest_port='53'
firewall.dns_masq.proto='tcp udp'
firewall.dns_masq.target='MASQUERADE'
firewall.guest=zone
firewall.guest.name='guest'
firewall.guest.network='guest'
firewall.guest.output='ACCEPT'
firewall.guest.input='ACCEPT'
firewall.guest.forward='ACCEPT'
firewall.guest_wan=forwarding
firewall.guest_wan.src='guest'
firewall.guest_wan.dest='wan'
firewall.guest_wan.enabled='1'
firewall.guest_dns=rule
firewall.guest_dns.name='Allow-DNS-Guest'
firewall.guest_dns.src='guest'
firewall.guest_dns.dest_port='53'
firewall.guest_dns.proto='tcp udp'
firewall.guest_dns.target='ACCEPT'
firewall.guest_dhcp=rule
firewall.guest_dhcp.name='Allow-DHCP-Guest'
firewall.guest_dhcp.src='guest'
firewall.guest_dhcp.dest_port='67'
firewall.guest_dhcp.proto='udp'
firewall.guest_dhcp.family='ipv4'
firewall.guest_dhcp.target='ACCEPT'
firewall.tor=ipset
firewall.tor.name='tor'
firewall.tor.family='ipv4'
firewall.tor.storage='hash'
firewall.tor.match='net'
firewall.tor.entry='127.0.0.0/8 nomatch' '192.168.2.1/24 nomatch' '0.0.0.0/1' '128.0.0.0/1'
firewall.tor6=ipset
firewall.tor6.name='tor6'
firewall.tor6.family='ipv6'
firewall.tor6.storage='hash'
firewall.tor6.match='net'
firewall.tor6.entry='::1/128 nomatch' 'fe80::/10 nomatch' ' nomatch' '::/1' '8000::/1'
firewall.tcp_int=redirect
firewall.tcp_int.name='Intercept-TCP'
firewall.tcp_int.src='guest'
firewall.tcp_int.dest_port='9040'
firewall.tcp_int.proto='tcp'
firewall.tcp_int.extra='--syn'
firewall.tcp_int.ipset='tor dest'
firewall.tcp_int.target='DNAT'
firewall.@rule[15]=rule
firewall.@rule[15].name='Allow-IGMP-Guest'
firewall.@rule[15].src='guest'
firewall.@rule[15].target='ACCEPT'
firewall.@rule[15].proto='igmp'
firewall.@rule[15].family='ipv4'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.proxy=ipset
firewall.proxy.name='proxy'
firewall.proxy.family='ipv4'
firewall.proxy.storage='hash'
firewall.proxy.match='net'
firewall.proxy.entry='127.0.0.0/8 nomatch' '192.168.1.1/24 nomatch' '0.0.0.0/1' '128.0.0.0/1'
firewall.proxy6=ipset
firewall.proxy6.name='proxy6'
firewall.proxy6.family='ipv6'
firewall.proxy6.storage='hash'
firewall.proxy6.match='net'
firewall.proxy6.entry='::1/128 nomatch' 'fe80::/10 nomatch' 'fdb2:4498:a235::1/60 nomatch' '::/1' '8000::/1'
firewall.proxy_int=redirect
firewall.proxy_int.name='Proxy-Intercept'
firewall.proxy_int.src='lan'
firewall.proxy_int.dest_port='8888'
firewall.proxy_int.proto='tcp'
firewall.proxy_int.ipset='proxy dest'
firewall.proxy_int.target='DNAT'
# Generated by iptables-save v1.8.7 on Thu Sep 16 17:10:46 2021
*nat
:PREROUTING ACCEPT [67:14035]
:INPUT ACCEPT [22:3940]
:OUTPUT ACCEPT [11:2569]
:POSTROUTING ACCEPT [10:2506]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[68:14087] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[1:68] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[55:11280] -A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_wan_prerouting
[12:2739] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
[15:2787] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1:63] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[5:338] -A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_wan_postrouting
[3:1996] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
[3:1996] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[12:2739] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[1:52] -A zone_guest_prerouting -p tcp -m set --match-set tor dst -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3: Intercept-TCP" -j REDIRECT --to-ports 9040
[1:63] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -d 192.168.1.96/32 -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Masquerade-DNS" -j MASQUERADE
[1:63] -A zone_lan_postrouting -d 192.168.1.96/32 -p udp -m udp --dport 53 -m comment --comment "!fw3: Masquerade-DNS" -j MASQUERADE
[1:68] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting ! -d 192.168.1.1/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Transparent Proxy Redirect" -j DNAT --to-destination 192.168.1.1:8888
[0:0] -A zone_lan_prerouting -p tcp -m set --match-set proxy dst -m comment --comment "!fw3: Proxy-Intercept" -j REDIRECT --to-ports 8888
[5:338] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[5:338] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[55:11280] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Sep 16 17:10:46 2021
Name: proxy
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 588
References: 1
Number of entries: 4
Members:
192.168.1.0/24 nomatch
128.0.0.0/1
127.0.0.0/8 nomatch
0.0.0.0/1
# Generated by ip6tables-save v1.8.7 on Thu Sep 16 17:10:46 2021
*nat
:PREROUTING ACCEPT [17:12955]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [6:520]
:POSTROUTING ACCEPT [6:520]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[17:12955] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[0:0] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[9:4211] -A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_wan_prerouting
[8:8744] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
[6:520] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
[0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[8:8744] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[0:0] -A zone_guest_prerouting -p tcp -m set --match-set tor6 dst -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3: Intercept-TCP" -j REDIRECT --to-ports 9040
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -p tcp -m set --match-set proxy6 dst -m comment --comment "!fw3: Proxy-Intercept" -j REDIRECT --to-ports 8888
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[9:4211] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Sep 16 17:10:46 2021
Name: proxy6
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1664
References: 1
Number of entries: 5
Members:
::/1
8000::/1
fe80::/10 nomatch
::1 nomatch
fdb2:4498:a235::/60 nomatch

It looks correct, except you should disable/remove that redirect:

oh alright

Same issue

Without redirects tinyproxy works fine for me with IPv6.
Most likely it won't work properly with transparent, as most of the content is served over https and you'll have warnings for mitm attack when trying to intercept https.

Describe your testing method and check traffic counters after trying to use the proxy:

iptables-save -c -t nat | grep -e Proxy-Intercept; \
ip6tables-save -c -t nat | grep -e Proxy-Intercept

Yeah, it works for ipv4. I only had a problem recently when trying to access syncthingtrayzor. The way I test this is by pressing syncthing then refreshing the browser; it will be blank. After that I look at the proxify logs and it says that

[09.16 17:41:10] cefsharp.browsersubprocess.exe (12516) - [::1]:8384 (IPv6) error : Could not connect through proxy 192.168.2.1(192.168.2.1):8888 - Proxy server cannot establish a connection with the target, status code 500

Proxify uses 192.168.2.1:8888 as a proxy server.

After that, I run cat /var/log/tinyproxy.log to look at tinyproxy's logs and see if the issue is still happening, and if I see the error is still there I believe the issue persists. This is the only way I know how to test this.

iptables-save -c -t nat | grep -e Proxy-Intercept; \
> ip6tables-save -c -t nat | grep -e Proxy-Intercept
[356:21360] -A zone_lan_prerouting -p tcp -m set --match-set proxy dst -m comment --comment "!fw3: Proxy-Intercept" -j REDIRECT --to-ports 8888
[0:0] -A zone_lan_prerouting -p tcp -m set --match-set proxy6 dst -m comment --comment "!fw3: Proxy-Intercept" -j REDIRECT --to-ports 8888

My computer (doing ssh and proxify) is connected to the 192.168.2.1 subnet. I have a mobile device on this subnet as well. I have another mobile device connected to the 192.168.1.1 subnet; the goal is to make syncthing able to see this device (which can be done if every device uses this proxy for syncthing). My pihole laptop also has syncthing installed (not running). It could work if I could use this device instead to transfer files across all the network. Sadly, wirelessly connecting Ubuntu to two wireless hotspots seems difficult, and probably not possible because my laptop is from 2010 or older (not sure). This pihole laptop is connected to the openwrt router with an ethernet cable.


Try opening from the LAN client:

It should increment both IPv4 and IPv6 counters.
Assuming the client has dual-stack connectivity.
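
The counter check suggested in the thread can be turned into a per-rule summary. This is an added example, not code from any poster: the function names `intercept_counters` and `sample_counters` are made up here, and the sample input reuses counter lines quoted in the thread.

```shell
#!/bin/sh
# Summarise packet/byte counters of fw3 rules carrying a given comment tag.
# Reads `iptables-save -c` / `ip6tables-save -c` output on stdin and prints
# one line per matching rule: <match-set> <packets> <bytes> <HIT|IDLE>
#
# On the router (assumed invocation, combining both address families):
#   { iptables-save -c -t nat; ip6tables-save -c -t nat; } | intercept_counters
intercept_counters() {
    tag="${1:-Proxy-Intercept}"
    awk -v tag="$tag" '
        # Counter lines look like: [pkts:bytes] -A chain ... --comment "!fw3: tag" ...
        /^\[[0-9]+:[0-9]+\] / && index($0, "!fw3: " tag "\"") {
            # Strip the surrounding brackets, then split packets from bytes.
            split(substr($1, 2, length($1) - 2), c, ":")
            # The ipset name follows --match-set; "-" if the rule has none.
            set = "-"
            for (i = 2; i < NF; i++) if ($i == "--match-set") set = $(i + 1)
            # IDLE means no packet has hit this rule since counters were reset.
            printf "%s %d %d %s\n", set, c[1], c[2], (c[1] + 0 > 0 ? "HIT" : "IDLE")
        }'
}

# Sample input: three counter lines as they appear in the thread
# (two Proxy-Intercept rules and one unrelated MASQUERADE rule).
sample_counters() {
    cat <<'EOF'
[356:21360] -A zone_lan_prerouting -p tcp -m set --match-set proxy dst -m comment --comment "!fw3: Proxy-Intercept" -j REDIRECT --to-ports 8888
[5:338] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_lan_prerouting -p tcp -m set --match-set proxy6 dst -m comment --comment "!fw3: Proxy-Intercept" -j REDIRECT --to-ports 8888
EOF
}

# Stand-alone run: show the summary for the sample lines.
sample_counters | intercept_counters
```

An IDLE line for `proxy6` means no IPv6 packet from the LAN zone has matched the redirect rule since the counters were last reset.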