Transparent squid proxy not working in OpenWrt repeater

To make it work, you will need to configure the device according to the guide section Using NAT. More configuration details can be found here. Be aware that it won’t be a “repeater” anymore and there will be some side effects.

If the main router's clients have to see the clients connected to the former repeater, you will have to create a static route in the main router and some additional firewall rules in the second router.


You can pretty much forget a transparent proxy in a modern https-everywhere web. Not to say that you'd have much more luck with non-transparent proxying or doing it on a relatively low-end device such as yours.

You can run a (transparent) squid on a 64MB openwrt router with a custom image, assuming some tweaking. Regarding https-traffic, a transparent squid can be used for SNI-inspection, for example.


@pavelgl ,
Thanks for your suggestion.
I tried setting up the second router using the instructions you provided and yes, as you mentioned, the devices on the main router were not able to reach the devices connected to the second router. I do not get UI or SSH access to the main router from my ISP, so I was not able to try creating a static route.

As seen in the snapshot above, I want a setup where I can access the second router and also the devices connected to it from a machine (test runner) connected to the main router.
Devices connected to the second router do not have an option to configure a proxy, so I am using a transparent HTTPS proxy in the secondary router to deny traffic to certain domains from the connected devices.

Except for the proxy, the rest of the things worked for me when the second router was configured as a repeater.

Any suggestions on what is the best way to configure the second router for my needs?

I assume that you have already created a static route in "Test runner" to the second router's LAN (LAN2).

Make the following changes in the firewall configuration of the OpenWrt device, replacing "$Test_runner_IP" with the correct IP address.

  1. Disable masquerading from LAN2 to Test runner (pay attention to the negative "!" operator).
uci set firewall.@zone[1].masq_dest="!$Test_runner_IP"
  2. Open the firewall for SSH connections from Test runner.
uci add firewall rule
uci set firewall.@rule[-1].name="Allow-SSH-from-TR"
uci set firewall.@rule[-1].proto="tcp"
uci set firewall.@rule[-1].family="ipv4"
uci set firewall.@rule[-1].src="wan"
uci set firewall.@rule[-1].src_ip="$Test_runner_IP"
uci set firewall.@rule[-1].dest_port="22"
uci set firewall.@rule[-1].target="ACCEPT"
  3. Open the firewall for connections from Test runner to LAN2 (add some restrictions here if you want).
uci add firewall rule
uci set firewall.@rule[-1].name="Allow-from-TR-to-LAN2"
uci set firewall.@rule[-1].proto="any"
uci set firewall.@rule[-1].family="ipv4"
uci set firewall.@rule[-1].src="wan"
uci set firewall.@rule[-1].src_ip="$Test_runner_IP"
uci set firewall.@rule[-1].dest="lan"
uci set firewall.@rule[-1].target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

That should be enough.

There is no need for NAT in this situation, or for a proxy. Set the device up as a wired AP, and then turn on bridge netfiltering and simply block outgoing packets to the IP addresses of interest.

If, however, you only know the domain names you want blocked, then you will need something extra.

@pavelgl ,

Below are the IP and gateway information of the devices in my setup:
Test runner:
IP: 192.168.1.105
GW: 192.168.1.1

Second router:
Lan IP: 192.168.2.1
GW: 192.168.1.1
Wwan IP: 192.168.1.128

Device 1:
IP: 192.168.2.152
GW: 192.168.2.1

Added the static route in Test runner as below:

sudo route -n add -net 192.168.2.0/24 192.168.1.1

After adding all the firewall settings to the second router as you suggested, I was able to SSH into the second router from Test runner, but I was not able to access Device1's web page from Test runner.

@dlakelan,

I tried setting up the second router as a wired AP using the instructions here: https://openwrt.org/docs/guide-user/network/wifi/dumbap
Enabled bridge firewall using these instructions: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge#command-line_instructions

Added the rule below to the firewall configuration to reject any traffic from the devices connected to the second router:

config rule
	option src 'lan'
	option dest '*'
	option target 'REJECT'
	list src_ip '192.168.1.168'
	list src_ip '192.168.1.242'
	option name 'Block traffic from devices'
	option enabled '0'

This is not blocking any traffic from the devices. Is there anything else that I should do for this to work?

Maybe this disables the rule, so option enabled '1'?

Yes, even with enabled '1' it does not work; I have toggled it multiple times to test.

I'd have to see at what point in the firewall it actually gets called, perhaps there's something ahead of it that is passing the traffic by default and so this rule doesn't get hit? Like LAN->LAN by default forwards automatically?

The next hop address must be the Router2 wwan address.

route del -net 192.168.2.0/24
route add -net 192.168.2.0/24 gw 192.168.1.128

@pavelgl,

After changing the static route as per your suggestions, the Test runner can now access both the second router and the devices connected to it. Thank you!

But I am still unable to block the domains from the router via a transparent proxy.
I am now using tinyproxy, which supports both HTTP and HTTPS, as mentioned here: https://openwrt.org/docs/guide-user/services/proxy/tinyproxy

The firewall configuration to redirect all the traffic on ports 80 and 443 to the tinyproxy port 8888 is as below:

config redirect
        option src 'lan'
        option proto 'tcp'
        option dest_port '8888'
        option src_dip '!192.168.2.1'
        option dest_ip '192.168.2.1'
        option name 'Transparent Proxy Redirect'
        option src_dport '80'

config redirect
        option name 'Transparent Proxy HTTPS Redirect'
        option src 'lan'
        option proto 'tcp'
        option dest_port '8888'
        option src_dport '443'
        option src_dip '!192.168.2.1'
        option dest_ip '192.168.2.1'

tinyproxy configuration:

### AUTOGENERATED CONFIGURATION
### DO NOT EDIT
### SEE /etc/config/tinyproxy INSTEAD

User nobody
Group nogroup
Port 8888
Listen 192.168.2.1
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatHost "127.0.0.1"
StatFile "/usr/share/tinyproxy/stats.html"
LogFile "/var/log/tinyproxy.log"
Syslog Off
LogLevel Info
XTinyproxy Off
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
Allow 127.0.0.1
ViaProxyName "tinyproxy"
Filter "/etc/tinyproxy.filter"
FilterURLs Off
FilterExtended Off
FilterCaseSensitive Off
FilterDefaultDeny No
ConnectPort 443
ConnectPort 563

The filter file /etc/tinyproxy.filter has the domain names to block, for example google.com.

Whenever I launch any website from a browser on the device connected to the router (device IP: 192.168.2.232), the logs below appear in the router's tinyproxy log at /var/log/tinyproxy.log:

CONNECT   Dec 05 09:51:14 [11188]: Connect (file descriptor 9): macjdhananjaya.lan [192.168.2.232]
NOTICE    Dec 05 09:51:14 [11188]: Unauthorized connection from "macjdhananjaya.lan" [192.168.2.232].
INFO      Dec 05 09:51:14 [11188]: Read request entity of 517 bytes

The error below is displayed in the browser:

Lan IP of the second router: 192.168.2.1
Wwan IP: 192.168.1.128

Am I missing any configuration related to SSL that is causing this issue?

https://stackoverflow.com/questions/42872182/tinyproxy-not-forwarding-requests-getting-unauthorized-connection-from-ip

@pavelgl
After commenting out the 'Allow 127.0.0.1' line in the tinyproxy configuration, a different error appears in the tinyproxy logs, but the same error in the browser as before.

CONNECT   Dec 05 20:18:49 [12303]: Connect (file descriptor 9): macjdhananjaya.lan [192.168.2.232]
CONNECT   Dec 05 20:18:49 [12303]: Request (file descriptor 9): 
WARNING   Dec 05 20:18:49 [12303]: Could not retrieve all the headers from the client
INFO      Dec 05 20:18:49 [12303]: Read request entity of 361 bytes

I tried configuring redsocks as per the instructions here: https://stackoverflow.com/a/46863429
Added the proxy IP (router's LAN IP: 192.168.2.1) and port (tinyproxy port: 8888) to the redsocks configuration as below, then started the redsocks service.

redsocks {
        /* `local_ip' defaults to 127.0.0.1 for security reasons,
         * use 0.0.0.0 if you want to listen on every interface.
         * `local_*' are used as port to redirect to.
         */
        local_ip = 127.0.0.1;
        local_port = 12345;

        // listen() queue length. Default value is SOMAXCONN and it should be
        // good enough for most of us.
        // listenq = 128; // SOMAXCONN equals 128 on my Linux box.

        // `max_accept_backoff` is a delay to retry `accept()` after accept
        // failure (e.g. due to lack of file descriptors). It's measured in
        // milliseconds and maximal value is 65535. `min_accept_backoff` is
        // used as initial backoff value and as a damper for `accept() after
        // close()` logic.
        // min_accept_backoff = 100;
        // max_accept_backoff = 60000;

        // `ip' and `port' are IP and tcp-port of proxy-server
        // You can also use hostname instead of IP, only one (random)
        // address of multihomed host will be used.
        ip = 192.168.2.1;
        port = 8888;

        // known types: socks4, socks5, http-connect, http-relay
        type = http-connect;

        // login = "foobar";
        // password = "baz";
}

Added the rule below to redirect traffic from port 443 to the redsocks port 12345:

iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-port 12345 -m comment --comment "443 redirection to redsocks"

Reloaded and restarted the firewall, tinyproxy and redsocks services, but it did not fix the issue.
I still see the same errors in the tinyproxy logs and the browser.
Am I missing anything here? Will a transparent proxy work for HTTPS?

Change this to local_ip = 0.0.0.0; and restart the redsocks service.

I seriously doubt you can make tinyproxy work in transparent mode for https traffic, even using redsocks.

@pavelgl ,
Even after changing the local_ip to 0.0.0.0 and restarting redsocks, I see the same errors in tinyproxy logs.

I have also tried using the adblock package to block the domains; even that is not working in the second router for HTTPS requests from the devices connected to it.
I am not finding instructions on how to configure squid proxy in transparent mode on an OpenWrt router, any help?
If not using a proxy, what is the best way to block traffic to a specific domain from the second router (OpenWrt)?

You need to dig into squid's docs when trying to intercept HTTPS.
E.g. here: https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
You then need to adapt these ipt rules to OpenWrt. OR, like I do, just get rid of the OpenWrt firewall completely and replace it with plain iptables. Makes advanced setups much easier.
I advise first setting up intercept squid on vanilla LINUX, i.e. Ubuntu, and porting to OpenWrt when successful.
tinyproxy is not able to intercept HTTPS. squid can do it.
Also, get rid of squid's config using UCI on OpenWrt when porting. Just copy squid.conf from the LINUX (Ubuntu) test env to OpenWrt.

If you want to block certain domains for all LAN clients, you could use this approach.

If you stick to the requirements from your OP

you can use custom firewall rules.

Create a file named domains in the root directory. Enter the domain name you want to block and the client's IP address, separated by a semicolon.

youtube.com;192.168.2.10
google.com;192.168.2.12

Insert this script in /etc/firewall.user:

domainfile="/root/domains"

# Each line of the file is "domain;client_ip"; the `|| [ -n ... ]` also
# processes a last line that has no trailing newline.
while IFS= read -r string || [ -n "$string" ]
do
  domain=$(echo "$string" | sed 's/\;.*//')     # part before the semicolon
  bannedip=$(echo "$string" | sed 's/.*\;//')   # part after the semicolon
  # Resolve the domain to its current IPv4 addresses: drop the resolver's own
  # "Address: ...#53" line and any IPv6 ("::") answers, keep only the address.
  for domainip in $(nslookup "$domain" | grep Address | grep -v \# | grep -v \:: | sed 's/^.*: //')
  do
    # Reject HTTP/HTTPS from the banned client to each resolved address.
    iptables -A forwarding_rule -s "$bannedip"/32 -d "$domainip"/32 -p tcp -m multiport --dports 80,443 -j REJECT
  done
done < "$domainfile"

Enable the reload option in the firewall include section:

uci set firewall.@include[0].reload='1'
uci commit firewall
fw3 restart

Keep in mind that this will only work for IPv4 addresses.
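As an added example (not code from this thread, nor from squid, tinyproxy or OpenWrt), the following Python shows what the "SNI inspection" mentioned earlier in the thread actually works with, and how it relates to the per-client domains file just above: the hostname in a TLS ClientHello is sent in the clear before any key exchange, so a transparent filter can match it against a "domain;client_ip" blocklist without a certificate, without decrypting anything, and without depending on the resolved IPv4 addresses the nslookup script needs. The ClientHello builder, the domains-file content and the client IPs are all constructed for the demo; this is not squid's SslBump implementation.

```python
import struct


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying an SNI extension.

    Only used here to produce constructed sample input; on a router the bytes
    would come from the first segment of a redirected TCP connection."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list       # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                              # client_version + random
            + b"\x00"                                               # session_id length 0
            + b"\x00\x02\x13\x01"                                   # one cipher suite
            + b"\x01\x00"                                           # compression: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)            # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record, or None if absent or malformed.

    Every byte read here is plaintext, which is why a transparent filter can act on
    the name without terminating TLS. Bounds are checked at every step so a short
    or crafted record yields None instead of an exception."""
    if len(record) < 5 or record[0] != 0x16:                        # 0x16 = handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                                # 0x01 = client_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                                 # truncated record
    pos = 34                                                        # skip version (2) + random (32)
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                            # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]            # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                                            # compression_methods
    if pos + 2 > len(body):
        return None                                                 # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0 or len(ext) < 2:
            continue
        p = 2                                                       # skip server_name_list length
        while p + 3 <= len(ext):
            name_type = ext[p]
            name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
            name = ext[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii", "replace")
    return None


def parse_domain_file(text: str) -> dict:
    """Parse 'domain;client_ip' lines (the format of the domains file above)
    into {client_ip: {domain, ...}}. Blank lines, '#' comments and lines
    without a semicolon are ignored."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, sep, client = line.partition(";")
        if not sep:
            continue
        rules.setdefault(client.strip(), set()).add(domain.strip().lower().rstrip("."))
    return rules


def should_block(client_ip: str, record: bytes, rules: dict) -> bool:
    """True when the ClientHello from client_ip names a blocked domain or a subdomain of it."""
    host = extract_sni(record)
    if host is None:
        return False                                                # no SNI: this filter cannot decide
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in rules.get(client_ip, ()))


# Constructed sample in the same format as the domains file in the thread.
DOMAIN_FILE = "youtube.com;192.168.2.10\ngoogle.com;192.168.2.12\n"

if __name__ == "__main__":
    rules = parse_domain_file(DOMAIN_FILE)
    for client, host in [("192.168.2.12", "www.google.com"), ("192.168.2.10", "www.google.com")]:
        verdict = "blocked" if should_block(client, build_client_hello(host), rules) else "allowed"
        print(client, host, verdict)
```

Two points worth noting about the design: the name comparison is suffix-based on label boundaries, so www.google.com matches google.com but notgoogle.com does not; and a ClientHello without SNI (or one this parser cannot read) falls through to "allowed" rather than an error, which is exactly the gap that a dumb IP-based rule or a DNS-level blocker such as the adblock package would have to cover.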

Landed on this topic while searching for squid proxy as a web cache.

This thread is more than 2 years old, but I didn't see the OP mark this topic as solved.
In case somebody is also interested in doing the same thing, restricting network client devices from accessing certain sites, you might consider installing a Pi-hole. It works for the whole network group, blocking all connected devices, be it phone, IoT, laptop, etc.