I've set up a system to access websites using the most appropriate local dial-out. Mostly because of goddamned GDPR (many US websites are closed for Europeans), but it's all-around useful. I briefly described it in a comment here, but since several people asked me to provide more info, here it is.
Hardware: FriendlyElec NanoPi R5S, 4 GiB RAM / 32 GiB eMMC, with a 1 TiB Samsung NVMe SSD.
Docker runs on top of it. I use a "fake" VLAN (id 70) with a macvlan network so that each container gets its own IP address, and those addresses are reachable from the LAN. I got the idea from this article.
Here's the relevant docker-compose bit. eth2.70 is the sub-interface for VLAN id 70 and serves as the macvlan parent.
networks:
  default:
    driver: macvlan
    driver_opts:
      parent: eth2.70
    ipam:
      config:
        - subnet: 10.70.70.0/24
          gateway: 10.70.70.1
In Docker, I have several TinyProxy containers with almost no configuration.
proxy-ny:
  image: ajoergensen/tinyproxy
  container_name: proxy-ny
  restart: always
  environment:
    - TZ=Europe/Madrid
  volumes:
    - ./tinyproxy/tinyproxy.conf:/etc/tinyproxy/tinyproxy.conf:ro
    - ./tinyproxy/rsyslog-ny.conf:/etc/rsyslog.conf:ro
    - /etc/TZ:/etc/TZ:ro
  networks:
    default:
      ipv4_address: 10.70.70.102
  dns: "192.168.11.1"

proxy-ca:
  image: ajoergensen/tinyproxy
  container_name: proxy-ca
  restart: always
  environment:
    - TZ=Europe/Madrid
  volumes:
    - ./tinyproxy/tinyproxy.conf:/etc/tinyproxy/tinyproxy.conf:ro
    - ./tinyproxy/rsyslog-ca.conf:/etc/rsyslog.conf:ro
  networks:
    default:
      ipv4_address: 10.70.70.101
  dns: "192.168.11.1"
Here I have two tinyproxies, one for my NYC WireGuard connection and another for my California one (NYC is closer to me; California is for streaming). The idea is that the router sends traffic out through the relevant WireGuard tunnel based on the source IP address of the tinyproxy container. Here's the tinyproxy config (the same for all of them):
User tinyproxy
Group tinyproxy
Port 8888
Listen 0.0.0.0
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
Syslog On
LogLevel Info
MaxClients 100
Allow 0.0.0.0/0
ViaProxyName "creepydice"
ConnectPort 443
ConnectPort 563
I want each tinyproxy to report via syslog, so I personalize them with hostnames. My syslog server is at 192.168.11.10. I basically added two lines to the default rsyslog config:
#
# http://www.rsyslog.com/doc/
#
$LocalHostName proxy-ny
*.* @@192.168.11.10:514

# Input modules
$ModLoad immark.so   # provide --MARK-- message capability

# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
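The tinyproxy config above uses "Allow 0.0.0.0/0", so every host that can reach the 10.70.70.x addresses may use the proxies; the forwarded syslog lines are the record of who actually does. The script below is an added example, not part of the original post: it parses lines as the receiving rsyslog writes them (RFC 3164 style, with the per-container $LocalHostName as the host field), joins tinyproxy's "Connect (file descriptor N): <ip>" and "Request (file descriptor N): <request>" messages so that each request is attributed to a client address, and flags clients outside the expected LAN prefix. The SAMPLE_LOG lines are constructed for this example, not captured from the author's setup, and the allowed prefix 192.168.11.0/24 is an assumption.

```javascript
// Added example (not from the original post): summarise forwarded tinyproxy
// syslog lines per proxy hostname and flag clients outside the expected LAN.
// Assumptions: RFC 3164-style lines and tinyproxy's Connect/Request messages;
// SAMPLE_LOG is constructed, not captured from the author's system.

const SAMPLE_LOG = `
Mar 19 12:00:01 proxy-ny tinyproxy[12]: Connect (file descriptor 7): 192.168.11.50
Mar 19 12:00:01 proxy-ny tinyproxy[12]: Request (file descriptor 7): CONNECT www.example.com:443 HTTP/1.1
Mar 19 12:00:05 proxy-ca tinyproxy[12]: Connect (file descriptor 8): 192.168.11.23
Mar 19 12:00:05 proxy-ca tinyproxy[12]: Request (file descriptor 8): CONNECT www.netflix.com:443 HTTP/1.1
Mar 19 12:00:09 proxy-ny tinyproxy[12]: Connect (file descriptor 9): 10.70.70.200
Mar 19 12:00:09 proxy-ny tinyproxy[12]: Request (file descriptor 9): GET http://example.org/ HTTP/1.1
Mar 19 12:00:10 proxy-ny tinyproxy[12]: Request (file descriptor 42): CONNECT orphan.example.net:443 HTTP/1.1
`;

// "<Mon DD HH:MM:SS> <host> tinyproxy[<pid>]: <message>"
const LINE_RE = /^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) tinyproxy\[\d+\]: (.*)$/;
const CONNECT_RE = /^Connect \(file descriptor (\d+)\): (\S+)$/;
const REQUEST_RE = /^Request \(file descriptor (\d+)\): (.*)$/;

// Minimal IPv4 CIDR membership test; anything that is not a dotted quad
// (e.g. the "unknown" placeholder below) is never considered inside a prefix.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}
function inCidr(ip, cidr) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  const [net, bits] = cidr.split('/');
  const mask = bits === '0' ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// Returns one event per Request line: { ts, host, client, request }.
// The client is looked up from the Connect line that opened the same file
// descriptor on the same proxy host; a Request with no matching Connect
// (log loss, or a connection that began before collection started) is kept
// with client "unknown" rather than dropped, so it still shows up in the report.
function parseTinyproxyLog(text) {
  const openFds = new Map();
  const events = [];
  for (const raw of text.split('\n')) {
    const m = LINE_RE.exec(raw.trim());
    if (!m) continue;
    const [, ts, host, msg] = m;
    const c = CONNECT_RE.exec(msg);
    if (c) {
      openFds.set(`${host}/${c[1]}`, c[2]);
      continue;
    }
    const r = REQUEST_RE.exec(msg);
    if (r) {
      const client = openFds.get(`${host}/${r[1]}`) || 'unknown';
      events.push({ ts, host, client, request: r[2] });
    }
  }
  return events;
}

// Per-host request counts per client, plus every request whose client is not
// inside one of the allowed prefixes.
function summarise(events, allowedCidrs) {
  const perHost = {};
  const outsiders = [];
  for (const e of events) {
    if (!perHost[e.host]) perHost[e.host] = {};
    perHost[e.host][e.client] = (perHost[e.host][e.client] || 0) + 1;
    const allowed = allowedCidrs.some((cidr) => inCidr(e.client, cidr));
    if (!allowed) outsiders.push(e);
  }
  return { perHost, outsiders };
}

const report = summarise(parseTinyproxyLog(SAMPLE_LOG), ['192.168.11.0/24']);
console.log(JSON.stringify(report, null, 2));
```

Run it with node against a file of forwarded lines (or pipe the relevant part of the syslog host's log into it after replacing SAMPLE_LOG with the file contents); the outsiders list is the part worth alerting on, since in this setup only LAN clients should ever be talking to the proxies.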
So now I have multiple tinyproxies, each with its own IP address, all listening on port 8888.
To route traffic properly I use the Policy-Based Routing (PBR) package. Here's the relevant bit from the PBR config. The wg_cal interface is for multimedia (the "streaming account"), so my streaming hardware is routed there, as is 10.70.70.101 for when I need to set something up on, e.g., Netflix.com.
config policy
	option name '101-US-CA and mm-us'
	option src_addr '10.30.30.0/24 office-facebook-portal.lan 10.70.70.101'
	option interface 'wg_cal'

config policy
	option name '102-US-NYC'
	option interface 'wg_nyc'
	option src_addr '10.70.70.102'
Finally, I use the Proxy SwitchyOmega extension in Chrome (desktop) and Kiwi Browser (mobile, via VPN to home) to select which proxy to use.
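For anyone who prefers a PAC file to clicking through SwitchyOmega profiles, here is an added example (not from the original post, and not the author's actual rules) that expresses the same per-site choice as a proxy auto-config script. It can be loaded as a SwitchyOmega "PAC profile" or set as the browser's auto-config URL. The proxy addresses and ports are the ones from the post; the streaming and US-only domain lists, the ".lan" home zone and the placeholder ".example-us-news.test" domain are assumptions for illustration. dnsDomainIs, isPlainHostName and shExpMatch are functions every PAC engine provides; the shims at the top only exist so the same file runs under Node for testing and are skipped inside a real browser.

```javascript
// Added example (not from the original post): PAC equivalent of a
// SwitchyOmega switch profile for the two tinyproxies described above.
// Proxy addresses come from the post; the domain lists are assumptions.

const PROXY_CA = 'PROXY 10.70.70.101:8888'; // exits via wg_cal (streaming account)
const PROXY_NY = 'PROXY 10.70.70.102:8888'; // exits via wg_nyc

// Assumed destination lists (illustrative, extend to taste).
const STREAMING_DOMAINS = ['.netflix.com', '.nflxvideo.net'];
const US_ONLY_DOMAINS = ['.example-us-news.test']; // placeholder, not a real site

// Browsers provide these PAC helpers; the shims let the file run under Node.
// The guard means they are never defined inside a real PAC sandbox.
if (typeof dnsDomainIs === 'undefined') {
  // Suffix match, like the real helper: ".netflix.com" matches www.netflix.com
  // but not netflix.com.evil.test.
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length && host.slice(-domain.length) === domain;
  };
  globalThis.isPlainHostName = function (host) {
    return host.indexOf('.') === -1;
  };
  // Shell-style glob: '*' and '?' are wildcards, everything else is literal.
  globalThis.shExpMatch = function (str, pattern) {
    const re = pattern
      .replace(/[.+^${}()|[\]\\]/g, '\\$&')
      .replace(/\*/g, '.*')
      .replace(/\?/g, '.');
    return new RegExp('^' + re + '$').test(str);
  };
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Local destinations never go through a proxy: plain names, the home zone,
  // the LAN itself and the macvlan subnet the proxies live on.
  if (isPlainHostName(host) || dnsDomainIs(host, '.lan') ||
      shExpMatch(host, '192.168.11.*') || shExpMatch(host, '10.70.70.*')) {
    return 'DIRECT';
  }
  for (let i = 0; i < STREAMING_DOMAINS.length; i++) {
    if (dnsDomainIs(host, STREAMING_DOMAINS[i])) return PROXY_CA;
  }
  for (let i = 0; i < US_ONLY_DOMAINS.length; i++) {
    if (dnsDomainIs(host, US_ONLY_DOMAINS[i])) return PROXY_NY;
  }
  // Everything else leaves from the real location. The proxied rules above
  // deliberately have no "; DIRECT" fallback: if a tunnel is down, the request
  // fails instead of silently going out with the real address.
  return 'DIRECT';
}
```

Two details matter for the geo-access goal. First, dnsDomainIs is a suffix test, so a rule for ".netflix.com" does not accidentally match unrelated hosts that merely contain that string. Second, leaving out the usual "PROXY ...; DIRECT" fallback makes a dead WireGuard tunnel fail closed rather than quietly revealing the real address; if availability matters more than that, add the fallback knowingly.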