I've set up a system to access websites through the most appropriate local exit point. Mostly because of goddamned GDPR (many US websites are closed to Europeans), but it's all-around useful. I briefly described it in a comment here, but since several people asked me to provide more info, here it is.
Hardware:
FriendlyElec NanoPi R5S, 4 GiB RAM / 32 GiB eMMC, 1 TiB Samsung NVMe SSD.
Software:
FriendlyWRT/OpenWRT 23.03.3
Docker runs on top. I use a "fake" VLAN (id 70) to assign unique IP addresses to containers, and those addresses are visible from the LAN. Got the idea from this article.
Here's the relevant docker-compose bit; eth2.70 is the sub-interface for the fake VLAN id 70.
networks:
  default:
    driver: macvlan
    driver_opts:
      parent: eth2.70
    ipam:
      config:
        - subnet: 10.70.70.0/24
          gateway: 10.70.70.1
In Docker, I have several TinyProxy containers with almost no configuration.
proxy-ny:
  image: ajoergensen/tinyproxy
  container_name: proxy-ny
  restart: always
  environment:
    - TZ=Europe/Madrid
  volumes:
    - ./tinyproxy/tinyproxy.conf:/etc/tinyproxy/tinyproxy.conf:ro
    - ./tinyproxy/rsyslog-ny.conf:/etc/rsyslog.conf:ro
    - /etc/TZ:/etc/TZ:ro
  networks:
    default:
      ipv4_address: 10.70.70.102
  dns: "192.168.11.1"
proxy-ca:
  image: ajoergensen/tinyproxy
  container_name: proxy-ca
  restart: always
  environment:
    - TZ=Europe/Madrid
  volumes:
    - ./tinyproxy/tinyproxy.conf:/etc/tinyproxy/tinyproxy.conf:ro
    - ./tinyproxy/rsyslog-ca.conf:/etc/rsyslog.conf:ro
  networks:
    default:
      ipv4_address: 10.70.70.101
  dns: "192.168.11.1"
Here I have two tinyproxies, one for my NYC WireGuard connection and another for my California one (NYC is closer to me, California is for streaming). The idea is to route traffic based on each tinyproxy's source IP address through the relevant WireGuard tunnel. Here's the config (the same file for all of them):
tinyproxy.conf
User tinyproxy
Group tinyproxy
Port 8888
Listen 0.0.0.0
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
Syslog On
LogLevel Info
MaxClients 100
# Accept clients from any source address; because of the macvlan these proxies are reachable from the whole LAN
Allow 0.0.0.0/0
# Hostname reported in the Via header
ViaProxyName "creepydice"
# Only permit CONNECT tunnels (HTTPS etc.) to these destination ports
ConnectPort 443
ConnectPort 563
I want each tinyproxy to report via syslog, so I personalize them with hostnames. My syslog server is at 192.168.11.10. I basically added two lines to the default rsyslog config: "*.* @@192.168.11.10:514" (forward everything over TCP) and "$LocalHostName proxy-ny". Here goes rsyslog-ny.conf:
#
# http://www.rsyslog.com/doc/
#
# Hostname this container reports under (proxy-ca in the other file)
$LocalHostName proxy-ny
# Forward all facilities/priorities over TCP (@@) to the central syslog host
*.* @@192.168.11.10:514
# Input modules
$ModLoad immark.so # provide --MARK-- message capability
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
So now I have multiple tinyproxies, each with its own IP address, all listening on port 8888.
To route traffic properly I use the OpenWrt Policy-Based Routing (PBR) package. Here's the relevant bit from the PBR config. The wg_cal interface is for multimedia (the "streaming account"), so my streaming hardware is routed there, as well as 10.70.70.101 in case I need to set something up on e.g. Netflix.com.
config policy
	option name '101-US-CA and mm-us'
	option src_addr '10.30.30.0/24 office-facebook-portal.lan 10.70.70.101'
	option interface 'wg_cal'
config policy
	option name '102-US-NYC'
	option interface 'wg_nyc'
	option src_addr '10.70.70.102'
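A proxy container that exists in docker-compose but whose address is not listed in any PBR src_addr silently egresses through the router's default WAN instead of a tunnel. The following consistency check is an added example, not part of the original post; it assumes the two fragments above plus a hypothetical third container, proxy-de, that was added without a policy:

```python
import ipaddress
import re

# Constructed inputs modelled on the post's fragments (not the author's files); proxy-de is hypothetical.
COMPOSE = """\
networks: {default: {driver: macvlan, ipam: {config: [{subnet: 10.70.70.0/24}]}}}
proxy-ny:
  container_name: proxy-ny
  networks: {default: {ipv4_address: 10.70.70.102}}
proxy-ca:
  container_name: proxy-ca
  networks: {default: {ipv4_address: 10.70.70.101}}
proxy-de:
  container_name: proxy-de
  networks: {default: {ipv4_address: 10.70.70.103}}
"""
PBR = """\
config policy
    option name '101-US-CA and mm-us'
    option src_addr '10.30.30.0/24 office-facebook-portal.lan 10.70.70.101'
    option interface 'wg_cal'
config policy
    option name '102-US-NYC'
    option interface 'wg_nyc'
    option src_addr '10.70.70.102'
"""

def compose_proxies(text):
    """Return ({container_name: ipv4_address}, macvlan subnet), by regex so no YAML library is needed."""
    subnet = ipaddress.ip_network(re.search(r"subnet:\s*([\d./]+)", text).group(1))
    pairs = re.findall(r"container_name:\s*(\S+).*?ipv4_address:\s*([\d.]+)", text, re.S)
    return dict(pairs), subnet

def pbr_interfaces(text):
    """Map every src_addr token to the interface of the PBR policy that lists it."""
    routes = {}
    for block in re.split(r"^config policy", text, flags=re.M)[1:]:
        iface = re.search(r"option interface '([^']+)'", block)
        srcs = re.search(r"option src_addr '([^']+)'", block)
        if iface and srcs:
            routes.update({tok: iface.group(1) for tok in srcs.group(1).split()})
    return routes

def audit(compose_text, pbr_text):
    """Per proxy: the wg interface it egresses through, or an ERROR explaining why it would leak via plain WAN."""
    proxies, subnet = compose_proxies(compose_text)
    routes = pbr_interfaces(pbr_text)
    return {name: ("ERROR: address outside the macvlan subnet" if ipaddress.ip_address(addr) not in subnet
                   else routes.get(addr, "ERROR: no PBR src_addr match, would use default WAN"))
            for name, addr in proxies.items()}

if __name__ == "__main__":
    for name, verdict in audit(COMPOSE, PBR).items():
        print(f"{name}: {verdict}")
```

Run it against the real docker-compose.yml and the PBR section of /etc/config (read the files in place of the constructed strings) whenever a proxy is added.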
Finally, to pick a proxy per site, I use the Proxy SwitchyOmega extension in Chrome (desktop) and in Kiwi Browser (mobile; reaching the proxies via VPN to home).