Redirect OpenWrt outbound traffic to external proxy - proxy

I am trying to force a WiFi router with OpenWrt to send traffic to a mitm proxy.
I see that it is possible to install a proxy alongside OpenWrt on the router, but I'm not clear if that's the right solution or how to configure it.
Specifically, I want to install OpenWrt onto a wireless access point and have all the inbound wireless traffic sent to a proxy.
More specifically:
Android app connects to WiFi
(setting a proxy on the Android wifi interface typically only proxies browser traffic and doesn't work in my case)
Traffic is handled by OpenWrt on the router.
Traffic is sent from OpenWrt to OWASP Zap on an external machine for inspection.
I understand certificate pinning etc. and this is not a problem.
If it's relevant, my target router is a Netgear EX3700, with one WiFi and one Ethernet interface.
Thanks

Related

How to redirect network traffic to a tcp/udp connection in golang

So I've seen projects like trojan-go and v2ray-go.
They are making their own proxy protocols at the user-space level. I am trying to do the same thing, but I don't know how to redirect network traffic from clients to the proxy server.
Basically, I don't understand how those tools (or any tool) can redirect the device's internet traffic to a certain server, so that when the packets are going to the internet they go to the proxy server first instead of to their destination IP address.
How can I do it in Go without dealing with netlink and iptables?
I know apps like WireGuard do this by dealing with layer 3-4 stuff using the netlink API, but I need to know how apps do it without adding a new network interface.

Force Chromium to Use Proxy IP Address in WebRTC instead of Public IP

Browsers leak the public IP through WebRTC while routing traffic through browser-specific proxies such as Chrome VPN extensions, but using a native VPN application (OS-specific) doesn't expose the public IP through WebRTC.
How can I overcome this problem and force Chromium to use the proxy IP instead of the public IP for WebRTC communication?
Note: blocking WebRTC in the browser does hide the public IP, but many websites, e.g. google.com and godaddy.com, treat you as a bot and blacklist you from using some of their services.
This issue is more related to browser fingerprinting than to ungoogling stuff.
No extensions are available to solve this problem so far, but some automation tools such as Kameleo.com are able to do such things; those are pricey.
Possible solutions
Force Chromium to use the proxy IP through ICE framework TURN/STUN signaling services.
I also don't know how to set up a STUN connection, so please also guide me on the coding part.
https://isaacbrains.com
TLDR: Configure and deploy your own TURN server and configure your WebRTC app to use relay candidates only via iceTransportPolicy and use only TURN for your iceServers.
Something like this:
let config = {
    iceServers: [{ urls: "turn:turn.yourdomain.com:3478" }],
    iceTransportPolicy: "relay"
};
WebRTC does not use browser proxies. Browser proxies bridge connections via http/https to websites. And browser proxies don't fit into the model WebRTC uses to connect to another client ad-hoc packet transfer of UDP packets.
STUN exists primarily for clients to discover and share their own public IP address and port mapping. It sounds like you want to avoid STUN since you don't want srflx candidates anyway.
TURN is a relay server protocol for WebRTC, VoIP, and other types of P2P connections. Its primary job is to be a fallback when direct client-to-client communication is not possible. But it sounds like you want to avoid that altogether and just have the SDP advertise your relay (TURN) addresses only.
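One way to verify that the relay-only policy above actually holds is to audit the SDP the browser produces (for example `pc.localDescription.sdp` once gathering finishes) for any candidate that reveals an address other than the TURN server's. The following is an added example, not code from the answer above; the SDP fragments are constructed test data using documentation-range addresses, and the parser follows the `a=candidate` syntax of RFC 5245.

```javascript
// Constructed sample SDP fragments (not real captures).
// Leaky: a host candidate, a server-reflexive (srflx) candidate, and a relay
// candidate whose raddr still carries the client's reflexive address.
const SDP_LEAKY = [
  "a=candidate:1 1 udp 2122260223 192.168.1.20 50000 typ host generation 0",
  "a=candidate:2 1 udp 1686052607 203.0.113.7 50000 typ srflx raddr 192.168.1.20 rport 50000 generation 0",
  "a=candidate:3 1 udp 41885439 198.51.100.9 3478 typ relay raddr 203.0.113.7 rport 50000 generation 0",
].join("\r\n");

// Clean: only the TURN relay address is advertised, raddr blanked.
const SDP_RELAY_ONLY =
  "a=candidate:3 1 udp 41885439 198.51.100.9 3478 typ relay raddr 0.0.0.0 rport 0 generation 0";

// Parse each a=candidate line into { address, port, type, raddr }.
function parseCandidates(sdp) {
  const re = /^a=candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport (\d+))?/;
  const out = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = re.exec(line.trim());
    if (!m) continue;
    out.push({ address: m[5], port: Number(m[6]), type: m[7], raddr: m[8] || null });
  }
  return out;
}

// Addresses a remote peer (or a fingerprinting site) could learn from this SDP:
// host/srflx candidates themselves, plus the related address (raddr) of a relay
// candidate, which is the client's reflexive address unless the browser blanked it.
function exposedAddresses(sdp) {
  const exposed = [];
  for (const c of parseCandidates(sdp)) {
    if (c.type !== "relay") {
      exposed.push(`${c.address} (${c.type})`);
    } else if (c.raddr && c.raddr !== "0.0.0.0" && c.raddr !== "::") {
      exposed.push(`${c.raddr} (relay raddr)`);
    }
  }
  return exposed;
}

// True only when every candidate is a relay and nothing else is exposed.
function isRelayOnly(sdp) {
  const cands = parseCandidates(sdp);
  return cands.length > 0 && cands.every((c) => c.type === "relay") && exposedAddresses(sdp).length === 0;
}
```

In a page you control, the same check can run on each `RTCPeerConnection` `icecandidate` event before the candidate is signalled to the peer.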

HTTP hole punching - Web server behind NAT

I have some Raspberry Pi servers behind NATs (non-configurable, ISP provided), on dynamic IPs, and a "master" server with a static IP and port forwarding configured on the router. I want to be able to access the page served by any of those RPi servers from any browser. I've read about TCP hole punching, but I can't figure out how to make it work from a browser (I guess using AJAX). I could use the "master" server as a relay server, but I don't know how to. BTW, all traffic to/from the servers uses HTTPS, not HTTP.
EDIT:
The Raspberries and the server are NOT on the same network.
You might investigate the use of a reverse proxy (I've used NGINX). A reverse proxy allows traffic to hit your server with the static IP, and forward HTTP traffic to other servers behind the firewall.
It gets a little more tricky with HTTPS, but it can be worked out.

Programmable router

I'd like to set up a proxy between my home network and the internet.
Currently, computers at home connect to a Cisco router which is connected to the internet.
What I'd like is to set up the system so that all internet traffic goes through a proxy; in my case it is a dedicated extra computer (server).
Are there programmable routers that can run some software within the router or using a connected computer?
This way I could use a program to see what goes out and comes in.
If you only want to monitor your network, then investigate and learn how to use Wireshark. If you want to take the long and much harder route of making a proxy server, use a Squid proxy. It runs on a Linux server and you can get a lot of user-friendly GUIs. Plus there are hundreds of tutorials.

How to establish a client server connection outside the LAN?

I am unable to establish a connection to the server of my client-server app written in VB 6.0.
This is because the server of the app is behind a LAN router, and I don't have access to the router to configure it. If it is possible to establish a connection, please let me know how, and if it is not possible, then how do programs like TeamViewer and LogMeIn establish a connection?
Ask the person who does administer the router to open the port or to give you a VPN tunnel, or to move the server to a LAN with lower security requirements. If you have a good reason for needing this they shouldn't make a fuss about it.
TeamViewer and LogMeIn rely on central systems under their own control. Both the client and the server make an outgoing connection to the central system that patches them through to each other. So on both sides the firewall only has to allow outgoing connections.
Depending on the router at the server end you might be able to use UPnP in your server to map the port through the NAT router.
See Easy UPnP NAT Traversal for a VB6 discussion of the topic.