How do I setup a "portable proxy" using a Raspberry Pi?
I'm looking to try some hands-on experience setting up proxies. However, the proxy I want to setup is a bit unique. My end goal is to be able to do the following:
- Connect a Raspberry Pi to a network using Ethernet or Wi-Fi
- Automatically have the Raspberry Pi (as soon as it is powered on and connected) send its own public IP address (and other relevant proxy information, where applicable) to a home server (and periodically retry sending this information if the server is down)
- Be able to proxy my connection from a separate network through the Raspberry Pi (by simply entering in the IP address and port as a normal proxy) so that my public IP address will now show up as that of the network the Raspberry Pi is connected to
I want to avoid configuring port forwarding for networks the Raspberry Pi is connected to. I can configure port forwarding for the network my home server is connected to, but if possible I would like to avoid that as well (for convenience and security).
I also want to avoid using a third party service (e.g. Linode) to manage the proxy for me. I want the Raspberry Pi to do all the work here, ideally using open source software such as Privoxy or Squid. I want this to be an HTTP proxy. If possible, I would like to encrypt the proxy connection.
I'm not sure if any of this would be possible without port forwarding. Maybe some sort of reverse proxy would help with this. I understand how a proxy such as this could have the potential for misuse, as do most things. I'm making this post for educational purposes only, so that I can better my understanding of proxies and network security.
Any guides or videos on how to set this up are greatly appreciated. I found a few, but none quite capture what I'm describing here. Most don't talk about using this across separate networks, only local networks.
Thank you!
Prunebutt
in reply to The 8232 Project • • •Oisteink
in reply to Prunebutt • • •A service like tailscale will solve the connection to your home net automagically. You are however stuck without routing from friend-net so you cant access homenet devices directly
You can solve this by setting up a reverse proxy like caddy on your raspi, and access home-net web-apps and services through that. Like [assigned-friendnet-ipaddress]:8444 or similar.
The reverse proxy would forward this to homenet devices through the tailscale vpn
pedroapero
in reply to Prunebutt • • •Without a third party tunneling service, you will need to expose a port in any case (you can setup port-knocking if you want to).
IsoKiero
in reply to The 8232 Project • • •So, you want a box which you can connect to any network around and then use some other device to connect to your raspberry box which redirects your traffic trough your home connection to the internet?
The easiest (at least for me) would be to create VPN server on your home network. Have a dyndns setup on your home network to reach it in the first place, open/redirect a port for openvpn (or whatever you like) and have a client on raspberry running on it. After that you can connect your other device to the raspberry box (via wifi or ethernet) and create ip-forwarding/NAT rules for your traffic so that everything goes to the raspberry box, then to your home server via VPN tunnel and from there to the internet.
You can use any HTTP proxy with this, or just let the network do it's thing and tunnel everything via your home connection, but in either case the internet would only see your encrypted VPN traffic to your home network and everything else is originated from your home connection.
You can replace VPN with just HTTP proxy, but both are pretty close the same on th
... show moreSo, you want a box which you can connect to any network around and then use some other device to connect to your raspberry box which redirects your traffic trough your home connection to the internet?
The easiest (at least for me) would be to create VPN server on your home network. Have a dyndns setup on your home network to reach it in the first place, open/redirect a port for openvpn (or whatever you like) and have a client on raspberry running on it. After that you can connect your other device to the raspberry box (via wifi or ethernet) and create ip-forwarding/NAT rules for your traffic so that everything goes to the raspberry box, then to your home server via VPN tunnel and from there to the internet.
You can use any HTTP proxy with this, or just let the network do it's thing and tunnel everything via your home connection, but in either case the internet would only see your encrypted VPN traffic to your home network and everything else is originated from your home connection.
You can replace VPN with just HTTP proxy, but both are pretty close the same on the terms of 'cost', so your network latency, bandwidth and other stuff doesn't really change regardless of the approach. But if you just want the HTTP proxy you can forward a port on your home network for the proxy and just use that on your devices without raspberry box and achieve the very same end result without extra hardware.
And obviously, if you go with VPN tunneling for everything, you don't need raspberry for that either, just a VPN client which connects to your home network and that's it. The case where you have devices which can't use VPN directly would benefit from the raspbery box, but if you already can set up a HTTP proxy for the thing you're actually using, I don't see the benefit of running a separate hardware for anything.
Some port forwarding or opening ports from firewall is needed on any scenario. But there's a ton of options to limit access from anyone accessing your stuff. However, this goes way beyond the scope of your question and more details are necessary on what you're actually trying to achieve with setup like this.
The 8232 Project
in reply to IsoKiero • • •I think you may have misunderstood. I'll try to clarify a bit:
I have a Raspberry Pi, which I'll connect to, say, a friend's network called "FriendNet"
I have a computer at home (which I'll just call my "home computer") connected to my home network called "HomeNet"
I also have a server connected to HomeNet, which is always active. Let's call it my "home server"
I would like to proxy my home computer's connection through the Raspberry Pi, so that my IP address will show up as the public IP address for FriendNet (i.e. tunneling my connection through FriendNet using the Raspberry Pi).
The Raspberry Pi will automatically send the proxy details to my home server, so that I can get the network details of the Raspberry Pi to connect my home computer to it without needing to figure it out manually. That would probably be achieved with
... show moreI think you may have misunderstood. I'll try to clarify a bit:
I have a Raspberry Pi, which I'll connect to, say, a friend's network called "FriendNet"
I have a computer at home (which I'll just call my "home computer") connected to my home network called "HomeNet"
I also have a server connected to HomeNet, which is always active. Let's call it my "home server"
I would like to proxy my home computer's connection through the Raspberry Pi, so that my IP address will show up as the public IP address for FriendNet (i.e. tunneling my connection through FriendNet using the Raspberry Pi).
The Raspberry Pi will automatically send the proxy details to my home server, so that I can get the network details of the Raspberry Pi to connect my home computer to it without needing to figure it out manually. That would probably be achieved with a basic Python script.
I'm not trying to setup a home VPN server, but rather use an external network as a non-permanent proxy.
IsoKiero
in reply to The 8232 Project • • •So, you want the traffic to go other way around. Traffic from the HomeNet should go to the internet via FriendNet, right? In that case, if you want the raspberry box to act as a proxy (or vpn) server, you need to forward relevant ports on the FriendNet to your raspberry pi so that your HomeComputer can connect to the raspberry box.
Or you can set up a VPN and route traffic trough that to the other way. Tunnels work both ways, so it's possible to set up a route/http proxy/whatever trough the VPN tunnel to the internet, even if the raspberry box is the client from VPN server point of view.
I don't immediately see the benefit of tunneling your traffic trough the FriendNet to the internet, unless you're trying to bypass some IP block of something other potentially malicious or at least something being on the gray area. But anyways, you need a method for your proxy client to connect to the proxy server. And in generic consumer space, that needs firewall rules and/or port forwarding (altough both are firewall rules, strictly speaking) so that your proxy server on raspberry b
... show moreSo, you want the traffic to go other way around. Traffic from the HomeNet should go to the internet via FriendNet, right? In that case, if you want the raspberry box to act as a proxy (or vpn) server, you need to forward relevant ports on the FriendNet to your raspberry pi so that your HomeComputer can connect to the raspberry box.
Or you can set up a VPN and route traffic trough that to the other way. Tunnels work both ways, so it's possible to set up a route/http proxy/whatever trough the VPN tunnel to the internet, even if the raspberry box is the client from VPN server point of view.
I don't immediately see the benefit of tunneling your traffic trough the FriendNet to the internet, unless you're trying to bypass some IP block of something other potentially malicious or at least something being on the gray area. But anyways, you need a method for your proxy client to connect to the proxy server. And in generic consumer space, that needs firewall rules and/or port forwarding (altough both are firewall rules, strictly speaking) so that your proxy server on raspberry box is visible to the internet in the first place.
Once your proxy server is visible to the internet it's just a matter of writing up few scripts for the server box to send a message to the client end that my public IP is <a.b.c.d> and change proxy client configuration accordingly, but you still need some kind of setup for the HomeNet to receive that, likely a dynds-service and maybe some port forwarding.
Again, I personally would set up something like that with a VPN tunnel from raspberry box to the HomeServer, but as I don't really undestand what you're going after with setup like this it's impossible to suggest anything else.
The 8232 Project
in reply to IsoKiero • • •That is what I would like to achieve, yes. Since I want to avoid setting up port forwarding on FriendNet, I would need to configure port forwarding on HomeNet. The Raspberry Pi would have to act a client, and either the home server or the home computer would act as the server, and the Raspberry Pi would proxy traffic from the server to the internet.
I can't think of how it would work in practice, though. I'm assuming in this case the home server would act as a proxy between the home computer and the Raspberry Pi, and the Raspberry Pi would act as a proxy between the home server and the internet. Unless there's an easier way that would remove the home server entirely, that might be the best way to do it.
Oisteink
in reply to IsoKiero • • •To me it seems like he wants to be able to «bring along» his homenet services without exposing them on the internet.
Tip for OP is to explain wanted outcome, not process to get there. Its hard to do, but gives better results
The 8232 Project
in reply to Oisteink • • •Besides being able to learn about all of this, this would be the ideal outcome:
- Send the Raspberry Pi to a friend who knows about this
- Have the friend plug in the Raspberry Pi to his Ethernet
- Use the friend's network as a VPN/proxy/whatever to obscure my home IP address
I wouldn't want to make the friend set up port forwarding or configure the Raspberry Pi himself, I want to do as much as I can on my own. And, if that friend ever relocates his residence or changes his ISP, setting it up again should be as easy as him plugging in the Raspberry Pi to the new network and I reconfigure it from my end.
Oisteink
in reply to The 8232 Project • • •Then an exit node is what you want. You can set up with vpn like wireguard using port forward on your side. The raspberry would connect using static ip or dynamic dns.
You can get tailscale basic tier for free, and that will provide an easy to use solution
Oisteink
in reply to Oisteink • • •IsoKiero
in reply to The 8232 Project • • •And then your friend is responsible for your actions on the internet. The end goal you described is so vague that at least I wouldn't let your raspberry connect on my network.
There's a ton of VPN services which give you the end result you want without potential liability or other issues for your friend. If you just want to tinker, this thread has quite a bit of information to get you started.
emeralddawn45
in reply to IsoKiero • • •just_another_person
in reply to The 8232 Project • • •You're just describing a dozen different things that fit this mold, so let me throw some out there and you can decide what does what you want:
These all do what you want if you're taking the steps to automate pointing to them from whatever your destination endpoint might be. So then you're basically NOT using a VPN, and only a proxy.
Honestly, I'd just install OpenWRT on the Pi and try out different plugins to find what does what you want. You can honestly simplify this all by using Dynamic DNS in the first place to just have a predictable hostname.
Evil_incarnate
in reply to The 8232 Project • • •The 8232 Project
in reply to Evil_incarnate • • •Sarah Brown
in reply to The 8232 Project • •Selfhosted reshared this.
kaedon
in reply to Sarah Brown • • •GitHub - juanfont/headscale: An open source, self-hosted implementation of the Tailscale control server
GitHubshadejinx
in reply to The 8232 Project • • •The answer is an SSH reverse tunnel. Have privoxy running in the rPi listening on localhost. Have it then connect to your home server via SSH with reverse tunnels enabled, tunneling the privoxy port. On your home server you run another instance of Privoxy that’s listening in your home network and proxy forwarding over the tunnel and you’re done.
I used to use this setup for pen testing.
psmgx
in reply to shadejinx • • •Used to. Why no longer?
shadejinx
in reply to psmgx • • •friend_of_satan
in reply to The 8232 Project • • •This would be easy with
ssh -D 8000 remotehost. I actually do exactly this every day, but not from a Pi, and with a bunch of-Lforwards too.Configure your browser to use 127.0.0.1:8000 as a socks 5 proxy and voila.
Bonus points for having a proxy.pac file with more advanced proxy configuration logic.
Also check out sshuttle.
Proxy Auto-Configuration (PAC) file - HTTP | MDN
MDN Web DocsGreenKnight23
in reply to The 8232 Project • • •sounds like you want a rpi-zero Ethernet gadget.
I made one years ago that pretended to be an Ethernet adapter as soon as you plugged it into your USB port.
it would boot, connect to WiFi, then connect to VPN, and the laptop it was plugged into would then use that as the primary network source as if it was connected to a lan.
downsides:
but it does work in a pinch.
I think RPI A and B were gadget capable but they dropped support after rpi2 was released.
don't forget you're going to need to setup the proper routing tables and install a DHCP server(maybe...might be able to do static routing but I found it easier to just install dnsmasq).
oldfart
in reply to The 8232 Project • • •You will have 2 pieces of the puzle.
You connect using the NAT traversal solution of your choice to the raspberry pi, and you forward proxy port from raspberry to a local port. You configure your browser to use localhost as a proxy.