How to set up a transparent gateway

How to configure a transparent gateway on a Raspberry Pi

The two traditional transparent proxy setups, acting as an access point ("to be AP") and acting as a gateway ("to be Gateway"), perform about the same. Their value shows when a device has no proxy software installed, or none that is compatible with it: a well-configured transparent AP or gateway on an embedded device lets that device reach the outside world anyway. Here is the procedure.

Before we get started, here are the tools I use and recommend:

  • Raspberry Pi 3B
  • Reliable cables
  • Reliable power source
  • A computer

Install dependencies

Open two dokodemo-door inbounds

One redirects the intercepted requests, the other handles DNS queries. Dokodemo-door is a very convenient v2ray feature that forwards your traffic to the destination you want to visit through your foreign server running v2ray. Without it you would need redsocks to receive the redirected traffic and convert it from HTTP to SOCKS so that the proxy software could handle the requests; dokodemo-door combines those two parts into one, which means you don't have to care about protocol conversion, and the only thing you need to write is the iptables rules. For more about dokodemo-door, see the v2ray documentation.

Add the two inbound blocks below to your config.json. The first one is the transparent proxy: it listens on port 1111, which is where iptables will redirect the traffic that should go abroad.

The second one listens on port 5353 of localhost and handles the DNS queries sent by dnsmasq; it is just as important.

{
    "domainOverride": ["http", "tls"],
    "protocol": "dokodemo-door",
    "port": 1111,
    "settings": {
        "network": "tcp,udp",
        "timeout": 30,
        "followRedirect": true
    }
},
{
    "protocol": "dokodemo-door",
    "port": 5353,
    "listen": "127.0.0.1",
    "settings": {
        "port": 53,
        "address": "8.8.8.8",
        "network": "udp",
        "timeout": 0,
        "followRedirect": false
    }
}

Install dnsmasq

dnsmasq is a small DNS forwarder that you manage yourself and that can prevent DNS pollution; it is widely recommended by professionals.

Type the two commands below to install dnsmasq.

sudo apt install dnsmasq
mkdir -p /etc/dnsmasq.d

Append the line conf-dir=/etc/dnsmasq.d to the end of the dnsmasq configuration file /etc/dnsmasq.conf; this adds a directory that holds the rules for the domains that must be resolved through Google's public DNS.

# append the line (tee -a is used because the file is owned by root)
echo 'conf-dir=/etc/dnsmasq.d' | sudo tee -a /etc/dnsmasq.conf

Configure query rules

gfwlist2dnsmasq is a tool that converts gfwlist into a dnsmasq configuration file. Install and run it as follows.

git clone https://github.com/cokebar/gfwlist2dnsmasq.git
cd gfwlist2dnsmasq
chmod +x gfwlist2dnsmasq.sh
./gfwlist2dnsmasq.sh -o gfwlist.conf -s gfwlist
cp gfwlist.conf /etc/dnsmasq.d/

This makes every domain on gfwlist be queried at 127.0.0.1:5353, which is the same as querying 8.8.8.8 directly and so prevents wrong results. The -s gfwlist option also tells dnsmasq to add the resolved addresses to an ipset named gfwlist, which is the set the blacklist mode below matches against.

Install ipset

IP sets are a framework inside the Linux kernel, which can be administered by the ipset utility. Depending on the type, an IP set may store IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, interface names or combinations of them in a way, which ensures lightning speed when matching an entry against a set.

apt-get install ipset -y

Set blacklist

The blacklist is the so-called gfwlist, a list maintained by volunteers of websites blocked in China.

ipset create gfwlist hash:ip

Set whitelist

The whitelist contains all the IP address blocks allocated to China.

ipset create chnroute hash:net maxelem 65536
curl 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | grep ipv4 | grep CN | awk -F\| '{ printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > chnroute.txt
# a few entries can be added by hand, e.g. the first ones from chnroute.txt:
ipset add chnroute 1.0.1.0/24
ipset add chnroute 1.0.2.0/23
ipset add chnroute 1.0.8.0/21
ipset add chnroute 1.0.32.0/19
ipset add chnroute 1.1.0.0/24
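The awk one-liner above computes the prefix length as 32-log2(count) and truncates it, so an APNIC record whose address count is not a power of two (they exist, e.g. 768) becomes one oversized block that also whitelists addresses outside China. The script below is an added example, not part of the original post: it parses constructed records in the delegated-apnic-latest format and splits such ranges into exact, aligned CIDR blocks.

```shell
#!/bin/sh
# Added example, not from the original post: turn APNIC "delegated" records
# for CN IPv4 into exact CIDR blocks. The awk one-liner above rounds a count
# that is not a power of two (e.g. 768) to a single, oversized prefix; this
# version splits such ranges into several aligned blocks instead.

ip2int() {  # dotted quad -> integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {  # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Emit the CIDR blocks covering $2 addresses starting at $1, one per line.
range_to_cidr() {
    start=$(ip2int "$1"); count=$2
    while [ "$count" -gt 0 ]; do
        size=1; prefix=32
        # grow the block while it still fits in count and stays aligned to start
        while [ $(( size * 2 )) -le "$count" ] && [ $(( start % (size * 2) )) -eq 0 ]; do
            size=$(( size * 2 )); prefix=$(( prefix - 1 ))
        done
        echo "$(int2ip "$start")/$prefix"
        start=$(( start + size )); count=$(( count - size ))
    done
}

# Read delegated-apnic-latest lines on stdin, keep CN IPv4 allocations, emit CIDRs.
apnic_cn_to_cidr() {
    while IFS='|' read -r reg cc type net cnt _rest; do
        [ "$reg" = "apnic" ] && [ "$cc" = "CN" ] && [ "$type" = "ipv4" ] || continue
        range_to_cidr "$net" "$cnt"
    done
}

# Constructed sample records in the file's format (not real data); 768 is not a power of two.
SAMPLE='apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
apnic|CN|ipv4|1.1.8.0|768|20110414|allocated'

# With the real file: curl -s http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest | apnic_cn_to_cidr > chnroute.txt
printf '%s\n' "$SAMPLE" | apnic_cn_to_cidr
```

The 768-address record comes out as 1.1.8.0/23 plus 1.1.10.0/24, whereas the awk version would emit 1.1.8.0/22 and cover 256 addresses that were never allocated to CN.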

Then write a shell script that imports the addresses from chnroute.txt into the chnroute set.

vim set-ipset.sh

Paste the following into set-ipset.sh:

#!/bin/bash
# import every block from chnroute.txt into the chnroute set;
# -exist keeps the script going when an entry was already added by hand
for ip in $(cat '/root/chnroute.txt'); do
    ipset add -exist chnroute "$ip"
done

Then run:

chmod +x set-ipset.sh
./set-ipset.sh

Ready to run

Now for the last step, where you have two choices. The first is blacklist mode, in which the gateway matches the blocked IP addresses and visits them through the proxy automatically. The second is whitelist mode, which is often smoother than the former: traffic to China IP addresses returns to the default route, and once a non-China IP address is matched, traffic to it is driven to the proxy port.

  • WARNING: YOU CAN ONLY CHOOSE ONE OF THE TWO OPTIONS!

OPTION 1: Running as blacklist mode

iptables -t nat -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1111
iptables -t nat -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-port 1111

OPTION 2: Running as whitelist mode

iptables -t nat -A PREROUTING -p udp --dport 53 -j RETURN
iptables -t nat -A PREROUTING -p tcp -m set ! --match-set chnroute dst -j REDIRECT --to-port 1111
iptables -t nat -A OUTPUT -p udp --dport 53 -j RETURN
# replace <your proxy server IP> with the address of your own foreign server
iptables -t nat -A OUTPUT -p tcp -d <your proxy server IP> -j RETURN
iptables -t nat -A OUTPUT -p tcp -m set ! --match-set chnroute dst -j REDIRECT --to-port 1111

Check and flush the iptables settings

To check the current iptables NAT rules, run

iptables -t nat -L

If you got the iptables rules wrong, just type this to flush them.

iptables -t nat -F

Backup and restore ipsets and iptables

ipset and iptables rules are lost at reboot by default. If you want them restored after every reboot, do the following:

  • backup

    iptables-save > /etc/iptables-backup
    ipset save > /etc/ipset-backup
  • restore
    You must restore ipset after reboot, and before iptables, because the NAT rules refer to the sets.

    ipset restore < /etc/ipset-backup
    iptables-restore < /etc/iptables-backup
  • All done

Change the gateway address and DNS address on your client to your embedded device's IP address and you are good to go!

Extra Settings if needed

Set a static IP address for gateway

If you want a static IP address for the Pi, edit /etc/dhcpcd.conf, append the following lines and save.

interface eth0
static ip_address=192.168.1.100/24
static routers=192.168.1.1
static domain_name_servers=192.168.1.1
  • The IP address, router and DNS server must match your local network settings; do not copy and paste them blindly.

Set the default gateway and DNS of your main router

If you want devices to be proxied automatically as soon as they connect to the router, you may need some extra settings on your main router.

Go to your router's control panel (192.168.1.1 by default), find the DHCP settings, set the gateway to your Pi's IP address and set the DNS to your Pi's address too. Save and quit.

  • Then you have an automatic transparent gateway: whenever you connect to the Wi-Fi, you can reach the world without any extra settings.
