Traditional transparent proxy methods, running the device as an AP or as a gateway, perform almost the same. However, when there is no proxy software installed on your device, or the software isn't compatible with it, a well-configured transparent AP or gateway on an embedded device lets that device reach the outside world. Here is the procedure.
Before we get started, here are some tools I use and recommend:
- Raspberry Pi 3B
- Reliable cables
- Reliable power source
- A computer
one for redirecting requests, another for DNS queries. Dokodemo-door is a very convenient v2ray feature that sends your traffic to the sites you want to visit through your foreign server running v2ray. Normally you would need redsocks to receive the redirected traffic and convert it from HTTP to SOCKS before the proxy software could handle the requests. Dokodemo-door combines those two parts into one, so you don't have to care about protocol conversion; the only thing you need to do is write the iptables rules. For more about dokodemo-door, see its documentation.
Add two code blocks like the following to your config.json. The first one is the transparent proxy inbound; it listens on port 1111, which is where iptables will redirect your traffic so it can go abroad.
The second one listens on localhost port 5353 and handles the DNS queries sent by dnsmasq; it is just as important.
dnsmasq is a self-hosted DNS server that can prevent DNS pollution, and it is highly recommended by many professionals.
Type the two commands listed below to install dnsmasq.
Add the line conf-dir=/etc/dnsmasq.d to the end of the dnsmasq configuration file at /etc/dnsmasq.conf, to set a separate directory for the domains that need to be resolved via Google public DNS.
gfwlist2dnsmasq is a tool that converts gfwlist into a dnsmasq configuration file. Do the following to install it.
This makes the domains on gfwlist be resolved through 127.0.0.1:5353, which is the same as querying 18.104.22.168 directly, so it prevents getting wrong results.
IP sets are a framework inside the Linux kernel, which can be administered by the ipset utility. Depending on the type, an IP set may store IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, interface names or combinations of them in a way which ensures lightning speed when matching an entry against a set.
The blacklist is the so-called gfwlist, a list maintained by volunteers that includes websites blocked in China.
The whitelist includes all China IP address blocks.
Then write a shell script to import the IP address blocks from chnroute.txt into the chnroute set in ipset.
Paste these into set-ipset.sh.
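As an added example (not the post's own set-ipset.sh), a POSIX shell script that turns a chnroute.txt-style list of CIDR blocks into an `ipset restore` batch for the chnroute set; the file and set names come from the post, while the per-line validation (so one malformed line does not abort the whole import, and nothing unexpected is handed to a root-privileged tool) is the addition.

```shell
#!/bin/sh
# Added example: build an `ipset restore` batch from a chnroute.txt-style file.
# Assumptions: IPv4 CIDRs, one per line; '#' starts a comment; the set is
# named "chnroute" unless a second argument is given.

# Validate one IPv4 CIDR (a.b.c.d/n, octets 0-255, prefix length 0-32).
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; len=${1#*/}
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs   # split into octets
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Emit the restore batch for file $1 (default chnroute.txt) into set $2
# (default chnroute). Malformed entries are reported on stderr and skipped.
build_ipset_batch() {
  src=${1:-chnroute.txt}; setname=${2:-chnroute}
  # -exist makes the batch safe to re-run when the set already exists.
  echo "create $setname hash:net family inet -exist"
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                              # drop trailing comment
    line=$(printf '%s' "$line" | tr -d ' \t\r')   # drop whitespace / CR
    [ -n "$line" ] || continue
    if valid_cidr "$line"; then
      echo "add $setname $line -exist"
    else
      echo "skipping malformed entry: $line" >&2
    fi
  done < "$src"
}

# Usage: sh set-ipset.sh chnroute.txt | sudo ipset restore
if [ -n "${1:-}" ]; then
  build_ipset_batch "$1" "${2:-chnroute}"
fi
```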
Now for the last step, where you have two choices. One is blacklist mode, in which the gateway matches the blocked IP addresses and visits them via the proxy automatically. The other is whitelist mode, which is often smoother than the former: traffic to China IP addresses returns to the default route, and once a non-China IP address is matched, traffic to it is sent to the proxy port.
- WARNING: YOU CAN ONLY CHOOSE ONE OF THE TWO OPTIONS!
To check the current iptables settings, run
If you got the iptables rules wrong, just type these to flush them.
ipset and iptables rules are lost on reboot by default; if you want to restore them every time after a reboot, do the following.
Backup:

    iptables-save > /etc/iptables-backup
    ipset save > /etc/ipset-backup
You must restore them after every reboot (ipset first, because the iptables rules reference the chnroute set):

    ipset restore < /etc/ipset-backup
    iptables-restore < /etc/iptables-backup
Change the gateway address and DNS address to your embedded device's IP address and you are good to go!
If you want to set a static IP address for the Pi, edit /etc/dhcpcd.conf, append the following lines and save.
- The IP address, routers and DNS server must be set according to your local network settings; do not just copy and paste them.
If you want devices to be proxied automatically once they connect to the router, you may need to make some extra settings on your main router.
Go to the control panel of your router (192.168.1.1 by default), then find the DHCP settings, set the gateway to your Pi's IP address, and set the DNS to your Pi's address too. Save and quit.
- Then you will have an automatic transparent gateway: when you connect to the Wi-Fi, you will be able to reach the world without any extra settings.