this post was submitted on 25 Dec 2024
30 points (96.9% liked)

Selfhosted


I'm looking to try some hands-on experience setting up proxies. However, the proxy I want to set up is a bit unique. My end goal is to be able to do the following:

  • Connect a Raspberry Pi to a network using Ethernet or Wi-Fi
  • Automatically have the Raspberry Pi (as soon as it is powered on and connected) send its own public IP address (and other relevant proxy information, where applicable) to a home server (and periodically retry sending this information if the server is down)
  • Be able to proxy my connection from a separate network through the Raspberry Pi (by simply entering in the IP address and port as a normal proxy) so that my public IP address will now show up as that of the network the Raspberry Pi is connected to

I want to avoid configuring port forwarding for networks the Raspberry Pi is connected to. I can configure port forwarding for the network my home server is connected to, but if possible I would like to avoid that as well (for convenience and security).

I also want to avoid using a third party service (e.g. Linode) to manage the proxy for me. I want the Raspberry Pi to do all the work here, ideally using open source software such as Privoxy or Squid. I want this to be an HTTP proxy. If possible, I would like to encrypt the proxy connection.

I'm not sure if any of this would be possible without port forwarding. Maybe some sort of reverse proxy would help with this. I understand how a proxy such as this could have the potential for misuse, as do most things. I'm making this post for educational purposes only, so that I can better my understanding of proxies and network security.

Any guides or videos on how to set this up are greatly appreciated. I found a few, but none quite capture what I'm describing here. Most don't talk about using this across separate networks, only local networks.

Thank you!

top 24 comments
[–] oldfart@lemm.ee 1 points 3 minutes ago

You will have 2 pieces of the puzzle.

  1. Is the proxy, you can use tinyproxy or ssh -D

  2. Is the NAT traversal/p2p connection. You can use Tor hidden service, tuntox or reverse SSH for that. The first two work when both ends are behind NAT.

You connect using the NAT traversal solution of your choice to the raspberry pi, and you forward proxy port from raspberry to a local port. You configure your browser to use localhost as a proxy.

[–] GreenKnight23@lemmy.world 3 points 13 hours ago

sounds like you want a rpi-zero Ethernet gadget.

I made one years ago that pretended to be an Ethernet adapter as soon as you plugged it into your USB port.

it would boot, connect to WiFi, then connect to VPN, and the laptop it was plugged into would then use that as the primary network source as if it was connected to a lan.

downsides:

  • WiFi sucks and I only saw ~ 250mb connections
  • USB is slow capped at 450mb

but it does work in a pinch.

I think RPI A and B were gadget capable but they dropped support after rpi2 was released.

don't forget you're going to need to set up the proper routing tables and install a DHCP server (maybe... might be able to do static routing but I found it easier to just install dnsmasq).

[–] shadejinx@lemmy.world 9 points 17 hours ago (1 children)

The answer is an SSH reverse tunnel. Have privoxy running in the rPi listening on localhost. Have it then connect to your home server via SSH with reverse tunnels enabled, tunneling the privoxy port. On your home server you run another instance of Privoxy that’s listening in your home network and proxy forwarding over the tunnel and you’re done.

I used to use this setup for pen testing.

[–] psmgx@lemmy.world 4 points 16 hours ago (1 children)

> I used to use this setup for pen testing

Used to. Why no longer?

[–] shadejinx@lemmy.world 5 points 15 hours ago

I don't do that for a living anymore

[–] goatsarah@thegoatery.dyndns.org 5 points 18 hours ago (1 children)

@Charger8232 Feels like an OpenWRT installation running Tailscale could do this unless I massively misunderstand what you’re trying to do.

[–] kaedon@slrpnk.net 2 points 14 hours ago

Yeah, I think tailscale is the way to go. You can also self-host the coordination server if you don't want to use any third party services.

[–] Prunebutt@slrpnk.net 7 points 20 hours ago* (last edited 20 hours ago) (2 children)

Without having too much knowledge in proxies: Especially since NATs are so widespread, I think you'd need something like tailscale/Nebula/ZeroTier (or simply some Wireguard connection) for this.

[–] pedroapero@lemmy.ml 1 points 1 hour ago* (last edited 1 hour ago)

Agree on Wireguard. It is faster, more stable and most likely more secure than SSH. And it will work with any application (no per-application configuration required). Without a third party tunneling service, you will need to expose a port in any case (you can set up port-knocking if you want to).

[–] Oisteink@feddit.nl 2 points 18 hours ago* (last edited 18 hours ago)

A service like tailscale will solve the connection to your home net automagically. You are however stuck without routing from friend-net so you can't access homenet devices directly.

You can solve this by setting up a reverse proxy like caddy on your raspi, and access home-net web-apps and services through that. Like [assigned-friendnet-ipaddress]:8444 or similar. The reverse proxy would forward this to homenet devices through the tailscale vpn

[–] friend_of_satan@lemmy.world 3 points 16 hours ago* (last edited 16 hours ago)

This would be easy with ssh -D 8000 remotehost. I actually do exactly this every day, but not from a Pi, and with a bunch of -L forwards too.

Configure your browser to use 127.0.0.1:8000 as a socks 5 proxy and voila.

Bonus points for having a proxy.pac file with more advanced proxy configuration logic.

Also check out sshuttle.
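
A proxy.pac of the kind mentioned in the comment above, as an added example that is not part of the original comment: it sends public destinations through the ssh -D 8000 SOCKS listener and keeps local-network hosts direct. The local suffixes (.local, .lan, .home.arpa) are assumptions, and it uses plain ES5 JavaScript instead of the browser's PAC helper functions so it also runs outside a browser.

```javascript
// Added example PAC file for the "ssh -D 8000 remotehost" tunnel.
// Browsers call FindProxyForURL(url, host) once per request.
var TUNNEL = "SOCKS5 127.0.0.1:8000"; // listener address from the comment

// True for literal IPv4 addresses in loopback, RFC 1918 or link-local space.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return false; // not a valid dotted quad
  }
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

function FindProxyForURL(url, host) {
  // Normalise: lower-case, and drop the brackets around IPv6 literals.
  host = host.toLowerCase().replace(/^\[|\]$/g, "");

  // IPv6 literal: only loopback stays local, everything else is tunnelled.
  if (host.indexOf(":") !== -1) {
    return host === "::1" ? "DIRECT" : TUNNEL;
  }

  // Single-label names and assumed local suffixes only resolve on the LAN,
  // so sending them to the far end of the tunnel would just fail.
  var localName = host.indexOf(".") === -1 ||
    /\.(local|lan|home\.arpa)$/.test(host);
  if (localName || isPrivateIPv4(host)) return "DIRECT";

  // No "; DIRECT" fallback: if the tunnel is down the request fails
  // instead of silently leaving through the local connection.
  return TUNNEL;
}
```
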

[–] just_another_person@lemmy.world 3 points 20 hours ago* (last edited 18 hours ago)

You're just describing a dozen different things that fit this mold, so let me throw some out there and you can decide what does what you want:

  • SOCKS
  • STUN
  • Haproxy
  • Reverse Proxy

These all do what you want if you're taking the steps to automate pointing to them from whatever your destination endpoint might be. So then you're basically NOT using a VPN, and only a proxy.

Honestly, I'd just install OpenWRT on the Pi and try out different plugins to find what does what you want. You can honestly simplify this all by using Dynamic DNS in the first place to just have a predictable hostname.

[–] Evil_incarnate@lemm.ee 2 points 19 hours ago (1 children)

Commenting because I want to do something like this too.

[–] Charger8232@lemmy.ml 2 points 19 hours ago

I'll let you know if I figure it out! I don't know much about proxies, but I'm still willing to try

[–] IsoKiero@sopuli.xyz 1 points 20 hours ago (1 children)

So, you want a box which you can connect to any network around and then use some other device to connect to your raspberry box which redirects your traffic through your home connection to the internet?

The easiest (at least for me) would be to create VPN server on your home network. Have a dyndns setup on your home network to reach it in the first place, open/redirect a port for openvpn (or whatever you like) and have a client on raspberry running on it. After that you can connect your other device to the raspberry box (via wifi or ethernet) and create ip-forwarding/NAT rules for your traffic so that everything goes to the raspberry box, then to your home server via VPN tunnel and from there to the internet.

You can use any HTTP proxy with this, or just let the network do its thing and tunnel everything via your home connection, but in either case the internet would only see your encrypted VPN traffic to your home network and everything else is originated from your home connection.

You can replace VPN with just HTTP proxy, but both are pretty close the same on the terms of 'cost', so your network latency, bandwidth and other stuff doesn't really change regardless of the approach. But if you just want the HTTP proxy you can forward a port on your home network for the proxy and just use that on your devices without raspberry box and achieve the very same end result without extra hardware.

And obviously, if you go with VPN tunneling for everything, you don't need raspberry for that either, just a VPN client which connects to your home network and that's it. The case where you have devices which can't use VPN directly would benefit from the raspberry box, but if you already can set up a HTTP proxy for the thing you're actually using, I don't see the benefit of running a separate hardware for anything.

Some port forwarding or opening ports from firewall is needed on any scenario. But there's a ton of options to limit access from anyone accessing your stuff. However, this goes way beyond the scope of your question and more details are necessary on what you're actually trying to achieve with setup like this.

[–] Charger8232@lemmy.ml 1 points 19 hours ago (1 children)

> So, you want a box which you can connect to any network around and then use some other device to connect to your raspberry box which redirects your traffic through your home connection to the internet?

I think you may have misunderstood. I'll try to clarify a bit:

I have a Raspberry Pi, which I'll connect to, say, a friend's network called "FriendNet"

I have a computer at home (which I'll just call my "home computer") connected to my home network called "HomeNet"

I also have a server connected to HomeNet, which is always active. Let's call it my "home server"

I would like to proxy my home computer's connection through the Raspberry Pi, so that my IP address will show up as the public IP address for FriendNet (i.e. tunneling my connection through FriendNet using the Raspberry Pi).

The Raspberry Pi will automatically send the proxy details to my home server, so that I can get the network details of the Raspberry Pi to connect my home computer to it without needing to figure it out manually. That would probably be achieved with a basic Python script.

I'm not trying to set up a home VPN server, but rather use an external network as a non-permanent proxy.

[–] IsoKiero@sopuli.xyz 2 points 18 hours ago (2 children)

So, you want the traffic to go other way around. Traffic from the HomeNet should go to the internet via FriendNet, right? In that case, if you want the raspberry box to act as a proxy (or vpn) server, you need to forward relevant ports on the FriendNet to your raspberry pi so that your HomeComputer can connect to the raspberry box.

Or you can set up a VPN and route traffic through that to the other way. Tunnels work both ways, so it's possible to set up a route/http proxy/whatever through the VPN tunnel to the internet, even if the raspberry box is the client from VPN server point of view.

I don't immediately see the benefit of tunneling your traffic through the FriendNet to the internet, unless you're trying to bypass some IP block of something other potentially malicious or at least something being on the gray area. But anyways, you need a method for your proxy client to connect to the proxy server. And in generic consumer space, that needs firewall rules and/or port forwarding (although both are firewall rules, strictly speaking) so that your proxy server on raspberry box is visible to the internet in the first place.

Once your proxy server is visible to the internet it's just a matter of writing up few scripts for the server box to send a message to the client end that my public IP is <a.b.c.d> and change proxy client configuration accordingly, but you still need some kind of setup for the HomeNet to receive that, likely a dyndns-service and maybe some port forwarding.

Again, I personally would set up something like that with a VPN tunnel from raspberry box to the HomeServer, but as I don't really understand what you're going after with setup like this it's impossible to suggest anything else.

[–] Oisteink@feddit.nl 1 points 18 hours ago (1 children)

To me it seems like he wants to be able to «bring along» his homenet services without exposing them on the internet.

Tip for OP is to explain wanted outcome, not process to get there. It's hard to do, but gives better results

[–] Charger8232@lemmy.ml 2 points 18 hours ago* (last edited 18 hours ago) (2 children)

> Tip for OP is to explain wanted outcome, not process to get there. It's hard to do, but gives better results

Besides being able to learn about all of this, this would be the ideal outcome:

  • Send the Raspberry Pi to a friend who knows about this
  • Have the friend plug in the Raspberry Pi to his Ethernet
  • Use the friend's network as a VPN/proxy/whatever to obscure my home IP address

I wouldn't want to make the friend set up port forwarding or configure the Raspberry Pi himself, I want to do as much as I can on my own. And, if that friend ever relocates his residence or changes his ISP, setting it up again should be as easy as him plugging in the Raspberry Pi to the new network and I reconfigure it from my end.

[–] IsoKiero@sopuli.xyz 1 points 9 hours ago (1 children)

> Use the friend’s network as a VPN/proxy/whatever to obscure my home IP address

And then your friend is responsible for your actions on the internet. The end goal you described is so vague that at least I wouldn't let your raspberry connect on my network.

There's a ton of VPN services which give you the end result you want without potential liability or other issues for your friend. If you just want to tinker, this thread has quite a bit of information to get you started.

[–] emeralddawn45@discuss.tchncs.de 1 points 16 minutes ago

I have a feeling OP's "friends" won't necessarily even be aware he's connected the device to their network. It sounds to me like he wants something he can hide places to take advantage of unsecured or public networks without having to sit there with his laptop doing whatever shady shit he has planned.

[–] Oisteink@feddit.nl 1 points 17 hours ago (1 children)

Then an exit node is what you want. You can set up with vpn like wireguard using port forward on your side. The raspberry would connect using static ip or dynamic dns.

You can get tailscale basic tier for free, and that will provide an easy to use solution

[–] Oisteink@feddit.nl 1 points 17 hours ago

There is also headscale if you want self-hosted, but it's not plug and play like tailscale/zerotier and similar mesh-vpn solutions

[–] Charger8232@lemmy.ml 1 points 18 hours ago

> So, you want the traffic to go other way around. Traffic from the HomeNet should go to the internet via FriendNet, right?

That is what I would like to achieve, yes. Since I want to avoid setting up port forwarding on FriendNet, I would need to configure port forwarding on HomeNet. The Raspberry Pi would have to act as a client, and either the home server or the home computer would act as the server, and the Raspberry Pi would proxy traffic from the server to the internet.

I can't think of how it would work in practice, though. I'm assuming in this case the home server would act as a proxy between the home computer and the Raspberry Pi, and the Raspberry Pi would act as a proxy between the home server and the internet. Unless there's an easier way that would remove the home server entirely, that might be the best way to do it.