Proxies and Tor
Make an interface route only certain websites
This makes the browser use a specific interface only for specific URLs. I use it with USB phone tethering, that's why many things are called that way. But it should work with any interface.
How it works: The default route of the interface is within an own ip table that only gets entered for requests bound to the IP of that interface. Locally running tinyproxy binds to that one. Then the browser decides via proxyconfig.pac for what URL to use that proxy.
1. Create connection in Network Manager
...with the name DHCP as Proxy
a) per cli
| nmcli con add type ethernet ipv6.method disabled ipv4.never-default true connection.zone public 802-3-ethernet.auto-negotiate true con-name "DHCP as Proxy"
|
Edit to whatever you need, i.e. you might not need connection.zone, which is the firewall zone.
b) or per GUI:
- Create connection in NetworkManager called
DHCP as Proxy
- set to DHCP IPv4, disable IPv6
- disable setting the default route (IPv4 → Routes → [X] Use only for Resources of this connection)
2. Install tinyproxy
/etc/tinyproxy/tinyproxy.conf
| [...]
Port 8888
Listen 127.0.0.1
# Bind will be overwritten by nm dispatch script
# just make sure it's uncommented, doesn't matter what IP it is
Bind 192.168.143.191
[...]
|
3. Add routing table
/etc/iproute2/rt_tables
4. Add Network Manager dispatch script
This script will run whenever a connection gets established, set the routes correctly, bind tinyproxy to its IP and start it.
/etc/NetworkManager/dispatcher.d/tether_toggle.sh
| #!/bin/sh
#
# Make sure table phone is defined in /etc/iproute2/rt_tables
# with priority 2
PHONE_CON_ID="DHCP as Proxy"
TINYPROXY_CONFIG="/etc/tinyproxy/tinyproxy.conf"
if [ "${CONNECTION_ID}" = "${PHONE_CON_ID}" ]; then
case "${2}" in
up)
# getting connection paramters:
[ "${DEVICE_IP_IFACE}" ] || DEVICE_IP_IFACE=`ls /sys/bus/usb/drivers/rndis_host/*.0/net 2> /dev/null`
[ "${DHCP4_ROUTERS}" ] || DHCP4_ROUTERS=`ip -4 route show table all default dev "${DEVICE_IP_IFACE}" | sed 's/.*via \([^ ]*\).*/\1/g'`
[ "${DHCP4_IP_ADDRESS}" ] || DHCP4_IP_ADDRESS=`ip -4 addr show dev "${DEVICE_IP_IFACE}" | grep inet | sed 's/.*inet \([^\/]*\)\/.*/\1/'`
# create default route on phone table
ip route add default via "${DHCP4_ROUTERS}" table phone
# example rule for a custom IPs to route through
#ip route add "${EXTERNAL_IP}" via ${DHCP4_ROUTERS}
# traffic bound to DHCP4_IP_ADDRESS over phone
ip rule add from ${DHCP4_IP_ADDRESS} lookup phone prio 1000
# bind tinyproxy to DHCP4_IP_ADDRESS and start it
sed -i "s/Bind .*/Bind ${DHCP4_IP_ADDRESS}/" "${TINYPROXY_CONFIG}"
systemctl start tinyproxy
{
# make really sure that there is no general default route for device
sleep 3
CNT=0
while [ "$(ip -4 route show default dev ${DEVICE_IP_IFACE})" != "" ] && [ ${CNT} -lt 10 ]; do
CNT=$((CNT+1))
ip route del default dev "${DEVICE_IP_IFACE}"
sleep 1
done
} &
;;
down)
systemctl stop tinyproxy
;;
esac
fi
|
make it executable
| chmod +x /etc/NetworkManager/dispatcher.d/tether_toggle.sh
|
5. setup proxy autoconfig for browser
~/.config/proxyconfig.pac
| function FindProxyForURL(url, host) {
if (dnsDomainIs(host, "sys.4channel.org")
|| dnsDomainIs(host, "sys.4chan.org")
|| dnsDomainIs(host, "boards.4channel.org")
|| dnsDomainIs(host, "boards.4chan.org")
|| dnsDomainIs(host, "www.4channel.org")
|| dnsDomainIs(host, "www.4chan.org")
)
return "PROXY 127.0.0.1:8888; DIRECT";
if (dnsDomainIs(host, ".onion"))
return "SOCKS 127.0.0.1:9050";
return "DIRECT";
}
|
(note that 127.0.0.1:9050 is local running TOR here, if you use that, you will also want "network.http.referer.hideOnionSource": true in firefox)
Now set ~/.config/proxyconfig.pac as Automatic Proxy Configuration in whatever browser you need, like in firefox user.js:
| user_pref("network.proxy.autoconfig_url", "file:///home/username/.config/proxyconfig.pac");
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.proxy.type", 2);
|
or in chromium browsers by launching with the parameter:
| --proxy-pac-url='data:application/x-javascript-config;base64,'$(base64 -w0 ~/.config/proxyconfig.pac)
|
Script to enable / disable phone tethering on KDE
On enable, we send the phone to airplane mode for a temporary time, to reroll the IP. Disabling doesn't work on Android 13+ phones anymore. This uses kdialog as graphical selection window.
Install adb
| dnf install android-tools
|
~/.local/bin/tether
| #!/bin/sh
TEXT="Android USB Tethering"
IFACE=`ls /sys/bus/usb/drivers/rndis_host/*.0/net 2> /dev/null`
if [ "${IFACE}" ]; then
INPT=`kdialog --title "Tethering" --radiolist "${TEXT}" enable "Enabled" on disable "Disabled" off`
else
INPT=`kdialog --title "Tethering" --radiolist "${TEXT}" enable "Enabled" off disable "Disabled" on`
fi
[ "${?}" != 0 ] && exit
if [ "${INPT}" = "enable" ] && [ -z "${IFACE}" ]; then
# disable WIFI
echo "Disable WiFi on phone"
adb shell svc wifi disable
sleep 2
# airplane mode on/off to change IP
echo "Rolling new IP"
adb shell cmd connectivity airplane-mode enable
sleep 2
adb shell cmd connectivity airplane-mode disable
sleep 2
# adb over network, to keep phone accessible even during tethering
echo "Enabling adb on TCP"
adb tcpip 5555
sleep 2
# enable usb tethering
echo "Enabling USB Tethering"
adb shell svc usb setFunctions rndis
adb kill-server
elif [ "${INPT}" = "disable" ] && [ "${IFACE}" ]; then
PHONE_IP=`ip -4 route show table all default dev "${IFACE}" | sed 's/.*via \([^ ]*\).*/\1/g'`
if (( $(grep -c . <<<"${PHONE_IP}") > 1 )); then
PHONE_IP="[`grep : <<<"${PHONE_IP}"`%${IFACE}]:5555"
fi
echo "Phone IP: ${PHONE_IP}"
if [ "${PHONE_IP}" ]; then
adb connect "${PHONE_IP}"
adb shell svc wifi enable
adb shell svc usb setFunctions mtp
adb disconnect
adb kill-server
fi
fi
exit ${?}
|
| chmod +x ~/.local/bin/tether
|