Using mitmproxy for all HTTP/HTTPS traffic coming from an ipsec vpn server


#1

Background: I want to use mitmproxy with my iPhone while on 3G. In iOS you can only use a proxy for WiFi connections and not while using mobile data. So instead I can use a VPN server that needs to forward its request through mitmproxy.

I want to create a VPN server that automatically forwards all outgoing HTTP/HTTPS requests to mitmproxy, however I have failed creating an iptables configuration that works.

To do this I’ve used docker-compose with the hwdsl2/ipsec-vpn-server and mitmproxy/mitmproxy images.

I have added the following iptables config to ipsec-vpn-server (where HOST will be the local ip address of the mitmproxy server)

HOST=$(host -4 mitmproxy | head -1 | awk '{ print $4 }')
iptables -t nat -A PREROUTING -i eth+ -p tcp --destination-port 80 -j DNAT --to-destination $HOST:8080
iptables -t nat -A PREROUTING -i eth+ -p tcp --destination-port 443 -j DNAT --to-destination $HOST:8080

and I run mitmdump using mitmdump -T --host.

However when I connect my iPhone to the VPN I just get an endless stream of output from mitmdump saying

172.18.0.2:49801: clientconnect

How do I fix this so that mitmproxy actually works?

The full configuration I’ve used is at: https://gist.github.com/Tyilo/03889ddc651fcf96e1208b65bfc7aa7f

Here is a diagram of what I want to achieve:

       +----------------------+
       |                      |
       |       iPhone         |
       |                      |
       +-----------+----------+
                   |
                   |
+--------------------------------------+
|      +-----------v----------+        |
|      |                      |        |
|      |        VPN server    +-----+  |
|      |                      |     |  |
|      +----------------------+     |  |
|                 |HTTP/HTTPS       |  | My server
|                 |                 |  |
|      +----------v-----------+     |  |
|      |                      |     |  |
|      |      mitmproxy       |     |  |
|      |                      |     |  |
|      +----------------------+     |  |
+--------------------------------------+
                  |                 |
                  |                 |non-HTTP/HTTPS traffic
                  |                 |
        +---------v-----------+     |
        |                     |     |
        |      Internet       +^----+
        |                     |
        +---------------------+

#2

Hi,

You’re running into the first issue described at http://docs.mitmproxy.org/en/stable/modes.html#transparent-proxy - don’t DNAT before sending your data to the mitmproxy instance. :slight_smile:


#3

How do I do this without DNAT?


#4

Did you get this successfully setup? I’m looking to do the same thing (though I’ve been playing with OpenVPN).


#5

Maybe try to put vpn server and mitmproxy in the same machine and use REDIRECT instead of DNAT


#6

Hi,

if you set up your iPhone in supervision mode then you can set Global HTTP Proxy in profile for your iPhone using Apple Configurator 2. Then this proxy is used while 3G as well as while WiFi.
Only problem is when you use mitmprox with --proxyauth logn:pass then HTTPS communication doesn’t work. :frowning: