Using mitmproxy for all HTTP/HTTPS traffic coming from an ipsec vpn server


#1

Background: I want to use mitmproxy with my iPhone while on 3G. In iOS you can only use a proxy for WiFi connections and not while using mobile data. So instead I can use a VPN server that needs to forward its request through mitmproxy.

I want to create a VPN server that automatically forwards all outgoing HTTP/HTTPS requests to mitmproxy, however I have failed creating an iptables configuration that works.

To do this I’ve used docker-compose with the hwdsl2/ipsec-vpn-server and mitmproxy/mitmproxy images.

I have added the following iptables config to ipsec-vpn-server (where HOST will be the local ip address of the mitmproxy server)

HOST=$(host -4 mitmproxy | head -1 | awk '{ print $4 }')
iptables -t nat -A PREROUTING -i eth+ -p tcp --destination-port 80 -j DNAT --to-destination $HOST:8080
iptables -t nat -A PREROUTING -i eth+ -p tcp --destination-port 443 -j DNAT --to-destination $HOST:8080

and I run mitmdump using mitmdump -T --host.

However when I connect my iPhone to the VPN I just get an endless stream of output from mitmdump saying

172.18.0.2:49801: clientconnect

How do I fix this so that mitmproxy actually works?

The full configuration I’ve used is at: https://gist.github.com/Tyilo/03889ddc651fcf96e1208b65bfc7aa7f

Here is a diagram of what I want to achieve:

       +----------------------+
       |                      |
       |       iPhone         |
       |                      |
       +-----------+----------+
                   |
                   |
+--------------------------------------+
|      +-----------v----------+        |
|      |                      |        |
|      |        VPN server    +-----+  |
|      |                      |     |  |
|      +----------------------+     |  |
|                 |HTTP/HTTPS       |  | My server
|                 |                 |  |
|      +----------v-----------+     |  |
|      |                      |     |  |
|      |      mitmproxy       |     |  |
|      |                      |     |  |
|      +----------------------+     |  |
+--------------------------------------+
                  |                 |
                  |                 |non-HTTP/HTTPS traffic
                  |                 |
        +---------v-----------+     |
        |                     |     |
        |      Internet       +^----+
        |                     |
        +---------------------+

#2

Hi,

You’re running into the first issue described at http://docs.mitmproxy.org/en/stable/modes.html#transparent-proxy - don’t DNAT before sending your data to the mitmproxy instance. :slight_smile:


#3

How do I do this without DNAT?


#4

Did you get this successfully setup? I’m looking to do the same thing (though I’ve been playing with OpenVPN).


#5

Maybe try to put vpn server and mitmproxy in the same machine and use REDIRECT instead of DNAT