Using mitmproxy for all HTTP/HTTPS traffic coming from an ipsec vpn server

1

Background: I want to use mitmproxy with my iPhone while on 3G. In iOS you can only use a proxy for WiFi connections and not while using mobile data. So instead I can use a VPN server that needs to forward its request through mitmproxy.

I want to create a VPN server that automatically forwards all outgoing HTTP/HTTPS requests to mitmproxy, however I have failed creating an iptables configuration that works.

To do this I’ve used docker-compose with the hwdsl2/ipsec-vpn-server and mitmproxy/mitmproxy images.

I have added the following iptables config to ipsec-vpn-server (where HOST will be the local ip address of the mitmproxy server)

HOST=$(host -4 mitmproxy | head -1 | awk '{ print $4 }')
iptables -t nat -A PREROUTING -i eth+ -p tcp --destination-port 80 -j DNAT --to-destination $HOST:8080
iptables -t nat -A PREROUTING -i eth+ -p tcp --destination-port 443 -j DNAT --to-destination $HOST:8080

and I run mitmdump using mitmdump -T --host.

However when I connect my iPhone to the VPN I just get an endless stream of output from mitmdump saying

172.18.0.2:49801: clientconnect

How do I fix this so that mitmproxy actually works?

The full configuration I’ve used is at: https://gist.github.com/Tyilo/03889ddc651fcf96e1208b65bfc7aa7f

Here is a diagram of what I want to achieve:

       +----------------------+
       |                      |
       |       iPhone         |
       |                      |
       +-----------+----------+
                   |
                   |
+--------------------------------------+
|      +-----------v----------+        |
|      |                      |        |
|      |        VPN server    +-----+  |
|      |                      |     |  |
|      +----------------------+     |  |
|                 |HTTP/HTTPS       |  | My server
|                 |                 |  |
|      +----------v-----------+     |  |
|      |                      |     |  |
|      |      mitmproxy       |     |  |
|      |                      |     |  |
|      +----------------------+     |  |
+--------------------------------------+
                  |                 |
                  |                 |non-HTTP/HTTPS traffic
                  |                 |
        +---------v-----------+     |
        |                     |     |
        |      Internet       +^----+
        |                     |
        +---------------------+
2

Hi,

You’re running into the first issue described at http://docs.mitmproxy.org/en/stable/modes.html#transparent-proxy - don’t DNAT before sending your data to the mitmproxy instance. :slight_smile:

3

How do I do this without DNAT?

4

Did you get this successfully setup? I’m looking to do the same thing (though I’ve been playing with OpenVPN).

5

Maybe try to put vpn server and mitmproxy in the same machine and use REDIRECT instead of DNAT

6

Hi,

if you set up your iPhone in supervision mode then you can set Global HTTP Proxy in profile for your iPhone using Apple Configurator 2. Then this proxy is used while 3G as well as while WiFi.
Only problem is when you use mitmprox with --proxyauth logn:pass then HTTPS communication doesn’t work. :frowning:

7

Did you manage to get the VPN and Mitmproxy working.

8

No, I didn’t get it to work

9

Here’s my attempt, which works to my satisfaction: https://github.com/abcnews/data-life/tree/master/server

1 Like
10

Thanks for this repo.
The Transparent proxy setup is really usefull and does a great job.
I tried to do the mitmproxy in the docker container but that does not seem to be working.

Is it possible to be able to only accept certain domains (IP address) through the transparent mode. Since when i try to do a regex for ignoring all IP addresses, it does not working.

11

If you use the docker-compose file in my repo for both proxy and VPN it should just work*.

The proxy is only exposed to the local (docker) network so will only accept connections through the VPN.

12

When using your docker-compose. I can connect to the VPN but the mitmproxy is not doing anything.

Is there any extra settings I need to do on an Android device so that it forwards to 172.20.128.2
Currently I just create VPN on android and enter the Server Address, PSK, username and password.

~Thanks

13

I haven’t tested on Android, but I’ve heard that it’s difficult to force traffic through a VPN. Maybe someone with some Android knowledge could pipe up here. I’d be really interested too since I’m planning on tackling an Android device soon.