Using mitmproxy for all HTTP/HTTPS traffic coming from an ipsec vpn server

Background: I want to use mitmproxy with my iPhone while on 3G. In iOS you can only use a proxy for WiFi connections and not while using mobile data. So instead I can use a VPN server that needs to forward its request through mitmproxy.

I want to create a VPN server that automatically forwards all outgoing HTTP/HTTPS requests to mitmproxy, however I have failed to create an iptables configuration that works.

To do this I’ve used docker-compose with the hwdsl2/ipsec-vpn-server and mitmproxy/mitmproxy images.

I have added the following iptables config to ipsec-vpn-server (where HOST will be the local IP address of the mitmproxy server):

HOST=$(host -4 mitmproxy | head -1 | awk '{ print $4 }')
iptables -t nat -A PREROUTING -i eth+ -p tcp --destination-port 80 -j DNAT --to-destination $HOST:8080
iptables -t nat -A PREROUTING -i eth+ -p tcp --destination-port 443 -j DNAT --to-destination $HOST:8080

and I run mitmdump using mitmdump -T --host.

However when I connect my iPhone to the VPN I just get an endless stream of output from mitmdump saying

172.18.0.2:49801: clientconnect

How do I fix this so that mitmproxy actually works?

The full configuration I’ve used is at: https://gist.github.com/Tyilo/03889ddc651fcf96e1208b65bfc7aa7f

Here is a diagram of what I want to achieve:

       +----------------------+
       |                      |
       |       iPhone         |
       |                      |
       +-----------+----------+
                   |
                   |
+--------------------------------------+
|      +-----------v----------+        |
|      |                      |        |
|      |        VPN server    +-----+  |
|      |                      |     |  |
|      +----------------------+     |  |
|                 |HTTP/HTTPS       |  | My server
|                 |                 |  |
|      +----------v-----------+     |  |
|      |                      |     |  |
|      |      mitmproxy       |     |  |
|      |                      |     |  |
|      +----------------------+     |  |
+--------------------------------------+
                  |                 |
                  |                 |non-HTTP/HTTPS traffic
                  |                 |
        +---------v-----------+     |
        |                     |     |
        |      Internet       +^----+
        |                     |
        +---------------------+

Hi,

You’re running into the first issue described at http://docs.mitmproxy.org/en/stable/modes.html#transparent-proxy - don’t DNAT before sending your data to the mitmproxy instance. :slight_smile:

How do I do this without DNAT?

Did you get this successfully setup? I’m looking to do the same thing (though I’ve been playing with OpenVPN).

Maybe try to put vpn server and mitmproxy in the same machine and use REDIRECT instead of DNAT
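The REDIRECT layout suggested in this reply, written out as an added example (not from the thread, the hwdsl2 image or mitmproxy's own docs). It assumes VPN clients arrive on interfaces matching ppp+ and that mitmdump runs in transparent mode on port 8080 on the same host as the VPN server; REDIRECT keeps the original destination in conntrack so mitmproxy can recover it, which DNAT to another host does not.

```shell
#!/bin/sh
# Added example: REDIRECT rules for a same-host VPN + mitmproxy setup.
# Assumptions: VPN client traffic enters on $VPN_IF (ppp+ is an assumption for
# L2TP/IPsec; adjust for your VPN type) and mitmdump listens transparently on
# $MITM_PORT. REDIRECT preserves the original destination (SO_ORIGINAL_DST);
# DNAT to another container rewrites it, which is what the endless
# "clientconnect" output came from.
VPN_IF="${VPN_IF:-ppp+}"
MITM_PORT="${MITM_PORT:-8080}"

# Emit the corrected rules, one iptables command per line, without running them
# so they can be reviewed first.
mitm_redirect_rules() {
    vpn_if="$1"; port="$2"
    for dport in 80 443; do
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-port %s\n' \
            "$vpn_if" "$dport" "$port"
    done
}

# The original DNAT form from the question, kept only for comparison.
dnat_rules() {
    host="$1"; port="$2"
    for dport in 80 443; do
        printf 'iptables -t nat -A PREROUTING -i eth+ -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "$dport" "$host" "$port"
    done
}

# Returns 0 when a rule set never rewrites the destination address,
# i.e. contains no DNAT target.
rules_keep_original_dst() {
    ! printf '%s\n' "$1" | grep -q -- '-j DNAT'
}

# Usage: ./mitm-redirect.sh         (print the rules)
#        ./mitm-redirect.sh apply   (enable forwarding and load them; needs root)
if [ "${1:-}" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    mitm_redirect_rules "$VPN_IF" "$MITM_PORT" | sh -e
else
    mitm_redirect_rules "$VPN_IF" "$MITM_PORT"
fi
```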

Hi,

if you set up your iPhone in supervision mode then you can set Global HTTP Proxy in profile for your iPhone using Apple Configurator 2. Then this proxy is used while 3G as well as while WiFi.
Only problem is when you use mitmproxy with --proxyauth login:pass then HTTPS communication doesn’t work. :frowning:

Did you manage to get the VPN and mitmproxy working?

No, I didn’t get it to work

Here’s my attempt, which works to my satisfaction: https://github.com/abcnews/data-life/tree/master/server


Thanks for this repo.
The transparent proxy setup is really useful and does a great job.
I tried to do the mitmproxy in the docker container but that does not seem to be working.

Is it possible to only accept certain domains (IP addresses) through transparent mode? When I try to do a regex for ignoring all IP addresses, it does not work.

If you use the docker-compose file in my repo for both proxy and VPN it should just work*.

The proxy is only exposed to the local (docker) network so will only accept connections through the VPN.

When using your docker-compose, I can connect to the VPN but the mitmproxy is not doing anything.

Is there any extra setting I need to do on an Android device so that it forwards to 172.20.128.2?
Currently I just create VPN on android and enter the Server Address, PSK, username and password.

~Thanks

I haven’t tested on Android, but I’ve heard that it’s difficult to force traffic through a VPN. Maybe someone with some Android knowledge could pipe up here. I’d be really interested too since I’m planning on tackling an Android device soon.