Transparent web proxy – DD-WRT Wiki
From DD-WRT Wiki
A transparent proxy server on your network can provide more advanced content filtering of web pages, for environments such as a school or library (where, in some locales, filtering is required by law) or as a way to protect children in the household.
This guide will help you enable a transparent proxy server on your network by having your WRT54G router forward all traffic to the proxy server automatically.
1 Desktop Setup
1.1 Squid versions older than 2.6
1.2 Squid versions 2.6 or newer
2 Router Setup
2.1 Proxy Server on the LAN Subnet
2.2 Proxy Server on the LAN Subnet — Alternative Solution
2.3 Proxy Server on Different Network and Using Chillispot
3 Reverse proxy
Squid versions older than 2.6
First install Squid on your Unix box. After that, configure Squid for transparent proxying with these settings:
Squid versions 2.6 or newer
With Squid installed on your Unix/Linux box, set the following in squid.conf:
http_port 192.168.1.10:3128 transparent
Substitute the IP address you are listening on and the port you wish to use for the ones in the example, making sure they match the variables at the top of the router setup script below.
Important for Debian users!
The Squid3 (E5-5) package from Debian Etch does not work with this kind of transparent proxy. Use Squid3 from Debian Lenny instead, or downgrade to Squid 2.6 in Etch.
You will need to use iptables to tell your router how to forward traffic. If you do not have a good grasp of iptables yet, someone has already written a shell script that does the work for you. Be sure to edit the variables at the top.
This script needs to be saved as your firewall script. In the web UI navigate to Administration -> Commands, paste your edited script into the input box, then press the Save Firewall button.
Proxy Server on the LAN Subnet
This script can be found at:
# Proxy address and port; these values come from the Squid example above, change them to match your proxy
PROXY_IP=192.168.1.10
PROXY_PORT=3128
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`
# Web traffic that stays inside the LAN is not redirected
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
# Everything else on port 80 from the LAN (except the proxy's own requests) goes to the proxy
iptables -t nat -A PREROUTING -i br0 ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# Rewrite the source to the router so the proxy's replies return through it
iptables -t nat -I POSTROUTING -o br0 -s $LAN_NET -d $PROXY_IP -p tcp -j SNAT --to $LAN_IP
# Allow the redirected flows to be forwarded to the proxy port
iptables -I FORWARD -i br0 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
Change the PROXY_IP and PROXY_PORT variables to match your proxy server’s IP address and TCP port.
If you need to allow a host to bypass the transparent proxy (such as a game system or media receiver), add the following command, which lets a specific IP bypass the proxy; repeat it for as many exceptions as you like. DirecTV receivers with Video On Demand need to bypass the proxy.
iptables -t nat -I PREROUTING -i br0 -s [IPADDRESS] -j ACCEPT
Proxy Server on the LAN Subnet — Alternative Solution
The solution described in the previous section redirects packets to the proxy server using Network Address Translation, which modifies the packets themselves. The result is that packets arriving at the proxy have the router's IP address as their source rather than the original client's. As a result, the proxy logs cannot show the IP address of the originating client, nor can the proxy apply access rules based on it.
The following alternative approach uses the mangle table to mark packets and route them to the proxy through a custom routing table that has only one default route, directly to the proxy box. This requires some additional iptables configuration on your proxy server, but it has the advantage of retaining the client IP address. This solution was adapted from information found at
# Proxy address; this value comes from the Squid example above, change it to match your proxy
PROXY_IP=192.168.1.10
# The proxy's own web requests must not be marked, or they would be routed back to it
iptables -t mangle -A PREROUTING -p tcp --dport 80 -s $PROXY_IP -j ACCEPT
# Mark all other port-80 traffic and send it through routing table 2, whose only route points at the proxy
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 3
ip rule add fwmark 3 table 2
ip route add default via $PROXY_IP dev br0 table 2
Change the PROXY_IP variable to match your proxy server's IP address.
To let a specific host bypass the proxy in this setup, add the following rule, placed in the script before the MARK rule (MARK does not stop rule processing, so an ACCEPT that comes after it has no effect on a packet that is already marked):
iptables -t mangle -A PREROUTING -p tcp --dport 80 -s [IPADDRESS] -j ACCEPT
The changes above route packets to the IP address of your proxy server, but since the packets are unmodified, they still arrive at the proxy on port 80. You will still need to redirect them to the correct proxy port as they arrive. Add the following rule to iptables on your proxy machine (note: extra steps, not covered here, are needed on the proxy box to make this change persistent).
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port [PROXY_PORT]
Replace PROXY_PORT with the correct port for your proxy, which would be 3128 from the previous example.
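The two LAN-subnet variants above share most of their structure, so here is one router-side script that generates either rule set. It is an added example, not the wiki's script: the chain name TPROXY_HTTP, the BYPASS list and the helper names gen_rules and apply_rules are this example's own assumptions, while PROXY_IP=192.168.1.10 and PROXY_PORT=3128 follow the Squid example above. It goes beyond the page in two ways: bypass hosts are a list rather than one rule, and every rule is deleted before it is re-added, so the firewall script can run repeatedly (DD-WRT re-runs it on every firewall restart) without accumulating duplicate rules. In route mode the proxy host still needs the REDIRECT rule shown in this section.

```shell
#!/bin/sh
# Added example, not the wiki's own script: build the DD-WRT rule set for
# either transparent-proxy mode described above.
#   dnat  - NAT redirect (the proxy sees the router as the client address)
#   route - fwmark + policy route (client address preserved; the proxy host
#           still needs its own REDIRECT rule, as shown on the page)
# TPROXY_HTTP, BYPASS and the helper names are this example's assumptions.

PROXY_IP=${PROXY_IP:-192.168.1.10}
PROXY_PORT=${PROXY_PORT:-3128}
BYPASS=${BYPASS:-}   # space-separated client IPs that must never be proxied
FWMARK=3             # mark and table numbers used by the page's route mode
TABLE=2

# Print the commands for one mode, one per line, without running them.
# LAN_IP/LAN_MASK are read from nvram on the router unless already set, so
# the script can be dry-run on a workstation with LAN_IP=... LAN_MASK=...
gen_rules() {
  mode=$1
  lan_ip=${LAN_IP:-$(nvram get lan_ipaddr)}
  lan_net="$lan_ip/${LAN_MASK:-$(nvram get lan_netmask)}"
  case $mode in
  dnat)  table=nat ;;
  route) table=mangle ;;
  *) echo "usage: gen_rules dnat|route" >&2; return 1 ;;
  esac

  # A private chain that is created once and flushed on every run, so a
  # firewall restart never appends a second copy of the rules.
  echo "iptables -t $table -N TPROXY_HTTP 2>/dev/null"
  echo "iptables -t $table -F TPROXY_HTTP"
  echo "iptables -t $table -D PREROUTING -i br0 -p tcp --dport 80 -j TPROXY_HTTP 2>/dev/null"
  echo "iptables -t $table -A PREROUTING -i br0 -p tcp --dport 80 -j TPROXY_HTTP"

  # Exceptions come first: the proxy's own fetches, LAN-internal web
  # traffic, and any bypass host.
  echo "iptables -t $table -A TPROXY_HTTP -s $PROXY_IP -j RETURN"
  echo "iptables -t $table -A TPROXY_HTTP -s $lan_net -d $lan_net -j RETURN"
  for h in $BYPASS; do
    echo "iptables -t $table -A TPROXY_HTTP -s $h -j RETURN"
  done

  if [ "$mode" = dnat ]; then
    # Rewrite the destination to the proxy, then source-NAT the flow to the
    # router so the proxy's replies come back through it.
    echo "iptables -t nat -A TPROXY_HTTP -j DNAT --to $PROXY_IP:$PROXY_PORT"
    echo "iptables -t nat -D POSTROUTING -o br0 -s $lan_net -d $PROXY_IP -p tcp -j SNAT --to $lan_ip 2>/dev/null"
    echo "iptables -t nat -I POSTROUTING -o br0 -s $lan_net -d $PROXY_IP -p tcp -j SNAT --to $lan_ip"
    echo "iptables -D FORWARD -i br0 -o br0 -s $lan_net -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT 2>/dev/null"
    echo "iptables -I FORWARD -i br0 -o br0 -s $lan_net -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT"
  else
    # Mark the packet and let a dedicated routing table send it, unmodified,
    # to the proxy; 'replace' keeps the table idempotent as well.
    echo "iptables -t mangle -A TPROXY_HTTP -j MARK --set-mark $FWMARK"
    echo "ip rule del fwmark $FWMARK table $TABLE 2>/dev/null"
    echo "ip rule add fwmark $FWMARK table $TABLE"
    echo "ip route replace default via $PROXY_IP dev br0 table $TABLE"
  fi
}

# Run the generated commands; this is the line to call from the firewall script.
apply_rules() {
  gen_rules "$1" | while IFS= read -r cmd; do eval "$cmd"; done
}

# With a mode argument the script prints the rules instead of applying them,
# e.g.  LAN_IP=192.168.1.1 LAN_MASK=255.255.255.0 BYPASS=192.168.1.50 sh tproxy.sh dnat
if [ -n "${1:-}" ]; then
  gen_rules "$1"
fi
```

On the router, paste the file into Administration -> Commands, replace the final `if` block with `apply_rules dnat` (or `apply_rules route`) and save it as the firewall script. Review the dry-run output first: the RETURN lines must appear before the DNAT or MARK line, otherwise the bypass hosts and the proxy itself would be looped back into the proxy.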
Proxy Server on Different Network and Using Chillispot
The scripts above apply when the proxy server is on the same network. In most cases where DD-WRT has Chillispot enabled and a transparent proxy is needed (mine too), the proxy server is on a different network. I have changed the script from Option 1 above for this need. Edit the bolded variables to match your configuration.
CHILLI_IP=192.182.1
CHILLI_NET=        # Chillispot client subnet in CIDR form; not given on the original page, set it to match your configuration
# The following values are taken from the LAN-subnet script above; change them to match your network
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`
PROXY_IP=192.168.1.10
PROXY_PORT=3128
# Web traffic from Chillispot clients to the LAN is not redirected
iptables -t nat -A PREROUTING -i tun0 -s $CHILLI_NET -d $LAN_NET -p tcp --dport 80 -j ACCEPT
# All other port-80 traffic arriving on the Chillispot interface goes to the proxy
iptables -t nat -A PREROUTING -i tun0 -s $CHILLI_NET -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# Replies from the proxy back to Chillispot clients are source-NATed to the Chillispot address
iptables -t nat -A POSTROUTING -o br0 -s $PROXY_IP -p tcp -d $CHILLI_NET -j SNAT --to $CHILLI_IP
# Allow the redirected flows to be forwarded from tun0 to the proxy port
iptables -I FORWARD -i tun0 -o br0 -s $CHILLI_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
Squid can also be used as a “reverse proxy” or “web accelerator” if the computer(s) behind it are web servers running database-intensive applications such as wiki, blog or forum hosting.
For Squid 2.4 and earlier, this is referred to as "accelerate single host" mode; for version 2.6 the commands look like:
# Squid normally listens on port 3128; remove this:
# http_port 3128
# Instead, make Squid listen on port 80, substituting your external (WAN) static address here:
http_port 999.999.999.999:80 vhost
# Then have all requests forwarded to your actual web server (LAN address, change to match your network):
cache_peer 192.2 parent 80 0 no-query originserver
Squid obtains a speed improvement by storing copies of rendered web pages to the file system and serving the stored copies to users instead of having the actual web server repeatedly regenerate dynamic content. As such, it is suited primarily for use on devices with adequate hard disk storage and may not be suited to small servers with limited storage space.
The "reverse proxy" Squid configuration is used by large wiki sites such as Wikipedia, and Wikipedia's meta wiki offers some information on the use of Squid in this manner.
DD-WRT Router DNS Proxy Setup Instructions – IronSocket
Setting up DNS Proxy
Our DNS Proxy requires your Public IP Address to be authorized to access the service. You can head over to the IP Authorization page to configure your access. We also have this handy guide to follow if you need any help.
Instead of setting up your devices individually, you can simply set up the DNS addresses on your router and have your devices obtain the DNS values automatically (via DHCP).
Login to your router
Go to “Setup” > “Basic Setup”
Enter these DNS IP addresses on the Static DNS boxes
Static DNS 1: 138.197.111.193
Static DNS 2: 64.225.90.91
Static DNS 3: (Leave Blank)
Check the check-box next to “Use DNSMasq for DNS”
Click on the “Apply Settings” button. This will reboot your router and will apply the new DNS servers.
Restart your computer and other devices that you want to use the DNS Proxy service on so that they will get the new DNS IP settings from your router.
After your IP is authorized, you can start accessing geo-restricted channels to watch movies or listen to music.
How to configure smart DNS proxy on a DD-WRT router
@lahmstache October 4, 2017
Many media streaming services will only allow certain content in specific countries. The most common way to enforce those restrictions is to examine the viewer’s IP address and attempt to geo-locate it to a region. VPNs are a common way to circumvent these geo-location tactics, but VPNs can slow down traffic. That’s fine for normal web use, but it makes streaming difficult. SmartDNS has another method of handling this.
What is a smart DNS proxy?
Smart DNS is a combination of Domain Name Server (DNS) servers and tactically located proxies. The DNS system resolves human-readable domain names to computer-readable Internet Protocol (IP) addresses. Using Netflix as an example: your Netflix app makes a DNS query to find out the IP address of the Netflix server it should connect to. The app then uses that information to request content from that IP address. Under normal operations, this allows the Netflix server to see your real IP address. This is a necessary piece of information that the server needs in order to send the stream back to your app. If the Netflix server sees a Canadian IP requesting United States content, it will not allow that.
How does a smart DNS proxy work?
Smart DNS servers reply with different IP addresses for specific queries. For example, a device running a Netflix app starts by requesting the IP address for the Netflix service from your DNS servers. When using smart DNS, the DNS servers will return the IP address of a smart proxy server rather than a Netflix IP. That smart DNS proxy IP will exist in the same country as the service you want to access; in my case – the United States, allowing access to the restricted content.
That means the flow of traffic is from my device -> to a smart DNS proxy that is allowed to access the Netflix content -> to the Netflix servers. The video stream comes back in reverse order; it is sent from Netflix -> to the smart DNS proxy -> to my device. Since the Netflix server can only see the proxy’s IP address, it doesn’t know to restrict the content. Note that only sites the smart DNS service is configured for use the proxies. For example, queries to a search engine like Google would cause the smart DNS servers to respond with Google’s real IP and your subsequent visit to Google would not go through the smart DNS proxies. I’ve tried to illustrate that concept in the diagram below.
Are smart DNS proxies better than a VPN?
Security and anonymity have many layers. There is no silver bullet and different technologies address different problems. A VPN is not inherently better or worse than a proxy, it’s just different.
VPNs provide superior privacy over proxies because VPNs encrypt traffic and hide your real IP address. Proxies, on the other hand, allow for much higher speeds but the downside is that speed comes by sacrificing privacy. Your ISP will know that you’re streaming from a smart DNS proxy whereas it is much harder for your ISP to see what you’re doing inside an encrypted VPN tunnel.
How private is a smart DNS proxy service?
Once you switch to a smart DNS set of nameservers, all of your DNS queries will be sent to those DNS servers. Even when you’re not intending to stream and just carrying on with your day-to-day business, the smart DNS service can see all your DNS queries. Privacy conscious people will naturally need to trust services that have access to this much information about their browsing habits.
In order to use most smart DNS proxy services, your current IP address has to be registered in the system. This is how you are authorized to use its nameservers, given that DNS servers do not support authentication.
You can infer from this that at least your current IP address is recorded in the system. Some smart DNS providers seem to keep previous IPs, at least for a while. When I changed my IP address in the SmartDNSProxy service, this message was displayed:
Please note: We have detected that you were previously using a VPN service/Data Center IP, please disconnect from the VPN/Data Center and use your own IP address to activate our services.
It does not explicitly say what my previous IP was, but it’s definitely tracking the fact that it changed. However, since your current IP address will be included in any DNS query to its system, there’s no obvious additional downside to this.
How to configure your DD-WRT router to use a smart DNS proxy
The advantage to configuring your router to use smart DNS is you will no longer need to configure each individual device on your internal network. As long as all those devices are connected to the same router, configuring it to send DNS queries to the smart DNS servers will cover you.
The first step is to get the IP addresses of the smart DNS servers that you want to use. Each service provides DNS server IP addresses somewhere on its site, although you may have to be logged in to your account to see them. Some providers, like SmartDNSProxy, have DNS servers all around the world that can improve DNS query speeds. In general, you will want to choose a DNS server as close to your physical location as possible. My DD-WRT router supports up to three static DNS entries, but most smart DNS services provide only two DNS servers.
Access your DD-WRT administrator interface and log in. This is usually at but you may have changed that during setup. Navigate to the Setup -> Basic Setup tab.
Scroll down to find the Network Address Server Settings (DHCP) and enter your chosen smart DNS IP address(es) into the Static DNS 1/2/3 fields.
Click the Apply Settings button at the bottom of the page. At this point you should be using the new DNS servers. If you’re still blocked, you may find that you have to reboot the router. To do this, navigate to the Administration tab and click the Reboot Router button at the bottom of the page.
Test your new settings to ensure they are working
The definitive test would be to access the content that was previously unavailable. If it loads, then it’s working. If you’d like some hard data on it, you can use the Comparitech DNS leak test to check which nameservers your system is using. It should report the smart DNS servers.
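A leak test only tells you which nameservers answer; it does not show which names those nameservers are rewriting. The script below, added here as an example and not part of the original post, asks the resolver your devices now use and an independent reference resolver for the same names and reports the names whose answers have no address in common, which is exactly the subset a smart DNS service redirects through its proxies (the Netflix-versus-Google distinction described earlier). The names LOCAL_DNS, REF_DNS, CHECK_NAMES and the helper functions are this example's own; the default LOCAL_DNS of 192.168.1.1 and the use of 9.9.9.9 as an independent public resolver are assumptions, and the answers in sample_lookup are constructed from documentation address ranges.

```shell
#!/bin/sh
# Added example, not part of the original post: ask two resolvers for the same
# names and report which answers disagree. A smart DNS service rewrites only
# the names it proxies, so those show as REWRITTEN while ordinary names stay
# SAME. LOCAL_DNS, REF_DNS, CHECK_NAMES and the sample answers are assumptions.

LOCAL_DNS=${LOCAL_DNS:-192.168.1.1}   # the resolver your devices get from the router
REF_DNS=${REF_DNS:-9.9.9.9}           # an independent public resolver
CHECK_NAMES=${CHECK_NAMES:-"www.netflix.com www.google.com"}

# Live lookup: all IPv4 answers for name $1 from server $2, sorted, space separated.
dig_lookup() {
  dig +short +time=3 +tries=1 @"$2" "$1" A 2>/dev/null \
    | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort | tr '\n' ' '
}

# Offline stand-in with constructed answers (TEST-NET ranges): the local
# resolver hands out a proxy address for the streaming name and the real
# addresses for everything else. Used when RESOLVE=sample_lookup.
sample_lookup() {
  case "$2 $1" in
    "192.168.1.1 www.netflix.com") echo "203.0.113.10 " ;;
    "9.9.9.9 www.netflix.com")     echo "198.51.100.5 198.51.100.6 " ;;
    *" www.google.com")            echo "198.51.100.20 " ;;
    *)                             echo "" ;;
  esac
}
RESOLVE=${RESOLVE:-sample_lookup}     # run with RESOLVE=dig_lookup for a live check

# True if the two space-separated address lists share at least one address.
# CDNs legitimately vary answers between resolvers, so only a complete
# disagreement is treated as a rewrite.
overlaps() {
  for x in $1; do
    for y in $2; do
      [ "$x" = "$y" ] && return 0
    done
  done
  return 1
}

# Comma-join the addresses given as arguments, or print "-" if there are none.
list_or_dash() {
  if [ $# -eq 0 ]; then
    echo "-"
  else
    echo "$*" | tr ' ' ','
  fi
}

# One line per name: STATUS name local-answers reference-answers
compare_answers() {
  for n in $CHECK_NAMES; do
    local_a=$("$RESOLVE" "$n" "$LOCAL_DNS")
    ref_a=$("$RESOLVE" "$n" "$REF_DNS")
    if [ -z "$local_a" ] || [ -z "$ref_a" ]; then
      status=NOANSWER
    elif overlaps "$local_a" "$ref_a"; then
      status=SAME
    else
      status=REWRITTEN
    fi
    echo "$status $n $(list_or_dash $local_a) $(list_or_dash $ref_a)"
  done
}

compare_answers
```

Run it as `RESOLVE=dig_lookup sh dnscheck.sh` on a device behind the router (dig is part of the bind-utils/dnsutils package). REWRITTEN lines are the names the smart DNS service is steering through its proxies; a REWRITTEN result for a name you did not sign up to proxy, or for a bank or mail provider, is the case where this technique stops being a convenience and becomes the DNS poisoning the post mentions, and is worth checking against the provider's published domain list.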
Smart DNS is an innovative service that makes use of DNS poisoning. Typically, DNS poisoning is an attack mechanism to reroute people from legitimate sites to malicious sites. But, in this case the same techniques are used to provide a service useful to many people.