Challenge: Help to embed & automate Immunicity Proxy PAC settings

Discussion in 'Asuswrt-Merlin' started by majika, Aug 26, 2013.

  1. majika

    majika New Around Here

    Joined:
    Aug 25, 2013
    Messages:
    4
    Location:
    UK
    Hi,

    This is my first post here so, firstly, I'd just like to say a huge thank you to Merlin for the excellent work which is being carried out on WRT FW.
    Secondly, this forum is a huge melting pot of ideas and a great way to exchange ideas and express your thoughts not just individually but also directly with the FW author/tweaker, tinkerer Merlin and with the community at large. **Great stuff**

    Anyway, I have been forced to make use of the Immunicity project which in its normal usage is a simple enough process to use and it works fine.

    Simply configure your browser proxy server settings just by pointing to the Proxy PAC url address to bypass the censored/blocked addresses.

    I would like to know if there is a way to embed this PAC url into the router. I would also like to figure out how to tell my router to automatically check at a specific time (daily) and then update itself.

    Would it then be possible to get the bypass information out of the Immunicity PAC URL and have the router manage my traffic according to the information obtained from the PAC file.

    In other words instead of setting up the proxy settings for each browser / device connected to the network individually but rather just set it up once from a central location; this central location being the ASUS RT-N66U Router.


    My idea would be to:

    1) Setup a script to load either inside init-start or dhcpc-event to trigger wget to fetch the PAC url file and save this info to a temp. directory inside the router file-system.

    2) Then, if required parse the PAC Proxy bypass list into a manageable format which the router will understand.

    3) Next, append the parsed proxy PAC file data from our ../tmp/file ready to be imported into the routing iptable or, depending on the best way, maybe an OPTWARE/ENTWARE Proxy package may be able to do this job by itself -> fetch PAC file URL and implement it according to PAC file information.

    4) I don't know how or where to put the CRON job for wget to fetch the PAC file and do all the parsing or how to update the proxy?


    Possible Problems:

    This is the URL for the PAC file: http://clientconfig.immunicity.org/pacs/all.pac

    However inside the PAC file it states that the Proxy server name and URL are randomly generated (extract from the PAC file):

    Code:
    function FindProxyForURL(url, host) {
        // Our proxy server name and port
        // This is randomly generated and changes each time you request the PAC file
        var proxyserver = 'gateway-***********.cloud.immunicity.net:8080';
    
        // ... (remainder of the PAC file not shown)
    }


    Any help or suggestions or ideas would be greatly appreciated..

    Thanks
     
  2. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,288
    Location:
    Canada
    I'm no expert on PAC, but I could think of two ways to handle things:

    1) Have dnsmasq (which serves as DHCP server) point to the provider's PAC URL
    2) Put your own PAC file on the router, and tell dnsmasq to point at it

    You can provide the router with your own proxy.pac by copying it to this location:

    Code:
    /www/ext/proxy.pac
    
    Use a user script to copy the file (such as init-start or wan-start).

    For the DHCP option, this is configurable through dnsmasq.conf.add:

    Code:
    dhcp-option=252,"http://router.asus.com/proxy.pac\n"
    
    This is mostly untested as I have never worked with proxy.pac before, but I know that I should have fixed its support last year when someone asked me about it.
     
  3. Immunicity

    Immunicity New Around Here

    Joined:
    Aug 28, 2013
    Messages:
    2
    Location:
    Internet
    Hi

    We're from Immunicity.org and came across this thread.

    We haven't tested any router level implementations however it is interesting and something we'd consider providing support for if there is a nice way to do it.

    Just wanted to keep you informed that as long as the PAC file is updated every few weeks or so you should be fine, and that you don't need to worry about the randomly changing proxy URL, we don't remove old addresses, so it'll continue to work.

    Hope this helps you out a bit. As ever we're here to help.

    Cheers
    Immunicity :)
     
  4. majika

    majika New Around Here

    Joined:
    Aug 25, 2013
    Messages:
    4
    Location:
    UK
    Immunicity Proxy PAC integration

    Thanks for the fast reply and great pointers there Merlin.

    ATM, I have my head buried in the BusyBox FAQ/Help sections to learn how to interact with this whole firmware on a command line basis *and* also trying to figure out how this FW has been put together ;) really out of sheer personal interest and to get a better understanding of Linux as a whole..

    It's good to see that the Merlin Github Wiki has been updated with some really good guides/content.

    Hopefully, setting up the proposed integrated Immunicity proxy *should* turn out to be a relatively simple process to implement. I hope this may be added to the wiki once I have managed to figure everything out.

    Also, it's good to know there is also a presence from the Immunicity team here on the SNB forum.. By the way thanks for your really neat service which has helped us Brits out BiG time !

    Thanks for the heads up

    Anyway once I'm more able to test my setup I will post back here to ask for advice and suggestions on how things look, etc..
     
  5. majika

    majika New Around Here

    Joined:
    Aug 25, 2013
    Messages:
    4
    Location:
    UK
    How to: implement Immunicity proxy PAC By-pass on the router level

    A guide to implement Immunicity proxy PAC By-pass on the router level.


    Tested on:

    Device: Asus rt-n66u
    F/W: 3.0.0.4.372.31_0

    I have managed to get this set up and working in a crude but still feasible way.

    Prerequisites:
    WRT based router (Tested on an ASUS RT-N66U)
    Flashed with Merlin F/W (tested with ver. 3.0.0.4.372.31_0)
    JFFS - nvram enabled.
    SSH Enabled & WinSCP

    1) Open up the following directory:

    Code:
    /jffs/scripts/
    2) If you do not already have a file called wan-start located in this directory then create it.
    WinSCP will allow you to easily manage your filesystem and create new files..

    Code:
    /jffs/scripts/wan-start
    3) Add the following into: /jffs/scripts/wan-start
    Code:
    #!/bin/sh
    
    # Immunicity Proxy PAC file loader
    # By-pass censored websites - Self-censorship :)
    
    wget -q -O "/www/ext/immunicity.pac" "http://clientconfig.immunicity.org/pacs/all.pac"
    
    4) Remember to make this file executable so it can run

    Code:
    chmod +x /jffs/scripts/wan-start
    
    5) If you already have a dnsmasq.conf.add script, skip this step.

    Now we need to add to our dnsmasq configuration by means of a user-script.
    Just like what we did in step 2), we must create the dnsmasq.conf.add file


    Code:
    /jffs/configs/dnsmasq.conf.add
    
    6) Now we are ready to input our script data.
    Note the name of the referenced .pac file (immunicity.pac); this is what is being referenced
    from our wan-start script.

    Code:
    dhcp-option=252,"http://router.asus.com/immunicity.pac\n"
    
    7) Now, save this in the following location:

    Code:
    /jffs/configs/dnsmasq.conf.add
    

    8) Reboot your router for settings to take effect.

    Job done. Implementation of Immunicity proxy PAC By-pass on the router level !


    Things to tidy up:

    If you are having issues accessing blocked sites which ARE already in the .PAC file you may want to
    consider the following fixes:

    Windows users who have references in their HOSTS file (C:\windows\system32\drivers\etc\hosts) which
    are already in the PAC file should remove them or comment them out by adding a "#" at the beginning of the
    line entry.

    Clear your browser cache/cookies.

    Clear your Windows stored DNS entries by issuing the following from the cmd line:

    Code:
     ipconfig /flushdns 
    
    OR directly from the start menu run line (this does the same as above):

    Code:
    cmd /k ipconfig /flushdns
    
    Read Immunicity FAQ
    This works well with DNSCrypt & OpenDNS Guide

    I will try to help with any issues or problems. Please, if you find this useful, send your feedback,
    comments or suggestions!
    (Ver 0.1)
     
  6. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    33,288
    Location:
    Canada
    The Wiki is open for anyone (with a Github account) to edit, so feel free to create a Wiki page for it once you are satisfied with your guide.

    At first glance your guide seems technically sound. Good work :)
     
    Last edited: Aug 28, 2013
  7. Immunicity

    Immunicity New Around Here

    Joined:
    Aug 28, 2013
    Messages:
    2
    Location:
    Internet
    Awesome, thanks for doing this. We've tweeted the link.

    While we don't currently have the capacity to test it, if it works, you can use it. :)

    As you're probably aware, we've only really focused on configuring major browsers, but we're looking to expand and this is in the right direction.
     
  8. lbd.patrician

    lbd.patrician Occasional Visitor

    Joined:
    Sep 3, 2013
    Messages:
    10
    Help: not working on my rt-n66u

    Thank you guys for putting this useful information together. I have a pac file, which enables me watch videos that has IP address restriction if I configure the pac file in browsers.

    When I noticed this, I was amazed by such brilliant idea. I followed the instructions carefully, but it seems it does not work for me. Is there any other thing I have to set on the router side to make it work?

    My router: Asus RT-N66U
    Firmware: 3.0.0.4.374.32 (Merlin build)

    Thanks again for help.
    :p


     
  9. ryzhov_al

    ryzhov_al Very Senior Member

    Joined:
    Jul 23, 2012
    Messages:
    645
    Location:
    Russia
    I think I know why users complain it's not working. Take a look at syslog: the DHCP server starts earlier than the internet connection. It means immunicity.pac will be downloaded later than the PC requests it.

    Solution? Keep a copy of immunicity.pac in JFFS partition and refresh it at wan-start.
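
The cache-first refresh suggested in the post above, written out as an added example (not code from any poster in this thread): the copy kept in JFFS is published before the download starts, and a new download replaces it only if it is non-empty and defines `FindProxyForURL`. The cache path `/jffs/configs/immunicity.pac` and the function names `pac_fetch`, `pac_looks_valid` and `refresh_pac` are assumptions made for this example; the URL and `/www/ext/immunicity.pac` are the ones used in the guide.

```shell
#!/bin/sh
# Added example (not from the thread): cache-first PAC refresh for wan-start.
# Function names and the cache path are hypothetical; URL and live path follow the guide.

PAC_URL="http://clientconfig.immunicity.org/pacs/all.pac"
PAC_CACHE="/jffs/configs/immunicity.pac"   # assumed persistent copy in JFFS
PAC_LIVE="/www/ext/immunicity.pac"         # file the DHCP option 252 URL points at

# Fetch URL $1 into file $2. Kept separate so it can be replaced in offline tests.
pac_fetch() {
    wget -q -O "$2" "$1"
}

# Accept a download only if it is non-empty and defines FindProxyForURL.
pac_looks_valid() {
    [ -s "$1" ] && grep -q 'function FindProxyForURL' "$1"
}

# refresh_pac URL CACHE LIVE
# Returns 0 if a fresh copy was installed, 1 if the cached copy was kept.
refresh_pac() {
    url=$1; cache=$2; live=$3; tmp="$cache.new"

    # Publish the cached copy first, so a client that asks before the
    # download has finished still receives a usable file.
    [ -f "$cache" ] && cp "$cache" "$live"

    if pac_fetch "$url" "$tmp" && pac_looks_valid "$tmp"; then
        mv "$tmp" "$cache"       # rename inside JFFS: cache is never half-written
        cp "$cache" "$live"
        return 0
    fi
    rm -f "$tmp"                 # failed or bogus download: keep what we had
    return 1
}

# Only act when this file is installed and run as wan-start.
case "$0" in
    *wan-start) refresh_pac "$PAC_URL" "$PAC_CACHE" "$PAC_LIVE" ;;
esac
```

The content check is a sanity test against empty files and error pages, not authentication: the PAC is fetched over plain HTTP, and whatever ends up in the live file decides which proxy every client that honours DHCP option 252 will use.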
     
  10. maxduke

    maxduke Occasional Visitor

    Joined:
    Sep 2, 2013
    Messages:
    13
    First I think
    should be
    And there's another issue that if PC A login into the router, PC B can not access router/ext at the same time. It will show an error.
     
  11. lbd.patrician

    lbd.patrician Occasional Visitor

    Joined:
    Sep 3, 2013
    Messages:
    10
    I put a copy at /jffs/configs/proxy.pac

    and then add a line in the wan-start script

    cp /jffs/configs/proxy.pac /www/ext/proxy.pac

    It seems that it still does not honor the pac file.

     
  12. lbd.patrician

    lbd.patrician Occasional Visitor

    Joined:
    Sep 3, 2013
    Messages:
    10
    A little bit of confusion here.

    Can you give more details on why there is a limitation on reading a pac file at the same time from PC A machine and PC B machine?

    Thanks.

     
  13. maxduke

    maxduke Occasional Visitor

    Joined:
    Sep 2, 2013
    Messages:
    13
  14. majika

    majika New Around Here

    Joined:
    Aug 25, 2013
    Messages:
    4
    Location:
    UK
    Works fine

    Hi,
    This works fine for me.

    I am able to use the immunicity service for all devices connected to the LAN *Without* the need to manually enter immunicity pac URL into each browser of each devices connected to the network, which was the main aim of this implementation..

    I have tested this setup with multiple devices all connected to the LAN; which include: Android GSM devices, ASUS Ultrabook and Workstation and my main server - All operated with desired results.

    All lookup requests made to access "Blocked" sites are requested from various devices on the LAN through the N66U router. One central location for by-passing blocked sites are made from a locally held PAC file location, this being the ASUS N66U router.

    At least in my case, device requests on the lan-side to access censored websites are handled via the embedded PAC file on the ASUS Router as opposed to the browser manually looking up request via the immunicity proxy service URL are now handled by the router instead..

    I may have misunderstood your problem(s) but Why do you need to access the PAC file held on the router *directly* anyway? if, this is the reason for using this then you may as well just not bother using this and revert back to making your lookups using the original immunicity service method per each browser via the supplied PAC URL location..

    I will be glad for some specific feedback on exactly what it is that you trying to achieve.

    I hope this helps to give a better idea of what it is I wanted this implementation to achieve. :)
     
  15. zhumingvictor

    zhumingvictor New Around Here

    Joined:
    Nov 9, 2013
    Messages:
    1
    Anybody else got this working? In my router I can see that dhcp-option=252,"http://router.asus.com/etc/proxy.pac\n" is added to the end of /tmp/etc/dnsmasq.conf but it is just not working. Anybody have any idea?

    Thanks.
     
    Last edited: Nov 9, 2013
  16. daurwid

    daurwid Guest

    I finally got this working.
    I want to add that after you copy the proxy.pac file to /www/ext/ add the line below it in the wan-start file:

    I am still not sure this will work for mobile devices but it does work on my Windows 7 box.

    I am using it to forward PCs on my network through the Privoxy adblockplus filter.

    Enjoy.

    [edit] Nevermind it's still not working as intended. I didn't realize that I had forwarded port 80 traffic to the proxy for my laptop. Upon reboot of the asuswrt router I lost the proxy features.
     
    Last edited by a moderator: May 8, 2014