Challenge: Help to embed & automate Immunicity Proxy PAC settings

majika

Occasional Visitor
Hi,

This is my first post here so, firstly, I'd just like to say a huge thank you to Merlin for the excellent work which is being carried out on WRT FW.
Secondly, this forum is a huge melting pot of ideas and a great way to exchange ideas and express your thoughts not just individually but also directly with the FW author/tweaker, tinkerer Merlin and with the community at large. **Great stuff**

Anyway, I have been forced to make use of the Immunicity project which in its normal usage is a simple enough process to use and it works fine.

Simply configure your browser proxy server settings just by pointing to the Proxy PAC url address to bypass the censored/blocked addresses.

I would like to know if there is a way to embed this PAC url into the router. I would also like to figure out how to tell my router to automatically check at a specific time (daily) and then update itself.

Would it then be possible to get the bypass information out of the Immunicity PAC URL and have the router manage my traffic according to the information obtained from the PAC file.

In other words instead of setting up the proxy settings for each browser / device connected to the network individually but rather just set it up once from a central location; this central location being the ASUS RT-N66U Router.


My idea would be to:

1) Setup a script to load either inside init-start or dhcpc-event to trigger wget to fetch the PAC url file and save this info to a temp. directory inside the router file-system.

2) Then, if required parse the PAC Proxy bypass list into a manageable format which the router will understand.

3) Next, append the parsed proxy PAC file data from our ../tmp/file ready to be imported into the routing iptable or depending on the best way maybe an OPTWARE/ENTWARE Proxy package maybe able to do this job by itself -> fetch PAC file URL and implement it according to PAC file information.

4) I don't know how or where to put the CRON job for wget to fetch the PAC file and do all the parsing, or how to update the proxy?


Possible Problems:

This is the URL for the PAC file: http://clientconfig.immunicity.org/pacs/all.pac

However inside the PAC file it states that the Proxy server name and URL are randomly generated (extract from the PAC file):

Code:
function FindProxyForURL(url, host) {
    // Our proxy server name and port
    // This is randomly generated and changes each time you request the PAC file
    var proxyserver = 'gateway-***********.cloud.immunicity.net:8080';
    // ... rest of the PAC file omitted from this extract
}


Any help or suggestions or ideas would be greatly appreciated..

Thanks
 
I'm no expert on PAC, but I could think of two ways to handle things:

1) Have dnsmasq (which serves as DHCP server) point to the provider's PAC URL
2) Put your own PAC file on the router, and tell dnsmasq to point at it

You can provide the router with your own proxy.pac by copying it to this location:

Code:
/www/ext/proxy.pac

Use a user script to copy the file (such as init-start or wan-start).

For the DHCP option, this is configurable through dnsmasq.conf.add:

Code:
dhcp-option=252,"http://router.asus.com/proxy.pac\n"

This is mostly untested as I have never worked with proxy.pac before, but I know that I should have fixed its support last year when someone asked me about it.
 
Hi

We're from Immunicity.org and came across this thread.

We haven't tested any router level implementations however it is interesting and something we'd consider providing support for if there is a nice way to do it.

Just wanted to keep you informed that as long as the PAC file is updated every few weeks or so you should be fine, and that you don't need to worry about the randomly changing proxy URL, we don't remove old addresses, so it'll continue to work.

Hope this helps you out a bit. As ever we're here to help.

Cheers
Immunicity :)
 
Immunicity Proxy PAC integration

Thanks for the fast reply and great pointers there Merlin.

ATM, I have my head buried in the BusyBox FAQ/Help sections to learn how to interact with this whole firmware on a command line basis *and* also trying to figure out how this FW has been put together ;) really out of sheer personal interest and to get a better understanding of Linux as a whole..

It's good to see that the Merlin Github Wiki has been updated with some really good guides/content.

Hopefully, setting up the proposed integrated Immunicity proxy *should* turn out to be a relatively simple process to implement. I hope this may be added to the wiki once I have managed to figure everything out.

Also, it's good to know there is also a presence from the Immunicity team here on the SNB forum.. By the way thanks for your really neat service which has helped us Brits out BiG time !

don't need to worry about the randomly changing proxy URL
Thanks for the heads up

Anyway once I'm more able to test my setup I will post back here to ask for advice and suggestions on how things look, etc..
 
How to: implement Immunicity proxy PAC By-pass on the router level

A guide to implement Immunicity proxy PAC By-pass on the router level.


Tested on:

Device: Asus rt-n66u
F/W: 3.0.0.4.372.31_0

I have managed to get this setup and working in a crude but yet, still in a feasible way.

Prerequisites:
WRT based router (Tested on a ASUS RT-N66U)
Flashed with Merlin F/W (tested with ver. 3.0.0.4.372.31_0)
JFFS - nvram enabled.
SSH Enabled & WinSCP

1) Open up the following directory:

Code:
/jffs/scripts/

2) If you do not already have a file called wan-start located in this directory then create it.
WinSCP will allow you to easily manage your filesystem and create new files..

Code:
/jffs/scripts/wan-start

3) Add the following into: /jffs/scripts/wan-start
Code:
#!/bin/sh

# Immunicity Proxy PAC file loader
# By-pass censored websites - Self-censorship :)

wget -q -O "/www/ext/immunicity.pac" "http://clientconfig.immunicity.org/pacs/all.pac"

4) Remember to make this file executable so it can run

Code:
chmod +x /jffs/scripts/wan-start

5) If you already have dnsmasq.conf.add script skip this step.

Now we need to add to our dnsmasq configuration by means of a user-script.
Just like what we did in step 2), we must create the dnsmasq.conf.add file


Code:
/jffs/configs/dnsmasq.conf.add

6) Now we are ready to input our script data.
Note the name of the referenced .pac file (immunicity.pac); this is what is being referenced
from our wan-start script.

Code:
dhcp-option=252,"http://router.asus.com/immunicity.pac\n"

7) Now, save this in the following location:

Code:
/jffs/configs/dnsmasq.conf.add


8) Reboot your router for settings to take effect.

Job done. Implementation of Immunicity proxy PAC By-pass on the router level !


Things to tidy up:

If you are having issues accessing blocked sites which ARE already in the .PAC file you may want to
consider the following fixes:

Windows users who have references in their HOSTS file (C:\windows\system32\drivers\etc\hosts) which
are already in the PAC file should remove them or comment them out by adding a "#" at the beginning of the
line entry.

Clear your browser cache/cookies.

Clear your Windows stored DNS entries by issuing the following from the cmd line:

Code:
 ipconfig /flushdns

OR directly from the start menu run line (this does the same as above):

Code:
cmd /k ipconfig /flushdns

Read Immunicity FAQ
This works well with DNSCrypt & OpenDNS Guide

I will try to help with any issues or problems. Please, if you find this useful, send your feedback,
comments or suggestions!
(Ver 0.1)
 
The Wiki is open for anyone (with a Github account) to edit, so feel free to create a Wiki page for it once you are satisfied with your guide.

At first glance your guide seems technically sound. Good work :)
 
Awesome, thanks for doing this. We've tweeted the link.

While we don't currently have the capacity to test it, if it works, you can use it. :)

As you're probably aware, we've only really focused on configuring major browsers, but we're looking to expand and this is in the right direction.
 
Help: not working on my rt-n66u

Thank you guys for putting this useful information together. I have a pac file, which enables me to watch videos that have IP address restriction if I configure the pac file in browsers.

When I noticed this, I was amazed by such a brilliant idea. I followed the instructions carefully, but it seems it does not work for me. Is there any other thing I have to set on the router side to make it work?

My router: Asus RT-N66U
Firmware: 3.0.0.4.374.32 (Merlin build)

Thanks again for help.
:p


 
A guide to implement Immunicity proxy PAC By-pass on the router level.


3) Add the following into: /jffs/scripts/wan-start
Code:
#!/bin/sh

# Immunicity Proxy PAC file loader
# By-pass censored websites - Self-censorship :)

wget -q -O "/www/ext/immunicity.pac" "http://clientconfig.immunicity.org/pacs/all.pac"

I think I know why users complain it's not working. Take a look at syslog: DHCP server starts earlier than internet connection. It means immunicity.pac will be downloaded later than the PC requests it.

Solution? Keep a copy of immunicity.pac in JFFS partition and refresh it at wan-start.
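
The approach suggested in the post above, sketched as an added example (not code from the thread or from the firmware): keep a last-known-good PAC on JFFS, serve it immediately, and replace it only when a fresh download passes basic checks. The cache path `/jffs/configs/immunicity.pac` and the function names are assumptions; because the PAC is fetched over plain HTTP, the checks only catch broken downloads, not tampering.

```shell
#!/bin/sh
PAC_URL="http://clientconfig.immunicity.org/pacs/all.pac"  # URL from the thread
SERVED="/www/ext/immunicity.pac"       # web path used in the guide
CACHE="/jffs/configs/immunicity.pac"   # assumption: last-known-good copy on JFFS

# pac_is_sane FILE: non-empty, under 1 MiB, defines FindProxyForURL, not HTML.
# The download is plain HTTP, so this catches error pages, captive portals
# and truncated files; it cannot detect deliberate tampering in transit.
pac_is_sane() {
    [ -s "$1" ] || return 1
    [ "$(wc -c < "$1")" -le 1048576 ] || return 1
    grep -q 'function[[:space:]]*FindProxyForURL[[:space:]]*(' "$1" || return 1
    if grep -qi '<html' "$1"; then return 1; fi
    return 0
}

# publish_pac CACHE SERVED: copy a valid cache into the web root atomically.
publish_pac() {
    pac_is_sane "$1" || return 2
    cp "$1" "$2.tmp" && mv "$2.tmp" "$2"
}

# install_pac NEW CACHE SERVED
# returns 0 = NEW installed, 1 = NEW rejected and old cache kept,
#         2 = nothing valid to serve
install_pac() {
    _rc=0
    if pac_is_sane "$1"; then
        cp "$1" "$2.tmp" && mv "$2.tmp" "$2"
    else
        _rc=1
    fi
    publish_pac "$2" "$3" || return 2
    return "$_rc"
}

# refresh_pac: serve the cached copy at once (DHCP clients may ask for the
# PAC before the WAN is up), then try to replace it with a fresh download.
refresh_pac() {
    publish_pac "$CACHE" "$SERVED" || true
    _tmp="/tmp/immunicity.pac.$$"
    wget -q -O "$_tmp" "$PAC_URL" || : > "$_tmp"
    _res=0
    install_pac "$_tmp" "$CACHE" "$SERVED" || _res=$?
    rm -f "$_tmp"
    return "$_res"
}
# In /jffs/scripts/wan-start, end the script with a call to: refresh_pac
```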
 
First I think
dhcp-option=252,"http://router.asus.com/immunicity.pac\n"
should be
dhcp-option=252,"http://router.asus.com/ext/immunicity.pac\n"

And there's another issue that if PC A logs in to the router, PC B can not access router/ext at the same time. It will show an error.
 
I put a copy at /jffs/configs/proxy.pac

and then add a line in the wan-start script

cp /jffs/configs/proxy.pac /www/ext/proxy.pac

It seems that it still does not honor the pac file.

 
A little bit of confusion here.

Can you give more details on why there is a limitation on reading a pac file at the same time from PC A machine and PC B machine?

Thanks.

 
Works fine

Hi,
This works fine for me.

I am able to use the immunicity service for all devices connected to the LAN *Without* the need to manually enter immunicity pac URL into each browser of each devices connected to the network, which was the main aim of this implementation..

I have tested this setup with multiple devices all connected to the LAN; which include: Android GSM devices, ASUS Ultrabook and Workstation and my main server - All operated with desired results.

All lookup requests made to access "Blocked" sites are requested from various devices on the LAN through the N66U router. One central location for by-passing blocked sites are made from a locally held PAC file location, this being the ASUS N66U router.

At least in my case, device requests on the lan-side to access censored websites are handled via the embedded PAC file on the ASUS Router as opposed to the browser manually looking up request via the immunicity proxy service URL are now handled by the router instead..

I may have misunderstood your problem(s) but Why do you need to access the PAC file held on the router *directly* anyway? if, this is the reason for using this then you may as well just not bother using this and revert back to making your lookups using the original immunicity service method per each browser via the supplied PAC URL location..

I will be glad for some specific feedback on exactly what it is that you trying to achieve.

I hope this helps to give a better idea of what it is I wanted this implementation to achieve. :)
 
Anybody else got this working? In my router I can see that dhcp-option=252,"http://router.asus.com/etc/proxy.pac\n" is added to the end of /tmp/etc/dnsmasq.conf but it is just not working. Anybody have any idea?

Thanks.
 

I finally got this working.
I want to add that after you copy the proxy.pac file to /www/ext/ add the line below it in the wan-start file:

service restart_dnsmasq

I am still not sure this will work for mobile devices but it does work on my Windows 7 box.

I am using it to forward PCs on my network through the Privoxy adblockplus filter.

Enjoy.

[edit] Nevermind it's still not working as intended. I didn't realize that I had forwarded port 80 traffic to the proxy for my laptop. Upon reboot of the asuswrt router I lost the proxy features.
 