Using a proxy to selectively route traffic through VPN

zelklen

Hello, I would like to use a VPN to secure some of my internet traffic. But from what I understand, if I simply enable OpenVPN on my router, and connect to a VPN, it will route traffic through the VPN on a per-machine basis.
I only want to send some of my traffic through the VPN (web browser, for example). So I thought I could try to set up a proxy server on my router as well. Then I can selectively send traffic to my own proxy server, and have all of the proxy server's traffic routed through the VPN.

I don't even know if my understanding of the situation is correct. I've been stumbling around, reading guides and articles on the subject for about ten hours now. Is my intended setup even reasonable?

I installed Entware on my RT-AC66U running ASUSWRT-Merlin, and then I tried to install Privoxy. I am aware that the file system for the router is a bit different than Linux would normally use, but when I try to start Privoxy I am told:
"
zelklen@RT-AC66U-04A0:/tmp/mnt/entware/entware/sbin# privoxy start
2018-06-30 13:18:50.228 2aab0310 Fatal error: can't check configuration file '/tmp/mnt/entware/entware/sbin/start': No such file or directory
"
Which makes perfect sense, because there is no start file or directory there:
"
zelklen@RT-AC66U-04A0:/tmp/mnt/entware/entware/sbin# ls
ldconfig privoxy
"
I don't know how to proceed. Currently, I tried simply touching a "config" file, and then it will let me start Privoxy, and I can see it running in top, but I can't seem to do anything with it, and it definitely doesn't show up on the clients list of the router. So I'm trying to just write a Privoxy config file by hand, following what Privoxy has for documentation on their website. Maybe it will work, maybe it won't. I would love to get some help.
 
I recommend you review some of the posts on the Selective Routing with Asuswrt-Merlin thread first to get an overview of the techniques. There are many posts and the techniques used in some of the older posts are no longer recommended. Perhaps start with https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-25#post-289515.

You do not need a proxy to do what you want. I am in the process of updating my selective routing scripts and will be posting them on GitHub over the next few weeks. You can see the most recent iteration at this post.

The 66U model uses an older version of ipset and does not appear to support the new method of fwmark. You can get it to work, but changes will be required as @Joseph Douce did with my script here. Good reason to update to an AC86U. Plus, the CPU will provide much better OpenVPN performance than your current model.
 
Thank you Xentrk!

My plan is, if I can get this working as I would like, then I will upgrade to an AC86U (it is so much better than what I currently have). But if I can't get things set up, then I won't be using a VPN, and what I currently have is working just fine.

In that thread you linked, they are routing traffic based on the source IP (like OP's PS3, or a laptop), or by destination (like Netflix), both of which are cool, but not what I am hoping to set up.

What I would really like is for my proxy server to be in my router's client list, so I can force all traffic from the proxy to a VPN. Then, I can set applications on a computer-by-computer basis to use the local proxy, which will force all of the application's traffic through the VPN, while other traffic will go the regular route out to the WAN. I know that this can be done if I dedicate a Raspberry Pi to it, but I am hoping for an all-virtual solution on my router.

I will keep reading, and will post updates if and when I am able to figure out how to do this.
 
I think that what I might be able to do is create a namespace, and inside of it, create a virtual network interface controller and a forward proxy server. I'm not sure how this will interact with the DHCP server though. I'm still trying to get the proxy server sorted out, I am still working with Privoxy. I believe the terminology for what I want the proxy to do is called a Forward Proxy.
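
The setup described in the posts above, as an added example that is not code from the thread or from any participant: traffic generated by a Privoxy process on the router is marked by process owner and policy-routed into the tunnel, with a rule that rejects it if the tunnel is down. The uid, LAN subnet, `tun11`, mark value and table number are assumptions, as are firmware support for the iptables `owner` match and fwmark rules, and reverse-path filtering being off or loose on the tunnel interface.

```sh
#!/bin/sh
# Added example, not from the thread. Every value below is an assumption.
PROXY_UID=${PROXY_UID:-1001}          # hypothetical uid of the account Privoxy runs as
LAN_NET=${LAN_NET:-192.168.1.0/24}    # LAN clients that talk to the proxy
VPN_IF=${VPN_IF:-tun11}               # OpenVPN client tunnel interface
MARK=${MARK:-0x1}                     # firewall mark reserved for proxy traffic
TABLE=${TABLE:-100}                   # dedicated routing table number

# Privoxy takes its config file path as the argument, e.g. (hypothetical path):
#   privoxy --user <account> /path/to/privoxy/config

# Emit the rule set one command per line so it can be reviewed before use.
proxy_vpn_rules() {
  cat <<EOF
ip route replace default dev $VPN_IF table $TABLE
ip rule add fwmark $MARK table $TABLE priority 1000
iptables -t mangle -A OUTPUT -m owner --uid-owner $PROXY_UID ! -d $LAN_NET -j MARK --set-mark $MARK
iptables -t nat -A POSTROUTING -o $VPN_IF -m mark --mark $MARK -j MASQUERADE
iptables -I OUTPUT -m mark --mark $MARK ! -o $VPN_IF -j REJECT
EOF
}
# 1. The dedicated table holds only a default route into the tunnel.
# 2. Packets carrying the mark consult that table before the main one.
# 3. Only packets created by the proxy account are marked; replies to LAN
#    clients are excluded so they still leave through the LAN side.
# 4. The source address picked before re-routing is the WAN one; rewrite it.
# 5. Fail closed: if the tunnel is down its route vanishes and marked packets
#    fall back to the WAN route; this rule rejects them instead of leaking.
# Not covered: DNS lookups forwarded by the router's own resolver run under a
# different uid, so they are not marked and do not use the tunnel.

# Print the plan by default; APPLY=1 (as root, on the router) installs it.
if [ "${APPLY:-0}" = 1 ]; then proxy_vpn_rules | sh -e; else proxy_vpn_rules; fi
```

Clients that should use the VPN point their proxy setting at the router's LAN address and Privoxy's listening port; everything else on the same machine keeps the normal WAN route.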
 
