Idea

There’s a computer connected to the WiFi router as a client. This computer has access to the internet and shares that connection over an HTTP proxy. This also provides ad-blocking.
Clients connected to the WiFi router shouldn’t have to configure HTTP proxy server settings, nor should they have access to the computer running the proxy server. This is done via an unbridged guest VAP with “client isolation” and “net isolation”.

The idea is the same as the OpenVPN client setting, or rather like the Matsuri proxy toolchain on Android.

The only answers I found talked about redirecting port 80 traffic to the HTTP proxy via iptables, but that’s not what I want. It would also only work for web traffic, I believe, since it’s just redirecting it to the proxy and not issuing CONNECT requests.

Specific use case

So… my phone has mobile data. It is also connected to a VPN and uses NextDNS for (not only) ad-blocking. In Termux, I set up tinyproxy and also null-routed access to private IP ranges and CG-NAT:

...
#Here I am attempting to null route local IP address ranges by pointing the upstream proxy option to 0.0.0.0:0 as described in the tinyproxy.conf man page.
#Format: Upstream <type> <host:port> "<site_spec>" -- requests to a matching site_spec go to the given upstream.
#IPv4 localhost
Upstream http 0.0.0.0:0 "127.0.0.1/8"
#IPv4 private addresses (RFC 1918)
Upstream http 0.0.0.0:0 "10.0.0.0/8"
Upstream http 0.0.0.0:0 "172.16.0.0/12"
Upstream http 0.0.0.0:0 "192.168.0.0/16"
#IPv4 CG-NAT (I am not sure this helps anything, but it doesn't hurt either)
Upstream http 0.0.0.0:0 "100.64.0.0/10"
#IPv4 link-local
Upstream http 0.0.0.0:0 "169.254.0.0/16"
#IPv6 localhost
Upstream http 0.0.0.0:0 "::1"
#IPv6 Unique Local Addresses (fc00::/7 covered as two /8s)
Upstream http 0.0.0.0:0 "fc00::/8"
Upstream http 0.0.0.0:0 "fd00::/8"
#IPv6 link-local addresses
Upstream http 0.0.0.0:0 "fe80::/10"
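To sanity-check which destinations the null-route block above actually covers, here is an added Python example (my own code, not from the post and not part of tinyproxy) that parses the Upstream lines out of a constructed copy of the config and tests candidate destinations against them. It follows the post's convention that an Upstream whose target is 0.0.0.0:0 is a black hole, and it checks literal IP addresses only: on my reading of tinyproxy's upstream matching, an IP/CIDR site_spec is compared against the host exactly as it appears in the request, so a hostname that resolves to a private address is not caught by these rules (treat that as an assumption and verify it against the tinyproxy version in use; the same goes for whether IPv6 site_specs are honoured). The config text and the destinations are constructed for the example.

```python
import ipaddress

# Constructed copy of the null-route rules discussed above (same shape as the
# posted tinyproxy.conf), plus one ordinary upstream line to show it is skipped.
SAMPLE_CONF = """
# IPv4 localhost
Upstream http 0.0.0.0:0 "127.0.0.1/8"
Upstream http 0.0.0.0:0 "10.0.0.0/8"
Upstream http 0.0.0.0:0 "172.16.0.0/12"
Upstream http 0.0.0.0:0 "192.168.0.0/16"
Upstream http 0.0.0.0:0 "100.64.0.0/10"
Upstream http 0.0.0.0:0 "169.254.0.0/16"
Upstream http 0.0.0.0:0 "::1"
Upstream http 0.0.0.0:0 "fc00::/8"
Upstream http 0.0.0.0:0 "fd00::/8"
Upstream http 0.0.0.0:0 "fe80::/10"
Upstream http proxy.example.net:3128 ".example.org"
"""

# The post's black-hole upstream: nothing listens on 0.0.0.0:0, so the request fails.
NULL_UPSTREAM = "0.0.0.0:0"


def parse_null_routes(conf_text):
    """Return the IP networks whose upstream is the 0.0.0.0:0 black hole."""
    nets = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # Expected shape: Upstream <type> <host:port> "<site_spec>"
        if len(parts) != 4 or parts[0].lower() != "upstream":
            continue
        _, _, target, site_spec = parts
        if target != NULL_UPSTREAM:
            continue
        site_spec = site_spec.strip('"')
        try:
            # strict=False accepts host-style specs such as 127.0.0.1/8
            nets.append(ipaddress.ip_network(site_spec, strict=False))
        except ValueError:
            # A domain-style site_spec (".example.org"), not an address range.
            pass
    return nets


def is_null_routed(destination, nets):
    """True if the destination is a literal IP inside a black-holed range.

    Hostnames return False on purpose: under the assumption stated in the
    lead-in, IP/CIDR rules are matched against the host as written in the
    request, so "router.lan" is not covered even if it resolves to 192.168.x.x.
    """
    try:
        addr = ipaddress.ip_address(destination.strip("[]"))
    except ValueError:
        return False
    return any(addr in net for net in nets)


def check(destinations, conf_text=SAMPLE_CONF):
    """Map each destination to whether the config black-holes it."""
    nets = parse_null_routes(conf_text)
    return {dest: is_null_routed(dest, nets) for dest in destinations}


if __name__ == "__main__":
    # Constructed destinations: private, CG-NAT, link-local, public and a hostname.
    for dest, blocked in check(["127.5.5.5", "192.168.1.1", "100.127.0.1",
                                "[fe80::1]", "8.8.8.8", "router.lan"]).items():
        print(f"{dest:14} {'null-routed' if blocked else 'allowed'}")
```

The last case is the one to keep in mind: a client request for a name on the LAN passes these rules even though the address it resolves to would not, so the isolation has to come from the network side (the unbridged guest VAP in the setup above) rather than from this list alone.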

This is fine if the phone is accessible to other hosts and setting up the proxy on each host isn’t a problem. For example, it’s useful on a school network.
But that’s not the case here.

Purpose

Forcing all users to use the VPN, subjecting them to my blocking, and providing a larger range than the phone’s hotspot.
Fun fact: the first of these can be achieved via the hotspot on devices running the PixelExperience custom ROM.

Not so possible solution

Running an OpenVPN server on the phone. DD-WRT already has an OpenVPN client. Unfortunately, this would require root, it seems.

Partial solution

The partial solution is connecting the router to the VPN somewhat directly and also setting it to use NextDNS.

I was trying to write a guide here, but it was getting unnecessarily long.
So just TL;DR:
Set up the router to use OpenVPN but replace the server IP and port with the phone’s address and chosen port, set the router to use only NextDNS, connect the phone to both WiFi and mobile data, force it to use mobile data for internet, and forward that port to the actual OpenVPN server using socat in Termux.
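The socat step in that procedure is a plain TCP relay, so it is worth seeing what it does and what it exposes. The following is an added Python example (my own code, not from the post, not socat) of the same relay: it accepts connections on one address and copies bytes both ways to a target. A constructed echo server stands in for the real OpenVPN server so the example runs offline; addresses and ports are placeholders. The listener is bound to a specific address rather than 0.0.0.0, which is what socat's bind= option does, so only hosts that can reach that address (the router on the WiFi side, in the setup described) can use the relay. It carries TCP only; an OpenVPN tunnel running over UDP would need a UDP relay instead.

```python
import socket
import threading

# Placeholder listen address: in the post's setup this would be the phone's WiFi
# address, so the relay is not reachable from the mobile-data side.
LISTEN_HOST = "127.0.0.1"


def _pump(src, dst):
    """Copy bytes one way until src closes, then half-close dst so the peer sees EOF."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _serve(listener, on_client):
    """Accept loop with a timeout so a stop request is noticed; returns stop()."""
    listener.settimeout(0.2)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.settimeout(None)
            on_client(conn)
        listener.close()

    threading.Thread(target=loop, daemon=True).start()
    return stop.set


def _listen(host, port):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    return srv


def start_forwarder(target_host, target_port, listen_host=LISTEN_HOST, listen_port=0):
    """Relay every connection on listen_host:listen_port to target_host:target_port.

    Returns (bound_port, stop); bound_port matters when listen_port=0 (OS picks one).
    """
    srv = _listen(listen_host, listen_port)

    def on_client(client):
        try:
            upstream = socket.create_connection((target_host, target_port), timeout=5)
        except OSError:
            client.close()  # target unreachable: drop the client, keep serving
            return
        upstream.settimeout(None)
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    return srv.getsockname()[1], _serve(srv, on_client)


def start_echo_server():
    """Constructed stand-in for the real server: echoes whatever it receives."""
    srv = _listen("127.0.0.1", 0)

    def on_client(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    return srv.getsockname()[1], _serve(srv, on_client)


def demo(payload=b"constructed client bytes"):
    """Send payload through the relay to the echo server and return what comes back."""
    echo_port, stop_echo = start_echo_server()
    fwd_port, stop_fwd = start_forwarder("127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        stop_fwd()
        stop_echo()


if __name__ == "__main__":
    print(demo())
```

The relay sees every byte of the tunnel, which is harmless for OpenVPN because the tunnel is encrypted end to end between router and server; the thing to control is who can reach the listener, hence the explicit bind address.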

This has flaws though. I either have to set up split-tunnelling for Termux, or end up with VPN-over-VPN if I also want the VPN on the phone. Secondly, whatever VPN you’re using may only allow a limited number of clients per user.

Other use cases

Simple internet access on a network where the only internet access is via an HTTP proxy (e.g. a campus network), or a connection via Tor using its HTTP proxy.

If you have any ideas, thanks. If not, still thanks as you read at least a part of this.