Set up Global Proxy for Linux VM

Last updated on 2021-09-22, Wed, 12:00 AM

Motivation

I’ve been preparing my blog recently, as well as learning how to use Linux.

Thus, I was wondering if I could install a Linux VM where I could store the blog source along with my GPG Keys. Meanwhile, a proxy should be online for this instance all the time.

Environment

Guest

  • Ubuntu 20.04 on VMware Workstation 15

Host

  • Windows 10 2004

1st Try: Built-in System Proxy

The guest VM and the host are in the same LAN, so I thought they could share one proxy. All I needed to do was set the proxy in the guest's settings.

But some programs refused to follow the setting, and it couldn't proxy UDP requests either. So I had to abandon this idea.

2nd Try: Qv2ray + cgproxy

Then I tried running a proxy inside the guest. Qv2ray seemed to be a good choice.

The proxy provider enabled http_simple for Shadowsocks, so I had to use a plugin. But the http_simple plugin for Qv2ray doesn't work, so I used a compatible alternative, ShadowsocksR, for this.

According to this and this, I configured cgproxy, but it didn't work for snap.

The cgproxy log showed: [no proxy] snap…

I had to give this up.

3rd Try: mellow-io/mellow

I had known about mellow-io before, but it seemed not to be very popular, since it is relatively new. I didn't find anyone sharing their experience of configuring it.

According to its readme:

Mellow is a rule-based global transparent proxy client for Windows, macOS and Linux. Also a Proxifier alternative.

The repository has detailed configuration samples.

It’s quite simple to configure a global proxy.

xxx.conf

[Endpoint]
Dns-Out, builtin, dns
Socks-Out, builtin, socks, address=192.168.27.1, port=1080

[RoutingRule]
GEOIP, private, DIRECT
FINAL, Socks-Out

[Dns]
hijack = Dns-Out

[DnsServer]
1.1.1.1
8.8.8.8, 53, Remote
8.8.4.4

I assigned a static IP 192.168.27.1 to the host machine so that the guest can always reach it.

Auto Launch in the menu did not work as expected, so I added the AppImage to the system startup applications.

2021-06-10 Update

DNS queries were really slow. I found mellow's improper DNS hijacking strategy was to blame, so I simply stopped special-casing UDP port 53.

[Endpoint]
Socks-Out, builtin, socks, address=192.168.27.1, port=1080

[RoutingRule]
GEOIP, private, DIRECT
FINAL, Socks-Out

2021-08-26 Update

Hijacking DNS to Socks-Out also works.

[Endpoint]
Socks-Out, builtin, socks, address=192.168.27.1, port=1080
DIRECT, builtin, freedom, domainStrategy=UseIP
Dns-Out, builtin, dns

[RoutingRule]
GEOIP, private, DIRECT
FINAL, Socks-Out

[Dns]
hijack = Socks-Out

2021-09-22 Update

Add iptables rules to prevent potential leaks.

Some processes, tdesktop for example, may attempt to push their connections directly out of the outbound network card.

So I had to intercept them at the final outbound hop.

Here $INTERFACE refers to the network card that you use to connect to the external network.

#!/bin/bash
# Leak prevention: anything that tries to leave on the external card without
# going through mellow is dropped, except bypassed and reserved ranges.
# Both variables must be set before running, e.g. INTERFACE=ens33
: "${INTERFACE:?set INTERFACE to the network card used for the external network}"
: "${IP_CIDR_TO_BYPASS:?set IP_CIDR_TO_BYPASS to a network that should bypass the proxy}"

# Remove a previous copy of the chain so the script can be re-run safely
# (only our own chain is touched; other tables and chains stay intact)
iptables -t mangle -D POSTROUTING -j V2RAY 2>/dev/null
iptables -t mangle -F V2RAY 2>/dev/null
iptables -t mangle -X V2RAY 2>/dev/null

# Create new chain
iptables -t mangle -N V2RAY

# Add IP addresses that you want to bypass
iptables -t mangle -A V2RAY -d "$IP_CIDR_TO_BYPASS" -j RETURN

# Bypass reserved addresses and block all other connections
# (order matters: the RETURN rules must come before the final DROP)
iptables -t mangle -A V2RAY -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A V2RAY -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A V2RAY -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A V2RAY -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A V2RAY -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY -d 0.0.0.0/0 -o "$INTERFACE" -j DROP

# Apply this chain on POSTROUTING
iptables -t mangle -A POSTROUTING -j V2RAY

# Save the rules for iptables (overwrite rather than append, so each run
# leaves exactly one rule set); adjust the reload step to your
# distribution's persistence mechanism (Ubuntu: iptables-persistent)
iptables-save > iptables.rules
systemctl reload iptables
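To check that the chain above behaves as intended before relying on it, here is a small simulator added to this page (not part of the original post or of mellow): it walks the V2RAY chain the way netfilter does, first match wins, and confirms that the proxy host stays reachable while a direct packet to a public address on the external card is dropped. The interface name ens33, the TUN name tun0 and the bypass range 203.0.113.0/24 are assumed values.

```python
import ipaddress

# Assumed name of the external card ($INTERFACE in the script above).
INTERFACE = "ens33"

# The V2RAY chain from the script, in order: (destination CIDR, target).
# $IP_CIDR_TO_BYPASS is assumed to be 203.0.113.0/24 (a constructed value).
V2RAY_CHAIN = [
    ("203.0.113.0/24", "RETURN"),
    ("0.0.0.0/8", "RETURN"),
    ("10.0.0.0/8", "RETURN"),
    ("127.0.0.0/8", "RETURN"),
    ("169.254.0.0/16", "RETURN"),
    ("172.16.0.0/12", "RETURN"),
    ("192.168.0.0/16", "RETURN"),
    ("224.0.0.0/4", "RETURN"),
    ("240.0.0.0/4", "RETURN"),
    ("0.0.0.0/0", "DROP"),   # this rule also carries "-o $INTERFACE"
]


def verdict(dst: str, out_iface: str, chain=V2RAY_CHAIN) -> str:
    """Return ACCEPT or DROP for a packet to dst leaving on out_iface.

    Rules are checked top to bottom and the first match decides. RETURN
    leaves the chain and the packet falls through to POSTROUTING's default
    policy, which is ACCEPT."""
    ip = ipaddress.ip_address(dst)
    for cidr, target in chain:
        if ip not in ipaddress.ip_network(cidr):
            continue
        if target == "DROP" and out_iface != INTERFACE:
            continue          # the DROP rule only matches the external card
        return "ACCEPT" if target == "RETURN" else target
    return "ACCEPT"


def chain_is_sane(chain=V2RAY_CHAIN) -> bool:
    """The catch-all DROP must be the single last rule; a RETURN placed after
    it is dead, and a DROP placed earlier would cut off the proxy host too."""
    targets = [t for _, t in chain]
    return targets.count("DROP") == 1 and targets[-1] == "DROP"


if __name__ == "__main__":
    for dst, iface in [("192.168.27.1", "ens33"), ("1.1.1.1", "ens33"),
                       ("1.1.1.1", "tun0"), ("203.0.113.5", "ens33")]:
        print(f"{dst:>14} via {iface:<5} -> {verdict(dst, iface)}")
    print("chain order ok:", chain_is_sane())
```

The second case is the interesting one: a resolver such as 1.1.1.1 queried directly on the external card is dropped, which is why DNS has to be hijacked into Socks-Out for this setup to keep working.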

Then I modified mellow's configuration file in this way:

[Endpoint]
Socks-Out, builtin, socks, address=127.0.0.1, port=7891
Direct, builtin, freedom, domainStrategy=UseIP
Reject, builtin, blackhole

[RoutingRule]
PROCESS-NAME, trojan-go, Direct
GEOIP, private, Direct
FINAL, Socks-Out

[Dns]
hijack = Socks-Out

And I added a forward proxy for trojan-go like this:

"forward_proxy": {
    "enabled": true,
    "proxy_addr": "192.168.27.1",
    "proxy_port": 3989,
    "username": "",
    "password": ""
},

And I set up a SOCKS5 server on the host:

{
  "log": {
    "loglevel": "debug"
  },
  "inbounds": [
    {
      "port": 3989,
      "listen": "192.168.27.1",
      "protocol": "socks",
      "settings": {
        "auth": "noauth",
        "udp": true
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {},
      "tag": "direct"
    }
  ]
}

It works as expected.

Summary

Not a good solution, but that’s enough for me to use.

Anyway, it works.


https://blog.h3a.moe/en/src/d07096/
Author
H3arn
Posted on
2020-12-18, Fri, 12:00 AM
Updated on
2021-09-22, Wed, 12:00 AM