Posted by & filed under Programming & Sysadmin.

Some might say it’s a bit over-the-top, “NSA-like”, to monitor your own home network. But honestly, if you are raising kids these days, you know that creepy people may try to get into your home through a strand of glass fiber, a twisted pair of wires or the wifi, and from there into your kids’ heads. You can’t stop the creeps without turning off the Internet. And, well, good luck with that.

That is the reason for monitoring, and for any kind of controls you might place on access. So, with the justification out of the way, here’s the problem, and the solution.

The problem with commercial home routers is that they are designed to be as simple as possible, so that they generate very few support calls for the ISP. If you want “parental controls”, the ISP will provide them on their end via some subscription $ervice or a third party, or not at all. You can put the family PC in the living room. If you are lucky, your router may have some basic controls that let you block certain sites by name, or turn off the wifi at certain hours. But there’s nothing that will tell you what sites were visited, when, and how many times. You can install software on computers to monitor this (Blue Coat, etc.), but it’s harder to monitor a couple of phones, tablets, Rokus, an Xbox, a PS3, and whatever else attaches to your wifi.

The only ways to monitor those devices are a proxy server, or packet capture and analysis. A transparent proxy does it without touching the end-user devices (nothing on the phone or console knows a proxy is there), so that’s the approach I took, since it’s not practical to configure a proxy on every device. Packet capture sees more, since a transparent proxy only ever sees the traffic you redirect to it, but it requires more hardware than I was willing to throw at this problem.

My $dayjob is linux sysadmin, so I’m comfortable using open source router firmware and other open source tools and applications. Of course, there are a lot of different ways to put open source software together, and a lot of choices. The approach outlined here is just one way to accomplish what I wanted.

  1. Get a router that supports it, and install OpenWrt, an open-source and very customizable router firmware. Get it working first.
  2. Install two additional packages on OpenWrt: tinyproxy and luci-app-tinyproxy.
  3. If you don’t have one already, I’d recommend adding a PC to your network, configured as a linux server that can collect and analyze your proxy logs. You could probably do this right on the OpenWrt router, but depending on the size of the logs it might be difficult (flash and RAM are small). The PC can be any old desktop PC you have available.

Note that this setup only redirects port 80, so tinyproxy sees plain HTTP only. Port 443 (SSL/TLS) is a different problem: a proxy can’t read the inside of an encrypted connection, so the most you can log without extra work is which host was contacted, and to see URLs you would have to terminate TLS on the router with your own CA certificate installed on every device. If you need that, look at squid (its ssl_bump feature) instead of tinyproxy.

To set up a transparent proxy using tinyproxy, open the OpenWrt admin interface (LuCI). Under tinyproxy’s configuration, set the port to 8123, make sure it listens on the LAN address, and check that the allowed-clients list covers your LAN subnet. Your tinyproxy build also needs transparent-proxy support (tinyproxy’s --enable-transparent configure option); without it, tinyproxy answers the redirected requests with an error, because they arrive with a relative URL plus a Host header instead of the full proxy-style URL. Under Network -> Firewall -> Custom Rules, add firewall rules that redirect port 80 to tinyproxy. You probably do not want to proxy every device, so I’d recommend giving every device a static lease in OpenWrt’s DHCP settings. That way each device always gets the same IP, and you can use that IP to select which devices are proxied. Add the following line for each device you want to proxy, modified as needed for your network:

iptables -t nat -A PREROUTING -i br-lan -s 192.168.1.5 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8123

In the above example, 192.168.1.5 is the device you want to proxy, 192.168.1.1 is your OpenWrt router’s LAN IP address, and 8123 is the port that tinyproxy is listening on. “br-lan” is the default name of the LAN bridge interface on my router; yours may be different. Test it: from the proxied device load a plain http:// page, then check that the packet counter on the rule (iptables -t nat -L PREROUTING -v -n) and the request count on tinyproxy’s status tab both go up.
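As an added example (my code, not something from the original post), here is a small helper in the style of /etc/firewall.user that generates the same DNAT rule for every device you list, so the set of proxied devices lives in one place instead of being pasted once per line. It assumes the values used above (router 192.168.1.1, tinyproxy on port 8123, LAN bridge br-lan) and adds one thing the single rule lacks: a "! -d" exclusion so that requests from a proxied device to the router’s own web interface on port 80 are not pushed through the proxy.

```shell
#!/bin/sh
# Added example for /etc/firewall.user on OpenWrt (not code from the original post).
# Assumed values, change for your network: router LAN IP, tinyproxy port, LAN bridge.
ROUTER_IP=${ROUTER_IP:-192.168.1.1}
PROXY_PORT=${PROXY_PORT:-8123}
LAN_IF=${LAN_IF:-br-lan}

# proxy_rules IP [IP ...]
# Print one nat/PREROUTING DNAT rule per device (give each a static DHCP lease)
# that redirects its outbound port-80 TCP to tinyproxy.  "! -d $ROUTER_IP"
# leaves the device's requests to the router's own web interface alone.
proxy_rules() {
    for dev in "$@"; do
        printf 'iptables -t nat -A PREROUTING -i %s -s %s ! -d %s -p tcp --dport 80 -j DNAT --to-destination %s:%s\n' \
            "$LAN_IF" "$dev" "$ROUTER_IP" "$ROUTER_IP" "$PROXY_PORT"
    done
}

# apply_rules IP [IP ...]
# Echo each rule and run it.  With DRY_RUN=1 the rules are only printed,
# which is handy for checking them before reloading the firewall.
apply_rules() {
    proxy_rules "$@" | while IFS= read -r rule; do
        echo "$rule"
        [ "${DRY_RUN:-0}" = 1 ] || eval "$rule"
    done
}

# Usage from /etc/firewall.user (re-run on every firewall reload):
#   apply_rules 192.168.1.5 192.168.1.6
if [ $# -gt 0 ]; then
    apply_rules "$@"
fi
```

Check that the rules are live with iptables -t nat -L PREROUTING -v -n: the pkts counter on a device’s rule should climb when that device loads a plain http:// page. If the counter climbs but tinyproxy’s request count does not, tinyproxy is not listening where the rule points (netstat -tln should show the 8123 listener) or its allowed-clients list does not include the LAN subnet.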

If you are logging to an external linux box, you’ll need to configure OpenWrt. Under tinyproxy settings, check the box to “log via syslog”, then under system settings point OpenWrt’s logging at your linux box (the external syslog server field, normally UDP port 514). On the linux box, enable remote reception in your syslog daemon (rsyslog’s imudp module, or a udp() source in syslog-ng) and restrict it to the router’s IP in the firewall: syslog over UDP is unauthenticated, so anything on the network could otherwise write to, or flood, your log.

Analyzing Logs:

I couldn’t find anything free on the Internet to process tinyproxy logs, so here’s a script I wrote that outputs a couple of html tables; I run it from a daily cron job.

download proxy_report.tar.gz (includes some required unmodified jquery js libs)

It requires perl. An example of what the tables look like is below:

[Screenshot: proxy report]
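The proxy_report script itself is only available as the download above. As an added example (my code, not the author’s script), here is a shell/awk summary of which client fetched which host how many times, the same kind of table in its simplest form. It assumes tinyproxy logs at level Info through syslog, so each line arrives as “timestamp host tinyproxy[pid]: message”, and that the messages of interest are the “Connect (file descriptor N): … [ip]” and “Request (file descriptor N): METHOD URL HTTP/x” pairs. The client IP is only on the Connect line and the URL only on the Request line, so the two are joined on tinyproxy’s pid and file descriptor (a descriptor number is reused across processes, so pid alone or fd alone is not enough). The sample log lines are constructed; compare the patterns against a few real lines from your own log before trusting the output, which is also the first thing to do when the report comes out empty, as in several of the comments below.

```shell
#!/bin/sh
# Added example (not the original post's proxy_report script): summarise
# tinyproxy syslog lines as "client host count".  The line shapes are assumed
# from tinyproxy's Connect/Request messages; adjust the patterns if yours differ.

# sample_log: constructed lines in the assumed syslog-forwarded format.
# Note that pid 1433 reuses file descriptor 7, already seen under pid 1432,
# and that the last request is a transparent one with only a relative URL.
sample_log() {
cat <<'EOF'
Mar  3 19:02:11 openwrt tinyproxy[1432]: Connect (file descriptor 7): 192.168.1.5 [192.168.1.5]
Mar  3 19:02:11 openwrt tinyproxy[1432]: Request (file descriptor 7): GET http://www.example.com/ HTTP/1.1
Mar  3 19:02:12 openwrt tinyproxy[1432]: Connect (file descriptor 8): 192.168.1.5 [192.168.1.5]
Mar  3 19:02:12 openwrt tinyproxy[1432]: Request (file descriptor 8): GET http://www.example.com:80/a.png HTTP/1.1
Mar  3 19:05:40 openwrt tinyproxy[1433]: Connect (file descriptor 7): 192.168.1.6 [192.168.1.6]
Mar  3 19:05:40 openwrt tinyproxy[1433]: Request (file descriptor 7): GET http://news.example.org/top HTTP/1.1
Mar  3 19:06:02 openwrt tinyproxy[1433]: Connect (file descriptor 9): 192.168.1.6 [192.168.1.6]
Mar  3 19:06:02 openwrt tinyproxy[1433]: Request (file descriptor 9): GET / HTTP/1.1
EOF
}

# proxy_report [logfile ...]: read tinyproxy syslog lines (stdin if no file is
# given) and print "client host count", grouped by client, busiest host first.
proxy_report() {
    awk '
    # pid from "tinyproxy[1432]:"; the (pid, fd) pair identifies one connection
    match($0, /tinyproxy\[[0-9]+\]/) { pid = substr($0, RSTART + 10, RLENGTH - 11) }

    # fd from "(file descriptor N)"
    /\(file descriptor [0-9]+\)/ {
        fd = $0; sub(/.*file descriptor /, "", fd); sub(/\).*/, "", fd)
    }

    # Connect line: remember which client IP owns this connection
    /: Connect \(file descriptor/ {
        ip = $0; sub(/.*\[/, "", ip); sub(/\].*/, "", ip)
        client[pid, fd] = ip
    }

    # Request line: "METHOD URL PROTOCOL" are the last three fields
    /: Request \(file descriptor/ {
        n = split($0, f, " "); url = f[n - 1]
        host = url
        sub("^[a-z]+://", "", host)   # drop the scheme
        sub("[/:].*", "", host)       # drop port and path
        if (host == "") host = "(no-host)"   # relative URL: host was only in the Host header
        ip = ((pid, fd) in client) ? client[pid, fd] : "unknown"
        count[ip " " host]++
    }
    END { for (k in count) print k, count[k] }
    ' "$@" | LC_ALL=C sort -k1,1 -k3,3nr
}
```

Run it as sample_log | proxy_report to see the shape of the output, or proxy_report /var/log/tinyproxy.log on the collected log. The (no-host) row is the catch for transparently redirected requests: the browser sends “GET / HTTP/1.1” with the site name in the Host header, so the Request line alone does not say where the request went. If your log looks like that, the host has to be taken from another message logged for the same connection; look at a few raw lines and extend the Request block accordingly.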

17 Responses to “Home networks – A Transparent Proxy to Monitor Kids”

      • André Gonzalez

        Hello!
        I made the recommended changes to the script and installed perl, but when I run the script it gives a compilation error on lines 10 and 11. When I comment out lines 10 and 11 the script works and even generates report.html, but no information appears in it. I checked that my log file is being written with “tail -f /var/log/tinyproxy.log”, and it does change when I make http requests. Could you please help me?

        Reply
        • admin

          It sounds like you have a lighter version of perl installed (no strict.pm or warnings.pm).
          I have tinyproxy configured to log at level INFO, and the box checked for “log to syslog”.
          I’ve only tested it on my install of perl, with tinyproxy. It seems like it may not be parsing the log correctly. If you send a few lines of your log, I’ll take a look and see if it can be fixed.

          Reply
          • André Gonzalez

            Good afternoon! I managed to solve the script problem! I’m using OpenWrt Attitude Adjustment 12.09. When I ran the script, the files strict.pm and warnings.pm had to be present in /usr/lib/perl5/5.10; I fixed it by installing perlbase-essential via opkg.
            Now I don’t know why the information from my log file isn’t imported into report.html after running the script.

            If I check the “Use syslog” option, how do you point the script at the log path?

  1. André Gonzalez

    Hello!
    I made the recommended changes to the report.pl file, but when I run the script an error appears on lines 10 and 11. I have perl installed, and my log file is being generated normally. report.html is only generated when I comment out lines 10 and 11 of report.pl, but it does not import my log file.
    Could you please help me?

    Reply
  2. Cartero

    Hi, great job.
    I did exactly what you did but don’t get any url access log from tinyproxy. It seems to start correctly but does not broadcast any messages from the ip I set in the firewall’s custom rule. Is there any other config for tinyproxy or setting the port is enough?
    Thx!

    Reply
    • admin

      If the firewall rule is working correctly, the status tab for the tinyproxy service should show the number of requests increasing.

      Reply
    • André Gonzalez

      Hello!

      If you are using OpenWrt, enable tinyproxy. Use “netstat -tl” and see if the port you configured in tinyproxy is listening.

      You should also do port forwarding with “iptables -t nat -A PREROUTING -i <eth*> -p tcp --dport 80 -j REDIRECT --to-port <port>”, where eth* is the interface on which tinyproxy will listen for requests.

      Important: the tinyproxy log file must have the right permissions; it is written by user nobody and group nogroup.

      Afterwards use “tail -f /var/log/My.Log” to see if logs are being written.

      Reply
  3. James

    Can’t seem to see any sites visited on the report. I’m sure I have everything set up correctly. The report runs correctly, there’s just no data included in it. Any help is appreciated.

    Reply
    • admin

      Is tinyproxy writing log entries?
      If YES, please share a line or two of the log. Maybe it’s not being parsed properly.

      Reply
  4. Michael Tarbox

    I thought I had followed your instructions, except for ports to a T, however it doesn’t appear to be working and there are no log files generated. Using a modified openwrt version. Ideas?

    Reply
    • admin

      Try running the perl script manually. Does it write a file?
      Does the user running the script have permissions to write the file where you configured it to?

      Reply
      • Michael Tarbox

        Attempted that, still not generating log files.
        Running as nobody and nogroup, so permissions I think are good.
        Running on 192.168.0.254:8888, with allowed clients on 192.168.0.1/24 so maybe my port needs to be switched? BTW, complete ‘nix noob. However I do like to think I can read and comprehend directions.

        Reply
  5. Squidblacklist

    We are the worlds leading publisher of Squid ‘Native ACL’ formatted blacklists, that allow for web filtering directly with Squid proxy. Of course we also offer alternative formats for the most widely used third party plugins, such as DansGuardian and Squidguard. And while our blacklists are subscription based, they are as a result of our efforts, of a much higher degree of quality than the free alternatives.

    We hope to serve you,


    Signed,

    Benjamin E. Nichols
    http://www.squidblacklist.org

    Reply
  6. Brian

    Thank you for this helpful post. I’m actually in the midst of trying to set this configuration up on my own and have run into trouble. A web search has led me to this post, and I hope maybe some simple guidance from you can help me.

    I’ve installed the latest appropriate version of OpenWRT on my WRT610n. After doing that the router works fine without making any changes. Then I try to follow the steps outlined here:
    http://wiki.openwrt.org/doc/howto/proxy.tinyproxy

    The install succeeds and I go through all the steps and then the router doesn’t work anymore. I can connect with a terminal to it, but it doesn’t route web traffic anymore.

    I know nothing about Linux but I have figured out how to navigate around and open files. But I don’t exactly get the bigger picture, like what files are for or where they are… So your instructions like this “Under tinyproxy’s configuration, set port 8123. Under Network -> Firewall -> Custom Rules, configure firewall rules to forward packets on port 80 to tinyproxy.” I’m not able to exactly follow. I figure “/etc/config/tinyproxy” is the tinyproxy config file… I can edit the line in the file that says “option Port ’8888′ to ’8123′” but I have no idea how to find “Network -> Firewall -> Custom Rules”. You refer to the “status” tab in one of your comments, but as far as I can tell there’s no GUI in OpenWRT in which to find a tab, unless I’m REALLY missing something. I’d really appreciate it if you could spell things out to the point of simplistic detail. :)

    Reply
