Posted by & filed under Programming & Sysadmin.

Some might say it’s a bit over-the-top “NSA like” to monitor your own home network. But honestly, if you are raising kids these days, you know that creepy people may try to get into your home, through a fiber of glass, or a twisted pair of wires, over the wifi, and into your kids’ heads. You can’t stop the creeps without turning off the Internet. And well, good luck with that.

That is the reason for monitoring, and for any type of controls you might place on access. So, with the justification out of the way, here’s the problem, and the solution.

The problem with commercial home routers is that they are designed to be as simple as possible, so that they generate very few support calls for the ISP. If you want “parental controls”, the ISP will provide that on their end, via some subscription $ervice, third party, or not at all. You can put the family PC in the living room. If you are lucky, your router may have some basic controls that allow you to block certain sites by name, or turn off the wifi at certain hours. But there’s nothing that will tell you what sites were visited, when, and how many times. You can install software on computers to monitor this stuff (bluecoat, etc), but it’s a little more difficult to monitor a couple phones, tablets, rokus, an xbox, ps3, and other devices that might attach to your wifi.

The only way to monitor those devices is with a proxy server, or using packet capture and analysis. A transparent proxy server will do this without having to configure the end user device, so that’s the approach I took, since it’s not practical to configure a proxy server on every device. Packet capture is better, but it requires more hardware than I was willing to throw at this problem.

My $dayjob is linux sysadmin, so I’m comfortable using open source router firmware and other open source tools and applications. Of course, there are a lot of different ways to put open source software together, and a lot of choices. The approach outlined here is just one way to accomplish what I wanted.

  1. Get a router that supports it, and install OpenWrt, an open source and very customizable router firmware. Get it working first.
  2. Install some additional packages on OpenWrt: tinyproxy and luci-app-tinyproxy.
  3. If you don’t have one already, I’d recommend adding a PC to your network, configured as a linux server that can capture and analyze your proxy logs. You could probably do this right on your openwrt router, but depending on the size of the logs, it might be difficult. The PC can be any old desktop PC you have available.

Note that tinyproxy on openwrt only proxies port 80 traffic, so if you need to also proxy port 443 (ssl) traffic, then you’ll want to look at using squid instead.

To set up a transparent proxy using tinyproxy, open the OpenWrt admin interface (LuCI). Under tinyproxy’s configuration, set port 8123. Under Network -> Firewall -> Custom Rules, configure firewall rules to forward packets on port 80 to tinyproxy. Note that you probably do not want to proxy every device, so I’d recommend setting all devices up with static leases in the DHCP settings in OpenWrt. That way every device always gets the same IP, and you can use that IP to select certain devices for proxying. Add the following line for each device you want to proxy. Modify as needed for your network:

iptables -t nat -A PREROUTING -i br-lan -s 192.168.1.5 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8123

In the above example, 192.168.1.5 is the device you want to proxy, 192.168.1.1 is your openwrt router’s lan IP address, and 8123 is the port that tinyproxy is listening on. “br-lan” is the default name given to the lan interface on my router. Yours may be different. Test it!
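Added example (not the post’s own code): generating the per-device rule above from the router’s static leases, so the IP in each rule is read from /etc/config/dhcp instead of being retyped by hand. The dhcp stanzas and device names below are constructed samples; the router IP, port and interface default to the values used in the post.

```python
import re

# Constructed sample of OpenWrt's /etc/config/dhcp. Static leases live in
# 'config host' stanzas (this is where LuCI's "Static Leases" page writes them).
SAMPLE_DHCP_CONFIG = """
config dhcp 'lan'
    option interface 'lan'

config host
    option name 'kid-tablet'
    option mac '00:11:22:33:44:55'
    option ip '192.168.1.5'

config host
    option name 'xbox'
    option ip '192.168.1.6'
    option mac '00:11:22:33:44:66'
"""

OPTION_RE = re.compile(r"option\s+(\w+)\s+'([^']*)'")

def _remember(leases, host):
    """Record a finished 'config host' stanza if it carries both name and ip."""
    if host and "name" in host and "ip" in host:
        leases[host["name"]] = host["ip"]

def parse_static_leases(text):
    """Map lease name -> IP for every 'config host' stanza in UCI dhcp text."""
    leases, host = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            _remember(leases, host)          # a new section ends the previous one
            host = {} if line.split()[1] == "host" else None
        elif host is not None:
            m = OPTION_RE.match(line)
            if m:
                host[m.group(1)] = m.group(2)
    _remember(leases, host)                  # the last stanza has no terminator
    return leases

def proxy_rules(leases, names, router_ip="192.168.1.1", port=8123, iface="br-lan"):
    """One DNAT rule per chosen device; names without a static lease are
    reported back rather than guessed, so nothing gets proxied by accident."""
    rules, missing = [], []
    for name in names:
        if name not in leases:
            missing.append(name)
            continue
        rules.append(f"iptables -t nat -A PREROUTING -i {iface} -s {leases[name]} "
                     f"-p tcp --dport 80 -j DNAT --to-destination {router_ip}:{port}")
    return rules, missing
```

Paste the returned lines into Network -> Firewall -> Custom Rules; anything listed in `missing` still needs a static lease first.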

If you are logging to an external linux box, you’ll need to configure openwrt. Under tinyproxy settings, check the box to “log via syslog”, then configure syslog settings under system settings so that logs are forwarded to your linux box. See “man syslog” on your linux server for how to configure it to receive logs, or google “your distro remote host logging with syslog”.

Analyzing Logs:

I couldn’t find anything free on the Internet to process the tinyproxy logs, so here’s a script I wrote that outputs a couple of HTML tables, run once a day from a cron job.

download proxy_report.tar.gz (includes some required unmodified jquery js libs)

It requires perl. An example of what the tables look like is below:

(image: proxy report)
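As an added example, not the post’s proxy_report script: the core of such a report in Python. It assumes tinyproxy’s INFO-level “Connect” and “Request” messages as they arrive through syslog; a Request line carries no client address, so each request has to be tied back to its client through the connection’s file descriptor, which is the part that is easy to get wrong. The log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed log lines, as rsyslog would store them when OpenWrt forwards
# tinyproxy's INFO-level messages. Note that fd 7 is later reused by another client.
SAMPLE_LOG = """
Jan 10 19:02:11 openwrt tinyproxy[1234]: Connect (file descriptor 7): 192.168.1.5 [192.168.1.5]
Jan 10 19:02:11 openwrt tinyproxy[1234]: Request (file descriptor 7): GET http://www.example.com/ HTTP/1.1
Jan 10 19:02:12 openwrt tinyproxy[1234]: Connect (file descriptor 8): 192.168.1.6 [192.168.1.6]
Jan 10 19:02:12 openwrt tinyproxy[1234]: Request (file descriptor 8): GET http://game.example.net/login HTTP/1.1
Jan 10 19:02:15 openwrt tinyproxy[1234]: Request (file descriptor 7): GET http://www.example.com/page2 HTTP/1.1
Jan 10 19:05:00 openwrt tinyproxy[1234]: Connect (file descriptor 7): 192.168.1.6 [192.168.1.6]
Jan 10 19:05:01 openwrt tinyproxy[1234]: Request (file descriptor 7): GET http://www.example.com/ HTTP/1.1
Jan 10 19:06:00 openwrt tinyproxy[1234]: Request (file descriptor 9): GET http://stray.example.org/ HTTP/1.1
"""

# Assumed message shapes: "Connect (file descriptor N): name [ip]" and
# "Request (file descriptor N): GET http://host/path HTTP/1.1".
LOG_RE = re.compile(r"tinyproxy\[\d+\]: (Connect|Request) \(file descriptor (\d+)\): (.*)$")

def summarize(lines):
    """Count (client_ip, site) hits. Request lines carry no client address, so
    each one is attributed via the most recent Connect on the same descriptor."""
    fd_to_client, counts, unmatched = {}, Counter(), 0
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                      # other syslog traffic
        kind, fd, rest = m.groups()
        if kind == "Connect":
            fd_to_client[fd] = rest.rsplit("[", 1)[1].rstrip("]")
            continue
        client = fd_to_client.get(fd)
        if client is None:
            unmatched += 1                # no Connect seen (e.g. log rotated mid-session)
            continue
        url = rest.split()[1]             # "GET http://host/path HTTP/1.1"
        counts[(client, urlsplit(url).hostname or url)] += 1
    return counts, unmatched

def report_rows(counts):
    """(client, site, hits) rows, busiest first: the data behind the HTML tables."""
    return sorted(((c, s, n) for (c, s), n in counts.items()),
                  key=lambda r: (-r[2], r[0], r[1]))
```

A non-zero `unmatched` count is the first thing to check when the report comes out empty: it means requests were seen but could not be tied to a client.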

11 Responses to “Home networks – A Transparent Proxy to Monitor Kids”

      • André Gonzalez

        Hello!
        I made the recommended changes to the script and installed perl, but when I run the script it gives a compilation error on lines 10 and 11. When I comment out lines 10 and 11 the script works and even generates the report.html page, but no information appears in it. I checked that my log file is being written with tail -f /var/log/tiniproxy.log, and it does change when I make http requests. Could you please help me?

        Reply
        • admin

          It sounds like you have a lighter version of perl installed (no strict.pm or warnings).
          I have tinyproxy configured to log at level INFO, and the box checked for “log to syslog”.
          I’ve only tested it on my install of perl, with tinyproxy. It seems like it may not be parsing the log correctly. If you send a few lines of your log, I’ll take a look and see if it can be fixed.

          Reply
          • André Gonzalez

            Good afternoon! I managed to solve the script problem! I’m using OpenWrt Attitude Adjustment 12.09. When I ran the script it needed the files strict.pm and warnings.pm in /usr/lib/perl5/5.10; I solved the problem by installing perlbase-essential via opkg.
            Now I don’t know why the information from my log file is not imported into report.html after running the script.

            If you check the “Use syslog” option, how do you tell the script the path of the log?

  1. André Gonzalez

    Hello!
    I made the recommended changes to the report.pl file, but when I run the script an error appears on lines 10 and 11. I have perl installed, and my log file is being generated normally. report.html is only generated when I comment out lines 10 and 11 of the report.pl script, but it doesn’t import my log file.
    Could you please help me?

    Reply
  2. Cartero

    Hi, great job.
    I did exactly what you did but don’t get any url access log from tinyproxy. It seems to start correctly but does not broadcast any messages from the ip I set in the firewall’s custom rule. Is there any other config for tinyproxy or setting the port is enough?
    Thx!

    Reply
    • admin

      If the firewall rule is working correctly, the status tab for the tinyproxy service should show the number of requests increasing.

      Reply
    • André Gonzalez

      Hello!

      If you are using OpenWrt, enable tinyproxy. Use netstat -tl and see if the port you configured in tinyproxy is listed as LISTEN.

      You should also do port forwarding with “iptables -t nat -A PREROUTING -i eth* -p tcp --dport 80 -j REDIRECT --to-port <port>”, where eth* is the interface on which tinyproxy will listen for requests.

      Important: the tinyproxy log file must have read permission and be written by user nobody and group nogroup.

      Afterwards use “tail -f /var/log/My.Log” to see if logs are being written.

      Reply
  3. James

    Can’t seem to see any sites visited on the report. I’m sure I have everything set up correctly. The report runs correctly, just no data is included in it. Any help is appreciated.

    Reply
    • admin

      Is tinyproxy writing log entries?
      If YES, please share a line or two of the log. Maybe it’s not being parsed properly.

      Reply
