Using Fedora for a network pass-through VM

Is there a proxy server or something that I can easily set up on a Fedora VM on a Fedora host in order to use this VM as an HTTP proxy (for VPN traffic and such)? I want certain programs and browsers using one VPN service, others using another and the rest using nothing and I figure this is an easy and compartmentalized way of doing it.

I gave squid a try but it seems hit or miss. Sometimes I can connect to it, sometimes the connection times out in the host web browser I’m using to test, and I also can’t figure out how to stop squid from inserting its own headers.

Is there a better service for this or should I stick with trying to make squid do this? Thx

You should probably move apps/tasks to separate network namespaces/containers/VMs.
Squid should work, but can be tricky to set up and troubleshoot for anything other than plain HTTP.


Thanks for the suggestion, but it’d be a bit of an effort to set things up again in their own VM. The way I’m doing it now is one thing at a time with the appropriate VPN turned on via NetworkManager, and some of these tasks already use more data than I’d be comfortable sticking in a massive .vdi file.

Running things in the VM one way or another looks extra enticing since I could run the VPN apps sandboxed and make use of killswitch and other options. I don’t feel comfortable running a VPN company’s proprietary code directly on the host system 😉

It seems a transparent proxy is what I need. Gonna give this a try https://www.ivankristianto.com/howto-install-and-configure-squid-as-transparent-proxy/ tho it seems it might be out of date. I was really hoping there was an out-of-the-box solution 😑

Transparent proxy is even more problematic since it relies on MITM to intercept HTTPS.
It may not work properly with HSTS, so this is the last method you should resort to.

Moreover, TCP is the most that you can feed to a proxy, and usually it is limited to HTTP/HTTPS.
Many other protocols including UDP and ICMP can leak your real IP since they cannot be proxied.


Hmm I guess that’s not what I need then. I just don’t want squid tacking on headers with the VirtualBox host IP and such, which it’s currently doing.

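A check for the header problem discussed in this thread, as an added example that is not from any of the posters: it parses a request as the destination server received it and reports the `Via`, `X-Forwarded-For` and `Forwarded` headers, flagging private addresses such as a VirtualBox host-only IP. The sample request, its host names and the `capture_once` test listener are constructed for illustration.

```python
import ipaddress
import re
import socket

# Request headers a forward proxy may add about the client or itself.
# In Squid, the `forwarded_for` and `via` directives control two of them.
DISCLOSING = {"x-forwarded-for", "forwarded", "via"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.x request head into (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")[1:]               # skip the request line
    return [(n.strip(), v.strip()) for n, sep, v in
            (line.partition(":") for line in lines) if sep]

def is_private(text: str) -> bool:
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:                           # not a valid address
        return False

def proxy_disclosures(raw: bytes) -> list[dict]:
    """Report proxy-added headers and any private IPv4 addresses they carry."""
    return [{"header": name, "value": value,
             "private_ips": [ip for ip in IPV4.findall(value) if is_private(ip)]}
            for name, value in parse_headers(raw) if name.lower() in DISCLOSING]

def capture_once(port: int, host: str = "127.0.0.1") -> bytes:
    """Accept one connection and return the request head as received."""
    with socket.create_server((host, port)) as srv:
        conn, _ = srv.accept()
        with conn:
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            conn.sendall(b"HTTP/1.1 204 No Content\r\nConnection: close\r\n\r\n")
    return data

# Constructed sample: a request as an origin server might see it via a proxy.
SAMPLE = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
          b"Via: 1.1 proxyvm (squid/5.2)\r\n"
          b"X-Forwarded-For: 192.168.56.1\r\n\r\n")

if __name__ == "__main__":
    for finding in proxy_disclosures(SAMPLE):
        print(finding)
```

To check a live setup, run `capture_once` on a machine you control, bound to an address the proxy VM can reach, send one plain-HTTP request to it through the proxy, and pass the returned bytes to `proxy_disclosures`.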