I’ve been using OpenWrt on my TP-Link WL740N for a while now. It’s lovely and with all the additional software you can install on it it’s even better.
I’ve got for example Privoxy installed on it. Privoxy is a (non-caching) proxy with filtering capabilities. So it basically means that Privoxy can filter out malware, ads & other junk from the webpages you visit.
What I’m going to show you is:
- how to install Privoxy on OpenWrt
- how to configure the firewall on your router to make the proxy transparent
- how to feed Privoxy with AdBlock rules and automatically keep them up to date
Install Privoxy
Let’s first install Privoxy on the router:
opkg update
opkg install privoxy
cd /etc/privoxy/
Then make /etc/privoxy/config look like this:
confdir /etc/privoxy
logdir /var/log
filterfile default.filter
logfile privoxy
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
filterfile user.filter
listen-address 192.168.5.1:8118
toggle 1
enable-remote-toggle 1
enable-remote-http-toggle 0
enable-edit-actions 1
enforce-blocks 0
buffer-limit 4096
forwarded-connect-retries 0
accept-intercepted-requests 1
allow-cgi-request-crunching 0
split-large-forms 0
keep-alive-timeout 300
socket-timeout 300
permit-access 192.168.5.0/24
debug 8192 # Errors - *we highly recommended enabling this*
Make sure to replace the 192.168.5.x addresses with ones that match your network setup.
If everything is ok, start up Privoxy with /etc/init.d/privoxy start. Check if it’s running by doing ps | grep -i privoxy
And to make sure everything is running fine: tail -n20 /var/log/privoxy.log
Configure the firewall
Next up we’re going to adjust the firewall on the router so Privoxy becomes our transparent proxy.
Add this rule to /etc/config/firewall:
config redirect
option proto 'tcp'
option target 'DNAT'
option dest 'lan'
option _name 'transparent-proxy for HTTP'
option src 'lan'
option dest_port '8118'
option src_dport '80'
option dest_ip '192.168.5.1'
option src_dip '!192.168.5.1'
Again, make sure you adjust the ip addresses properly.
Next up, restart the firewall: /etc/init.d/firewall restart.
You could also do this via the OpenWrt webinterface (LuCI):
Automate fetching and updating of Adblock filters
We’re going to use a script made by Andrwe that automatically downloads and converts adblock filters to privoxy filters (their format is different).
First install the dependencies for this script:
opkg install coreutils-install wget bash sed
Then install the script itself:
cd /etc/privoxy
wget https://raw.github.com/Andrwe/privoxy-blocklist/master/privoxy-blocklist.sh --no-check-certificate
chmod +x privoxy-blocklist.sh
sed -i s/^SCRIPTCONF.*/SCRIPTCONF=\\/etc\\/privoxy\\/blocklist.conf/ privoxy-blocklist.sh
Create a configuration file for the script:
touch /etc/privoxy/blocklist.conf
And make it look like this:
# Config of privoxy-blocklist
# array of URL for AdblockPlus lists
# for more sources just add it within the round brackets
URLS=(
"https://easylist-downloads.adblockplus.org/malwaredomains_full.txt"
"https://easylist-downloads.adblockplus.org/fanboy-social.txt"
"https://easylist-downloads.adblockplus.org/easyprivacy.txt"
"https://easylist-downloads.adblockplus.org/easylist.txt"
"https://easylist-downloads.adblockplus.org/easylistdutch.txt"
# "https://easylist-downloads.adblockplus.org/easylistdutch+easylist.txt"
)
# config for privoxy initscript providing PRIVOXY_CONF, PRIVOXY_USER and PRIVOXY_GROUP
INIT_CONF="/etc/conf.d/privoxy"
# !! if the config above doesn't exist set these variables here !!
# !! These values will be overwritten by INIT_CONF !!
PRIVOXY_USER="root"
PRIVOXY_GROUP="root"
PRIVOXY_CONF="/etc/privoxy/config"
# name for lock file (default: script name)
TMPNAME="$(basename ${0})"
# directory for temporary files
TMPDIR="/tmp/${TMPNAME}"
# Debug-level
# -1 = quiet
# 0 = normal
# 1 = verbose
# 2 = more verbose (debugging)
# 3 = incredibly loud (function debugging)
DBG=0
Then run the program for the first time to check if everything is working:
/etc/privoxy/privoxy-blocklist.sh
The scripts adds actionsfile entries to the /etc/privoxy/config file. When I upgraded my OpenWrt router from Attitude Adjustment to Barrier Breaker this broke for me. That’s why I added some actionsfile entries myself:
...
actionsfile match-all.action # Actions that are applied to all sites and maybe
overruled later on.
actionsfile default.action # Main actions file
filterfile malwaredomains_full.script.filter
filterfile fanboy-social.script.filter
filterfile easyprivacy.script.filter
filterfile easylist.script.filter
filterfile easylistdutch.script.filter
filterfile user.filter
actionsfile malwaredomains_full.script.action
actionsfile fanboy-social.script.action
actionsfile easyprivacy.script.action
actionsfile easylist.script.action
actionsfile easylistdutch.script.action
actionsfile user.action
listen-address 192.168.5.1:8118
...
Restart Privoxy again and check /var/log/privoxy.log to make sure everything is still allright.
You could also check http://privoxy.org/ in your browser to see if Privoxy is running ok.
To keep your filters up to date add this to your crontab (crontab -e):
@weekly /etc/privoxy/privoxy-blocklist.sh
Via vanutsteen