Local transparent proxy
From https://wiki.archlinux.org/index.php/User:Grawity/Adding_a_trusted_CA_certificate
Currently Arch Linux uses p11-kit from Fedora, which has more features (e.g. explicit distrusts) than the older scripts from Debian. To import a trust anchor using p11-kit, do:
Run as root:
trust anchor --store myCA.crt
The certificate will be written to /etc/ca-certificates/trust-source/myCA.p11-kit and the "legacy" directories automatically updated.
If you get "no configured writable location" or a similar error, import the CA manually: copy the certificate to the /etc/ca-certificates/trust-source/anchors directory, then run as root:
update-ca-trust
"wine control" > Internet Settings > Content > Publisher > Trusted Publishers > Import
sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy_user --dport 443 -j REDIRECT --to-port 8080
sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy_user --dport 80 -j REDIRECT --to-port 8080
sudo ip6tables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy_user --dport 443 -j REDIRECT --to-port 8080
sudo ip6tables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy_user --dport 80 -j REDIRECT --to-port 8080
Run Burp / mitmproxy in transparent proxy mode on port 8080 as proxy_user; the "! --uid-owner proxy_user" match keeps the proxy's own outgoing connections from being redirected back into itself.
Alternative: run the application inside a dedicated network namespace
- Works better with some Wine apps
- Only apps started in the namespace get proxified
ip netns add proxified
ip netns exec proxified ip addr add 127.0.0.1/8 dev lo
ip netns exec proxified ip link set lo up
ip link add proxy0 type veth peer name proxy1
ip link set proxy0 up
ip link set proxy1 netns proxified up
ip netns exec proxified ip addr add 10.200.200.2/24 dev proxy1
ip netns exec proxified ip route add default via 10.200.200.1 dev proxy1
ip addr add 10.200.200.1/24 dev proxy0
# Adapt "en+" to match NIC
iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o en+ -j MASQUERADE
mkdir -p /etc/netns/proxified
echo 'nameserver 1.1.1.1' > /etc/netns/proxified/resolv.conf
sysctl -w net.ipv4.ip_forward=1
# sysctl -w net.ipv6.conf.all.forwarding=1
# Local: proxy runs on this host (REDIRECT sends the traffic to proxy0's own address, 10.200.200.1)
iptables -t nat -A PREROUTING -i proxy0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i proxy0 -p tcp --dport 443 -j REDIRECT --to-port 8080
Run Burp / mitmproxy as a transparent proxy, listening on 10.200.200.1:8080.
Test:
mitmproxy --mode transparent --showhost --listen-host 10.200.200.1
sudo -E ip netns exec proxified sudo -E -u '#1000' -g '#1000' -- curl --cacert /home/olivier/.mitmproxy/mitmproxy-ca-cert.pem "https://www.google.com"
# Remote: proxy runs on another host; replace 192.168.1.x with its address
iptables -t nat -A PREROUTING -i proxy0 -p tcp --dport 80 -j DNAT --to 192.168.1.x:8080
iptables -t nat -A PREROUTING -i proxy0 -p tcp --dport 443 -j DNAT --to 192.168.1.x:8080
- Root Device / Install Magisk
- Use ProxyDroid to force traffic through the proxy using iptables (some apps refuse to use the system proxy)
- Install User CA
- Better to use our own certificate, as the certificate generated by Burp has a long validity period (this can raise issues).
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout pk.key -out certificate.crt
openssl pkcs12 -export -out certificate.p12 -inkey pk.key -certfile certificate.crt -in certificate.crt
# password required for Burp
- Install the CA in Burp (.p12) using "Import/export CA Certificate"
- Export it as a ".cer" file (or, on newer Android, push the PEM directly:
adb push certificate.crt /sdcard/
), then import it on the device for "VPN and App"
- Make it a System CA using the movecert Magisk module
- Reboot to apply
- We might still have to deal with SSL pinning. This can be bypassed using Frida (dynamic bypass) or by repacking the APK (static bypass). This Frida script might help: https://gist.github.com/olivierlemoal/e21b0e3693ee4ef6c70a81d6be09b9ec
- For better results, cut mobile data and disable IPv6 (ProxyDroid won't forward IPv6 traffic):
ip -6 a flush
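A small diagnostic to go with the transparent-mode test and the SSL pinning note above, added here and not part of the original notes: a mitmproxy addon that counts, per destination, the client-side TLS handshakes that complete versus the ones the client aborts after seeing the proxy's certificate, then reports destinations that only ever fail (the usual sign of pinning, or of a CA the app does not trust yet). The hook names and data fields are mitmproxy's addon API; the tracker itself is plain Python so it runs without mitmproxy, and the destination names in the comments are constructed.

```python
import logging
from collections import defaultdict
log = logging.getLogger("pin-report")

class PinningTracker:
    """Per-destination counts of client TLS handshakes that completed or were aborted."""
    def __init__(self):
        self.ok = defaultdict(int)      # client accepted the proxy's certificate
        self.failed = defaultdict(int)  # client aborted the handshake
        self.errors = {}                # last error text per destination

    @staticmethod
    def host_key(sni, address):
        # Prefer the SNI the client sent; otherwise fall back to the original
        # destination ip:port that REDIRECT/DNAT preserved in transparent mode.
        if sni:
            return sni
        return f"{address[0]}:{address[1]}" if address else "<unknown>"

    def record(self, sni, address, error=None):
        key = self.host_key(sni, address)
        if error is None:
            self.ok[key] += 1
        else:
            self.failed[key] += 1
            self.errors[key] = error
        return key

    def suspects(self):
        # A destination that only ever fails on the client side is the usual
        # signature of certificate pinning or a CA the app does not trust yet.
        return {h for h in self.failed if self.ok.get(h, 0) == 0}

class PinReport:
    """Addon wrapper: mitmproxy calls these hooks by name, so nothing from mitmproxy is imported."""
    def __init__(self):
        self.tracker = PinningTracker()

    def tls_established_client(self, data):
        self.tracker.record(data.conn.sni, data.context.server.address)

    def tls_failed_client(self, data):
        error = data.conn.error or "client aborted TLS handshake"
        host = self.tracker.record(data.conn.sni, data.context.server.address, error)
        log.warning("client rejected our cert for %s: %s", host, error)

    def done(self):
        for host in sorted(self.tracker.suspects()):
            log.warning("likely pinned / untrusted CA: %s (%d failures)", host, self.tracker.failed[host])

addons = [PinReport()]
```

Load it with mitmproxy --mode transparent --showhost -s pin_report.py; recent mitmproxy versions route stdlib logging into the event log, and the summary is printed when mitmproxy shuts down.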