pnproxy - Plug and Proxy is a simple home proxy for managing Internet traffic.
Features:
- work on all devices in the local network without additional settings
- proxy settings for selected sites only
- ad blocking support (like AdGuard)
Types:
- DNS proxy
- Reverse proxy for HTTP and TLS (level 4 proxy)
- HTTP anonymous proxy
- Binary - nightly.link
- Docker - alexxit/pnproxy
- Home Assistant Add-on - alexxit/hassio-addons
For example, you want to block ads and also forward all Twitter traffic through external proxy server. And want it to work on all home devices without additional configuration on each device.
- Install pnproxy on any server in your home network (ex. IP:
192.168.1.123). It is important that ports 53, 80 and 443 be free on this server. - Create
pnproxy.yamlhosts: adblock: doubleclick.net googlesyndication.com tunnel: twitter.com twimg.com t.co x.com dns: listen: ":53" rules: - name: adblock # name from hosts block action: static address 127.0.0.1 # block this sites - name: tunnel # name from hosts block action: static address 192.168.1.123 # redirect this sites to pnproxy default: action: dns server 8.8.8.8 # resolve DNS for all other sites http: listen: ":80" rules: - name: tunnel # name from hosts block action: redirect scheme https # redirect this sites from HTTP to TLS module default: action: raw_pass tls: listen: ":443" rules: - name: tunnel # name from hosts block action: proxy_pass host 123.123.123.123 port 3128 # forward this sites to external HTTP proxy default: action: raw_pass proxy: listen: ":8080" # optionally run local HTTP proxy log: level: trace # optionally increase log level (default - info)
- Setup DNS server for your home router to
192.168.1.123.
Optionally, instead of step 3, you can verify that everything works by configuring an HTTP proxy to 192.168.1.123:8080 on your PC or mobile device.
By default, the app looks for the pnproxy.yaml file in the current working directory.
pnproxy -config /config/pnproxy.yamlBy default all modules disabled and don't listen any ports.
Store lists of site domains for use in other modules.
- Name comparison includes all subdomains, you don't need to specify them separately!
- Names can be written with spaces or line breaks. Follow YAML syntax.
hosts:
list1: site1.com site2.com site3.net
list2: |
site1.com static.site1.cc
site2.com cdnsite2.com
site3.in site3.com site3.co.ukRun DNS server and act as DNS proxy.
- Can protect from MITM DNS attack using DNS over TLS or DNS over HTTPS
- Can work as AdBlock like AdGuard
Enable server:
dns:
listen: ":53"Rules action supports setting static address only:
- Useful for ad blocking.
- Useful for routing some sites traffic through pnproxy.
dns:
rules:
- name: adblocklist
action: static address 127.0.0.1
- name: list1 list2 site4.com site5.net
action: static address 192.168.1.123Default action supports DNS, DOT and DOH upstream:
- Important to use server IP-address, instead of a domain name
dns:
default:
# action - dns or dot or doh
action: dns server 8.8.8.8Support build-in providers - cloudflare, google, quad9, opendns, yandex:
- all this providers support DNS, DOH and DOT technologies.
dns:
default:
action: dot provider googleTotal config:
dns:
listen: ":53"
rules:
- name: adblocklist
action: static address 127.0.0.1
- name: list1 list2 site4.com site5.net
action: static address 192.168.1.123
default:
action: doh provider cloudflareRun HTTP server and act as reverse proxy.
Enable server:
http:
listen: ":80"Rules action supports setting redirect scheme https with optional code:
- Useful for redirect all sites traffic to TLS module.
http:
rules:
- name: list1 list2 site4.com site5.net
# code - any number (default - 307)
action: redirect scheme httpsRules action supports setting raw_pass:
http:
rules:
- name: list1 list2 site4.com site5.net
action: raw_passRules action supports setting proxy_pass:
- Useful for passing all sites traffic to additional local or remote proxy.
http:
rules:
- name: list1 list2 site4.com site5.net
# host and port - mandatory
# username and password - optional
# type - socks5 (default - http)
action: proxy_pass host 123.123.123.123 port 3128 username user1 password pasw1Default action support all rules actions:
http:
default:
action: raw_passRun TCP server and act as Layer 4 reverse proxy.
Enable server:
tls:
listen: ":443"Rules action supports setting raw_pass:
- Useful for forward HTTPS traffic to another reverse proxies with custom port.
tls:
rules:
- name: list1 list2 site4.com site5.net
# host - optional rewrite connection IP-address
# port - optional rewrite connection port
action: raw_pass host 123.123.123.123 port 10443Rules action supports setting proxy_pass:
- Useful for passing all sites traffic to additional local or remote proxy.
tls:
rules:
- name: list1 list2 site4.com site5.net
# host and port - mandatory
# username and password - optional
# type - socks5 (default - http)
action: proxy_pass host 123.123.123.123 port 3128 username user1 password pasw1Rules action supports setting split_pass:
- Can try to protect from hardware MITM HTTPS attack.
tls:
rules:
- name: list1 list2 site4.com site5.net
action: split_passDefault action support all rules actions:
tls:
default:
action: raw_passRun HTTP proxy server. This module does not have its own rules. It uses the HTTP and TLS module rules. You can choose not to run DNS, HTTP, and TLS servers and use pnproxy only as HTTP proxy server.
Enable server:
proxy:
listen: ":8080"Mikrotik DNS fail over script
- Add as System > Scheduler > Interval
00:01:00
:global server "192.168.1.123"
:do {
:resolve google.com server $server
} on-error={
:global server "8.8.8.8"
}
:if ([/ip dns get servers] != $server) do={
/ip dns set servers=$server
}
In rare cases, due to HTTP/2 connection coalescing technology, some site may not work properly when using a TCP/TLS Layer 4 proxy. In HTTP proxy mode everything works fine. Everything works fine in Safari browser (it doesn't support this technology). In Firefox, this feature can be disabled - network.http.http2.coalesce-hostnames.