Posted by & filed under Programming & Sysadmin.

Some might say it’s a bit over-the-top “NSA like” to monitor your own home network. But honestly, if you are raising kids these days, you know that creepy people may try to get into your home, through a fiber of glass, or a twisted pair of wires, over the wifi, and into your kids’ heads. You can’t stop the creeps without turning off the Internet. And well, good luck with that.

That is the reason for monitoring, and for any types of controls you might place on access. So, with the justification out of the way, here’s the problem, and the solution.

The problem with commercial home routers is that they are designed to be as simple as possible, so that they generate very few support calls for the ISP. If you want “parental controls”, the ISP will provide that on their end, via some subscription $ervice, third party, or not at all. You can put the family PC in the living room. If you are lucky, your router may have some basic controls that allow you to block certain sites by name, or turn off the wifi at certain hours. But there’s nothing that will tell you what sites were visited, when, and how many times. You can install software on computers to monitor this stuff (bluecoat, etc), but it’s a little more difficult to monitor a couple phones, tablets, rokus, an xbox, ps3, and other devices that might attach to your wifi.

The only way to monitor those devices is with a proxy server, or using packet capture and analysis. A transparent proxy server will do this without having to configure the end user device, so that’s the approach I took, since it’s not practical to configure a proxy server on every device. Packet capture is better, but it requires more hardware than I was willing to throw at this problem.

My $dayjob is linux sysadmin, so I’m comfortable using open source router firmware and other open source tools and applications. Of course, there are a lot of different ways to put open source software together, and a lot of choices. The approach outlined here is just one way to accomplish what I wanted.

  1. Get a router that supports it, and install openwrt, an open source and very customizable router firmware. Get an image with a web interface (LuCI). Get it working first.
  2. Install some additional packages to openwrt: tinyproxy, luci-app-tinyproxy.
  3. If you don’t have one already, I’d recommend adding a PC to your network, configured as a linux server that can capture and analyze your proxy logs. You could probably do this right on your openwrt router, but depending on the size of the logs, it might be difficult. The PC can be any old desktop PC you have available.

Note that tinyproxy on openwrt only proxies port 80 traffic, so if you need to also proxy port 443 (ssl) traffic, then you’ll want to look at using squid instead.

To set up a transparent proxy using tinyproxy, open the openwrt admin interface. Under tinyproxy’s configuration, set the port to 8123. Under Network -> Firewall -> Custom Rules, add firewall rules that redirect port 80 packets to tinyproxy. Note that you probably do not want to proxy every device, so I’d recommend setting all devices up with static leases in the dhcp settings in openwrt. That way every device always gets the same IP, and you can use that IP to select which devices are proxied. Add the following line for each device you want to proxy, modified as needed for your network:

iptables -t nat -A PREROUTING -i br-lan -s 192.168.1.5 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8123

In the above example, 192.168.1.5 is the device you want to proxy, 192.168.1.1 is your openwrt router’s lan IP address, and 8123 is the port that tinyproxy is listening on. “br-lan” is the default name given to the lan interface on my router. Yours may be different. Test it!

If you are logging to an external linux box, you’ll need to configure openwrt. Under tinyproxy settings, check the box to “log via syslog”, then configure syslog settings under system settings so that logs are forwarded to your linux box. Set the IP and port. See “man syslog” on your linux server for how to configure it to receive logs, or google “your distro remote host logging with syslog”.

Analyzing Logs:

I couldn’t find anything free on the Internet to process the tinyproxy logs, so here’s a script I wrote that outputs a couple of html tables; I run it from a daily cron job.

proxy_report.tar.gz (includes some required unmodified jquery js libs)

It requires perl. An example of what the tables look like is below:

[Screenshot: proxy report]
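As an added example (not the author’s proxy_report script, which is not reproduced on this page), here is the core of such a report in Python: it joins tinyproxy’s “Connect” and “Request” lines through the file descriptor number they share to attribute each URL to a client IP, then counts hits per day, client and site. The log lines are constructed; the Connect/Request message text follows the format tinyproxy emits as I understand it, and the syslog prefix (timestamp, router hostname, tinyproxy[pid]) is assumed to be what a standard receiving syslogd writes.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample: tinyproxy "Connect"/"Request" messages as a receiving
# syslog daemon writes them (timestamp, router hostname, program[pid]: message).
SAMPLE_LOG = """\
Dec  5 19:02:11 openwrt tinyproxy[1234]: Connect (file descriptor 7): 192.168.1.5 [192.168.1.5]
Dec  5 19:02:11 openwrt tinyproxy[1234]: Request (file descriptor 7): GET http://www.example.com/ HTTP/1.1
Dec  5 19:02:12 openwrt tinyproxy[1234]: Connect (file descriptor 8): 192.168.1.6 [192.168.1.6]
Dec  5 19:02:12 openwrt tinyproxy[1234]: Request (file descriptor 8): GET http://cdn.example.net/a.js HTTP/1.1
Dec  5 19:02:15 openwrt tinyproxy[1234]: Connect (file descriptor 7): 192.168.1.6 [192.168.1.6]
Dec  5 19:02:15 openwrt tinyproxy[1234]: Request (file descriptor 7): GET http://www.example.com/b.html HTTP/1.1
Dec  5 19:02:20 openwrt tinyproxy[1234]: Request (file descriptor 9): GET http://orphan.example.org/ HTTP/1.1
"""

# Assumed syslog prefix; group 1 captures the day so the report can be split per day.
PREFIX = r"^(\w{3}\s+\d+) \S+ \S+ tinyproxy\[\d+\]: "
CONNECT_RE = re.compile(PREFIX + r"Connect \(file descriptor (\d+)\): \S+ \[([\d.]+)\]")
REQUEST_RE = re.compile(PREFIX + r"Request \(file descriptor (\d+)\): (\S+) (\S+)")


def summarize(log_text):
    """Return ({day: {client_ip: Counter({site: hits})}}, unattributed_requests).

    The client address appears only on the Connect line and the URL only on
    the later Request line; the two share just the file descriptor number,
    which tinyproxy reuses for later connections, so the fd -> client mapping
    is overwritten on every Connect line rather than kept for the whole log.
    """
    fd_to_client = {}
    report = defaultdict(lambda: defaultdict(Counter))
    unattributed = 0
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            fd_to_client[m.group(2)] = m.group(3)
            continue
        m = REQUEST_RE.match(line)
        if not m:
            continue  # other tinyproxy chatter (startup, errors) is ignored
        day, fd, _method, url = m.groups()
        client = fd_to_client.get(fd)
        if client is None:
            unattributed += 1  # Request with no preceding Connect (log began mid-connection)
            continue
        site = urlsplit(url).hostname or url
        report[" ".join(day.split())][client][site] += 1
    return report, unattributed
```

Feed it the forwarded log file for one day and render the nested dictionary as whatever table format you like; the unattributed count is worth showing, since a non-zero value after the first day usually means Connect lines are being dropped somewhere between the router and the log server.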