[Privoxy-users] Privoxy on router firmwares poses a huge security risk
Lee
ler762 at gmail.com
Tue Dec 31 21:45:47 UTC 2019
On 12/31/19, Ian Silvester <iansilvester at fastmail.fm> wrote:
> Thanks for the heads-up to this community and for discussing the issue on
> the dd-wrt forums. Clearly it's a side-effect of that specific configuration
> so there's no change required (or possible) to Privoxy to correct the
> problem.
>
> Just out of curiosity, what is the advantage of running policy based routing
> for your VPN?
I think the desire is to have all http traffic filtered through privoxy.
(i.e. redirect all tcp port 80 traffic to privoxy)

The problem is that privoxy is running on the router and it's only
traffic coming into the router, destined for the internet, that gets
sent out the vpn. Traffic sourced by the router goes to either the
internal network or the ISP -- and since privoxy is running on the
router, none of the output from privoxy goes out the vpn.

What the OP needs to do is figure out how to do pbr on traffic coming
from privoxy so that traffic not for the internal network goes out via
the vpn. But I don't know if it's possible to have a pbr rule that
applies only to packets coming from one specific service on the router :(

Lee

> Cheers,
>
> Ian
>
> On Mon, 30 Dec 2019, at 13:37, tolis81 at protonmail.com wrote:
>> Enable OVPN with PBR. Enable privoxy. Check any http ip leak test page
>> like dnsleak.com or whatismyipv6.com
>>
>> This is happening since when enabling Policy Based Routing the router
>> is not on VPN and since privoxy relies on router, intercepting http
>> traffic from these sites exposes your real IP.
>>
>> Applies on any open source router firmware.
>>
>> https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322517&start=0
>>
>> This is actually very difficult to find out since more ipleak test
>> sites are on https but you are actually exposed with the combination of
>> PBR & privoxy.
>>
>> I bet a lot of people are already fully exposed and not even knowing about
>> it...
>>
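
The routing behaviour discussed in this thread can be checked offline with a small model of the Linux policy-rule lookup. This is an added example, not part of the original thread or of Privoxy; the rule set, table name `vpn`, interfaces and addresses are constructed, and it assumes the PBR rule selects on the LAN source subnet.

```python
import ipaddress

# Constructed sample in the format of `ip rule show` on a PBR router.
IP_RULES = """\
0:      from all lookup local
100:    from 192.168.1.0/24 lookup vpn
32766:  from all lookup main
32767:  from all lookup default
"""

# Constructed default routes, as `ip route show table <name>` would list them.
DEFAULT_ROUTES = {
    "vpn": "default via 10.8.0.1 dev tun0",
    "main": "default via 203.0.113.1 dev eth0",
}

def parse_rules(text):
    """Return [(priority, source_network, table)] ordered by priority."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prio, rest = line.split(":", 1)
        words = rest.split()
        src = words[words.index("from") + 1]
        table = words[words.index("lookup") + 1]
        net = ipaddress.ip_network("0.0.0.0/0" if src == "all" else src)
        rules.append((int(prio), net, table))
    return sorted(rules, key=lambda r: r[0])

def egress_device(src_ip, rules, default_routes):
    """Interface used for an internet destination: the first matching rule
    whose table holds a default route wins (simplified: default routes only)."""
    addr = ipaddress.ip_address(src_ip)
    for _prio, net, table in rules:
        if addr in net and table in default_routes:
            words = default_routes[table].split()
            return words[words.index("dev") + 1]
    return None

def leaks(src_ip, vpn_dev="tun0"):
    """True when traffic from src_ip would leave outside the VPN interface."""
    return egress_device(src_ip, parse_rules(IP_RULES), DEFAULT_ROUTES) != vpn_dev

if __name__ == "__main__":
    # 0.0.0.0 stands for an unbound socket of a router-local process such as
    # privoxy: it matches no source-based rule and falls through to `main`.
    for label, src in (("LAN client", "192.168.1.50"), ("router-local proxy", "0.0.0.0")):
        print(label, "->", egress_device(src, parse_rules(IP_RULES), DEFAULT_ROUTES))
```

Feeding the function the real output of `ip rule show` and the per-table default routes from a router shows whether router-originated connections are covered by any VPN rule.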