Monthly Archives: May 2015

Transparent Reverse Proxy

This is for the version of Pen in Git, and 0.29.0 when it is released.

With the exception of Direct Server Return, Pen works as a proxy: a client connects to Pen and Pen opens a new connection to an available server. A side effect of this is that the server can’t see the original client IP address.

For http, and for https where Pen also does SSL termination, the X-Forwarded-For header can be used to communicate the address. It is activated by the -H option and adds the header to the request if it isn’t already there. But this is a web-specific solution and doesn’t work for e.g. mail, where you also want to preserve the client address.

Now there is another solution to the problem. The transparent option makes Pen “spoof” the client’s IP address in its outgoing connection to the backend server.

Here, debian2 is the client with IP and debian3 is the server with IP Pen sits in between with IP addresses and Debian2 and debian3 have static routes set up so they can reach each other through the host running Pen.

There is a bunch of network configuration that needs to be done on the Pen host in order to get the return traffic to go where it should. First some firewall rules:

root@debian:~# iptables -t mangle -N DIVERT
root@debian:~# iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
root@debian:~# iptables -t mangle -A DIVERT -j MARK --set-mark 1
root@debian:~# iptables -t mangle -A DIVERT -j ACCEPT

And then a few special routes:

root@debian:~# ip rule add fwmark 1 lookup 100
root@debian:~# ip route add local dev lo table 100

The Pen command line looks like this:

sudo ./pen -df -O transparent

The server sees the original client IP address.
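How such a spoofed outgoing connection works on Linux, as an added example that is not Pen's own code: the proxy marks its backend-side socket IP_TRANSPARENT and binds it to the client's address before connecting, which is why the return traffic has to be steered back to the proxy host with the rules above. That Pen uses exactly this socket option is an assumption; the addresses and the throwaway loopback backend are constructed for the demonstration.

```python
import errno
import socket

# Linux value of IP_TRANSPARENT, for Python builds that do not export it.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def spoofing_socket(client_ip, transparent=True):
    """TCP socket whose source address is client_ip (port 0 = ephemeral).

    IP_TRANSPARENT lets the kernel accept a bind() to an address this host
    does not own; setting it needs CAP_NET_ADMIN.  The backend's replies go
    to client_ip, so they reach this socket only if the host is in the
    return path and the DIVERT/fwmark rules plus the table-100 local route
    from the post hand them to the local stack.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if transparent:
            s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
        s.bind((client_ip, 0))
    except OSError:
        s.close()
        raise
    return s


def bind_outcome(client_ip, transparent):
    """'OK', or the errno name: EADDRNOTAVAIL for a non-local address without
    IP_TRANSPARENT, EPERM when the option is requested without privilege."""
    try:
        spoofing_socket(client_ip, transparent).close()
        return "OK"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))


def peer_seen_by_backend(client_ip, transparent=False):
    """Stand up a throwaway backend on 127.0.0.1 and return the peer IP it
    sees; addresses in 127/8 are local, so no IP_TRANSPARENT is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    c = spoofing_socket(client_ip, transparent)
    c.connect(srv.getsockname())  # handshake completes via the backlog
    conn, addr = srv.accept()     # backend's view: addr[0] == client_ip
    for sock in (conn, c, srv):
        sock.close()
    return addr[0]
```

Run unprivileged, bind_outcome("192.0.2.10", True) reports EPERM, which is the check to make when Pen's transparent option silently falls back to the proxy's own address.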


Pen 0.28.0 released

Available here:

And also here:

Pen 0.28.0 brings Direct Server Return on Linux and FreeBSD.

It also brings the Windows code up to speed.

Full list of changes from 0.27.5:

150520 Released 0.28.0.

150513 Numerous updates to support the madness that is Windows.

150501 Fix from Vincent Bernat: segfault when not using SSL.

150427 DSR support using Netmap on FreeBSD.
Unbroke DSR on Linux.

150424 Replaced all calls to perror with debug(…, strerror(errno));
Updated penlog and penlogd to use diag.[ch].

150422 More refactoring: broke out conn.[ch], client.[ch], server.[ch],
Made a hash index such that the load balancer may balance load.

150420 Broke out Windows code from pen.c into windows.c. Added windows.h.

150419 Broke out public definitions for dsr into dsr.h.
Broke out memory management into memory.[ch].
Broke out diagnostic and logging functions into diag.[ch].
Broke out settings into settings.[ch].
Broke out access lists into acl.[ch].
Broke out event initialization into event.[ch].
Added pen_epoll.h, pen_kqueue.h, pen_poll.h, pen_select.h.
Broke out pen_aton et al into netconv.[ch].

150416 Added dsr.c


Installing Windows 10 on the Raspberry Pi

For once, not a post about Pen. Although, Pen does run on Windows and yes, Pen will run on Windows on the Pi.

Installing Windows was a bit of a challenge because of DISM.EXE, the tool used to write the image to the SD card. The problem is that the version in Windows 8.1 – the most recent supported version of Windows – is too old! According to the installation instructions, Windows 10 must first be installed on a PC; an absurd requirement which is fortunately incorrect. Instead, Windows Assessment and Deployment Kit for Windows 10 can be installed and includes a newer release of the tool.

With that hurdle out of the way, the rest of the installation was easy. Microsoft seems to regard the Pi not as a self-hosted environment but rather as a kind of Arduino to which you deploy “apps”. We’ll see how well that is received.