
Transparent Proxy on OpenWrt Router via TPROXY: Complete Setup for Your Entire Network

Setting up a transparent proxy using TPROXY on OpenWrt allows all network traffic to pass through the proxy server without manual configuration on each device.

📅June 6, 2026

If you want all traffic on your network to go through a proxy—without manual configuration on each laptop, smartphone, or server—a transparent proxy on an OpenWrt router via the TPROXY mechanism is exactly what you need. In this guide, we will cover the complete configuration: from installing the necessary packages to iptables rules and checking functionality.

What is TPROXY and why is it needed

TPROXY (Transparent Proxy) is a Linux kernel mechanism that allows intercepting TCP and UDP traffic without changing the destination IP address in the packet. Unlike classic NAT redirection (REDIRECT), TPROXY preserves the original recipient address, which is critically important for the proper functioning of the proxy client: it "sees" exactly where the device in the network is trying to connect.

Why is this needed in practice? Imagine you have an office or home lab with dozens of devices—computers, smartphones, IoT devices, test virtual machines. Manually configuring the proxy on each of them is hours of work and a constant headache when changing the proxy server. A transparent proxy on the router solves the problem centrally: all network traffic automatically goes through the proxy, and the devices are none the wiser.

Typical use cases for TPROXY on OpenWrt:

  • Routing all traffic through residential or mobile proxies to bypass geo-blocks
  • Centralized monitoring and filtering of traffic in a corporate network
  • Testing applications through proxies from different regions without changing settings on client machines
  • Automatic IP substitution for all devices connected to the router
  • Working with anti-detect browsers (Dolphin Anty, AdsPower, GoLogin) through a single gateway

The key advantage of TPROXY over regular REDIRECT: UDP support. This is important for modern protocols (QUIC, DNS over UDP, gaming traffic), which REDIRECT simply cannot handle correctly.

How a transparent proxy works in OpenWrt

The operation scheme of TPROXY on OpenWrt looks as follows:

  1. A device in the network sends a packet to an external IP address (for example, 93.184.216.34:443).
  2. The router intercepts the packet with the iptables TPROXY rule still in the PREROUTING chain—before a routing decision is made.
  3. The packet is marked with a special fwmark and redirected to the local socket of the proxy client (for example, to port 7893).
  4. The proxy client (redsocks, Xray, sing-box) "sees" the original destination address through the IP_TRANSPARENT mechanism and establishes a connection through the remote proxy server.
  5. The response is returned to the device—transparently, without any changes on the client side.

💡 Important Note

TPROXY works only in the PREROUTING chain of the mangle table. This means that only transit traffic (from network devices) is intercepted, but not the traffic of the router itself. To intercept the router's traffic, additional configuration through OUTPUT and routing through loopback will be required.

Requirements: router, firmware, packages

Before proceeding with the setup, make sure your configuration meets the minimum requirements.

Router Requirements

Parameter        | Minimum          | Recommended
RAM              | 64 MB            | 256 MB and above
Flash / Storage  | 16 MB            | 128 MB and above
CPU Architecture | MIPS, ARM        | ARM Cortex-A7/A53 and above
OpenWrt Version  | 21.02            | 23.05 or snapshot
Linux Kernel     | 5.4 with TPROXY  | 5.15 / 6.1

Well-proven models for this task: GL.iNet GL-MT6000 (Flint 2), Xiaomi AX3000T, Banana Pi BPi-R3, Raspberry Pi 4 with OpenWrt, as well as any x86 router with sufficient RAM.

Checking TPROXY Support in the Kernel

Connect to the router via SSH and execute:

zcat /proc/config.gz | grep TPROXY

You should see the line CONFIG_NETFILTER_XT_TARGET_TPROXY=y or =m. Release builds of OpenWrt usually ship without /proc/config.gz, so a missing file does not by itself prove anything: in that case install the kernel module package from the next section and check that /lib/modules/$(uname -r)/xt_TPROXY.ko exists. If the option is absent from the config (or set to n) and no module is available for your firmware, the kernel does not support TPROXY and recompilation or a firmware change will be required.

Installing the Necessary Packages

To operate TPROXY on OpenWrt, several packages will be required. Connect via SSH and update the package list:

opkg update

Install the necessary components:

# Kernel module for the TPROXY statement in the nftables stack (fw4)
opkg install kmod-nft-tproxy

# If using iptables (legacy stack): the userspace TPROXY target extension
opkg install iptables-mod-tproxy

# Full iproute2 "ip": needed for "ip rule" and "ip route ... table" (policy routing)
opkg install ip-full

# xt_TPROXY kernel module behind the iptables target (the one "modprobe xt_TPROXY" loads)
opkg install kmod-ipt-tproxy

Depending on the chosen proxy client, install one of the following packages:

Proxy Client        | OpenWrt Package | TPROXY Support
redsocks            | redsocks        | TCP (UDP via redsocks2)
Xray-core           | xray-core       | TCP + UDP (natively)
sing-box            | sing-box        | TCP + UDP (natively)
mihomo (Clash Meta) | mihomo          | TCP + UDP (natively)

For most tasks, we recommend sing-box or mihomo—they support TPROXY natively, including UDP, and have a convenient configuration format.

Configuring iptables and ip rule

This is a key step. We need to do three things: mark the necessary packets with fwmark, configure a special routing table, and add a TPROXY rule in iptables.

Step 1: Create the routing table

# Add a special route: marked packets go to loopback
ip rule add fwmark 1 table 100
ip route add local default dev lo table 100

This tells the kernel: "consider all packets with fwmark=1 as local and deliver them to loopback." This is how the proxy client will be able to accept them through its socket.

Step 2: iptables rules (mangle/PREROUTING)

# Create a chain for TPROXY
iptables -t mangle -N TPROXY_RULES

# Exclude local addresses (do not proxy them)
iptables -t mangle -A TPROXY_RULES -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A TPROXY_RULES -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A TPROXY_RULES -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A TPROXY_RULES -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A TPROXY_RULES -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A TPROXY_RULES -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A TPROXY_RULES -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A TPROXY_RULES -d 240.0.0.0/4 -j RETURN

# Redirect TCP to the proxy client's port (7893)
iptables -t mangle -A TPROXY_RULES -p tcp \
  -j TPROXY --on-port 7893 --on-ip 127.0.0.1 --tproxy-mark 1

# Redirect UDP to the proxy client's port (7893)
iptables -t mangle -A TPROXY_RULES -p udp \
  -j TPROXY --on-port 7893 --on-ip 127.0.0.1 --tproxy-mark 1

# Apply the chain only to packets entering from the LAN bridge (br-lan is
# OpenWrt's default name). Without -i, replies arriving on the WAN for the
# router's own sockets (including the proxy client's session to the proxy
# server) would also reach the TPROXY target, which drops any packet that
# belongs to a non-transparent local socket.
iptables -t mangle -A PREROUTING -i br-lan -j TPROXY_RULES

📌 Port 7893

Port 7893 is the port on which the proxy client (sing-box, mihomo, Xray) listens in tproxy mode. Make sure it matches your client's settings.

Step 3: Saving rules on reboot

Create an autostart script in /etc/init.d/tproxy or add the commands to /etc/rc.local. The ip rule and ip route commands from Step 1 must be restored at boot as well; they are not saved together with the iptables rules. For OpenWrt 23.05 with nftables (fw4) instead of iptables, use equivalent rules in nft syntax (the policy routing from Step 1 is still required):

nft add table ip tproxy_table
nft add chain ip tproxy_table prerouting \
  '{ type filter hook prerouting priority mangle; policy accept; }'
# Only packets arriving from the LAN bridge
nft add rule ip tproxy_table prerouting 'iifname != "br-lan" return'
# Same bypass list as in the iptables version
nft add rule ip tproxy_table prerouting \
  'ip daddr { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 } return'
# TCP and UDP to the proxy client; the mark is what "ip rule" matches on
nft add rule ip tproxy_table prerouting \
  'meta l4proto { tcp, udp } tproxy to 127.0.0.1:7893 meta mark set 1 accept'
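The script below is an added example for this guide, not a file from OpenWrt or from any of the proxy clients: a self-contained /etc/tproxy-rules.sh that applies Step 1 and Step 2 idempotently and can undo them again, meant to be called from /etc/rc.local as "/etc/tproxy-rules.sh start". The interface name br-lan, port 7893, mark 1 and table 100 are the values used above; the file path, the function names and the "show" action are this example's own choices. The rule set is produced by a function in iptables-restore format, so you can review it with "sh /etc/tproxy-rules.sh show" before it touches the live firewall.

```shell
#!/bin/sh
# /etc/tproxy-rules.sh (hypothetical helper written for this guide): installs or
# removes the policy route from Step 1 and the iptables rules from Step 2.
# Call it from /etc/rc.local as "/etc/tproxy-rules.sh start".

LAN_IF="br-lan"     # OpenWrt's default LAN bridge; change if your LAN device is named differently
TPROXY_PORT=7893    # must match the tproxy listener of sing-box / mihomo / redsocks
FWMARK=1            # --tproxy-mark value and the fwmark in "ip rule"
TABLE=100           # routing table that delivers marked packets to loopback

# Destinations that stay unproxied (same list as Step 2).
BYPASS_NETS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

# Emit the mangle rules in iptables-restore format. Generating the text in a
# function (instead of running iptables line by line) lets you review the exact
# rule set with "show" before it is applied.
tproxy_rules() {
    echo "*mangle"
    echo ":TPROXY_RULES - [0:0]"
    for net in $BYPASS_NETS; do
        echo "-A TPROXY_RULES -d $net -j RETURN"
    done
    for proto in tcp udp; do
        echo "-A TPROXY_RULES -p $proto -j TPROXY --on-port $TPROXY_PORT --on-ip 127.0.0.1 --tproxy-mark $FWMARK"
    done
    # Only packets entering from the LAN. Replies arriving on the WAN for the
    # router's own sockets (the proxy client's upstream session included) must
    # never reach the TPROXY target, which drops packets of non-transparent sockets.
    echo "-A PREROUTING -i $LAN_IF -j TPROXY_RULES"
    echo "COMMIT"
}

policy_route_up() {
    ip rule show | grep -q "fwmark 0x$FWMARK lookup $TABLE" || ip rule add fwmark "$FWMARK" table "$TABLE"
    ip route show table "$TABLE" | grep -q '^local default dev lo' || ip route add local default dev lo table "$TABLE"
}

policy_route_down() {
    ip route del local default dev lo table "$TABLE" 2>/dev/null
    ip rule del fwmark "$FWMARK" table "$TABLE" 2>/dev/null
}

rules_down() {
    # Unhook first, then flush and delete the chain; errors just mean "not present".
    iptables -t mangle -D PREROUTING -i "$LAN_IF" -j TPROXY_RULES 2>/dev/null
    iptables -t mangle -F TPROXY_RULES 2>/dev/null
    iptables -t mangle -X TPROXY_RULES 2>/dev/null
}

start() {
    rules_down            # makes "start" idempotent: no duplicate chain on a re-run
    policy_route_up
    tproxy_rules | iptables-restore --noflush
}

stop() {
    rules_down
    policy_route_down
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    show)    tproxy_rules ;;
    "")      ;;   # no argument: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 start|stop|restart|show" >&2; exit 1 ;;
esac
```

"stop" removes the chain and the policy route in the reverse order of "start", so the router falls back to plain NAT for the LAN; "restart" is the safe way to change the port or the bypass list.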

Proxy Client Configuration: redsocks, Xray, sing-box

The proxy client on the router is a program that receives intercepted traffic and sends it through a remote proxy server. Let's look at the configuration for the most popular options.

Option 1: redsocks (simple, TCP only)

Suitable for basic tasks with a SOCKS5 proxy. The configuration file /etc/redsocks.conf:

base {
    log_debug = off;
    log_info = on;
    log = "file:/var/log/redsocks.log";
    daemon = on;
    redirector = tproxy;
}

redsocks {
    local_ip = 127.0.0.1;
    local_port = 7893;

    // Address of your SOCKS5 proxy
    ip = 185.220.101.50;
    port = 1080;
    type = socks5;

    // If the proxy requires authentication:
    login = "your_login";
    password = "your_password";
}

Option 2: sing-box (recommended—TCP + UDP)

sing-box supports TPROXY natively and works with most types of proxies: SOCKS5, HTTP, Shadowsocks, VLESS, Trojan. Example configuration /etc/sing-box/config.json:

{
  "inbounds": [
    {
      "type": "tproxy",
      "listen": "127.0.0.1",
      "listen_port": 7893,
      "tcp_fast_open": false,
      "udp_fragment": true,
      "sniff": true
    }
  ],
  "outbounds": [
    {
      "type": "socks",
      "tag": "proxy-out",
      "server": "185.220.101.50",
      "server_port": 1080,
      "version": "5",
      "username": "your_login",
      "password": "your_password"
    },
    {
      "type": "direct",
      "tag": "direct"
    }
  ],
  "route": {
    "rules": [
      {
        "geoip": ["private"],
        "outbound": "direct"
      }
    ],
    "final": "proxy-out"
  }
}

Start sing-box and add it to autostart:

/etc/init.d/sing-box enable
/etc/init.d/sing-box start

Option 3: mihomo / Clash Meta

mihomo is a fork of Clash with extended capabilities. Set tproxy-port to the interception port:

mixed-port: 7890
tproxy-port: 7893
allow-lan: false
mode: rule
log-level: info

proxies:
  - name: "my-socks5"
    type: socks5
    server: 185.220.101.50
    port: 1080
    username: your_login
    password: your_password
    udp: true

proxy-groups:
  - name: "PROXY"
    type: select
    proxies:
      - my-socks5

rules:
  - IP-CIDR,192.168.0.0/16,DIRECT
  - IP-CIDR,10.0.0.0/8,DIRECT
  - MATCH,PROXY

Protection Against DNS Leaks

A transparent proxy without proper DNS configuration is a serious vulnerability. If DNS queries go directly through the provider instead of through the proxy, the real location is revealed despite the IP substitution. This is critical for tasks where anonymity or geo-substitution is important.

Method 1: Intercept DNS via TPROXY

Add a rule that intercepts UDP traffic on port 53. Be clear about what it covers: queries that devices send directly to an external resolver. Queries addressed to the router itself (the default handed out by DHCP) are excluded by the private-range RETURN rules and answered by dnsmasq, which then forwards them upstream over the router's own, unproxied, connection; for that path use Method 2 or Method 3.

# Intercept DNS queries from network devices
iptables -t mangle -A TPROXY_RULES -p udp --dport 53 \
  -j TPROXY --on-port 7893 --on-ip 127.0.0.1 --tproxy-mark 1

Method 2: DNS via sing-box / mihomo

sing-box and mihomo can handle DNS queries themselves and send them through the proxy. In the sing-box config, add a DNS section:

"dns": {
  "servers": [
    {
      "tag": "remote",
      "address": "8.8.8.8",
      "detour": "proxy-out"
    },
    {
      "tag": "local",
      "address": "192.168.1.1",
      "detour": "direct"
    }
  ],
  "rules": [
    {
      "geoip": ["private"],
      "server": "local"
    }
  ],
  "final": "remote",
  "independent_cache": true
}

Method 3: dnsmasq with upstream through proxy

If you are not using sing-box/mihomo, configure dnsmasq (the standard DNS server on OpenWrt) to forward queries to a local encrypted-DNS (DoH/DoT) forwarder instead of the provider's resolvers. OpenWrt reads /etc/dnsmasq.conf in addition to the UCI-generated configuration, so add there:

# Do not use the resolvers learned from the provider (resolv.conf / WAN DHCP)
no-resolv

# Forward everything to a local DoH/DoT forwarder listening on port 5335
# (setting up that forwarder is outside the scope of this guide)
server=127.0.0.1#5335

Devices with a hard-coded external DNS server would still bypass dnsmasq. Redirect their queries to the router (192.168.1.1 here is the router's LAN address) so that everything uses the same upstream:

# Only queries arriving from the LAN that are not already addressed to the router
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 ! -d 192.168.1.1 -j DNAT --to-destination 192.168.1.1

Testing and Debugging

After configuration, be sure to check the correct operation of the transparent proxy. Here’s a step-by-step checklist.

Step 1: Check iptables rules

# View the TPROXY_RULES chain
iptables -t mangle -L TPROXY_RULES -v -n

# Check routing table 100
ip rule show
ip route show table 100

Step 2: Check that the proxy client is listening on the port

# TCP listener and UDP socket on port 7893 (-u is needed to see the UDP side)
ss -tulnp | grep 7893
# or
netstat -tulnp | grep 7893

You should see the sing-box, mihomo, or redsocks process on 127.0.0.1:7893: a TCP socket in LISTEN state and, for clients that proxy UDP, a UDP socket on the same port.

Step 3: Check IP from the client device

From any device on the network, open ifconfig.me or 2ip.ru in a browser. The displayed IP should match the IP of your proxy server, not the real IP of the provider.

Step 4: Check for DNS leaks

Go to dnsleaktest.com and perform an extended test. The DNS servers in the results should belong to your proxy provider or the selected DoH server, but not to your internet provider.
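As an added example (not part of the original article or of any proxy client), here is a small POSIX shell script that performs Steps 1 and 2 of this checklist, plus the kernel check from the requirements section, and reports everything in one place. Its parsing functions read the output of zcat /proc/config.gz, ip rule show, ip route show table 100 and ss -tulnp from standard input, so they can also be exercised with captured output off the router; "sh tproxy-check.sh run" executes the live commands. The file name and function names are this example's own; port 7893, mark 1 and table 100 match the configuration above.

```shell
#!/bin/sh
# tproxy-check.sh (hypothetical helper written for this guide): checks that the
# pieces of the transparent proxy are in place. The parsing functions take
# command output on stdin so they can be tested against captured output.

TPROXY_PORT=7893   # proxy client's tproxy listener
FWMARK=1           # --tproxy-mark value
TABLE=100          # routing table used by "ip rule add fwmark 1 table 100"

# stdin: a kernel .config (e.g. zcat /proc/config.gz).
# Prints "builtin", "module" or "absent" for the xt_TPROXY target.
tproxy_kernel_status() {
    val=$(sed -n 's/^CONFIG_NETFILTER_XT_TARGET_TPROXY=//p' | head -n 1)
    case "$val" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo absent ;;
    esac
}

# stdin: "ip rule show". Succeeds if marked packets are sent to our table.
policy_rule_ok() {
    grep -q "fwmark 0x$FWMARK lookup $TABLE"
}

# stdin: "ip route show table $TABLE". Succeeds if the table delivers
# everything to loopback as local traffic.
policy_route_ok() {
    grep -q '^local default dev lo'
}

# stdin: "ss -tulnp". Prints the protocols (tcp, udp) that have a socket on
# 127.0.0.1:$TPROXY_PORT, e.g. "tcp udp"; prints nothing if nothing listens there.
listener_protos() {
    awk -v addr="127.0.0.1:$TPROXY_PORT" \
        '$1 ~ /^(tcp|udp)$/ && $5 == addr { print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Runs the live checks on the router.
main() {
    if [ -r /proc/config.gz ]; then
        echo "kernel TPROXY target: $(zcat /proc/config.gz | tproxy_kernel_status)"
    elif [ -e "/lib/modules/$(uname -r)/xt_TPROXY.ko" ]; then
        # Release builds of OpenWrt usually have no /proc/config.gz; the module
        # file installed by kmod-ipt-tproxy is the next best evidence.
        echo "kernel TPROXY target: module file present"
    else
        echo "kernel TPROXY target: not found (no /proc/config.gz, no xt_TPROXY.ko)"
    fi

    if ip rule show | policy_rule_ok; then
        echo "ip rule fwmark $FWMARK -> table $TABLE: ok"
    else
        echo "ip rule fwmark $FWMARK -> table $TABLE: MISSING"
    fi

    if ip route show table "$TABLE" | policy_route_ok; then
        echo "table $TABLE local default dev lo: ok"
    else
        echo "table $TABLE local default dev lo: MISSING"
    fi

    protos=$(ss -tulnp 2>/dev/null | listener_protos)
    case "$protos" in
        "")        echo "listener on 127.0.0.1:$TPROXY_PORT: NONE (is the proxy client running?)" ;;
        "tcp udp") echo "listener on 127.0.0.1:$TPROXY_PORT: tcp and udp" ;;
        *)         echo "listener on 127.0.0.1:$TPROXY_PORT: $protos only (UDP will not be proxied)" ;;
    esac
}

case "${1:-}" in
    run) main ;;
esac
```

A "MISSING" on either routing line with the iptables chain present is the classic symptom of rules that were re-applied after a reboot without Step 1; a listener that shows "tcp only" means UDP (QUIC, DNS) is being dropped by the TPROXY rule rather than proxied, because the client has no UDP socket on that port.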

Typical Issues and Their Solutions

Symptom                       | Cause                                             | Solution
Internet does not work at all | Proxy client is not running                       | Check the service status and the client logs
IP does not change            | iptables rules were not applied                   | Check iptables -t mangle -L -v
UDP does not work             | redsocks does not support UDP                     | Switch to sing-box or mihomo
Routing loop                  | Traffic from the proxy client is also intercepted | Exclude the UID or cgroup of the proxy client from the rules
TPROXY target error           | Kernel module not loaded                          | modprobe xt_TPROXY

Which Type of Proxy is Suitable for TPROXY on OpenWrt

The choice of proxy type critically affects the outcome. Not all options are suitable for a transparent proxy on the router—it is important to consider the protocol, connection stability, and task.

SOCKS5 Proxy

The most versatile option for TPROXY. Supports TCP and UDP (when using sing-box/mihomo). Suitable for most tasks: bypassing geo-blocks, IP substitution for the entire network, working with marketplaces. Datacenter proxies in SOCKS5 format provide high speed and stability—optimal choice if speed is prioritized over disguising as a real user.

Residential Proxies

Residential proxies use IP addresses of real home users. When routing through TPROXY on the router, this means that all traffic from your network will appear as traffic from a regular home internet user from the desired country. Ideal for:

  • Price monitoring on foreign marketplaces (Amazon, eBay, Zalando)
  • Testing advertisements from different regions
  • Working with platforms that actively block datacenter IPs
  • Tasks requiring maximum disguise as a real user

Mobile Proxies

Mobile proxies operate through the IPs of mobile network operators (4G/5G). They have the highest level of trust from platforms—Facebook, Instagram, TikTok rarely block mobile IPs since thousands of real users can stand behind one address. When used through TPROXY on the router, all traffic from your network receives a mobile IP, which is critically important for:

  • Traffic arbitration through Facebook Ads and TikTok Ads
  • Account farming on social networks
  • Working with anti-detect browsers (Dolphin Anty, AdsPower, GoLogin) through a single gateway

Proxy Type  | Speed      | Platform Trust | Best Scenario
Datacenter  | ⚡ High     | ★★☆☆☆          | Parsing, price monitoring
Residential | ⚡⚡ Medium  | ★★★★☆          | Geo-testing, e-commerce
Mobile      | ⚡ Medium   | ★★★★★          | Social networks, traffic arbitration

Conclusion

A transparent proxy via TPROXY on OpenWrt is a powerful tool for centralized traffic management across the entire network. The main advantages of this approach: no need to configure the proxy on each device separately, support for both TCP and UDP traffic, and flexible configuration that scales for any tasks—from home use to corporate infrastructure.

Key steps we covered: checking TPROXY support in the OpenWrt kernel, installing the necessary packages, configuring iptables/nftables rules with the correct fwmark, configuring the proxy client (redsocks, sing-box, or mihomo), and protecting against DNS leaks. Each of these steps is important—skipping any will lead to incorrect operation or leakage of the real IP.

If your task is to route all network traffic through a proxy with the highest level of trust from platforms (Facebook, Instagram, TikTok, foreign marketplaces), we recommend using residential proxies—they provide real home IPs from the desired country and minimal risk of blocks when working through a transparent proxy on the router.