Skip to content

o-x-api/internet-gateway-setup

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

59 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Internet Gateway Setup

VPS setup scripts and modules for routing all system traffic through an encrypted gateway proxy, bypassing restrictive firewalls.

Railway proxy server: o-x-api/internet-gateway


Architecture

Blocked HTTPS (discord.com, google.com, etc.)
       │
       ▼
┌─────────────────────────────┐
│  VPS (Daytona etc.)         │
│  ┌───────────────────────┐  │
│  │ MITM Proxy (:8888)    │──┼──► Railway Gateway (internet-gateway)
│  │  - intercepts HTTPS   │  │       │
│  │  - re-encrypts via CA │  │       ▼
│  │  - forwards to Railway│  │  ┌──────────┐
│  └───────────────────────┘  │  │ /raw     │──► Target (discord.com)
│                             │  │ endpoint │
│  ┌───────────────────────┐  │  └──────────┘
│  │ QEMU VMs              │  │
│  │  - use 10.0.2.2:8888 │──┼──► Host MITM (:8888) → Railway
│  └───────────────────────┘  │
└─────────────────────────────┘
  • The Railway proxy (*.up.railway.app) is whitelisted by most firewalls.
  • The VPS MITM proxy (port 8888) intercepts HTTPS via a dynamically-generated CA cert, re-encrypts, and forwards to Railway's /raw endpoint.
  • Nested QEMU VMs reach the host's MITM proxy at 10.0.2.2:8888.

Quick Start

1. Deploy the Railway Proxy

git clone https://github.com/o-x-api/internet-gateway.git
cd internet-gateway
railway login
railway up

or

Go in Railway

** Sign Up With Your GitHub Account**

Then add this repo

https://github.com/o-x-api/internet-gateway

Click Deploy and Go setting Click Generate URL enter Port 8080

Note your Railway URL: https://your-project.up.railway.app

2. Run the VPS Setup Script

On your VPS:

curl -sSL https://raw.githubusercontent.com/o-x-api/internet-gateway-setup/main/setup.sh | bash

What the Setup Script Does

Step Description
1 System update (apt update && apt upgrade)
2 Installs dependencies: openssl, curl, wget, nodejs, npm, node-forge
3 Generates a CA certificate for MITM HTTPS interception
4 Sets system-wide proxy environment variables (/etc/profile.d/, /etc/environment, .bashrc)
5 Creates and starts the MITM proxy server on port 8888
6 Configures apt to use the proxy for HTTPS
7 Creates systemd service (or rc.local fallback) for auto-start
8 Runs connectivity tests against github.com, npmjs.org, discord.com

Managing the Proxy

# Restart proxy
pkill -f "node index.js" && cd /home/daytona/mitm-proxy && nohup node index.js >> /home/daytona/mitm-proxy.log 2>&1 &

# View logs
tail -f /home/daytona/mitm-proxy.log

Nested QEMU VMs

VMs running inside the VPS via QEMU can use the host's proxy. The host's MITM proxy is reachable at 10.0.2.2:8888 (QEMU's default gateway address).

Run vm-proxy inside the VM to auto-configure proxy, CA cert, and apt in one command:

sudo vm-proxy

Or follow the manual steps below:

Permanent proxy inside the VM (runs every SSH login)

Step 1 — SSH into your VM:

# From the VPS host
ssh -p <ssh_port> root@localhost

Step 2 — Copy the CA cert from the host into the VM:

The CA cert is needed so curl can verify the MITM proxy's certificates. Two ways:

Option A — SCP from host (if QEMU networking allows it):

# Inside the VM
scp -P <ssh_port> root@10.0.2.2:/tmp/mitm-ca.pem /tmp/

Option B — Paste the cert directly (always works):

First, read the cert on the host VPS to see its content:

# Run on the HOST VPS, not inside the VM
cat /home/daytona/mitm-ca.pem

Copy the entire output (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----). Then paste it inside the VM:

# Run inside the VM — paste the cert content between the markers
cat > /usr/local/share/ca-certificates/mitm-ca.crt << 'CERT'
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
CERT
update-ca-certificates --fresh

You can also find the cert on the host at /home/daytona/mitm-ca.pem or /tmp/mitm-ca.pem.

Step 3 — Configure proxy permanently (survives reboot):

# Proxy environment variables (applied on every login)
cat > /etc/profile.d/proxy.sh << 'EOF'
export http_proxy=http://10.0.2.2:8888
export https_proxy=http://10.0.2.2:8888
export HTTP_PROXY=http://10.0.2.2:8888
export HTTPS_PROXY=http://10.0.2.2:8888
export NO_PROXY=localhost,127.0.0.1,::1,10.0.2.2
export no_proxy=localhost,127.0.0.1,::1,10.0.2.2
EOF
chmod +x /etc/profile.d/proxy.sh
source /etc/profile.d/proxy.sh

# Install CA cert so curl works without --insecure
cp /tmp/mitm-ca.pem /usr/local/share/ca-certificates/mitm-ca.crt
update-ca-certificates --fresh

# apt proxy
mkdir -p /etc/apt/apt.conf.d
cat > /etc/apt/apt.conf.d/99proxy << 'EOF'
Acquire::http::Proxy "http://10.0.2.2:8888";
Acquire::https::Proxy "http://10.0.2.2:8888";
EOF

Step 4 — Test:

curl -sI https://discord.com | head -2

Expected output:

HTTP/1.1 200 Connection Established

The 200 Connection Established line is the proxy's CONNECT response. It means the proxy successfully intercepted and forwarded the request through the Railway gateway.

Quick test without permanent config

export http_proxy=http://10.0.2.2:8888
export https_proxy=http://10.0.2.2:8888
curl -sI --insecure https://discord.com | head -2

The --insecure flag skips CA verification (use only for testing; install the CA cert for production use).

Note: 10.0.2.2 is QEMU's default gateway — it always points to the host machine.


Updating the Gateway URL

sed -i 's|GATEWAY_URL=.*|GATEWAY_URL=https://new-url.up.railway.app|' /etc/profile.d/internet-gateway.sh
pkill -f "node index.js" && . /etc/profile.d/internet-gateway.sh && cd /home/daytona/mitm-proxy && nohup node index.js >> /home/daytona/mitm-proxy.log 2>&1 &

Files

internet-gateway-setup/
├── README.md
├── setup.sh              # VPS setup script (MITM proxy + env + auto-start)
├── internet-gateway.js   # Client-side Node.js patching module
└── railway/
    └── proxy.js          # Railway gateway deployment code

Credits

Created by ABDULLAH

About

No description, website, or topics provided.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors