April 10, 2025 6 minutes read Admin

Transparent Proxy with HAProxy as a VPN Alternative

This post shows how to set up a simple, yet powerful transparent proxy using nothing but HAProxy on a clean Ubuntu VPS. This solution:

  1. Doesn't require VPN clients
  2. Works perfectly with HTTPS
  3. Keeps your real IP hidden
  4. Maintains full browsing speed

The Basic Concept

The idea is simple:

  1. Point specific domains to your VPS's IP using your local hosts file
  2. Configure HAProxy on your VPS to act as a "man in the middle"
  3. HAProxy forwards your traffic to the real websites
  4. The websites see requests coming from your VPS IP, not your actual IP

The beauty of this approach? Your local PC thinks it's talking directly to the websites, but your traffic gets laundered through the VPS first.

Step 1: Local Machine Setup

On your local PC, modify your hosts file to point target domains to your VPS:

Windows: C:\Windows\System32\drivers\etc\hosts
Linux/Mac: /etc/hosts

Add entries like:

YOUR_VPS_IP   facebook.com
YOUR_VPS_IP   google.com
YOUR_VPS_IP   twitter.com

That's it for your local machine. Now all requests to these domains will be sent to your VPS instead.

Step 2: VPS Configuration - The Fun Part

SSH into your VPS and let's get to work:

Install HAProxy

sudo apt update
sudo apt install haproxy -y

Configure HAProxy

Edit the config file:

sudo nano /etc/haproxy/haproxy.cfg

Replace everything with this magnificent piece of wizardry:

global
    log /dev/log local0
    maxconn 100000
    tune.ssl.default-dh-param 2048

# DNS resolvers (a section of its own, not part of global)
resolvers mydns
    nameserver dns1 8.8.8.8:53
    nameserver dns2 1.1.1.1:53
    resolve_retries 3
    timeout resolve 2s
    timeout retry 1s

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# HTTP frontend (port 80)
frontend http_front
    bind *:80
    mode http

    # Capture the Host header
    http-request capture req.hdr(Host) len 100

    # Resolve the real IP for the Host and set destination
    http-request do-resolve(txn.host_ip,mydns,ipv4) req.hdr(Host)
    http-request set-dst var(txn.host_ip)

    # Use the http backend
    use_backend http_backend

# HTTPS frontend (port 443)
frontend https_front
    bind *:443
    mode tcp
    option tcplog

    # Inspect SSL handshake to extract SNI
    tcp-request inspect-delay 5s
    tcp-request content capture req.ssl_sni len 50

    # Resolve the real IP for the SNI and set destination
    tcp-request content do-resolve(txn.sni_ip,mydns,ipv4) req.ssl_sni
    tcp-request content set-dst var(txn.sni_ip)

    # Use the https backend
    use_backend https_backend

# HTTP backend
backend http_backend
    mode http
    server dummy_server 0.0.0.0:80

# HTTPS backend
backend https_backend
    mode tcp
    server dummy_server 0.0.0.0:443

This configuration is doing some clever magic:

  1. For HTTP traffic, it captures the Host header (which tells which website you want)
  2. For HTTPS traffic, it reads the SNI (Server Name Indication) during the TLS handshake
  3. It resolves the actual IP address of the requested website
  4. It forwards your traffic to that IP, making it look like the request came from your VPS
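
As written, both frontends accept connections from any address and resolve whatever name the client sends, so anyone who finds the VPS can relay through it. The frontends below are an added example, not part of the original config, that reject unknown sources and names outside an allowlist. The address 203.0.113.10 is a placeholder for your own client IP, the ACL names are illustrative, and the global, resolvers, defaults and backend sections stay as above.

```haproxy
# Added example: replaces the two frontends above; other sections unchanged.
# 203.0.113.10 is a placeholder for your own client IP (assumption).

frontend http_front
    bind *:80
    mode http

    # Drop connections from anyone but you before reading any data
    acl allowed_src src 203.0.113.10
    tcp-request connection reject unless allowed_src

    # Forward only the names listed in your hosts file
    acl allowed_host req.hdr(Host) -i facebook.com google.com twitter.com
    http-request deny unless allowed_host

    http-request capture req.hdr(Host) len 100
    http-request do-resolve(txn.host_ip,mydns,ipv4) req.hdr(Host)
    # Refuse rather than forward when DNS resolution failed
    http-request deny unless { var(txn.host_ip) -m found }
    http-request set-dst var(txn.host_ip)
    use_backend http_backend

frontend https_front
    bind *:443
    mode tcp
    option tcplog

    acl allowed_src src 203.0.113.10
    tcp-request connection reject unless allowed_src

    tcp-request inspect-delay 5s
    # Wait for a TLS ClientHello and require an allowlisted SNI
    acl tls_hello req.ssl_hello_type 1
    acl allowed_sni req.ssl_sni -i facebook.com google.com twitter.com
    tcp-request content reject unless tls_hello allowed_sni

    tcp-request content capture req.ssl_sni len 50
    tcp-request content do-resolve(txn.sni_ip,mydns,ipv4) req.ssl_sni
    tcp-request content reject unless { var(txn.sni_ip) -m found }
    tcp-request content set-dst var(txn.sni_ip)
    use_backend https_backend
```

Keep the two allowlists in sync with your hosts file, and validate the file with haproxy -c -f /etc/haproxy/haproxy.cfg before restarting.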

Enable IP Forwarding

echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Start HAProxy

sudo systemctl restart haproxy
sudo systemctl enable haproxy

That's it! Your VPS is now ready to handle your proxied traffic.

Let's Test It!

From your local machine, open a browser and go to one of the websites you configured in your hosts file.

For example, if you added YOUR_VPS_IP facebook.com to your hosts, visit https://facebook.com.

The site should load normally, but if you check your IP (using a site like ipinfo.io, which must also be in your hosts file to go through the proxy), you'll see it's your VPS IP address!

What's Actually Happening?

When you type facebook.com in your browser:

  1. Your PC checks its hosts file and sends the request to your VPS
  2. Your VPS receives the request
  3. HAProxy extracts the domain from the HTTP Host header or HTTPS SNI
  4. HAProxy resolves the real IP of facebook.com
  5. HAProxy forwards your request to the actual Facebook servers
  6. Facebook responds to your VPS
  7. Your VPS forwards the response back to your PC

The genius part? Facebook only sees your VPS IP, not your real IP.

Limitations

Let's be honest - this approach has some limitations:

  1. Transparent proxy is NOT a VPN replacement (common sense)
  2. You need to modify your hosts file for each domain you want to proxy
  3. DNS resolution happens on your VPS, not your local machine
  4. Your VPS provider can still see your traffic

But for many use cases, these tradeoffs are absolutely worth it for the simplicity and reliability.