DISCLAIMER

This tutorial will show you how to build yourself your own high-quality yet very cheap residential proxy on your home internet connection using a method called port forwarding.

This is indeed my personal setup at home that I use every day for automation.

Contrary to what most people say, you can do this securely, as explained on Raspberry PI's official site. But if you miss one tiny step in this tutorial or don't know what you're doing, or have never practiced the command line before, please don't do this.

Because doing so will expose an open port on your home connection visible from the outside internet, making any hacker able to scan for open ports and access your home router with all devices connected to it if not properly secured. So be very cautious here.

If you know what you're doing or have basic IT skills, then follow along and proceed at your own risk.

Before doing anything else, I strongly recommend you to read this tutorial in full first, then proceed through each step.

Good Luck!

What Is A Raspberry Pi?

A Raspberry Pi is a computer made by the Raspberry Pi Foundation in England. It's a non-profit

education foundation promoting learning programming for all. A Raspberry Pi is open source and

uses Linux distribution as its operating system (Raspbian Operating System). It is small in the

form factor of the size of a PCB (circuit board) card and portable.

You can connect a keyboard, and a screen, play video games, or stream videos with it too!

The Hardware

1) Raspberry PI 4 B Kit



The 4Go RAM version is enough. Same for the SD Card, 8 or 16 Go.



2) Wi-Fi Mini Router







Port forwarding has some security implications on your network. So it's wise to use an additional

router to create a separate subnet to isolate your internet-connected devices from the main

network router.

That way, your proxy will be on its own dedicated network isolated from the rest.

To do so, we will do what's called "cascading routers", simply put it just means connecting

another router plugged behind a LAN port of your main router, creating another subnetwork (subnet).

Figure 1: basic diagram of how your proxy will work on your local network.





• We will open a port in your Home router that will be forwarded to:
• ... another WIFI router to which we will forward the same port number to:
• ... the Raspberry PI

You will end up having 2 separate networks:

• the home router with your internet-connected devices
• the wifi router only for port forwarding to your Raspberry PI proxy

A good primer that doesn't hurt is to watch this video by the one and only Eli, the Computer Guy. Still valid 10 years after.

You can find those mini WIFI routers on Amazon for $30 here:

Raspberry Pi Proxy Pre-Configuration

1) SD Card Flashing with Etcher

If you bought a similar Raspberry PI 4 B Kit like the one above, they usually come with a mini USB to microSD card adapter. We will use this to facilitate the install process.

Put the SD Card in it and plug it into any USB port of your computer.



First download the Etcher image flasher for your OS here:

balenaEtcher - Flash OS images to SD cards & USB drives

Then download the Raspberry Pi OS Lite here:

Operating system images - Raspberry Pi

Finally, flash your SD Card with Etcher selecting "Flash from File" pointing to the Raspberry PI OS Lite you just downloaded before:



Once flashed, your Raspberry PI SD Card will mount on your Desktop.

Now we will create and add 2 text files at the root of the SD Card. This will allow us to configure our Raspberry Proxy 100% remotely without requiring us to connect the PI to a keyboard, mouse, and screen. All from your computer via SSH.

• Open your text editor of choice, create an empty text file, and save it without any extension to the root of the SD Card: "ssh".
• Open and create another text file you will save as "wpa_supplicant.conf" after pasting this piece of code. Just modify it with your own:

ctrl_interface=/run/wpa_supplicant
update_config=1
country=FR

network={
    ssid="internet_box_name"
    scan_ssid=1
    psk="password"
}

• replace country=by your own country (US, UK, DE, FR, etc....)
• replace ssid="internet ISP box name" (the same that pops up in your computer network prefs).
• psk="internet ISP box password"

💡 Note: be careful to keep "" for the two above lines (except country code).

Once done, save the file and copy it with the ssh file to the root of the flashed SD Card.

Finally, save both files at the root of the Raspberry PI SD Card.



Now, eject the USB adapter from your computer, remove the SD Card and insert it into the PI.

Then plug in the Raspberry PI power supply next to your ISP router or in an isolated place to avoid its noisy fans’ annoyance.

Network Router Configuration

If you bought the mini router above, you would be able to follow these steps. The process is very similar to other router brands or if you choose to do it on your main ISP router.

First, connect to your router admin console URL. Alternatively, connecting the internal IP address 192.168.1.1 works in most cases. You will find the credential in your ISP contract papers, or sometimes typing admin:admin as login:password just works.

It's recommended to change the pass and SSID name to a custom and long secure pass and save it to a key locker like Lastpass.

For the TP-Link mini router above, you will have to:

• Connect your computer to the WIFI network of your 2nd router (the mini router we bought)
• then connect its admin panel through this URL:

Trying to configure the Router?



First, we will assign a static internal IP to our secondary router:

• Go to DHCP Settings
• Enable DHCP server
• Change Start IP address to this Subnet Class C (don't bother what a Class C subnet mask means for now): 192.168.2.100
• hit Save and reboot your mini router.

This will be the internal IP address of your 2nd router from which all the connected devices' IP will be derived, including your Raspberry PI proxy.



Go back to DHCP Settings, and you should see all your connected devices on the same network of your mini router, beginning with the internal IP address 192.168.2.xxx

Listed below is the Raspberry PI internal IP address:

Copy-paste that IP address to a text editor. We will use it in the next step.



Now we will make that internal IP address static so it will never change, no matter if your main ISP router is rebooted (if you have a Dynamic IP, i.e., your ISP IP change at each router reboot).

• Go to DHCP Settings again
• Go to Address Reservation
• Click Edit
• Keep the Raspberry Mac Address as-is, paste the IP address you copied before, and tick Enable. Hit Save.

Now your Raspberry PI proxy will have an internal static IP, and the Lease Time will consequently be "permanent", meaning your Raspberry will always be assigned the same fixed internal IP on your mini router.



Now, we will choose a defined port to open in our secondary network. This will be the fixed port of our Raspberry PI residential proxy.

You can use any port above 1023 as usual. However, most system OS ports in use are below this value. If you are unsure what port to use or check which port isn't used by your computer OS, you can do a quick check with this terminal command:

• Mac OS X:

sudo lsof -i -n -P | grep TCP

• Windows (using PuTTy):

netstat -n -a –o

In this tutorial, you can use any port between [3120-3140] safely.

Choose your proxy port that will forward to your router port.

• Go to DHCP settings again.
• Go to Edit.
• Set "Service Port" and "Internal Port" with the same value you choose above.
• Hit Save.



Last, the port forwards the same port number from your main ISP router to your mini router (cf. Fig.1 at the top of this tutorial):

• port forward from the main ISP router box -------> to the mini router
• port forward mini router --------> to Raspberry

Raspberry Pi SSH Connection

A) Using the command line (CLI).

Now let's connect to our secondary router WIFI network.

To access our Raspberry PI remotely from our secondary network, we will need a command-line tool. Depending on your computer OS, different choices are available.

If you are on Mac OS X, Terminal App will be your best friend:







On Windows, you can download PuTTy or Bitvise Client here:



PuTTy



Bitvise



Download PuTTY - a free SSH and telnet client for Windows

Download Bitvise SSH Client

If you are unfamiliar, you can check this tutorial:

How to Connect to Your Account Using PuTTY SSH Client

Note that you can also install puTTy on Mac OS X too, as it had some convenient features like easier SSH key storage, but honestly, Terminal is more than enough in most cases.

If you are unfamiliar with Bitvise, you can refer to their well-made documentation here:

B) Installing the proxy server on the Raspberry Pi.

For this tutorial, we will use 3proxy:

GitHub - 3proxy/3proxy: 3proxy - tiny free proxy server

Many other proxy servers are also popular choices among Raspberry PI enthusiasts like and .

Open a terminal window and connect to your PI via SSH.

In my setup, my Raspberry PI fixed internal IP was 192.168.2.102

💡 SSH connection uses port 22 as default. Later on, we will change this port to harden security.

Type "ssh pi@your.raspberry.IP.address" (the same static IP as shown in your router) like this below:

ssh pi@192.168.2.102

Type your computer admin password :



Type "yes" to all:



Now type your Raspberry PI default admin password for the default user PI, "raspberry". We will change this default password later on for security reasons.



Update all Linux packages to keep your Raspberry OS up-to-date. This will have to be done regularly.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade

Edit DHCP configuration file located at /etc/dhcpd.conf with default nano editor:

sudo nano /etc/dhcpd.conf



Add this if your secondary router is a wired network:

interface eth0
static ip_address=192.168.2.102/24
static routers=192.168.2.1
static domain_name_servers=192.168.2.1

OR this below if like me you have a WIFI router only:

interface wlan0
static ip_address=192.168.2.102/24
static routers=192.168.2.1
static domain_name_servers=192.168.2.1

OR both if your router does both:

interface eth0
static ip_address=192.168.2.102/24
static routers=192.168.2.1
static domain_name_servers=192.168.2.1

interface wlan0
static ip_address=192.168.2.102/24
static routers=192.168.2.1
static domain_name_servers=192.168.2.1

Now instead of using the nano editor, we will install and use the popular Raspberry OS Joe Editor:

sudo apt-get install joe

Then we will install fail2ban, which like its name implies, will ban all unauthorized IPs from the outside who try to connect to your proxy. After few attempts, these IPs will be automatically be jailed. We will also install the most common jail rules:

sudo apt-get -y install fail2ban software-properties-common
sudo apt-get install build-essential libevent-dev libssl-dev
cd /etc
sudo wget https://github.com/z3APA3A/3proxy/archive/0.8.12.tar.gz
sudo tar zxvf 0.8.12.tar.gz
sudo mv 3proxy-0.8.12 3proxy
cd 3proxy

Then we will install 3proxy server from their Github repo:

sudo wget https://github.com/z3APA3A/3proxy/archive/0.8.12.tar.gz
sudo tar zxvf 0.8.12.tar.gz
sudo mv 3proxy-0.8.12 3proxy
cd 3proxy

Now, let's edit the proxy configuration file:

sudo joe src/proxy.h

Then add this piece of code above all the lines beginning by #define. This should be at the top.

Then hit "CTRL+K" then "CTRL+X" to save your modifications.

#define ANONYMOUS 1



Then compile and install the 3proxy with this configuration:

sudo make -f Makefile.Linux
sudo make -f Makefile.Linux install

Download 3proxy.cfg (configuration file):

sudo wget https://gettraffic.pro/docs/3proxy.cfg

Edit the 3proxy.cfg with Joe Editor:

sudo joe 3proxy.cfg

Change those lines with the desired login/pass of your proxy.

For example: if your proxy is:

http://yourproxy.com:3130:login:pass

• root will be replaced by the name you will choose for "login"
• passwd will be replaced by the password you will choose for your proxy
• proxy -p with your forwarded port number you chose as defined in your router (here 3130 or whatever port you choose)

users root:CL:passwd
...
allow root
...
proxy -p3130

Once the config file is opened, copy-paste over this whole configuration below, changing the above values according to your setup:

#!/usr/local/bin/3proxy
daemon

pidfile /etc/3proxy/3proxy.pid

# OpenDNS IP Addresses
nserver 208.67.222.222
nserver 208.67.220.220

nscache 65536

# uncomment the line below if you want to restrict your proxies to access certain sites only:

# allow * 192.168.2.102 *facebook*,*fb*,*fbcdn*,*linkedin*,*licdn*,*instagram*,*cdninstagram*,*reddit*,*redditstatic*,*twitter*,*twimg*,*vine*,*vncdn*,*craigslist*,*pinterest*,*pinimg*,*youtube*,*ytimg*,*googleapis*,*google*,*googleusercontent*,*medium*,*quora*,*quoracdn*

timeouts 1 5 30 60 180 1800 15 60

users root:CL:yourpassword

# Disabling logs to spare SD Card space, you will have a ton of connection attemps from the outside

# log /var/log/3proxy.log D

# logformat "- +_L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"

archiver rar rar a -df -inul %A %F

rotate 30

auth strong
allow root

# add you own port number
proxy -p3130

Once done, save your modifications by hitting "CTRL + K" then "CTRL= X".



Setup Guide | OpenDNS



Now, let's change the file permission of this configuration file to make it writable and accessible only by your PI admin user:

sudo chmod 700 3proxy.cfg

Download the following proxy configuration script file:

cd /etc/3proxy/scripts/rc.d/
sudo mv proxy.sh saved-proxy.sh
sudo wget https://gettraffic.pro/docs/proxy.sh

This will simply install 3proxy autorun script below:

#!/bin/sh
#
# chkconfig: 2345 20 80
# description: 3proxy tiny proxy server
#
#
#
#

case "$1" in
   start)
       echo Starting 3Proxy

#       /etc/3proxy/bin/3proxy
       /etc/3proxy/3proxy.cfg

       RETVAL=$?
       echo
       [ $RETVAL ]
       ;;

   stop)
       echo Stopping 3Proxy
       if [ /etc/3proxy/3proxy.pid ]; then
           /bin/kill `cat /etc/3proxy/3proxy.pid`
       else
               /usr/bin/killall 3proxy
       fi

       RETVAL=$?
       echo
       [ $RETVAL ]
       ;;

   restart|reload)
       echo Reloading 3Proxy
       if [ /etc/3proxy/3proxy.pid ]; then
           /bin/kill -s USR1 `cat /etc/3proxy/3proxy.pid`
       else
               /usr/bin/killall -s USR1 3proxy
       fi
       ;;

   *)
       echo Usage: $0 "{start|stop|restart}"
       exit 1
esac
exit 0

Finally, let's start the proxy server:

sudo sh /etc/3proxy/scripts/rc.d/proxy.sh start

The output should print “Starting 3Proxy”. Otherwise, go back and check if you didn't miss any steps.

Now allow the autorun to start even after a reboot by editing

sudo joe /etc/rc.local

Then add this line above exit 0 :

sh /etc/3proxy/scripts/rc.d/proxy.sh start

It will look like this:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# To enable or disable this script, just change the execution
# bits.
#
# By default this script does nothing.

# Print the IP address
_IP=$(hostname -I) || true
if [ "$_IP" ]; then
  printf "My IP address is %s\n" "$_IP"
fi
sh /etc/3proxy/scripts/rc.d/proxy.sh start
exit 0

As before, to save your modifications in Joe Editor, hit "CTRL + K" then "CTRL +X".

Now reboot your PI to check if these changes stick:

sudo shutdown -r now

Dynamic DNS

Almost there? Not yet! Some of you may have a Dynamic IP assigned to your ISP router.

What does it mean?

The problem with a dynamic IP is that whenever your internet box is rebooted (manually, power outage, etc...), your home network will have a new IP.

And since our residential proxy MUST be available from the outside WAN network (the internet), you must manually make that dynamic IP accessible.

So if you cannot make it static, you can use a DNS service provider. This will allow assigning a domain to your dynamic IP, making it available to your other tools (scrapers, social media automation, etc...) even in case of IP change.

To do so, we will use the free No-IP DNS service:

Free Dynamic DNS - Managed DNS - Managed Email - Domain Registration - No-IP

• create a free account
• check your external IP address and copy/paste it on a text editor

my ip adress - Google Search

Once your email account is verified, go to your No-IP dashboard and click "Create Hostname":



• enter any hostname name and domain you want
• add the public IPv4 address you just copied the step before
• click Create Hostname



Now, we will have to install the No-IP Dynamic Update Client (DUC) on our Raspberry PI so our residential proxy can benefit from No-IP DNS Service and be accessible from the outside anytime.

Read this guide to learn how to install the Dynamic Update Client onto Raspberry Pi.

Open Terminal and SSH your PI like we did before, then type the following.

After each entry line, press Enter.

mkdir /home/pi/noip
cd /home/pi/noip

After creating the folders for the DUC, it is time to download the software.

wget https://www.noip.com/client/linux/noip-duc-linux.tar.gz

Within the Terminal window, type the following. After each entry, you will press “Enter”.

tar vzxf noip-duc-linux.tar.gz

Next, navigate to the directory you created to locate the downloaded files.

cd noip-2.1.9-1

Now install the program.

sudo make
sudo make install

After typing “sudo make install” you will be prompted to log in with your No-IP account username and password. This is the log/pass used to connect to your No-IP account.

• the first prompt will ask for your login, then press ENTER
• then your password

After logging into the DUC, answer the questions to proceed.

When asked how often you want the update to happen, you must choose 5 minutes intervals or more.

The interval is listed in minutes. For example, if you choose 5, the update interval will be 5 minutes. If you choose 30, the interval will be 30 minutes.

sudo /usr/local/bin/noip2

To confirm that the service is working properly you can run the following command.

sudo noip2 ­-S (Capital “S”)

You can also do the same on your secondary WI FI router and enter your No-IP DNS credentials. The good thing doing this will allow to port the whole setup (mini WI FI router + Raspberry proxy) on another primary ISP router away from home, for instance.



Proxy Testing

Now we should be all set! Time to have the final confirmation and test if your proxy is available from the outside and working.

For this, we will download and install this nifty cross-platform tool: FOGLDN Proxy tester.

FOGLDN Proxy Tester

Once installed, open the app, click "IMPORT PROXIES" and paste your proxy credential like this:

http://your-proxy-noip-dns.net:forwarded-port:login:pass

• The first part is the domain provided by No-IP we just created
• The second part is the port we choose to forward on our mini router to access the PI proxy
• The third part is the login we define earlier
• The fourth part is our proxy password

All 4 parts are separated by ":"

If all the above works as it should FOGLDN proxy tester will output "Status OK" and show the speed latency to access the destination URL, here below with LinkedIn.com.



Now you got yourself a nice, high-quality residential proxy for life! And compared to a BrightData subscription ($110/month and over depending on the monthly bandwidth), here it will only cost you the price of the Raspberry PI kit + mini router FOR LIFE ($150).

The best part is that it's easily replicable, and you can bring this proxy device anywhere, whether to access the sites you want at work or school (be careful of what you do with it) or automate all your social network personal accounts away from home.

You can also install this setup for your clients on their network. Providing their IT service allows it and helps you do so. You could also clone the SD Card install you made to another one and change only the config files to port it to create another proxy instead of doing this install every time.

Additionally, you can remote access your client device via ssh by installing a Cloud Proxy service like remote.it to create a private network and easily access your residential proxies to maintain and update them.

If you want to scale, building your own 4G proxy farm or Cloud Residential Proxies is the way to go. Companies like proxidize.com and their sister company Proxy Know can help you scale to become your own quality proxy provider and even sell those.

Last, you can also build your 4G proxies the cheap by stacking multiple Raspberry PI zero boards like described in this awesome tutorial found on Blackhat World Forum:



Raspberry Pi Security Hardening

Ok, now that we have our own private proxy, it won't hurt to harden its security, and be sure only you can access it no matter what. It has to be secure like Fort Knox.

So far, we have only installed Fail2Ban, but we can do more.

Here we will harden our proxy security by doing:

• changing the default pi user password to a long secure password (32 characters and above) so no one can remember it, even you, and we will store it on Lastpass (or similar) encrypted pass locker. Along the process, keep a text editor open to document ALL your login/pass you used all along, then you will paste and secure it in your pass locker.
• disable root login for good
• generate and add a private encrypted key stored on our computer (hope your hard drive is already encrypted and behind your OS firewall 😉 )
• add a password to encrypt the key
• change the ssh default port 22 to something else
• install ufw firewall to filter all traffic except ssh and proxy port



We will configure and harden our Raspberry PI security following most of this guide:

Raspberry Pi Documentation - Configuration

A) Change default pi user pass

Enter our Raspberry PI options by typing this command in the terminal:

sudo raspi-config

Here, navigation is like in a computer BIOS. You will need to use up and down ↑↓ arrow keys to navigate the menus and left/right ←→ to go back or leave the menu.

First, let's change the default "pi" user password. Go to "System Options" ----> Password





Change the default pi user password by a long secure password and hit Save.

B) Make Super User Require a Password

To force sudo to require a password, enter:

sudo visudo /etc/sudoers.d/010_pi-nopasswd

Then change the pi entry (or whichever usernames have superuser rights) to:

pi ALL=(ALL) PASSWD: ALL

C) Generate Your SSH key and Encrypt it

1) Mac OS X and Linux

On your machine, open a new Terminal window, then type:

sudo ssh-keygen -t rsa

It will prompt you where you want to save the key.

The above command will create a private key saved to /home/user/.ssh/id_rsa and a public key in /home/user/.ssh/id_rsa.pub.

If you don't specify where you want to save it, it will save the key to this default path.

Alternatively, you can save to another location. However, for convenience, we will stick with the default location.

Next, it will prompt for a passphrase. While optional, it is strongly advised to put one easy to remind password that only you can know and remember without writing it down and learning it by heart?

Putting an encrypted passphrase, and each time you attempt to connect your raspberry PI via SSH, it will ask for that passphrase.

2) Windows users

For Windows users, you can follow this tutorial using PuTTy on the official ssh.com website, the inventors of the SSH protocol. No less than that 😀 .

D) Copy Your Private SSH Key to Your Raspberry PI

To securely connect our Raspberry PI using our encrypted SSH key, we will have to make a copy of our public key and upload it to our Raspberry Pi:

cat ~/.ssh/id_rsa.pub | ssh <USERNAME>@<IP-ADDRESS> 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'

So in the context of this tutorial, we will use the pi default user and install the key on our Raspberry PI, which has the following internal IP address: 192.168.2.102

cat ~/.ssh/id_rsa.pub | ssh pi@192.168.2.102 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'



E) Change SSH port

Open your sshd config file by typing this command:

sudo nano /etc/ssh/sshd_config

Uncomment the line where you see:

#Port 22

... and change it to whatever non-system or non-app reserved port (see the first part above). Let's say port 2045:

Port 2045

Like before, to save your modifications in nano editor, hit "CTRL + O" then "CTRL+X" and hit ENTER.

The next time you will connect to your PI, instead of typing ssh pi@yourRaspberryIPaddress, you will type this:

ssh -p2045 pi@192.168.2.102

... followed by our SSH key passphrase:



F) Install UFW Firewall

Let's install ufw firewall:

sudo apt install ufw

Enable ufw at boot:

sudo ufw enable

Allow our forwarded port used by our proxy (let's say 3130) and the newly open port 2045 for ssh access:

sudo ufw allow 3130

sudo ufw allow 2045

Since we changed the default port 22 for ssh access, we will now deny it and close it in ufw:

sudo ufw deny 22

G) Disable Password Authentication

Run:

sudo nano /etc/ssh/sshd_config

Then set PasswordAuthentication to "no"

PasswordAuthentication no

To make changes effective, reboot the ssh service with:

/etc/init.d/ssh restart



Sources:

Using your home IP as a residential proxy with a Raspberry - Get Traffic

Using your home IP as a residential proxy with a Raspbery

Create a proxy with a Raspberry Pi 3 (or above)