Squid Proxy through VPN Client
-
Hi Y'all
Is there any possible way to route specific IP addresses out through a VPN gateway on a VLAN that's using a Squid proxy server?
Thanks…
-
You mean because clients in that VLAN are being redirected to Squid you cannot use policy routing? Or rather, if you do, they bypass Squid?
Not easily. Traffic from Squid itself will always use the default system route. You would have to change the default route to be over the VPN and then policy route everything else over the WAN.
That may not be practical if you have other clients using the Proxy or VPN.
Steve
-
Well, I want those VLAN clients to keep within the proxy, but I would rather have the proxy traffic go out using a VPN client.
Thanks for your reply…
-
Well, like I say, the only way to do that with Squid on the firewall is to change the default system route, since it will always use that.
The alternative is to run Squid off the firewall, maybe in a separate pfSense instance. Then you can policy route the traffic from Squid as it enters the firewall.
Steve
-
Hi Steve, pfSense has been constantly crashing after I completed some pending system updates. I have the error log files; where am I supposed to send them?
-
This seems unrelated. Please open a new thread in Installation and Upgrades and give us as much detail as you can about what happened.
Steve
-
@stephenw10 I tried this myself and rebooted pfSense. Result is now down with the default gateway as my OpenVPN connection. Seems like a loop to me, since the OpenVPN client on pfSense needs to see the WAN in order for it to establish a tunnel, but now since the default is VPNWAN, is it looking to itself? Is it getting confused?
I wonder if the 2nd pfSense instance is the better way to go. How may I get it to see the firewall (the first pfSense instance)?
Thanks.
-
Remote VPN connections are added as static routes to the system routing via whatever interface you have chosen. So they will not try to establish the VPN over the default route if that is the VPN.
One additional thing you can actually do here is to set which interface Squid uses for outgoing queries and specify the OpenVPN address there. In the 'Custom Options (Before Auth)' field:
tcp_outgoing_address 172.21.16.211
Of course you need to know what the OpenVPN interface address will be for that, which might be an issue.
Using Squid running externally allows a lot more options. Whatever it's running on should have the main firewall set as its default gateway. It will route outgoing requests to it automatically.
Steve
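The caveat above (tcp_outgoing_address needs the OpenVPN interface address, which may change) can be worked around by regenerating that line whenever the tunnel comes up. The sh script below is an added example, not code from this thread or from the pfSense Squid package; it assumes the interface is ovpnc1, a constructed VLAN subnet and ifconfig output, an include file referenced from Squid's Custom Options, and that the OpenVPN client's up hook (or cron) runs it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the OpenVPN client
# interface is ovpnc1, Squid's Custom Options include the line
# "include /usr/local/etc/squid/vpn_outgoing.conf", and the OpenVPN client's
# up hook (or a cron job) runs this script whenever the tunnel comes up.
VPN_IF="${VPN_IF:-ovpnc1}"
VPN_CLIENT_NET="${VPN_CLIENT_NET:-192.168.50.0/24}"   # constructed VLAN subnet
SQUID_INCLUDE="${SQUID_INCLUDE:-/usr/local/etc/squid/vpn_outgoing.conf}"

# Constructed ifconfig(8) output for ovpnc1, used only for offline testing.
sample_ifconfig() {
    printf '%s\n' \
        'ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500' \
        '        inet6 fe80::1%ovpnc1 prefixlen 64 scopeid 0xa' \
        '        inet 172.21.16.211 --> 172.21.16.1 netmask 0xffffffff' \
        '        groups: tun openvpn'
}

# Read ifconfig output from stdin and print its first IPv4 address.
# Prints nothing and returns 1 when the interface has no inet address yet.
vpn_addr_from_ifconfig() {
    awk '$1 == "inet" { print $2; found = 1; exit } END { exit !found }'
}

# Render the Squid fragment: only VLAN clients matching the ACL get the VPN
# address as their outgoing source; everything else keeps the default route.
render_fragment() {
    printf 'acl vpn_clients src %s\n' "$2"
    printf 'tcp_outgoing_address %s vpn_clients\n' "$1"
}

main() {
    addr="$(ifconfig "$VPN_IF" 2>/dev/null | vpn_addr_from_ifconfig)" || {
        echo "$VPN_IF has no IPv4 address yet; is the VPN up?" >&2
        return 1
    }
    # Write to a temp file and rename so Squid never reads a half-written include.
    render_fragment "$addr" "$VPN_CLIENT_NET" > "$SQUID_INCLUDE.tmp" &&
        mv "$SQUID_INCLUDE.tmp" "$SQUID_INCLUDE" &&
        squid -k reconfigure
}

# Run main only when executed as a script, so the functions can be sourced for testing.
if [ "${0##*/}" = "squid_vpn_outgoing.sh" ]; then
    main "$@"
fi
```

If the tunnel is down the script exits non-zero without touching the include file, so Squid keeps whatever address was last written rather than an empty directive.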
-
I wonder if it's possible to route traffic depending on the user. I checked that pf has an option to filter sockets owned by the specified user, though pfSense doesn't show this option in the interface. I think it would be the case for routing Squid sockets to the VPN.
-
If you can set an ACL to match that client's traffic you can probably set an outgoing address for it.
That would not be in pf though; traffic going through the firewall does not use sockets owned by that user. It would require users to log in to Squid and a bunch of custom options.
Steve
-
I meant the user that Squid uses to run as a process, which is also named squid on pfSense. In this case, all the traffic from the Squid process running as the squid user will go out through the VPN.
Something like this rule (I haven't tested and I'm not sure if it's a correct rule):
pass out quick proto { tcp, udp } route-to (ovpnc1 10.10.10.10) user squid label "Route squid traffic to VPN"
-
Mmm, I don't think that will work even without the user part.
You are trying to apply an outbound rule with a gateway set (route-to), but to all interfaces because you don't know where it will be leaving. But it hits that rule as it leaves an interface, by which time it's too late to apply it.
You certainly can't do that in the pfSense gui for that reason. Policy routing rules have to be on the inbound interface.
Steve
-
I see. As I'm not an expert I just read the pf.conf manual regarding the user option and thought it could also be used in conjunction with route-to.
As you stated before, and as is my case, knowing the VPN address is an issue as it is dynamic. Therefore the only way is to have Squid off the firewall.
Thanks for the clarification.
-
Yes, running Squid off the firewall is often a better option when you need a custom setup like this. Even if that's another pfSense instance. Though there are better options for just hosting Squid, pfSense is not optimised as a server.
Steve
-
Just for the record, I've managed my case by placing static routes, as I only needed Cloudflare routed to the VPN. Why route Cloudflare? Extensive threats against my clients, abusing CL as a way to evade detection by filtering either country or VPNs.