Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unofficial E2guardian package for pfSense

    Scheduled Pinned Locked Moved Cache/Proxy
    1.2k Posts 70 Posters 1.5m Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • marcellocM
      marcelloc
      last edited by

      I use chrome. What chrome complains about the site?  Is the generated certificate different from the site your are trying to access?

      Treinamentos de Elite: http://sys-squad.com

      Help a community developer! ;D

      1 Reply Last reply Reply Quote 0
      • P
        pfsensation
        last edited by

        @marcelloc:

        I use chrome. What chrome complains about the site?  Is the generated certificate different from the site your are trying to access?

        Chrome complains about a missing alternative name, seems like it could be an issue relating to the way Squid forges certificates.

        Here's a link to what I found regarding this issue, seems it's related to browsers upping security. I know you can get around this for sure since they do it at my school using smoothwall.

        http://stackoverflow.com/questions/43665243/chrome-invalid-self-signed-ssl-cert-subject-alternative-name-missing

        1 Reply Last reply Reply Quote 0
        • P
          pfsensation
          last edited by

          Found a small issue, when you block a category of domains using black list. When you try to visit any domain in that category it shows categories as : N/A, instead of showing the actual category.

          1 Reply Last reply Reply Quote 0
          • marcellocM
            marcelloc
            last edited by

            @pfsensation:

            Found a small issue, when you block a category of domains using black list. When you try to visit any domain in that category it shows categories as : N/A, instead of showing the actual category.

            Saw this while using Dansguardian in the past. Do you think it's an old bug or something with report template file?

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            1 Reply Last reply Reply Quote 0
            • P
              pfsensation
              last edited by

              @marcelloc:

              @pfsensation:

              Found a small issue, when you block a category of domains using black list. When you try to visit any domain in that category it shows categories as : N/A, instead of showing the actual category.

              Saw this while using Dansguardian in the past. Do you think it's an old bug or something with report template file?

              Maybe an old bug, because it does seem to show the category if you use phrase lists.

              1 Reply Last reply Reply Quote 0
              • marcellocM
                marcelloc
                last edited by

                e2guardian v 4.1 is stable now. I'll start updating the package for this new version.

                Looks like it will not need anymore changes on SO to allow more then 1024 clients. On current compiled version I've set it to 4096 IIRC.

                https://github.com/e2guardian/e2guardian/releases

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                1 Reply Last reply Reply Quote 0
                • E
                  exograpix
                  last edited by

                  Thanks marcelloc for your effort, if possible, please provide us exact steps to install and configure for e2guardian. guide will be highly appreciated.

                  1 Reply Last reply Reply Quote 0
                  • P
                    pfsensation
                    last edited by

                    @exograpix:

                    Thanks marcelloc for your effort, if possible, please provide us exact steps to install and configure for e2guardian. guide will be highly appreciated.

                    Basic setup is explained in OP and on Github.

                    @Marcelloc, the search engine tab is still broken in the GUI D:  However, wanted to say hats off to you man! Just got this setup in my home environment, no longer in VM. I've only got it setup basically with domain blocking now. I know phrase lists work since I tested in a virtual environment, I will set that up too when I understand how it properly works. As the algorithm of how the system decides a website is good or bad + the options available is slightly overwhelming.

                    1 Reply Last reply Reply Quote 0
                    • P
                      pfsensation
                      last edited by

                      @marcelloc:

                      e2guardian v 4.1 is stable now. I'll start updating the package for this new version.

                      Looks like it will not need anymore changes on SO to allow more then 1024 clients. On current compiled version I've set it to 4096 IIRC.

                      https://github.com/e2guardian/e2guardian/releases

                      Thank you again for all your hard work, I look very forward to the update! Could you have a look at the issue with the search engine tab also? According to this : https://github.com/e2guardian/e2guardian/issues/216 issues with E2Guardian and Google Chrome should be fixed so which means I can finally enable MITM and get full protection! YAY  ;) ;)

                      Edit: Can't seem to update PfSense after installing this. Is it something to do with the repo? PfSense says it's up to date and on the latest version (2.3.3_1) when 2.3.4 is out.

                      1 Reply Last reply Reply Quote 0
                      • M
                        Morlac
                        last edited by

                        Hello,

                        Regarding the missed up search engine tab, in pkg_e2guardian_search_acl.xml around line 100 ~ 104, the <field>is miss spilled as <felid>or something like that.
                        Easily fixed but have no idea how to push back the fix :(
                        Thanks.</felid></field>

                        1 Reply Last reply Reply Quote 0
                        • marcellocM
                          marcelloc
                          last edited by

                          @Morlac:

                          Hello,

                          Regarding the missed up search engine tab, in pkg_e2guardian_search_acl.xml around line 100 ~ 104, the <field>is miss spilled as <felid>or something like that.
                          Easily fixed but have no idea how to push back the fix :(
                          Thanks.</felid></field>

                          Thanks, I'll push that fix.  :)

                          https://github.com/marcelloc/Unofficial-pfSense-packages/commit/dc5984bf0d04ead4cb1ea1afcbd325cd2c0098f4

                          Treinamentos de Elite: http://sys-squad.com

                          Help a community developer! ;D

                          1 Reply Last reply Reply Quote 0
                          • marcellocM
                            marcelloc
                            last edited by

                            @pfsensation:

                            Thank you again for all your hard work, I look very forward to the update! Could you have a look at the issue with the search engine tab also? According to this : https://github.com/e2guardian/e2guardian/issues/216 issues with E2Guardian and Google Chrome should be fixed so which means I can finally enable MITM and get full protection! YAY  ;) ;)

                            The code is not running that stable on FreeBSD. I've opened a ticket on e2guardian project and sending them information to get it stable on freebsd too.

                            Treinamentos de Elite: http://sys-squad.com

                            Help a community developer! ;D

                            1 Reply Last reply Reply Quote 0
                            • M
                              Morlac
                              last edited by

                              Hello Again

                              I thought to post this as well.
                              Since a lot of people are interested in getting MITM working with Chrome 58, I copied the CertificateAuthority.cpp & CertificateAuthority.hpp from version 4.1 to e2guardian v3.5.1 and compiled again (replace the v3.5.1 files with the ones from V4.1)

                              so far it is working nicely and Chrome does not complain anymore.

                              NOTE: While compiling on FreeBSD, I had to fix the '-lresolv' library not found problem since FreeBSD does not have this library. This is only valid when you want DNSAuthentication.

                              BR

                              1 Reply Last reply Reply Quote 0
                              • P
                                pfsensation
                                last edited by

                                @marcelloc:

                                @pfsensation:

                                Thank you again for all your hard work, I look very forward to the update! Could you have a look at the issue with the search engine tab also? According to this : https://github.com/e2guardian/e2guardian/issues/216 issues with E2Guardian and Google Chrome should be fixed so which means I can finally enable MITM and get full protection! YAY  ;) ;)

                                The code is not running that stable on FreeBSD. I've opened a ticket on e2guardian project and sending them information to get it stable on freebsd too.

                                Yeah I just saw it on Github, thanks for the amazing work once again!

                                However did you look into my issue? I'm unable to update pfsense after installing E2 Guardian, or do I have to uninstall it? When I try updating it just says up to date when it's a version behind the latest release.

                                1 Reply Last reply Reply Quote 0
                                • P
                                  pfsensation
                                  last edited by

                                  @Morlac:

                                  Hello Again

                                  I thought to post this as well.
                                  Since a lot of people are interested in getting MITM working with Chrome 58, I copied the CertificateAuthority.cpp & CertificateAuthority.hpp from version 4.1 to e2guardian v3.5.1 and compiled again (replace the v3.5.1 files with the ones from V4.1)

                                  so far it is working nicely and Chrome does not complain anymore.

                                  NOTE: While compiling on FreeBSD, I had to fix the '-lresolv' library not found problem since FreeBSD does not have this library. This is only valid when you want DNSAuthentication.

                                  BR

                                  How exactly have you got it setup? I'm running into difficulties with MITM again. Have you setup ssl inspection in squid at all? Or you just set it up on E2G, if so which options did you change? Since I tried it using group settings before.

                                  Edit: I have already generated a CA and set it in the general tab.

                                  1 Reply Last reply Reply Quote 0
                                  • M
                                    Morlac
                                    last edited by

                                    @pfsensation:

                                    How exactly have you got it setup? I'm running into difficulties with MITM again. Have you setup ssl inspection in squid at all? Or you just set it up on E2G, if so which options did you change? Since I tried it using group settings before.

                                    Edit: I have already generated a CA and set it in the general tab.

                                    yes, I generated a CA and then installed it office wide.
                                    From the pfSense, I used marcelloc install script to prepare everything installing TinyProxy along the way. Not using squid yet, but plan on once I full test the setup. I really need the caching ability of squid.

                                    Configuration is a bit messy since some SSL/MITM options are not available in the GUI. I did everything I needed from the GUI i.e. blocking some site, installing blacklists…etc then went on to edit the config files manually to enable MITM.

                                    In e2guardian.conf, the following is checked (these should be done automatically for you when you enable/save the settings in the GUI):
                                    cacertificatepath = '/etc/ssl/demoCA/cacert.pem'
                                    caprivatekeypath = '/etc/ssl/demoCA/private/cakey.pem'
                                    certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem'
                                    generatedcertpath = '/usr/local/etc/e2guardian/ssl/generatedcerts'

                                    In e2guardianf1.conf, I made sure the following are configured:
                                    reportinglevel = 3
                                    ssldeniedrewrite = 'on'
                                    htmltemplate = 'template.html'

                                    the sslsiteregexplist file did not exist so I Created an empty one... not sure if its needed or not.

                                    sslsiteregexplist = '/usr/local/etc/e2guardian/lists/sslsiteregexplist'

                                    sslmitm = on

                                    Other than, all defaults really.
                                    Previously, MITM was working nice in IE 11 but Chrome complained and refused to work without policy changes. So I compiled the E2G 3.5.1 with the certificate generation code from v4.1 and Chrome is happy now.

                                    BR

                                    1 Reply Last reply Reply Quote 0
                                    • P
                                      pfsensation
                                      last edited by

                                      @Morlac:

                                      @pfsensation:

                                      How exactly have you got it setup? I'm running into difficulties with MITM again. Have you setup ssl inspection in squid at all? Or you just set it up on E2G, if so which options did you change? Since I tried it using group settings before.

                                      Edit: I have already generated a CA and set it in the general tab.

                                      yes, I generated a CA and then installed it office wide.
                                      From the pfSense, I used marcelloc install script to prepare everything installing TinyProxy along the way. Not using squid yet, but plan on once I full test the setup. I really need the caching ability of squid.

                                      Configuration is a bit messy since some SSL/MITM options are not available in the GUI. I did everything I needed from the GUI i.e. blocking some site, installing blacklists…etc then went on to edit the config files manually to enable MITM.

                                      In e2guardian.conf, the following is checked (these should be done automatically for you when you enable/save the settings in the GUI):
                                      cacertificatepath = '/etc/ssl/demoCA/cacert.pem'
                                      caprivatekeypath = '/etc/ssl/demoCA/private/cakey.pem'
                                      certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem'
                                      generatedcertpath = '/usr/local/etc/e2guardian/ssl/generatedcerts'

                                      In e2guardianf1.conf, I made sure the following are configured:
                                      reportinglevel = 3
                                      ssldeniedrewrite = 'on'
                                      htmltemplate = 'template.html'

                                      the sslsiteregexplist file did not exist so I Created an empty one... not sure if its needed or not.

                                      sslsiteregexplist = '/usr/local/etc/e2guardian/lists/sslsiteregexplist'

                                      sslmitm = on

                                      Other than, all defaults really.
                                      Previously, MITM was working nice in IE 11 but Chrome complained and refused to work without policy changes. So I compiled the E2G 3.5.1 with the certificate generation code from v4.1 and Chrome is happy now.

                                      BR

                                      Thank you very much for that detailed explanation bro. Perhaps since 4.1 isn't stable enough on FreeBSD yet, maybe Marcelloc could update his package to add the Chrome SAN patch and make it possible to fully configure SSL mitm from the GUI. However I will try enabling it manually like you did. Unfortunately,  what I'm most worried about at the minute is the fact that pfsense doesn't update after installing E2G. I'm stuck on 2.3.3.

                                      1 Reply Last reply Reply Quote 0
                                      • BismarckB
                                        Bismarck
                                        last edited by

                                        @pfsensation:

                                        However I will try enabling it manually like you did. Unfortunately,  what I'm most worried about at the minute is the fact that pfsense doesn't update after installing E2G. I'm stuck on 2.3.3.

                                        Just in case you have problems to update to 2.3.4-RELEASE because of bugged pkg:

                                        https://forum.pfsense.org/index.php?topic=130071.msg716776#msg716776

                                        1 Reply Last reply Reply Quote 0
                                        • marcellocM
                                          marcelloc
                                          last edited by

                                          @Morlac:

                                          Hello Again

                                          I thought to post this as well.
                                          Since a lot of people are interested in getting MITM working with Chrome 58, I copied the CertificateAuthority.cpp & CertificateAuthority.hpp from version 4.1 to e2guardian v3.5.1 and compiled again (replace the v3.5.1 files with the ones from V4.1)

                                          I'm buiding it with these changes and 4096 max clients util 4.1 is fine on FreeBSD . Thanks for the contribution.

                                          EDIT: Done
                                          https://github.com/marcelloc/Unofficial-pfSense-packages/commit/36678fe4cb3868065f5f84d90796c76fe515045c

                                          Treinamentos de Elite: http://sys-squad.com

                                          Help a community developer! ;D

                                          1 Reply Last reply Reply Quote 0
                                          • marcellocM
                                            marcelloc
                                            last edited by

                                            @Morlac:

                                            In e2guardian.conf, the following is checked (these should be done automatically for you when you enable/save the settings in the GUI):
                                            cacertificatepath = '/etc/ssl/demoCA/cacert.pem'
                                            caprivatekeypath = '/etc/ssl/demoCA/private/cakey.pem'
                                            certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem'
                                            generatedcertpath = '/usr/local/etc/e2guardian/ssl/generatedcerts'

                                            In e2guardianf1.conf, I made sure the following are configured:
                                            reportinglevel = 3
                                            ssldeniedrewrite = 'on'
                                            htmltemplate = 'template.html'

                                            the sslsiteregexplist file did not exist so I Created an empty one… not sure if its needed or not.

                                            sslsiteregexplist = '/usr/local/etc/e2guardian/lists/sslsiteregexplist'

                                            sslmitm = on

                                            Also included on package
                                            https://github.com/marcelloc/Unofficial-pfSense-packages/commit/f83a44d1ef96ec2a81d785ac6695072c9aa99e8d

                                            Treinamentos de Elite: http://sys-squad.com

                                            Help a community developer! ;D

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.