Netgate Discussion Forum

    Unofficial E2guardian package for pfSense

    • J
      jetberrocal
      last edited by

      @jetberrocal:

      Just thinking a vague idea.  Maybe you can make all your Android devices connect to a specific subnet.  Then you can authenticate by that subnet in a Group.  This way you can filter with block list and content.

      Maybe you can have one Wireless Router with DHCP relay assigning IPs by the subnet segment with a password only for Android users.

      The hard way is to have a MAC roster file with each Android device, then assign IP reservations from a subnet pool.

      But for mitm to work you have to use the CA.

      Someone may have a better defined idea to this.

      Just had another idea that maybe doable.

      Let's say we enable an SSH Server in the network and create a VPN connection from the Android devices to the SSH Server.  Then the SSH server is sent to the e2guardian/squid traffic.  The Android devices will get IPs from the VPN subnet. The traffic then can be filtered through the VPN with blocklist and content.  The authentication/group can be done by the subnet.

      I don't know if pfsense can be the VPN Server in this scheme but it might also be doable.

      This is a way to do SSH Tunneling but requires rooting:
      https://www.howtogeek.com/121698/how-to-route-all-your-android-traffic-through-a-secure-tunnel/

      Maybe there is a way to do it without rooting.  The link says that it needs rooting for Global Proxy, but we may not need this for our purpose.

      Sorry I can't test this with my pfsense.  What I have is a VM inside my PC with many Host only VMs that connect to outside world through the virtual pfsense.  Maybe I can if I find an Android VM.

      1 Reply Last reply Reply Quote 0
      • J
        jetberrocal
        last edited by

        pfsensation:

        How do you load the CA certificate to the Android devices?

        Just wondering how "easy" or complicated it is.

        1 Reply Last reply Reply Quote 0
        • P
          pfsensation
          last edited by

          @jetberrocal:

          pfsensation:

          How do you load the CA certificate to the Android devices?

          Just wondering how "easy" or complicated it is.

          Well… I used to use a captive portal that I edited and made people install from. But then with WPAD and squid not having a patch for captive portal. It semi worked. So now for all the devices in the home I've installed the CA. Guest devices rely on splice all filtering (Basically only blacklist based filtering) and I use open dns. So DNS filtering too.

          Ideally I'm hoping we can get the E2 Guardian devs to add a captive portal feature where clients are asked to install it before they are able to browse and use the Internet.

          1 Reply Last reply Reply Quote 0
          • marcellocM
            marcelloc
            last edited by

            @pfsensation:

            Ideally I'm hoping we can get the E2 Guardian devs to add a captive portal feature where clients are asked to install it before they are able to browse and use the Internet.

            If you change to fully report, you can point it to captive portal login. Then you create a Default ACL that accepts only the captive portal page.

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            1 Reply Last reply Reply Quote 0
            • J
              jetberrocal
              last edited by

              I have a Captive Portal with no authentication that does not have a submit button.  The CP page shows the instructions how to configure the proxy and where to get the certificate. Without the submit button the device can't be registered as authorized in CP.

              Then I have a folder with the CA certificates served by the web server for download.  I add the certificates extension to the exceptions so they can do the download without being blocked by e2g.

              The problem that I see now is that for Android devices the certificates are a special kind used only in Android.  Instead of just one crt, according to this link: http://wiki.cacert.org/FAQ/ImportRootCert#Android_Phones_.26_Tablets there are two ('root.crt' and 'class3.crt').

              Maybe someone with Android experience can shed some light.

              1 Reply Last reply Reply Quote 0
              • M
                Mr. Jingles
                last edited by

                Hi Marcello,

                I decided to try again.

                Installed via package manager. Tinyproxy first, E2Guardian second. I pressed 'save' first in the blacklist-tab, then 'download', then 'apply'. GUI in the right top corner gave me 8 messages about blacklist being applied. However, in status/services, E2guardian was not running (red cross), and clicking start also doesn't make it run.

                System log:

                Jun 29 00:10:11                root                      /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian
                Jun 29 00:10:11                e2guardian        99798    Error parsing the e2guardian.conf file or other e2guardian configuration files
                Jun 29 00:10:11                e2guardian        99798    Error reading filter group conf file(s).
                Jun 29 00:10:11                e2guardian        99798    Error opening filter group config: /usr/local/etc/e2guardian/e2guardianf1.conf
                Jun 29 00:10:11                e2guardian        99798    Error opening bannedsitelist
                Jun 29 00:10:11                e2guardian        99798    Error reading file: /usr/local/etc/e2guardian/lists/bannedsitelist.g_Default
                Jun 29 00:10:11                e2guardian        99798    Error opening file: /usr/local/etc/e2guardian/lists/blacklists/adult/domains
                Jun 29 00:10:11                e2guardian        99798    Error reading file /usr/local/etc/e2guardian/lists/blacklists/adult/domains: No such file or directory
                Jun 29 00:10:11                e2guardian        99798    Error reading /usr/local/etc/e2guardian/lists/blacklists/adult/domains. Check directory and file permissions. They should be 640 and 750: No such file or directory

                I do recall vaguely there should be a 'trick' to make it work, would you happen to know it?

                Thank you & bye,

                6 and a half billion people know that they are stupid, aggressive, lower life forms.

                1 Reply Last reply Reply Quote 0
                • marcellocM
                  marcelloc
                  last edited by

                  You don't need tinyproxy anymore and maybe you  still have some files from old install.

                  All can be fixed via gui by reapplying blacklist under blacklist tab and then saving config then apply button.


                  1 Reply Last reply Reply Quote 0
                  • J
                    jetberrocal
                    last edited by

                    @pfsensation:

                    @jetberrocal:

                    pfsensation:

                    How do you load the CA certificate to the Android devices?

                    Just wondering how "easy" or complicated it is.

                    Well… I used to use a captive portal that I edited and made people install from. But then with WPAD and squid not having a patch for captive portal. It semi worked. So now for all the devices in the home I've installed the CA. Guest devices rely on splice all filtering (Basically only blacklist based filtering) and I use open dns. So DNS filtering too.

                    Ideally I'm hoping we can get the E2 Guardian devs to add a captive portal feature where clients are asked to install it before they are able to browse and use the Internet.

                    How exactly did you install the CA to the Android devices? Can you provide me a detailed procedure?

                    I found this to be a useful App : https://play.google.com/store/apps/details?id=at.bitfire.cadroid
                    Can you test it?

                    1 Reply Last reply Reply Quote 0
                    • P
                      pfsensation
                      last edited by

                      @jetberrocal:

                      I have a Captive Portal with no authentication that does not have a submit button.  The CP page shows the instructions how to configure the proxy and where to get the certificate. Without the submit button the device can't be registered as authorized in CP.

                      Then I have a folder with the CA certificates served by the web server for download.  I add the certificates extension to the exceptions so they can do the download without being blocked by e2g.

                      The problem that I see now is that for Android devices the certificates are a special kind used only in Android.  Instead of just one crt, according to this link: http://wiki.cacert.org/FAQ/ImportRootCert#Android_Phones_.26_Tablets there are two ('root.crt' and 'class3.crt').

                      Maybe someone with Android experience can shed some light.

                      AFAIK Android does not require special certificates. Just the one root CA to be installed. That's how it is with smoothwall also, you can just install one certificate for both Android and ios devices and have it working.

                      But you keep missing my point. On android the proxy needs to be set explicitly in settings so that https works through the proxy. You can't just NAT it but it seems somehow it can be done… Smoothwall just works without any extra settings needed at all. No explicit proxy setup. This is really what I want. I want all clients to go through the proxy.

                      I'm really not sure what trickery they use, but it just works. End users don't need to fumble around in proxy settings on android.

                      1 Reply Last reply Reply Quote 0
                      • P
                        pfsensation
                        last edited by

                        @jetberrocal:

                        @pfsensation:

                        @jetberrocal:

                        pfsensation:

                        How do you load the CA certificate to the Android devices?

                        Just wondering how "easy" or complicated it is.

                        Well… I used to use a captive portal that I edited and made people install from. But then with WPAD and squid not having a patch for captive portal. It semi worked. So now for all the devices in the home I've installed the CA. Guest devices rely on splice all filtering (Basically only blacklist based filtering) and I use open dns. So DNS filtering too.

                        Ideally I'm hoping we can get the E2 Guardian devs to add a captive portal feature where clients are asked to install it before they are able to browse and use the Internet.

                        How exactly did you install the CA to the Android devices? Can you provide me a detailed procedure?

                        I found this to be a useful App : https://play.google.com/store/apps/details?id=at.bitfire.cadroid
                        Can you test it?

                        I just threw the certificates into the WWW folder of the pfsense box. So then using the android devices I just navigated to my pfsense url and downloaded and installed via usual certificate installer in android.

                        I tested the app. It's useless for me. It requires you to input the url anyways, so why not just install it from the browser? Then you don't need another apk to be installed on all devices.

                        1 Reply Last reply Reply Quote 0
                        • P
                          pfsensation
                          last edited by

                          @Marcelloc

                          Without HTTPS MITM I've had E2Guardian working fine for a day. I've enabled it again and straight away I'm getting errors and crashes. How can I fix this once and for all? I still also somehow have tiny proxy showing in service status, despite not installing it. Perhaps some script needs to be added to wipe out all old files.

                          Here's the logs I got :

                          Jun 29 14:22:02	php-fpm	32691	/pkg.php: Restarting e2g by sending -Q action to e2g binaries
                          Jun 29 14:22:03	php-fpm	37116	/pkg.php: Restarting e2g by sending -Q action to e2g binaries
                          Jun 29 14:22:08	e2guardian	36929	I seem to be running already!
                          Jun 29 14:22:19	check_reload_status		Syncing firewall
                          Jun 29 14:22:19	php-fpm	37907	/pkg_edit.php: [E2guardian] - Save settings package call pr:1 bp: rpc:no
                          Jun 29 14:22:19	check_reload_status		Syncing firewall
                          Jun 29 14:22:20	check_reload_status		Syncing firewall
                          Jun 29 14:22:24	php-fpm	43118	/pkg.php: Restarting e2g by sending -Q action to e2g binaries
                          Jun 29 14:22:30	e2guardian	53036	I seem to be running already!
                          Jun 29 14:22:34	e2guardian	56913	I seem to be running already!
                          Jun 29 14:22:34	root		/usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian
                          Jun 29 14:22:36	e2guardian	57016	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
                          Jun 29 14:22:36	check_reload_status		Syncing firewall
                          Jun 29 14:22:36	php-fpm	55051	/pkg_edit.php: [E2guardian] - Save settings package call pr: bp: rpc:no
                          Jun 29 14:22:36	check_reload_status		Syncing firewall
                          Jun 29 14:22:37	check_reload_status		Syncing firewall
                          Jun 29 14:22:39	php-fpm	66155	/pkg.php: Starting E2guardian
                          Jun 29 14:22:40	php-fpm	73552	/pkg.php: Restarting e2g by sending -Q action to e2g binaries
                          Jun 29 14:22:45	e2guardian	73840	I seem to be running already!
                          Jun 29 14:22:47	e2guardian	80263	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/E7/68/28/
                          Jun 29 14:22:55	e2guardian	12393	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
                          Jun 29 14:23:00	e2guardian	15840	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
                          Jun 29 14:23:10	e2guardian	23274	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
                          Jun 29 14:23:19	e2guardian	28640	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
                          Jun 29 14:23:25	e2guardian	35412	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
                          Jun 29 14:23:30	e2guardian	37220	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
                          Jun 29 14:23:39	e2guardian	43103	I seem to be running already!
                          Jun 29 14:23:40	root		/usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian
                          Jun 29 14:23:41	e2guardian	43759	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
                          Jun 29 14:23:50	e2guardian	74335	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
                          Jun 29 14:24:02	e2guardian	79051	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
                          Jun 29 14:24:03	check_reload_status		Syncing firewall
                          Jun 29 14:24:03	php-fpm	74469	/pkg_edit.php: [E2guardian] - Save settings package call pr: bp: rpc:no
                          Jun 29 14:24:03	check_reload_status		Syncing firewall
                          Jun 29 14:24:04	check_reload_status		Syncing firewall
                          Jun 29 14:24:06	php-fpm	89221	/pkg.php: Restarting e2g by sending -Q action to e2g binaries
                          Jun 29 14:24:06	php-fpm	84621	/pkg.php: Restarting e2g by sending -Q action to e2g binaries
                          Jun 29 14:24:16	e2guardian	97443	I seem to be running already!
                          Jun 29 14:24:16	root		/usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian
                          Jun 29 14:24:16	check_reload_status		Syncing firewall
                          Jun 29 14:24:16	php-fpm	97885	/pkg_edit.php: [E2guardian] - Save settings package call pr:1 bp: rpc:no
                          Jun 29 14:24:17	check_reload_status		Syncing firewall
                          Jun 29 14:24:17	e2guardian	97688	I seem to be running already!
                          Jun 29 14:24:17	e2guardian	98266	I seem to be running already!
                          Jun 29 14:24:18	e2guardian	99780	I seem to be running already!
                          Jun 29 14:24:18	root		/usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian
                          Jun 29 14:24:18	check_reload_status		Syncing firewall
                          Jun 29 14:24:19	php-fpm	97885	/pkg.php: Restarting e2g by sending -Q action to e2g binaries
                          Jun 29 14:24:20	php-fpm	12405	/pkg.php: Restarting e2g by sending -Q action to e2g binaries
                          Jun 29 14:24:25	e2guardian	12333	I seem to be running already!
                          

                          Maybe this is some permission issue? Shouldn't be the case since E2 Guardian runs as root.

                          1 Reply Last reply Reply Quote 0
                          • marcellocM
                            marcelloc
                            last edited by

                            Every time you see a -Q in the logs, it means that you applied the configuration and e2guardian.inc is executing what you defined on the daemon tab.

                            
                            Jun 29 14:22:19	check_reload_status		Syncing firewall
                            Jun 29 14:22:03	php-fpm	37116	/pkg.php: Restarting e2g by sending -Q action to e2g binaries
                            Jun 29 14:22:08	e2guardian	36929	I seem to be running already!
                            
                            

                            When this occurs, it means that the watchdog script started e2guardian while e2guardian.inc was executing the apply config. Not exactly an error, because e2guardian is up and running, but it creates these alerts in the logs.

                            
                            Jun 29 14:22:47	e2guardian	80263	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/E7/68/28/
                            Jun 29 14:22:55	e2guardian	12393	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
                            Jun 29 14:23:00	e2guardian	15840	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
                            Jun 29 14:23:10	e2guardian	23274	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
                            Jun 29 14:23:19	e2guardian	28640	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
                            Jun 29 14:23:25	e2guardian	35412	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
                            Jun 29 14:23:30	e2guardian	37220	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
                            Jun 29 14:23:41	e2guardian	43759	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
                            Jun 29 14:23:50	e2guardian	74335	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
                            Jun 29 14:24:02	e2guardian	79051	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
                            
                            

                            Check if /usr/local/etc/e2guardian/ssl/generatedcerts exists and what permissions it has.
                            This is the dir where MITM saves the generated certs. A few versions back I was removing it on uninstall.


                            1 Reply Last reply Reply Quote 0
                            • P
                              pfsensation
                              last edited by

                              @marcelloc:

                              Every time you see a -Q on logs, means that you applied the configuration and e2guardian.inc is executing what you defined on daemon tab

                              
                              Jun 29 14:22:19	check_reload_status		Syncing firewall
                              Jun 29 14:22:03	php-fpm	37116	/pkg.php: Restarting e2g by sending -Q action to e2g binaries
                              Jun 29 14:22:08	e2guardian	36929	I seem to be running already!
                              
                              

                              When this occurs, means that watchdog script started e2guardian while e2guardian.inc was executing the apply config. Not exactly an error because e2guardian is up and running but creates these alerts on logs.

                              
                              Jun 29 14:22:47	e2guardian	80263	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/E7/68/28/
                              Jun 29 14:22:55	e2guardian	12393	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
                              Jun 29 14:23:00	e2guardian	15840	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
                              Jun 29 14:23:10	e2guardian	23274	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
                              Jun 29 14:23:19	e2guardian	28640	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
                              Jun 29 14:23:25	e2guardian	35412	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
                              Jun 29 14:23:30	e2guardian	37220	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
                              Jun 29 14:23:41	e2guardian	43759	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
                              Jun 29 14:23:50	e2guardian	74335	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
                              Jun 29 14:24:02	e2guardian	79051	error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
                              
                              

                              Check if /usr/local/etc/e2guardian/ssl/generatedcerts exists and what permissions it has
                              This is the dir MITM save the generated certs. Few versions behind I was removing it on uninstall.

                              The permissions the folder "/usr/local/etc/e2guardian/ssl/generatedcerts" has is 644. However since I have MITM off right now, the directory is empty inside. Do you want me to delete this folder and let everything reinstall and regenerate?

                              EDIT: Enabled MITM for my group again and it seems the certs folder is empty. Which means it isn't generating the certs at all.

                              1 Reply Last reply Reply Quote 0
                              • marcellocM
                                marcelloc
                                last edited by

                                @pfsensation:

                                EDIT: Enabled MITM for my group again and it seems the certs folder is empty. Which means it isn't generating the certs at all.

                                check or set it to clamav:nobody

                                
                                chown -R clamav:nobody /usr/local/etc/e2guardian/ssl/
                                
                                

                                my permissions on these dirs are 755


                                1 Reply Last reply Reply Quote 0
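The two checks suggested in the replies above (which certificate sub-directories fail, and whether the generated-certs directory exists with the expected owner and mode), as an added example that is not part of the original posts or the package. The path, `clamav:nobody` and `755` are the values quoted in the thread; the function names and the finding labels are made up for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread or the e2guardian package).
# CERT_DIR, clamav:nobody and 755 are the values quoted in the thread.
CERT_DIR=/usr/local/etc/e2guardian/ssl/generatedcerts

# sample_log: system-log lines copied from the thread, used as test input.
sample_log() {
    cat <<'EOF'
Jun 29 14:22:47 e2guardian 80263 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/E7/68/28/
Jun 29 14:22:55 e2guardian 12393 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Jun 29 14:23:00 e2guardian 15840 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Jun 29 14:23:39 e2guardian 43103 I seem to be running already!
EOF
}

# cert_dir_errors: read log lines on stdin and print "COUNT PATH" for each
# sub-directory e2guardian failed to create, most frequent first.
cert_dir_errors() {
    sed -n 's/.*error creating certificate sub-directory: *//p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# mode_to_octal: convert the symbolic mode printed by ls (drwxr-xr-x) to 755.
mode_to_octal() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (t = 0; t < 3; t++) {
            s = substr($0, 2 + t * 3, 3); v = 0
            if (substr(s, 1, 1) == "r") v += 4
            if (substr(s, 2, 1) == "w") v += 2
            if (substr(s, 3, 1) ~ /[xst]/) v += 1
            out = out v
        }
        print out
    }'
}

# check_certdir DIR OWNER GROUP MODE
# Prints one finding per line; returns 0 when nothing deviates, 1 otherwise.
check_certdir() {
    dir=$1 want_owner=$2 want_group=$3 want_mode=$4
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi
    # ls -ld columns are the same on FreeBSD (pfSense) and Linux; stat(1) flags are not.
    set -- $(ls -ld "$dir" | awk '{ print $1, $3, $4 }')
    sym=$1 owner=$2 group=$3
    mode=$(mode_to_octal "$sym")
    rc=0
    [ "$owner" = "$want_owner" ] || { echo "OWNER $owner (expected $want_owner)"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "GROUP $group (expected $want_group)"; rc=1; }
    [ "$mode" = "$want_mode" ] || { echo "MODE $mode (expected $want_mode)"; rc=1; }
    # Without the search (x) bit a non-root owner cannot create entries in the
    # directory, whatever the read/write bits say.
    case "$sym" in
        d??[xs]*) ;;
        *) echo "NOSEARCH owner has no x bit on $dir"; rc=1 ;;
    esac
    return "$rc"
}

# Run the check only when a directory is passed, e.g.: sh certdir.sh "$CERT_DIR"
if [ -n "${1:-}" ]; then
    check_certdir "$1" clamav nobody 755
fi
```

On the firewall, pipe the system log through `cert_dir_errors` and pass the directory as the first argument to run `check_certdir` against it.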
                                • M
                                  Mr. Jingles
                                  last edited by

                                  @marcelloc:

                                  All can be fixed via gui by reapplying blacklist under blacklist tab and then saving config then apply button.

                                  I'm afraid not, Marcello  :-[

                                  I tried both a reinstall, and an uninstall + install.

                                  Go to blacklist tab: save, download list, reapply list, save.
                                  Go to daemon tab: save, apply.

                                  Please see attached pics.

                                  Thank you  :)

                                  e2guardian_001.jpg
                                  e2guardian_002.jpg
                                  e2guardian_003.jpg
                                  e2guardian_004.jpg


                                  1 Reply Last reply Reply Quote 0
                                  • P
                                    pfsensation
                                    last edited by

                                    @marcelloc:

                                    @pfsensation:

                                    EDIT: Enabled MITM for my group again and it seems the certs folder is empty. Which means it isn't generating the certs at all.

                                    check or set it to clamav:nobody

                                    
                                    chown -R clamav:nobody /usr/local/etc/e2guardian/ssl/
                                    
                                    

                                    my permissions on these dirs are 755

                                    Ran those commands; now no SSL certs are being created at all. Let me try a reinstall, these issues are getting very annoying.

                                    EDIT: Reinstalled now I got MITM back!! :D  E2Guardian is correctly creating the certs again. Strangely enough : /usr/local/etc/e2guardian/ssl/generatedcerts still comes up as empty on FTP.  Even though I connect as root.


                                    The above issue is something I'm getting with HTTPS connections and it stops some services working. For now I have excluded some URL's in order to make some services such as Instagram work. Why is it failing to negotiate SSL connections? Is this due to SSL pinning?

                                    The URL in the screenshot is just an example, I have ads already blocked.

                                    1 Reply Last reply Reply Quote 0
                                    • P
                                      pfsensation
                                      last edited by

                                      @Mr.:

                                      @marcelloc:

                                      All can be fixed via gui by reapplying blacklist under blacklist tab and then saving config then apply button.

                                      I'm afraid not, Marcello  :-[

                                      I tried both a reinstall, and an uninstall + install.

                                      Go to blacklist tab: save, download list, reapply list, save.
                                      Go to daemon tab: save, apply.

                                      Please see attached pics.

                                      Thank you  :)

                                      I had the same issues, try setting permissions to 777. And see if it works, I'm glad that I'm not the only one facing issues. However I am a bit curious as to how everyone else doesn't have these problems.

                                      1 Reply Last reply Reply Quote 0
                                      • M
                                        Mr. Jingles
                                        last edited by

                                        @pfsensation:

                                        @Mr.:

                                        @marcelloc:

                                        All can be fixed via gui by reapplying blacklist under blacklist tab and then saving config then apply button.

                                        I'm afraid not, Marcello  :-[

                                        I tried both a reinstall, and an uninstall + install.

                                        Go to blacklist tab: save, download list, reapply list, save.
                                        Go to daemon tab: save, apply.

                                        Please see attached pics.

                                        Thank you  :)

                                        I had the same issues, try setting permissions to 777. And see if it works, I'm glad that I'm not the only one facing issues. However I am a bit curious as to how everyone else doesn't have these problems.

                                        Thank you, pfsensation  :)

                                        Of course, by now I have no clue which directories  ;D

                                        Would you know?

                                        Thank you.


                                        1 Reply Last reply Reply Quote 0
                                        • J
                                          jetberrocal
                                          last edited by

                                          @pfsensation:

                                          @marcelloc:

                                          @pfsensation:

                                          EDIT: Enabled MITM for my group again and it seems the certs folder is empty. Which means it isn't generating the certs at all.

                                          check or set it to clamav:nobody

                                          
                                          chown -R clamav:nobody /usr/local/etc/e2guardian/ssl/
                                          
                                          

                                          my permissions on these dirs are 755

                                          Run those commands, now no SSL certs are being created at all. Let me try a reinstall, these issues are getting very annoying.

                                          EDIT: Reinstalled now I got MITM back!! :D  E2Guardian is correctly creating the certs again. Strangely enough : /usr/local/etc/e2guardian/ssl/generatedcerts still comes up as empty on FTP.  Even though I connect as root.


                                          The above issue is something I'm getting with HTTPS connections and it stops some services working. For now I have excluded some URL's in order to make some services such as Instagram work. Why is it failing to negotiate SSL connections? Is this due to SSL pinning?

                                          The URL in the screenshot is just an example, I have ads already blocked.

                                          Is e2g blocking the connection?  Sometimes ads are seen by e2g as bad stuff?  Do you see a corresponding line in the e2g log to the logs you're showing? If there is a corresponding line maybe the e2g log gives you the reason for the block and you can refine the e2g config.

                                          1 Reply Last reply Reply Quote 0
                                          • marcellocM
                                            marcelloc
                                            last edited by

                                            @jetberrocal:

                                            Is e2g blocking the connection?  Sometimes ads are seen by e2g as bad stuff?  Do you see a corresponding line in the e2g log to the logs you're showing? If there is a corresponding line maybe the e2g log gives you the reason for the block and you can refine the e2g config.

                                            It's failing to negotiate ssl to the client and consequently denying access to a page it can't connect to. It shows a green icon because the html return code is 200 instead of a 50x. But that error was specifically related to a cert dir permission.


                                            1 Reply Last reply Reply Quote 0