Netgate Discussion Forum

    Squid Proxy through VPN Client

    • vikaskundu

      Hi Steve, pfSense has been constantly crashing after I completed some pending system updates. I have the error log files; where am I supposed to send them?

      Vikas

      • stephenw10 (Netgate Administrator)

        This seems unrelated. Please open a new thread in Installation and Upgrades and give us as much detail as you can about what happened.

        Steve

        • KR (replying to stephenw10)

          @stephenw10 I tried this myself and rebooted pfSense. The result is that it is now down, with the default gateway as my OpenVPN connection. Seems like a loop to me, since the OpenVPN client on pfSense needs to see the WAN in order to establish a tunnel, but now that the default is VPNWAN, is it looking to itself? Is it getting confused?

          I wonder if the 2nd pfSense instance is the better way to go. How may I get it to see the firewall (the first pfSense instance)?

          Thanks.

          • stephenw10 (Netgate Administrator)

            Remote VPN connections are added as static routes to the system routing table via whatever interface you have chosen, so they will not try to establish the VPN over the default route if that is the VPN.

            One additional thing you can actually do here is to set which interface Squid uses for outgoing queries and specify the OpenVPN address there. In the 'Custom Options (Before Auth)' field:
            tcp_outgoing_address 172.21.16.211

            Of course you need to know what the OpenVPN interface address will be for that, which might be an issue.

            Using Squid running externally allows a lot more options. Whatever it's running on should have the main firewall set as its default gateway; it will route outgoing requests to it automatically.

            Steve

            • lemonsieur

              I wonder if it's possible to route traffic depending on the user. I checked that pf has an option to filter sockets owned by a specified user, though pfSense doesn't show this option in the interface. I think it would be the case for routing Squid sockets to the VPN.

              • stephenw10 (Netgate Administrator, replying to lemonsieur)

                If you can set an ACL to match that client's traffic you can probably set an outgoing address for it.
                That would not be in pf, though; traffic going through the firewall does not use sockets owned by that user. It would require users to log in to Squid and a bunch of custom options.

                Steve

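Steve's two suggestions above (the `tcp_outgoing_address` custom option, with the caveat that the OpenVPN address has to be known, and an ACL that gives one client's traffic its own outgoing address) as one added example. This is editor-written shell for a pfSense (FreeBSD) box, not code from the thread, from pfSense or from the Squid package: it reads the tunnel address out of `ifconfig` output for the OpenVPN client interface and emits the text for the 'Custom Options (Before Auth)' field, so the address does not have to be typed in by hand. Assumptions: the client interface is ovpnc1 (pfSense's name for the first OpenVPN client), the ACL name `via_vpn` and the 192.168.1.0/24 client subnet are invented for the example, and the `ifconfig` text in the script is a constructed sample rather than captured output.

```sh
#!/bin/sh
# Added example (editor's, not from the thread): generate Squid's
# tcp_outgoing_address option from the live OpenVPN client address on pfSense.
#
# Assumptions: ovpnc1 is the OpenVPN client interface; the ACL name "via_vpn"
# and the 192.168.1.0/24 client subnet are made up for the example; the
# SAMPLE_IFCONFIG text is a constructed sample of `ifconfig ovpnc1` output.

# Print the local IPv4 address of a point-to-point interface, given ifconfig(8)
# text. Only the first "inet" line matches; "inet6" lines do not.
ovpn_local_addr() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# Emit the 'Custom Options (Before Auth)' text. With a client subnet given,
# only requests from that subnet are bound to the VPN address (Squid picks the
# outgoing source address per matching ACL); everything else keeps the default.
# Returns 1 when no address is available so a half-written config is not used.
squid_outgoing_options() {
    addr="$1"
    subnet="$2"
    [ -n "$addr" ] || return 1
    if [ -n "$subnet" ]; then
        printf 'acl via_vpn src %s\n' "$subnet"
        printf 'tcp_outgoing_address %s via_vpn\n' "$addr"
    else
        printf 'tcp_outgoing_address %s\n' "$addr"
    fi
}

# Constructed sample; on a real box use: ifconfig ovpnc1
SAMPLE_IFCONFIG='ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet6 fe80::1%ovpnc1 prefixlen 64 scopeid 0xb
        inet 172.21.16.211 --> 172.21.16.1 netmask 0xffffffff
        groups: tun openvpn'

main() {
    addr=$(ovpn_local_addr "$SAMPLE_IFCONFIG")
    [ -n "$addr" ] || { echo "no IPv4 address on ovpnc1 (tunnel down?)" >&2; exit 1; }
    echo "# all proxied traffic bound to the VPN address:"
    squid_outgoing_options "$addr"
    echo "# only 192.168.1.0/24 bound to the VPN address:"
    squid_outgoing_options "$addr" 192.168.1.0/24
}

main
```

Two caveats a practitioner will want. First, binding Squid's source address does not by itself select the tunnel: FreeBSD routes by destination, so unless the VPN is the default gateway or a route or policy rule already sends that traffic out ovpnc1, the packets would leave the WAN carrying the tunnel address as their source. Second, because the tunnel address is dynamic, the generated text has to be regenerated and Squid reloaded each time the OpenVPN client reconnects, which is the problem the thread keeps returning to.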
                • lemonsieur

                  I meant the user that Squid uses to run as a process, which is also named squid on pfSense. In this case, all the traffic from the Squid process running as the squid user would go out through the VPN.

                  Something like this rule (I haven't tested it and I'm not sure if it's a correct rule):

                  pass out quick route-to (ovpnc1 10.10.10.10) proto { tcp, udp } user squid label "Route squid traffic to VPN"
                  
                  • stephenw10 (Netgate Administrator)

                    Mmm, I don't think that will work even without the user part.

                    You are trying to apply an outbound rule with a gateway set (route-to) to all interfaces, because you don't know where it will be leaving. But it hits that rule as it leaves an interface, by which time it's too late to apply it.

                    You certainly can't do that in the pfSense GUI for that reason. Policy routing rules have to be on the inbound interface.

                    Steve

                    • lemonsieur

                      I see. As I'm not an expert, I just read the pf.conf manual regarding the user option and thought it could also be used in conjunction with route-to.

                      As you stated before, and which is my case, knowing the VPN address is an issue as it is dynamic. Therefore the only way is to have Squid off the firewall.

                      Thanks for the clarification.

                      • stephenw10 (Netgate Administrator)

                        Yes, running Squid off the firewall is often a better option when you need a custom setup like this, even if that's another pfSense instance. Though there are better options for just hosting Squid; pfSense is not optimised as a server.

                        Steve

                        • lemonsieur

                          Just for the record, I've managed my case by adding static routes, as I only needed Cloudflare routed to the VPN. Why route Cloudflare? Extensive threats against my clients, abusing CL as a way to evade detection by filtering either by country or by VPNs.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.