Unofficial E2guardian package for pfSense
-
pfsensation:
How do you load the CA certificate to the Android devices?
Just wondering how "easy" or complicated it is.
-
pfsensation:
How do you load the CA certificate to the Android devices?
Just wondering how "easy" or complicated it is.
Well… I used to use a captive portal that I edited and made people install from. But then with WPAD and squid not having a patch for captive portal, it semi worked. So now for all the devices in the home I've installed the CA. Guest devices rely on splice-all filtering (basically only blacklist-based filtering) and I use OpenDNS, so DNS filtering too.
Ideally I'm hoping we can get the E2Guardian devs to add a captive portal feature where clients are asked to install it before they are able to browse and use the Internet.
-
Ideally I'm hoping we can get the E2Guardian devs to add a captive portal feature where clients are asked to install it before they are able to browse and use the Internet.
If you change to fully report, you can point it to the captive portal login. Then you create a Default ACL that accepts only the captive portal page.
-
I have a Captive Portal with no authentication that does not have a submit button. The CP page shows the instructions on how to configure the proxy and where to get the certificate. Without the submit button the device can't be registered as authorized in CP.
Then I have a folder with the CA certificates served by the web server for download. I add the certificate extension to the exceptions so they can do the download without being blocked by e2g.
The problem that I see now is that for Android devices the certificates are a special kind used only in Android. Instead of just one crt, according to this link: http://wiki.cacert.org/FAQ/ImportRootCert#Android_Phones_.26_Tablets there are two ('root.crt' and 'class3.crt').
Maybe someone with Android experience can shed some light.
-
Hi Marcello,
I decided to try again.
Installed via package manager. Tinyproxy first, E2Guardian second. I pressed 'save' first in the blacklist tab, then 'download', then 'apply'. The GUI in the top right corner gave me 8 messages about the blacklist being applied. However, in status/services, E2guardian was not running (red cross), and clicking start also doesn't make it run.
System log:
Jun 29 00:10:11 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian
Jun 29 00:10:11 e2guardian 99798 Error parsing the e2guardian.conf file or other e2guardian configuration files
Jun 29 00:10:11 e2guardian 99798 Error reading filter group conf file(s).
Jun 29 00:10:11 e2guardian 99798 Error opening filter group config: /usr/local/etc/e2guardian/e2guardianf1.conf
Jun 29 00:10:11 e2guardian 99798 Error opening bannedsitelist
Jun 29 00:10:11 e2guardian 99798 Error reading file: /usr/local/etc/e2guardian/lists/bannedsitelist.g_Default
Jun 29 00:10:11 e2guardian 99798 Error opening file: /usr/local/etc/e2guardian/lists/blacklists/adult/domains
Jun 29 00:10:11 e2guardian 99798 Error reading file /usr/local/etc/e2guardian/lists/blacklists/adult/domains: No such file or directory
Jun 29 00:10:11 e2guardian 99798 Error reading /usr/local/etc/e2guardian/lists/blacklists/adult/domains. Check directory and file permissions. They should be 640 and 750: No such file or directory
I do recall vaguely there should be a 'trick' to make it work, would you happen to know it?
Thank you & bye,
-
You don't need tinyproxy anymore, and maybe you still have some files from the old install.
All can be fixed via the GUI by reapplying the blacklist under the blacklist tab, then saving the config, then the apply button.
-
pfsensation:
How do you load the CA certificate to the Android devices?
Just wondering how "easy" or complicated it is.
Well… I used to use a captive portal that I edited and made people install from. But then with WPAD and squid not having a patch for captive portal, it semi worked. So now for all the devices in the home I've installed the CA. Guest devices rely on splice-all filtering (basically only blacklist-based filtering) and I use OpenDNS, so DNS filtering too.
Ideally I'm hoping we can get the E2Guardian devs to add a captive portal feature where clients are asked to install it before they are able to browse and use the Internet.
How exactly did you install the CA on the Android devices? Can you provide me a detailed procedure?
I found this to be a useful app: https://play.google.com/store/apps/details?id=at.bitfire.cadroid
Can you test it?
-
I have a Captive Portal with no authentication that does not have a submit button. The CP page shows the instructions on how to configure the proxy and where to get the certificate. Without the submit button the device can't be registered as authorized in CP.
Then I have a folder with the CA certificates served by the web server for download. I add the certificate extension to the exceptions so they can do the download without being blocked by e2g.
The problem that I see now is that for Android devices the certificates are a special kind used only in Android. Instead of just one crt, according to this link: http://wiki.cacert.org/FAQ/ImportRootCert#Android_Phones_.26_Tablets there are two ('root.crt' and 'class3.crt').
Maybe someone with Android experience can shed some light.
AFAIK Android does not require special certificates. Just the one root CA to be installed. That's how it is with smoothwall also, you can just install one certificate for both Android and iOS devices and have it working.
But you keep missing my point. On android the proxy needs to be set explicitly in settings so that https works through the proxy. You can't just NAT it but it seems somehow it can be done… Smoothwall just works without any extra settings needed at all. No explicit proxy setup. This is really what I want. I want all clients to go through the proxy.
I'm really not sure what trickery they use, but it just works. End users don't need to fumble around in proxy settings on android.
-
pfsensation:
How do you load the CA certificate to the Android devices?
Just wondering how "easy" or complicated it is.
Well… I used to use a captive portal that I edited and made people install from. But then with WPAD and squid not having a patch for captive portal, it semi worked. So now for all the devices in the home I've installed the CA. Guest devices rely on splice-all filtering (basically only blacklist-based filtering) and I use OpenDNS, so DNS filtering too.
Ideally I'm hoping we can get the E2Guardian devs to add a captive portal feature where clients are asked to install it before they are able to browse and use the Internet.
How exactly did you install the CA on the Android devices? Can you provide me a detailed procedure?
I found this to be a useful app: https://play.google.com/store/apps/details?id=at.bitfire.cadroid
Can you test it?
I just threw the certificates into the WWW folder of the pfSense box. So then using the Android devices I just navigated to my pfSense URL and downloaded and installed via the usual certificate installer in Android.
I tested the app. It's useless for me. It requires you to input the url anyways, so why not just install it from the browser? Then you don't need another apk to be installed on all devices.
-
Without HTTPS MITM I've had E2Guardian working fine for a day. I've enabled it again and straight away I'm getting errors and crashes. How can I fix this once and for all? I still also somehow have tinyproxy showing in service status, despite not installing it. Perhaps some script needs to be added to wipe out all old files.
Here's the logs I got:
Jun 29 14:22:02 php-fpm 32691 /pkg.php: Restarting e2g by sending -Q action to e2g binaries
Jun 29 14:22:03 php-fpm 37116 /pkg.php: Restarting e2g by sending -Q action to e2g binaries
Jun 29 14:22:08 e2guardian 36929 I seem to be running already!
Jun 29 14:22:19 check_reload_status Syncing firewall
Jun 29 14:22:19 php-fpm 37907 /pkg_edit.php: [E2guardian] - Save settings package call pr:1 bp: rpc:no
Jun 29 14:22:19 check_reload_status Syncing firewall
Jun 29 14:22:20 check_reload_status Syncing firewall
Jun 29 14:22:24 php-fpm 43118 /pkg.php: Restarting e2g by sending -Q action to e2g binaries
Jun 29 14:22:30 e2guardian 53036 I seem to be running already!
Jun 29 14:22:34 e2guardian 56913 I seem to be running already!
Jun 29 14:22:34 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian
Jun 29 14:22:36 e2guardian 57016 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Jun 29 14:22:36 check_reload_status Syncing firewall
Jun 29 14:22:36 php-fpm 55051 /pkg_edit.php: [E2guardian] - Save settings package call pr: bp: rpc:no
Jun 29 14:22:36 check_reload_status Syncing firewall
Jun 29 14:22:37 check_reload_status Syncing firewall
Jun 29 14:22:39 php-fpm 66155 /pkg.php: Starting E2guardian
Jun 29 14:22:40 php-fpm 73552 /pkg.php: Restarting e2g by sending -Q action to e2g binaries
Jun 29 14:22:45 e2guardian 73840 I seem to be running already!
Jun 29 14:22:47 e2guardian 80263 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/E7/68/28/
Jun 29 14:22:55 e2guardian 12393 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Jun 29 14:23:00 e2guardian 15840 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Jun 29 14:23:10 e2guardian 23274 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Jun 29 14:23:19 e2guardian 28640 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
Jun 29 14:23:25 e2guardian 35412 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Jun 29 14:23:30 e2guardian 37220 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
Jun 29 14:23:39 e2guardian 43103 I seem to be running already!
Jun 29 14:23:40 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian
Jun 29 14:23:41 e2guardian 43759 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
Jun 29 14:23:50 e2guardian 74335 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
Jun 29 14:24:02 e2guardian 79051 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Jun 29 14:24:03 check_reload_status Syncing firewall
Jun 29 14:24:03 php-fpm 74469 /pkg_edit.php: [E2guardian] - Save settings package call pr: bp: rpc:no
Jun 29 14:24:03 check_reload_status Syncing firewall
Jun 29 14:24:04 check_reload_status Syncing firewall
Jun 29 14:24:06 php-fpm 89221 /pkg.php: Restarting e2g by sending -Q action to e2g binaries
Jun 29 14:24:06 php-fpm 84621 /pkg.php: Restarting e2g by sending -Q action to e2g binaries
Jun 29 14:24:16 e2guardian 97443 I seem to be running already!
Jun 29 14:24:16 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian
Jun 29 14:24:16 check_reload_status Syncing firewall
Jun 29 14:24:16 php-fpm 97885 /pkg_edit.php: [E2guardian] - Save settings package call pr:1 bp: rpc:no
Jun 29 14:24:17 check_reload_status Syncing firewall
Jun 29 14:24:17 e2guardian 97688 I seem to be running already!
Jun 29 14:24:17 e2guardian 98266 I seem to be running already!
Jun 29 14:24:18 e2guardian 99780 I seem to be running already!
Jun 29 14:24:18 root /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian
Jun 29 14:24:18 check_reload_status Syncing firewall
Jun 29 14:24:19 php-fpm 97885 /pkg.php: Restarting e2g by sending -Q action to e2g binaries
Jun 29 14:24:20 php-fpm 12405 /pkg.php: Restarting e2g by sending -Q action to e2g binaries
Jun 29 14:24:25 e2guardian 12333 I seem to be running already!
Maybe this is some permission issue? Shouldn't be the case since E2 Guardian runs as root.
-
Every time you see a -Q in the logs, it means that you applied the configuration and e2guardian.inc is executing what you defined on the daemon tab.
Jun 29 14:22:19 check_reload_status Syncing firewall
Jun 29 14:22:03 php-fpm 37116 /pkg.php: Restarting e2g by sending -Q action to e2g binaries
Jun 29 14:22:08 e2guardian 36929 I seem to be running already!
When this occurs, it means that the watchdog script started e2guardian while e2guardian.inc was executing the apply config. Not exactly an error, because e2guardian is up and running, but it creates these alerts in the logs.
Jun 29 14:22:47 e2guardian 80263 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/E7/68/28/
Jun 29 14:22:55 e2guardian 12393 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Jun 29 14:23:00 e2guardian 15840 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Jun 29 14:23:10 e2guardian 23274 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Jun 29 14:23:19 e2guardian 28640 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
Jun 29 14:23:25 e2guardian 35412 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Jun 29 14:23:30 e2guardian 37220 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
Jun 29 14:23:41 e2guardian 43759 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
Jun 29 14:23:50 e2guardian 74335 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
Jun 29 14:24:02 e2guardian 79051 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Check if /usr/local/etc/e2guardian/ssl/generatedcerts exists and what permissions it has.
This is the dir where MITM saves the generated certs. A few versions back I was removing it on uninstall.
-
Every time you see a -Q in the logs, it means that you applied the configuration and e2guardian.inc is executing what you defined on the daemon tab.
Jun 29 14:22:19 check_reload_status Syncing firewall
Jun 29 14:22:03 php-fpm 37116 /pkg.php: Restarting e2g by sending -Q action to e2g binaries
Jun 29 14:22:08 e2guardian 36929 I seem to be running already!
When this occurs, it means that the watchdog script started e2guardian while e2guardian.inc was executing the apply config. Not exactly an error, because e2guardian is up and running, but it creates these alerts in the logs.
Jun 29 14:22:47 e2guardian 80263 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/E7/68/28/
Jun 29 14:22:55 e2guardian 12393 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Jun 29 14:23:00 e2guardian 15840 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Jun 29 14:23:10 e2guardian 23274 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Jun 29 14:23:19 e2guardian 28640 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
Jun 29 14:23:25 e2guardian 35412 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Jun 29 14:23:30 e2guardian 37220 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
Jun 29 14:23:41 e2guardian 43759 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
Jun 29 14:23:50 e2guardian 74335 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/24/23/4C/
Jun 29 14:24:02 e2guardian 79051 error creating certificate sub-directory: /usr/local/etc/e2guardian/ssl/generatedcerts/47/50/89/
Check if /usr/local/etc/e2guardian/ssl/generatedcerts exists and what permissions it has.
This is the dir where MITM saves the generated certs. A few versions back I was removing it on uninstall.
The permissions the folder "/usr/local/etc/e2guardian/ssl/generatedcerts" has are 644. However, since I have MITM off right now, the directory is empty inside. Do you want me to delete this folder and let everything reinstall and regenerate?
EDIT: Enabled MITM for my group again and it seems the certs folder is empty. Which means it isn't generating the certs at all.
-
EDIT: Enabled MITM for my group again and it seems the certs folder is empty. Which means it isn't generating the certs at all.
check or set it to clamav:nobody
chown -R clamav:nobody /usr/local/etc/e2guardian/ssl/
my permissions on these dirs are 755
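An added example, not code from the package or from anyone in this thread, that scripts the check the reply above describes: it walks the E2guardian ssl tree and reports every directory that is missing, not mode 755, or not owned by the expected user and group (clamav:nobody on the poster's box). The path and the owner come from the thread; the environment variables and the scratch-tree usage are assumptions.

```shell
#!/bin/sh
# Added example, not code from the package or the thread. Walks the directory
# tree E2guardian writes MITM-generated certificates into and reports every
# directory that is missing, not mode 755, or not owned by the expected
# user:group (the reply above uses clamav:nobody). Nothing is changed here;
# the chown -R line in the thread remains the fix.

# check_e2g_ssl_dir DIR USER GROUP
# Prints one line per finding and returns 0 only when DIR matches all three.
check_e2g_ssl_dir() {
    dir=$1; want_user=$2; want_group=$3
    status=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir (e2guardian cannot create generatedcerts/XX/YY/ZZ/ under it)"
        return 1
    fi
    # -maxdepth 0 tests the directory itself. -perm 755 is an exact match and
    # -user/-group behave the same on FreeBSD (pfSense) and GNU find.
    if [ -z "$(find "$dir" -maxdepth 0 -perm 755)" ]; then
        echo "MODE    $dir is not 755"
        status=1
    fi
    if [ -z "$(find "$dir" -maxdepth 0 -user "$want_user" 2>/dev/null)" ]; then
        echo "OWNER   $dir is not owned by $want_user"
        status=1
    fi
    if [ -z "$(find "$dir" -maxdepth 0 -group "$want_group" 2>/dev/null)" ]; then
        echo "GROUP   $dir is not in group $want_group"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK      $dir"
    return "$status"
}

# check_e2g_ssl_tree ROOT USER GROUP
# Applies check_e2g_ssl_dir to ROOT and every directory below it (the
# generatedcerts/XX/YY/ZZ/ hierarchy seen in the logs). These paths never
# contain whitespace, so plain word splitting of find's output is acceptable.
check_e2g_ssl_tree() {
    root=$1; rc=0
    if [ ! -d "$root" ]; then
        echo "MISSING $root"
        return 1
    fi
    for d in $(find "$root" -type d); do
        check_e2g_ssl_dir "$d" "$2" "$3" || rc=1
    done
    return "$rc"
}

# Usage on a pfSense box (assumed owner clamav:nobody, as in the thread):
#   sh check_e2g_ssl.sh /usr/local/etc/e2guardian/ssl
# With no argument nothing runs, so the file can also be sourced.
if [ $# -gt 0 ]; then
    check_e2g_ssl_tree "$1" "${E2G_USER:-clamav}" "${E2G_GROUP:-nobody}"
fi
```

A non-zero exit status means at least one directory needs the chown/chmod from the reply; rerun after fixing and it should print only OK lines.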
-
All can be fixed via the GUI by reapplying the blacklist under the blacklist tab, then saving the config, then the apply button.
I'm afraid not, Marcello :-[
I tried both a reinstall, and an uninstall + install.
Go to blacklist tab: save, download list, reapply list, save.
Go to daemon tab: save, apply.
Please see attached pics.
Thank you :)
-
EDIT: Enabled MITM for my group again and it seems the certs folder is empty. Which means it isn't generating the certs at all.
check or set it to clamav:nobody
chown -R clamav:nobody /usr/local/etc/e2guardian/ssl/
my permissions on these dirs are 755
Run those commands, now no SSL certs are being created at all. Let me try a reinstall, these issues are getting very annoying.
EDIT: Reinstalled now I got MITM back!! :D E2Guardian is correctly creating the certs again. Strangely enough : /usr/local/etc/e2guardian/ssl/generatedcerts still comes up as empty on FTP. Even though I connect as root.
The above issue is something I'm getting with HTTPS connections and it stops some services working. For now I have excluded some URLs in order to make some services such as Instagram work. Why is it failing to negotiate SSL connections? Is this due to SSL pinning?
The URL in the screenshot is just an example, I have ads already blocked.
-
@Mr.:
All can be fixed via the GUI by reapplying the blacklist under the blacklist tab, then saving the config, then the apply button.
I'm afraid not, Marcello :-[
I tried both a reinstall, and an uninstall + install.
Go to blacklist tab: save, download list, reapply list, save.
Go to daemon tab: save, apply.
Please see attached pics.
Thank you :)
I had the same issues, try setting permissions to 777 and see if it works. I'm glad that I'm not the only one facing issues. However, I am a bit curious as to how everyone else doesn't have these problems.
-
@Mr.:
All can be fixed via the GUI by reapplying the blacklist under the blacklist tab, then saving the config, then the apply button.
I'm afraid not, Marcello :-[
I tried both a reinstall, and an uninstall + install.
Go to blacklist tab: save, download list, reapply list, save.
Go to daemon tab: save, apply.
Please see attached pics.
Thank you :)
I had the same issues, try setting permissions to 777 and see if it works. I'm glad that I'm not the only one facing issues. However, I am a bit curious as to how everyone else doesn't have these problems.
Thank you, pfsensation :)
Of course, by now I have no clue which directories ;D
Would you know?
Thank you.
-
EDIT: Enabled MITM for my group again and it seems the certs folder is empty. Which means it isn't generating the certs at all.
check or set it to clamav:nobody
chown -R clamav:nobody /usr/local/etc/e2guardian/ssl/
my permissions on these dirs are 755
Run those commands, now no SSL certs are being created at all. Let me try a reinstall, these issues are getting very annoying.
EDIT: Reinstalled now I got MITM back!! :D E2Guardian is correctly creating the certs again. Strangely enough : /usr/local/etc/e2guardian/ssl/generatedcerts still comes up as empty on FTP. Even though I connect as root.
The above issue is something I'm getting with HTTPS connections and it stops some services working. For now I have excluded some URLs in order to make some services such as Instagram work. Why is it failing to negotiate SSL connections? Is this due to SSL pinning?
The URL in the screenshot is just an example, I have ads already blocked.
Is e2g blocking the connection? Sometimes ads are seen by e2g as bad stuff. Do you see a corresponding line in the e2g log to the logs you're showing? If there is a corresponding line, maybe the e2g log gives you the reason for the block and you can refine the e2g config.
-
Is e2g blocking the connection? Sometimes ads are seen by e2g as bad stuff. Do you see a corresponding line in the e2g log to the logs you're showing? If there is a corresponding line, maybe the e2g log gives you the reason for the block and you can refine the e2g config.
It's failing to negotiate SSL to the client and consequently denying access to a page it can't connect to. It shows a green icon because the HTML return code is 200 instead of a 50x. But that error was specifically related to a cert dir permission.
-
The latest e2guardian code updates fixed most crashes with SSL connections. I've pushed it to the Unofficial repo right now.
If you want to update the BSD package, exec on the console:
pkg install -f e2guardian
This will update the binaries to version 4.1.1_12. Check with
pkg info | grep -i e2g
After that, save and apply config on GUI.