Unofficial E2guardian package for pfSense
-
Thanks marcelloc for your effort, if possible, please provide us exact steps to install and configure for e2guardian. guide will be highly appreciated.
Basic setup is explained in OP and on Github.
@Marcelloc, the search engine tab is still broken in the GUI D: However, wanted to say hats off to you man! Just got this setup in my home environment, no longer in VM. I've only got it setup basically with domain blocking now. I know phrase lists work since I tested in a virtual environment, I will set that up too when I understand how it properly works. As the algorithm of how the system decides a website is good or bad + the options available is slightly overwhelming.
-
e2guardian v 4.1 is stable now. I'll start updating the package for this new version.
Looks like it will not need anymore changes on SO to allow more then 1024 clients. On current compiled version I've set it to 4096 IIRC.
https://github.com/e2guardian/e2guardian/releases
Thank you again for all your hard work, I look very forward to the update! Could you have a look at the issue with the search engine tab also? According to this : https://github.com/e2guardian/e2guardian/issues/216 issues with E2Guardian and Google Chrome should be fixed so which means I can finally enable MITM and get full protection! YAY ;) ;)
Edit: Can't seem to update PfSense after installing this. Is it something to do with the repo? PfSense says it's up to date and on the latest version (2.3.3_1) when 2.3.4 is out.
-
Hello,
Regarding the missed up search engine tab, in pkg_e2guardian_search_acl.xml around line 100 ~ 104, the <field>is miss spilled as <felid>or something like that.
Easily fixed but have no idea how to push back the fix :(
Thanks.</felid></field> -
Hello,
Regarding the missed up search engine tab, in pkg_e2guardian_search_acl.xml around line 100 ~ 104, the <field>is miss spilled as <felid>or something like that.
Easily fixed but have no idea how to push back the fix :(
Thanks.</felid></field>Thanks, I'll push that fix. :)
https://github.com/marcelloc/Unofficial-pfSense-packages/commit/dc5984bf0d04ead4cb1ea1afcbd325cd2c0098f4
-
Thank you again for all your hard work, I look very forward to the update! Could you have a look at the issue with the search engine tab also? According to this : https://github.com/e2guardian/e2guardian/issues/216 issues with E2Guardian and Google Chrome should be fixed so which means I can finally enable MITM and get full protection! YAY ;) ;)
The code is not running that stable on FreeBSD. I've opened a ticket on e2guardian project and sending them information to get it stable on freebsd too.
-
Hello Again
I thought to post this as well.
Since a lot of people are interested in getting MITM working with Chrome 58, I copied the CertificateAuthority.cpp & CertificateAuthority.hpp from version 4.1 to e2guardian v3.5.1 and compiled again (replace the v3.5.1 files with the ones from V4.1)so far it is working nicely and Chrome does not complain anymore.
NOTE: While compiling on FreeBSD, I had to fix the '-lresolv' library not found problem since FreeBSD does not have this library. This is only valid when you want DNSAuthentication.
BR
-
Thank you again for all your hard work, I look very forward to the update! Could you have a look at the issue with the search engine tab also? According to this : https://github.com/e2guardian/e2guardian/issues/216 issues with E2Guardian and Google Chrome should be fixed so which means I can finally enable MITM and get full protection! YAY ;) ;)
The code is not running that stable on FreeBSD. I've opened a ticket on e2guardian project and sending them information to get it stable on freebsd too.
Yeah I just saw it on Github, thanks for the amazing work once again!
However did you look into my issue? I'm unable to update pfsense after installing E2 Guardian, or do I have to uninstall it? When I try updating it just says up to date when it's a version behind the latest release.
-
Hello Again
I thought to post this as well.
Since a lot of people are interested in getting MITM working with Chrome 58, I copied the CertificateAuthority.cpp & CertificateAuthority.hpp from version 4.1 to e2guardian v3.5.1 and compiled again (replace the v3.5.1 files with the ones from V4.1)so far it is working nicely and Chrome does not complain anymore.
NOTE: While compiling on FreeBSD, I had to fix the '-lresolv' library not found problem since FreeBSD does not have this library. This is only valid when you want DNSAuthentication.
BR
How exactly have you got it setup? I'm running into difficulties with MITM again. Have you setup ssl inspection in squid at all? Or you just set it up on E2G, if so which options did you change? Since I tried it using group settings before.
Edit: I have already generated a CA and set it in the general tab.
-
How exactly have you got it setup? I'm running into difficulties with MITM again. Have you setup ssl inspection in squid at all? Or you just set it up on E2G, if so which options did you change? Since I tried it using group settings before.
Edit: I have already generated a CA and set it in the general tab.
yes, I generated a CA and then installed it office wide.
From the pfSense, I used marcelloc install script to prepare everything installing TinyProxy along the way. Not using squid yet, but plan on once I full test the setup. I really need the caching ability of squid.Configuration is a bit messy since some SSL/MITM options are not available in the GUI. I did everything I needed from the GUI i.e. blocking some site, installing blacklists…etc then went on to edit the config files manually to enable MITM.
In e2guardian.conf, the following is checked (these should be done automatically for you when you enable/save the settings in the GUI):
cacertificatepath = '/etc/ssl/demoCA/cacert.pem'
caprivatekeypath = '/etc/ssl/demoCA/private/cakey.pem'
certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem'
generatedcertpath = '/usr/local/etc/e2guardian/ssl/generatedcerts'In e2guardianf1.conf, I made sure the following are configured:
reportinglevel = 3
ssldeniedrewrite = 'on'
htmltemplate = 'template.html'the sslsiteregexplist file did not exist so I Created an empty one... not sure if its needed or not.
sslsiteregexplist = '/usr/local/etc/e2guardian/lists/sslsiteregexplist'
sslmitm = on
Other than, all defaults really.
Previously, MITM was working nice in IE 11 but Chrome complained and refused to work without policy changes. So I compiled the E2G 3.5.1 with the certificate generation code from v4.1 and Chrome is happy now.BR
-
How exactly have you got it setup? I'm running into difficulties with MITM again. Have you setup ssl inspection in squid at all? Or you just set it up on E2G, if so which options did you change? Since I tried it using group settings before.
Edit: I have already generated a CA and set it in the general tab.
yes, I generated a CA and then installed it office wide.
From the pfSense, I used marcelloc install script to prepare everything installing TinyProxy along the way. Not using squid yet, but plan on once I full test the setup. I really need the caching ability of squid.Configuration is a bit messy since some SSL/MITM options are not available in the GUI. I did everything I needed from the GUI i.e. blocking some site, installing blacklists…etc then went on to edit the config files manually to enable MITM.
In e2guardian.conf, the following is checked (these should be done automatically for you when you enable/save the settings in the GUI):
cacertificatepath = '/etc/ssl/demoCA/cacert.pem'
caprivatekeypath = '/etc/ssl/demoCA/private/cakey.pem'
certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem'
generatedcertpath = '/usr/local/etc/e2guardian/ssl/generatedcerts'In e2guardianf1.conf, I made sure the following are configured:
reportinglevel = 3
ssldeniedrewrite = 'on'
htmltemplate = 'template.html'the sslsiteregexplist file did not exist so I Created an empty one... not sure if its needed or not.
sslsiteregexplist = '/usr/local/etc/e2guardian/lists/sslsiteregexplist'
sslmitm = on
Other than, all defaults really.
Previously, MITM was working nice in IE 11 but Chrome complained and refused to work without policy changes. So I compiled the E2G 3.5.1 with the certificate generation code from v4.1 and Chrome is happy now.BR
Thank you very much for that detailed explanation bro. Perhaps since 4.1 isn't stable enough on FreeBSD yet, maybe Marcelloc could update his package to add the Chrome SAN patch and make it possible to fully configure SSL mitm from the GUI. However I will try enabling it manually like you did. Unfortunately, what I'm most worried about at the minute is the fact that pfsense doesn't update after installing E2G. I'm stuck on 2.3.3.
-
However I will try enabling it manually like you did. Unfortunately, what I'm most worried about at the minute is the fact that pfsense doesn't update after installing E2G. I'm stuck on 2.3.3.
Just in case you have problems to update to 2.3.4-RELEASE because of bugged pkg:
https://forum.pfsense.org/index.php?topic=130071.msg716776#msg716776
-
Hello Again
I thought to post this as well.
Since a lot of people are interested in getting MITM working with Chrome 58, I copied the CertificateAuthority.cpp & CertificateAuthority.hpp from version 4.1 to e2guardian v3.5.1 and compiled again (replace the v3.5.1 files with the ones from V4.1)I'm buiding it with these changes and 4096 max clients util 4.1 is fine on FreeBSD . Thanks for the contribution.
EDIT: Done
https://github.com/marcelloc/Unofficial-pfSense-packages/commit/36678fe4cb3868065f5f84d90796c76fe515045c -
In e2guardian.conf, the following is checked (these should be done automatically for you when you enable/save the settings in the GUI):
cacertificatepath = '/etc/ssl/demoCA/cacert.pem'
caprivatekeypath = '/etc/ssl/demoCA/private/cakey.pem'
certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem'
generatedcertpath = '/usr/local/etc/e2guardian/ssl/generatedcerts'In e2guardianf1.conf, I made sure the following are configured:
reportinglevel = 3
ssldeniedrewrite = 'on'
htmltemplate = 'template.html'the sslsiteregexplist file did not exist so I Created an empty one… not sure if its needed or not.
sslsiteregexplist = '/usr/local/etc/e2guardian/lists/sslsiteregexplist'
sslmitm = on
Also included on package
https://github.com/marcelloc/Unofficial-pfSense-packages/commit/f83a44d1ef96ec2a81d785ac6695072c9aa99e8d -
However I will try enabling it manually like you did. Unfortunately, what I'm most worried about at the minute is the fact that pfsense doesn't update after installing E2G. I'm stuck on 2.3.3.
Just in case you have problems to update to 2.3.4-RELEASE because of bugged pkg:
https://forum.pfsense.org/index.php?topic=130071.msg716776#msg716776
Thank you very much that small guide on fixing the issue. It's weird though, no one else seems to have reported it. I will try this out and see if my pfsense finally updates after I get back home.
-
Have you already updated the package? Would love to get Chrome working with MITM.
yes. :)
I'll start testing on my vm soon.
-
Have you already updated the package? Would love to get Chrome working with MITM.
yes. :)
I'll start testing on my vm soon.
Awesome!
Is there a way to exclude URL's and IP's? For example in Squid we can set certain URL's/IP's to bypass the proxy altogether. This is useful in situations where apps have certificate pinning enabled and will not accept any other certification other than the one the developer has baked in. Not sure if there's a way to do this already (maybe exclusions section?), but definitely need this when I do enable HTTPS MITM, since it is a home network and a lot of mobile devices will be on it.
-
So I was looking through the source code of the smoothwall block page at my college, hoping that I could play around with it and tinker it a bit to work with E2Guardian at home just for the lulz or just see how modified it is from the Dansguardian it started from.
I ended up finding a lot of interesting stuff such as how they optimise loading using base64 stuff, RegEx like code, and some interesting javascript implementations to load up a CA cert popup. In addition to that, adding code to increase compatibility with browsers and as such.
Could you have a look through it Marcello, and see if anything useful could be extracted from this and used in E2Guardian? I've already managed to try things like base64 encoding with E2G logo, it does seem slightly quicker. For organisations where many devices and block pages are presented, this may help a tonne and speed things up while reducing load on the server.Link to source: https://ybin.me/p/f3e93b53881d53d1#wDDjXNWK8ThA//iIuYtOOJLkxDRPWN3ygvRSrVJgQbo=
-
Have you already updated the package? Would love to get Chrome working with MITM.
yes. :)
I'll start testing on my vm soon.
Awesome!
Is there a way to exclude URL's and IP's?
You mean a do way to do not connect to e2guardian based on ip or hosts? If so, as package do not has a transparent proxy configuration implemented yet, you can do it on proxy configuration tab on your browser.
If you create more then one group on e2guardian, you can do an ip based authentication, and allow some source ips to do not be filtered by your proxy rules. -
Could you have a look through it Marcello, and see if anything useful could be extracted from this and used in E2Guardian?
Sure. I'll se it as soon as possible. Thank's for the contribution. :)
-
Have you already updated the package? Would love to get Chrome working with MITM.
yes. :)
I'll start testing on my vm soon.
Awesome!
Is there a way to exclude URL's and IP's?
You mean a do way to do not connect to e2guardian based on ip or hosts? If so, as package do not has a transparent proxy configuration implemented yet, you can do it on proxy configuration tab on your browser.
If you create more then one group on e2guardian, you can do an ip based authentication, and allow some source ips to do not be filtered by your proxy rules.I meant the destination IP's. For example, dropbox has SSL pinning, therefore it needs to completely bypass E2Guardian, and it's inspection. It won't accept nor work with a mimicked certificate. There's a couple more examples of certain programs I can give that won't work with SSL decryption or any type of inspection, such as Discord, Skype etc. Therefore if you can make an option to do this, that would be very helpful so those programs can connect directly to the internet.
Hope that made sense.
Thanks a lot for the continued work! :)
EDIT: Not sure if you've had a chance to take a look. But Fred B, has replied to your issue report on GitHub.