Unofficial E2guardian package for pfSense
-
Thank you again for all your hard work, I look very forward to the update! Could you have a look at the issue with the search engine tab also? According to this : https://github.com/e2guardian/e2guardian/issues/216 issues with E2Guardian and Google Chrome should be fixed so which means I can finally enable MITM and get full protection! YAY ;) ;)
The code is not running that stable on FreeBSD. I've opened a ticket on e2guardian project and sending them information to get it stable on freebsd too.
Yeah I just saw it on Github, thanks for the amazing work once again!
However did you look into my issue? I'm unable to update pfsense after installing E2 Guardian, or do I have to uninstall it? When I try updating it just says up to date when it's a version behind the latest release.
-
Hello Again
I thought to post this as well.
Since a lot of people are interested in getting MITM working with Chrome 58, I copied the CertificateAuthority.cpp & CertificateAuthority.hpp from version 4.1 to e2guardian v3.5.1 and compiled again (replace the v3.5.1 files with the ones from V4.1)so far it is working nicely and Chrome does not complain anymore.
NOTE: While compiling on FreeBSD, I had to fix the '-lresolv' library not found problem since FreeBSD does not have this library. This is only valid when you want DNSAuthentication.
BR
How exactly have you got it setup? I'm running into difficulties with MITM again. Have you setup ssl inspection in squid at all? Or you just set it up on E2G, if so which options did you change? Since I tried it using group settings before.
Edit: I have already generated a CA and set it in the general tab.
-
How exactly have you got it setup? I'm running into difficulties with MITM again. Have you setup ssl inspection in squid at all? Or you just set it up on E2G, if so which options did you change? Since I tried it using group settings before.
Edit: I have already generated a CA and set it in the general tab.
yes, I generated a CA and then installed it office wide.
From the pfSense, I used marcelloc install script to prepare everything installing TinyProxy along the way. Not using squid yet, but plan on once I full test the setup. I really need the caching ability of squid.Configuration is a bit messy since some SSL/MITM options are not available in the GUI. I did everything I needed from the GUI i.e. blocking some site, installing blacklists…etc then went on to edit the config files manually to enable MITM.
In e2guardian.conf, the following is checked (these should be done automatically for you when you enable/save the settings in the GUI):
cacertificatepath = '/etc/ssl/demoCA/cacert.pem'
caprivatekeypath = '/etc/ssl/demoCA/private/cakey.pem'
certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem'
generatedcertpath = '/usr/local/etc/e2guardian/ssl/generatedcerts'In e2guardianf1.conf, I made sure the following are configured:
reportinglevel = 3
ssldeniedrewrite = 'on'
htmltemplate = 'template.html'the sslsiteregexplist file did not exist so I Created an empty one... not sure if its needed or not.
sslsiteregexplist = '/usr/local/etc/e2guardian/lists/sslsiteregexplist'
sslmitm = on
Other than, all defaults really.
Previously, MITM was working nice in IE 11 but Chrome complained and refused to work without policy changes. So I compiled the E2G 3.5.1 with the certificate generation code from v4.1 and Chrome is happy now.BR
-
How exactly have you got it setup? I'm running into difficulties with MITM again. Have you setup ssl inspection in squid at all? Or you just set it up on E2G, if so which options did you change? Since I tried it using group settings before.
Edit: I have already generated a CA and set it in the general tab.
yes, I generated a CA and then installed it office wide.
From the pfSense, I used marcelloc install script to prepare everything installing TinyProxy along the way. Not using squid yet, but plan on once I full test the setup. I really need the caching ability of squid.Configuration is a bit messy since some SSL/MITM options are not available in the GUI. I did everything I needed from the GUI i.e. blocking some site, installing blacklists…etc then went on to edit the config files manually to enable MITM.
In e2guardian.conf, the following is checked (these should be done automatically for you when you enable/save the settings in the GUI):
cacertificatepath = '/etc/ssl/demoCA/cacert.pem'
caprivatekeypath = '/etc/ssl/demoCA/private/cakey.pem'
certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem'
generatedcertpath = '/usr/local/etc/e2guardian/ssl/generatedcerts'In e2guardianf1.conf, I made sure the following are configured:
reportinglevel = 3
ssldeniedrewrite = 'on'
htmltemplate = 'template.html'the sslsiteregexplist file did not exist so I Created an empty one... not sure if its needed or not.
sslsiteregexplist = '/usr/local/etc/e2guardian/lists/sslsiteregexplist'
sslmitm = on
Other than, all defaults really.
Previously, MITM was working nice in IE 11 but Chrome complained and refused to work without policy changes. So I compiled the E2G 3.5.1 with the certificate generation code from v4.1 and Chrome is happy now.BR
Thank you very much for that detailed explanation bro. Perhaps since 4.1 isn't stable enough on FreeBSD yet, maybe Marcelloc could update his package to add the Chrome SAN patch and make it possible to fully configure SSL mitm from the GUI. However I will try enabling it manually like you did. Unfortunately, what I'm most worried about at the minute is the fact that pfsense doesn't update after installing E2G. I'm stuck on 2.3.3.
-
However I will try enabling it manually like you did. Unfortunately, what I'm most worried about at the minute is the fact that pfsense doesn't update after installing E2G. I'm stuck on 2.3.3.
Just in case you have problems to update to 2.3.4-RELEASE because of bugged pkg:
https://forum.pfsense.org/index.php?topic=130071.msg716776#msg716776
-
Hello Again
I thought to post this as well.
Since a lot of people are interested in getting MITM working with Chrome 58, I copied the CertificateAuthority.cpp & CertificateAuthority.hpp from version 4.1 to e2guardian v3.5.1 and compiled again (replace the v3.5.1 files with the ones from V4.1)I'm buiding it with these changes and 4096 max clients util 4.1 is fine on FreeBSD . Thanks for the contribution.
EDIT: Done
https://github.com/marcelloc/Unofficial-pfSense-packages/commit/36678fe4cb3868065f5f84d90796c76fe515045c -
In e2guardian.conf, the following is checked (these should be done automatically for you when you enable/save the settings in the GUI):
cacertificatepath = '/etc/ssl/demoCA/cacert.pem'
caprivatekeypath = '/etc/ssl/demoCA/private/cakey.pem'
certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem'
generatedcertpath = '/usr/local/etc/e2guardian/ssl/generatedcerts'In e2guardianf1.conf, I made sure the following are configured:
reportinglevel = 3
ssldeniedrewrite = 'on'
htmltemplate = 'template.html'the sslsiteregexplist file did not exist so I Created an empty one… not sure if its needed or not.
sslsiteregexplist = '/usr/local/etc/e2guardian/lists/sslsiteregexplist'
sslmitm = on
Also included on package
https://github.com/marcelloc/Unofficial-pfSense-packages/commit/f83a44d1ef96ec2a81d785ac6695072c9aa99e8d -
However I will try enabling it manually like you did. Unfortunately, what I'm most worried about at the minute is the fact that pfsense doesn't update after installing E2G. I'm stuck on 2.3.3.
Just in case you have problems to update to 2.3.4-RELEASE because of bugged pkg:
https://forum.pfsense.org/index.php?topic=130071.msg716776#msg716776
Thank you very much that small guide on fixing the issue. It's weird though, no one else seems to have reported it. I will try this out and see if my pfsense finally updates after I get back home.
-
Have you already updated the package? Would love to get Chrome working with MITM.
yes. :)
I'll start testing on my vm soon.
-
Have you already updated the package? Would love to get Chrome working with MITM.
yes. :)
I'll start testing on my vm soon.
Awesome!
Is there a way to exclude URL's and IP's? For example in Squid we can set certain URL's/IP's to bypass the proxy altogether. This is useful in situations where apps have certificate pinning enabled and will not accept any other certification other than the one the developer has baked in. Not sure if there's a way to do this already (maybe exclusions section?), but definitely need this when I do enable HTTPS MITM, since it is a home network and a lot of mobile devices will be on it.
-
So I was looking through the source code of the smoothwall block page at my college, hoping that I could play around with it and tinker it a bit to work with E2Guardian at home just for the lulz or just see how modified it is from the Dansguardian it started from.
I ended up finding a lot of interesting stuff such as how they optimise loading using base64 stuff, RegEx like code, and some interesting javascript implementations to load up a CA cert popup. In addition to that, adding code to increase compatibility with browsers and as such.
Could you have a look through it Marcello, and see if anything useful could be extracted from this and used in E2Guardian? I've already managed to try things like base64 encoding with E2G logo, it does seem slightly quicker. For organisations where many devices and block pages are presented, this may help a tonne and speed things up while reducing load on the server.Link to source: https://ybin.me/p/f3e93b53881d53d1#wDDjXNWK8ThA//iIuYtOOJLkxDRPWN3ygvRSrVJgQbo=
-
Have you already updated the package? Would love to get Chrome working with MITM.
yes. :)
I'll start testing on my vm soon.
Awesome!
Is there a way to exclude URL's and IP's?
You mean a do way to do not connect to e2guardian based on ip or hosts? If so, as package do not has a transparent proxy configuration implemented yet, you can do it on proxy configuration tab on your browser.
If you create more then one group on e2guardian, you can do an ip based authentication, and allow some source ips to do not be filtered by your proxy rules. -
Could you have a look through it Marcello, and see if anything useful could be extracted from this and used in E2Guardian?
Sure. I'll se it as soon as possible. Thank's for the contribution. :)
-
Have you already updated the package? Would love to get Chrome working with MITM.
yes. :)
I'll start testing on my vm soon.
Awesome!
Is there a way to exclude URL's and IP's?
You mean a do way to do not connect to e2guardian based on ip or hosts? If so, as package do not has a transparent proxy configuration implemented yet, you can do it on proxy configuration tab on your browser.
If you create more then one group on e2guardian, you can do an ip based authentication, and allow some source ips to do not be filtered by your proxy rules.I meant the destination IP's. For example, dropbox has SSL pinning, therefore it needs to completely bypass E2Guardian, and it's inspection. It won't accept nor work with a mimicked certificate. There's a couple more examples of certain programs I can give that won't work with SSL decryption or any type of inspection, such as Discord, Skype etc. Therefore if you can make an option to do this, that would be very helpful so those programs can connect directly to the internet.
Hope that made sense.
Thanks a lot for the continued work! :)
EDIT: Not sure if you've had a chance to take a look. But Fred B, has replied to your issue report on GitHub.
-
I am getting an error on the logs:
Error reading file /usr/local/usr/local/etc/e2guardian/lists/sslsiteregexplist.g_Default: No such file or directory
Error opening sslsiteregexplistusr/local/etc/e2guardian/lists/sslsiteregexplist.g_Default do exist but /usr/local/usr/local does not exist.
What should I do?
-
What should I do?
It's an error on config file. I've fixed it. Thanks for the feedback
To get the fixed file, under console exec this:
fetch -o /usr/local/pkg/e2guardianfx.conf.template https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/pkg-e2guardian/files/usr/local/pkg/e2guardianfx.conf.template
-
Instead of getting the denied access page I am getting "The proxy server is refusing connections".
I loaded shallalist. Default ACL I selected all categories to be denied. I have must off the settings in defaults including to use the html template.I added Google as an exception.
I search for pfsense and loaded pfsense web page successfully. Search for "porn" and selected the first item, then get the error expressed above.
I am using squid.
-
Instead of getting the denied access page I am getting "The proxy server is refusing connections".
this is the message you see when squid is the front end that denies and ssl page without interception enabled.
-
What should I do?
It's an error on config file. I've fixed it. Thanks for the feedback
To get the fixed file, under console exec this:
fetch -o /usr/local/pkg/e2guardianfx.conf.template https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/pkg-e2guardian/files/usr/local/pkg/e2guardianfx.conf.template
I already did the fetch, but maybe I am doing something wrong because still giving me the same erroro. I restarted the service and did a click save on general tab, but still had the error.
Should I have to do the fetch in a particular folder? I am doing it in the /root folder.
-
Instead of getting the denied access page I am getting "The proxy server is refusing connections".
this is the message you see when squid is the front end that denies and ssl page without interception enabled.
Thanks. Do you know a non ssl web site that should be block by shalla list?
Edit:
I added my web site to the Banned Config and test it (my site is not ssl).It work correctly.