Squid Interception through VPN



  • Hi, I'm new here and a pfSense new user. I've been going crazy trying to do this project, which ultimately led me to pfSense because Debian + OpenVPN AS + Squid wasn't working out. I'm normally not a forum user, so bear with me if my typing is not on par.

    Let me first explain my setup, then what I'm trying to accomplish.

    At home I have a router with OpenWrt, and I have a cloud VPS on Vultr with pfSense installed. At home I have 3 devices, a Wii U and 2 computers, that connect to my home router with OpenWrt. The home router is connected to my cable modem, which I use to connect online. Normally one of the computers (the one I'm using now) connects directly to the modem, but for setup reasons I connect to the router.

    I am trying to create a VPN tunnel from my home router to my VPS (pfSense), which I have been able to do successfully through tun. Then I want my home computers to be able to use Squid on pfSense through the tunnel, which I am able to do if I set the proxy manually. On my home router I was able to set it up so that devices behind my router are able to connect to other devices on the other side of the VPN tunnel, so yes, I can ping and access the pfSense server with no issue using the VPN. And if I manually set proxy settings to use Squid on pfSense, it works too, but the issue I am having is that that is the only way Squid works for me; I need it to transparently intercept HTTP and HTTPS, and that is the problem I am having. I tried doing a redirect from my router to pfSense and I'm having issues to the point I am pulling my hair out lol. Before using pfSense I tried setting up a Debian VPS with OpenVPN AS and Squid and kept getting forwarding loops with interception, even though if I set the proxy manually that again works, so I keep having trouble doing interception. I'm not a Linux expert and I've been trying to figure it out by googling, and the closest thing I found is this
    https://forum.pfsense.org/index.php?topic=110498.0
    Either I am not doing it right or it's not working right for me, but it keeps trying to force every request to the web GUI page and keeps spitting out Squid errors, so I'm not sure if it's intercepting right at all.

    So, as I described above, this is my setup:
    3 devices
    computer a - 192.168.1.100
    computer b - 192.168.1.101 (the one I'm using now)
    Wii U - 192.168.1.102

    Router
    OpenWrt router - 192.168.1.1 (LAN), 192.168.0.2 (WAN)

    (since the modem is not relevant to my setup I'll leave those details out)

    The OpenWrt router is running Chaos Calmer (old router) with OpenVPN 2.3

    Redirect rules (port forwards)
    Squid HTTP
    IPv4-tcp
    From any host in lan
    Via any router IP at port 80
    IP 10.0.0.1, port 80 in vpn

    Squid HTTPS
    IPv4-tcp
    From any host in lan
    Via any router IP at port 443
    IP 10.0.0.1, port 443 in vpn

    (I even tried redirecting to 10.0.0.1:3129 and 10.0.0.1:3130 respectively and it didn't work)

    OpenVPN tunnel
    OpenWrt router - 10.0.0.2 -----> pfSense - 10.0.0.1

    pfSense setup
    using 2.4.2-RELEASE-p1 (amd64)
    3 interfaces - WAN - x.x.x.x, LAN - 192.168.0.1 (not being used actively), OPT1 - 10.0.0.1 (OpenVPN)
    IPv4 only, IPv6 disabled
    web GUI using HTTPS on 443 (tried changing this to 8080 and it still didn't work)

    Firewall rules
    WAN - allow 80/tcp, 443/tcp, 1194/udp (web GUI access on WAN allowed for now), deny everything else
    LAN - allow all
    OPT1 - allow all
    OpenVPN - allow all

    NAT is empty; I tried using what was given as a solution in https://forum.pfsense.org/index.php?topic=110498.0 but removed it as it didn't work.

    As I mentioned, I was able to get the VPN tunnel working the way I want, but here are my settings anyway.
    OpenVPN settings
    mode: remote access (SSL/TLS)
    protocol: ipv4-udp
    device mode: tun
    interface: wan
    port: 1194
    ipv4 tunnel network: 10.0.0.0/24
    IPv4 Local network(s): 192.168.0.0/24
    Inter-client communication: checked

    Squid settings
    interfaces: LAN,OPT1,loopback
    port: 3129
    Allow Users on Interface: checked
    Transparent HTTP Proxy: checked
    Transparent Proxy Interface(s): LAN,OPT1
    HTTPS/SSL Interception: checked
    SSL Intercept Interface(s): LAN,OPT1
    SSL Proxy Port: 3130
    Custom Options (Before Auth): http_port 3128

    So what am I doing wrong? What do I need to do?



  • Seems this topic is not interesting. Very well then.
    There seems to be a bug anyway in how the web config writes the Squid config. If you enable interception on a particular interface, in my case OPT1, it writes the config for loopback. I had to go edit the conf file afterwards and change 127.0.0.1 to 10.0.0.1, then I had to shorten the non-SSL port line to just https_port 10.0.0.1:3129 intercept, as it didn't need the ssl-bump stuff; only https_port needs that. I adjusted the port forwards on my router to point at 10.0.0.1:3129 and 10.0.0.1:3130 respectively.
    I restarted the Squid service and now interception works, but the only problem is I keep getting the Squid access denied error page even though 10.0.0.0/24 is allowed as an ACL and subnet. Some pages just come up as an SSL error even though the CA cert is installed as a trusted root. Seems like I'm almost there but not quite... more hair pulling to do. zzz
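The two posts above describe a Squid config that was written for loopback instead of the tunnel address, followed by an "Access Denied" page even though 10.0.0.0/24 is allowed. The script below is an added example, not code from the thread or from pfSense; it lints a squid.conf for exactly those points: intercept ports bound to 127.0.0.1 (unreachable from the tunnel), an https_port intercept line without ssl-bump, and whether a given client source address actually passes the src-based http_access rules. The sample configs are constructed to mirror the thread's setup, the cert path is a placeholder, and the client address 192.168.1.100 is used on the assumption that the OpenWrt router forwards home-LAN traffic into the tunnel without masquerading it, so Squid sees the 192.168.1.x source rather than a 10.0.0.x one. The access evaluation only considers http_access lines whose ACLs are all `src` ACLs (plus Squid's predefined `all`); lines that reference port or method ACLs are skipped, which is a simplification of Squid's first-match logic.

```python
"""Lint a squid.conf used as a transparent (intercept) proxy reached over a VPN tunnel.

Added example for illustration, not part of the thread or the pfSense Squid package.
"""
import ipaddress
import re

PORT_RE = re.compile(r"^(https?_port)\s+(\S+)(.*)$")


def _lines(conf):
    """Yield whitespace-split tokens of each non-comment line."""
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts


def parse_ports(conf):
    """Return http_port/https_port directives as dicts (host may be None)."""
    ports = []
    for line in conf.splitlines():
        m = PORT_RE.match(line.split("#", 1)[0].strip())
        if not m:
            continue
        directive, spec, opts = m.groups()
        host, port = spec.rsplit(":", 1) if ":" in spec else (None, spec)
        ports.append({"directive": directive, "host": host,
                      "port": int(port), "options": opts.split()})
    return ports


def parse_acls(conf):
    """Map `acl NAME src ...` names to their networks; `all` is predefined in Squid."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]}
    for parts in _lines(conf):
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(
                ipaddress.ip_network(p, strict=False) for p in parts[3:])
    return acls


def client_allowed(conf, client_ip):
    """First-match evaluation of http_access lines that reference only src ACLs."""
    ip = ipaddress.ip_address(client_ip)
    acls = parse_acls(conf)
    last_verdict = None
    for parts in _lines(conf):
        if len(parts) < 3 or parts[0] != "http_access":
            continue
        verdict, refs = parts[1], parts[2:]
        last_verdict = verdict
        if not all(r.lstrip("!") in acls for r in refs):
            continue  # references a non-src ACL (port, method, ...): out of scope here
        # every ACL on the line must match (a leading "!" negates that ACL)
        matched = all(
            any(ip in net for net in acls[r.lstrip("!")]) != r.startswith("!")
            for r in refs)
        if matched:
            return verdict == "allow"
    # Squid's documented default when nothing matches: the opposite of the last line
    return last_verdict == "deny"


def lint(conf, client_ip):
    """Return a list of human-readable findings; empty means the checks passed."""
    findings = []
    for p in parse_ports(conf):
        intercept = "intercept" in p["options"]
        if intercept and p["host"] in ("127.0.0.1", "localhost", "::1"):
            findings.append(f"{p['directive']} {p['port']}: intercept port bound to "
                            "loopback, unreachable from the tunnel")
        if p["directive"] == "https_port" and intercept and "ssl-bump" not in p["options"]:
            findings.append(f"https_port {p['port']}: intercept without ssl-bump; "
                            "plain HTTP interception belongs on http_port")
    if not client_allowed(conf, client_ip):
        findings.append(f"client {client_ip} is denied by the src-based http_access rules")
    return findings


# Constructed sample: what the thread says the GUI wrote (loopback binding, VPN-only ACL).
BROKEN_CONF = """\
http_port 127.0.0.1:3129 intercept
https_port 127.0.0.1:3130 intercept ssl-bump generate-host-certificates=on cert=/path/to/squid-ca.pem
acl vpnnet src 10.0.0.0/24
http_access allow vpnnet
http_access deny all
"""

# Constructed sample: bound to the tunnel address, home LAN added to the allow rules.
FIXED_CONF = """\
http_port 10.0.0.1:3129 intercept
https_port 10.0.0.1:3130 intercept ssl-bump generate-host-certificates=on cert=/path/to/squid-ca.pem
acl vpnnet src 10.0.0.0/24
acl homelan src 192.168.1.0/24
http_access allow vpnnet
http_access allow homelan
http_access deny all
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint(conf, "192.168.1.100") or ["ok"])
```

One caveat the linter cannot see: Squid's intercept mode recovers the original destination from the NAT table of the host it runs on (pf on pfSense), so a redirect performed only on the remote OpenWrt router leaves Squid with no original destination to look up, which is how forwarding loops and requests landing on the web GUI come about; a redirect rule on the pfSense side for traffic arriving on OPT1 is what intercept mode expects.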



  • Crickets.
    Nothing? No help? I pinpointed my issue more towards the router iptables anyway.
    I was told the brightest people on this subject would know how to get this going; I guess they were wrong, either that or people are too lazy to read a long, thorough post instead of guessing the setup and giving wrong replies.
