Squid Interception through VPN
-
Hi i'm new here and a PFsense new user.I been going crazy trying to do this project which ultimately led me to pfsense because debian + openvpn as + squid wasn't working out.I normally not a forum user so bare with me if my typing is not on par.
Let me first explain my setup then what i'm trying to accomplish.
At home I have a router with openwrt and I have a cloud vps on vultr with pfsense installed.At home I have 3 devices a Wii-u and 2 computers that connect to my home router with openwrt.Home router is connected to my cable modem which I use to connect online.Normally one of the computers (one i'm using now) connects directly to the modem but for setup reasons I connect to the router.I am trying to create vpn tunnel from my home router to my vps(pfsense) which I been able to do successfully through tun.Then my home computers to be able to use squid on pfsense through the tunnel which I am able to do if I set the proxy manually.On my home router I was able to set it up where devices behind my router are able to connect to other devices on the other side of the vpn tunnel so yes I can ping and access the pfsense server no issue using vpn.And If I manually set proxy settings to use squid on pfsense it works too, but the issue i am having is that the only way squid works for me, I need it to transparently intercept http and https and that is the problem I am having.I tried doing redirect from my router to pfsense and i'm having issues to a point I am pulling my hair out lol.Before using pfsense I tried setting up a debian vps with openvpn as and squid and kept getting forwarding loops with interception even tho if I set proxy manually again that works so I keep having trouble doing interception.I'm not a linux expert and I been trying to figure it out by googling and closest thing I found is this
https://forum.pfsense.org/index.php?topic=110498.0
either I am not doing it right or it not working right for me, but keeps trying force every request to web gui page and keeps spiting squid errors so not sure if it's intercepting right at all.So as I described above this is my setup
3 devices
computer a- 192.168.1.100
computer b-192.168.1.101 (one i'm using now)
wii-u-192.168.1.102Router
openwrt router-192.168.1.1 (lan),192.168.0.2(wan)(since modem is not relevant to my setup I'll leave those details out)
openwrt router is using chaos calmer (old router) using openvpn 2.3
redirect rules(port forwards)
Squid HTTP
IPv4-tcp
From any host in lan
Via any router IP at port 80
IP 10.0.0.1, port 80 in vpnSquid HTTPS
IPv4-tcp
From any host in lan
Via any router IP at port 443
IP 10.0.0.1, port 443 in vpn(even tried redirecting to 10.0.0.1:3129, 10.0.0.1:3130 respectivly and didn't work)
Openvpn tunnel
openwrt router-10.0.0.2 –-----> pfsense-10.0.0.1pfsense setup
using 2.4.2-RELEASE-p1 (amd64)
3 interfaces-wan-x.x.x.x,lan-192.168.0.1(not being used actively),opt1-10.0.0.1(openvpn)
ipv4 only,ipv6 disabled
webgui using https on 443 (tried changing this to 8080 and still didn't work)firewall rules
wan- allow 80tcp,443tcp,1194udp (web gui access on wan allow for now),deny everything else
lan-allow all
opt1-allow all
openvpn-allow allnat is empty, tried using what was said as a solution in https://forum.pfsense.org/index.php?topic=110498.0 but removed it as it didn't work
as I mentioned I was able to get vpn tunnel working the way I want but here is my settings anyway
openvpn settings
mode: remote access (ssl/tls)
protocol: ipv4-udp
device mode: tun
interface: wan
port: 1194
ipv4 tunnel network: 10.0.0.0/24
IPv4 Local network(s): 192.168.0.0/24
Inter-client communication: checkedsquid settings
interfaces: LAN,OPT1,loopback
port: 3129
Allow Users on Interface: checked
Transparent HTTP Proxy: checked
Transparent Proxy Interface(s): LAN,OPT1
HTTPS/SSL Interception: checked
SSL Intercept Interface(s): LAN,OPT1
SSL Proxy Port: 3130
Custom Options (Before Auth): http_port 3128So what am I doing wrong? what do I need to do?
-
seems this topic is not interesting, very well then.
There seems to be a bug anyway in how web config writes the squid config.If you enable interception on a particular interface in my cast opt1 it write the config for loopback.I had to afterwards go edit the conf file and change 127.0.0.1 with 10.0.0.1 then I had to short non ssl port to just https_port 10.0.0.1:3129 intercept as it didn't need ssl bump stuff for it only https_port needs that.I adjusted the port forwards on my router to point at 10.0.0.1:3129 and 10.0.0.1:3130 respectivly.
I restarted the squid service and now interception works but only problem is I keep getting squid access denied error page even tho 10.0.0.0/24 is in allowed as acl and subnet.Some pages just come up as ssl error even tho the ca cert is installed as a trusted root.Seems like I'm almost there but not quite.. more hair pulling to do.zzz -
crickets
nothing? no help? I pinpointed my issue more towards router iptables anyway.
I was told the brightest people on this subject would know how to get this going I guess they were wrong, either that or people too lazy to read a long thorough post instead of guessing the setup and giving wrong replies.