Squid Proxy through VPN Client

  • Hi Y'all

    Is there any possible way to route specific IPs address go out through a vpn gateway on a vlan that's using squid proxy server??


  • Netgate Administrator

    You mean because clients in that VLAN are being redirected to Squid you cannot use policy routing? Or rather if you do they by-pass Squid?

    Not easily. Traffic from Squid itself will always use the default system route. You would have to change the default route to be over the VPN and then policy route everything else over the WAN.

    That may not be practical if you have other clients using the Proxy or VPN.


  • Well I want those VLAN clients to keep within the proxy, but I would rather like the proxy traffic go out using a VPN client.

    Thanks for your reply…

  • Netgate Administrator

    Well like I say the only way to do that with Squid on the firewall is to change the default system route since it will always use that.

    The alternative is to run Squid off the firewall, maybe in a separate pfSense instance. Then you can policy route the traffic from Squid as it enters the firewall.


  • Hi Steve, pfSense has been constantly crashing after I've completed some pending system updates. I've the error log files where am I supposed to send them?

  • Netgate Administrator

    This seems unrelated. Please open a new thread in Installation and Upgrades and give us as much detail as you can about what happened.


  • @stephenw10 I tried this myself and rebooted pfsense. Result is now down with the default gateway as my openvpn connection. Seems like a loop to me since the openvpn client on pfsense needs to see the WAN in order for it to establish a tunnel, but now since the default is VPNWAN, is it looking to itself? Is it getting confused?

    I wonder if the 2nd pfsense instance is the better way to go. How may I get it to see the firewall? (The first pfsense instance).


  • Netgate Administrator

    Remote VPN connections are added as static routes to the system routing via whatever interface you have chosen. So they will not try to establish the VPN over the default route if that is the VPN.

    One additional thing you can actually do here is to set which interface Squid uses for outgoing queries and specify the OpenVPN address there. In the 'Custom Options (Before Auth)' field:

    Of course you need to know what the OpenVPN interface address will be for that which might be in issue.

    Using Squid running externally allows a lot more options. Whatever it's running on should have the main firewall set as it's default gateway. It will route outgoing requests to it automatically.


Log in to reply