Squid (Forward) Proxy - Setting Outbound Interface/Gateway



  • I've installed Squid as a forward proxy and the basic functionality is working well.

    The proxy traffic is going out my WAN currently, but I want to go out of either a Gateway Group (has 2 VPN gateways in it) I have set up, or a specific OpenVPN Interface if I cannot target a Gateway Group.

    There is no option I can see where I select the outgoing interface used for proxy requests.

    I've examined the Firewall Entries to see if I can somehow target the outgoing requests based on IP or Port, but I can't. It comes from the default pfSense IP and with a random port, nothing specific to let me target proxy-only traffic via firewall rule.

    I also considered using a virtual IP for Squid (say 192.168.1.2) with the hope that proxy requests will come from 192.168.1.2 as a result, however I'm unable to get this working. I've added the Virtual IP, and it works, I can access pfSense no problem. But, when trying to use 192.168.1.2 as the Proxy IP, no requests go through. The firewall shows the incoming request for 192.168.1.2:3128 and it is accepted, however there is no matching rule from 192.168.1.2:* to DestinationIP:Port. It's not a case of firewall logging settings either, if I use 192.168.1.1 as the proxy IP I see both the inbound and outbound proxy requests. I expect the issue here is Squid binding to LAN which is 192.168.1.1, so it doesn't catch 192.168.1.2 traffic.

    It seems I can likely achieve my goal by either:
    -- Changing outbound interface for Squid to a Gateway Group or specific interface
    -- Binding Squid to 192.168.1.2
    -- Finding out how to identify Squid outbound traffic so I can target it with a firewall rule

    If anyone is able to offer a suggestion that would be amazing, thank you.



  • Small update

    I added this to the Custom Options:
    http_port 192.168.1.2:3128

    and I can now use 192.168.1.2 as the proxy IP, but it doesn't help. For example:

    My PC to Proxy:
    192.168.1.XXX:56209 192.168.1.2:3128

    pfSense to WAN:
    [My WAN IP]:59142 151.101.29.140:443

    Still no way to target the outbound request (that I can see)



  • I had the same issue. After searching I found a solution, I don't remember who posted these or I'd give them props. You'll need something like this in your Squid advanced options:

    acl vpn_clients src 192.168.1.0/24
    tcp_outgoing_address xxx.xxx.xxx.xxx vpn_clients
    

    You'll also need a way to update the outgoing address if it's not static. I have a cron job to run this:

    #!/bin/sh
    
    # Variables
    VPN_IFACE=ovpnc1
    SQUID_CONFIG_FILE=/usr/local/etc/squid/squid.conf
    
    # Get current IPv4 address of VPN interface (only the "inet" line, so an
    # "inet6" line or a MAC address can never be picked up by mistake)
    VPN_IFACE_IP=$(ifconfig "$VPN_IFACE" 2>/dev/null | awk '$1 == "inet" {print $2; exit}')
    
    # Check if VPN interface is up and exit if it isn't
    if [ -z "$VPN_IFACE_IP" ]
    then
            exit 0
    fi
    
    # Check current IP for VPN interface in squid.conf file
    VPN_CONFIG_IP=$(grep -m 1 "^tcp_outgoing_address" "$SQUID_CONFIG_FILE" | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+')
    
    # Nothing to replace if the directive is missing (an empty pattern would
    # make sed reuse its last regex or fail)
    if [ -z "$VPN_CONFIG_IP" ]
    then
            echo "no tcp_outgoing_address line in $SQUID_CONFIG_FILE" >&2
            exit 1
    fi
    
    # Check if the config file matches the current VPN interface IP, and if so exit script
    # (POSIX test uses a single "=", which is what pfSense's /bin/sh expects)
    if [ "$VPN_IFACE_IP" = "$VPN_CONFIG_IP" ]
    then
            exit 0
    fi
    
    # Replace the previous IP address on the tcp_outgoing_address line only.
    # Dots are escaped so "10.8.0.6" cannot also match "10x8y0z6"; BSD sed
    # needs an explicit empty backup suffix after -i ("-ie" would write a
    # backup named squid.confe instead of editing in place)
    OLD_IP_RE=$(printf '%s' "$VPN_CONFIG_IP" | sed 's/\./\\./g')
    sed -i '' "/^tcp_outgoing_address/s/$OLD_IP_RE/$VPN_IFACE_IP/" "$SQUID_CONFIG_FILE"
    
    # Force reload of the new squid.conf file
    /usr/local/sbin/squid -k reconfigure
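As an added example (not code from the thread or from pfSense/Squid), the same "keep tcp_outgoing_address in step with the VPN address" job written as functions that edit only that directive and can be exercised against a constructed squid.conf, so the edge cases a cron job hits (tunnel down, address unchanged, directive missing) are handled explicitly. Interface name, file paths and the 10.8.0.x addresses are hypothetical; the reload command is a variable so it can be swapped out when testing.

```shell
#!/bin/sh
# Added example, not code from the thread: keep Squid's tcp_outgoing_address
# in step with a VPN interface address, touching only that directive.
# Interface/file names and addresses below are hypothetical.

# IPv4 address of an interface, empty if it is down or absent.
# Assumes an ifconfig that prints an "inet A.B.C.D ..." line (FreeBSD/pfSense does).
vpn_iface_ip() {
    ifconfig "$1" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# Address on the first tcp_outgoing_address line of a squid.conf.
current_outgoing_ip() {
    awk '$1 == "tcp_outgoing_address" { print $2; exit }' "$1"
}

# Rewrite every tcp_outgoing_address line in $1 to use address $2, keeping
# the ACL names that follow it. Exit status: 0 changed, 1 already current,
# 2 directive missing, 3 could not write.
set_outgoing_ip() {
    conf=$1
    new_ip=$2
    old_ip=$(current_outgoing_ip "$conf")
    [ -n "$old_ip" ] || return 2
    [ "$old_ip" != "$new_ip" ] || return 1
    tmp=$(mktemp "$conf.XXXXXX") || return 3
    # Field-based edit: no regex escaping of dots, no BSD/GNU "sed -i" difference,
    # and other lines that happen to contain the old address are left alone.
    # "cat >" keeps the original file's owner and mode.
    awk -v ip="$new_ip" '$1 == "tcp_outgoing_address" { $2 = ip } { print }' "$conf" > "$tmp" \
        && cat "$tmp" > "$conf" && rm -f "$tmp" || { rm -f "$tmp"; return 3; }
}

# Cron entry point: sync the directive with the live interface address and
# tell Squid to reload only when something changed.
# SQUID_RECONFIGURE is the reload command (overridable, e.g. for testing).
sync_squid_egress() {
    iface=$1
    conf=$2
    ip=$(vpn_iface_ip "$iface")
    if [ -z "$ip" ]; then
        # Tunnel down: leave the stale address in place so Squid keeps failing
        # to bind rather than being pointed at an address that leaks via the WAN.
        echo "$iface has no IPv4 address; $conf left unchanged" >&2
        return 0
    fi
    rc=0
    set_outgoing_ip "$conf" "$ip" || rc=$?
    case $rc in
        0) ${SQUID_RECONFIGURE:-/usr/local/sbin/squid -k reconfigure} ;;
        1) ;;
        *) echo "could not update $conf (status $rc)" >&2; return $rc ;;
    esac
}

# Usage from cron, e.g. once a minute (hypothetical install path):
#   * * * * * /usr/local/bin/squid-vpn-egress.sh ovpnc1 /usr/local/etc/squid/squid.conf
if [ $# -eq 2 ]; then
    sync_squid_egress "$1" "$2"
fi
```

Two points worth keeping in mind when running something like this: Squid cannot bind to an address the host no longer owns, so when the tunnel drops, requests fail instead of quietly going out the WAN, which is the behaviour you want from a VPN-only proxy; and the source address on its own does not pick the route, so the firewall still has to send traffic sourced from the VPN address through the VPN gateway (check with a proxied request to an external "what is my IP" service after each tunnel reconnect).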