Squid cache VPN



  • Hello,

    I've successfully set up Squid Proxy with caching on my pfSense. I determined that caching works very well on DHCP clients which are directly connected to the router, but doesn't work at all for clients connected to the router but running VPN (OpenVPN). Could I change something in order to cache what clients using VPN are browsing?

    Thanks



  • I think squid has an Allowed subnets field or something like that. You might have to add your OpenVPN network there.



    I'll take a look, but there's another problem in that case. I have over 150 clients running on pfSense, almost every 10 of them use a different VPN provider, some are using OpenVPN, some IKEv2, and every client has a different IP. The OpenVPN network isn't mine, I'm just using a lot of VPN networks as a client.



  • OK, I thought you meant remote clients connecting to you. I don't know if squid works in that configuration. I seem to remember reading other posts about squid and multi-WAN.



  • It doesn't seem to work. I just tried adding subnets... Nothing behind VPN gets cached, probably because of the encryption.



  • Squid also has a proxy interface selector IIRC. Have you added the OpenVPN interface along with WAN?



  • LAN and loopback are selected Interfaces. Even SSL Man in the middle filtering is enabled, but still no luck.



  • So then add the OpenVPN interface and see if squid listens on it.



    There's nothing else to add. All machines are connected to the same LAN through the same interface, on the same subnet. That's why I added LAN as an interface. I can cache all the traffic going through each of those machines, even https traffic, but as soon as the machine connects to an OpenVPN provider (Private Internet Access for example), caching stops. If you're referring to dialing OpenVPN directly on pfSense and passing it to squid, that doesn't work for me, cause it's essential for each machine to have a unique IP.



    You don't have an OpenVPN entry in squid's list of interfaces to listen on? You said you only had LAN and localhost. You might have to add the OpenVPN interface so that squid knows to listen on that, and it should be in the list if you have a client connection configured.



    I don't have it. Only WAN is offered alongside LAN and loopback. But as I said, I don't have pfSense configured as an OpenVPN client. Each linux machine is connecting to a VPN provider on its own, cause I need unique IPs. I did not see any option for adding more Interfaces in the GUI.



  • OK now I understand. No, there is no way to get squid into the flow because they're creating secure tunnels and routing everything through that.



    @KOM Thank you for the effort. At least I know it can't be done.
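
A quick way to confirm the conclusion above on any pfSense/Squid box, as an added example (not code from this thread, pfSense or Squid): parse Squid's default native-format access.log and report, per LAN client, whether the proxy saw its requests at all. The log lines and client addresses below are constructed; a host whose own OpenVPN or IKEv2 tunnel is up never appears in the log, because the gateway only sees its encrypted tunnel packets, which is exactly the symptom the poster describes.

```python
import re

# Squid's default "native" access.log format, one request per line:
# <unix time> <elapsed ms> <client ip> <result>/<status> <bytes> <method> <url> <ident> <hierarchy>/<peer> <content type>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)(?:\s+(?P<ctype>\S+))?$"
)

# Constructed sample: 192.168.1.10 and .20 go through the transparent proxy;
# 192.168.1.30 has its own VPN tunnel up, so Squid never logs a request from it.
SAMPLE_LOG = """\
1700000001.101    120 192.168.1.10 TCP_MISS/200 5321 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1700000002.202      3 192.168.1.10 TCP_HIT/200 5321 GET http://example.org/index.html - HIER_NONE/- text/html
1700000003.303    410 192.168.1.20 TCP_TUNNEL/200 88213 CONNECT example.org:443 - HIER_DIRECT/93.184.216.34 -
1700000004.404      2 192.168.1.20 TCP_MEM_HIT/200 2048 GET http://example.org/logo.png - HIER_NONE/- image/png
1700000005.505     95 192.168.1.10 TCP_MISS/304 227 GET http://example.org/style.css - HIER_DIRECT/93.184.216.34 text/css
"""

LAN_CLIENTS = ["192.168.1.10", "192.168.1.20", "192.168.1.30"]  # constructed

def parse_access_log(text):
    """Yield one dict per well-formed native-format line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def proxy_visibility(log_text, clients):
    """Per LAN client: requests Squid saw, cache hits among them, and bytes.
    Zero requests means the client's traffic is not traversing the proxy."""
    stats = {c: {"requests": 0, "hits": 0, "bytes": 0} for c in clients}
    for rec in parse_access_log(log_text):
        s = stats.get(rec["client"])
        if s is None:          # not a client we are auditing
            continue
        s["requests"] += 1
        s["bytes"] += int(rec["bytes"])
        if "HIT" in rec["result"]:   # TCP_HIT, TCP_MEM_HIT, ...
            s["hits"] += 1
    report = {}
    for c, s in stats.items():
        if s["requests"] == 0:
            report[c] = "not seen by squid (tunneled or bypassing the proxy)"
        else:
            report[c] = f"{s['hits']}/{s['requests']} cache hits, {s['bytes']} bytes"
    return stats, report

if __name__ == "__main__":
    for client, summary in proxy_visibility(SAMPLE_LOG, LAN_CLIENTS)[1].items():
        print(client, "->", summary)
```

On a live box, feed it the contents of /var/squid/logs/access.log and the DHCP lease list instead of the constructed values; clients that only show up in pf state tables on UDP 1194 or UDP 500/4500 and never in this report are the ones tunneling around the cache.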

