Squid non-transparent blocks VPN address



  • Hi guys,

    As the title says:

    I have a squid non-transparent proxy working in my local net (192.168.11.0/24), working well. I also have a VPN IPsec tunnel to another location (172.16.0.0/16). If the users from 192.168.11.0/24 try to reach any address at the remote location (172.16.0.0/16), squid shows the remote host down.

    Any idea?

    Some time ago, I used to bypass the network 172.16.0.0/16 when I was using a transparent proxy, but after we moved to non-transparent the bypass option is not working.



  • By default, squid uses the default gateway so it won't be able to access anything via the VPN. How are your clients accessing the proxy? Are you using WPAD autoconfigure or pushing a group policy to them or just manually setting them? You can usually specify per client what is considered local traffic and therefore direct as opposed to proxied.



  • @KOM said in Squid non-transparent blocks VPN address:

    WPAD autoconfigure

    Hi, I'm using WPAD autoconfigure.



  • And what does it have in it? Are you conditionally directing traffic based on network? For example, below is my wpad.dat:

    function FindProxyForURL(url, host)
    {
        // If the requested website is hosted within the internal network, send direct.
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.local") ||
            isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
            isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
            isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
            isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
            return "DIRECT";
        // Else use the proxy
        return "PROXY 10.10.4.1:3128";
    }

    Traffic will only go to the proxy if the destination is not a local domain or RFC 1918 IP space.



  • Hi KOM,

    I've checked and the file was showing:

    function FindProxyForURL(url, host)
    {
        return "PROXY ip_firewall:3128";
    }

    So, maybe that's the problem. I will do the necessary and let you know if it worked.

    Thanks for your support.



  • Another question: is there a way to validate if the WPAD setup is working properly?



  • Yes. Open your browser and go to wpad.yourdomain.whatever/wpad.dat. Your browser should prompt you to open or download the wpad.dat file.
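Besides fetching wpad.dat in the browser, you can check the routing decisions of a conditional PAC file offline before pushing it out. The script below is an added example, not from the thread: it supplies small stand-ins for the PAC helper functions the browser normally provides (isPlainHostName, shExpMatch, isInNet, dnsResolve), uses a constructed DNS table instead of real resolution, and then runs KOM's FindProxyForURL logic from above against hosts on the LAN, behind the IPsec tunnel (172.16.0.0/16) and on the internet. The hostnames and addresses in the table are made up for the test.

```javascript
// Constructed DNS records standing in for the resolver a real PAC engine calls.
const FAKE_DNS = {
  "intranet.example.local": "192.168.11.20",   // local LAN host
  "fileserver.remote.example": "172.16.5.10",  // host on the far side of the IPsec tunnel
  "www.example.com": "93.184.216.34",          // ordinary internet host
};

// Dotted-quad IPv4 string -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// Minimal stand-ins for the helper functions browsers expose to PAC scripts.
function isPlainHostName(host) { return !host.includes("."); }
function dnsResolve(host) { return FAKE_DNS[host] || null; }   // null = NXDOMAIN
function shExpMatch(str, pattern) {
  // Translate a shell glob (* and ?) into an anchored regular expression.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                         .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}
function isInNet(ip, net, mask) {
  if (!ip) return false;   // unresolvable host never matches a network
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// The conditional PAC logic from KOM's wpad.dat, unchanged.
function FindProxyForURL(url, host) {
  // If the requested website is hosted within the internal network, send direct.
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
      isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
      isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
      isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
    return "DIRECT";
  // Else use the proxy
  return "PROXY 10.10.4.1:3128";
}

// Routing table for a list of hosts, so the decision can be eyeballed or asserted on.
function routeAll(hosts) {
  return Object.fromEntries(hosts.map((h) => [h, FindProxyForURL("http://" + h + "/", h)]));
}

console.log(routeAll(["intranet", "printer.local", "fileserver.remote.example",
                      "www.example.com", "nosuchhost.example.org"]));
```

The VPN host resolves into 172.16.0.0/12 and is returned as DIRECT, which is what the original one-line wpad.dat never did; an unresolvable name falls through to the proxy because isInNet is given null.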



  • So, I did the changes and it worked.

    Thanks a lot man!

