Apparent package conflicts: Squid/SquidGuard vs. OpenVPN



  • Problem:  Configuring OpenVPN causes issues with Squid/SquidGuard.

    Hardware:  Netgate Hamakua (with hard drive, not CF card)
    Version: pfSense 1.2.3 RELEASE, embedded kernel
    Installed packages:
      Cron 0.2
      OpenVPN-Enhancements 1.2
      Patch rc to leave filter-dirty 0.1
      Squid 2.7.9-3
      SquidGuard 1.3-2

    As background, I have had occasional problems updating the blacklist (from shalla.de) and subsequently reconfiguring SquidGuard in which the filters were not working.  Reboot usually fixed.  Over the last couple of months I have reinstalled the Squid and SquidGuard packages and in the process may have changed to the current version…I check occasionally and if an installed package has a newer version, I get the latest.  Long way of saying I'm not sure how long the issues have been present or what change may have precipitated them.

    A few days ago, for unrelated reasons, I did a clean install (including disk format) from the ISO for 1.2.3 release.  I used a recent backup to configure and installed the packages listed above, and downloaded and configured the current shalla.de blacklist.  I was experiencing a number of issues:  Filter not working, passing any web sites; Filter blocking ALL web sites; (in both cases, GUI settings appeared correct); pfSense entering the reinstall all packages script when going to home page (Status---->System); pfSense logon window instead of any and all web sites; inconsistent results (mix of these symptoms) upon reboot.

    I believe I have isolated much if not all of the problem to an apparent conflict with OpenVPN by doing the following, and can reproduce the symptoms:

    • backup w/o packages and restore from that backup
    • install cron, Squid, SquidGuard, patch rc to leave filter-dirty, OpenVPN enhancements
    • configure squid as transparent proxy
    • install shalla blacklist and configure SquidGuard
    • start SquidGuard

    At this point, web surfing works as desired; BL'd sites are blocked and others are visible.

    Reboot.  Still normal.

    • Configure OpenVPN using PKI and TLS/Auth.

    At this point, ALL web sites are blocked by the proxy.  Reboot has no effect.

    • Stop SquidGuard (shows stopped in config page and service status page).

    All web sites still blocked.

    • Uncheck transparent proxy and save.

    Normal surfing possible, but (obviously) no filtering.

    Searched the forum and found several similar issues (that's why the "Patch rc to leave filter-dirty" pkg is there) but none mentioning OpenVPN as a possible conflict.  Some of the startup timing issues seem to be present; here's a log extract in the conflicted state (proxy and filter on, all sites blocked):

    Oct  3 14:47:23 pfsense-fw kernel: em2: link state changed to UP
    Oct  3 14:47:31 pfsense-fw php: : SQUID is installed but not started.  Not installing "nat" rules.
    Oct  3 14:47:31 pfsense-fw php: : SQUID is installed but not started.  Not installing "filter" rules.
    .
    .
    .
    Oct  3 14:47:34 pfsense-fw dnsmasq[810]: read /etc/hosts - 17 addresses
    Oct  3 14:47:38 pfsense-fw php: : SQUID is installed but not started.  Not installing "nat" rules.
    Oct  3 14:47:38 pfsense-fw php: : SQUID is installed but not started.  Not installing "filter" rules.
    Oct  3 14:47:39 pfsense-fw php: : Creating rrd update script
    Oct  3 14:47:39 pfsense-fw dhcpd: Internet Systems Consortium DHCP Server V3.0.7
    Oct  3 14:47:39 pfsense-fw dhcpd: Copyright 2004-2008 Internet Systems Consortium.
    Oct  3 14:47:39 pfsense-fw dhcpd: All rights reserved.
    Oct  3 14:47:39 pfsense-fw dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
    Oct  3 14:47:41 pfsense-fw php: : Resyncing configuration for all packages.
    Oct  3 14:47:50 pfsense-fw php: : Starting Squid
    Oct  3 14:47:50 pfsense-fw squid[1400]: Squid Parent: child process 1403 started
    Oct  3 14:47:55 pfsense-fw dnsmasq[810]: reading /var/dhcpd/var/db/dhcpd.leases
    Oct  3 14:47:57 pfsense-fw php: : Reloading Squid for configuration sync
    Oct  3 14:48:27 pfsense-fw last message repeated 5 times
    Oct  3 14:48:28 pfsense-fw kernel: pid 1403 (squid), uid 62: exited on signal 6
    Oct  3 14:48:28 pfsense-fw squid[1403]: The url_rewriter helpers are crashing too rapidly, need help!
    Oct  3 14:48:28 pfsense-fw squid[1400]: Squid Parent: child process 1403 exited due to signal 6
    Oct  3 14:48:31 pfsense-fw squid[1400]: Squid Parent: child process 1924 started
    Oct  3 14:48:33 pfsense-fw php: /sajax/index.sajax.php: [DEBUG] Lock recursion detected.
    Oct  3 14:48:46 pfsense-fw php: : Reloading Squid for configuration sync
    Oct  3 14:48:47 pfsense-fw php: : The OpenVPN-Enhancements package is missing required dependencies and must be reinstalled.
    Oct  3 14:48:47 pfsense-fw last message repeated 4 times
    Oct  3 14:48:47 pfsense-fw php: : Could not locate /usr/local/pkg/ovpnenhance.inc.
    Oct  3 14:48:47 pfsense-fw php: : Beginning package installation for OpenVPN-Enhancements.
    Oct  3 14:48:51 pfsense-fw check_reload_status: check_reload_status is starting
    Oct  3 14:48:51 pfsense-fw check_reload_status: rc.newwanip starting
    Oct  3 14:48:52 pfsense-fw php: : Informational: rc.newwanip is starting fxp0.
    Oct  3 14:48:52 pfsense-fw php: : rc.newwanip working with (IP address: 192.168.1.2) (interface: wan) (interface real: fxp0).
    Oct  3 14:48:52 pfsense-fw check_reload_status: reloading filter
    

    Next, I restored from a backup made before configuring OpenVPN.  Web surfing, with filtering, as expected.
    System log:

    Oct  3 15:33:53 pfsense-fw php: : SQUID is installed but not started.  Not installing "nat" rules.
    Oct  3 15:33:53 pfsense-fw php: : SQUID is installed but not started.  Not installing "filter" rules.
    .
    .
    .
    Oct  3 15:33:56 pfsense-fw dnsmasq[772]: read /etc/hosts - 17 addresses
    Oct  3 15:34:00 pfsense-fw php: : SQUID is installed but not started.  Not installing "nat" rules.
    Oct  3 15:34:00 pfsense-fw php: : SQUID is installed but not started.  Not installing "filter" rules.
    Oct  3 15:34:01 pfsense-fw php: : Creating rrd update script
    Oct  3 15:34:01 pfsense-fw dhcpd: Internet Systems Consortium DHCP Server V3.0.7
    Oct  3 15:34:01 pfsense-fw dhcpd: Copyright 2004-2008 Internet Systems Consortium.
    Oct  3 15:34:01 pfsense-fw dhcpd: All rights reserved.
    Oct  3 15:34:01 pfsense-fw dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
    Oct  3 15:34:02 pfsense-fw php: : Resyncing configuration for all packages.
    Oct  3 15:34:02 pfsense-fw php: : The Cron package is missing required dependencies and must be reinstalled.
    Oct  3 15:34:02 pfsense-fw php: : The Cron package is missing required dependencies and must be reinstalled.
    Oct  3 15:34:10 pfsense-fw php: : Starting Squid
    Oct  3 15:34:10 pfsense-fw squid[1320]: Squid Parent: child process 1323 started
    Oct  3 15:34:11 pfsense-fw squid[1323]: The url_rewriter helpers are crashing too rapidly, need help!
    Oct  3 15:34:11 pfsense-fw kernel: pid 1323 (squid), uid 62: exited on signal 6
    Oct  3 15:34:11 pfsense-fw squid[1320]: Squid Parent: child process 1323 exited due to signal 6
    Oct  3 15:34:13 pfsense-fw dnsmasq[772]: reading /var/dhcpd/var/db/dhcpd.leases
    Oct  3 15:34:14 pfsense-fw squid[1320]: Squid Parent: child process 1396 started
    Oct  3 15:34:28 pfsense-fw php: : Reloading Squid for configuration sync
    Oct  3 15:34:29 pfsense-fw check_reload_status: check_reload_status is starting
    Oct  3 15:34:29 pfsense-fw check_reload_status: rc.newwanip starting
    Oct  3 15:34:30 pfsense-fw php: : Informational: rc.newwanip is starting fxp0.
    Oct  3 15:34:30 pfsense-fw php: : rc.newwanip working with (IP address: 192.168.1.2) (interface: wan) (interface real: fxp0).
    Oct  3 15:34:30 pfsense-fw check_reload_status: reloading filter
    

    Only difference I picked out is that with OpenVPN configured, it indicates that OpenVPN-Enhancements is missing dependencies; when OpenVPN is not configured, same error with respect to cron.

    Finally, in both cases there are 3 instances of SquidGuard running; I don't know if this is normal, related, or unrelated:

    # ps -auxww | grep squid
    root    1400  0.0  0.2  5436  2152  ??  Is    2:47PM   0:00.00 /usr/local/sbin/squid -D
    proxy   1924  0.0  0.7 13628  6696  ??  I     2:48PM   0:00.16 (squid) -D (squid)
    proxy   2078  0.0  0.5 52072  5332  ??  I     2:48PM   0:00.13 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.conf (squidGuard)
    proxy   2079  0.0  0.5 52072  5332  ??  I     2:48PM   0:00.13 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.conf (squidGuard)
    proxy   2080  0.0  0.5 52072  5332  ??  I     2:48PM   0:00.13 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.conf (squidGuard)
    # 
    

    Regret the long post but wanted to be complete.  If this post should be in the OpenVPN forum, please move it.  Grateful for any help.



  • PS to the above:  After restoring the backup w/o OpenVPN, and doing some surfing, clicking on Status–->System ran the PHP reinstall all packages script.  ???
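
The by-eye comparison of the two system logs in the post can be done mechanically. This is an added example, not part of the original post: it strips timestamps and PIDs from syslog lines and reports which messages are unique to each boot and which are common. The sample lines are a subset copied from the two extracts above; the function names `normalize` and `compare` are hypothetical.

```python
import re

# Sample input: a subset of lines copied from the two extracts in the post.
WITH_OPENVPN = """\
Oct  3 14:47:50 pfsense-fw php: : Starting Squid
Oct  3 14:47:50 pfsense-fw squid[1400]: Squid Parent: child process 1403 started
Oct  3 14:48:28 pfsense-fw squid[1403]: The url_rewriter helpers are crashing too rapidly, need help!
Oct  3 14:48:28 pfsense-fw squid[1400]: Squid Parent: child process 1403 exited due to signal 6
Oct  3 14:48:47 pfsense-fw php: : The OpenVPN-Enhancements package is missing required dependencies and must be reinstalled.
Oct  3 14:48:47 pfsense-fw php: : Could not locate /usr/local/pkg/ovpnenhance.inc.
"""
WITHOUT_OPENVPN = """\
Oct  3 15:34:02 pfsense-fw php: : The Cron package is missing required dependencies and must be reinstalled.
Oct  3 15:34:10 pfsense-fw php: : Starting Squid
Oct  3 15:34:10 pfsense-fw squid[1320]: Squid Parent: child process 1323 started
Oct  3 15:34:11 pfsense-fw squid[1323]: The url_rewriter helpers are crashing too rapidly, need help!
Oct  3 15:34:11 pfsense-fw squid[1320]: Squid Parent: child process 1323 exited due to signal 6
"""

# syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ ([^:\[]+)(?:\[\d+\])?: (.*)$")
PID = re.compile(r"\b\d{3,}\b")  # mask PIDs (3+ digits), keep signal numbers

def normalize(text):
    """Return the set of (program, message) pairs, timestamps and PIDs removed."""
    seen = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # "." elision markers, blanks, "last message repeated"
        prog, msg = m.groups()
        seen.add((prog, PID.sub("N", msg).lstrip(": ")))
    return seen

def compare(a, b):
    """Return (only in a, only in b, in both), each as a sorted list."""
    na, nb = normalize(a), normalize(b)
    return sorted(na - nb), sorted(nb - na), sorted(na & nb)

if __name__ == "__main__":
    only_vpn, only_plain, both = compare(WITH_OPENVPN, WITHOUT_OPENVPN)
    for title, rows in (("only with OpenVPN", only_vpn),
                        ("only without OpenVPN", only_plain),
                        ("in both", both)):
        print(f"== {title}")
        for prog, msg in rows:
            print(f"   {prog}: {msg}")
```

On these lines the url_rewriter crash and the signal 6 exit land in the common set; only the "missing required dependencies" and "Could not locate" messages differ between the two boots.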

