3. Apparent package conflicts: Squid/SquidGuard vs. OpenVPN

Apparent package conflicts: Squid/SquidGuard vs. OpenVPN

  • X

    Problem:  Configuring OpenVPN causes issues with Squid/SquidGuard.

    Hardware:  Netgate Hamakua (with hard drive, not CF card)
    Version: pfSense 1.2.3 RELEASE, embedded kernel
    Installed packages:
      Cron 0.2
      OpenVPN-Enhancements 1.2
      Patch rc to leave filter-dirty 0.1
      Squid 2.7.9-3
      SquidGuard 1.3-2

    As background, I have had occasional problems updating the blacklist (from shalla.de) and subsequently reconfiguring SquidGuard in which the filters were not working.  Reboot usually fixed.  Over the last couple of months I have reinstalled the Squid and SquidGuard packages and in the process may have changed to the current version…I check occasionally and if an installed package has a newer version, I get the latest.  Long way of saying I'm not sure how long the issues have been present or what change may have precipitated them.

    A few days ago, for unrelated reasons, I did a clean install (including disk format) from the ISO for 1.2.3 release.  I used a recent backup to configure and installed the packages listed above, and downloaded and configured the current shallla.de blacklist.  I was experiencing a number of issues:  Filter not working, passing any web sites; Filter blocking ALL web sites; (in both cases, GUI settings appeared correct); pfSense entering the reinstall all packages script when going to home page (Status---->System); pfSense logon window instead of any and all web sites; inconsistent results (mix of these symptoms) upon reboot.

    I believe I have isolated much if not all of the problem to an apparent conflict with OpenVPN by doing the following, and can reproduce the symptoms:

    • backup w/o packages and restore from that backup
    • install cron, Squid, SquidGuard, patch rc to leave filter-dirty, OpenVPN enhancements
    • configure squid as transparent proxy
    • install shalla blacklist and configure SquidGuard
    • start Squidguard

    At this point, web surfing works as desired; BL'd sites are blocked and others are visible.

    Reboot.  Still normal.

    • Configure OpenVPN using PKI and TLS/Auth.

    At this point, ALL web sites are blocked by the proxy.  Reboot has no effect.

    • Stop SquidGuard (shows stopped in config page and service status page).

    All web sites still blocked.

    • Uncheck transparent proxy and save.

    Normal surfing possible, but (obviously) no filtering.

    Searched the forum and found several similar issues (that's why the "Patch rc to leave filter-dirty" pkg is there) but none mentioning OpenVPN as a possible conflict.  Some of the startup timing issues seem to be present; here's a log extract in the conflicted state (proxy and filter on, all sites blocked):

    Oct  3 14:47:23 pfsense-fw kernel: em2: link state changed to UP
Oct  3 14:47:31 pfsense-fw php: : SQUID is installed but not started.  Not installing "nat" rules.
Oct  3 14:47:31 pfsense-fw php: : SQUID is installed but not started.  Not installing "filter" rules.
.
.
.
Oct  3 14:47:34 pfsense-fw dnsmasq[810]: read /etc/hosts - 17 addresses
Oct  3 14:47:38 pfsense-fw php: : SQUID is installed but not started.  Not installing "nat" rules.
Oct  3 14:47:38 pfsense-fw php: : SQUID is installed but not started.  Not installing "filter" rules.
Oct  3 14:47:39 pfsense-fw php: : Creating rrd update script
Oct  3 14:47:39 pfsense-fw dhcpd: Internet Systems Consortium DHCP Server V3.0.7
Oct  3 14:47:39 pfsense-fw dhcpd: Copyright 2004-2008 Internet Systems Consortium.
Oct  3 14:47:39 pfsense-fw dhcpd: All rights reserved.
Oct  3 14:47:39 pfsense-fw dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Oct  3 14:47:41 pfsense-fw php: : Resyncing configuration for all packages.
Oct  3 14:47:50 pfsense-fw php: : Starting Squid
Oct  3 14:47:50 pfsense-fw squid[1400]: Squid Parent: child process 1403 started
Oct  3 14:47:55 pfsense-fw dnsmasq[810]: reading /var/dhcpd/var/db/dhcpd.leases
Oct  3 14:47:57 pfsense-fw php: : Reloading Squid for configuration sync
Oct  3 14:48:27 pfsense-fw last message repeated 5 times
Oct  3 14:48:28 pfsense-fw kernel: pid 1403 (squid), uid 62: exited on signal 6
Oct  3 14:48:28 pfsense-fw squid[1403]: The url_rewriter helpers are crashing too rapidly, need help!
Oct  3 14:48:28 pfsense-fw squid[1400]: Squid Parent: child process 1403 exited due to signal 6
Oct  3 14:48:31 pfsense-fw squid[1400]: Squid Parent: child process 1924 started
Oct  3 14:48:33 pfsense-fw php: /sajax/index.sajax.php: [DEBUG] Lock recursion detected.
Oct  3 14:48:46 pfsense-fw php: : Reloading Squid for configuration sync
Oct  3 14:48:47 pfsense-fw php: : The OpenVPN-Enhancements package is missing required dependencies and must be reinstalled.
Oct  3 14:48:47 pfsense-fw last message repeated 4 times
Oct  3 14:48:47 pfsense-fw php: : Could not locate /usr/local/pkg/ovpnenhance.inc.
Oct  3 14:48:47 pfsense-fw php: : Beginning package installation for OpenVPN-Enhancements.
Oct  3 14:48:51 pfsense-fw check_reload_status: check_reload_status is starting
Oct  3 14:48:51 pfsense-fw check_reload_status: rc.newwanip starting
Oct  3 14:48:52 pfsense-fw php: : Informational: rc.newwanip is starting fxp0.
Oct  3 14:48:52 pfsense-fw php: : rc.newwanip working with (IP address: 192.168.1.2) (interface: wan) (interface real: fxp0).
Oct  3 14:48:52 pfsense-fw check_reload_status: reloading filter

    Next, I restored from a backup made before configuring OpenVPN.  Web surfing, with filtering, as expected.
    System log:

    Oct  3 15:33:53 pfsense-fw php: : SQUID is installed but not started.  Not installing "nat" rules.
Oct  3 15:33:53 pfsense-fw php: : SQUID is installed but not started.  Not installing "filter" rules.
.
.
.
Oct  3 15:33:56 pfsense-fw dnsmasq[772]: read /etc/hosts - 17 addresses
Oct  3 15:34:00 pfsense-fw php: : SQUID is installed but not started.  Not installing "nat" rules.
Oct  3 15:34:00 pfsense-fw php: : SQUID is installed but not started.  Not installing "filter" rules.
Oct  3 15:34:01 pfsense-fw php: : Creating rrd update script
Oct  3 15:34:01 pfsense-fw dhcpd: Internet Systems Consortium DHCP Server V3.0.7
Oct  3 15:34:01 pfsense-fw dhcpd: Copyright 2004-2008 Internet Systems Consortium.
Oct  3 15:34:01 pfsense-fw dhcpd: All rights reserved.
Oct  3 15:34:01 pfsense-fw dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Oct  3 15:34:02 pfsense-fw php: : Resyncing configuration for all packages.
Oct  3 15:34:02 pfsense-fw php: : The Cron package is missing required dependencies and must be reinstalled.
Oct  3 15:34:02 pfsense-fw php: : The Cron package is missing required dependencies and must be reinstalled.
Oct  3 15:34:10 pfsense-fw php: : Starting Squid
Oct  3 15:34:10 pfsense-fw squid[1320]: Squid Parent: child process 1323 started
Oct  3 15:34:11 pfsense-fw squid[1323]: The url_rewriter helpers are crashing too rapidly, need help!
Oct  3 15:34:11 pfsense-fw kernel: pid 1323 (squid), uid 62: exited on signal 6
Oct  3 15:34:11 pfsense-fw squid[1320]: Squid Parent: child process 1323 exited due to signal 6
Oct  3 15:34:13 pfsense-fw dnsmasq[772]: reading /var/dhcpd/var/db/dhcpd.leases
Oct  3 15:34:14 pfsense-fw squid[1320]: Squid Parent: child process 1396 started
Oct  3 15:34:28 pfsense-fw php: : Reloading Squid for configuration sync
Oct  3 15:34:29 pfsense-fw check_reload_status: check_reload_status is starting
Oct  3 15:34:29 pfsense-fw check_reload_status: rc.newwanip starting
Oct  3 15:34:30 pfsense-fw php: : Informational: rc.newwanip is starting fxp0.
Oct  3 15:34:30 pfsense-fw php: : rc.newwanip working with (IP address: 192.168.1.2) (interface: wan) (interface real: fxp0).
Oct  3 15:34:30 pfsense-fw check_reload_status: reloading filter

    Only difference I picked out is that with OpenVPN configured, it indicates that OpenVPN-Enancements is missing dependencies; when OpenVPN is not configured, same error with respect to cron.

    Finally, in both cases there are 3 instances of SquidGuard running; I don't know if this is normal, related, or unrelated:

    # ps -auxww | grep squid
root    1400  0.0  0.2  5436  2152  ??  Is    2:47PM   0:00.00 /usr/local/sbin/squid -D
proxy   1924  0.0  0.7 13628  6696  ??  I     2:48PM   0:00.16 (squid) -D (squid)
proxy   2078  0.0  0.5 52072  5332  ??  I     2:48PM   0:00.13 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.conf (squidGuard)
proxy   2079  0.0  0.5 52072  5332  ??  I     2:48PM   0:00.13 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.conf (squidGuard)
proxy   2080  0.0  0.5 52072  5332  ??  I     2:48PM   0:00.13 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.conf (squidGuard)
#

    Regret the long post but wanted to be complete.  If this post should be in the OpenVPN forum, please move it.  Grateful for any help.

    0
  • X

    PS to the above:  After restoring the backup w/o OpenVPN, and doing some surfing, clicking on Status–->System ran the PHP reinstall all packages script.  ???

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy