Apparent package conflicts: Squid/SquidGuard vs. OpenVPN
-
Problem: Configuring OpenVPN causes issues with Squid/SquidGuard.
Hardware: Netgate Hamakua (with hard drive, not CF card)
Version: pfSense 1.2.3 RELEASE, embedded kernel
Installed packages:
Cron 0.2
OpenVPN-Enhancements 1.2
Patch rc to leave filter-dirty 0.1
Squid 2.7.9-3
SquidGuard 1.3-2
As background, I have had occasional problems updating the blacklist (from shalla.de) and subsequently reconfiguring SquidGuard in which the filters were not working. Reboot usually fixed. Over the last couple of months I have reinstalled the Squid and SquidGuard packages and in the process may have changed to the current version…I check occasionally and if an installed package has a newer version, I get the latest. Long way of saying I'm not sure how long the issues have been present or what change may have precipitated them.
A few days ago, for unrelated reasons, I did a clean install (including disk format) from the ISO for 1.2.3 release. I used a recent backup to configure and installed the packages listed above, and downloaded and configured the current shalla.de blacklist. I was experiencing a number of issues: Filter not working, passing any web sites; Filter blocking ALL web sites; (in both cases, GUI settings appeared correct); pfSense entering the reinstall all packages script when going to home page (Status---->System); pfSense logon window instead of any and all web sites; inconsistent results (mix of these symptoms) upon reboot.
I believe I have isolated much if not all of the problem to an apparent conflict with OpenVPN by doing the following, and can reproduce the symptoms:
- backup w/o packages and restore from that backup
- install cron, Squid, SquidGuard, patch rc to leave filter-dirty, OpenVPN enhancements
- configure squid as transparent proxy
- install shalla blacklist and configure SquidGuard
- start Squidguard
At this point, web surfing works as desired; BL'd sites are blocked and others are visible.
Reboot. Still normal.
- Configure OpenVPN using PKI and TLS/Auth.
At this point, ALL web sites are blocked by the proxy. Reboot has no effect.
- Stop SquidGuard (shows stopped in config page and service status page).
All web sites still blocked.
- Uncheck transparent proxy and save.
Normal surfing possible, but (obviously) no filtering.
Searched the forum and found several similar issues (that's why the "Patch rc to leave filter-dirty" pkg is there) but none mentioning OpenVPN as a possible conflict. Some of the startup timing issues seem to be present; here's a log extract in the conflicted state (proxy and filter on, all sites blocked):
Oct 3 14:47:23 pfsense-fw kernel: em2: link state changed to UP
Oct 3 14:47:31 pfsense-fw php: : SQUID is installed but not started. Not installing "nat" rules.
Oct 3 14:47:31 pfsense-fw php: : SQUID is installed but not started. Not installing "filter" rules.
. . .
Oct 3 14:47:34 pfsense-fw dnsmasq[810]: read /etc/hosts - 17 addresses
Oct 3 14:47:38 pfsense-fw php: : SQUID is installed but not started. Not installing "nat" rules.
Oct 3 14:47:38 pfsense-fw php: : SQUID is installed but not started. Not installing "filter" rules.
Oct 3 14:47:39 pfsense-fw php: : Creating rrd update script
Oct 3 14:47:39 pfsense-fw dhcpd: Internet Systems Consortium DHCP Server V3.0.7
Oct 3 14:47:39 pfsense-fw dhcpd: Copyright 2004-2008 Internet Systems Consortium.
Oct 3 14:47:39 pfsense-fw dhcpd: All rights reserved.
Oct 3 14:47:39 pfsense-fw dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Oct 3 14:47:41 pfsense-fw php: : Resyncing configuration for all packages.
Oct 3 14:47:50 pfsense-fw php: : Starting Squid
Oct 3 14:47:50 pfsense-fw squid[1400]: Squid Parent: child process 1403 started
Oct 3 14:47:55 pfsense-fw dnsmasq[810]: reading /var/dhcpd/var/db/dhcpd.leases
Oct 3 14:47:57 pfsense-fw php: : Reloading Squid for configuration sync
Oct 3 14:48:27 pfsense-fw last message repeated 5 times
Oct 3 14:48:28 pfsense-fw kernel: pid 1403 (squid), uid 62: exited on signal 6
Oct 3 14:48:28 pfsense-fw squid[1403]: The url_rewriter helpers are crashing too rapidly, need help!
Oct 3 14:48:28 pfsense-fw squid[1400]: Squid Parent: child process 1403 exited due to signal 6
Oct 3 14:48:31 pfsense-fw squid[1400]: Squid Parent: child process 1924 started
Oct 3 14:48:33 pfsense-fw php: /sajax/index.sajax.php: [DEBUG] Lock recursion detected.
Oct 3 14:48:46 pfsense-fw php: : Reloading Squid for configuration sync
Oct 3 14:48:47 pfsense-fw php: : The OpenVPN-Enhancements package is missing required dependencies and must be reinstalled.
Oct 3 14:48:47 pfsense-fw last message repeated 4 times
Oct 3 14:48:47 pfsense-fw php: : Could not locate /usr/local/pkg/ovpnenhance.inc.
Oct 3 14:48:47 pfsense-fw php: : Beginning package installation for OpenVPN-Enhancements.
Oct 3 14:48:51 pfsense-fw check_reload_status: check_reload_status is starting
Oct 3 14:48:51 pfsense-fw check_reload_status: rc.newwanip starting
Oct 3 14:48:52 pfsense-fw php: : Informational: rc.newwanip is starting fxp0.
Oct 3 14:48:52 pfsense-fw php: : rc.newwanip working with (IP address: 192.168.1.2) (interface: wan) (interface real: fxp0).
Oct 3 14:48:52 pfsense-fw check_reload_status: reloading filter
Next, I restored from a backup made before configuring OpenVPN. Web surfing, with filtering, as expected.
System log:
Oct 3 15:33:53 pfsense-fw php: : SQUID is installed but not started. Not installing "nat" rules.
Oct 3 15:33:53 pfsense-fw php: : SQUID is installed but not started. Not installing "filter" rules.
. . .
Oct 3 15:33:56 pfsense-fw dnsmasq[772]: read /etc/hosts - 17 addresses
Oct 3 15:34:00 pfsense-fw php: : SQUID is installed but not started. Not installing "nat" rules.
Oct 3 15:34:00 pfsense-fw php: : SQUID is installed but not started. Not installing "filter" rules.
Oct 3 15:34:01 pfsense-fw php: : Creating rrd update script
Oct 3 15:34:01 pfsense-fw dhcpd: Internet Systems Consortium DHCP Server V3.0.7
Oct 3 15:34:01 pfsense-fw dhcpd: Copyright 2004-2008 Internet Systems Consortium.
Oct 3 15:34:01 pfsense-fw dhcpd: All rights reserved.
Oct 3 15:34:01 pfsense-fw dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Oct 3 15:34:02 pfsense-fw php: : Resyncing configuration for all packages.
Oct 3 15:34:02 pfsense-fw php: : The Cron package is missing required dependencies and must be reinstalled.
Oct 3 15:34:02 pfsense-fw php: : The Cron package is missing required dependencies and must be reinstalled.
Oct 3 15:34:10 pfsense-fw php: : Starting Squid
Oct 3 15:34:10 pfsense-fw squid[1320]: Squid Parent: child process 1323 started
Oct 3 15:34:11 pfsense-fw squid[1323]: The url_rewriter helpers are crashing too rapidly, need help!
Oct 3 15:34:11 pfsense-fw kernel: pid 1323 (squid), uid 62: exited on signal 6
Oct 3 15:34:11 pfsense-fw squid[1320]: Squid Parent: child process 1323 exited due to signal 6
Oct 3 15:34:13 pfsense-fw dnsmasq[772]: reading /var/dhcpd/var/db/dhcpd.leases
Oct 3 15:34:14 pfsense-fw squid[1320]: Squid Parent: child process 1396 started
Oct 3 15:34:28 pfsense-fw php: : Reloading Squid for configuration sync
Oct 3 15:34:29 pfsense-fw check_reload_status: check_reload_status is starting
Oct 3 15:34:29 pfsense-fw check_reload_status: rc.newwanip starting
Oct 3 15:34:30 pfsense-fw php: : Informational: rc.newwanip is starting fxp0.
Oct 3 15:34:30 pfsense-fw php: : rc.newwanip working with (IP address: 192.168.1.2) (interface: wan) (interface real: fxp0).
Oct 3 15:34:30 pfsense-fw check_reload_status: reloading filter
Only difference I picked out is that with OpenVPN configured, it indicates that OpenVPN-Enhancements is missing dependencies; when OpenVPN is not configured, same error with respect to cron.
Finally, in both cases there are 3 instances of SquidGuard running; I don't know if this is normal, related, or unrelated:
# ps -auxww | grep squid
root 1400 0.0 0.2 5436 2152 ?? Is 2:47PM 0:00.00 /usr/local/sbin/squid -D
proxy 1924 0.0 0.7 13628 6696 ?? I 2:48PM 0:00.16 (squid) -D (squid)
proxy 2078 0.0 0.5 52072 5332 ?? I 2:48PM 0:00.13 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.conf (squidGuard)
proxy 2079 0.0 0.5 52072 5332 ?? I 2:48PM 0:00.13 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.conf (squidGuard)
proxy 2080 0.0 0.5 52072 5332 ?? I 2:48PM 0:00.13 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.conf (squidGuard)
#
Regret the long post but wanted to be complete. If this post should be in the OpenVPN forum, please move it. Grateful for any help.
-
PS to the above: After restoring the backup w/o OpenVPN, and doing some surfing, clicking on Status--->System ran the PHP reinstall all packages script. ???
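
The boot-log comparison the post does by eye, as an added example that is not part of the original post: it strips timestamps, host and process IDs from two system logs so that only the messages unique to each boot remain. The sample lines are a constructed excerpt of the two logs above, and the function names are hypothetical.

```python
import re

# Constructed excerpts: a few lines copied from the two boot logs in the post.
WITH_OPENVPN = """\
Oct 3 14:47:50 pfsense-fw php: : Starting Squid
Oct 3 14:47:50 pfsense-fw squid[1400]: Squid Parent: child process 1403 started
Oct 3 14:48:27 pfsense-fw last message repeated 5 times
Oct 3 14:48:28 pfsense-fw kernel: pid 1403 (squid), uid 62: exited on signal 6
Oct 3 14:48:28 pfsense-fw squid[1403]: The url_rewriter helpers are crashing too rapidly, need help!
Oct 3 14:48:47 pfsense-fw php: : The OpenVPN-Enhancements package is missing required dependencies and must be reinstalled.
Oct 3 14:48:47 pfsense-fw php: : Could not locate /usr/local/pkg/ovpnenhance.inc.
"""
WITHOUT_OPENVPN = """\
Oct 3 15:34:02 pfsense-fw php: : The Cron package is missing required dependencies and must be reinstalled.
Oct 3 15:34:10 pfsense-fw php: : Starting Squid
Oct 3 15:34:10 pfsense-fw squid[1320]: Squid Parent: child process 1323 started
Oct 3 15:34:11 pfsense-fw squid[1323]: The url_rewriter helpers are crashing too rapidly, need help!
Oct 3 15:34:11 pfsense-fw kernel: pid 1323 (squid), uid 62: exited on signal 6
"""

# "Mon D HH:MM:SS host tag[pid]: message", the layout of the log lines above.
SYSLOG = re.compile(
    r"^[A-Z][a-z]{2}\s+\d+\s+[\d:]{8}\s+\S+\s+"
    r"(?P<tag>[^:\[\s]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)


def normalize(line):
    """Drop timestamp, host and PIDs so the same event compares equal across boots."""
    m = SYSLOG.match(line.strip())
    if m is None:  # e.g. "last message repeated 5 times" carries no tag
        return None
    msg = re.sub(r"\b(process|pid) \d+", r"\1 N", m["msg"].lstrip(": "))
    return f"{m['tag']}: {msg}"


def only_in_each(log_a, log_b):
    """Return (messages only in log_a, messages only in log_b), each sorted."""
    a = {n for n in map(normalize, log_a.splitlines()) if n}
    b = {n for n in map(normalize, log_b.splitlines()) if n}
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    vpn_only, no_vpn_only = only_in_each(WITH_OPENVPN, WITHOUT_OPENVPN)
    print("only with OpenVPN configured:", *vpn_only, sep="\n  ")
    print("only without OpenVPN:", *no_vpn_only, sep="\n  ")
```

Events present in both boots, such as the url_rewriter helper crash, drop out of both result lists.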