Squid & OpenVPN Revisited



  • Hi all,

    pfSense 2.0 i386 two node cluster.  Squid, Openvpn.

    I had hoped to roll out squid to the openvpn service but I've hit some problems.  Someone else has already covered this (http://forum.pfsense.org/index.php/topic,33622.0.html), but to recap - setting up an OpenVPN server doesn't require the creation of an interface.  This means that Squid has nothing to bind to.  That's solved by adding a new interface to represent the tun adapter for OpenVPN (as I understand it).  I'm not clear whether this is an alias for all possible TUN instances, but that's not my current problem.

    That thread references this page on traffic filtering for Openvpn on 1.2.3 http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3.  It says that you should set the OpenVPN interface type to static, but leave the IP address blank.  This is an invalid combination on 2.0.  What are the implications of leaving the interface type set to 'none' instead of 'static'?

    Simon



  • If you want to force squid out via the VPN, try setting the squid tcp_outgoing_address directive in the package custom options.



  • Sorry, I wasn't clear.  I have squid enabled for the desktop LAN in transparent mode in what I would imagine is one of the most common deployment configurations.  Squid is configured for a proxy interface of 'LAN' in its configuration.  Any http request originating from our internal LAN that is destined for a public IP address will pass through Squid.  I would like to have the same functionality for clients on the OpenVPN-assigned addresses, however there is no exposed OpenVPN service network interface available on the squid configuration page.  My original post picks up from there.

    Regards,

    Simon



  • Ok, now it's clear to me.

    You may need to edit the squid.inc file and manually add a redirect rule for the OpenVPN interface.
    In /tmp/rules.debug you can see the squid rdr rule.
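The redirect rule the reply above refers to, as an added example (not code from the thread, and not the pfSense Squid package's own generated rules): a pf 'rdr' rule of the form the transparent Squid package emits for LAN, beside the one you would add for OpenVPN clients. The interface names (em1 for LAN, ovpns1 for the OpenVPN server tunnel), the tunnel network 10.8.0.0/24 and the Squid port 3128 are assumptions; take the real values from /tmp/rules.debug and from the OpenVPN server's "Tunnel Network" setting.

```pf
# Added example, not the pfSense Squid package's own rules.
# Assumptions: Squid listens transparently on 127.0.0.1:3128,
# LAN is em1, the OpenVPN server tunnel is ovpns1 and its
# tunnel network is 10.8.0.0/24.

# Rule of the form the Squid package already generates for LAN:
# redirect outbound HTTP that is not for the firewall itself to Squid.
rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128

# Added rule: do the same for HTTP coming in from OpenVPN clients.
rdr on ovpns1 proto tcp from 10.8.0.0/24 to !(ovpns1) port 80 -> 127.0.0.1 port 3128

# Filter rules are evaluated after translation, so the redirected
# packets must be allowed through to Squid on loopback.
pass in quick on ovpns1 proto tcp from 10.8.0.0/24 to 127.0.0.1 port 3128
```

Two checks before relying on it: `pfctl -nf /tmp/rules.debug` syntax-checks the ruleset without loading it, and `pfctl -sn` lists the translation (rdr) rules actually loaded, so you can confirm the OpenVPN rule is present after a filter reload. Note that /tmp/rules.debug is regenerated on every filter reload, which is why the reply suggests putting the rule into squid.inc rather than editing the generated file. Squid itself also has to accept the tunnel clients: the tunnel network must be in the package's allowed-subnets list (the `acl localnet src ...` entries in the generated squid.conf), otherwise the redirected requests are answered with an access-denied page rather than proxied.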

