Squid and OpenVPN Road Warrior

Tested with pfSense 2.1 and squid3-dev 3.3.10 pkg 2.2.1, not in transparent (intercept) mode.
pfSense lets you assign/enable tun OpenVPN interfaces without an IP configuration. That way you have them as OPTx in the firewall rules, in addition to the general OpenVPN tab.
This means you can select tun interfaces in the squid configuration.
When I select one of these tun OPTx interfaces in squid, I get this in squid.conf:
http_port 192.168.0.1:3128 --> LAN, physical interface
http_port 192.168.1.1:3128 --> OPT1, tun OpenVPN interface
acl localnet src 192.168.0.0/24 0.40.0.0/0.20173389051966 --> Strange value!
The problem is not critical because I ended up adding the OpenVPN subnet to the permitted networks. So I have:
http_port 192.168.0.1:3128 --> LAN, physical interface
acl localnet src 192.168.0.0/24 --> LAN subnet
acl allowed_subnets src 192.168.1.0/24 --> OpenVPN subnet
Note: I changed my 192.168. values to simplify the explanation.
Apart from the configuration error, I'm wondering what is better for a Road Warrior: to use the LAN address for the proxy, or the OpenVPN server address?
192.168.XXX.0 -> Server subnet
192.168.XXX.1 -> OpenVPN Server (pfSense)
192.168.XXX.2 -> OpenVPN Server Gateway (pfSense)
192.168.XXX.3 -> Server Broadcast

192.168.XXX.4 -> First Road Warrior Subnet
192.168.XXX.5 -> First Road Warrior Gateway
192.168.XXX.6 -> First Road Warrior
192.168.XXX.7 -> First Road Warrior Broadcast

192.168.XXX.8 -> Second Road Warrior Subnet
192.168.XXX.9 -> Second Road Warrior Gateway
192.168.XXX.10 -> Second Road Warrior
192.168.XXX.11 -> Second Road Warrior Broadcast

I have the exact same issue on pfSense 2.2-RELEASE (amd64) (built on Thu Jan 22 14:03:54 CST 2015 FreeBSD 10.1-RELEASE-p4) with squid 3.4.10_2 (pkg 0.2.6).
The second number varies though, and it doesn't seem to always produce this error. I had it working for 2 weeks perfectly, but a few minutes ago my gateway went down and that led to this strange error again.
For reference, my error was:
Mar 1 20:14:29 php-fpm[42821]: /pkg_edit.php: The command '/usr/pbi/squid-amd64/sbin/squid -k reconfigure -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf' returned exit code '1', the output was '
2015/03/01 20:14:29| aclParseIpData: unknown netmask '0.20173389051966' in '0.40.0.0/0.20173389051966'
FATAL: Bungled /usr/pbi/squid-amd64/local/etc/squid/squid.conf line 31: acl localnet src 10.0.0.0/8 172.16.0.0/24 172.16.1.0/24 172.16.2.0/24 0.40.0.0/0.20173389051966 0.40.0.0/0.20173389670071
Squid Cache (Version 3.4.10): Terminated abnormally.
CPU Usage: 0.061 seconds = 0.031 user + 0.031 sys
Maximum Resident Size: 45728 KB
Page faults with physical i/o: 0'
Mar 1 20:14:29 squid: Bungled /usr/pbi/squid-amd64/local/etc/squid/squid.conf line 31: acl localnet src 10.0.0.0/8 172.16.0.0/24 172.16.1.0/24 172.16.2.0/24 0.40.0.0/0.20173389051966 0.40.0.0/0.20173389670071
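A pre-flight check for the generated configuration, written as an added example (it is not from the thread or from the pfSense squid package): it parses every `acl ... src` entry with Python's ipaddress module and reports the entries squid would reject, so a bungled file can be caught before `squid -k reconfigure` is run. The sample squid.conf is constructed; its localnet line is the one quoted in the log above, and the remaining lines are made up.

```python
import ipaddress
import re

# Constructed sample squid.conf; the "acl localnet src" line reproduces the
# bungled line quoted in the log above, the other lines are made up.
SAMPLE_SQUID_CONF = """\
http_port 192.168.0.1:3128
http_port 192.168.1.1:3128
acl localnet src 10.0.0.0/8 172.16.0.0/24 172.16.1.0/24 172.16.2.0/24 0.40.0.0/0.20173389051966 0.40.0.0/0.20173389670071
acl allowed_subnets src 192.168.1.0/24
acl typo src 192.168.5.0/255.255.255.300
http_access allow localnet allowed_subnets
"""

# Matches "acl <name> src <entries...>"; other ACL types are not checked here.
ACL_SRC_LINE = re.compile(r"^\s*acl\s+(\S+)\s+src\s+(.+?)\s*$")


def parse_src_entry(entry):
    """Return the network for one squid 'src' entry (a.b.c.d, a.b.c.d/nn or
    a.b.c.d/m.m.m.m). Raises ValueError for anything squid would reject,
    such as the fractional netmask 0.20173389051966 from the thread.
    Address ranges (a.b.c.d-e.f.g.h) are not handled by this helper."""
    return ipaddress.ip_network(entry, strict=False)


def lint_squid_acl_src(conf_text):
    """Return (line_no, acl_name, entry, reason) for every src entry that
    would make squid report 'Bungled ... squid.conf'."""
    problems = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        match = ACL_SRC_LINE.match(line)
        if not match:
            continue
        acl_name, entries = match.groups()
        for entry in entries.split():
            try:
                parse_src_entry(entry)
            except ValueError as exc:
                problems.append((line_no, acl_name, entry, str(exc)))
    return problems


def safe_to_reconfigure(conf_text):
    """True when no src entry would make 'squid -k reconfigure' abort."""
    return not lint_squid_acl_src(conf_text)


if __name__ == "__main__":
    for line_no, acl_name, entry, reason in lint_squid_acl_src(SAMPLE_SQUID_CONF):
        print(f"line {line_no}: acl {acl_name}: bad entry {entry!r} ({reason})")
    print("safe to reconfigure:", safe_to_reconfigure(SAMPLE_SQUID_CONF))
```

Run it against the file pfSense writes (`/usr/pbi/squid-amd64/local/etc/squid/squid.conf` in the reply above) before reloading, and squid keeps serving the last good configuration instead of terminating.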