    Netgate Discussion Forum

    Squid and OpenVPN Road Warrior

    pfSense Packages

    • bellera
      Tested with pfSense 2.1 with squid3-dev 3.3.10 pkg 2.2.1, no transparent (intercept) mode.

      pfSense permits assigning/enabling tun OpenVPN interfaces without IP configuration. This way, you have them as OPTx at LAN Rules in addition to the general OpenVPN tab.

      This means you can select tun interfaces at squid configuration.

      When I select one of these tun OPTx interfaces in squid, I have in squid.conf:

      http_port 192.168.0.1:3128 --> LAN, physical interface
      http_port 192.168.1.1:3128 --> OPT1, tun OpenVPN interface
      acl localnet src  192.168.0.0/24 0.40.0.0/0.20173389051966 --> Strange value!

      The problem is not critical because I ended up adding the OpenVPN subnet to the permitted networks. So, I have:

      http_port 192.168.0.1:3128 --> LAN, physical interface
      acl localnet src  192.168.0.0/24 --> LAN subnet
      acl allowed_subnets src 192.168.1.0/24 --> OpenVPN subnet

      Note: I changed my 192.168. values to simplify the explanation.

      Apart from the configuration error, I'm wondering what is better for a Road Warrior: to use the LAN address for the proxy, or the OpenVPN server address?

      @bellera:

      • 192.168.XXX.0 -> Server subnet
        • 192.168.XXX.1 -> OpenVPN Server (pfSense)
        • 192.168.XXX.2 -> OpenVPN Server Gateway (pfSense)
        • 192.168.XXX.3 -> Server Broadcast
      • 192.168.XXX.4 -> First Road Warrior Subnet
        • 192.168.XXX.5 -> First Road Warrior Gateway
        • 192.168.XXX.6 -> First Road Warrior
        • 192.168.XXX.7 -> First Road Warrior Broadcast
      • 192.168.XXX.8 -> Second Road Warrior Subnet
        • 192.168.XXX.9 -> Second Road Warrior Gateway
        • 192.168.XXX.10 -> Second Road Warrior
        • 192.168.XXX.11 -> Second Road Warrior Broadcast

      • show-p1984

        I have the exact same issue on pfSense 2.2-RELEASE (amd64) (built on Thu Jan 22 14:03:54 CST 2015 FreeBSD 10.1-RELEASE-p4) with squid 3.4.10_2 (pkg 0.2.6).
        The second number varies though, and it doesn't seem to always produce this error. I had it working for 2 weeks perfectly, but a few minutes ago my gateway went down and that led to this strange error again.

        For reference, my error was:

        Mar 1 20:14:29	php-fpm[42821]: /pkg_edit.php: The command '/usr/pbi/squid-amd64/sbin/squid -k reconfigure -f /usr/pbi/squid-amd64/local/etc/squid/squid.conf' returned exit code '1', the output was '2015/03/01 20:14:29| aclParseIpData: unknown netmask '0.20173389051966' in '0.40.0.0/0.20173389051966' FATAL: Bungled /usr/pbi/squid-amd64/local/etc/squid/squid.conf line 31: acl localnet src 10.0.0.0/8 172.16.0.0/24 172.16.1.0/24 172.16.2.0/24 0.40.0.0/0.20173389051966 0.40.0.0/0.20173389670071 Squid Cache (Version 3.4.10): Terminated abnormally. CPU Usage: 0.061 seconds = 0.031 user + 0.031 sys Maximum Resident Size: 45728 KB Page faults with physical i/o: 0'
        
        Mar 1 20:14:29	squid: Bungled /usr/pbi/squid-amd64/local/etc/squid/squid.conf line 31: acl localnet src 10.0.0.0/8 172.16.0.0/24 172.16.1.0/24 172.16.2.0/24 0.40.0.0/0.20173389051966 0.40.0.0/0.20173389670071
        

        Before you ask questions, read and understand this! -> catb.org/~esr/faqs/smart-questions.html

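A pre-flight check of the kind that would have caught this before `squid -k reconfigure` took the proxy down, added here as an example and not code from the thread or from the pfSense squid package: it parses every `acl ... src` line and flags any entry whose address or mask the Python `ipaddress` module cannot parse, reporting the same 1-based line numbers squid prints in its "Bungled" message. The squid.conf text is constructed from the lines quoted in this thread, and the check assumes the pfSense-generated acl only ever contains address/CIDR entries (no hostnames or ranges).

```python
import ipaddress
import re

# Constructed squid.conf fragment modelled on the lines quoted in this thread.
# Lines 3 and 4 are fine; line 5 carries the "0.40.0.0/0.20173389051966"
# style entries that made squid abort with "Bungled ... line 31".
SAMPLE_SQUID_CONF = """\
http_port 192.168.0.1:3128
http_port 192.168.1.1:3128
acl localnet src 192.168.0.0/24
acl allowed_subnets src 192.168.1.0/24
acl localnet src 10.0.0.0/8 172.16.0.0/24 0.40.0.0/0.20173389051966 0.40.0.0/0.20173389670071
"""

ACL_SRC_RE = re.compile(r"^\s*acl\s+(\S+)\s+src\s+(.+?)\s*$")

def valid_ip_spec(token):
    """True if token is an address, addr/prefixlen or addr/dotted-mask.
    Squid also accepts hostnames and addr-addr ranges; this check treats
    those as invalid (assumption: pfSense only emits CIDR entries here)."""
    try:
        if "/" not in token:
            ipaddress.ip_address(token)
        else:
            addr, mask = token.split("/", 1)
            ipaddress.ip_address(addr)
            # strict=False: tolerate host bits set in the network part, as squid does
            ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        return True
    except ValueError:
        return False

def find_bungled_acls(conf_text):
    """Return [(line_number, acl_name, bad_token), ...] for every acl src
    entry squid would reject, numbering lines from 1 as squid does."""
    problems = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = ACL_SRC_RE.match(line)
        if not m:
            continue
        name, values = m.groups()
        for token in values.split():
            if not valid_ip_spec(token):
                problems.append((lineno, name, token))
    return problems

if __name__ == "__main__":
    for lineno, name, token in find_bungled_acls(SAMPLE_SQUID_CONF):
        print(f"squid.conf line {lineno}: acl {name} has invalid entry {token}")
```

Run against the real file before the package calls `squid -k reconfigure`; a non-empty result means the proxy would have stayed on the old configuration or died, exactly as in the log above.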