All traffic through openvpn, squid/squidguard

mj0ne

Mjew my lords

I've gotten a lot help by GruensFroeschli in this thread: http://forum.pfsense.org/index.php/topic,10093.0.html. However the main reason i want all traffic to go through the openvpn tunnel is that squid will be running in transparent mode and thus, taking on all http traffic and limiting certain hosts/networks.

I've gotten both PSK and PKI setup up and working with site-to-site connection that tunnels all traffic through the tunnel. However, the connected opvenvpn-client LAN-network clients simply doesn't use the squid proxy. But the LAN on the openvpn-server works as i should with squid.

I've been using tcpdump to find out what way the trafic takes from the tun tunnel, and the traffic simply goes from the openvpn-client LAN to the 10.0.8.6 address and then straight out on the WAN from the openvpn-server, no interaction what so ever with the squid proxy, altho it's running in transparent mode, meaning all http request will forward to it by default.

I've also added both the 10.0.8.0/24 tun network and 10.0.2.0/24 openvpn-client LAN network as ACL in squid, but no differs.

Edit: I've used my badass paint skills to draw a picture over the network

Network used for testing:

openvpn server:
LAN 192.168.1.0/24
WAN
Openvpn 10.0.8.0/24

openvpn client:
LAN 10.0.2.0/24
WAN
Openvpn 10.0.8.0/24

NOTE: I'm using two pfsense machines for testing atm, not the wrts.

Edit2: I also wonder if it's possible to use the dhcp relay to get more control over the connective clients LAN, but i think it's just easier changing to tap driver and bridging everything instead for that.

Edit3: added squid, openvpn server and client PSK/PKI confs

squid.conf

/usr/local/etc/squid/squid.conf
# Do not edit manually!
http_port 192.168.1.1:3128
http_port 127.0.0.1:80 transparent
icp_port 0

pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
visible_hostname localhost
cache_mgr admin@localhost

access_log /var/squid/log/access.log
cache_log /var/squid/log/cache.log
cache_store_log none
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.1.0/255.255.255.0
uri_whitespace strip

cache_dir aufs /var/squid/cache 100 16 256
cache_mem 8 MB
maximum_object_size 10 KB
minimum_object_size 0 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
offline_mode off

# No redirector configured

# Setup some default acls
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535
acl sslports port 443 563 
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin \?
acl allowed_subnets src 10.0.2.0/24 10.0.8.0/24 
acl banned_hosts src "/var/squid/acl/banned_hosts.acl"
cache deny dynamic
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

request_body_max_size 0 KB
reply_body_max_size 0 allow all
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow all

# These hosts are banned
http_access deny banned_hosts
# Allow local network(s) on interface(s)
http_access allow localnet
http_access allow allowed_subnets
# Default block all to be sure
http_access deny all

openvpn_server0.conf (PSK)

writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
ifconfig 10.0.8.1 10.0.8.2
lport 1194
route 10.0.2.0 255.255.255.0
secret /var/etc/openvpn_server0.secret
float

openvpn_client0.conf (PSK)

writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-client
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
remote *.*.*.* 1194
lport 1196
ifconfig 10.0.8.2 10.0.8.1
route 192.168.1.0 255.255.255.0
secret /var/etc/openvpn_client2.secret
route 0.0.0.0 128.0.0.0
route 128.0.0.0 128.0.0.0
route *.*.*.* 255.255.255.255 192.168.0.1

openvpn_server1.conf (PKI)

writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
client-to-client
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
push "route 192.168.1.0 255.255.255.0"
lport 1194
route 10.0.2.0 255.255.255.0
ca /var/etc/openvpn_server1.ca
cert /var/etc/openvpn_server1.cert
key /var/etc/openvpn_server1.key
dh /var/etc/openvpn_server1.dh
comp-lzo
#ifconfig-pool-linear
push "redirect-gateway def1"

openvpn_client1.conf (PKI)

writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-client
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
remote *.*.*.* 1194
client
lport 1195
ca /var/etc/openvpn_client1.ca
cert /var/etc/openvpn_client1.cert
key /var/etc/openvpn_client1.key
comp-lzo
pull

```![Untitled2.png](/public/_imported_attachments_/1/Untitled2.png)
![Untitled2.png_thumb](/public/_imported_attachments_/1/Untitled2.png_thumb)