All traffic through openvpn, squid/squidguard



  • Mjew my lords

    I've gotten a lot of help from GruensFroeschli in this thread: http://forum.pfsense.org/index.php/topic,10093.0.html. However, the main reason I want all traffic to go through the openvpn tunnel is that squid will be running in transparent mode and thus taking on all http traffic and limiting certain hosts/networks.

    I've gotten both PSK and PKI set up and working with a site-to-site connection that tunnels all traffic through the tunnel. However, the connected openvpn-client LAN clients simply don't use the squid proxy. But the LAN on the openvpn-server works as it should with squid.

    I've been using tcpdump to find out what way the traffic takes from the tun tunnel, and the traffic simply goes from the openvpn-client LAN to the 10.0.8.6 address and then straight out on the WAN from the openvpn-server, no interaction whatsoever with the squid proxy, although it's running in transparent mode, meaning all http requests should be forwarded to it by default.

    I've also added both the 10.0.8.0/24 tun network and the 10.0.2.0/24 openvpn-client LAN network as an ACL in squid, but it makes no difference.

    Edit: I've used my badass paint skills to draw a picture over the network

    Network used for testing:

    openvpn server:
    LAN 192.168.1.0/24
    WAN
    Openvpn 10.0.8.0/24

    openvpn client:
    LAN 10.0.2.0/24
    WAN
    Openvpn 10.0.8.0/24

    NOTE: I'm using two pfsense machines for testing atm, not the wrts.

    Edit2: I also wonder if it's possible to use the dhcp relay to get more control over the connected client's LAN, but I think it's just easier to change to the tap driver and bridge everything instead for that.

    Edit3: added squid, openvpn server and client PSK/PKI confs

    squid.conf

    
    /usr/local/etc/squid/squid.conf
    # Do not edit manually!
    # NOTE(review): generated by the pfSense squid package (see the line above);
    # apply any change through the package GUI or it is lost on regeneration.
    # Explicit (non-transparent) proxy listener, bound to the LAN address only.
    http_port 192.168.1.1:3128
    # Interception listener, bound to loopback only. Traffic reaches it solely
    # through a firewall redirect (port 80 -> 127.0.0.1:80) on the interface the
    # traffic enters; presumably no such redirect exists for the tun interface,
    # which would explain VPN-side HTTP bypassing the proxy -- TODO confirm in pf.
    http_port 127.0.0.1:80 transparent
    # ICP (inter-cache) disabled.
    icp_port 0
    
    pid_filename /var/run/squid.pid
    # Run as the unprivileged proxy user/group after binding the ports.
    cache_effective_user proxy
    cache_effective_group proxy
    error_directory /usr/local/etc/squid/errors/English
    visible_hostname localhost
    cache_mgr admin@localhost
    
    access_log /var/squid/log/access.log
    cache_log /var/squid/log/cache.log
    cache_store_log none
    shutdown_lifetime 3 seconds
    # Allow local network(s) on interface(s)
    # Server-side LAN; used by the "http_access allow localnet" rule below.
    acl localnet src 192.168.1.0/255.255.255.0
    uri_whitespace strip
    
    # Small on-disk cache (100 MB) with modest memory use.
    cache_dir aufs /var/squid/cache 100 16 256
    cache_mem 8 MB
    maximum_object_size 10 KB
    minimum_object_size 0 KB
    cache_replacement_policy heap LFUDA
    memory_replacement_policy heap GDSF
    offline_mode off
    
    # No redirector configured
    
    # Setup some default acls
    # NOTE(review): newer Squid releases predefine "all"; redefining it only
    # produces a startup warning, but check the version in use.
    acl all src 0.0.0.0/0
    acl localhost src 127.0.0.1
    # Destination ports the proxy is allowed to connect to.
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535
    # Ports permitted for CONNECT tunnelling (https, snews).
    acl sslports port 443 563 
    acl manager proto cache_object
    acl purge method PURGE
    # NOTE(review): defined as "connect" but referenced as "CONNECT" below;
    # whether that resolves depends on the Squid version (newer ones predefine
    # CONNECT) -- TODO confirm there is no startup warning.
    acl connect method CONNECT
    acl dynamic urlpath_regex cgi-bin \?
    # VPN transit network and the remote (openvpn-client) LAN.
    acl allowed_subnets src 10.0.2.0/24 10.0.8.0/24 
    # One source address/network per line, loaded from the file at startup.
    acl banned_hosts src "/var/squid/acl/banned_hosts.acl"
    cache deny dynamic
    # http_access rules are evaluated top-down, first match wins.
    # cachemgr and PURGE only from loopback.
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports
    
    # Always allow localhost connections
    http_access allow localhost
    
    # 0 = no limit for both request and reply bodies.
    request_body_max_size 0 KB
    reply_body_max_size 0 allow all
    # One delay pool, -1/-1 on both levels = no bandwidth throttling.
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow all
    
    # These hosts are banned
    # Deny is placed before the network allows so a banned host inside an
    # allowed subnet is still blocked.
    http_access deny banned_hosts
    # Allow local network(s) on interface(s)
    http_access allow localnet
    http_access allow allowed_subnets
    # Default block all to be sure
    http_access deny all
    
    

    openvpn_server0.conf (PSK)

    
    writepid /var/run/openvpn_server0.pid
    # NOTE(review): privilege drop is disabled, so the daemon keeps running as
    # root; persist-tun/persist-key below are what make running as
    # nobody/nobody workable, so these two lines can be enabled.
    #user nobody
    #group nobody
    daemon
    # Ping the peer every 10 s, restart the tunnel after 60 s of silence.
    keepalive 10 60
    ping-timer-rem
    # Keep the tun device and key material across restarts (needed for the
    # user/group drop above).
    persist-tun
    persist-key
    dev tun
    # TCP transport. Tunnelling TCP inside TCP amplifies retransmits under
    # loss; udp is the usual choice when the path allows it.
    proto tcp-server
    # NOTE(review): Blowfish has a 64-bit block size (SWEET32-class weakness);
    # prefer an AES cipher such as AES-256-CBC, configured on both ends.
    cipher BF-CBC
    # Reload the pfSense filter rules when the tunnel comes up or goes down.
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    # Point-to-point addressing: local 10.0.8.1, peer 10.0.8.2.
    ifconfig 10.0.8.1 10.0.8.2
    lport 1194
    # Remote (openvpn-client) LAN reachable through the tunnel.
    route 10.0.2.0 255.255.255.0
    # Static pre-shared key: no forward secrecy, so a leaked key file exposes
    # every captured session. Keep it readable by root only.
    secret /var/etc/openvpn_server0.secret
    # Accept a change of the peer's source address/port mid-session; packets
    # must still authenticate under the shared secret.
    float
    
    

    openvpn_client0.conf (PSK)

    
    # NOTE(review): the pid and secret paths say client2 while the listing is
    # titled client0 -- presumably copied from another instance; confirm this
    # secret is the same key file server0 uses.
    writepid /var/run/openvpn_client2.pid
    # NOTE(review): privilege drop is disabled; persist-tun/persist-key are
    # already set, so nobody/nobody can be enabled here as well.
    #user nobody
    #group nobody
    daemon
    # Ping every 10 s, restart after 60 s of silence.
    keepalive 10 60
    ping-timer-rem
    # Keep the tun device and key material across restarts.
    persist-tun
    persist-key
    dev tun
    proto tcp-client
    # NOTE(review): Blowfish has a 64-bit block size; prefer an AES cipher such
    # as AES-256-CBC, matching the server.
    cipher BF-CBC
    # Reload the pfSense filter rules on tunnel up/down.
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    # Server public address redacted by the author.
    remote *.*.*.* 1194
    lport 1196
    # Point-to-point addressing: local 10.0.8.2, peer 10.0.8.1 (mirror of server0).
    ifconfig 10.0.8.2 10.0.8.1
    # Server-side LAN reachable through the tunnel.
    route 192.168.1.0 255.255.255.0
    # Static pre-shared key: no forward secrecy; keep readable by root only.
    secret /var/etc/openvpn_client2.secret
    # Two /1 routes that together cover all of IPv4 and are more specific than
    # the existing default route, so all traffic enters the tunnel without
    # the original default being removed (the "def1" technique).
    route 0.0.0.0 128.0.0.0
    route 128.0.0.0 128.0.0.0
    # Host route for the VPN server's public address via the local WAN gateway
    # (192.168.0.1), so the tunnel's own packets are not sent into the tunnel.
    route *.*.*.* 255.255.255.255 192.168.0.1
    
    

    openvpn_server1.conf (PKI)

    
    writepid /var/run/openvpn_server1.pid
    # NOTE(review): privilege drop is disabled; persist-tun/persist-key below
    # make nobody/nobody workable, so these two lines can be enabled.
    #user nobody
    #group nobody
    daemon
    # Ping every 10 s, restart after 60 s of silence.
    keepalive 10 60
    ping-timer-rem
    # Keep the tun device and key material across restarts.
    persist-tun
    persist-key
    dev tun
    # TCP transport; udp is the usual choice when the path allows it.
    proto tcp-server
    # NOTE(review): Blowfish has a 64-bit block size (SWEET32-class weakness);
    # prefer an AES cipher such as AES-256-CBC on both ends.
    cipher BF-CBC
    # Reload the pfSense filter rules on tunnel up/down.
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    # Forwards traffic between connected clients inside the daemon, so that
    # traffic never passes the pf firewall rules. Drop it unless clients must
    # reach each other.
    client-to-client
    # Server mode: hand out addresses from 10.0.8.0/24.
    server 10.0.8.0 255.255.255.0
    # Per-client override directory. For the route below to work in server
    # mode the client's file here needs a matching iroute for 10.0.2.0/24;
    # presumably present -- TODO confirm.
    client-config-dir /var/etc/openvpn_csc
    # Tell clients how to reach the server-side LAN.
    push "route 192.168.1.0 255.255.255.0"
    lport 1194
    # Remote (openvpn-client) LAN; see the client-config-dir note above.
    route 10.0.2.0 255.255.255.0
    # TLS material. NOTE(review): no tls-auth key is configured, so the listener
    # on 1194 accepts a TLS handshake from anyone; tls-auth adds a pre-shared
    # HMAC check in front of the handshake.
    ca /var/etc/openvpn_server1.ca
    cert /var/etc/openvpn_server1.cert
    key /var/etc/openvpn_server1.key
    dh /var/etc/openvpn_server1.dh
    # NOTE(review): compressing tunnelled data that mixes secrets with
    # attacker-influenced content is a known risk (VORACLE class); consider
    # disabling compression on both ends.
    comp-lzo
    #ifconfig-pool-linear
    # Push a full default-route redirect to every client (def1 technique).
    push "redirect-gateway def1"
    
    

    openvpn_client1.conf (PKI)

    
    writepid /var/run/openvpn_client1.pid
    # NOTE(review): privilege drop is disabled; persist-tun/persist-key are
    # set, so nobody/nobody can be enabled.
    #user nobody
    #group nobody
    daemon
    # Ping every 10 s, restart after 60 s of silence.
    keepalive 10 60
    ping-timer-rem
    # Keep the tun device and key material across restarts.
    persist-tun
    persist-key
    dev tun
    proto tcp-client
    # NOTE(review): Blowfish has a 64-bit block size; prefer an AES cipher such
    # as AES-256-CBC, matching the server.
    cipher BF-CBC
    # Reload the pfSense filter rules on tunnel up/down.
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    # Server public address redacted by the author.
    remote *.*.*.* 1194
    # Client mode: address and routes come from the server (see pull below).
    client
    lport 1195
    # NOTE(review): no "remote-cert-tls server" (or older "ns-cert-type server")
    # line, so the client does not check the server certificate's role; any
    # certificate issued by this CA could be presented as the server.
    ca /var/etc/openvpn_client1.ca
    cert /var/etc/openvpn_client1.cert
    key /var/etc/openvpn_client1.key
    # NOTE(review): see the compression caveat on the server side; disable on
    # both ends together.
    comp-lzo
    # Accept pushed options (routes and the redirect-gateway) from the server.
    pull
    
    ![Untitled2.png](/public/_imported_attachments_/1/Untitled2.png)
    ![Untitled2.png_thumb](/public/_imported_attachments_/1/Untitled2.png_thumb)
