Netgate Discussion Forum
    All traffic through openvpn, squid/squidguard

    OpenVPN
    1 Posts 1 Posters 10.2k Views
    mj0ne
    last edited by

      Mjew my lords

      I've gotten a lot of help from GruensFroeschli in this thread: http://forum.pfsense.org/index.php/topic,10093.0.html. However, the main reason I want all traffic to go through the OpenVPN tunnel is that squid will be running in transparent mode and thus taking on all HTTP traffic and limiting certain hosts/networks.

      I've gotten both PSK and PKI set up and working with a site-to-site connection that tunnels all traffic through the tunnel. However, the clients on the connected OpenVPN client's LAN network simply don't use the squid proxy. But the LAN on the OpenVPN server works as it should with squid.

      I've been using tcpdump to find out what path the traffic takes from the tun tunnel, and the traffic simply goes from the OpenVPN client LAN to the 10.0.8.6 address and then straight out on the WAN from the OpenVPN server, with no interaction whatsoever with the squid proxy, although it's running in transparent mode, meaning all HTTP requests will be forwarded to it by default.

      I've also added both the 10.0.8.0/24 tun network and the 10.0.2.0/24 OpenVPN client LAN network as an ACL in squid, but it makes no difference.

      Edit: I've used my badass Paint skills to draw a picture of the network

      Network used for testing:

      openvpn server:
      LAN 192.168.1.0/24
      WAN
      Openvpn 10.0.8.0/24

      openvpn client:
      LAN 10.0.2.0/24
      WAN
      Openvpn 10.0.8.0/24

      NOTE: I'm using two pfSense machines for testing at the moment, not the WRTs.

      Edit2: I also wonder if it's possible to use the DHCP relay to get more control over the connecting clients' LAN, but I think it's just easier to change to the tap driver and bridge everything instead for that.

      Edit3: added squid, OpenVPN server and client PSK/PKI confs

      squid.conf

      ```
      /usr/local/etc/squid/squid.conf
      # Do not edit manually!
      http_port 192.168.1.1:3128
      http_port 127.0.0.1:80 transparent
      icp_port 0

      pid_filename /var/run/squid.pid
      cache_effective_user proxy
      cache_effective_group proxy
      error_directory /usr/local/etc/squid/errors/English
      visible_hostname localhost
      cache_mgr admin@localhost

      access_log /var/squid/log/access.log
      cache_log /var/squid/log/cache.log
      cache_store_log none
      shutdown_lifetime 3 seconds
      # Allow local network(s) on interface(s)
      acl localnet src 192.168.1.0/255.255.255.0
      uri_whitespace strip

      cache_dir aufs /var/squid/cache 100 16 256
      cache_mem 8 MB
      maximum_object_size 10 KB
      minimum_object_size 0 KB
      cache_replacement_policy heap LFUDA
      memory_replacement_policy heap GDSF
      offline_mode off

      # No redirector configured

      # Setup some default acls
      acl all src 0.0.0.0/0
      acl localhost src 127.0.0.1
      acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535
      acl sslports port 443 563
      acl manager proto cache_object
      acl purge method PURGE
      acl connect method CONNECT
      acl dynamic urlpath_regex cgi-bin \?
      acl allowed_subnets src 10.0.2.0/24 10.0.8.0/24
      acl banned_hosts src "/var/squid/acl/banned_hosts.acl"
      cache deny dynamic
      http_access allow manager localhost
      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !safeports
      http_access deny CONNECT !sslports

      # Always allow localhost connections
      http_access allow localhost

      request_body_max_size 0 KB
      reply_body_max_size 0 allow all
      delay_pools 1
      delay_class 1 2
      delay_parameters 1 -1/-1 -1/-1
      delay_initial_bucket_level 100
      delay_access 1 allow all

      # These hosts are banned
      http_access deny banned_hosts
      # Allow local network(s) on interface(s)
      http_access allow localnet
      http_access allow allowed_subnets
      # Default block all to be sure
      http_access deny all
      ```

      openvpn_server0.conf (PSK)

      ```
      writepid /var/run/openvpn_server0.pid
      #user nobody
      #group nobody
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      dev tun
      proto tcp-server
      cipher BF-CBC
      up /etc/rc.filter_configure
      down /etc/rc.filter_configure
      ifconfig 10.0.8.1 10.0.8.2
      lport 1194
      route 10.0.2.0 255.255.255.0
      secret /var/etc/openvpn_server0.secret
      float
      ```

      openvpn_client0.conf (PSK)

      ```
      writepid /var/run/openvpn_client2.pid
      #user nobody
      #group nobody
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      dev tun
      proto tcp-client
      cipher BF-CBC
      up /etc/rc.filter_configure
      down /etc/rc.filter_configure
      remote *.*.*.* 1194
      lport 1196
      ifconfig 10.0.8.2 10.0.8.1
      route 192.168.1.0 255.255.255.0
      secret /var/etc/openvpn_client2.secret
      route 0.0.0.0 128.0.0.0
      route 128.0.0.0 128.0.0.0
      route *.*.*.* 255.255.255.255 192.168.0.1
      ```

      openvpn_server1.conf (PKI)

      ```
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      dev tun
      proto tcp-server
      cipher BF-CBC
      up /etc/rc.filter_configure
      down /etc/rc.filter_configure
      client-to-client
      server 10.0.8.0 255.255.255.0
      client-config-dir /var/etc/openvpn_csc
      push "route 192.168.1.0 255.255.255.0"
      lport 1194
      route 10.0.2.0 255.255.255.0
      ca /var/etc/openvpn_server1.ca
      cert /var/etc/openvpn_server1.cert
      key /var/etc/openvpn_server1.key
      dh /var/etc/openvpn_server1.dh
      comp-lzo
      #ifconfig-pool-linear
      push "redirect-gateway def1"
      ```

      openvpn_client1.conf (PKI)

      ```
      writepid /var/run/openvpn_client1.pid
      #user nobody
      #group nobody
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      dev tun
      proto tcp-client
      cipher BF-CBC
      up /etc/rc.filter_configure
      down /etc/rc.filter_configure
      remote *.*.*.* 1194
      client
      lport 1195
      ca /var/etc/openvpn_client1.ca
      cert /var/etc/openvpn_client1.cert
      key /var/etc/openvpn_client1.key
      comp-lzo
      pull
      ```

      ![Untitled2.png](/public/_imported_attachments_/1/Untitled2.png)
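The posted squid.conf binds the transparent listener to 127.0.0.1:80, so squid only ever sees a flow after the packet filter has diverted it there. On pfSense that diversion is a pf `rdr` rule tied to an ingress interface; if that rule is bound to the LAN interface only, a packet arriving on the OpenVPN tun interface is never diverted and squid's `allowed_subnets` ACL is never consulted, which would match the tcpdump observation above. The following is an added model of those two policy layers, not code from the forum post or from pfSense: the interface names (`em1` for LAN, `tun0` for OpenVPN), the shape of the rdr rule, and the single entry standing in for banned_hosts.acl are assumptions; the squid rules are the src-based subset of the posted http_access list, in its original order.

```python
"""Model the two policy layers a transparently proxied HTTP flow crosses on a
pfSense box running squid: first the pf 'rdr' rule that diverts port 80 to
squid's loopback listener, then squid's own first-match http_access list.

Assumptions (not from the original post): interface names em1 (LAN) and tun0
(OpenVPN), the rdr rule shape, and the constructed banned_hosts entry.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    in_iface: str   # interface the packet enters the OpenVPN server on
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rdr:
    """Stands for: rdr on <iface> proto tcp from <src_net> to any port <dport>
    -> 127.0.0.1 port 80.  (pfSense's real rule also excludes traffic destined
    to the firewall itself; that detail is omitted here.)"""
    iface: str
    src_net: str
    dport: int = 80


def redirected_to_squid(flow: Flow, rdrs: list) -> bool:
    """pf matches rdr rules on the ingress interface; a LAN-bound rule never
    sees a packet that arrived via the tun interface."""
    src = ipaddress.ip_address(flow.src)
    for r in rdrs:
        if (r.iface == flow.in_iface and r.dport == flow.dport
                and src in ipaddress.ip_network(r.src_net)):
            return True
    return False


# src-based ACLs from the posted squid.conf (banned_hosts entry is constructed)
ACLS = {
    "localhost": ["127.0.0.1/32"],
    "localnet": ["192.168.1.0/24"],
    "allowed_subnets": ["10.0.2.0/24", "10.0.8.0/24"],
    "banned_hosts": ["10.0.2.66/32"],
    "all": ["0.0.0.0/0"],
}

# same order as the posted http_access lines that refer to these ACLs
HTTP_ACCESS = [
    ("allow", "localhost"),
    ("deny", "banned_hosts"),
    ("allow", "localnet"),
    ("allow", "allowed_subnets"),
    ("deny", "all"),
]


def squid_decision(src: str) -> str:
    """squid http_access is first-match; 'deny all' at the end always matches."""
    ip = ipaddress.ip_address(src)
    for action, name in HTTP_ACCESS:
        if any(ip in ipaddress.ip_network(n) for n in ACLS[name]):
            return action
    return "deny"  # unreachable with a trailing 'deny all', kept for safety


def path(flow: Flow, rdrs: list) -> str:
    """'direct' means squid never saw the flow; otherwise squid's verdict."""
    if not redirected_to_squid(flow, rdrs):
        return "direct"
    return "proxied:" + squid_decision(flow.src)


LAN_ONLY = [Rdr("em1", "0.0.0.0/0")]                # what the post's symptoms suggest
WITH_VPN = LAN_ONLY + [Rdr("tun0", "10.0.2.0/24")]  # redirect also on the tunnel

# constructed sample flows, addresses taken from the posted network layout
SAMPLE = {
    "lan_http":   Flow("em1",  "192.168.1.50", "93.184.216.34", 80),
    "vpn_http":   Flow("tun0", "10.0.2.20",    "93.184.216.34", 80),
    "vpn_banned": Flow("tun0", "10.0.2.66",    "93.184.216.34", 80),
    "lan_https":  Flow("em1",  "192.168.1.50", "93.184.216.34", 443),
}


def evaluate(rdrs: list) -> dict:
    """Map each sample flow name to its path under the given rdr rules."""
    return {name: path(f, rdrs) for name, f in SAMPLE.items()}


if __name__ == "__main__":
    for label, rules in (("LAN-only rdr", LAN_ONLY), ("rdr on tun0 added", WITH_VPN)):
        print(label)
        for name, verdict in evaluate(rules).items():
            print(f"  {name:12s} {verdict}")
```

With the LAN-only rule, `vpn_http` comes out as `direct`: the squid ACL change is irrelevant because the flow never reaches the listener. Adding a tun0 rule makes the VPN clients subject to the same ban list as the LAN. Note that `lan_https` stays `direct` in both cases: a port-80 transparent redirect only enforces policy on plaintext HTTP, so hosts the ban list is meant to limit can still reach them over 443 unless that is blocked or proxied separately.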
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.