All traffic through openvpn, squid/squidguard
Mjew my lords
I've gotten a lot of help from GruensFroeschli in this thread: http://forum.pfsense.org/index.php/topic,10093.0.html. However, the main reason I want all traffic to go through the openvpn tunnel is that squid will be running in transparent mode and thus taking on all HTTP traffic and limiting certain hosts/networks.
I've gotten both PSK and PKI set up and working with a site-to-site connection that tunnels all traffic through the tunnel. However, the clients on the connected openvpn-client LAN network simply don't use the squid proxy. But the LAN on the openvpn-server works as it should with squid.
I've been using tcpdump to find out what way the traffic takes from the tun tunnel, and the traffic simply goes from the openvpn-client LAN to the 10.0.8.6 address and then straight out on the WAN from the openvpn-server, no interaction whatsoever with the squid proxy, although it's running in transparent mode, meaning all HTTP requests will be forwarded to it by default.
I've also added both the 10.0.8.0/24 tun network and the 10.0.2.0/24 openvpn-client LAN network as ACLs in squid, but it makes no difference.
Edit: I've used my badass paint skills to draw a picture of the network.
Network used for testing:

openvpn server:
- LAN 192.168.1.0/24
- WAN
- Openvpn 10.0.8.0/24

openvpn client:
- LAN 10.0.2.0/24
- WAN
- Openvpn 10.0.8.0/24

NOTE: I'm using two pfsense machines for testing atm, not the wrts.
Edit2: I also wonder if it's possible to use the DHCP relay to get more control over the connected client's LAN, but I think it's just easier to change to the tap driver and bridge everything instead for that.
Edit3: added squid, openvpn server and client PSK/PKI confs
squid.conf (`/usr/local/etc/squid/squid.conf`)

```
# Do not edit manually!
http_port 192.168.1.1:3128
http_port 127.0.0.1:80 transparent
icp_port 0
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
visible_hostname localhost
cache_mgr admin@localhost
access_log /var/squid/log/access.log
cache_log /var/squid/log/cache.log
cache_store_log none
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.1.0/255.255.255.0
uri_whitespace strip
cache_dir aufs /var/squid/cache 100 16 256
cache_mem 8 MB
maximum_object_size 10 KB
minimum_object_size 0 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
offline_mode off
# No redirector configured
# Setup some default acls
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535
acl sslports port 443 563
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin \?
acl allowed_subnets src 10.0.2.0/24 10.0.8.0/24
acl banned_hosts src "/var/squid/acl/banned_hosts.acl"
cache deny dynamic
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
request_body_max_size 0 KB
reply_body_max_size 0 allow all
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow all
# These hosts are banned
http_access deny banned_hosts
# Allow local network(s) on interface(s)
http_access allow localnet
http_access allow allowed_subnets
# Default block all to be sure
http_access deny all
```
openvpn_server0.conf (PSK)

```
writepid /var/run/openvpn_server0.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
ifconfig 10.0.8.1 10.0.8.2
lport 1194
route 10.0.2.0 255.255.255.0
secret /var/etc/openvpn_server0.secret
float
```
openvpn_client0.conf (PSK)

```
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-client
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
remote *.*.*.* 1194
lport 1196
ifconfig 10.0.8.2 10.0.8.1
route 192.168.1.0 255.255.255.0
secret /var/etc/openvpn_client2.secret
route 0.0.0.0 128.0.0.0
route 128.0.0.0 128.0.0.0
route *.*.*.* 255.255.255.255 192.168.0.1
```
openvpn_server1.conf (PKI)

```
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-server
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
client-to-client
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn_csc
push "route 192.168.1.0 255.255.255.0"
lport 1194
route 10.0.2.0 255.255.255.0
ca /var/etc/openvpn_server1.ca
cert /var/etc/openvpn_server1.cert
key /var/etc/openvpn_server1.key
dh /var/etc/openvpn_server1.dh
comp-lzo
#ifconfig-pool-linear
push "redirect-gateway def1"
```
openvpn_client1.conf (PKI)

```
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
dev tun
proto tcp-client
cipher BF-CBC
up /etc/rc.filter_configure
down /etc/rc.filter_configure
remote *.*.*.* 1194
client
lport 1195
ca /var/etc/openvpn_client1.ca
cert /var/etc/openvpn_client1.cert
key /var/etc/openvpn_client1.key
comp-lzo
pull
```

![Untitled2.png](/public/_imported_attachments_/1/Untitled2.png)
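When a transparent proxy is being bypassed, the first thing to separate is "squid refuses the request" from "the request never reaches squid". The following is an added example written for this post, not code from the thread or the pfSense squid package: a small evaluator that applies squid's `http_access` semantics (first line whose ACL terms all match wins, otherwise the opposite of the last line's action) to the `acl`/`http_access` lines quoted above, and lists the `http_port` listeners so that a loopback-bound `transparent` port stands out. It models only the `src`, `port`, `method` and `proto` ACL types (other types such as `urlpath_regex` never match here), treats the `banned_hosts` file ACL as empty because its contents are not on the page, and assumes ACL names are compared case-insensitively so the `connect`/`CONNECT` pair in the config resolves. The sample requests are constructed.

```python
import ipaddress

# ACL-relevant lines copied from the squid.conf quoted in the post.
# The file behind banned_hosts is not available here and is treated as empty.
SQUID_CONF = r"""
http_port 192.168.1.1:3128
http_port 127.0.0.1:80 transparent
acl localnet src 192.168.1.0/255.255.255.0
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535
acl sslports port 443 563
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin \?
acl allowed_subnets src 10.0.2.0/24 10.0.8.0/24
acl banned_hosts src "/var/squid/acl/banned_hosts.acl"
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
http_access allow localhost
http_access deny banned_hosts
http_access allow localnet
http_access allow allowed_subnets
http_access deny all
"""


def parse_conf(text):
    """Collect acl definitions (name -> (type, args)) and http_access lines in order."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, kind, args = parts[1].lower(), parts[2], parts[3:]
            if args and args[0].startswith('"'):
                args = []  # ACL loaded from an external file we do not have
            acls.setdefault(name, (kind, []))[1].extend(args)
        elif parts[0] == "http_access":
            # assumption: ACL names are case-insensitive (connect vs CONNECT)
            rules.append((parts[1], [t.lower() for t in parts[2:]]))
    return acls, rules


def acl_matches(acl, req):
    """Evaluate one ACL against a request dict {src, port, method, proto}."""
    kind, args = acl
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        # ip_network accepts both prefix (/24) and dotted-mask forms
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "port":
        for a in args:
            lo, _, hi = a.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req["method"].upper() in {a.upper() for a in args}
    if kind == "proto":
        return req["proto"].lower() in {a.lower() for a in args}
    return False  # ACL types not modelled here never match


def http_access(acls, rules, req):
    """First http_access line whose terms all match decides; with no match,
    the result is the opposite of the last line's action."""
    for action, terms in rules:
        for term in terms:
            negated = term.startswith("!")
            acl = acls.get(term.lstrip("!"))
            matched = acl is not None and acl_matches(acl, req)
            if matched == negated:
                break  # this term fails, move on to the next line
        else:
            return action, action + " " + " ".join(terms)
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), "implicit default"


def transparent_listeners(text):
    """Return (address, port, is_transparent) for every http_port line."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "http_port":
            addr, _, port = parts[1].rpartition(":")
            out.append((addr or "0.0.0.0", int(port), "transparent" in parts[2:]))
    return out


ACLS, RULES = parse_conf(SQUID_CONF)

if __name__ == "__main__":
    for addr, port, transparent in transparent_listeners(SQUID_CONF):
        if transparent and ipaddress.ip_address(addr).is_loopback:
            note = "intercept listener on loopback: only traffic redirected by the firewall on the ingress interface reaches it"
        elif transparent:
            note = "intercept listener"
        else:
            note = "explicit proxy listener"
        print(f"http_port {addr}:{port} -> {note}")
    # constructed sample requests: one host per LAN, the tun address, and an outsider
    for src in ("192.168.1.20", "10.0.2.10", "10.0.8.6", "172.16.0.5"):
        req = {"src": src, "port": 80, "method": "GET", "proto": "http"}
        print(f"{src} GET :80 -> {http_access(ACLS, RULES, req)}")
```

Run against the config above, a GET from 10.0.2.10 or 10.0.8.6 is allowed by `allow allowed_subnets`, so the ACLs are not what keeps the VPN clients out of the proxy; the only intercepting listener is bound to 127.0.0.1, which a client on the tun side can reach only if port-80 packets arriving on that interface are redirected to it, and the tcpdump observation that they go straight out the WAN says they are not.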