OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: crissi on January 23, 2022, 04:10:05 PM

Title: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on January 23, 2022, 04:10:05 PM
Hi,
I have installed a transparent squid proxy with clamav on my opnsense, works perfect. As I also use openvpn with pia on my sense, I'm trying to force the squid proxy over the VPN connection, as at the moment when the proxy is enabled, squid takes the WAN gateway. Searched here in the forum and already tried with the parameter tcp_outgoing_address but without success till now. Seems I have an error somewhere.

Created under /usr/local/etc/squid in the folders /post-auth and /pre-auth a custom.conf with the following settings:

acl VPNUsers src 192.168.20.0/24
tcp_outgoing_address (VPN IP) VPNUsers

Restarted the FW and tested, but get the following error in squid.log:

squid   kid1| commBind Cannot bind socket FD 17 to 151.x.x.x: (49) Can't assign requested address

Tried then to add just the following line to the custom.conf

tcp_outgoing_address {VPN IP}

Still get the same error.

Does someone get this to work?

Thx!
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: thefunkygibbon on February 23, 2022, 12:02:35 PM
did you get this to work?  I too am trying to do the same thing.  I configured tcp_outgoing_address as the "route" for my openvpn client but it doesn't want to send any traffic to it.
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: maclinuxfree on February 23, 2022, 12:29:52 PM
me neither.. I'm trying to route squid over a multiwan with tcp_outgoing.
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: thefunkygibbon on February 23, 2022, 11:03:45 PM
ok well I got it working in the end.  I was using the wrong IP address for the VPN. It needs to be the IP that is actually associated with your ovpnc1 interface.  I was putting in the 'gateway' IP on that subnet.
Also bear in mind that that IP may change a fair bit.  If it does then your squid.conf will need updating to that new IP.
I have found a script which checks that interface and changes the squid.conf to change the tcp_outgoing_address.
Just need something to trigger that script now.
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on February 25, 2022, 03:18:08 PM
Hi,

now I got it to work, with the 2 lines of code added to custom.conf in the /post-auth and /pre-auth folders, and with the suggested interface IP of the ovpnc1 interface :)

@thefunkygibbon would you please share the script that checks the interface IP?

Thank You!
br
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 06, 2022, 10:06:49 AM
Hello,

I found in the Netgate forum the following script related to the issue, to update the outgoing address via cron job:

#!/bin/sh

# Variables
VPN_IFACE=ovpnc1
SQUID_CONFIG_FILE=/usr/local/etc/squid/squid.conf

# Get current IP address of VPN interface (first dotted quad in the ifconfig output)
VPN_IFACE_IP=$(ifconfig "$VPN_IFACE" 2>/dev/null | awk '{print $2}' | grep -Eo '([0-9]+\.){3}[0-9]+' | head -n 1)

# Check if VPN interface is up and exit if it isn't
if [ -z "$VPN_IFACE_IP" ]
then
        exit 0
fi

# Check current IP for VPN interface in squid.conf file
VPN_CONFIG_IP=$(grep -m 1 "tcp_outgoing_address" "$SQUID_CONFIG_FILE" | awk '{print $2}' | grep -Eo '([0-9]+\.){3}[0-9]+')

# The script only replaces an existing tcp_outgoing_address line; without one there is
# nothing to do (and an empty pattern would make the sed below fail)
if [ -z "$VPN_CONFIG_IP" ]
then
        exit 0
fi

# Check if the config file matches the current VPN interface IP, and if so exit script
# (a single "=" is the portable string comparison for /bin/sh)
if [ "$VPN_IFACE_IP" = "$VPN_CONFIG_IP" ]
then
        exit 0
fi

# Replace the previous IP address in the squid.conf file with the current VPN interface address
# (BSD sed wants an explicit backup suffix after -i; "-ie" would leave a squid.confe copy behind)
sed -i '' 's/'"$VPN_CONFIG_IP"'/'"$VPN_IFACE_IP"'/' "$SQUID_CONFIG_FILE"

# Force reload of the new squid.conf file
/usr/local/sbin/squid -k reconfigure

As I'm no developer, how can this script be implemented via cron job in OPNsense?

Or can this script be implemented in another, better way?

Thx!
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: thefunkygibbon on March 06, 2022, 10:43:35 AM
sorry about the delay, I've been laid up, ill for the last week :-(

#!/bin/sh

# Variables
VPN_IFACE=ovpnc1
SQUID_CONFIG_FILE=/usr/local/etc/squid/squid.conf

# Get current IP address of VPN interface (first dotted quad in the ifconfig output)
VPN_IFACE_IP=$(ifconfig "$VPN_IFACE" 2>/dev/null | awk '{print $2}' | grep -Eo '([0-9]+\.){3}[0-9]+' | head -n 1)

# Check if VPN interface is up and exit if it isn't
if [ -z "$VPN_IFACE_IP" ]
then
        exit 0
fi

# Check current IP for VPN interface in squid.conf file
VPN_CONFIG_IP=$(grep -m 1 "tcp_outgoing_address" "$SQUID_CONFIG_FILE" | awk '{print $2}' | grep -Eo '([0-9]+\.){3}[0-9]+')

# The script only replaces an existing tcp_outgoing_address line; without one there is
# nothing to do (and an empty pattern would make the sed below fail)
if [ -z "$VPN_CONFIG_IP" ]
then
        exit 0
fi

# Check if the config file matches the current VPN interface IP, and if so exit script
# (a single "=" is the portable string comparison for /bin/sh)
if [ "$VPN_IFACE_IP" = "$VPN_CONFIG_IP" ]
then
        exit 0
fi

# Replace the previous IP address in the squid.conf file with the current VPN interface address
# (BSD sed wants an explicit backup suffix after -i; "-ie" would leave a squid.confe copy behind)
sed -i '' 's/'"$VPN_CONFIG_IP"'/'"$VPN_IFACE_IP"'/' "$SQUID_CONFIG_FILE"

# Force reload of the new squid.conf file
/usr/local/sbin/squid -k reconfigure

I run this and it works fine straight away, without having to restart services afterwards either.
I've not cron'd it yet, but likely will and get it to do it every hour or something
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 06, 2022, 11:00:04 AM
Hi,

thanks for the information. Can you please explain to me in detail how you run the script?

Also how to run it via cron?

Thx!
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: thefunkygibbon on March 06, 2022, 11:10:40 AM
run the script by putting it in a txt file and changing the permissions to allow it to be executable.   then run it by ./scriptname.sh or whatever it's called.

cron job. not sure how it's managed in opnsense as I've not looked into it. but cron is pretty simple to use anyway, it's just a matter of defining when you want it to run. and there are a bunch of calculators on the net to do that.

edit:  just checked and there is a cron section in the gui.   should be pretty straightforward then
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 06, 2022, 11:33:22 AM
Thanks, if I check the cron settings in the GUI, which command do I use to execute the custom script?
Thx!
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 06, 2022, 11:34:25 AM
Please see here
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 06, 2022, 12:54:27 PM
Quote from: thefunkygibbon on March 06, 2022, 11:10:40 AM
run the script by putting it in a txt file and changing the permissions to allow it to be executable.   then run it by ./scriptname.sh or whatever its called.

Would the correct path for the script be /usr/local/etc/rc.d, where the other scripts are defined, for example clamav-freshclam, unbound and suricata? If yes, would a script created there survive future updates?
Thx!
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: thefunkygibbon on March 07, 2022, 10:00:18 AM
honestly don't know how to add it as a 'custom script' in that cron menu or if you can place the script somewhere for it to be recognised in that list.  I guess someone with more knowledge will have to chime in as I have not yet attempted to do this but will at some point.

if you work it out, let me know :-)
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 07, 2022, 02:34:02 PM
Thx, will check further if I find something.. :)

Yes, it would be great if someone else could give some advice to accomplish this...

If I figure it out, I will of course share it.., if ..;)
br

Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: thefunkygibbon on March 08, 2022, 03:33:51 PM
****DON'T DO THIS, CHECK NEXT POST*****
ok i sorted it , but my vpn isnt connecting so i can't test it.

edit /usr/local/opnsense/service/conf/actions.d/actions_proxy.conf

added a section 

[squidvpnproxy]
command: /root/vpnscript.sh
parameters:
type:script
message: reload proxy with vpn interface
description: VPN via Proxy script


then restarting the configd service
service configd restart
and then i could choose that from the cron job drop down.

only problem is that I have also just run an update on my firewall and it seems to have overwritten that file.  my changes no longer exist.

i think someone cleverer might have to chime in with regards to making the changes more permanent.

Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: thefunkygibbon on March 08, 2022, 04:03:51 PM
ok I just did the same but created a new file instead of using an old one.  hopefully that survives a system update.

so I basically

nano /usr/local/opnsense/service/conf/actions.d/actions_custom.conf


pasted the following

[squidvpnproxy]
command: /root/vpnscript.sh
parameters:
type:script
message: reload proxy with vpn interface
description: VPN via Proxy script


, saved and restarted.
checked and the option is back again.  will remember to check it exists again next time i get a system update.

now to try to fix my vpn ....... :(
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 08, 2022, 05:53:26 PM
Hi,

cool that you figured it out:)

I'm getting an error when executing the script:

./proxyipupdate.sh: 27: Syntax error: Unterminated quoted string
./proxyipupdate.sh: 27: Syntax error: Error in command substitution

created the script

nano proxyipupdate.sh

pasted the code, and saved the script

#!/bin/sh

# Variables
VPN_IFACE=ovpnc1
SQUID_CONFIG_FILE=/usr/local/etc/squid/squid.conf

# Get current IP address of VPN interface (first dotted quad in the ifconfig output)
VPN_IFACE_IP=$(ifconfig "$VPN_IFACE" 2>/dev/null | awk '{print $2}' | grep -Eo '([0-9]+\.){3}[0-9]+' | head -n 1)

# Check if VPN interface is up and exit if it isn't
if [ -z "$VPN_IFACE_IP" ]
then
        exit 0
fi

# Check current IP for VPN interface in squid.conf file
VPN_CONFIG_IP=$(grep -m 1 "tcp_outgoing_address" "$SQUID_CONFIG_FILE" | awk '{print $2}' | grep -Eo '([0-9]+\.){3}[0-9]+')

# The script only replaces an existing tcp_outgoing_address line; without one there is
# nothing to do (and an empty pattern would make the sed below fail)
if [ -z "$VPN_CONFIG_IP" ]
then
        exit 0
fi

# Check if the config file matches the current VPN interface IP, and if so exit script
# (a single "=" is the portable string comparison for /bin/sh)
if [ "$VPN_IFACE_IP" = "$VPN_CONFIG_IP" ]
then
        exit 0
fi

# Replace the previous IP address in the squid.conf file with the current VPN interface address
# (BSD sed wants an explicit backup suffix after -i; "-ie" would leave a squid.confe copy behind)
sed -i '' 's/'"$VPN_CONFIG_IP"'/'"$VPN_IFACE_IP"'/' "$SQUID_CONFIG_FILE"

# Force reload of the new squid.conf file
/usr/local/sbin/squid -k reconfigure

made the script executable

chmod 755 proxyipupdate.sh

restarted the fw, connected OpenVPN, logged in via ssh, and tried to execute ./proxyipupdate.sh again,
but still get the error on line 27, /usr/local/sbin/squid -k reconfigure

Is the script code working for you, did you have to change / adapt something to get it to work?
Thx!

Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: thefunkygibbon on March 08, 2022, 07:16:14 PM
nope I didn't change anything as far as I remember.  you have created an interface for your client vpn, right? I'm not even sure what you have or haven't already done.

in system > interfaces > assignments... do you have a vpn interface you created in there with the name ovpnc1 or something?  make sure that same name is what is referred to in the script variable at the top

just noticed you are running it as a transparent proxy.  not sure if that works differently or not.   I would hope someone else pipes in here but this forum is pretty dead when it comes to other people helping. :(  kinda have to rely on the main dev checking out every post, which isn't fair on him really
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 08, 2022, 08:34:27 PM
Thanks for the update. Yes, I have the interface for the vpn client created, and the vpn connection itself is working fine. I have also cross checked the name of the interface under System - Interfaces - Assignments, and the name is ovpnc1 like in the script variable.

As I have created under /usr/local/etc/squid the folders /post-auth and /pre-auth with the custom.conf with the 2 lines of code:

acl VPNUsers src 192.168.20.0/24
tcp_outgoing_address (VPN IP) VPNUsers

When I adapt the OpenVPN interface IP manually again in the custom.conf and restart the Squid service, it's working perfectly, also with the Web Proxy in transparent mode.., but unfortunately the interface IP changes often, and that's why I'm really hoping to get the script working as well...

Would be really nice if someone else could weigh in here @fabian to give us some hints...
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: thefunkygibbon on March 08, 2022, 11:35:28 PM
I didn't do anything with the pre/post config folders.
I just looked again in the squid config file and it doesn't have the setting in there for sending to a specific IP interface.  but seeing as my vpn tunnel isn't actually working, I can't really test any further.  so until then I'm going to have to bow out.  I've raised a support ticket with my vpn provider as it's not working on my phone either so there is def an issue somewhere.

will come back when i can
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: thefunkygibbon on March 09, 2022, 12:41:50 AM
ok managed to get it up and running again.
if the tcp_outgoing_address line isn't already in the squid config then the script doesn't do anything.  if it is in there then it changes the ip correctly. just tested.  do you have it in there right now to start with?  I certainly don't get any errors when running the script.
not sure under which circumstances the config file goes back to 'default' though.   again.  someone with more brains than I might hopefully explain this and the previous questions.

Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 09, 2022, 06:38:00 AM
Hi,
do you directly add the tcp_outgoing_address with the interface address under /usr/local/etc/squid.conf ?

I didn't try that, as the squid.conf is automatically generated, and maybe that's why it goes back to default. I read in other posts that if something needs to be added to squid, a custom.conf has to be generated under the folders /post-auth and /pre-auth, and there the tcp_outgoing_address with the interface IP has to be added.., that's what I have...
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: thefunkygibbon on March 09, 2022, 10:25:21 AM
ah ok, in that case I'll look at adding to the pre/post conf files then.  will investigate.  does your squid config contain any tcp outgoing address line at all though? as if not then I suspect that it hasn't worked. and if it doesn't exist in the squid config then the script doesn't 'add' it, it only 'changes' it.
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 09, 2022, 03:33:14 PM
Hi,
checked again, no, my squid.conf doesn't contain the tcp_outgoing_address. Now I tried the other way: I deleted both custom.conf files under the /post-auth and /pre-auth folders and restarted the fw again.

I now also added manually tcp_outgoing_address 10.40.x.x at the bottom of squid.conf for testing.

Surfing over the proxy and VPN IP was working correctly, then I tried again to execute the script, as now the tcp_outgoing_address parameter exists in the squid.conf file. Now I get this error:


root@opn:~ # ./proxyipupdate.sh
VPN_IFACE=ovpnc1: Command not found.
SQUID_CONFIG_FILE=/usr/local/etc/squid/squid.conf: Command not found.
Illegal variable name.


I hope to get this somehow working
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: thefunkygibbon on March 09, 2022, 04:01:01 PM
erm, give me a screenshot of your script as it looks in nano. 
also the output of ls -la proxyipupdate.sh
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 09, 2022, 04:21:22 PM
Please see here
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: thefunkygibbon on March 09, 2022, 04:35:43 PM
ok, honestly i don't know why that would happen.  I can only suggest that something went weird when you pasted it.

maybe just recreate the script file and paste it in again from my text.  ?
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 10, 2022, 01:40:09 PM
thanks, recreated the script several times, used notepad and notepad++, same issue. Then I tried to add #!/bin/sh to the top of the script but it still didn't work when I executed the script

Then after hours of frustration and testing, I was shortly before throwing the opnsense firewall through the closed window...:)

I tried to execute the shell script

bash proxyipupdate.sh

And it's working, it changes the tcp_outgoing_address in the squid.conf to the actual VPN interface IP, hurray:)

So now the next step would be to adapt the script path: instead of looking in squid.conf for tcp_outgoing_address, the script should look in:

/usr/local/etc/squid/post-auth/custom.conf
/usr/local/etc/squid/pre-auth/custom.conf

and change / adapt in the custom.conf file the tcp_outgoing_address according to the actual VPN interface address, so the tcp_outgoing_address actually set will stay permanently and survive a reboot..

Any dev help would be welcome...
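
An added example (editor's own code, not from the thread or from OPNsense) of the script asked for above: it reads the address of the OpenVPN client interface, updates the tcp_outgoing_address line in both custom.conf files, adds the line when it is missing (which the Netgate script does not do, as noted earlier in the thread), and reloads Squid only when something changed. The interface name ovpnc1, the two custom.conf paths and the ACL name VPNUsers are assumptions taken from the thread; the file name squid_vpn_sync.sh is made up.

```shell
#!/bin/sh
# Added example: keep "tcp_outgoing_address" in the Squid pre-auth/post-auth
# custom.conf files in sync with the current address of the VPN interface.
# Interface name, file paths and ACL name are assumptions from the thread.

VPN_IFACE="${VPN_IFACE:-ovpnc1}"
ACL_NAME="${ACL_NAME:-VPNUsers}"
CONF_FILES="${CONF_FILES:-/usr/local/etc/squid/pre-auth/custom.conf /usr/local/etc/squid/post-auth/custom.conf}"

# Print the local IPv4 address from FreeBSD "ifconfig <if>" output read on stdin.
# Only the "inet" line counts, so the "--> peer" address and netmask are ignored.
iface_ipv4() {
    awk '$1 == "inet" { print $2; exit }'
}

# Ensure file $1 contains exactly "tcp_outgoing_address $2 $ACL_NAME".
# Returns 0 when the file was changed, 1 when it was already correct.
sync_outgoing_address() {
    file="$1"
    wanted="tcp_outgoing_address $2 $ACL_NAME"
    [ -f "$file" ] || : > "$file"
    grep -qxF "$wanted" "$file" && return 1
    if grep -q '^tcp_outgoing_address ' "$file"; then
        # Stale address: rewrite through a temp file (no sed -i portability quirks).
        tmp="$file.tmp.$$"
        sed "s|^tcp_outgoing_address .*|$wanted|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        # Line missing entirely: append it, after making sure the file ends with a newline.
        [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ] && echo >> "$file"
        echo "$wanted" >> "$file"
    fi
    return 0
}

# Sync every file in CONF_FILES; returns 0 if at least one file changed.
sync_all() {
    changed=1
    for f in $CONF_FILES; do
        sync_outgoing_address "$f" "$1" && changed=0
    done
    return $changed
}

main() {
    ip=$(ifconfig "$VPN_IFACE" 2>/dev/null | iface_ipv4)
    if [ -z "$ip" ]; then
        echo "$VPN_IFACE has no IPv4 address (tunnel down?), nothing to do" >&2
        exit 0
    fi
    # Reload only when a file changed, so an every-minute cron entry stays quiet.
    if sync_all "$ip"; then
        /usr/local/sbin/squid -k reconfigure
    fi
}

# Touch the live system only when called with "run" (e.g. from cron); otherwise
# just define the functions so they can be exercised against scratch files.
if [ "${1:-}" = "run" ]; then
    main
fi
```

With the crontab line used later in the thread this becomes `*/1 * * * * root /root/squid_vpn_sync.sh run`; the same reload-only-on-change logic also works against squid.conf itself by setting CONF_FILES.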

Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 12, 2022, 07:47:09 AM
Hi,
saw the other post https://forum.opnsense.org/index.php?topic=27409.0 regarding the targets overrides to make changes in squid.conf permanent. Did you get it to work?
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: thefunkygibbon on March 12, 2022, 06:39:36 PM
i did what i put in that thread.  not had any feedback on my last comment and i don't know any different.   I'm pretty sure that it would get overwritten.  I can't say i fully understand these template things tbh.  back end hacking around of a firewall OS wasn't really what i signed up for when i chose to run this system but hey ho
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 12, 2022, 09:08:02 PM
thx, I read the documentation about the templates several times, but to be honest for me the steps are absolutely not clear yet..:)

Could you please explain in detail what you did?

Yes, such an important feature like this should already be available in the GUI, without having to screw around in the FW files .. >:(

Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 13, 2022, 12:23:25 PM
Tested now further, and did the following @thefunkygibbon with your answer in the other post, don't know if this is correct:

cd /usr/local/opnsense/service/templates/OPNsense/Proxy/

Created new file

nano customtcpoutgoing.conf

Added to the file: tcp_outgoing_address 10.40.x.x

Then edited the +TARGETS file in the same directory and added there

customtcpoutgoing.conf:/usr/local/etc/squid/squid.conf

saved and restarted Squid

Then afterwards checked squid.conf

# tail /usr/local/etc/squid/squid.conf
tcp_outgoing_address 10.40.x.x

So the tcp_outgoing_address 10.40.x.x is set, but all other settings are overwritten...

Do I need to copy all settings from squid.conf under /usr/local/opnsense/service/templates/OPNsense/Proxy/ to my created customtcpoutgoing.conf + tcp_outgoing_address 10.40.x.x ???

Thx!

Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: thefunkygibbon on March 14, 2022, 09:39:16 AM
honestly mate, I don't know any more.  i think we're both at a place where all we need to happen is to know the proper way of "adding" a line of config to the squid config using templates so that it doesn't overwrite all the other config and that it doesn't get lost in an upgrade.

it's going to need someone that knows how to do this.  I don't see anything of the like mentioned in the opnsense documentation and I can't make head nor tail of the documentation for that template system.
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 15, 2022, 07:31:38 AM
yes, correct.. the topic here has 1500 views already, but no one else weighs in here and gives us the last piece of the puzzle to move forward, this really sucks...

Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: thefunkygibbon on March 15, 2022, 02:49:48 PM
just had some time to play again.  looks like the cron job set up to run the script isn't actually running it. can't see anything in my logs either.  ugh... on the verge of giving up
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 18, 2022, 09:55:04 AM
Hi,
same here, cron job isn't running, and nothing in the logs, executing the script manually works fine

Hope someone give us a hint?
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on March 21, 2022, 03:39:25 PM
temp working solution for me, executing the script every minute

nano /etc/crontab -e

*/1 * * * * root /root/vpnscript.sh
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: Amr on February 27, 2023, 03:26:28 PM
For future reference, there's an alternative approach here: https://forum.opnsense.org/index.php?topic=32642.0
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: crissi on May 04, 2024, 11:15:56 AM
Thanks, don't want to install squid on another pc to get this working...

I saw that someone else asked to implement this on Github https://github.com/opnsense/core/issues/5868 but the issue timed out automatically, as no one seemed to pick up the task, unfortunately...
Title: Re: Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?
Post by: fadern on May 05, 2024, 10:20:07 AM
Hi,

I'm struggling with the tcp_outgoing_address parameter, I can't get it to work. I have a working wireguard (road warrior setup) connection and a working squid proxy but when I add the tcp_outgoing_address parameter all the connections through the proxy time out.
Do I need any new routes or fw-rules to get this working?