Topic: Transparent Proxy With No SSL or WPAD (Read 5336 times)
manjeet (November 05, 2018, 06:50:44 am):
Hey guys, I have OPNsense configured as the gateway in my 50-user network. I want to use the cache server only, and only for Linux and Windows updates, no web filter (HTTP or HTTPS). Is there any way I can do it without SSL inspection in transparent mode? I do not want to break the authenticity of packets due to SSL MITM.
Many users take their laptops home, so I cannot configure the proxy explicitly. I am not able to set up WPAD, so if anyone has a very straightforward settings guide for WPAD, I will be grateful. I have one internal network (LAN) and one OpenVPN setup for 10 users.
Also, I have OPNsense configured on different ports for login of HTTPS and SSH.
Last Edit: November 05, 2018, 06:53:55 am by manjeet
mimugmail, Reply #1 (November 05, 2018, 07:47:01 am):
Fabian wrote a howto.
Please read it from start to end before you start configuring; then you'll understand the logic behind it:
https://github.com/opnsense/docs/blob/master/source/manual/how-tos/pac.rst
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
manjeet, Reply #2 (November 05, 2018, 10:10:42 am):
I have already followed this tutorial. I don't know what I am doing wrong, but it doesn't work for me. I have created the rules as per the steps in the guide. I enabled all options for auto discovery one by one, and even enabled all 4 of them, but nothing works.
Are these rules the default for any basic network or just a reference? My OPNsense is my DHCP and secondary DNS. I checked it by using a single DNS, i.e. OPNsense as primary DNS. Nothing works.
mimugmail, Reply #3 (November 05, 2018, 10:59:19 am):
And your clients are actively searching for wpad.yourdomain.com?
manjeet, Reply #4 (November 17, 2018, 11:25:16 am):
Yes, they are. I mean I have enabled "Auto detect proxy" in the web browser. Do I need to add it somewhere else in the OS?
mimugmail, Reply #5 (November 17, 2018, 11:34:14 am):
Can you do a tcpdump on your LAN and check if WPAD works in general? (DNS resolution, query the web server for PAC, etc.)
hbc, Reply #6 (November 30, 2018, 05:18:20 pm):
Hi,
Quote: "Also, I have OPNsense configured on different ports for login of HTTPS and SSH"
WPAD via DNS expects the wpad.dat to be found via HTTP, which means on port 80 (see the note at https://docs.microsoft.com/en-us/previous-versions/tn-archive/ee658143(v=technet.10)). If you disabled OPNsense login on port 80 or configured a different port, the built-in web server will not listen on port 80 any more and thus the wpad.dat cannot be delivered.
You can either use DHCP option 252 (Enable Web Proxy Auto Discovery in DHCP options), which will create an additional DHCP entry with a URL that points to your configured port, or set up a local web server on port 80 (that is what I did).
The web server on port 80 is the better solution, since not all clients use DHCP option 252.
I used this tutorial https://wiki.opnsense.org/manual/how-tos/nginx_hosting.html to set up nginx on port 80 and made a symbolic link to /usr/local/www/wpad.dat
Thus you can use the GUI frontend to edit the wpad.dat file, the file is accessible via port 80 to clients, and the login page can be restricted to the admin IP.
IMHO a perfect solution.
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
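Added example (not part of the thread or of the OPNsense documentation): a wpad.dat of the kind discussed above that sends only plain-HTTP requests for update hosts through the cache and leaves everything else, including all HTTPS, direct, so no SSL inspection is involved. The proxy address 192.168.1.1:3128, the host list and the helper name hostInDomain are assumptions to adapt to your network.

```javascript
// wpad.dat / proxy.pac sketch (added example, not from the thread).
// Written in ES3-style JavaScript so that older PAC engines can evaluate it.

// Assumption: OPNsense LAN address and the proxy's listening port.
// "; DIRECT" lets clients fall back if the proxy is unreachable.
var CACHE_PROXY = "PROXY 192.168.1.1:3128; DIRECT";

// Assumption: sample update hosts; replace with the mirrors your clients use.
var UPDATE_DOMAINS = [
  "windowsupdate.com",
  "update.microsoft.com",
  "archive.ubuntu.com",
  "security.ubuntu.com",
  "deb.debian.org"
];

// True if host equals domain or is a subdomain of it. A plain suffix test
// would also match "notwindowsupdate.com", so require a dot boundary.
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  if (host.charAt(host.length - 1) === ".") {   // strip trailing root dot
    host = host.substring(0, host.length - 1);
  }
  if (host === domain) {
    return true;
  }
  var suffix = "." + domain;
  var start = host.length - suffix.length;
  return start > 0 && host.indexOf(suffix, start) === start;
}

// Entry point the client calls for every request.
function FindProxyForURL(url, host) {
  // Only plain HTTP can be cached without SSL inspection; HTTPS and all
  // other schemes bypass the proxy untouched.
  if (url.substring(0, 5).toLowerCase() !== "http:") {
    return "DIRECT";
  }
  for (var i = 0; i < UPDATE_DOMAINS.length; i++) {
    if (hostInDomain(host, UPDATE_DOMAINS[i])) {
      return CACHE_PROXY;
    }
  }
  return "DIRECT";
}
```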