Squid leaking my IP and not routing via OpenVPN

Started by minitux, October 11, 2020, 03:42:20 AM

Hi,

I have a 2.4.5-RELEASE-p1 (amd64) device to which my LAN directs all traffic. The OS routes all traffic via OpenVPN and works great without leaking any IP (using unbound). I used this guide https://nguvu.org/pfsense/pfsense-multi-vpn-wan/ to set it up.

I've spent the entire night configuring Squid/Squidguard and now I find that Squid is leaking my IP as if completely ignoring OpenVPN. I have outbound NAT configured so that all LAN traffic is bound to the VPN_WAN address, but with Squid in operation these seem to be ignored, as if Squid took precedence over everything else.

Any suggestions on how I can stop Squid leaking my IP?

Thanks


Hello Minitux,

From what I understood, your problem is that you only route the LAN through the VPN gateway. Squid is not on the LAN subnet but rather on localhost, so to solve this you can:
1-Separate the proxy from the firewall by putting it on the LAN on a separate machine (or VM).
2-Route all traffic through the VPN gateway.
Hope it helps.
Disclaimer: All advice presented is "AS IS", no warranties.
I'm not part of the opnsense team, just trying to help.

Hi Amr,

Yes, I do think it's a routing problem. Option 1 is a no-goer as I want to centralise both on the same machine. Option 2 is what I think I need, but what I don't understand is how I tell Squid to route traffic through the VPN. I understand how Squid listens on localhost:3128 for incoming traffic from the LAN (Squid is bound to the LAN interface), but what I don't understand is how it routes outward traffic. Is it a forward routing from localhost:3128 -> VPN_WAN interface?
At the moment I have forwarding rules (Firewall->NAT->Outbound) that go from the LAN to the VPN_WAN. Squid seems to have short-circuited the forward routing process whereby it doesn't see the VPN_WAN interfaces but goes straight to the WAN interface.

Hello Minitux,
Quote: "Is it a forward routing from localhost:3128 -> VPN_WAN interface?"
No, ports 3128 and 3129 are the ports that squid listens on (incoming ports); you want to route outgoing ports (http and https; I'm not entirely sure, but I believe squid uses other ports too).

You can route all firewall traffic through the VPN gateway by adding a localhost -> VPN route.

If you don't want to route all firewall traffic through the VPN you can try:

1-Squid has an option to specify the outgoing gateway, "tcp_outgoing_address". Search for it, but that would require that you know how to write ACLs, and I'm not sure where to put it as squid configurations are overwritten between updates (I believe you can use pre-auth).
2-You can try adding a rule to route all outgoing traffic whose destination is HTTP(S) ports to the VPN gateway.

Good luck.
Disclaimer: All advice presented is "AS IS", no warranties.
I'm not part of the opnsense team, just trying to help.

November 12, 2020, 10:54:25 AM #4 Last Edit: November 12, 2020, 03:48:43 PM by wordsmith
What a wonderful timing. I started working on the same problem yesterday. So far, my solution was what Amr has suggested: essentially, I have an LXD container connected to a VLAN with all traffic going through OpenVPN and with the proxy set up inside that container. Obviously, this solution works, but I also started to think about switching to simply using OPNsense with squid since it is already part of the system and to retire the container.

I figured I'd simply bind squid to the VPN subnet and experienced the same issue as you, minitux: the proxy ignores the VPN. I did look into squid.conf (I'm new to squid) and couldn't find anything of help. Then I found https://forum.opnsense.org/index.php?topic=6516.0 and played with pre-auth and post-auth configs as per Amr's info about a "tcp_outgoing_address" directive. This is where I am blocked at the moment...

Let's say my VPN subnet is 192.168.x.0/24. I decided to create a file custom.conf and placed it once in pre-auth and once in the post-auth folder to test (for reference: login via shell, navigate to /usr/local/etc/squid/ where you find the folders in question). Inside my conf I specified an acl for the clients subnet (192.168.y.0/24) as well as the tcp outgoing address (gateway of VPN subnet) for these users:

acl VPNUsers src 192.168.y.0/24
tcp_outgoing_address 192.168.x.1 VPNUsers


And this is where the fun stops: with the browser configured to use the proxy, the connection times out and squid's access logs show (EDIT: NONE/503) errors.

EDIT: after some additional research I decided to give up on the OPNsense/squid combo to solve this problem. My current working solution took 3-5 minutes compared to a couple of hours of research without a working solution. Would've been cool, but not worth the hassle.

Good luck to you. And if you happen to find an answer... I'm still interested ;-)
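To make the tcp_outgoing_address approach from Amr's reply and wordsmith's custom.conf easier to reason about, here is an added example (not from this thread, from Squid or from OPNsense) that reads a small pre-auth style config, works out which outgoing address Squid would pick for a given client, and flags the two failure modes seen above: no rule matching the client (so the request follows the system default route instead of the VPN) and an outgoing address that is not held by the Squid host itself (Squid cannot bind to it, so the request fails). All addresses are constructed placeholders, and the "first matching line wins, ACLs on one line are ANDed" selection mirrors Squid's documented directive semantics.

```python
import ipaddress

# Constructed sample in the style of the custom.conf discussed in the thread.
SAMPLE_CONF = """\
# clients on the LAN side that must leave via the VPN interface address
acl VPNUsers src 192.168.20.0/24
tcp_outgoing_address 192.168.10.2 VPNUsers
"""

def parse_conf(text):
    """Return ({acl_name: [networks]}, [(address, [acl_names])]) in file order."""
    acls, outgoing = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            acls.setdefault(parts[1], []).extend(
                ipaddress.ip_network(p, strict=False) for p in parts[3:])
        elif parts[0] == "tcp_outgoing_address" and len(parts) >= 2:
            outgoing.append((ipaddress.ip_address(parts[1]), parts[2:]))
    return acls, outgoing

def acl_matches(name, ip, acls):
    """A src ACL matches if the client is in any of its networks; '!' negates."""
    negate = name.startswith("!")
    hit = any(ip in net for net in acls.get(name.lstrip("!"), []))
    return hit != negate

def select_egress(client_ip, acls, outgoing):
    """First tcp_outgoing_address whose ACLs all match; None means no rule applies."""
    ip = ipaddress.ip_address(client_ip)
    for addr, names in outgoing:
        if all(acl_matches(n, ip, acls) for n in names):
            return addr
    return None

def check_egress(client_ip, conf_text, local_addrs):
    """Classify what Squid would do for this client with this config on this host."""
    acls, outgoing = parse_conf(conf_text)
    addr = select_egress(client_ip, acls, outgoing)
    if addr is None:
        return "no-rule"      # default routing decides, which the thread saw go out the WAN
    if addr not in {ipaddress.ip_address(a) for a in local_addrs}:
        return "not-local"    # bind() to a non-local address fails, requests error out
    return "ok"
```

Run check_egress() with the client subnet, the config you placed in pre-auth, and the addresses actually assigned on the firewall (the VPN interface's own address, not the far-end gateway) before testing from a browser.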