Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?

[thefunkygibbon]

ok i just did the same but created a new file instead of using an old one.  hopefully that survives a system update.

so i basically

Code Select Expand


nano /usr/local/opnsense/service/conf/actions.d/actions_custom.conf

pasted the following

Code Select Expand


[squidvpnproxy]
command: /root/vpnscript.sh
parameters:
type:script
message: reload proxy with vpn interface
description: VPN via Proxy script


, saved and restarted.
checked and the option is back again.  will remember to check it exists again next time i get a system update.

now to try to fix my vpn ....... :(

[crissi]

Hi,

cool that you figured it out:)

Im getting an error when executing the script

Code Select Expand


./proxyipupdate.sh: 27: Syntax error: Unterminated quoted string
./proxyipupdate.sh: 27: Syntax error: Error in command substitution


created the script

Code Select Expand


nano proxyipupdate.sh


pasted the code, and saved script

Code Select Expand


# Variables
VPN_IFACE=ovpnc1
SQUID_CONFIG_FILE=/usr/local/etc/squid/squid.conf

# Get current IP address of VPN interface
VPN_IFACE_IP=$(ifconfig $VPN_IFACE | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+')

# Check if VPN interface is up and exit if it isn't
if [ -z "$VPN_IFACE_IP" ]
then
        exit 0;
fi

# Check current IP for VPN interface in squid.conf file
VPN_CONFIG_IP=$(grep -m 1 "tcp_outgoing_address" $SQUID_CONFIG_FILE | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+')

# Check if the config file matches the current VPN interface IP, and if so exit script
if [ "$VPN_IFACE_IP" == "$VPN_CONFIG_IP" ]
then
        exit 0;
fi

# Replace the previous IP address in the squid.conf file with the current VPN interface address
sed -ie 's/'"$VPN_CONFIG_IP"'/'"$VPN_IFACE_IP"'/' $SQUID_CONFIG_FILE

# Force reload of the new squid.conf file
/usr/local/sbin/squid -k reconfigure



made the script executeable

Code Select Expand


chmod 755 proxyipupdate.sh


restarted the fw, connected OpenVPN, logged in via ssh, and tried to execute ./proxyipupdate.sh again,
but still get the error on line 27 /usr/local/sbin/squid -k reconfigure

Is the Script Code for you working, did you have to change / adapt something to get it work?
Thx!

[thefunkygibbon]

nope i didn't change anything as far as i remember.  you have created an interface for your client vpn, right? I'm not even sure what you have or haven't already done.

in system > interfaces > assignments... .do you have a vpn interface you created in there with the name ovpnc1 or something?  make sure that same name is what is referred to in the script variable at the top

just noticed you are running it as a transparent proxy.  not sure if that works differently or not.   i would hope someone else pipes in here but this forum is like pretty dead when it comes to other people helping. :(  kinda have to rely on the main dev checking out every post, which isn't fair on him really

[crissi]

Thanks for the Update. Yes, i have the interface for the vpn client interface created, and the vpn connection itself is working fine. I have also cross checked the name of the interface under System - Interfaces - assignements, and the name is ovpnc1 like in the script variable.

As i have created under /usr/local/etc/squid the Folders /post-auth and /pre-auth with the custom.conf with the 2 lines of code:

Code Select Expand


acl VPNUsers src 192.168.20.0/24
tcp_outgoing_address (VPN IP) VPNUsers


When i adapt the OpenVpn Interface IP manually again in the custom.conf, and restart the Squid Service, its working perfect, also with the Web Proxy in Transparent Mode.., but unfortunately the Interface IP changes often, and thats why, im really hoping to get the Script working as well...

Would be really nice, if someone else could way in here @fabian to give us some hints...

[thefunkygibbon]

i didnt do anything with the pre/post config folders. 
i just looked again in the squid config file and it doesn't have the setting in there for sending to a specific IP interface.  but seeings as my vpn tunnel isn't actually working, I can't really test any further.  so until then i'm going to have to bow out.  I've raised a support ticket with my vpn provider as its not working on on my phone either so there is def an issue somewhere.

will come back when i can

[thefunkygibbon]

ok managed to get it up and running again. 
if the tcp_outgoing_address line isnt already in the squid config then the script doesnt do anything.  if it is in there then it changes the ip correctly. just tested.  do you have it in there right now to start with?  i certainly don't get any errors when running the script.
not sure on which circumstances that the config file goes back to 'default' though.   again.  someone with more brains than i might hopefully explain this and the previous questions.

[crissi]

Hi,
do you directly add the tcp_outgoing_address with the interface address under /usr/local/etc/squid.conf  ?

I didnt try that, as the squid.conf is automatically generated, and maybe thats why it goes back to default. I red in other posts, if something needs to be added to squid, under the folders /post-auth and /pre-auth has to be a custom.conf generated, and there the tcp_outgoing_address with Interface Ip has to be added.., thats what i have...

[thefunkygibbon]

ah ok, in that case i'll look to adding to pre/post conf files then.  will investigate.  does your squid config contain any tcp outgoing address line at all though? as if not then i suspect that it hasnt worked. and if it doesnt exist in the squid config then the script doesnt 'add' it, it only 'changes' it.

[crissi]

Hi,
checked again, no my squid.conf dont contain the tcp_outgoing_address. Now i tried the other way, i deleted both custom.conf Files under /post-auth /pre-auth folders and restarted the fw again.

I added now also manually tcp_outgoing_address 10.40.x.x at the bottom of squid.conf for testing.

Surfing over the Proxy and VPN IP was working correctly, then i tried again to execute the script, as now the tcp_outgoing_address parameter exist in squid.conf file. Now i get this error:

Code Select Expand


root@opn:~ # ./proxyipupdate.sh
VPN_IFACE=ovpnc1: Command not found.
SQUID_CONFIG_FILE=/usr/local/etc/squid/squid.conf: Command not found.
Illegal variable name.


I hope to get this somehow working

[thefunkygibbon]

erm, give me a screenshot of your script as it looks in nano. 
also the output of ls -la proxyipupdate.sh

[crissi]

Please see here

[thefunkygibbon]

ok, honestly i don't know why that would happen.  I can only suggest that something went weird when you pasted it.

maybe just recreate the script file and paste it in again from my text.  ?

[crissi]

thanks, recreated the script yet several times used notepad and notepad++ same issue. Then i tried to add #!/bin/sh to the top of the Script but still not worked when executed the script

Then after hours of fustration and testing, i was shortly before to throw the opnsense firewall through the closed window...:)

I tried to execute the shell script

Code Select Expand


bash proxyipupdate.sh


And its working, it changes the tcp_outgoing_address in the squid.conf to the actual VPN Ip Interface, hurray:)

So now the next step would be, to adapt the script path, instead of looking in squid.conf for tcp_outgoing_address, the script should look in:

Code Select Expand


/usr/local/etc/squid/post-auth/custom.conf
/usr/local/etc/squid/pre-auth/custom.conf


and change / adapt in the custom.conf File the tcp_outgoing_address according to the actual VPN Interface Address, so the tcp_outgoing_address actualy set will stay permanently and survive a reboot..

Any dev help would be welcome...

[crissi]

Hi,
saw the other Post https://forum.opnsense.org/index.php?topic=27409.0 regarding the targets-overites to make changes in squid.conf permanet. Did you get it to work ?

[thefunkygibbon]

i did what i put in that thread.  not had any feedback on my last comment and i don't know any different.   I'm pretty sure that it would get overwritten.  I can't say i fully understand these template things tbh.  back end hacking around of a firewall OS wasn't really what i signed up for when i chose to run this system but hey ho