Squid Proxy Transparent + OpenVPN + tcp_outgoing_address possible?

[crissi]

Hi,
I have installed transparent squid proxy with clamav on my opnsense, works perfect. As I use also openvpn with pia on my sense, im trying to force the squid proxy over the VPN Connection, as at the moment when the Proxy is enabled, squid take the WAN Gateway. Searched here in the Forum and tried already with parameter tcp_outgoing_address but without success till know. Seems I have somewhere an error.

Created under /usr/local/etc/squid in the Folders /post-auth and /pre-auth a custom.conf  with the following settings:

Code Select Expand


acl VPNUsers src 192.168.20.0/24 
tcp_outgoing_address (VPN IP) VPNUsers


Restarted the Fw and tested, but get the following error in squid.log

squid   kid1| commBind Cannot bind socket FD 17 to 151.x.x.x: (49) Can't assign requested address

Tried then to add just the following line to the custom.conf

Code Select Expand


tcp_outgoing_address {VPN IP}



Still get the same error.

Does someone get this to work?

Thx!

[thefunkygibbon]

did you get this to work?  i too am trying to do the same thing.  I configured tcp_outgoing_address as the "route" for my openvpn client but it doesn't want to send any traffic to it. 

[maclinuxfree]

me neither..i'm trying to route squid over a multiwan with tcp_outgoing.

[thefunkygibbon]

ok well i got it working in the end.  I was using the wrong IP address for the VPN. It needs to be the IP that actually is associated with your  ovpnc1  interface.  I was putting in the 'gateway' IP on that subnet.
Also bear in mind that that IP may change a fair bit.  If it does then your squid.conf will need updating to that new IP.
I have found a script which checks that interface and changes the squid.conf to change the tcp_outgoing address.
Just need something to trigger that script now.

[crissi]

Hi,

now i get it to work, with the 2 lines of code added to custom.conf in /post-auth and pre-auth folder, and with the suggested interface IP of the ovpnc1 interface:)

@thefunkygibbon would you please share the script what checks the interface ip?

Thank You!
br

[crissi]

Hello,

i found in the Netgate Forum the following Script related to the Issue to update the outgoing address via cron job

Code Select Expand


#!/bin/sh

# Variables
VPN_IFACE=ovpnc1
SQUID_CONFIG_FILE=/usr/local/etc/squid/squid.conf

# Get current IP address of VPN interface
VPN_IFACE_IP=$(ifconfig $VPN_IFACE | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+')

# Check if VPN interface is up and exit if it isn't
if [ -z "$VPN_IFACE_IP" ]
then
        exit 0;
fi

# Check current IP for VPN interface in squid.conf file
VPN_CONFIG_IP=$(grep -m 1 "tcp_outgoing_address" $SQUID_CONFIG_FILE | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+')

# Check if the config file matches the current VPN interface IP, and if so exit script
if [ "$VPN_IFACE_IP" == "$VPN_CONFIG_IP" ]
then
        exit 0;
fi

# Replace the previous IP address in the squid.conf file with the current VPN interface address
sed -ie 's/'"$VPN_CONFIG_IP"'/'"$VPN_IFACE_IP"'/' $SQUID_CONFIG_FILE

# Force reload of the new squid.conf file
/usr/local/sbin/squid -k reconfigure



As im no developer, how can this script be implemented via Cron Job in Opnsense?

Or can this Script be implemented in a other better way?

Thx!

[thefunkygibbon]

sorry about the delay, I've been laid up, ill for the last week :-(

Code Select Expand





# Variables
VPN_IFACE=ovpnc1
SQUID_CONFIG_FILE=/usr/local/etc/squid/squid.conf

# Get current IP address of VPN interface
VPN_IFACE_IP=$(ifconfig $VPN_IFACE | awk '{print $2}' | egrep -o '([0-9]+\.){3}[0-9]+')

# Check if VPN interface is up and exit if it isn't
if [ -z "$VPN_IFACE_IP" ]
then
        exit 0;
fi

# Check current IP for VPN interface in squid.conf file
VPN_CONFIG_IP=$(grep -m 1 "tcp_outgoing_address" $SQUID_CONFIG_FILE | awk '{print $2}' | egrep -o '([0-9]+\>

# Check if the config file matches the current VPN interface IP, and if so exit script
if [ "$VPN_IFACE_IP" == "$VPN_CONFIG_IP" ]
then
        exit 0;
fi

# Replace the previous IP address in the squid.conf file with the current VPN interface address
sed -ie 's/'"$VPN_CONFIG_IP"'/'"$VPN_IFACE_IP"'/' $SQUID_CONFIG_FILE

# Force reload of the new squid.conf file
/usr/local/sbin/squid -k reconfigure






I run this and works fine and straight away without having to restart services afterwards too.
I've not cron'd it yet, but likely will and get it to do it ever hour or something

[crissi]

Hi,

thanks for the information. Can you please explain me detailed how you run the script yet?

Also how to run it via cron?

Thx!

[thefunkygibbon]

run the script by putting it in a txt file and changing the permissions to allow it to be executable.   then run it by ./scriptname.sh or whatever its called.

cron job. not sure how its managed in opnsense as i've not looked into it. but cron is pretty simple to use anyway its just a matter of defining when you want it to run. and there are a bunch of calculators on the net to do that.

edit:  just checked and there is a cron section in the gui.   should be pretty straight foward then

[crissi]

Thanks, if i check the Cron Settings in the Gui, which command to use, to execute the custom script?
Thx!

[crissi]

Please see here

[crissi]

run the script by putting it in a txt file and changing the permissions to allow it to be executable.   then run it by ./scriptname.sh or whatever its called.

Would be the correct path for the Script /usr/local/etc/rc.d where the other Scripts are defined, for example clamav-freshclam, unbound and suricata? If yes, would the created script there survive future updates?
Thx!

[thefunkygibbon]

honestly don't know how to add it as a 'custom script' in that cron menu or if you can place the script somewhere for it to be recognised in that list.  I guess someone with more knowledge will have to chime in as i have not yet attempted to do this yet but will be at some point.

if you work it out, let me know :-)

[crissi]

Thx, will check further if i found something.. :)

Yes, it would be great if someone else could give some advice to accomplish this...

If i figure it out, i will of course share it.., if ..;)
br

[thefunkygibbon]

****DON'T DO THIS, CHECK NEXT POST*****
ok i sorted it , but my vpn isnt connecting so i can't test it.

edit /usr/local/opnsense/service/conf/actions.d/actions_proxy.conf

added a section 

Code Select Expand


[squidvpnproxy]
command: /root/vpnscript.sh
parameters:
type:script
message: reload proxy with vpn interface
description: VPN via Proxy script


then restarting the configd service

Code Select Expand

service configd restart
and then i could choose that from the cron job drop down.

only problem is that I have also just ran an update on my firewall and it seems to have overwritten that file.  my changes no longer exist.

i think someone cleverer might have to chime in with regards to making the changes more permanent.