Bug #4331
closed
Issue with VPN interface within Squid 3.4 for Transparent Proxy
Description
I'm running pfSense 2.2 with squid 3.4.10_2
Want to include my VPN interface in transparent proxy within squid.
squid.conf does seem to treat it correctly.
ovpns1 is assigned as interface 'VPN' without any ipv4/6 configuration (In OPENVPN it's configured as 10.69.0.1)
VPN interface is included in proxy and transparent proxy interfaces within squid conf GUI. (LAN is also included and configured as 192.168.0.1)
squid.conf shows the following:
http_port 192.168.0.1:3128 <--- LAN
http_port 10.69.0.1:3128 <--- VPN
acl localnet src 192.168.0.0/24 0.0.0.0/NAN <--- first ip address is correct but not sure what second address is 0.0.0.0/NAN??
So browsing via VPN interface fails.
If I manually change the line from:
acl localnet src 192.168.0.0/24 0.0.0.0/NAN
to
acl localnet src 192.168.0.0/24 10.69.0.0/28
then transparent proxy browsing via VPN interface works
Updated by Nev Secular almost 10 years ago
Nev Secular wrote:
I'm running pfSense 2.2 with squid 3.4.10_2
Want to include my VPN interface in transparent proxy within squid.
squid.conf doesn't seem to treat it correctly.
ovpns1 is assigned as interface 'VPN' without any ipv4/6 configuration (In OPENVPN it's configured as 10.69.0.1)
VPN interface is included in proxy and transparent proxy interfaces within squid conf GUI. (LAN is also included and configured as 192.168.0.1)
squid.conf shows the following:
http_port 192.168.0.1:3128 <--- LAN
http_port 10.69.0.1:3128 <--- VPN
acl localnet src 192.168.0.0/24 0.0.0.0/NAN <--- first ip address is correct but not sure what second address is 0.0.0.0/NAN??
So browsing via VPN interface fails.
If I manually change the line from:
acl localnet src 192.168.0.0/24 0.0.0.0/NAN
to
acl localnet src 192.168.0.0/24 10.69.0.0/28
then transparent proxy browsing via VPN interface works
Updated by Kill Bill about 9 years ago
Patches welcome. When there's no IP, there's no IP. Relevant code here:
https://github.com/pfsense/pfsense-packages/blob/master/config/squid3/34/squid.inc#L1228
Updated by Chris Buechler about 9 years ago
- Affected Version changed from 2.2 to All
Updated by Kill Bill about 9 years ago
https://github.com/pfsense/pfsense-packages/pull/1181 - this will simply ignore invalid subnets and omit those from the ACL.
Updated by Kill Bill about 9 years ago
Fixed in 0.4.4 - invalid subnets are ignored and not added to the localnet ACL, error logged in System Logs - General.
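A check for the condition reported in this issue, as an added example that is not part of the thread or of the pfSense package code: it parses a generated squid.conf, flags `acl localnet src` entries that are not valid subnets, and lists `http_port` listen addresses that no localnet subnet covers. The function name `audit_localnet` and the sample text are constructed here; it assumes the ACL entries are plain CIDR subnets and that each listener binds to an interface address inside that interface's subnet.

```python
import ipaddress

# Constructed sample reproducing the squid.conf lines quoted in the report
# (without the reporter's "<---" annotations).
SAMPLE_CONF = """\
http_port 192.168.0.1:3128
http_port 10.69.0.1:3128
acl localnet src 192.168.0.0/24 0.0.0.0/NAN
"""


def audit_localnet(conf_text, acl_name="localnet"):
    """Return (invalid_acl_entries, uncovered_listen_ips) for squid.conf text."""
    listen_ips, networks, invalid = [], [], []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) >= 2 and fields[0] == "http_port":
            # Only the ip:port form carries a listen address; skip bare ports.
            host, sep, _port = fields[1].rpartition(":")
            if sep:
                try:
                    listen_ips.append(ipaddress.ip_address(host.strip("[]")))
                except ValueError:
                    pass  # hostname listener, nothing to compare
        elif len(fields) >= 4 and fields[:3] == ["acl", acl_name, "src"]:
            for entry in fields[3:]:
                try:
                    networks.append(ipaddress.ip_network(entry, strict=False))
                except ValueError:
                    invalid.append(entry)  # e.g. 0.0.0.0/NAN
    # A listener whose address is in no ACL subnet serves clients that the
    # localnet ACL will not match.
    uncovered = [str(ip) for ip in listen_ips
                 if not any(ip.version == n.version and ip in n for n in networks)]
    return invalid, uncovered


if __name__ == "__main__":
    bad, uncovered = audit_localnet(SAMPLE_CONF)
    print("invalid ACL entries:", bad)
    print("listeners outside localnet:", uncovered)
```

With the 0.4.4 behaviour described above (invalid subnets omitted from the ACL), the first list comes back empty while the second still names the VPN listener, so that interface's clients remain outside localnet until a subnet is configured for it.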