http://nikosapi.org/w/index.php?feed=atom&namespace=0&title=Special%3ANewPagesnikosapi.org wiki - New pages [en-ca]2026-06-15T09:33:52ZFrom nikosapi.org wikiMediaWiki 1.35.0http://nikosapi.org/w/index.php/Route_Squid_Proxy_Traffic_Through_an_OpenVPN_GatewayRoute Squid Proxy Traffic Through an OpenVPN Gateway2014-03-02T05:09:30Z<p>Nikosapi: /* iproute2 Configuration */</p>
<hr />
<div>==Problem Description==<br />
<br />
When using a VPN, the default configuration is to route all traffic over the VPN tunnel. However, there are some instances where it is useful to only route application-specific traffic instead of forcing all traffic through the VPN. This isn't always possible, but if application in question supports an HTTP proxy then we can use Squid to transparently pass that traffic off to an OpenVPN gateway.<br />
<br />
==Implementation Details==<br />
<br />
===iproute2 Configuration===<br />
Permanently add a custom routing table for OpenVPN traffic:<br />
echo "100 openvpn" >> /etc/iproute2/rt_tables<br />
<br />
The addition/deletion of the actual routes will be added by the OpenVPN up/down scripts.<br />
<br />
===Squid Configuration===<br />
Traffic which is accepted by Squid must be emitted on the OpenVPN tunnel interface in order for this to work. Since IP address for the interface is dynamic (assuming the server is not configured to provide static IP addresses) this would require updating the Squid config file every time the VPN connection is established (AFAIK, a hostname cannot be provided in place of the IP address). To get around this limitation, we will emit traffic on a random IP address and then use iptables to forward traffic to the real IP address.<br />
<br />
The following lines were added to the ''/etc/squid3/squid.conf'' config file:<br />
acl local_net src 192.168.0.0/255.255.255.0<br />
http_access allow local_net<br />
forwarded_for delete<br />
tcp_outgoing_address 10.202.101.1<br />
<br />
The first line defines my local network, the second line instructs Squid to accept connections from any computer on my local network, and the third line prevents Squid from including the X-Forwarded-For header in its outgoing connections. The last line defines the source IP address for which Squid will use to make requests on behalf of users. Note that this IP address should not belong to your local subnet or the OpenVPN subnet.<br />
<br />
===OpenVPN Client Configuration===<br />
Add the following items to the client config file:<br />
route-noexec<br />
route-up route-up.sh<br />
down down.sh<br />
<br />
The ''route-noexec'' parameter prevents the client from applying the default routing configuration which is pushed from the server. The ''route-up'' parameter must point to a script which will be used to setup the custom routing and the ''down'' parameter must point to a script that will remove the custom routing once the VPN client is stopped.<br />
<br />
The content of ''route-up.sh'' should look like this:<br />
#!/bin/bash<br />
<br />
source "`dirname $0`/vpn_config.sh" <br />
<br />
logger "OpenVPN route-up.sh: bridge if: $VPNBRIDGE_IF addr: $VPNBRIDGE_ADDR table: $VPNBRIDGE_TBL"<br />
<br />
# Add the default route to our custom 'openvpn' routing table<br />
ip route add default via $ifconfig_remote dev $dev table $VPNBRIDGE_TBL<br />
<br />
# Add new interface to act as a middleman between the fixed address used <br />
# by Squid and the dynamic address provided by OpenVPN<br />
ip tuntap add dev $VPNBRIDGE_IF mode tun<br />
ip addr add $VPNBRIDGE_ADDR dev $VPNBRIDGE_IF<br />
ip link set dev $VPNBRIDGE_IF up<br />
<br />
# All packets from Squid are passed to the custom routing table<br />
ip rule add from $VPNBRIDGE_ADDR lookup $VPNBRIDGE_TBL<br />
<br />
# Rewrite the source address to match the one provided by OpenVPN<br />
iptables -t nat -A POSTROUTING -s $VPNBRIDGE_ADDR -j SNAT --to-source $ifconfig_local<br />
<br />
logger "OpenVPN route-up.sh: local: $ifconfig_local remote: $ifconfig_remote device: $dev"<br />
<br />
The content of ''down.sh'' should look like this:<br />
#!/bin/bash<br />
<br />
source "`dirname $0`/vpn_config.sh"<br />
<br />
logger "OpenVPN down.sh: bridge if: $VPNBRIDGE_IF addr: $VPNBRIDGE_ADDR table: $VPNBRIDGE_TBL openvpn local: $ifconfig_local"<br />
<br />
ip rule del from $VPNBRIDGE_ADDR lookup $VPNBRIDGE_TBL<br />
iptables -t nat -D POSTROUTING -s $VPNBRIDGE_ADDR -j SNAT --to-source $ifconfig_local<br />
ip tuntap del dev $VPNBRIDGE_IF mode tun<br />
<br />
Finally, the common configurable parameters for both of these scripts is found in another script named ''vpn_config.sh''. Its contents should look like this:<br />
#!/bin/bash<br />
<br />
export VPNBRIDGE_IF=vpnbridge0<br />
export VPNBRIDGE_ADDR=10.202.101.1<br />
export VPNBRIDGE_TBL=openvpn<br />
<br />
These three scripts should be placed in the same directory and must be marked as executable (chmod +x).<br />
<br />
==Theory of Operation==<br />
This solution is probably overcomplicated, but this is the best I could do with the limited networking skills I have. That being said, I'll attempt to explain the method here.<br />
<br />
The ''route-up.sh'' script creates a new virtual tunnel network interface (named vpnbridge0) with the IP address which was provided for the tcp_outgoing_address parameter in the Squid configuration file (10.202.101.1). Additionally, the script instructs the kernel to route any traffic from that address to the custom 'openvpn' routing table. So when traffic is emitted from the proxy, it gets passed to the openvpn routing table but since the source IP address doesn't match the dynamic address provided by the VPN server, the request fails. To get around this, iptables NAT feature is used to rewrite the source address of the traffic to match that of the VPN client's local IP address. This makes the VPN software happy, and the traffic can flow!<br />
<br />
As far as I can tell, this is how the traffic ends up flowing:<br />
* A client sends a request to Squid.<br />
* Squid binds to 10.202.101.1 and emits the request.<br />
* The kernel's routing chain prepares to send the traffic to the route defined in the custom 'openvpn' routing table.<br />
* The iptables POSTROUTING chain notices the packet has a source address of 10.202.101.1, so it rewrites it to match the $ifconfig_local address.<br />
* The traffic is put onto the VPN's virtual network interface and VPN server handles the rest.</div>Nikosapihttp://nikosapi.org/w/index.php/Main_PageMain Page2013-09-14T02:13:57Z<p>Nikosapi: </p>
<hr />
<div><big>'''Welcome to nikosapi.org'''</big><br />
<br />
This site is a place for me ([[User:Nikosapi|nikosapi]]) to put up stuff I find interesting or don't want to forget.<br />
<br />
The wiki is currently closed for editing due to the massive amount of spam which was being added on a daily basis. If you'd like to edit something email me and I'll provide you with an account.<br />
<br />
----<br />
<br />
'''Quick Links:''' <br /><br />
<br />
<!-- Thank you ablomen! --><br />
<div style=" position: relative; height: 150px; overflow: hidden;"><br />
<div style="position: absolute; top: 0px; left: 0px;"><br />
<div style="float: left"><br />
<imagemap><br />
Image:Software.png|150px<br />
default [[Software]]<br />
desc none<br />
</imagemap><br />
</div><br />
<div style="float: left"><br />
<imagemap><br />
Image:Hardware.png|150px<br />
default [[Hardware]]<br />
desc none<br />
</imagemap><br />
</div><br />
<div style="float: left;"><br />
<imagemap><br />
Image:blog.png|150px<br />
default [http://nikosapi.org/blog]<br />
desc none<br />
</imagemap><br />
</div><br />
</div><br />
</div></div>MediaWiki default