OpenVPN: Route SquidProxy - ip

I am trying to setup a public squid proxy that routes it's traffic via a VPN server elsewhere in the world. It's running inside a docker container on a VPS host.
Using the default settings with push gateway, I can access the squidproxy on the VPS itself and it does route it's traffic via the vpn.
However, no external IPs can access the squid proxy.
I do have docker forwarding the port 3128:3128.
It is something to do with the OpenVPN routes that are created (as the Squid proxy is accessible until OpenVPN starts)
I found it is this route that seems to "block" my external traffic.
128.0.0.0/1 via 10.91.10.5 dev tun0
(10.91.10.5 is the gateway of the VPN)
If I remove it I can access squid again but then outgoing requests don't use the VPN.
I can make my external IP work by explicitly adding it like so
ip route add 203.X.X.X via 172.18.0.1 dev eth0
(172.18.0.1 is the docker gateway)
But I need it to work with any external IPs.
I have tried ip route add 0.0.0.0 via 172.18.0.1 dev eth0.
But this doesn't work as 128.0.0.0/1 is more specific so matches first.
In conclusion
1) Need any IP to access the SquidProxy (port 3128)
2) Need all outgoing SquidProxy requests (80,443) to go via the VPN
Any help would be greatly appreciated!

UPDATE:
So I have this working
1) Start OpenVPN with the below command
openvpn --route-nopull --script-security 2 --up /etc/openvpn/up.sh
This disables it from setting up the VPN routes. So all traffic in and out is using the default route not via VPN
2) In the up.sh, I run the below commands
#!/bin/sh
/sbin/ip route add 0.0.0.0/0 dev $1 table 100
/sbin/ip rule add from all fwmark 1 table 100
/sbin/iptables -A OUTPUT -t mangle -p tcp -m multiport --dports 80,443 -j MARK --set-mark 1
/sbin/iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE
I have then setup Squid to only allow ports 80 & 443. Docker has port 3128 open for access to the container.
I also needed to use --sysctl net.ipv4.conf.all.rp_filter=0 in the docker run command.

Related

How do I use squid as default gateway

I have installed CentOS 6.5
my default gateway in my infrastructure is 192.168.3.1 (which is firewall IP)
I wanted to change it to the CentOS server IP So that I can limit the usage of the Internet and monitor the Websites used in my network.
I dont want to setup proxy server setting in browser
Appreciate all :)
You have two options:
First option use iptables firewall and redirect trafic from port 80 to port 3128.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
Second option configure squid to lisaning port 80 instead 3128
By default, Squid listens on port 3128. If you would like to use a different port, modify
/etc/squid/squid.conf
http_port 80
save
service squid restart

google cloud Forwarding rules is very slow

new to setting up a load balancer:
I am working with the google compute engine.
Set up 3 servers running on 3 different ports: 5010, 5011 and 5012.
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 5010/11/12.. on each specific server
set up a health check to port 8080 . let's call it example-health-check
set up a target pool that contains the health check and all the 3 instances. let's call it example-target-pool
Set up a forwarding rule with tcp:5010-5012 and linked it target pool to the example-target-pool
when I go to the lb ip in each one of the ports the connection is very weird. it works but very slow in most of the requests but once in a while a request is very fast to pass..
any ideas ?

Linux squid proxy configuration

I have 3 virtual machines. I have Squid proxy installed on one of them which functions as a router. I need to configure it to accept HTTP requests from only one of the other 2 machines(IP - 172.16.2.2). The change I made to the squid.conf file is:
http_port 172.16.2.2:3128
I then changed the firewall rule in the route machine so that it redirects traffic from 172.16.2.2 bound for 80 (HTTP port number) to the default squid port 3128. The command is given below:
sudo iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
Machine 172.16.2.2 is connected to the router on eth1. However, whenn I am making sending a HTTP request from 172.16.2.2, I get a 403 Forbidden error. It says:
X-Squid-Error: ERR_ACCESS_DENIED 0
I can't understand it. Please help.
(edited for style)
http_port is used to configure where squid is listening for request, so if you include an ip address, it should be configured in the same machine that is listening. So, in your case 172.16.2.2 (the "other" machine) is not a correct configuration.

Redirect all the traffic from router to proxy server

I don't know if the question is related to the topics on stackoverflow so, if not sorry in advance.
I have the following problem that I'm trying to solve :
I am connected to my university network that requires me to configure my browser to use a proxy. I want to set up a router in my house ( D-Link Dir-300 with Firmware: DD-WRT v24-sp2) and because I am using multiple Android devices that are not rooted ( I can't use global proxy apps ) I was thinking about the following solution :
Question Can I make my router redirect all the traffic from my wireless network to the proxy server that I'm using ( allowing the devices not to configure a proxy server) ?
I have a HTTP redirect tool available on the router configuration page
I looked up the destination IP address from the proxy URL that I was using and I get 4 IP addresses for that node, I tried to use two of them with the source network set to 192.168.1.0 but it didn't work -my browser on the android devices doesn't work without setting up the proxy.
____________________________________ EDIT ____________________________
After looking some more I found this link
#!/bin/sh
PROXY_IP=[IP]
PROXY_PORT=[PORT]
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d ! $LAN_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
iptables -t nat -A POSTROUTING -o br0 -s $PROXY_IP -p tcp -d $LAN_NET -j SNAT --to $PROXY_IP
iptables -A FORWARD -i vlan1 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
How can I modify it to redirect all the traffic udp/tcp etc coming from all the ports?
Easy option is to configure your proxy on your android device. When setting up the wireless connection select advanced options and enter your proxy settings, on older android devices it's somewhat hidden but I managed to do it on a 2.3 one.
For iOS you can add it later to your wifi settings.
If you router is not the main entry point for internet (if it's secondary) you can configure it to route to your PC/laptop. Configure a static IP op your PC/laptop, share internet over there, and configure that IP as gateway on your router.
You can install a proxy tool (charles proxy for example) on your PC and configure it to forward your traffic to the internet-proxy. On your devices you still need to setup the proxy, but this time it's your PC's proxy (gateway+8080).

Forwarding within local network to same network

I have X-Wrt based on OpenWrt 8.09 on my router
I have home LAN of few computers on which I have some network servers (SVN, web, etc). For each of service I made forwarding on my router (Linksys wrt54gl) to access it from the Internet (<my_external_ip>:<external_port> -> <some_internal_ip>:<internal_port>)
But within my local network this resources by above request is unreachable (so I need make some reconfiguration <some_internal_ip>:<internal_port> to access).
I added some line to my /etc/hosts
<my_external_ip> localhost
So now all requests from local network to <my_external_ip> forwards to my router but further redirection to appropriate port not works.
Advise proper redirection please.
You need to install an IP redirect for calls going out of the internal network and directed to the public IP. Normally these packets get discarded. You want to reroute them, DNATting to the destination server, but also masqueraded so that the server, seeing as you, its client, are in its same network, doesn't respond directly to you with its internal IP (which you, the client, not having sent the packet there, would discard).
I found this on OpenWRT groups:
iptables -t nat -A prerouting_rule -d YOURPUBLICIP -p tcp --dport PORT -j DNAT --to YOURSERVER
iptables -A forwarding_rule -p tcp --dport PORT -d YOURSERVER -j ACCEPT
iptables -t nat -A postrouting_rule -s YOURNETWORK -p tcp --dport PORT -d YOURSERVER -j MASQUERADE
https://forum.openwrt.org/viewtopic.php?id=4030
If I remember correctly OpenWrt allows you to define custom DNS entries. So maybe simply give a proper local names to your sources (ie. svnserver.local) and map them to specific local IPs. This way you do not even need to go through router to access local resources from local network.

Resources