OpenWrt Forum Archive

Topic: Forcing VPN clients to go through Proxy server

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

I've got an OpenVPN server which works fine. It's using TUN interface. On the same server, I've also got a Tinyproxy server running.

My firewall permits VPN clients to access both the local LAN and the WAN (thus, the internet). All works well.

The only thing I'm missing is "how do I force all incoming VPN connections to also go through the HTTP proxy?" Right now, Tinyproxy isn't logging anything coming from VPN connections... How can I change this?


My OpenVPN's FW settings:

config rule 'Allow_OpenVPN_Inbound'
    option target 'ACCEPT'
    option src '*'
    option proto 'udp'
    option dest_port '1194'
    option name 'Allow_OpenVPN_Inbound'

config zone 'vpn_corbeau'
    option name 'vpn_corbeau'
    option network 'vpn0'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option masq '1'

config forwarding 'vpn_corbeau_forwarding_lan_in'
    option src 'vpn_corbeau'
    option dest 'lan'

config forwarding 'vpn_corbeau_forwarding_lan_out'
    option src 'lan'
    option dest 'vpn_corbeau'

config forwarding 'vpn_corbeau_forwarding_wan'
    option src 'vpn_corbeau'
    option dest 'wan'

and my Tinyproxy FW settings:

config redirect
    option name 'HTTP Transparent Proxy Redirect'
    option src 'lan'
    option proto 'tcp'
    option src_dport '80'
    option src_dip '!192.168.1.1'
    option dest_ip '192.168.1.1'
    option dest 'lan'
    option dest_port '8118'

My Tinyproxy is set to listen on 192.168.1.1, and I've allowed '192.168.1.0/24', '10.8.0.0/24' and '127.0.0.1' to connect to it through its config file.

My OpenVPN network is on '10.8.0.0 255.255.255.0'.


I tried adding another FW forward rule that would forward all requests from vpn_zone having src port 80 to the proxy, like this:

config redirect
    option name 'HTTP Proxy for VPN'
    option src 'vpn_corbeau'
    option proto 'tcp'
    option src_dport '80'
    option dest_ip '192.168.1.1'
    option dest 'lan'
    option dest_port '8118'
    option enabled '1'

but it seems like the HTTP isn't coming back... at least, I know I can no longer browse the web from VPN clients when doing so.

Any help on how I could make this work?

Many thanks!!

Why did you use "option src_dip '!192.168.1.1'" for the LAN but "option dest_ip '192.168.1.1'" for the VPN?

eduperez wrote:

Why did you use "option src_dip '!192.168.1.1'" for the LAN but "option dest_ip '192.168.1.1'" for the VPN?

LAN has this:

option src_dip '!192.168.1.1'
option dest_ip '192.168.1.1'

VPN has this:

option dest_ip '192.168.1.1'

The src_dip '!192.168.1.1' in the LAN redirect rule tells the firewall NOT TO forward any HTTP requests made from host 192.168.1.1 (the router) to the proxy. I figured that since the requests in the VPN zone would come from 10.8.0.0/24, that was just pointless, even though I did try keeping it in as well.

Am I wrong here?
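The two redirect sections posted above, and the src_dip question discussed in this post, rendered as the nat-table rules fw3 installs for them. This is an added example, not part of the thread: the parser and the renderer are mine, fw3's chain naming (zone_<name>_prerouting) is real but the exact rule text fw3 emits may differ, and the 10.8.0.1 server address is an assumption (the thread only gives the 10.8.0.0/24 network). In fw3's redirect options, src_dip is the original destination address of the packet as seen on the source zone, and dest_ip is the address it is rewritten to; a negated src_dip therefore keeps traffic addressed to the router itself (its port-80 web UI) from being handed to the proxy, and the check at the end reports which router addresses a redirect would still capture.

```python
"""Render OpenWrt (fw3-era) 'config redirect' sections as the iptables
DNAT rules they roughly correspond to.  Constructed example, not part of
the forum thread; chain names follow fw3's zone_<name>_prerouting
convention, the exact text fw3 emits may carry extra matches."""
import shlex

# The two redirects from the thread, copied into a constructed UCI snippet.
SAMPLE_UCI = """
config redirect
    option name 'HTTP Transparent Proxy Redirect'
    option src 'lan'
    option proto 'tcp'
    option src_dport '80'
    option src_dip '!192.168.1.1'
    option dest_ip '192.168.1.1'
    option dest 'lan'
    option dest_port '8118'

config redirect
    option name 'HTTP Proxy for VPN'
    option src 'vpn_corbeau'
    option proto 'tcp'
    option src_dport '80'
    option dest_ip '192.168.1.1'
    option dest 'lan'
    option dest_port '8118'
    option enabled '1'
"""

# Addresses the router itself answers on.  192.168.1.1 is from the thread;
# 10.8.0.1 is an ASSUMED OpenVPN server address inside 10.8.0.0/24.
ROUTER_ADDRS = {'192.168.1.1', '10.8.0.1'}


def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: value})."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)
        if parts[0] == 'config':
            sections.append((parts[1], {}))
        elif parts[0] == 'option' and sections:
            sections[-1][1][parts[1]] = parts[2]
    return sections


def match_addr(value, flag):
    """UCI address option -> iptables match; a leading '!' negates it.
    src_dip is the ORIGINAL destination as seen on the source zone, so it
    maps to -d (and '!x' to '! -d x'); src_ip maps to -s."""
    if value.startswith('!'):
        return f"! {flag} {value[1:]}"
    return f"{flag} {value}"


def render_redirect(opts):
    """nat-table rule for one DNAT redirect, or None if it is disabled."""
    if opts.get('enabled', '1') == '0':
        return None
    if opts.get('target', 'DNAT') != 'DNAT':
        raise ValueError('only DNAT redirects are modelled here')
    parts = ['-A', f"zone_{opts['src']}_prerouting", '-p', opts.get('proto', 'tcp')]
    if 'src_ip' in opts:
        parts.append(match_addr(opts['src_ip'], '-s'))
    if 'src_dip' in opts:
        parts.append(match_addr(opts['src_dip'], '-d'))
    if 'src_dport' in opts:
        parts.append(f"--dport {opts['src_dport']}")
    if 'dest_ip' in opts:
        target = opts['dest_ip']
        if 'dest_port' in opts:
            target += f":{opts['dest_port']}"
        parts.append(f"-j DNAT --to-destination {target}")
    else:
        # Without dest_ip fw3 redirects to a local port on the router itself.
        parts.append(f"-j REDIRECT --to-ports {opts['dest_port']}")
    return ' '.join(parts)


def router_addrs_captured(opts, router_addrs):
    """Router-owned addresses whose own port-<src_dport> traffic this
    redirect would ALSO send to the proxy, i.e. not excluded via src_dip."""
    dip = opts.get('src_dip')
    if dip is None:
        return sorted(router_addrs)             # nothing excluded
    if dip.startswith('!'):
        return sorted(router_addrs - {dip[1:]})  # one address excluded
    return sorted(router_addrs & {dip})         # positive match on one address


if __name__ == '__main__':
    for kind, opts in parse_uci(SAMPLE_UCI):
        print(f"# {opts.get('name', kind)}")
        print(render_redirect(opts))
        print('  router addresses still redirected:',
              router_addrs_captured(opts, ROUTER_ADDRS) or 'none')
```

Run stand-alone it prints the two rules; the LAN rule carries `! -d 192.168.1.1 --dport 80`, the VPN rule only `--dport 80`, so from the VPN zone a request to either router address on port 80 is rewritten to the proxy as well.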

ravenlost2 wrote:
eduperez wrote:

Why did you use "option src_dip '!192.168.1.1'" for the LAN but "option dest_ip '192.168.1.1'" for the VPN?

LAN has this:

option src_dip '!192.168.1.1'
option dest_ip '192.168.1.1'

VPN has this:

option dest_ip '192.168.1.1'

The src_dip '!192.168.1.1' in the LAN redirect rule tells the firewall NOT TO forward any HTTP requests made from host 192.168.1.1 (the router) to the proxy. I figured that since the requests in the VPN zone would come from 10.8.0.0/24, that was just pointless, even though I did try keeping it in as well.

Am I wrong here?

Nope, I just misread your post; my mistake.

The discussion might have continued from here.