Re: [squid-users] Put all port 80, 443 http https rtmp connections from openvpn through squid?

From: Alex Crow <alex_at_nanogherkin.com>
Date: Sat, 11 Aug 2012 17:14:29 +0100

On 11/08/12 14:27, Eliezer Croitoru wrote:
> On 8/11/2012 2:57 PM, J Webster wrote:
>> But once the tunnel reaches the OpenVPN server, you can direct port 80
>> and 443 traffic from it via the proxy server can't you?
>> Once it gets to the OpenVPN server (where you would also have the proxy
>> server), isn't it decrypted?
>> Lots of companies have VPN tunnels and then route web traffic through a
>> proxy so it must be possible somehow.
>>
>> On 11/08/12 13:54, Alex Crow wrote:
>>> On 11/08/12 08:20, J Webster wrote:
>>>> Is there a way to push all openvpn connections using http ports
>>>> through a transparent squid and how?
>>>> Also, can I log which openvpn certificate/client is accessing which
>>>> pages in this way?
>>>> I assume I would have to use an alternative port or use firewall
>>>> rules to only allow squid connections from the network 10.8.x.x
>>> Squid is an HTTP proxy, so no.
>>>
>>> You can't really proxy OpenVPN as it's end-to-end encrypted with SSL.
>>> If you issued the certs from your CA it might be possible to MITM it
>>> but that may be illegal in many jurisdictions.
>>>
>>> Alex
>>
>>
> Of course you can.
> It's a basic IPTABLES rule, and since OpenVPN uses a tunX interface
> you can intercept all traffic from the tunX interface to the proxy.
> But you can't force the clients to use the VPN as gateway to the whole
> world, but only to the VPN connection.
>
> Regards,
> Eliezer
>

I thought the OP was referring to proxying the SSL connection through
Squid. That of course won't work, but indeed you can redirect or forward
the packets at the gateway with iptables depending on which interface or
address range they arrive on.

Apologies to J Webster!

Alex
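The gateway-side redirect the two replies describe, as an added example that is not part of the thread: iptables selects packets by the tun interface and the VPN address range and hands port 80 to a local Squid intercept port, and the matching squid.conf lines accept intercepted connections only from that range. The interface name tun0, the range 10.8.0.0/16 (the OP's 10.8.x.x) and intercept port 3129 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values: tun0 is the
# OpenVPN interface, 10.8.0.0/16 is the VPN client range, 3129 is the
# Squid intercept port. Override them via the environment if needed.
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/16}"
SQUID_PORT="${SQUID_PORT:-3129}"

# Emit the iptables rules rather than applying them, so they can be reviewed;
# set APPLY=1 to execute them. Every rule matches on BOTH the interface and
# the source range, as the reply suggests, so only VPN traffic is affected.
# Port 443 is deliberately left alone: HTTPS cannot be proxied transparently
# without breaking into the TLS session, which the thread warns against.
intercept_rules() {
    # Plain HTTP from the VPN goes to Squid's intercept listener
    echo "iptables -t nat -A PREROUTING -i $VPN_IF -s $VPN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
    # The intercept port is reachable only from VPN clients (the OP's
    # "firewall rules to only allow squid connections from 10.8.x.x")
    echo "iptables -A INPUT -i $VPN_IF -s $VPN_NET -p tcp --dport $SQUID_PORT -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $SQUID_PORT -j DROP"
}

# Matching squid.conf fragment: an intercept-mode listener plus an ACL that
# restricts it to the VPN range, so Squid does not become an open proxy.
squid_conf() {
    echo "http_port $SQUID_PORT intercept"
    echo "acl vpn_clients src $VPN_NET"
    echo "http_access allow vpn_clients"
    echo "http_access deny all"
}

if [ "${APPLY:-0}" = "1" ]; then
    intercept_rules | sh -e
else
    intercept_rules
    squid_conf
fi
```

Squid logs the tun-side client address of each request; mapping that address back to a certificate is done on the OpenVPN side (its client status output), not by Squid.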
Received on Sat Aug 11 2012 - 16:14:32 MDT

This archive was generated by hypermail 2.2.0 : Sat Aug 11 2012 - 12:00:03 MDT