Re: [squid-users] Put all port 80, 443 http https rtmp connections from openvpn through squid?

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Sat, 11 Aug 2012 20:18:43 +0300

On 8/11/2012 6:15 PM, J Webster wrote:
> But once the tunnel reaches the OpenVPN server, you can direct port 80
Yes, as the machine is a router.
<SNIP>
>> of course you can.
>> it's a basic IPTABLES rules and since openvpn uses a tunX interface
>> you can intercept all traffic from the tunX interface to the proxy.
>> but you can't force the clients to use the VPN as gateway to the whole
>> world but only to the VPN connection.
>>
>> Regards,
>> Eliezer
>>
>
> So, I simply forward port 80 and 443 on network 10.8.00 to a transparent
> squid proxy?
Yes.
But for 443/SSL you will need ssl-bump, which is a bit complicated.

> How can I record in the squid logs which OpenVPN client certificate is
> using the proxy?
You can't... unless you build some external ACL helper that will do
that for you with a special OpenVPN API/logs and the client IP.
If you want to know which client/certificate is being used, you
will need to build a special cross-logging analysis for Squid and
OpenVPN logs, like a "reverse IP to certificate" way.

> Also, how do I do this for rtmp connections because port 80 and 443 will
> have to go via the proxy but rtmp will have to bypass it somehow?
Squid is an HTTP proxy and not RTMP.
RTMP uses other ports than 80/443 and cannot be used over Squid (you can
if it's TCP and you allow CONNECT and unsafe ports, which is not safe
and will make the VPN connection vulnerable and maybe useless).

If you have a solid reason to do so, it can be a nice project to try.

A simpler way is to assign a dedicated IP to each certificate/client.

Regards,
Eliezer

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
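An added example (not Eliezer's code, nor anything shipped with Squid or OpenVPN) of the "reverse IP to certificate" correlation the reply describes: it reads the ROUTING TABLE section of OpenVPN's status file and joins it against the client-IP field of Squid's native access.log. The file contents, client names and addresses are constructed samples in the real formats.

```python
# Added example (not from this thread): join Squid access.log client IPs with
# the ROUTING TABLE of an OpenVPN status file to recover the certificate CN.
# Both inputs are constructed samples in the real file formats.
OPENVPN_STATUS = """\
OpenVPN CLIENT LIST
Updated,Sat Aug 11 20:00:00 2012
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:41234,10240,20480,Sat Aug 11 19:50:00 2012
bob,198.51.100.7:51111,512,1024,Sat Aug 11 19:58:00 2012
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.5:41234,Sat Aug 11 19:59:00 2012
10.8.0.10,bob,198.51.100.7:51111,Sat Aug 11 19:59:30 2012
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""
SQUID_ACCESS = """\
1344708000.123    245 10.8.0.6 TCP_MISS/200 1532 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1344708001.456     12 10.8.0.10 TCP_MISS/200 800 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
1344708002.789      0 10.8.0.14 TCP_DENIED/403 3000 CONNECT example.net:8443 - HIER_NONE/- text/html
"""


def parse_openvpn_status(text):
    """Map tun virtual IP -> certificate Common Name from the ROUTING TABLE."""
    ip_to_cn, in_routing = {}, False
    for line in text.splitlines():
        if line == "ROUTING TABLE":
            in_routing = True
        elif line == "GLOBAL STATS":
            break
        elif in_routing and not line.startswith("Virtual Address"):
            virt_ip, cn = line.split(",")[:2]
            ip_to_cn[virt_ip] = cn
    return ip_to_cn


def attribute_requests(access_log, ip_to_cn):
    """Return (cn_or_None, client_ip, method, url) per Squid access.log line.

    The status file is a snapshot: a tun IP may have been reassigned since
    the request was logged, so compare the request time against 'Last Ref'
    or pin each CN to a fixed IP (ifconfig-push in client-config-dir).
    """
    rows = []
    for line in access_log.splitlines():
        f = line.split()  # squid native format: time elapsed client ... method url
        if len(f) >= 7:
            rows.append((ip_to_cn.get(f[2]), f[2], f[5], f[6]))
    return rows
```

A request from a tun IP that is absent from the routing table (the third sample line) is reported with `None` as its CN, so unattributed traffic stands out rather than being silently dropped.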
Received on Sat Aug 11 2012 - 17:19:03 MDT

This archive was generated by hypermail 2.2.0 : Sat Aug 11 2012 - 12:00:03 MDT