Sunday, October 25, 2015

OpenVPN + VPN Gate + Squid

OK, so I need a VPN tunnel for my Internet connection at home. I don't want a client-to-site VPN, as it would send all of my traffic (not only HTTP/S) through the tunnel. I want only my HTTP/S traffic to go through the VPN tunnel.

So I set up an Ubuntu server with an OpenVPN client and a Squid proxy. This server has two vNICs: one faces the Internet and the other faces the internal network. The goal is to have this server establish an OpenVPN connection to VPN Gate from its primary interface and listen for proxy connections on the secondary interface.

This way I can point my browser at the Squid proxy, and my Internet traffic goes through the VPN tunnel.

Install OpenVPN client
Install OpenVPN with the following command:

#> sudo apt-get install openvpn curl unzip dnsmasq-base wget

Download VPN Gate .ovpn file
Go to the VPN Gate site and download an OpenVPN config file. This can be TCP or UDP. Save this file to /etc/openvpn/ and change its extension from .ovpn to .conf.

Install Squid
Install Squid3 with the following command:

#> sudo apt-get install squid3

Modify Squid.Conf
This modification sets Squid to use Google's DNS servers for name resolution instead of the DNS settings auto-configured by the OpenVPN client.

#> sudo vi /etc/squid3/squid.conf

Find the dns_nameservers directive and point it at the Google DNS servers.

Restart Squid
Restart the Squid daemon to apply the change:

#> sudo service squid3 restart

Launch OpenVPN Client
Start the VPN client connection to VPN Gate using the file downloaded earlier:

#> sudo openvpn /etc/openvpn/vpngate.conf

The reason for changing .ovpn to .conf is that, by default, any file in /etc/openvpn/ with a .conf extension is treated as a configuration file by OpenVPN, and it will be started automatically every time the server is restarted.

Browser Proxy
Now you can set your browser's proxy to the internal IP address of this server and port 3128, and the traffic will be sent through the VPN tunnel.
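As an added example (not from the original post), a small POSIX shell script that performs the squid.conf dns_nameservers edit idempotently, installs the downloaded profile as a .conf, and checks that traffic sent through the proxy really exits via the tunnel by comparing the public address seen directly and via the proxy. The paths, the proxy address and the check URL are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): automates the squid.conf edit
# described above and checks that proxied traffic really exits via the tunnel.
# All paths, the proxy address and the check URL below are assumptions.

# Replace any active dns_nameservers line(s) in a squid.conf with a single
# directive listing the given servers. Commented-out defaults are left alone,
# and running it twice leaves exactly one active line (idempotent).
set_squid_dns() {
    conf="$1"; shift
    servers="$*"
    grep -Ev '^[[:space:]]*dns_nameservers([[:space:]]|$)' "$conf" > "$conf.tmp" || true
    printf 'dns_nameservers %s\n' "$servers" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Print the servers from the active (uncommented) dns_nameservers directive.
active_squid_dns() {
    sed -n 's/^[[:space:]]*dns_nameservers[[:space:]]\{1,\}//p' "$1"
}

# Install a downloaded VPN Gate profile so OpenVPN treats it as a config:
# copy it into the OpenVPN directory and swap the .ovpn extension for .conf.
install_vpngate_profile() {
    src="$1"; dir="${2:-/etc/openvpn}"
    name=$(basename "$src" .ovpn)
    cp "$src" "$dir/$name.conf"
    echo "$dir/$name.conf"
}

# Succeed only if a request through the proxy shows a different public
# address than a direct request, i.e. the proxy sends traffic into the tunnel.
# Returns 2 when either request fails outright (check URL is an assumption).
tunnel_egress_ok() {
    proxy="$1"; url="${2:-https://ifconfig.me/ip}"
    direct=$(curl -fsS --max-time 10 "$url") || return 2
    via=$(curl -fsS --max-time 10 -x "$proxy" "$url") || return 2
    [ -n "$via" ] && [ "$via" != "$direct" ]
}

# Typical run on the proxy host (assumed/placeholder values):
#   set_squid_dns /etc/squid3/squid.conf 8.8.8.8 8.8.4.4
#   install_vpngate_profile ~/vpngate_PLACEHOLDER.ovpn
#   sudo service squid3 restart
#   tunnel_egress_ok http://192.168.x.x:3128 && echo "proxy traffic is tunnelled"
```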



Willie Aames said...

I just installed this week a pfSense server for my company to handle the edge services. However, I hit a huge stumbling block with OpenVPN. We have about 10 branches as well as 20 employees who work from home. I want to get them connected via OpenVPN so they can share network resources as well as be under the protective umbrella of all of the UTM. However, I cannot seem to get the remote devices to route through the Squid/SquidGuard/HAVP stack. They get assigned an IP address correctly on the OpenVPN subnet (192.168.1.x), I have enabled the "Force all traffic through Australia VPN" option and the "transparent proxy" option, and have added the OpenVPN subnet into the Squid Allowed ACL. I have a NAT Outbound rule set up for that subnet so it routes to the WAN. Basically, I'm at a loss. Any advice here?

Zubair Hussain Khan said...

Very nice article,
I am a VPN user and usually use a VPN for Kodi because in my region many Kodi add-ons are geo-restricted. I am using ExpressVPN on my Kodi and no doubt it is awesome.