pfSense as VPN client with Squid as proxy

edited September 6 in Linux VPN Setup
(Since there isn't a *BSD subforum, I guess the Linux subforum will have to do.)

Recently I started looking into getting traffic from one or two specific programs to go through the VPN. Unfortunately, Windows seems to lack this particular capability, and I don't see anything helpful in ESET Smart Security's firewall settings either.

So I fired up VMware Workstation and created a virtual machine with pfSense on the computer where I want a program to go online through the VPN.

pfSense is set up as a VPN client using this howto and some corrected settings from this page. The howto is a bit outdated, though: the port and encryption cipher aren't correct anymore (see the 2nd link); the rest still seems to be correct.

Judging from the output of
curl -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//' 
and
curl ipinfo.io/ip
the VPN connection is working.

Unfortunately, I haven't been able to get uTorrent to connect through pfSense with the help of Squid as a proxy server. The idea was to have uTorrent connect to Squid to force the traffic through the virtual PC with pfSense. But all I'm getting are errors like these: TCP_DENIED/403, TCP_MISS_ABORTED/000 and TCP_MISS/503.

That's probably a firewall issue, which I haven't been able to solve, but since I'm new with proxy servers, it can also be some different setting that I forgot to enable (or disable).

Currently, uTorrent is using the socks5 alternative, but that connection isn't very stable. It's stable when it works, but I have to restart uTorrent after some idle time to get the connection back to work since it seems to drop out from time to time. I am guessing that has got something to do with the timeout described in https://www.privateinternetaccess.com/forum/discussion/3349/torrents-added-downloads-wont-start-unless

Now if I let pfSense handle the VPN and proxy connections, I might not have that problem, but that means getting Squid and uTorrent to cooperate together.

Has anyone ever tried a setup like this and might know what I forgot to set (or set wrong) to get errors like the ones I mentioned?

To be clear, this virtualized pfSense install is not the main router, that's a computer running IPFire. pfSense will only be used for access through VPN.
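The three result codes quoted in the post (TCP_DENIED/403, TCP_MISS_ABORTED/000, TCP_MISS/503) point at different places in the chain, so it helps to sort a Squid access.log by what Squid itself says happened before touching pfSense rules. The following is an added example, not code from the original post or from Squid: a small parser for Squid's native access.log format that classifies each line. The log lines in SAMPLE_LOG are constructed for the example (tracker hostnames, the 10.0.0.2 client and the 203.0.113.x / 198.51.100.x peer addresses are all assumed), and the split between "ACL denial", "upstream failure" and "aborted" follows Squid's documented code meanings: TCP_DENIED is an http_access refusal with no upstream contact (HIER_NONE), a 5xx on TCP_MISS with HIER_DIRECT means Squid tried to reach the origin from the pfSense VM and failed, and status 000 means no reply was ever sent. The DEFAULT_SSL_PORTS set reflects Squid's stock `acl SSL_ports port 443` plus `http_access deny CONNECT !SSL_ports`, which is why CONNECT to a tracker on a non-443 port is flagged separately.

```python
"""Classify Squid access.log lines to separate Squid ACL denials from
upstream (pfSense/VPN side) failures.

Added example; not from the original forum post or from Squid itself.
All log lines below are constructed, not captured from the poster's setup.
"""
import re
from collections import Counter

# Squid native access.log format, one request per line:
#   time elapsed client result/status size method url ident hierarchy/peer type
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+'
    r'(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+'
    r'(?P<hier>\S+)\s+(?P<ctype>\S+)$'
)

# Squid's stock config only allows CONNECT to port 443 (acl SSL_ports port 443;
# http_access deny CONNECT !SSL_ports). A torrent client tunnelling to a tracker
# on any other port via CONNECT is refused before Squid contacts anything.
DEFAULT_SSL_PORTS = {443}

# Constructed sample log (hostnames, client and peer addresses are assumptions).
SAMPLE_LOG = """\
1410000001.123     0 10.0.0.2 TCP_DENIED/403 3872 GET http://tracker.example.org:6969/announce?info_hash=abc - HIER_NONE/- text/html
1410000002.456     1 10.0.0.2 TCP_DENIED/403 3872 CONNECT tracker.example.org:6969 - HIER_NONE/- text/html
1410000003.789 30012 10.0.0.2 TCP_MISS/503 4120 GET http://tracker.example.net/announce?info_hash=def - HIER_DIRECT/203.0.113.10 text/html
1410000004.012   120 10.0.0.2 TCP_MISS_ABORTED/000 0 GET http://tracker.example.com/announce?info_hash=ghi - HIER_DIRECT/198.51.100.7 -
1410000005.345   210 10.0.0.2 TCP_MISS/200 512 GET http://ipinfo.io/ip - HIER_DIRECT/203.0.113.20 text/plain
"""


def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def target_port(entry):
    """Port the client asked Squid to reach: host:port for CONNECT, otherwise from the URL."""
    url = entry["url"]
    if entry["method"] == "CONNECT":
        _host, _, port = url.rpartition(":")
        return int(port) if port.isdigit() else 443
    m = re.match(r'^[a-z]+://[^/:]+(?::(\d+))?', url)
    if m and m.group(1):
        return int(m.group(1))
    return 443 if url.startswith("https://") else 80


def classify(entry):
    """Map one parsed entry to where the failure happened."""
    result, status = entry["result"], int(entry["status"])
    if result.startswith("TCP_DENIED"):
        # Squid refused via http_access; the request never left the proxy (HIER_NONE).
        if entry["method"] == "CONNECT" and target_port(entry) not in DEFAULT_SSL_PORTS:
            return "denied_connect_non_ssl_port"   # stock SSL_ports rule
        return "denied_by_acl"                      # some other http_access rule
    if status == 0 or result.endswith("_ABORTED"):
        # No reply was sent: the client gave up or the connection died mid-flight.
        return "aborted_no_reply"
    if status >= 500:
        # Squid passed the ACLs and tried the origin (HIER_DIRECT) but could not
        # reach it: look at pfSense's outbound rules / VPN route, not at Squid.
        return "upstream_failed"
    return "served"


def summarize(log_text):
    """Count entries per category; unparseable lines are counted separately."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        counts["unparsed" if entry is None else classify(entry)] += 1
    return dict(counts)


if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{category:30s} {n}")
```

Run against a real access.log (`summarize(open("/var/squid/logs/access.log").read())` on pfSense's default Squid log path), a pile of `denied_by_acl` or `denied_connect_non_ssl_port` entries means the fix is in Squid's ACLs (allowing the 10.0.0.0/24 host-only subnet and the ports the client needs), whereas `upstream_failed` entries mean Squid was allowed through and the packet is dying on pfSense's WAN or VPN side.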

Comments

  • Posts: 219
    If VMware is still as I remember (and similar to the VM s/w I'm using these days), there is an implied firewall separate from your VM OS firewall. The 'network' (virtual ethernet) config must be set up carefully.
  • The virtual network config is set correctly, as far as I know that is.

    The VM has two network interfaces. pfSense's WAN interface is bridged with the host's physical LAN interface (using the 192.168.1.* range); pfSense's LAN interface is set to "host only" (10.0.0.* range).

    As for the implied firewall, not a clue. I only know of 3 firewalls currently active: The one on the host (ESET Smart Security, which I already turned off to see if that one was being a pain in the .... ), pfSense of course and the one on my router-pc which is running IPFire.

    Since the log in pfSense shows those errors, traffic is getting there. Maybe it's just not getting past pfSense? I don't know...
  • Posts: 219
    Okay, 'bridged', that removes any default filtering by the VM kernel. Good.

    Yes, I think you're right: you have evidence the traffic is reaching pfSense. "netcat" ('nc') is a useful tool to test and probe. One instance running on the VM machine can be listening and another used to send traffic.
  • Posts: 1
    Newer releases of pfSense have default firewall settings to block connections to RFC1918 addresses (i.e. your 192 WAN address in pfSense) by default. See if you have a default WAN block rule in place (Firewall->Rules->WAN), and if so, edit it and check the Reserved Networks settings at the bottom. I think it says block private networks, or something like that. Unchecking it will allow the traffic through the firewall.

    NOTE: I've never tested the setup you're talking about, but had the same problems with traffic passing outbound from a VM pfSense lab I had set up behind a pfSense firewall. Obviously you'll want to test to make sure it's still working correctly after making the setting change.
  • I know the setting you are talking about, that setting is turned off. If I hadn't done that, pfSense wouldn't have been able to go online at all and update itself and install packages. So that one is ruled out. Thanks for mentioning it though.

    (And just now I enabled email notifications, guess why there was a delay in answering...)