Today I cannot access my blog site from home because of the [bad behavior] module that blocks malicious requests. It is blocked because my home IP (assigned dynamically) is listed in the CBL (Composite Blocking List): someone who used this IP a week ago seems to have had lots of trojans and spam bots installed on his/her machine.
My solution is that I need another proxy, and the best one out there is my own. I installed Squid on my server. However, I don't want to share this proxy with anyone else, so these are the things I have to do:
- setup a secure channel from my home to my server
- setup squid to accept only the connection from my server (itself).
The first task can be done very easily with my good old tool, OpenVPN.
- Install OpenVPN on the server and the client.
- Set up the config file for the server, modifying the following values:
    port [put port number here]
    ca easy-rsa/keys/ca.crt
    cert easy-rsa/keys/server.crt
    key easy-rsa/keys/server.key
    dh easy-rsa/keys/dh1024.pem
- Run the following commands on the server (in the directory /etc/openvpn/easy-rsa):
    . ./vars
    ./clean-all
    ./build-ca
    ./build-key-server server
  The final step builds the certificate and key for the OpenVPN server. It will request some information, where the default values do nicely. When the script asks for a passphrase, I simply leave it blank. I answer the Yes/No questions positively. After that, I have to build a certificate for the client with
    ./build-key client1
  using the same information as for the server. Finally, build the Diffie-Hellman parameters:
    ./build-dh
- After that, I take the following files to my home PC:
    ca.crt client1.crt client1.key
- Set up the config file for the client (home PC), modifying the following values:
    remote [my.server.ip.address] [my port]
That's all.
Now the next step is to configure Squid, setting up its ACLs (access control lists) as follows.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255 10.8.0.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
These ACLs allow HTTP access only from localhost (which, as defined above, includes the OpenVPN tunnel subnet 10.8.0.0/24, where the OpenVPN server sits at 10.8.0.1) and deny everything else.
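To check that the ACL list above really does what the post says before exposing the proxy, here is a small evaluator of Squid's `acl` / `http_access` first-match semantics. It is an added example, not part of the original post and not Squid's own code: it parses the exact ACL fragment above (embedded inline) and answers, for a constructed request (source IP, destination, port, method, protocol), whether Squid would allow or deny it. Only the ACL types the fragment uses (`src`, `dst`, `port`, `method`, `proto`) are implemented; the example IP addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# The ACL fragment from the post, embedded so the evaluator runs offline.
SQUID_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255 10.8.0.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""


@dataclass
class Request:
    """A proxy request as Squid would classify it (constructed for the example)."""
    src: str            # client address the request arrives from
    dst: str            # destination host address
    port: int           # destination port
    method: str         # HTTP method, e.g. GET or CONNECT
    proto: str = "http" # "cache_object" marks a cache-manager request


def parse_conf(text):
    """Return (acls, rules): acl name -> (type, values); ordered http_access rules."""
    acls, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "acl":
            name, atype, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (atype, []))
            acls[name][1].extend(values)          # repeated acl lines accumulate
        elif parts[0] == "http_access":
            action = parts[1]
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((action, terms))
    return acls, rules


def _net(spec):
    # Squid accepts both "addr/netmask" and CIDR notation; ipaddress handles both.
    return ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo) <= port <= int(hi)
    return port == int(spec)


def acl_matches(acls, name, req):
    atype, values = acls[name]
    if atype == "src":
        return any(ipaddress.ip_address(req.src) in _net(v) for v in values)
    if atype == "dst":
        return any(ipaddress.ip_address(req.dst) in _net(v) for v in values)
    if atype == "port":
        return any(_port_match(v, req.port) for v in values)
    if atype == "method":
        return req.method.upper() in {v.upper() for v in values}
    if atype == "proto":
        return req.proto.lower() in {v.lower() for v in values}
    raise ValueError(f"unsupported acl type: {atype}")


def decide(acls, rules, req):
    """First http_access line whose terms all match wins; terms are ANDed,
    a leading '!' negates a term. With no match, Squid uses the opposite of
    the last line's action (and denies when no rules exist at all)."""
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


ACLS, RULES = parse_conf(SQUID_CONF)

if __name__ == "__main__":
    samples = [  # constructed requests; 203.0.113.7 stands in for an Internet host
        Request("10.8.0.6", "203.0.113.7", 443, "CONNECT"),   # VPN client, HTTPS
        Request("10.8.0.6", "203.0.113.7", 80, "GET"),        # VPN client, HTTP
        Request("10.8.0.6", "203.0.113.7", 80, "CONNECT"),    # CONNECT to non-SSL port
        Request("10.8.0.6", "203.0.113.7", 22, "GET"),        # unsafe port
        Request("198.51.100.9", "203.0.113.7", 80, "GET"),    # not on the VPN
    ]
    for r in samples:
        print(f"{r.src:>14} {r.method:<7} :{r.port:<5} -> {decide(ACLS, RULES, r)}")
```

The evaluator makes the intent of the list visible: traffic from the VPN subnet is allowed, CONNECT is permitted only to the SSL ports, and anything arriving from an address outside 127.0.0.1 and 10.8.0.0/24 falls through to `deny all`. Note that the ACL named `localhost` is really "localhost plus the whole VPN subnet", so every client holding a valid OpenVPN certificate gets proxy access.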