On 8/11/2012 6:15 PM, J Webster wrote:
> But once the tunnel reaches the OpenVPN server, you can direct port 80
yes as the machine is a router.
<SNIP>
of course you can.
it's a basic IPTABLES rules and since openvpn uses a tunX interface
you can intercept all traffic from the tunX interface to the proxy.
but you can't force the clients to use the VPN as gateway to the whole
world, only to the VPN connection.

Regards,
Eliezer


> So, I simply forward port 80 and 443 on network 10.8.0.0 to a transparent
> squid proxy?
yes.
but for 443/SSL you will need ssl-bump, which is a bit complicated.

> How can I record in the squid logs which OpenVPN client certificate is
> using the proxy?
you can't... unless you build some external ACL helper that will do that for you with a special OpenVPN API/logs and the client IP. If you want to know which client/certificate is being used you will need to build a special cross-logging analysis for the squid and openvpn logs, like a "reverse IP to certificate" way.

> Also, how do I do this for rtmp connections because port 80 and 443 will
> have to go via the proxy but rtmp will have to bypass it somehow?
squid is an http proxy and not rtmp.
rtmp uses other ports than 80/443 and cannot be used over squid (you can if it's TCP and you allow CONNECT and unsafe ports, which is not safe... and will make the VPN connection vulnerable and maybe useless).

if you have a solid reason to do so it can be a nice project to try.

a simpler way is to assign a dedicated IP for each certificate/client.

Regards,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
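The "reverse IP to certificate" cross-log analysis Eliezer describes above, as an added example that is not code from this thread or from the Squid or OpenVPN projects. It reads the "MULTI: Learn:" lines the OpenVPN server writes when it maps a tunnel address to a client's certificate common name, then annotates each native-format squid access.log line with the common name that held the client IP at the time of the request. Both log samples are constructed; the OpenVPN line layout, the assumption that the OpenVPN log is in UTC, and the function names are assumptions of this example. The time-aware lookup matters because a tunnel address is handed out again after a client disconnects, so a static IP-to-name table would attribute a later client's requests to the earlier one.

```python
"""Annotate squid access.log client IPs with the OpenVPN certificate CN.

Constructed example: correlates OpenVPN server log "MULTI: Learn:" lines
(tunnel IP -> common name, with a timestamp) against squid's native
access.log (first field is the unix timestamp, third is the client IP).
"""
import bisect
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed OpenVPN server log. 10.8.0.6 is first learned for "alice"
# and later re-learned for "bob" after alice has disconnected.
OPENVPN_LOG = """\
Sat Aug 11 17:00:00 2012 alice/203.0.113.5:1194 MULTI: Learn: 10.8.0.6 -> alice/203.0.113.5:1194
Sat Aug 11 17:45:00 2012 bob/198.51.100.9:1194 MULTI: Learn: 10.8.0.6 -> bob/198.51.100.9:1194
Sat Aug 11 17:50:00 2012 carol/192.0.2.77:1194 MULTI: Learn: 10.8.0.10 -> carol/192.0.2.77:1194
"""

# Constructed squid native access.log lines (epoch timestamps are UTC).
# 1344705000 = 17:10, 1344707280 = 17:48, 1344707700 = 17:55, 1344707760 = 17:56.
SQUID_LOG = """\
1344705000.101    120 10.8.0.6 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1344707280.202     80 10.8.0.6 TCP_MISS/200 2048 GET http://example.net/ - DIRECT/93.184.216.34 text/html
1344707700.303     50 10.8.0.10 TCP_MISS/200 1024 GET http://example.org/ - DIRECT/93.184.216.34 text/html
1344707760.404     50 10.8.0.99 TCP_MISS/200 1024 GET http://example.org/ - DIRECT/93.184.216.34 text/html
"""

# Assumed layout: "<ctime stamp> <cn>/<real addr> MULTI: Learn: <vip> -> <cn>/<real addr>"
LEARN_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) .*MULTI: Learn: "
    r"(?P<vip>\d+\.\d+\.\d+\.\d+) -> (?P<cn>[^/]+)/"
)


def parse_openvpn_learns(text):
    """Return {tunnel_ip: [(epoch, common_name), ...]} sorted by time."""
    learns = defaultdict(list)
    for line in text.splitlines():
        m = LEARN_RE.match(line)
        if not m:
            continue  # not an address-assignment line
        stamp = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        # Assumption: the OpenVPN log is written in UTC, like squid's epoch.
        epoch = stamp.replace(tzinfo=timezone.utc).timestamp()
        learns[m["vip"]].append((epoch, m["cn"]))
    for events in learns.values():
        events.sort()
    return dict(learns)


def certificate_for(learns, tunnel_ip, epoch):
    """Common name that held tunnel_ip at time epoch, or None if unassigned."""
    events = learns.get(tunnel_ip)
    if not events:
        return None
    times = [t for t, _ in events]
    i = bisect.bisect_right(times, epoch)  # latest assignment at or before epoch
    if i == 0:
        return None  # request predates any assignment of this address
    return events[i - 1][1]


def annotate_squid_log(squid_text, learns):
    """Return a list of (common_name or 'UNKNOWN', original squid line)."""
    annotated = []
    for line in squid_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed or empty line
        epoch = float(fields[0])
        client_ip = fields[2]
        cn = certificate_for(learns, client_ip, epoch) or "UNKNOWN"
        annotated.append((cn, line))
    return annotated


def requests_per_certificate(annotated):
    """Count squid requests per certificate common name."""
    counts = defaultdict(int)
    for cn, _ in annotated:
        counts[cn] += 1
    return dict(counts)


if __name__ == "__main__":
    table = parse_openvpn_learns(OPENVPN_LOG)
    for cn, line in annotate_squid_log(SQUID_LOG, table):
        print(f"{cn:8} {line}")
    print(requests_per_certificate(annotate_squid_log(SQUID_LOG, table)))
```

If each client instead gets a fixed tunnel address through `ifconfig-push` in its client-config-dir (ccd) file, the dedicated-IP approach from the end of the reply, the mapping never changes and the lookup collapses to a static table; the time-aware version above is only needed when addresses come from a shared pool. An address that appears in the squid log but never in the OpenVPN log (10.8.0.99 in the sample) is reported as UNKNOWN rather than guessed, which is the case worth alerting on when the proxy is supposed to be reachable only through the tunnel.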
