Feature Request - Transparent Proxy for OpenVPN Network

Feature Request - Transparent Proxy for OpenVPN Network (Maybe with a checkbox similar to the transparency on green)

It would be nice if all the traffic would go through the proxy transparently as soon as a client is connected to OpenVPN with the option Redirect-Gateway def1 at the IPFire firewall.

This is especially important as mobile devices like smartphones do not support proxies after connecting to OpenVPN.


I am afraid this feature request is not a realistic one, primarily because the web proxy does not work on HTTPS connections in transparent mode. To make this work, we would need to build TLS interception into it, which causes more harm than good from a security perspective. The developer team agreed on not implementing this some years ago.

Also, it does not come as a zero-configuration solution, since the clients behind IPFire would need to have a new root CA deployed, in order not to get certificate validation errors for every destination.

In the end, this boils down to the problem of how to manage clients behind IPFire. If there is a solution for this in a certain environment (such as an MDM), deploying proxy settings itself is not an issue anymore.

Thanks, and best regards,
Peter Müller

I meant to implement the transparent proxy for OpenVPN as well.
That means without HTTPS, only HTTP, as it is in the normal network.
That was my idea :)


I see.

@ummeegge: Since you are the OpenVPN expert around here, do you have an opinion on this?

Thanks, and best regards,
Peter Müller

Hi all,
we did this regularly via a manual entry of the OpenVPN subnet in Squid's "Network based access control" → wiki.ipfire.org - Network based access control, which might also be a better place for a potential checkbox?! "$ovpnSettings{'DOVPN_SUBNET'}" from general-functions or simply "/var/ipfire/ovpn/settings" and "&Network::convert_prefix2netmask" can be the place to look/convert for the specifics.
Show/hide the checkbox in proxy.cgi style → git.ipfire.org Git - ipfire-2.x.git/blob - html/cgi-bin/proxy.cgi is also a possible solution.

In general my opinion of this feature is a good one, even though one is only two clicks and one entry away from the same result.

Greetings and best,



Any update related to this topic?
Did it make it on the roadmap?