Feature Request - Transparent Proxy for OpenVPN Network

adminpg · 8 September 2021 12:24

Feature Request - Transparent Proxy for OpenVPN Network (Maybe with a checkbox similar to the transparency on green)

It would be nice if all the traffic would going through the proxy transparent as soon as connected to Open VPN with the option Redirect-Gateway def1 at the ipfire firewall.

adminpg · 17 March 2022 09:38

This is especially important as Mobile Devices like smartphones donot support proxies after connecting to Open VPN.

pmueller · 22 March 2022 09:33

Hi,

I am afraid this feature request is not a realistic one, primarily because a the web proxy does not work on HTTPS connections in transparent mode. To make this work, we would need to build TLS interception into it, which causes more harm than good from a security perspective. The developer team agreed on not implementing this some years ago.

Also, it does not come as a zero-configuration solution, since the clients behind IPFire would need to have a new root CA deployed, in order to not getting certificate validation errors for every destination.

In the end, this boils down to the problem on how to manage clients behind IPFire. If there is a solution for this in a certain environment (such as a MDM), deploying proxy settings itself is not an issue anymore.

Thanks, and best regards,
Peter Müller

adminpg · 22 March 2022 09:49

I ment to implement the transparent proxy for the openvpn as well.
That means without https only http as it is in the normal network.
That was my idea

pmueller · 22 March 2022 09:51

Hi,

I see.

@ummeegge: Since you are the OpenVPN expert around here, do you have an opinion on this?

Thanks, and best regards,
Peter Müller

ummeegge · 22 March 2022 15:00

Hi all,
we did this regular via an manual entry of the OpenVPN subnet in Squid´s “Network based access control” → wiki.ipfire.org - Network based access control which might also be a better place for a potential checkbox?! "$ovpnSettings{‘DOVPN_SUBNET}’’ from general-functions or simply “/var/ipfire/ovpn/settings” and “&Network::convert_prefix2netmask” can be the place to look/convert for the specifics.
Show/hide the checkbox in proxy.cgi style → git.ipfire.org Git - ipfire-2.x.git/blob - html/cgi-bin/proxy.cgi is also a possible solution.

In general my opinion is a good one to this feature even one is two clicks and one entry far from the same result.

Greetings and best,

Erik

adminpg · 27 July 2022 11:27

Any update related to this topic?
Did it make it on the roadmap?