
I have a Softether VPN server running and configured to use DHCP (SecureNAT) instead of local bridging as I couldn't figure out how to do it (despite reading all available tutorials on the internet). So I thought I'd just ditch this whole thing.

Now how can I redirect all traffic through a squid installation (not installed now) and let it handle all traffic as it should?

Alaa Salah

1 Answer


Set up the local bridge. Run sudo vpncmd and return to the administrator menu. Disable SecureNAT if you enabled it previously:

VPN Server/DEFAULT>SecureNatDisable
SecureNatDisable command - Disable the Virtual NAT and DHCP Server
Function (SecureNat Function)
The command completed successfully.

VPN Server/DEFAULT>

Now we create a bridge device. We will create a tap device rather than bridge with an existing device, as this seems to simplify the transparent proxy setup. I assume you call the bridge device soft, but this choice is arbitrary. The prefix tap_ will be added to this name automatically. We use the command BridgeCreate which takes the hub DEFAULT, the named argument /DEVICE with the name of the device soft, and the named argument /TAP with value yes.

VPN Server/DEFAULT>BridgeCreate DEFAULT /DEVICE:soft /TAP:yes
BridgeCreate command - Create Local Bridge Connection

....

The command completed successfully.

VPN Server/DEFAULT>BridgeList
BridgeList command - Get List of Local Bridge Connection
Number|Virtual Hub Name|Network Adapter or Tap Device Name|Status
------+----------------+----------------------------------+---------
1     |DEFAULT         |soft                              |Operating
The command completed successfully.

VPN Server/DEFAULT>exit

Now we enable a DHCP server for the VPN subnet. I configured /etc/dhcpd.conf as follows. The important bit is for subnet 10.10.1.0.

/etc/dhcpd.conf

# /etc/dhcpd.conf

# option definitions common to all supported networks...
option domain-name "xxx";
# DNS servers
option domain-name-servers 8.8.8.8, 8.8.4.4;

default-lease-time 600;
max-lease-time 7200;

# Use this to enable / disable dynamic dns updates globally.
ddns-update-style none;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

subnet $PUBLIC_IP netmask 255.255.255.0 {
}

subnet $PRIVATE_IP netmask 255.255.128.0 {
}

subnet 10.10.1.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option routers 10.10.1.1;
  range 10.10.1.47 10.10.1.57;
}

Next we start the tap device and the DHCP server:

sudo systemctl start network@tap_soft
sudo systemctl start dhcpd4@tap_soft

It would be wise to add these as dependencies to softethervpn-server.service. This can be done by installing the following override: /etc/systemd/system/softethervpn-server.service.d/dhcpd.conf

# /etc/systemd/system/softethervpn-server.service.d/dhcpd.conf
[Unit]
Before=dhcpd4@tap_soft.service network@tap_soft.service
Requires=dhcpd4@tap_soft.service network@tap_soft.service

Before we set up traffic forwarding for the VPN, we must ensure IPv4 forwarding is enabled in the kernel. Create the following override file, then run sysctl --system. /etc/sysctl.d/ipv4_forwarding.conf

# /etc/sysctl.d/ipv4_forwarding.conf
net.ipv4.ip_forward = 1

Finally, we must forward traffic from the tap device to the internet device. You can issue the following commands with iptables or configure ufw to add them on startup.

First, accept all traffic coming from the VPN:

sudo iptables -A INPUT -s 10.10.1.1/24 -m state --state NEW -j ACCEPT
sudo iptables -A OUTPUT -s 10.10.1.1/24 -m state --state NEW -j ACCEPT
sudo iptables -A FORWARD -s 10.10.1.1/24 -m state --state NEW -j ACCEPT

Also accept all traffic from established connections:

sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Finally, forward all traffic from the tap device to the internet interface. If you use a static IP address on the server, use this command:

sudo iptables -t nat -A POSTROUTING -s 10.10.1.1/24 -j SNAT --to-source $PUBLIC_IP

If your public IP address is not static, use this command:

sudo iptables -t nat -A POSTROUTING -s 10.10.1.1/24 -o eth0 -j MASQUERADE

Transparent Proxying

To proxy HTTP connections (squid or whatever), set up transparent proxying. All HTTP requests coming from the VPN will automagically be proxied through the proxy.

First, we need one more iptables rule. This rule forwards all traffic from the VPN with destination port 80 to the proxy, using dynamic NAT to handle multiplexing.

sudo iptables -t nat -A PREROUTING -s 10.10.1.1/24 -p tcp --dport 80 -j DNAT --to-destination $PRIVATE_IP:8118

Where 8118 is the port of your proxy server.

This was taken from https://www.williamjbowman.com/blog/2015/12/22/a-transparent-ad-blocking-vpn-via-softether-privoxy/

Hope this helps.

mriksman
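As an added example (it is not part of the answer above and is not SoftEther's, dhcpd's or squid's own tooling), the following POSIX shell script generates the iptables rules from the answer as text so they can be reviewed before being applied with root privileges. The values it uses are assumed placeholders: VPN subnet 10.10.1.0/24, a proxy listening on 10.0.0.5 port 8118 and eth0 as the internet interface. It goes a little beyond the answer in three ways: it canonicalises the source subnet (iptables silently turns 10.10.1.1/24 into 10.10.1.0/24, which is what actually gets matched), it emits one DNAT rule per port so more than port 80 can be intercepted, and it checks net.ipv4.ip_forward before the FORWARD rules are trusted to do anything.

```shell
#!/bin/sh
# Added example, not code from the original answer. Placeholder values used
# below (10.10.1.0/24, 10.0.0.5:8118, eth0) are assumptions for illustration.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to dotted-quad notation.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Canonicalise a CIDR so the rule shows the network address iptables will
# really match (10.10.1.1/24 -> 10.10.1.0/24). A bare address becomes /32.
canonical_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    if [ "$prefix" = "$addr" ]; then prefix=32; fi
    if [ "$prefix" -lt 0 ] || [ "$prefix" -gt 32 ]; then
        echo "bad prefix length: $prefix" >&2
        return 1
    fi
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( $(ip_to_int "$addr") & mask ))
    echo "$(int_to_ip "$net")/$prefix"
}

# Filter rules from the answer: new connections from the VPN subnet are
# accepted, and replies are matched by connection state.
forward_rules() {
    net=$(canonical_cidr "$1")
    printf 'iptables -A INPUT -s %s -m state --state NEW -j ACCEPT\n' "$net"
    printf 'iptables -A FORWARD -s %s -m state --state NEW -j ACCEPT\n' "$net"
    printf 'iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n'
    printf 'iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n'
}

# Masquerade rule restricted to the internet interface, so only packets that
# really leave through that interface get their source rewritten.
masquerade_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
        "$(canonical_cidr "$1")" "$2"
}

# Transparent-proxy DNAT rules: one per TCP port listed after the proxy port.
# Traffic already addressed to the proxy host is excluded (! -d) so clients
# that talk to the proxy directly are not redirected a second time.
proxy_rules() {
    net=$(canonical_cidr "$1"); proxy_ip=$2; proxy_port=$3; shift 3
    for port in "$@"; do
        printf 'iptables -t nat -A PREROUTING -s %s ! -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "$net" "$proxy_ip" "$port" "$proxy_ip" "$proxy_port"
    done
}

# True when IPv4 forwarding is enabled. The path is a parameter so the check
# can also be pointed at a test file; default is the live kernel setting.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null | tr -d ' \n')" = "1" ]
}

# Print the complete rule set for the placeholder values when run directly.
forward_rules 10.10.1.1/24
masquerade_rule 10.10.1.1/24 eth0
proxy_rules 10.10.1.1/24 10.0.0.5 8118 80
forwarding_enabled || echo "# warning: net.ipv4.ip_forward is not 1; FORWARD rules will pass no traffic" >&2
```

Run it as a plain user to review the output, then apply the printed lines with sudo once they match what you expect. Only the ports you list are intercepted; HTTPS (443) is not touched by the answer's rule, and redirecting it to a plain HTTP proxy would simply break those connections rather than proxy them.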