Redirect OpenVPN gateway traffic to Privoxy


Solution 1

You can push proxy configuration to the OpenVPN clients.

From the OpenVPN Access Server web interface, go to Advanced VPN Settings → Server Config Directives and enter the following directive with your proxy IP/port info.

push "dhcp-option PROXY_HTTP 111.222.333.44 8118"

I am not sure if all OpenVPN clients support this config. But on iOS it works well.

Solution 2

Set up privoxy to listen on an address on the tunnel interface, for example 172.26.0.1, then just redirect VPN traffic to it:

sudo iptables -t nat -A PREROUTING --source 172.26.0.0/16 -p tcp -m tcp --dport 80 -j DNAT --to 172.26.0.1:8118
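
A pre-flight check for the redirect in Solution 2, combined with the accept-intercepted-requests setting raised in the comments; this is an added example, not code from the original thread. The function names and sample config contents are constructed for illustration, and 172.26.0.1:8118 is the address used in the answer.

```shell
#!/bin/sh
# Added example: pre-flight check for the DNAT rule in Solution 2.
# Function names and sample configs are constructed, not from the thread.

# Print the last value set for directive NAME in Privoxy config FILE.
privoxy_directive() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# Return 0 only if FILE is ready to receive port-80 traffic DNATed to TARGET.
check_intercept_ready() {
    conf=$1; target=$2; rc=0
    # Off by default; intercepted (non-proxy-style) requests are refused without it.
    if [ "$(privoxy_directive "$conf" accept-intercepted-requests)" != "1" ]; then
        echo "FAIL: accept-intercepted-requests is not 1"; rc=1
    fi
    # The DNAT destination must be an address Privoxy is bound to.
    if ! awk -v t="$target" '$1 == "listen-address" && $2 == t { ok = 1 }
                             END { exit !ok }' "$conf"; then
        echo "FAIL: no 'listen-address $target' line"; rc=1
    fi
    # An empty or 0.0.0.0 host binds every interface, not only the tunnel.
    if awk '$1 == "listen-address" && $2 ~ /^(0\.0\.0\.0)?:[0-9]+$/ { w = 1 }
            END { exit !w }' "$conf"; then
        echo "FAIL: wildcard listen-address exposes the proxy outside the VPN"; rc=1
    fi
    return "$rc"
}

# Constructed sample configs
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
# bound to the tunnel address only
listen-address  172.26.0.1:8118
accept-intercepted-requests 1
EOF
cat > "$BAD" <<'EOF'
# loopback listener, interception left off
listen-address  127.0.0.1:8118
accept-intercepted-requests 0
EOF

check_intercept_ready "$GOOD" 172.26.0.1:8118 && echo "good config: ready for DNAT"
check_intercept_ready "$BAD"  172.26.0.1:8118 || echo "bad config: fix before adding the rule"
```

Point the function at the real Privoxy config file and the `--to` address of the rule before loading the rule.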

Solution 3

Privoxy is an HTTP proxy. What you're trying to do is feed it intact network packets, which I'm 99% sure it's not going to accept without some very complex mangle rules in iptables. Instead you should expose the proxy to the VPN (seems like it is already), and push it as a DHCP option to your VPN clients.

Instructions for doing that via OpenVPN can be found here https://forums.openvpn.net/topic14829.html and it can be done on a client-by-client basis using the ccd directory if you have that set up.


Author: Max Rother

Updated on September 18, 2022

Comments

  • Max Rother
    Max Rother over 1 year

    I would like to redirect the traffic that goes through my OpenVPN gateway to Privoxy, like so:

    OpenVPN client->Internet->OpenVPN gateway->Privoxy->Internet->Webserver (and vice versa)

    So far I managed to get the OpenVPN gateway working fine. Connecting to the Privoxy proxy appears to be working as well. But redirecting port 80 traffic via iptables just won't work (external webservers are unreachable). What would my iptables config file have to look like?

    Thanks in advance

    PS: This is what I came up with so far...

    iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.0/24 -j MASQUERADE
    
    iptables -I FORWARD -i tap0 -j ACCEPT
    iptables -I FORWARD -o tap0 -j ACCEPT
    
    # No success with the following line
    iptables -t nat -A PREROUTING -i tap0 -p tcp --dport 80 -j REDIRECT --to-port 8118
    • user2751502
      user2751502 over 12 years
      What does your iptables configuration look like now? Show us what you've tried.
    • Giovanni Toraldo
      Giovanni Toraldo over 12 years
      Is accept-intercepted-requests enabled? By default it's disabled: privoxy.org/user-manual/config.html#ACCEPT-INTERCEPTED-REQUESTS
    • Max Rother
      Max Rother over 12 years
      @GiovanniToraldo yes, sorry forgot to mention it!
    • Max Rother
      Max Rother over 12 years
      @larsks edited the first post!
    • Max Rother
      Max Rother about 12 years
      Still no luck. Also tried Squid now. :(
    • shshank
      shshank over 10 years
      @MaxRother I am having a similar problem. Please help. serverfault.com/questions/543981/…