Category archive: Debian

[EN] Tunnel traffic from VPN through Server to enable Internet Access and use Squid as Transparent Proxy

You want to build an OpenVPN or PPTP-VPN enabled server on your VPS or dedicated server?
It's not that hard. Here is the manual way (it may be improved later to do it automatically).

  1. Install pptpd-vpn as shown HERE, or OpenVPN as shown HERE. I prefer pptpd-vpn as it is really easy to set up!
    • # apt-get install squidguard squid3 pptpd-vpn openvpn
  • Try to connect. At the moment you won't be able to use the Internet until
    • the script in the next step has been executed (then reconnect), or
    • you use the proxy.
  • Do the next steps:
    • # nano /root/

#!/bin/sh
# tun+ devices are used by OpenVPN
# tap+ devices are used by PPP-VPN
# Lines starting with # are comments, leave them as they are

# IP range of the VPN clients (the network handed out to OpenVPN/PPP clients)
NAT_NETWORK=""      # <- fill in the network address of your VPN client range

# CIDR prefix length without the / (slash); usually 24 or 16
NAT_NETMASK=""      # <- fill in the prefix length of the range above

[ -n "$NAT_NETWORK" ] && [ -n "$NAT_NETMASK" ] || { echo "set NAT_NETWORK and NAT_NETMASK first"; exit 1; }

# Primary Ethernet card (usually eth0)
ETH_NIC="eth0"

# OpenVPN listening port (1194 is the OpenVPN default)
OPVPN_PORT="1194"

# Transparent Squid ports (the "http_port ... transparent" lines in squid.conf)
PROXY_PORT1="6778"
PROXY_PORT2="6779"

# The kernel has to forward the VPN clients' packets at all
echo 1 > /proc/sys/net/ipv4/ip_forward

# OpenVPN (firewall port opening)
iptables -A INPUT -i "$ETH_NIC" -m state --state NEW -p udp --dport "$OPVPN_PORT" -j ACCEPT

# Allow TUN/TAP interface connections to the VPN server
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o "$ETH_NIC" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i "$ETH_NIC" -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow TAP interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -o "$ETH_NIC" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i "$ETH_NIC" -o tap+ -m state --state RELATED,ESTABLISHED -j ACCEPT
# NAT the VPN client traffic to the Internet
iptables -t nat -A POSTROUTING -s "$NAT_NETWORK/$NAT_NETMASK" -o "$ETH_NIC" -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A OUTPUT -o tap+ -j ACCEPT

# Pre-route port 80 through the proxy (transparent interception)
# Support for OpenVPN (tap+) and PPP-VPN (ppp+). Match VPN-side interfaces only,
# never $ETH_NIC: the transparent ports carry no proxy authentication.
iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT1"
iptables -t nat -A PREROUTING -i tap+ -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT2"

echo done.

  • # chmod 700 /root/
  • # /root/   # needs to be run only once per reboot

The reason we use ppp+ and tap+ is that this way more than one connection is supported. I also use two different ports on Squid for easier handling, but you can just as well use the same port.
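As an added check that is not part of the original post, the following script audits an iptables-save dump of the nat table for the two properties that matter here: every REDIRECT into Squid's transparent ports is bound to a VPN-side interface only (those ports cannot demand proxy_auth, so a REDIRECT on the external NIC would make an open proxy), and the VPN range is masqueraded. The dumps and the ip_forward files are constructed samples, and eth0 as the external NIC is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an iptables-save dump of the
# nat table for the VPN + transparent-Squid setup above. Both dumps below are
# CONSTRUCTED samples; on a real server use:  iptables-save -t nat > /tmp/nat.dump
# Assumption: the external NIC is eth0 (the post's "primary Ethernet card").
ETH_NIC="eth0"
# Pass when every REDIRECT in PREROUTING is bound to a VPN-side interface (ppp+,
# tap+, tun+) and at least one exists. Squid cannot demand proxy_auth on the
# transparent ports, so a REDIRECT matched on the external NIC (or on no
# interface at all) would expose them to the Internet as an open proxy.
redirects_only_on_vpn() {
  total=$(grep -cE '^-A PREROUTING .* -j REDIRECT' "$1" || true)
  vpn=$(grep -E '^-A PREROUTING .* -j REDIRECT' "$1" | grep -cE -e '-i (ppp|tap|tun)[+] ' || true)
  [ "$total" -gt 0 ] && [ "$total" -eq "$vpn" ]
}

# Pass when the VPN client range is masqueraded out of the external NIC, which
# is what gives the clients Internet access.
has_masquerade() {
  grep -qE "^-A POSTROUTING -s [0-9./]+ -o $ETH_NIC -j MASQUERADE" "$1"
}

# Pass when kernel forwarding is on; the argument is the path of the ip_forward
# sysctl file (/proc/sys/net/ipv4/ip_forward on a live host).
forwarding_enabled() {
  [ "$(cat "$1")" = "1" ]
}

# Constructed sample 1: the rules the script above installs (correct setup).
GOOD_DUMP=$(mktemp)
cat > "$GOOD_DUMP" <<'EOF'
-A PREROUTING -i ppp+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 6778
-A PREROUTING -i tap+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 6779
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
EOF

# Constructed sample 2: a misconfiguration, one REDIRECT sits on the external NIC.
BAD_DUMP=$(mktemp)
cat > "$BAD_DUMP" <<'EOF'
-A PREROUTING -i ppp+ -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 6778
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 6779
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
EOF

# Constructed stand-ins for /proc/sys/net/ipv4/ip_forward
FWD_ON=$(mktemp);  echo 1 > "$FWD_ON"
FWD_OFF=$(mktemp); echo 0 > "$FWD_OFF"
redirects_only_on_vpn "$GOOD_DUMP" && has_masquerade "$GOOD_DUMP" && echo "sample 1: OK"
redirects_only_on_vpn "$BAD_DUMP" || echo "sample 2: REDIRECT on $ETH_NIC, fix it"
```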



2. Squid config:

  • # nano /etc/squid3/squid.conf

# requires SquidGuard
#url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
#url_rewrite_children 5

# TAG: auth_param
# you may need to use "locate pam_auth" to find the correct path
# I use physically existing system users to acquire logon rights
auth_param basic program /usr/lib/squid3/pam_auth
auth_param basic children 5
auth_param basic realm Protected server Area
auth_param basic credentialsttl 12 hours
auth_param basic casesensitive off
#auth_param digest program /usr/lib/squid3/digest_pw_auth -c /etc/squid3/passwords
#auth_param digest realm proxy

acl checkpw proxy_auth REQUIRED
http_access allow checkpw all

acl manager proto cache_object
acl localhost src ::1
acl to_localhost dst ::1
acl localnet src # RFC1918 possible internal network
acl Safe_ports port 1-65535 # unregistered ports
follow_x_forwarded_for deny all
http_access allow manager localhost localnet
http_access deny manager
http_access deny to_localhost

# change the ports here to the ones you need
http_port 6777
http_port 6778 transparent
http_port 6779 transparent
http_port 3128
http_port 3129 transparent


cache_mem 2048 MB
maximum_object_size_in_memory 4096 KB
memory_replacement_policy heap GSDF
cache_dir aufs /var/spool/squid3 1000 512 256
store_dir_select_algorithm round-robin
max_open_disk_fds 10000
minimum_object_size 1 KB
maximum_object_size 64000 KB
cache_swap_low 90
cache_swap_high 95
minimum_expiry_time 300 seconds
store_avg_object_size 512 KB
store_objects_per_bucket 80
quick_abort_min 16 KB
quick_abort_max 32 KB
quick_abort_pct 95
read_ahead_gap 32 KB
access_log /var/log/squid3/access.log squid
cache_store_log /var/log/squid3/store.log
logfile_rotate 9
log_ip_on_direct on
pid_filename /var/run/
cache_log /var/log/squid3/cache.log
diskd_program /usr/lib/squid3/diskd
unlinkd_program /usr/lib/squid3/unlinkd
refresh_pattern ^http: 1440 20% 10000
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 600 10% 60000
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
refresh_pattern . 600 30% 64320
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 3600 90% 43200 refresh-ims
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080 refresh-ims
refresh_pattern -i \.(html|htm|css|js|json)$ 1440 80% 40320 ignore-no-store
positive_dns_ttl 12 hours
negative_dns_ttl 19 seconds

client_lifetime 1 day
cache_mgr root
httpd_suppress_version_string on

dns_timeout 1 minutes
hosts_file /etc/hosts
dns_v4_first on
ipcache_size 4096
fqdncache_size 4096
memory_pools on

memory_pools_limit 2048 MB
forwarded_for off

cachemgr_passwd 8527045 all
client_db on
# refresh_all_ims off
maximum_single_addr_tries 3
retry_on_error on
pipeline_prefetch on

max_filedescriptors 100000

http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all

via off
vary_ignore_expire on

# things that might interest you but are not needed for it to work

#netdb_filename /var/log/squid3/netdb.state
# offline_mode off
# ipcache_low 90
# ipcache_high 95



## Enable only if you want to totally anonymise your proxy server

## Bear in mind that it could degrade your Internet experience
# request_header_access Allow allow all
# request_header_access Authorization allow all
# request_header_access WWW-Authenticate allow all
# request_header_access Proxy-Authorization allow all
# request_header_access Proxy-Authenticate allow all
# request_header_access Cache-Control allow all
# request_header_access Content-Encoding allow all
# request_header_access Content-Length allow all
# request_header_access Content-Type allow all
# request_header_access Date allow all
# request_header_access Expires allow all
# request_header_access Host allow all
# request_header_access If-Modified-Since allow all
# request_header_access Last-Modified allow all
# request_header_access Location allow all
# request_header_access Pragma allow all
# request_header_access Accept allow all
# request_header_access Accept-Charset allow all
# request_header_access Accept-Encoding allow all
# request_header_access Accept-Language allow all
# request_header_access Content-Language allow all
# request_header_access Mime-Version allow all
# request_header_access Retry-After allow all
# request_header_access Title allow all
# request_header_access Connection allow all
# request_header_access All deny all

# reply_header_access From deny all
# reply_header_access Referer deny all
# reply_header_access Server deny all
# reply_header_access User-Agent deny all
# reply_header_access WWW-Authenticate deny all
# reply_header_access Link deny all
# reply_header_access Allow allow all
# reply_header_access Authorization allow all
# reply_header_access WWW-Authenticate allow all
# reply_header_access Proxy-Authorization allow all
# reply_header_access Proxy-Authenticate allow all
# reply_header_access Cache-Control allow all
# reply_header_access Content-Encoding allow all
# reply_header_access Content-Length allow all
# reply_header_access Content-Type allow all
# reply_header_access Date allow all
# reply_header_access Expires allow all
# reply_header_access Host allow all
# reply_header_access If-Modified-Since allow all
# reply_header_access Last-Modified allow all
# reply_header_access Location allow all
# reply_header_access Pragma allow all
# reply_header_access Accept allow all
# reply_header_access Accept-Charset allow all
# reply_header_access Accept-Encoding allow all
# reply_header_access Accept-Language allow all
# reply_header_access Content-Language allow all
# reply_header_access Mime-Version allow all
# reply_header_access Retry-After allow all
# reply_header_access Title allow all
# reply_header_access Connection allow all
# reply_header_access All deny all


3. Using the proxy

In this setup I used PAM for authentication, which means that existing users on the system authenticate against the proxy.

  1. Run the following commands after making the changes above:
    • # /etc/init.d/squid3 restart
    • # /etc/init.d/pptpd restart
    • # /etc/init.d/openvpn restart
  2. adduser mynewproxyuser
    • in case you want to create a new one
  3. adduser mynewproxyuser proxy
    • allows „mynewproxyuser“ to use the proxy
  4. Try to connect to your proxy on port 3128.
    • If you can authenticate successfully, then you are a lucky guy.
      • Check if you can open any other site.
        • OK? GOOD
        • NOK? BAD > Check the logs and add your question to the comments.
  5. If you can connect to your proxy and use the Internet, fine.
  6. If not:
    1. Check if the service is running
      1. ps auxwww | grep squid
      2. check the logs
      3. run squid in non-daemon mode for testing
        1. # squid3 -N
      4. remember to let squid create the local cache on its first run
        1. # squid3 -z

If everything went fine, you are now able to use your server as a proxy and a VPN tunnel.

[EN] Howto use mount to bind directories

You want to bind, e.g., /home/username/folder1 to /home/username/folder2 and don't want to use a hard link for some reason?

It's easy:

sudo mount -o bind /home/username/folder1 /home/username/folder2

Bear in mind that folder2 needs to exist, else it will fail.