VPN client blocked through squid server


I have a computer running Debian between the local network and the load balancer that connects to the internet. Everything is fine, that computer has Squid running on it, BUT we have a problem with VPNs: nobody inside the office can reach the VPN server. When we remove that computer from between the load balancer and the local network, everything is fine.

Our Debian machine is running Squid in transparent mode with a bridged configuration to bypass all the data from the load balancer, which acts as a router too.

I think I need some iptables rule to forward the VPN data.

root@squid:~# iptables -vnL
Chain INPUT (policy ACCEPT 225K packets, 182M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  eth1   *       udp spts:67:68 dpts:67:68
    0     0 ACCEPT     udp  --  eth0   *       udp spts:67:68 dpts:67:68

Chain FORWARD (policy ACCEPT 193K packets, 77M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 240K packets, 185M bytes)
 pkts bytes target     prot opt in     out     source               destination

root@squid:~# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 7172 packets, 1019K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2585  151K REDIRECT   tcp  --  br0    *       tcp dpt:80 redir ports 3128
    0     0 REDIRECT   tcp  --  eth0   *       tcp dpt:80 redir ports 3128
    0     0 REDIRECT   tcp  --  eth1   *       tcp dpt:80 redir ports 3128
    0     0 REDIRECT   tcp  --  br0    *       tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT 8621 packets, 1092K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      eth0

Chain OUTPUT (policy ACCEPT 1625 packets, 97780 bytes)
 pkts bytes target     prot opt in     out     source               destination

root@squid:~# cat /etc/squid/squid.conf
cache_effective_user squid
cache_effective_user squid
http_port 3128 transparent

cache_dir ufs /home/bridge/squid/cache 2000 16 256

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none

emulate_httpd_log on

cache_mem 16 MB

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp
no_cache deny QUERY

hosts_file /etc/hosts

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 40% 4320

acl all src

# Define your network below

acl mynetwork src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl purge method PURGE
acl CONNECT method CONNECT

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https

acl Safe_ports port 1025-65535 # unregistered ports

acl SSL_ports port 443 563

http_access allow manager localhost
http_access allow manager
http_access allow purge localhost
http_access allow purge
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports

http_access allow localhost
http_access allow mynetwork
http_access allow all
http_reply_access allow all
icp_access allow mynetwork

icp_access deny all

visible_hostname bridge

coredump_dir /etc/squid

Best Answer

I resolved my problem by adding a simple iptables rule:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
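The nat rules in the question only pull TCP port 80 into Squid; everything else, VPN traffic included, simply follows the chain policies and the MASQUERADE rule. As an added check that is not part of the question or the answer, this Python script parses iptables -vnL -t nat output in the format shown above and reports which nat target a given flow would hit in PREROUTING and POSTROUTING; the table is a constructed sample built from the question's own rules, with the source/destination columns that a real listing prints.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the question's "iptables -vnL -t nat" output (one rule per line).
NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT 7172 packets, 1019K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2585  151K REDIRECT   tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
    0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain POSTROUTING (policy ACCEPT 8621 packets, 1092K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\w+)")
# columns: pkts bytes target prot opt in out source destination [match options ...]
RULE_RE = re.compile(r"^\s*\d+[KMG]?\s+\d+[KMG]?\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s*(.*)$")
# dport comes from "dpt:N" (None when the rule has no port match), redir from "redir ports N"
Rule = namedtuple("Rule", "target prot in_if out_if dport redir")

def parse_table(text):  # -> {chain: {"policy": str, "rules": [Rule, ...]}}
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = m.group(1)
            chains[cur] = {"policy": m.group(2), "rules": []}
            continue
        m = RULE_RE.match(line)
        if m and cur:
            target, prot, in_if, out_if, extra = m.groups()
            dport = re.search(r"dpt:(\d+)", extra)
            redir = re.search(r"redir ports (\d+)", extra)
            chains[cur]["rules"].append(Rule(target, prot, in_if, out_if,
                int(dport.group(1)) if dport else None, int(redir.group(1)) if redir else None))
    return chains

def verdict(chain, proto, dport, in_if, out_if):  # first matching rule's target, else the chain policy
    for r in chain["rules"]:
        if (r.prot not in ("all", proto) or r.in_if not in ("*", in_if)
                or r.out_if not in ("*", out_if) or (r.dport is not None and r.dport != dport)):
            continue
        return f"{r.target}->{r.redir}" if r.redir else r.target
    return chain["policy"]

def classify(chains, proto, dport, in_if, out_if):
    # PREROUTING runs before the output interface is known, so only the input side is matched there
    return (verdict(chains["PREROUTING"], proto, dport, in_if, "*"),
            verdict(chains["POSTROUTING"], proto, dport, in_if, out_if))
```

Feeding it a web flow returns ("REDIRECT->3128", "MASQUERADE"), while IKE on udp/500 or ESP from the bridge returns ("ACCEPT", "MASQUERADE"): Squid never sees the VPN packets, so whether they get out depends only on the FORWARD policy and the masquerade rule the answer adds.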