tranquivox69 Posted ...

Ok, what I did... I modified the last version of your script like this:

#!/bin/bash
PORT=$1
if [ "$PORT" = "" ]; then PORT=3128; fi

# helper function: print the N-th whitespace-separated token of the remaining arguments
token () {
  N=$1
  shift
  eval echo \$${N}
}

echo
echo === scanning routing table to set VPN gateway variables ...

# determine VPN gateway interface name from the 0.0.0.0/1 route
ip -4 route show
ROUTE4=$(ip -4 route show 0.0.0.0/1)
#echo ROUTE4=$ROUTE4
# take the word after "dev", so both "0.0.0.0/1 via A.B.C.D dev tun0" and
# "0.0.0.0/1 dev tun0 ..." route lines give the interface name
GATEWAY_IF=$(echo "$ROUTE4" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
echo GATEWAY_IF=$GATEWAY_IF
if [ -z "$GATEWAY_IF" ]; then
  echo "no VPN route for 0.0.0.0/1 found, not starting squid" >&2
  exit 1
fi

# determine VPN local IPv4 address (drop the /prefix, squid does not accept it)
ip -4 addr show dev "$GATEWAY_IF"
ADDR4=$(ip -4 addr show dev "$GATEWAY_IF" | grep global)
GATEWAY_LOCAL4=$(token 2 $ADDR4)
GATEWAY_LOCAL4=${GATEWAY_LOCAL4%%/*}
echo GATEWAY_LOCAL4=$GATEWAY_LOCAL4

# determine VPN local IPv6 address
ip -6 addr show dev "$GATEWAY_IF"
ADDR6=$(ip -6 addr show dev "$GATEWAY_IF" | grep global)
GATEWAY_LOCAL6=$(token 2 $ADDR6)
GATEWAY_LOCAL6=${GATEWAY_LOCAL6%%/*}
echo GATEWAY_LOCAL6=$GATEWAY_LOCAL6

NAME=squid_vpn_${PORT}
mkdir -p ~/Documents/VPNscripts/squid_service/tmp > /dev/null

# write a squid configuration bound to the VPN addresses, listening on localhost only,
# with caching and all logging disabled
cat <<EOF >~/Documents/VPNscripts/squid_service/tmp/${NAME}.conf
tcp_outgoing_address $GATEWAY_LOCAL4
tcp_outgoing_address $GATEWAY_LOCAL6
udp_outgoing_address $GATEWAY_LOCAL4
udp_outgoing_address $GATEWAY_LOCAL6
# quad9 DNS
dns_nameservers 9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
# Cloudflare DNS
#dns_nameservers 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
# Google DNS
#dns_nameservers 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
http_port 127.0.0.1:${PORT}
pid_filename $HOME/Documents/VPNscripts/squid_service/tmp/${NAME}.pid
acl localnet src 127.0.0.1
http_access allow localnet
shutdown_lifetime 1 seconds
buffered_logs off
cache deny all
access_log none
cache_store_log none
cache_log /dev/null
netdb_filename none
via off
forwarded_for delete
EOF

echo
echo === contents of squid configuration file ...
cat ~/Documents/VPNscripts/squid_service/tmp/${NAME}.conf

echo
echo === starting squid ...
pushd ~/Documents/VPNscripts/squid_service/tmp > /dev/null
SQUID_BIN=/usr/sbin/squid
echo SQUID_RUN=$SQUID_BIN
# stop any squid already running from this config, then run a new one in the foreground
$SQUID_BIN -f ~/Documents/VPNscripts/squid_service/tmp/${NAME}.conf -N -k kill
$SQUID_BIN -f ~/Documents/VPNscripts/squid_service/tmp/${NAME}.conf -N -n SQUID${PORT}
popd > /dev/null
echo
echo === ... squid has stopped

Adding options to avoid logging, not even in background. I call this script at the end of vpn_gateway_route, so once the VPN is up the proxy starts. I remmed out the first instruction to kill squid because (see here) I put that at the end of vpn_gateway_show (hardcoded, as variables are not available; in any case I have no intention of changing the port, no big deal).

In Eddie I have three Events configured:

Session Start - launches vpn_gateway_hide
VPN Up - launches vpn_gateway_route (which ends by calling the proxy script above, activating the squid proxy)
Session End - launches vpn_gateway_show (which ends by killing the squid process)

In process monitor I see squid starting once the VPN is up and closing once the VPN is down. Together with the proxy extension on Firefox this is now pretty much seamless. I couldn't have done anything without your help, nothing at all... so I remain immensely grateful. Thanks!

One thing that I'm pretty sure about is that this configuration leaks DNS requests somehow. If I don't set any DNS at all in Eddie (DNS Switch mode disabled) I see my home router DNS there. If I set DNS in Eddie (Automatic switch mode, while adding Quad9 DNS addresses), I see in IPleak a mix of DNS addresses from my country and from the VPN's exit point country. Not my home router DNS (which I set to Cloudflare to avoid confusion in the analysis). Thought it was worth mentioning. But again: thank you!
NaDre Posted ...

On 4/12/2023 at 5:35 AM, tranquivox69 said: ... One thing that I'm pretty sure about is that this configuration leaks DNS requests somehow. If I don't set any DNS at all in Eddie (DNS Switch mode disabled) I see my home router DNS there. If I set DNS in Eddie (Automatic switch mode, while adding Quad9 DNS addresses), I see in IPleak a mix of DNS addresses from my country and from the VPN's exit point country. Not my home router DNS (which I set to Cloudflare to avoid confusion in the analysis). Thought it was worth mentioning. But again: thank you! EDIT: I know now that this leak is coming from Firefox. Not SQUID. If you set "DNS over HTTPS" to "https://dns.google/dns-query" while everything else points somewhere else, then the "leak" is to Google. So Firefox is doing DNS lookups without relying on SQUID.

Yeah. I think the binding to the specified UDP outgoing address, which is used for DNS, is not fully respected by the DNS module in squid. At some point it makes a DNS lookup request in the usual way, which will use the default DNS server.

I didn't want to put you off. I don't see this as a big issue. Particularly if you set the default DNS for your system to Cloudflare, Google or Quad9. That is actually why I suggested it.

If I feel energetic sometime I will chase it down. But then I would have to compile squid myself. I doubt I would ever convince the development team to incorporate some fix I offered.

I will look at the scripts to see if I can make the scanning for addresses more bullet-proof. I don't like that these work with Eddie but not openvpn or wg-quick. I would like to believe they will work with any VPN client/wrapper.
tranquivox69 Posted ...

1 hour ago, NaDre said: I didn't want to put you off. I don't see this as a big issue. Particularly if you set the default DNS for your system to Cloudflare, Google or Quad9. That is actually why I suggested it.

Oh, don't worry! It's in my nature to try to understand things, so I investigate and report. That doesn't have to lead to any action. Considering the huge amount of time you've dedicated to helping me... I feel the least I can do is test stuff thoroughly. I have to say I'm quite proud of the current solution I have, which wouldn't have been possible without your huge help and coding.

Looking at the code, the thing that stopped me from getting the gateways in an automated way was solved through %%/* Is that a regular expression or something similar?

Next step, which I'll try by myself, is seeing whether I can do something similar when using the WireGuard protocol from Eddie. But that's not "urgent" (nothing was, but still...).

Edit: also thanks for Quad9, which I wasn't familiar with. Seems ideal for VPN use.
NaDre Posted ...

1 hour ago, tranquivox69 said: ... Looking at the code, the thing that stopped me from getting the gateways in an automated way was solved through %%/* Is that a regular expression or something similar? ...

Yes. String manipulation. Drops "/" and anything following it from the end of the string. squid did not like having the subnet mask.

It is a bash-ism. A bash extension from what a POSIX compliant shell needs to provide. Do "man bash".

For background scripts I usually try to use "/bin/sh" rather than "/bin/bash". Bash is huge. All kinds of bells and whistles. But I could not remember how to do that string trick in "/bin/sh". I will probably look at how to use "/bin/sh" in that script too.
NaDre Posted ...

44 minutes ago, NaDre said: ... It is a bash-ism. ...

Oops. I lied. %% is not a bash-ism. But "pushd" used in that script is. So I will change that in order to use "/bin/sh".
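As an added example (not NaDre's script or tranquivox69's), this is what the "/bin/sh" version of the address scanning mentioned in the three posts above can look like: it takes the word after "dev", so both the "0.0.0.0/1 via ... dev tun0" route OpenVPN installs and the "0.0.0.0/1 dev wg0 scope link" route wg-quick installs give the interface name; it drops the prefix length with the POSIX ${addr%%/*} expansion; it uses no pushd; and it skips the IPv6 directives when the tunnel has no global IPv6 address instead of writing a directive with an empty address. The "ip" output embedded below is constructed sample data so the functions can be exercised offline; in live use you pipe the real "ip" commands shown in the comments into them.

```shell
#!/bin/sh
# POSIX sh helpers for finding the VPN interface and its local addresses.
# Added example; the ip output in the SAMPLE_* variables is constructed.

# Read route lines on stdin (e.g. "ip -4 route show 0.0.0.0/1") and print the
# interface that follows the "dev" keyword on the first matching line.
# Returns 1 when no such route exists, i.e. the VPN is not up.
vpn_gateway_if() {
    dev=$(sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1)
    [ -n "$dev" ] || return 1
    printf '%s\n' "$dev"
}

# Read "ip -4 addr show dev X" or "ip -6 addr show dev X" on stdin and print
# the first address with global scope, without its "/prefix" part.
# Returns 1 when the interface has no global address of that family.
vpn_local_addr() {
    addr=$(grep ' scope global' | awk '{print $2}' | head -n 1)
    [ -n "$addr" ] || return 1
    # POSIX parameter expansion: remove the longest suffix matching "/*"
    printf '%s\n' "${addr%%/*}"
}

# Emit the squid outgoing-address directives for whatever addresses were found.
# An empty argument is skipped, so a tunnel without IPv6 never produces a
# "tcp_outgoing_address" line with no address (which squid rejects).
squid_outgoing_directives() {
    for a in "$1" "$2"; do
        [ -n "$a" ] || continue
        printf 'tcp_outgoing_address %s\nudp_outgoing_address %s\n' "$a" "$a"
    done
    return 0
}

# Constructed samples of what "ip" prints for the two route styles.
SAMPLE_ROUTE_OPENVPN='0.0.0.0/1 via 10.4.0.1 dev tun0'
SAMPLE_ROUTE_WG='0.0.0.0/1 dev wg0 scope link'
SAMPLE_ADDR4='5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.4.0.2/24 scope global tun0
       valid_lft forever preferred_lft forever'
SAMPLE_ADDR6='5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN
    inet6 fde6:7a:7d20:4::1002/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1234/64 scope link stable-privacy
       valid_lft forever preferred_lft forever'

# Demo against the samples. Live use would be:
#   GW_IF=$(ip -4 route show 0.0.0.0/1 | vpn_gateway_if) || exit 1
#   GW4=$(ip -4 addr show dev "$GW_IF" | vpn_local_addr)
#   GW6=$(ip -6 addr show dev "$GW_IF" | vpn_local_addr)
demo_if=$(printf '%s\n' "$SAMPLE_ROUTE_OPENVPN" | vpn_gateway_if)
demo_v4=$(printf '%s\n' "$SAMPLE_ADDR4" | vpn_local_addr)
demo_v6=$(printf '%s\n' "$SAMPLE_ADDR6" | vpn_local_addr)
echo "GATEWAY_IF=$demo_if GATEWAY_LOCAL4=$demo_v4 GATEWAY_LOCAL6=$demo_v6"
squid_outgoing_directives "$demo_v4" "$demo_v6"
```

Because every function reads from stdin, the same code runs unchanged against real "ip" output or against captured output from another machine, which makes it easy to check a new VPN client's route format before trusting the script with it.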
tranquivox69 Posted ...

22 hours ago, tranquivox69 said: I remmed out the first instruction to kill squid because I put that at the end of vpn_gateway_show

A partial mistake. The instruction needs to stay there, because, if Eddie has to switch server, things get messed up for the proxy. It stays there but, at the same time, I leave it at the end of vpn_gateway_show, so as not to leave a useless process if I close the VPN. I modified that post and linked to this one for explanation.
tranquivox69 Posted ...

16 hours ago, NaDre said: Drops "/" and anything following it from the end of the string. squid did not like having the subnet mask.

Yeah, I got that squid did not want that there... I simply did not know how to manipulate the string 😕

Edit: also... a day has passed, finally a good night of sleep and... god, these few days, your huge help, brought me back to the days when the internet was an incredible and wonderful place. It can still be, and you showed me that. Thanks for that too.
NaDre Posted ...

3 hours ago, tranquivox69 said: ... brought me back to the days when the internet was an incredible and wonderful place. ...

Hacking can be a good hobby. Just don't try doing it for a living. It won't be as much fun.
tranquivox69 Posted ...

On 4/12/2023 at 5:42 PM, tranquivox69 said: Next step, which I'll try by myself, is seeing whether I can do something similar when using the WireGuard protocol from Eddie. But that's not "urgent" (nothing was, but still...).

Ended up not even trying WireGuard, as with the current OpenVPN based setup my gigabit bandwidth gets saturated anyway. I'm astonished at the speed improvement brought by Linux when compared to Windows. Even more so considering I'm using a far less powerful processor.