Web content filter not working on VPN

Hi everybody,

I’m trying to use web content filter on VPN clients, but it seems it’s not possible to configure this from the GUI.

nethserver version: 6.8
OpenVPN must stay in routed mode, I don’t want to use it as bridged mode

VPN is working and option “Route all client traffic through VPN” is ticked

web content filter is in transparent mode and works for green networks

I think I tried every configuration possible to get it working but no success.

I would like to know if it’s the expected behaviour ans if it’s possible to do this (maybe with iptables but I’m not an expert, iptable -L gives a lot of entries)

Thank a lot for your help and sorry about my English.

José

Hi José,

Try this: create a firewall rule to permit access

Gateway -> Firewall rules -> Create rule at bottom:

  • Enabled: Enabled
  • Action: Accept
  • Source: Any
  • Destination: Any
  • Service: Any
  • Write to log if this rule matches: Optional
  • Description: Optional

It works for me on NS 7b2.
Should work also on NS 6.8.

BR,
Gabriel

Hello Gabriel,

thank you for the quick answer.

I tried your sugestion but no luck! It’s not working for me.

I’ll try to install the 7.2 release, there are some improvements about content filter maybe it will fix the issue ?

I’ll let you know…

José

1 Like

Hello José,

NS 7b2 has a lot of improvements!

In NS 7b2, the firewall rule should work with “Source: Role VPN”, but for me, doesn’t work in this moment (I think I should do a new clean installation; I made a lot of tests on actual installation and maybe this is the problem).

Gabriel

1 Like

So, from a fresh install 7.2 and updated, I don’t have VPN in source list. I tried allowing all to all for any services but still not working.

It works for local but not for vpn clients.

Gabriel, the vpn was configured in routed mode or bridged?

Thank you,

José

This is a known bug which should be already resolved:

Please, install the firewall package from testing :wink:

2 Likes

Hi, Giacomo,

Indeed I didn’t know it was a bug, after installing ipsec from software center I have vpn role in the source or destination.
Then I have the error if I try to apply the rule, resolved by installing the firewall package from testing.

But the problem still remaining… web content filter is not applied to OpenVPN client in routed mode,
I think it’s the “normal” behaviour of nethserver (I’m waiting Gabriel to confirm if it was working for him in routed mode)

Thanks to all

José

1 Like

Sorry @xeon33 , @giacomo for my late answer, but I have a busy day (I drove 800 Km, about 12 hours only driving, to replace a sensor in 5 minutes).
I’m pretty tired but I want to check before I will go to sleep.

So:

  • VPN: routed mode with Route all client traffic through VPN and Allow client-to-client network traffic, enabled.
  • I have installed the last packages for nethserver-firewall-base and nethserver-firewall-base-ui (3.1.0-1.4.gbd9f255).
  • I have created the firewall rule without issues (as Giacomo said) :
    Gateway -> Firewall rules -> Create rule at bottom:
  • Enabled: Enabled
  • Action: Accept
  • Source: Role VPN
  • Destination: Role RED
  • Service: Any
  • Write to log if this rule matches: Optional
  • Description: Optional

For this rule, the web content filter is not working. I can browse.

I changed “Destination” to Role GREEN, Role VPN and Firewall: I cannot browse.

I changed “Destination” to Any: I can browse (I think is near the first case: Role RED + all the others); web content filter is not working.

In any case from above, you can block something using the DPI feature.

PS:

Web proxy: Transparent with SSL

2 Likes

@GG_jr, big thanks to have take the time after your tiring day!!

@giacomo do you think it’s something that should be implemented in future release ?

If you want, and if most users don’t ask after this change, I can try to have a look, I have some skills in dev
I think a rule in iptable could do the trick.

1 Like

You can use web content filtering for VPN clients but only in manual (or authenticated) mode.

I don’t think so, since this is the first time someone request for such feature :slight_smile:
But you can implement by yourself with a simple template-custom (not tested):

mkdir -p /etc/e-smith/templates/etc/shorewall/rules
echo "REDIRECT ovpn 3129 tcp 80" >> /etc/e-smith/templates/etc/shorewall/rules/90squid_ovpn
signal-event firewall-adjust
4 Likes

@giacomo it works perfectly!! :slight_smile:
Curious that I’m the first asking for this.

Again thanks to everybody

Have a nice day

José

4 Likes