Web content filter not working on VPN

Hi everybody,

I’m trying to use web content filter on VPN clients, but it seems it’s not possible to configure this from the GUI.

nethserver version: 6.8
OpenVPN must stay in routed mode, I don’t want to use it as bridged mode

VPN is working and option “Route all client traffic through VPN” is ticked

web content filter is in transparent mode and works for green networks

I think I tried every configuration possible to get it working but no success.

I would like to know if it’s the expected behaviour and if it’s possible to do this (maybe with iptables but I’m not an expert, iptables -L gives a lot of entries)

Thanks a lot for your help and sorry about my English.

José

Hi José,

Try this: create a firewall rule to permit access

Gateway -> Firewall rules -> Create rule at bottom:

  • Enabled: Enabled
  • Action: Accept
  • Source: Any
  • Destination: Any
  • Service: Any
  • Write to log if this rule matches: Optional
  • Description: Optional

It works for me on NS 7b2.
Should work also on NS 6.8.

BR,
Gabriel

Hello Gabriel,

thank you for the quick answer.

I tried your suggestion but no luck! It’s not working for me.

I’ll try to install the 7.2 release, there are some improvements to the content filter, maybe it will fix the issue?

I’ll let you know…

José

1 Like

Hello José,

NS 7b2 has a lot of improvements!

In NS 7b2, the firewall rule should work with “Source: Role VPN”, but for me it doesn’t work at the moment (I think I should do a new clean installation; I made a lot of tests on the current installation and maybe this is the problem).

Gabriel

1 Like

So, from a fresh install 7.2 and updated, I don’t have VPN in source list. I tried allowing all to all for any services but still not working.

It works for local but not for vpn clients.

Gabriel, the vpn was configured in routed mode or bridged?

Thank you,

José

This is a known bug which should be already resolved:

Please, install the firewall package from testing :wink:

2 Likes

Hi, Giacomo,

Indeed I didn’t know it was a bug, after installing ipsec from software center I have vpn role in the source or destination.
Then I have the error if I try to apply the rule, resolved by installing the firewall package from testing.

But the problem still remains… web content filter is not applied to OpenVPN clients in routed mode,
I think it’s the “normal” behaviour of nethserver (I’m waiting for Gabriel to confirm if it was working for him in routed mode)

Thanks to all

José

1 Like

Sorry @xeon33, @giacomo for my late answer, but I had a busy day (I drove 800 km, about 12 hours of driving, to replace a sensor in 5 minutes).
I’m pretty tired but I want to check before I go to sleep.

So:

  • VPN: routed mode with Route all client traffic through VPN and Allow client-to-client network traffic, enabled.
  • I have installed the latest packages for nethserver-firewall-base and nethserver-firewall-base-ui (3.1.0-1.4.gbd9f255).
  • I have created the firewall rule without issues (as Giacomo said) :
    Gateway -> Firewall rules -> Create rule at bottom:
  • Enabled: Enabled
  • Action: Accept
  • Source: Role VPN
  • Destination: Role RED
  • Service: Any
  • Write to log if this rule matches: Optional
  • Description: Optional

For this rule, the web content filter is not working. I can browse.

I changed “Destination” to Role GREEN, Role VPN and Firewall: I cannot browse.

I changed “Destination” to Any: I can browse (I think it is close to the first case: Role RED + all the others); web content filter is not working.

In any of the cases above, you can block something using the DPI feature.

PS:

Web proxy: Transparent with SSL

2 Likes

@GG_jr, big thanks for having taken the time after your tiring day!!

@giacomo do you think it’s something that should be implemented in a future release?

If you want, and if most users don’t ask after this change, I can try to have a look, I have some skills in dev
I think a rule in iptables could do the trick.

1 Like

You can use web content filtering for VPN clients but only in manual (or authenticated) mode.

I don’t think so, since this is the first time someone has requested such a feature :slight_smile:
But you can implement it yourself with a simple template-custom (not tested):

```
mkdir -p /etc/e-smith/templates/etc/shorewall/rules
echo "REDIRECT ovpn 3129 tcp 80" >> /etc/e-smith/templates/etc/shorewall/rules/90squid_ovpn
signal-event firewall-adjust
```

5 Likes
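
A way to confirm which zones the transparent redirect covers, as an added example that is not part of the thread or NethServer's own code: it parses a Shorewall rules file and lists zones whose HTTP traffic would bypass the proxy on port 3129. The function names, the `loc` zone name and the sample rules are assumptions constructed for illustration; on a real system the file to check would be the generated `/etc/shorewall/rules`.

```shell
#!/bin/sh
# Added example (not NethServer code): check a Shorewall rules file for a
# REDIRECT that sends a zone's HTTP traffic to the transparent proxy port.

# zone_is_redirected FILE ZONE PROXY_PORT [DPORT]
# Returns 0 if tcp/DPORT (default 80) from ZONE is redirected to PROXY_PORT.
# Assumes the column order used in the thread: ACTION SOURCE DEST PROTO DPORT.
# Port ranges (80:90) are not expanded.
zone_is_redirected() {
    awk -v zone="$2" -v proxy="$3" -v dport="${4:-80}" '
        { sub(/#.*/, "") }                  # strip comments
        NF < 5 { next }                     # blank or incomplete line
        {
            split($1, act, ":")             # "REDIRECT:info" -> REDIRECT
            split($2, src, ":")             # "ovpn:10.8.0.0/24" -> ovpn
            if (act[1] != "REDIRECT") next
            if (src[1] != zone && src[1] != "all") next
            if ($3 != proxy || $4 != "tcp") next
            n = split($5, ports, ",")       # DPORT may be a list: 80,8080
            for (i = 1; i <= n; i++) if (ports[i] == dport) hit = 1
        }
        END { exit !hit }
    ' "$1"
}

# unfiltered_zones FILE PROXY_PORT ZONE...
# Prints each listed zone whose HTTP traffic would bypass the proxy.
unfiltered_zones() {
    file=$1 port=$2
    shift 2
    for z in "$@"; do
        zone_is_redirected "$file" "$z" "$port" || echo "$z"
    done
}

# Constructed sample: only the local zone is redirected, as in the thread
# before the custom fragment was added. "loc" is an assumed zone name.
rules=$(mktemp)
cat > "$rules" <<'EOF'
# ACTION   SOURCE  DEST  PROTO  DPORT
ACCEPT     ovpn    net   tcp    80,443
REDIRECT   loc     3129  tcp    80      # transparent proxy, local zone
EOF
echo "before: bypassing = $(unfiltered_zones "$rules" 3129 loc ovpn)"
echo "REDIRECT ovpn 3129 tcp 80" >> "$rules"
echo "after:  bypassing = $(unfiltered_zones "$rules" 3129 loc ovpn)"
rm -f "$rules"
```

The check only covers the port given (80 by default), so HTTPS from the VPN zone is reported separately by passing 443 as the fourth argument to `zone_is_redirected`.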

@giacomo it works perfectly!! :slight_smile:
Curious that I’m the first asking for this.

Again thanks to everybody

Have a nice day

José

4 Likes