VPN and the case of No Internet

Right, so I had a weird scenario where a laptop could not get on the Internet using the VPN connection and a proxy, but other non-laptop devices were fine. That was intriguing, so I thought I would take a look. The service was a Squid proxy server, but any website you visited told you this:



The proxy was set as you can see here, so that was not the issue:


So, the go-to tool is an ICMP ping, which would have been a good call if it wasn't for the fact that this server does not allow the ICMP protocol, so that failed to prove anything:



So the next thing is Test-NetConnection, or tnc:

PS > tnc GreatBear.local -Port 8080

ComputerName     : GreatBear.local
RemoteAddress    : 10.295.161.517
RemotePort       : 8080
InterfaceAlias   : Grrrr is Live
SourceAddress    : 10.295.161.636
TcpTestSucceeded : True

Right, so that test was more positive, so let's try a little wget magic against google.co.uk with this command:

wget -uri www.google.co.uk


That should return an HTTP 200 and the contents from Google, but instead I got this from wget:

Access Denied : Access Control configuration is preventing your request from being allowed at this time.

However, as Squid does not natively do HTTPS inspection, it cannot show you the actual error in the browser, since it cannot intercept the traffic at this stage. You should have got this:


Right, next question: how do I fix that? The ACL on Squid is not allowing access from the IP of the laptop, or more specifically the IP of the VPN that the laptop is using.

First log in to the SSH console and then use this command:

systemctl status squid


This gives the status of the Squid proxy and other information we require. Here you can see it's running, along with the path to the configuration file, but I have also noticed an issue here as well:

● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-08-23 13:55:55 UTC; 16h ago
 Main PID: 12296 (squid)
   CGroup: /system.slice/squid.service
           ├─12296 /usr/sbin/squid -f /etc/squid/squid.conf
           ├─12298 (squid-1) -f /etc/squid/squid.conf
           └─12299 (logfile-daemon) /var/log/squid/access.log

Aug 23 13:55:55 greatbear systemd[1]: Starting Squid caching proxy...
Aug 23 13:55:55 greatbear squid[12296]: Squid Parent: will start 1 kids
Aug 23 13:55:55 greatbear squid[12296]: Squid Parent: (squid-1) process 12298 started
Aug 23 13:55:55 greatbear systemd[1]: Started Squid caching proxy.

While it is running, this section of the status is not good: squid.service; disabled. This means it's not going to restart on a system reboot, so let's fix that now with the enable command:

systemctl enable squid

That will then ask you for the root password as you can see here:

==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-unit-files ===
Authentication is required to manage system service or unit files.
Authenticating as: root
Password:
==== AUTHENTICATION COMPLETE ===
Created symlink from /etc/systemd/system/multi-user.target.wants/squid.service to /usr/lib/systemd/system/squid.service.
==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ===
Authentication is required to reload the systemd state.
Authenticating as: root
Password:
==== AUTHENTICATION COMPLETE ===

Then when you run this again:

systemctl status squid

You will notice it now looks like this and it's now enabled:

● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-08-23 13:55:55 UTC; 16h ago
 Main PID: 12296 (squid)
   CGroup: /system.slice/squid.service
           ├─12296 /usr/sbin/squid -f /etc/squid/squid.conf
           ├─12298 (squid-1) -f /etc/squid/squid.conf
           └─12299 (logfile-daemon) /var/log/squid/access.log

Excellent, however that was not the original issue, so back to that. To check this we need to open the configuration file for Squid, whose path can be seen in the status output from earlier, so we need an elevated nano text editor to check that out:

sudo nano /etc/squid/squid.conf

This will show us this, which means that only the network 10.0.0.0/8 can access the squid server:

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http

However, our laptop gets the VPN address of 174.0.0.0/16, hence it cannot access the Squid server as the ACL is wrong, so let's update that in the configuration file:

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 174.10.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80          # http

Now we need a restart of the Squid service which can be done with this:

systemctl stop squid
systemctl start squid

Then you have fixed the problem!
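Before restarting, it is worth confirming that the address the VPN actually hands out falls inside the range added to `localnet`, and noticing when an added range is not private address space. The following is an added example, not part of the original post: it parses the `acl localnet src` lines shown above, and the two client addresses are constructed test values, not taken from the laptop.

```python
import ipaddress

# Constructed sample: the ACL lines from this page after the edit.
SAMPLE_CONF = """\
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 174.10.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80          # http
"""

def src_networks(conf_text, acl_name="localnet"):
    """Return the CIDR networks listed on 'acl <name> src ...' lines."""
    nets = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comment
        if len(fields) < 4 or fields[:3] != ["acl", acl_name, "src"]:
            continue
        for token in fields[3:]:
            try:
                nets.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                pass  # address ranges and quoted file includes are skipped here
    return nets

def matching(conf_text, client_ip, acl_name="localnet"):
    """Networks in the ACL that contain client_ip (empty list = no match)."""
    ip = ipaddress.ip_address(client_ip)
    return [n for n in src_networks(conf_text, acl_name)
            if n.version == ip.version and ip in n]

def public_ranges(conf_text, acl_name="localnet"):
    """ACL source ranges that are not private address space."""
    return [n for n in src_networks(conf_text, acl_name) if not n.is_private]

if __name__ == "__main__":
    # Constructed client addresses: one in 174.10.0.0/16, one in 174.0.0.0/16.
    for client in ("174.10.5.20", "174.0.5.20"):
        hits = matching(SAMPLE_CONF, client)
        print(client, "matches", [str(n) for n in hits] or "nothing (still denied)")
    for net in public_ranges(SAMPLE_CONF):
        print("review:", net, "is public address space in the localnet ACL")
```

On the server itself, read the real file with `open("/etc/squid/squid.conf").read()` in place of `SAMPLE_CONF` and pass the address the laptop shows on its VPN interface.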