Forwarding VPN traffic to a Squid proxy

I am using SoftEther as the VPN and Squid as the proxy.

I want to forward this VPN to the proxy, and then on to the Internet.

My basic requirement is like this:

    SmartPhone ----> VPN ---> Squid ---> Internet
                               |
                               |
                               V
                      internet access log

So far I have configured SoftEther VPN, and it works as a normal VPN; Squid is installed on the server and works as a normal proxy when I connect to it.

I tried to set up iptables rules to forward the VPN traffic to Squid (i.e. from port 80 to 3128 [the Squid listening port]), but it did not work.

I am not an experienced person in this area, so I am asking you to help me find what I am doing wrong (or please let me know if this is not possible).

The VPN and Squid are configured on Amazon EC2.

I have actually set this up, and it took me some time to set up too...

If you are using OpenVPN, you can use my up/down script to turn OpenVPN/squid on and off. You also need to set up BIND to go through the VPN:

    #!/usr/bin/env bash
    # Called from OpenVPN as "openvpn_tun1.sh up|down"; OpenVPN appends its own
    # arguments after that, so $1 is up/down and $5 is the tunnel's local IP.
    status="$1"
    ip="$5"
    configdir_squid="/etc/squid/proxyoff"
    configdir_bind="/etc/named"
    if [ "$status" = "up" ]; then
        # Tunnel is up: pin Squid's and BIND's outgoing traffic to the VPN address.
        echo "tcp_outgoing_address $ip" > "$configdir_squid/tcp_outgoing_address.conf"
        echo "http_access allow localnet" > "$configdir_squid/http_access.conf"
        echo "query-source address $ip;" > "$configdir_bind/query_source.conf"
    else
        # Tunnel is down: stop serving the LAN rather than leaking around the VPN.
        echo "" > "$configdir_squid/tcp_outgoing_address.conf"
        echo "http_access deny localnet" > "$configdir_squid/http_access.conf"
        echo "" > "$configdir_bind/query_source.conf"
    fi
    systemctl restart named squid transmission-daemon

Then create a folder named proxyoff under /etc/squid. Then set up the script in OpenVPN:

    # OpenVPN only runs external scripts when "script-security 2" is set in its config.
    up "/opt/scripts/openvpn_tun1.sh up"
    down "/opt/scripts/openvpn_tun1.sh down"

You need iptables rules to control the traffic coming from squid and bind (you also need to set a static route for your VPN provider):

    -A vyprvpn-only -o lo -j ACCEPT
    -A vyprvpn-only -d 192.168.1.0/24,10.8.0.0/24 ! -o tun1 -j ACCEPT
    -A vyprvpn-only ! -o tun1 -j REJECT --reject-with icmp-net-unreachable
    -A OUTPUT -m owner --gid-owner transmission -j vyprvpn-only
    -A OUTPUT -m owner --gid-owner squid -j vyprvpn-only
    -A OUTPUT -m owner --gid-owner named -j vyprvpn-only

Add this somewhere near the bottom of squid's http_access rules, but before the http_access deny all:

    include /etc/squid/proxyoff/http_access.conf

Add this after http_port, or after the http_access rules:

    include /etc/squid/proxyoff/tcp_outgoing_address.conf

Set your nameservers so that they point at DNS servers on the LAN that will go out through the VPN, or at Internet DNS servers that are sent through the VPN by the iptables rules:

    dns_v4_first on
    dns_nameservers 8.8.8.8 8.8.4.4

For example, I have my dns_nameservers set to the 3 Windows DNS servers that handle AD, which then send any queries they do not know about to the BIND server running on the same server as the VPN.

Add a gateway failure for the localnet ACL in squid, or rename the ACL here and the ACL in the script:

    deny_info ERR_GATEWAY_FAILURE localnet

Then build a proxy auto-configuration:

    function FindProxyForURL(url, host) {
        var proxy_on = "PROXY 192.168.1.20:3128; PROXY 192.168.1.21:3128";
        var proxy_off = "DIRECT";
        var network = "192.168.1.0";
        var subnet = "255.255.255.0";
        var proxy_bypass = new Array(
            "pyronexus.lan", "*.pyronexus.lan",
            "pyronexus.com", "*.pyronexus.com",
            "amazon.com", "*.amazon.com",
            "amazon.co.uk", "*.amazon.co.uk",
            "channel4.com", "*.channel4.com",
            "c4assets.com", "*.c4assets.com",
            "ipv6-test.com", "*.ipv6-test.com",
            // Banks
            "tsb.co.uk", "*.tsb.co.uk",
            "bankofscotland.co.uk", "*.bankofscotland.co.uk",
            "barclays.co.uk", "*.barclays.co.uk",
            "halifax.co.uk", "*.halifax.co.uk",
            "rbs.co.uk", "*.rbs.co.uk",
            "natwest.com", "*.natwest.com"
        );
        var blockedsites = new Array(
            "trafficstars.com", "*.trafficstars.com",
            "trafficfactory.biz", "*.trafficfactory.biz"
        );

        // Blocked websites (block them in the proxy server configuration as well, to prevent circumvention).
        for (var i = 0; i < blockedsites.length; i++) {
            if (shExpMatch(host, blockedsites[i])) {
                return "PROXY 127.0.0.1";
            }
        }

        // Below here evaluates the above.

        // Bypass proxy for local web servers in the same subnet as the client.
        if (isInNet(host, network, subnet)) {
            return proxy_off;
        }

        // Bypass proxy for those listed under proxy_bypass.
        for (var i = 0; i < proxy_bypass.length; i++) {
            if (shExpMatch(host, proxy_bypass[i])) {
                return proxy_off;
            }
        }

        // Everything else not caught by the above should be checked to see if it is HTTP, HTTPS or FTP
        // before sending to a proxy server.
        if (shExpMatch(url, "http:*") || shExpMatch(url, "https:*") || shExpMatch(url, "ftp:*")) {
            return proxy_on;
        }

        // Finally, send all other requests direct.
        return proxy_off;
    }

Add this to the options section of /etc/named.conf (add forwarders to Internet DNS servers, but remove the root hints):

    include "/etc/named/query_source.conf";

Add the VPN's IP to /etc/hosts:

    209.99.22.37 uk1.vyprvpn.com

And add the route:

    ip route add 209.99.22.37/32 via 192.168.1.1 dev eth0

You can see some of my other guides about proxies at https://pyronexus.com

You can read this:

https://www.williamjbowman.com/blog/2015/12/22/a-transparent-ad-blocking-vpn-via-softether-privoxy/

The author redirects all port 80 traffic to privoxy in order to block ads; you can change his command to redirect to squid instead.

    iptables -t nat -A PREROUTING -s YOUR.NET.ADDRESS/NETMASK -p tcp -m multiport --dport 80 -j DNAT --to-destination 127.0.0.1:3128
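As an added example (not from either answer above), here is a small script that generates the interception rules the question asks for, using a REDIRECT target instead of a DNAT to 127.0.0.1, together with the Squid `intercept` port that the redirected requests need. The interface name `tun0`, the VPN subnet `10.8.0.0/24` and the intercept port `3129` are assumed placeholders; Squid's ordinary forward-proxy port 3128 from the question is kept separate.

```shell
#!/usr/bin/env bash
# Added example: generate (and optionally apply) iptables rules that send VPN
# clients' port-80 traffic into a local Squid running in intercept mode.
# Interface, subnet and port are assumed placeholders, not values from the page.
set -e

# Reject anything that is not a dotted-quad CIDR so a typo cannot produce a
# rule with no source restriction at all.
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the rules. Match on the ingress interface AND the VPN source net so the
# interception never applies to packets arriving from the Internet side, and
# keep the intercept port closed to everyone else, or Squid becomes an open proxy.
# REDIRECT is used rather than DNAT to 127.0.0.1: a PREROUTING DNAT to loopback
# is dropped by the kernel unless net.ipv4.conf.<iface>.route_localnet is enabled.
render_rules() {
  local iface="$1" vpn_net="$2" squid_port="$3"
  valid_cidr "$vpn_net" || { echo "bad CIDR: $vpn_net" >&2; return 1; }
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $iface -s $vpn_net -p tcp --dport 80 -j REDIRECT --to-ports $squid_port
iptables -A INPUT -i $iface -s $vpn_net -p tcp --dport $squid_port -j ACCEPT
iptables -A INPUT -p tcp --dport $squid_port -j DROP
EOF
}

# Squid must listen in intercept mode on the redirect target port; the normal
# forward-proxy port (3128 in the question) stays as it is.
render_squid_ports() {
  printf 'http_port 3128\nhttp_port %s intercept\n' "$1"
}

if [ "${1:-}" = "--apply" ]; then
  render_rules "${2:-tun0}" "${3:-10.8.0.0/24}" "${4:-3129}" | sh -e
else
  render_rules "${1:-tun0}" "${2:-10.8.0.0/24}" "${3:-3129}"
  render_squid_ports "${3:-3129}"
fi
```

Run without arguments to review the rules and the squid.conf lines; run as root with `--apply tun0 10.8.0.0/24 3129` to install the rules. Squid's access.log then records every intercepted request, which covers the "internet access log" box in the question's diagram.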