OpenVPN in a VM or Container
############################

To avoid the hassle of split tunneling but still reap its advantages, run a container or VM that holds your OpenVPN configuration and a Squid proxy, and point the applications on the host at that proxy.

* Create a VM or an LXC container.
* Install Squid, OpenVPN, and an SSH server. One of these commands should work.

  * `apt-get install squid openvpn openssh-server`
  * `yum install squid openvpn openssh-server`
  * `dnf install squid openvpn openssh-server`

* Configure your VM/LXC host.
* Configure your tools as below and start them.

Configuration Notes
===================

* VM

+-------------------+-------------------------------------------------------------------+
| Host Hypervisor   | VM Configuration                                                  |
+===================+===================================================================+
| VirtualBox        | I recommend installing both a host-only and a bridged network.    |
+-------------------+-------------------------------------------------------------------+
| VMware            | Associate a network that relates to a physical NIC.               |
+-------------------+-------------------------------------------------------------------+
| Proxmox           | Works out of the box.                                             |
+-------------------+-------------------------------------------------------------------+

* LXC

+-------------------+-------------------------------------------------------------------+
| Host Hypervisor   | LXC Configuration                                                 |
+===================+===================================================================+
| Proxmox           | For a Proxmox-wide config, add to */etc/lxc/default.conf*         |
|                   | `lxc.cgroup.devices.allow = c 10:200 rwm`                         |
+-------------------+-------------------------------------------------------------------+
| WSL               | No.                                                               |
+-------------------+-------------------------------------------------------------------+

Running Squid
=============

Ensure Squid starts at boot with `systemctl enable squid`. Edit */etc/squid/squid.conf* to contain the following fairly open configuration.

.. code-block:: squid
   :linenos:
   :caption: /etc/squid/squid.conf

   acl localnet src 10.0.0.0/8       # RFC1918 possible internal network
   acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
   acl localnet src 192.168.0.0/16   # RFC1918 possible internal network
   acl localnet src fc00::/7         # RFC 4193 local private network range
   acl localnet src fe80::/10        # RFC 4291 link-local (directly plugged) machines
   acl SSL_ports port 443
   acl CONNECT method CONNECT

   dns_v4_first on

   # "allow all" matches first, so the two manager lines below are never reached
   http_access allow all
   http_access allow localhost manager
   http_access deny manager

   http_port 0.0.0.0:3128

   cache_dir ufs /var/spool/squid 100 16 256
   cache_mem 8 MB
   minimum_object_size 0 bytes
   maximum_object_size 200 MB
   maximum_object_size_in_memory 512 KB
   coredump_dir /var/spool/squid

   refresh_pattern ^ftp:             1440    20%     10080
   refresh_pattern ^gopher:          1440    0%      1440
   refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
   refresh_pattern .                 0       20%     4320

   logformat squid %{%F-%H%M.%S}tl %ts.%03tu %6tr %>a:%>p %Ss/%03>Hs %

${mydir}/vpn.${myname}.log 2>&1 &

..

You should get an OVPN file from your organization, but if you do not, here is a sample. Assume your domain is **example.org**, your certificate is in the file *mycertificate.p12*, your VPN server is **vpn.example.org**, your router is **10.0.0.1**, your DNS server is **10.0.0.53**, and your internal domain is **local.example.org**.

.. code-block:: apache
   :linenos:
   :caption: client.ovpn

   tls-client
   client
   nobind
   dev tun
   proto tcp
   # Adjust this for multiple-tunnel problems or frequent timeouts
   tun-mtu 1400
   remote vpn.example.org 443
   pkcs12 mycertificate.p12
   cipher AES-256-CBC
   verb 3
   remote-cert-tls server
   verify-x509-name vpn.example.org name
   route 0.0.0.0 0.0.0.0 10.0.0.1 1
   dhcp-option DNS 10.0.0.53
   dhcp-option DOMAIN local.example.org
   redirect-gateway def1
   ## Uncomment this block if you have before and after scripts
   #script-security 2
   #up duringvpn.sh
   #down aftervpn.sh
   #down-pre

..
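In the Squid configuration under Running Squid, `http_access allow all` is the first line and matches every request, so any client that can reach port 3128 (on a bridged network, that may be more than your host) is served and the `deny manager` line below it never applies. The evaluator below is an added example, not part of the original page: it walks a squid.conf excerpt in Squid's first-match order, reports ACLs that are defined but never referenced, and compares the page's rule order with one restricted to the `localnet` ACL the page already defines; the excerpts and client addresses are constructed.

```python
import ipaddress


def parse(conf):
    """Collect `acl NAME src ...` networks (other ACL types are recorded with
    no networks) and the ordered http_access rules as (action, [acl names])."""
    acls = {"localhost": ["127.0.0.1/32", "::1/128"]}  # Squid built-in
    rules = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) > 2 and words[0] == "acl":
            acls.setdefault(words[1], []).extend(words[3:] if words[2] == "src" else [])
        elif len(words) > 2 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(name, acls, client_ip, is_manager):
    if name == "all":        # built-in: matches every request
        return True
    if name == "manager":    # built-in: cache-manager requests
        return is_manager
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in acls[name])


def decide(conf, client_ip, is_manager=False):
    """The first http_access line whose ACLs all match decides; when no line
    matches, Squid applies the opposite of the last line's action."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(n, acls, client_ip, is_manager) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def unused_acls(conf):
    """ACLs defined in the file but referenced by no http_access line."""
    acls, rules = parse(conf)
    used = {n for _, names in rules for n in names}
    return {n for n in acls if n != "localhost" and n not in used}


# Constructed excerpts: the page's rule order, and a version restricted to
# the localnet ACL the page defines but never references.
LOCALNET = "acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16\n"
OPEN = LOCALNET + ("http_access allow all\n"
                   "http_access allow localhost manager\n"
                   "http_access deny manager\n")
RESTRICTED = LOCALNET + ("http_access allow localhost manager\n"
                         "http_access deny manager\n"
                         "http_access allow localnet\n"
                         "http_access deny all\n")
```

With the page's order, `decide(OPEN, "203.0.113.7", is_manager=True)` returns `"allow"`, while the restricted order denies that request and still serves a host-side client such as 192.168.56.1.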