OpenVPN in a VM or Container
Instead of split tunneling on your workstation, run a VM or container that holds the OpenVPN client and a Squid proxy. Everything inside it goes through the tunnel; the host reaches VPN-side resources by pointing a browser or tool at the proxy, while the rest of the host's traffic stays off the VPN.
Create a VM or an LXC container
Install Squid, OpenVPN, and an SSH server. One of these commands should work, depending on the distribution.
apt-get install squid openvpn openssh-server
yum install squid openvpn openssh-server
dnf install squid openvpn openssh-server
Configure networking on the VM/LXC host as described in the notes below.
Configure the tools as shown below and start them.
Configuration Notes
VM

| Host Hypervisor | VM Configuration |
|---|---|
| VirtualBox | I recommend installing both a host-only and a bridged network adapter. |
| VMware | Associate a network that relates to a physical NIC. |
| Proxmox | Works out of the box. |

LXC

| Host Hypervisor | LXC Configuration |
|---|---|
| Proxmox | |
| WSL | Not supported. |
Running Squid
Enable Squid at boot with systemctl enable squid.
Edit /etc/squid/squid.conf for the following configuration. It is fairly open, but only to the private ranges named in the localnet ACL. Squid evaluates http_access rules top to bottom and stops at the first match, so the manager and CONNECT restrictions must come before the allow line or they never apply.
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl CONNECT method CONNECT
dns_v4_first on
# Order matters: first match wins. Cache manager access only from the box itself.
http_access allow localhost manager
http_access deny manager
# CONNECT tunnels only to the SSL ports, so the proxy cannot be used to reach arbitrary TCP ports
http_access deny CONNECT !SSL_ports
# Clients on the private ranges defined above; everything else is refused
http_access allow localnet
http_access deny all
# Listens on every interface, including tun0 once the VPN is up; bind to the host-facing address instead if the VPN side must not reach the proxy
http_port 0.0.0.0:3128
cache_dir ufs /var/spool/squid 100 16 256
cache_mem 8 MB
minimum_object_size 0 bytes
maximum_object_size 200 MB
maximum_object_size_in_memory 512 KB
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# "squid" is a built-in logformat name, so define our own and point the access log at it
logformat vpnproxy %{%F-%H%M.%S}tl %ts.%03tu %6tr %>a:%>p %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A:%<p %mt
access_log daemon:/var/log/squid/access.log vpnproxy
Do not forget to restart it with systemctl restart squid.
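Because http_access is first-match, the order of the rules decides whether the manager and CONNECT restrictions ever apply. As an added example that is not part of the original page, the following Python models Squid's http_access evaluation (src, port and method ACLs plus the built-in all, localhost and manager ACLs, with manager simplified to a flag on the request) and reports rules that are shadowed by an earlier unconditional allow all or deny all. The two embedded configurations are constructed for the example: the first uses the ordering in which allow all precedes the manager rules, the second the corrected ordering.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: allow all ahead of the manager rules, so the manager
# rules are dead code and any client that can reach port 3128 is accepted.
PAGE_ORDER = """
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow all
http_access allow localhost manager
http_access deny manager
"""

# Constructed sample: restrictions first, then the localnet allow, then deny all.
FIXED_ORDER = """
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""


@dataclass
class Request:
    src: str                 # client address as Squid sees it
    method: str = "GET"
    port: int = 80           # destination port
    manager: bool = False    # request for the cache manager interface


def parse(conf):
    """Collect acl definitions (name -> [(type, values)]) and http_access rules
    ([(action, [(negated, acl_name)])]) in file order, the order Squid evaluates them."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "acl":
            acls.setdefault(fields[1], []).append((fields[2], fields[3:]))
        elif fields[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in fields[2:]]
            rules.append((fields[1], terms))
    return acls, rules


def acl_matches(name, acls, req):
    """Does the named ACL match the request? Built-ins are modelled explicitly."""
    if name == "all":
        return True
    if name == "localhost":
        return ipaddress.ip_address(req.src).is_loopback
    if name == "manager":
        return req.manager
    for typ, values in acls.get(name, []):
        if typ == "src":
            client = ipaddress.ip_address(req.src)
            # containment across IP versions is False, so v4 clients never match v6 ranges
            if any(client in ipaddress.ip_network(v, strict=False) for v in values):
                return True
        elif typ == "port":
            if req.port in {int(v) for v in values}:
                return True
        elif typ == "method":
            if req.method.upper() in {v.upper() for v in values}:
                return True
        else:
            raise ValueError(f"acl type {typ!r} is not modelled here")
    return False


def evaluate(conf, req):
    """First-match semantics: a rule fires when every term on it matches (with !
    negation honoured). Returns (action, rule_index); if no rule fires, Squid
    applies the opposite of the last rule's action, reported with index None."""
    acls, rules = parse(conf)
    for index, (action, terms) in enumerate(rules):
        if all(acl_matches(name, acls, req) != negated for negated, name in terms):
            return action, index
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), None


def unreachable_rules(conf):
    """Indexes of http_access rules that can never fire because an
    unconditional `allow all` or `deny all` precedes them."""
    _, rules = parse(conf)
    for index, (_, terms) in enumerate(rules):
        if terms == [(False, "all")]:
            return list(range(index + 1, len(rules)))
    return []


if __name__ == "__main__":
    probe = Request("10.0.0.5", manager=True)
    print("page order: shadowed rules", unreachable_rules(PAGE_ORDER),
          "manager from LAN ->", evaluate(PAGE_ORDER, probe))
    print("fixed order: shadowed rules", unreachable_rules(FIXED_ORDER),
          "manager from LAN ->", evaluate(FIXED_ORDER, probe))
```

Run it against your own squid.conf by reading the file into evaluate() with the client address and request you care about; a non-empty unreachable_rules() result means something after the catch-all line is not doing what you think.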
Running OpenVPN
For all things a wrapper script and a wrapper script for all things.
#!/bin/bash
# Resolve the script's own directory so client.ovpn, the pkcs12 file and the log sit next to it
mydir=$(cd "$(dirname "$0")" && pwd)
myname=$(basename "$0")
cd "$mydir" || exit 1
# In case we do not have the right device present (containers often lack it)
if [ ! -e /dev/net/tun ]; then
    sudo mkdir -p /dev/net
    sudo mknod /dev/net/tun c 10 200
    sudo chmod 666 /dev/net/tun
fi
# Clear a stale address from a previous run; ignore the error if tun0 does not exist yet
sudo ip addr flush dev tun0 2>/dev/null || true
# Run in the background; relative paths in client.ovpn resolve against $mydir
sudo openvpn --config "${mydir}/client.ovpn" > "${mydir}/vpn.${myname}.log" 2>&1 &
You should get an OVPN file from your organization, but if you do not, here is a sample.
Assume your domain is example.org, your certificate is in the file mycertificate.p12, your VPN server is vpn.example.org, your router is 10.0.0.1, your DNS server is 10.0.0.53, and your internal domain is local.example.org.
# client already implies tls-client and pull; tls-client is kept for configs that expect it
tls-client
client
nobind
dev tun
proto tcp
# Adjust this for multiple-tunnel problems or frequent timeouts
tun-mtu 1400
remote vpn.example.org 443
# Relative to the directory openvpn runs in (the wrapper script cd's next to this file)
pkcs12 mycertificate.p12
# Deprecated on OpenVPN 2.5 and later, which prefer data-ciphers (e.g. data-ciphers AES-256-GCM:AES-256-CBC); kept for older servers
cipher AES-256-CBC
verb 3
# Reject a server certificate not marked for server use, and pin the expected name
remote-cert-tls server
verify-x509-name vpn.example.org name
# Only correct if 10.0.0.1 is the gateway on the VPN side; redirect-gateway def1 below already sends all traffic through the tunnel
route 0.0.0.0 0.0.0.0 10.0.0.1 1
dhcp-option DNS 10.0.0.53
dhcp-option DOMAIN local.example.org
# Installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which override the default route without replacing it
redirect-gateway def1
## Uncomment this block if you have before and after scripts
#script-security 2
#up duringvpn.sh
#down aftervpn.sh
#down-pre
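After the wrapper starts OpenVPN, the quickest sanity check is the routing table: redirect-gateway def1 installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel and leaves the original default route in place, and OpenVPN adds a host route for the VPN server through the physical gateway so the tunnel does not try to carry itself. As an added example that is not part of the original page, the following Python parses `ip route` output and reports whether those three conditions hold. The two route tables embedded below are constructed for the example (interface names, the 10.8.0.0/24 tunnel pool and the server address 203.0.113.7 are assumptions); live_check() runs the same test against the running system.

```python
import subprocess

# Constructed sample `ip route` output before OpenVPN starts (not captured from a real host)
ROUTES_BEFORE = """\
default via 192.168.56.1 dev enp0s3 proto dhcp metric 100
192.168.56.0/24 dev enp0s3 proto kernel scope link src 192.168.56.10
"""

# Constructed sample after the tunnel is up with redirect-gateway def1 applied
ROUTES_AFTER = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.56.1 dev enp0s3 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.56.0/24 dev enp0s3 proto kernel scope link src 192.168.56.10
203.0.113.7 via 192.168.56.1 dev enp0s3
"""


def parse_routes(text):
    """Turn `ip route` lines into dicts with dst, via and dev (None when absent)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        route = {"dst": fields[0], "via": None, "dev": None}
        for i, field in enumerate(fields[:-1]):
            if field == "via":
                route["via"] = fields[i + 1]
            elif field == "dev":
                route["dev"] = fields[i + 1]
        routes.append(route)
    return routes


def tunnel_check(text, tun="tun0", vpn_server=None):
    """Report whether redirect-gateway def1 is in effect on this route table.

    def1_active: both half-default routes go via the tunnel interface.
    physical_default_kept: the pre-existing default route is still present, so
        the tunnel endpoint and the LAN remain reachable when the VPN drops.
    server_bypasses_tunnel (when vpn_server is given): a host route sends the
        VPN server's address out the physical interface, not into the tunnel.
    """
    routes = parse_routes(text)
    halves = {r["dst"] for r in routes
              if r["dev"] == tun and r["dst"] in ("0.0.0.0/1", "128.0.0.0/1")}
    result = {
        "def1_active": halves == {"0.0.0.0/1", "128.0.0.0/1"},
        "physical_default_kept": any(r["dst"] == "default" and r["dev"] != tun
                                     for r in routes),
    }
    if vpn_server is not None:
        result["server_bypasses_tunnel"] = any(
            r["dst"] == vpn_server and r["dev"] != tun for r in routes)
    return result


def live_check(tun="tun0", vpn_server=None):
    """Run the same check against the running system's routing table."""
    out = subprocess.run(["ip", "route"], capture_output=True, text=True,
                         check=True).stdout
    return tunnel_check(out, tun, vpn_server)


if __name__ == "__main__":
    print("before:", tunnel_check(ROUTES_BEFORE, vpn_server="203.0.113.7"))
    print("after: ", tunnel_check(ROUTES_AFTER, vpn_server="203.0.113.7"))
```

If def1_active is false after the log shows "Initialization Sequence Completed", the server is probably pushing its own routes that override the client's redirect-gateway; if server_bypasses_tunnel is false, the tunnel will loop on itself and the connection will stall shortly after coming up.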