{"id":22052715,"url":"https://github.com/jrhrmsll/openvpn-plus-squid","last_synced_at":"2026-05-10T19:05:14.828Z","repository":{"id":150276560,"uuid":"353173836","full_name":"jrhrmsll/openvpn-plus-squid","owner":"jrhrmsll","description":"A proof of concept for an intermediary solution on the way to Zero Trust Networking; based on OpenVPN and Squid Proxy.","archived":false,"fork":false,"pushed_at":"2021-04-09T00:16:26.000Z","size":1405,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-28T21:45:11.005Z","etag":null,"topics":["networking","openvpn","security","squid","zero-trust-network"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jrhrmsll.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-03-31T00:04:33.000Z","updated_at":"2021-08-25T08:03:40.000Z","dependencies_parsed_at":"2023-05-04T23:03:05.311Z","dependency_job_id":null,"html_url":"https://github.com/jrhrmsll/openvpn-plus-squid","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jrhrmsll%2Fopenvpn-plus-squid","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jrhrmsll%2Fopenvpn-plus-squid/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jrhrmsll%2Fopenvpn-plus-squid/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jrhrmsll%2Fopenvpn-plus-squid/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jrhrmsll","download_url":"https://codeload.github.com/jrhrmsll/openvpn-plus-squid/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245122720,"owners_count":20564361,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["networking","openvpn","security","squid","zero-trust-network"],"created_at":"2024-11-30T15:14:02.590Z","updated_at":"2026-05-10T19:05:14.762Z","avatar_url":"https://github.com/jrhrmsll.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OpenVPN + Squid, an intermediary solution in the way to Zero Trust Networking\n\nThis project is a proof of concept for an intermediary solution on the way to Zero Trust Networking; based on OpenVPN\nand Squid Proxy.\n\n## The Problem\n\nToday, many enterprises employ a VPN to secure users access from external networks; but when inside, no other controls \nare enforced and trust is based on the perimeter only. In this model, a compromise device could be used to gain access \nto internal resources, directly or by lateral movement; with disastrous consequences for the business.\n\nThe Zero Trust model try to mitigate these problems replacing the perimeter security by access controls based on the\nuser's identity, devices state and context (e.g. geolocation).\n\nThere are multiple ways to implement a Zero Trust Networking Architecture, as cited in\n[NIST SP 800-207](https://www.nist.gov/publications/zero-trust-architecture). One approach is the Google model, known as\n[Beyond Corp](https://beyondcorp.com/).\n\nIn some cases, depending on the number of users and assets to protect, the transition to this new form cannot be done \nat once. Therefore, a compromise solution would be useful; providing some benefits while the migration is taking place.\n\nWhat follows, attempt to be this **intermediary solution**, taking as advantage the VPN presence.\n\n## Interlude\n\nThe core of this solution is the use of OpenVPN and Squid Proxy together, allowing to combine the perimeter based model\nwith and Identity Aware Access Proxy, but keeping the majority of infrastructure resources _as is_.\n\n### Components\n\n- OpenVPN: listening in the external network interface.\n\n- Squid Proxy: configured to listen in the internal network.\n\n- Redis: use as key value database.\n\n### Flow\n\nA user with a valid certificate connect to the OpenVPN server. After the user connection the server store the pair\n(ip, user) in Redis.\n\ne.g.\n```\n#!/usr/bin/env bash\n\nredis-cli set ${ifconfig_pool_remote_ip} ${common_name}\n```\n\nThe user SHOULD configure the internal VPN interface as the HTTP(S) proxy, only accessible after receiving the\nproper _route_ from the VPN server. When the user requests an internal HTTP(S) resource, the Squid use the VPN user's IP\nto get the corresponding identity (_common_name_) from Redis. Then, the identity is combine with some basic access \ncontrol list allow/deny the access.\n\ne.g.\n```\nexternal_acl_type identity_program children-startup=10 children-max=100 ttl=0 %SRC /usr/local/bin/identity.sh\nacl identity external identity_program\n\nacl block_users ext_user guess-01\nacl block_ips dst 172.16.0.5\nhttp_access deny identity block_users block_ips\n```\n\nThe above fragments correspond to the next testing scenario, but for a production deployment another external acl could\nbe used as **decision engine**; allowing more dynamic configurations based on \"user groups\", \"url categories\", etc.\n\n## Running It\n\nThis testing scenario is conceived to run in a local environment, using VirtualBox and Vagrant. It's composed by four\nvirtual machines with Ubuntu 18.04 LTS, as follows:\n\n- **openvpn**: the VPN server with OpenVPN 2.4.4 and squid 3.5, with three networks interfaces:\n  * Host-only, with IP address `192.168.10.5`\n  * Internal Network, with IP address `172.31.0.5`\n\n- **gateway**: a router between the networks `172.31.0.0/24` and `172.16.0.0/24`, with two networks interfaces:\n  * Internal Network, with IP address `172.31.0.100`\n  * Internal Network, with IP address `172.16.0.100`\n\n- **nginx**: a http server with nginx\n  * Internal Network, with IP address `172.16.0.5`\n\n- **apache2**: a http server with apache2\n  * Internal Network, with IP address `172.16.0.10`\n\nAfter cloning the repository go to each directory and run:\n\n```\nvagrant up\n```\n\nWhen ready, access to th local [OpenVPN Management Console](http://192.168.10.5/ovpnphp) and logging with:\n\n```\nusername: ovpnphp\npassword: ovpnphp\n```\n\nGo to [Clients](http://192.168.10.5/ovpnphp/clients) menu and add two users:\n- _guess-01_\n- _guess-02_\n\nDownload the corresponding clients configurations files (`\u003cuser\u003e.tar.gz`) and add them to the VPN client.\n\nConnect to the VPN with _guess-01_ and check it in [Connections](http://192.168.10.5/ovpnphp/connections) menu.\n\nBefore test the solution, configure the browser to use the proxy `172.31.0.5:3128` for HTTP access.\n\nThen, go to the _nginx_ http server on IP address `172.16.0.5`, the request will be **denied**; but **allowed** if the\n_apache2_ http server on `172.16.0.10` is accessed.\n\nBy connecting with user _guess-02_ the access to both http servers will be allowed.\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjrhrmsll%2Fopenvpn-plus-squid","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjrhrmsll%2Fopenvpn-plus-squid","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjrhrmsll%2Fopenvpn-plus-squid/lists"}