In fact:
I have set up a local proxy server that caches the Internet traffic.
Data: IP: 192.168.178.25 Port: 13343
Now my problem:
I have configured devices such as laptops via settings so that they should use the local proxy with the corresponding IP from above.
However, if I now connect the laptop to another network (which happens quite often), I get an error message in Firefox that (logically) the proxy is not available.
On the Internet I came up with the "solution" that you should simply add a DynDNS and release the corresponding port and then connect via the DynDNS and the released port. I think that works for sure, but since I use a proxy that only "allows" internal IPs, I can forget about that and I mean, from a security point of view, a proxy that is openly available on the Internet is also not a hit.
Now my question:
Can I set up a VPN server on the (same) or different server that automatically connects to the proxy server?
Do you mean that the VPN server directs traffic from "outside" to "inside", but then is forced to connect to the Internet via the proxy?
(Attention! I would also like the VPN server to automatically use the proxy, even if it is not configured on the device that connects to the VPN - it should use the proxy)
Info:
Basically I can use any VPN server that is available under Linux (more precisely Debian).
Proxy Server runs Squid with SquidGuard on Ubuntu
The most important point is that the proxy is always used when connected via VPN, regardless of whether the proxy is configured on the end device or not
I'm not sure whether a proxy is worthwhile for caching in the home network. Most websites are dynamic, so a few stylesheets, scripts and a few pictures end up in the proxy cache. The caching is not so profitable.
About the VPN: Wouldn't it make sense if the proxy set up the VPN? Then the corresponding client that establishes the connection to the VPN server must be configured on the proxy.
The VPN server should also be in the local network -> so that you can access NAS etc. on the go or from another location.
And yet a proxy makes sense in our case since there are 4 servers + approx. 10 other PCs in the "home network" (since there's also a company network) and it happens fairly often that 2 people or 2 computers need the same file at different times. Since our "home network" has 1GB / s everywhere and partially white 10GB / s (e.g. between two switches), this is again subtly faster than if the second PC brought the file online a second time.
However, since it can come from home to Corona in times of Corona, we're currently setting up a VPN server (we have now decided on OpenVPN). Since we do not want to burden the networks unnecessarily and also want to provide a correspondingly fast connection for employees, it would be ideal if the VPN server (which is located in the local network) connects directly to the Internet and only via the (also local proxy) (or also in the local network) connects.
Before a comment comes because of Corona: we're currently (except for myself) in the hourly reduction, i.e. only I'm in attendance; all other employees are currently on the said hourly reduction. Since this overtime will not last forever, we're currently setting up the requirements for home office as described above.
Don't worry, comments about Corona don't come from me. Every company has to think about how to deal with the current restrictions. Home office is definitely one of the more clever options. Overtime cutbacks too, but the job needs to be done too.
The real problem: The employee should connect via VPN. The VPN terminates on a server behind the router. The router therefore needs the corresponding port release. So far it is still easy.
The employee should now access the Internet through the VPN, but only via the proxy.
This means that the employee's computer must know whether it is connected via VPN or not. If the VPN is not set up, it can go directly to the Internet (the proxy would not be reachable because it is in the company network). Once the VPN tunnel has been set up, it requires proxy configuration.
One solution would be to work with WPAD: https://de.wikipedia.org/...y_Protocol
Another solution would be a transparent proxy. Squid can also work transparently. The computer then does not require a proxy configuration. On a Linux computer, you can use iptables to redirect the data coming in via the VPN to the Squid:
iptables -t nat -A PREROUTING… -j REDIRECT --to-port 8118
A third approach uses the OpenVPN directive
push "dhcp-option PROXY_HTTP 192.168.x.y 8118"
The employee's computer receives the proxy address via DHCP when setting up the VPN.
I have no opportunity to test it here, currently I have no Squid or OpenVPN in use (proxy deleted without replacement, OpenVPN replaced by Wireguard). So you just have to try out whether one of the approaches leads to the desired result. The third approach now seems to me to be the easiest.
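Added example, not part of the thread: a PAC file of the kind WPAD would hand out, sending requests to the proxy from the question (192.168.178.25:13343) only when the client sits in an internal network. The LAN range 192.168.178.0/24 and the VPN pool 10.8.0.0/24 are assumptions, as are the helper names.

```javascript
// proxy.pac (added example). Proxy address is from the thread; the two
// subnets are assumptions: LAN 192.168.178.0/24, VPN pool 10.8.0.0/24.
var PROXY = "PROXY 192.168.178.25:13343";
var INTERNAL_NETS = [["192.168.178.0", 24], ["10.8.0.0", 24]];

// Dotted quad -> integer in [0, 2^32), or null if not a literal IPv4.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when ip lies inside base/bits. Uses division, not bit operators,
// because JavaScript bit operators work on signed 32-bit values.
function inNet(ip, base, bits) {
  var a = ipToInt(ip), b = ipToInt(base);
  if (a === null || b === null) return false;
  var size = Math.pow(2, 32 - bits);
  return Math.floor(a / size) === Math.floor(b / size);
}

function isInternal(ip) {
  for (var i = 0; i < INTERNAL_NETS.length; i++) {
    if (inNet(ip, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return true;
  }
  return false;
}

// Pure decision function so it can be tested outside a browser.
function chooseProxy(clientIp, host) {
  // Loopback and internal hosts (NAS etc.) are reached directly.
  if (host === "localhost" || inNet(host, "127.0.0.0", 8)) return "DIRECT";
  if (isInternal(host)) return "DIRECT";
  // On the LAN or on the VPN: use the Squid proxy. Elsewhere: go direct,
  // which avoids the "proxy not available" error on foreign networks.
  return isInternal(clientIp) ? PROXY : "DIRECT";
}

// Entry point the browser calls; myIpAddress() is a PAC built-in.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host);
}
```

A PAC file is only a client-side setting that a user or application can ignore, so the requirement that VPN traffic always passes through the proxy still has to be enforced on the VPN gateway. On a client with several interfaces, myIpAddress() may return the physical adapter's address rather than the tunnel's.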
Ok thanks for your suggestions! I'm going to try that from next week onwards.
For completeness, I will post the result or how I ended up doing it again here.