Using Privoxy with openVPN

Problem Description
I am trying to use privoxy while connected to freedom box via openVPN. I don’t know how to add connection in network to have both firewall set as internal and external. If I modify a connection to external I can browse the web with the VPN, but cannot use privoxy and if I set the connection to internal I cannot browse the web while on the VPN.
Steps to Reproduce

  1. Login to FreedomBox.
  2. Install OVPN
  3. Install Privoxy
  4. Add a Network connection firewall to External
  5. Configure Privoxy in browser and try loading a page
  6. Page shows "The proxy server is refusing connections"

Expected Results
I was expecting to have both connections active

Actual results
I cannot use VPN and privoxy at the same time

Screenshot

Information

  • FreedomBox version: Debian GNU/Linux 10 (buster) and FreedomBox version 20.0
  • Hardware: CubieTruck
  • How did you install FreedomBox?: downloading stable images from https://freedombox.org

@Patate, thank you for the detailed report.

We have been discussing this problem recently and considering enabling masquerading on Internal networks as well. We have not done so yet due to incomplete understanding of the security consequences.

You can try doing this as follows:

firewall-cmd --zone=internal --add-masquerade
firewall-cmd --zone=internal --add-masquerade --permanent

After this, mark your Internet connection as ‘Internal’ zone. Internet browsing over OpenVPN and Privoxy service should both be accessible.

Thank you for the response!
I am using a work-around right now with a raspberry pi and pivpn. I would prefer to use only freedombox, but I don’t want to compromise the security of it. Is there a place where I can follow the progress of this issue so that I know when it’s deemed safe?

Alternatively you could add privoxy to the external zone. Does anyone know whether there is a security risk for doing this?

sudo firewall-cmd --zone=external --add-service=privoxy

If the interfaces in your external zone are connected to the Internet directly (or if your router is forwarding all traffic via DMZ, or specifically the privoxy port), then this is a risk. It will become an open proxy on the Internet that anyone could use to browse the Internet, since privoxy does not have proxy authentication.

If you want to help people with their anonymity online, run a Tor relay instead.
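
Added example, not part of the original thread: a shell check that reads the text printed by `firewall-cmd --zone=<zone> --list-all` and flags an external zone in which Privoxy is reachable, which is the open-proxy condition described above. The function names and sample listings are constructed for illustration, and it assumes Privoxy listens on its default port 8118/tcp.

```shell
#!/bin/sh
# Added example (not from the thread): flag firewalld zones that expose Privoxy.
# Input is text in the format printed by `firewall-cmd --zone=<zone> --list-all`.

# zone_field FIELD: read a listing on stdin, print the value of "  FIELD: ...".
zone_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# audit_zone ZONE LISTING: print "<zone>: privoxy=.. masquerade=.. verdict=..".
audit_zone() {
    zone=$1
    services=$(printf '%s\n' "$2" | zone_field services)
    ports=$(printf '%s\n' "$2" | zone_field ports)
    masq=$(printf '%s\n' "$2" | zone_field masquerade)
    privoxy=no
    # Privoxy is reachable if its service is enabled or its port is opened directly
    # (8118/tcp is assumed to be the listening port, Privoxy's default).
    case " $services " in *" privoxy "*) privoxy=yes ;; esac
    case " $ports " in *" 8118/tcp "*) privoxy=yes ;; esac
    verdict=OK
    # An unauthenticated proxy in the Internet-facing zone needs review: it is
    # an open proxy if that interface is reachable from the Internet.
    if [ "$zone" = external ] && [ "$privoxy" = yes ]; then
        verdict=REVIEW-OPEN-PROXY
    fi
    echo "$zone: privoxy=$privoxy masquerade=${masq:-no} verdict=$verdict"
}

# Constructed sample listings (not captured from a real FreedomBox).
SAMPLE_EXTERNAL_WITH_PRIVOXY='external (active)
  target: default
  interfaces: eth0
  services: http https openvpn privoxy ssh
  ports:
  masquerade: yes'

SAMPLE_INTERNAL_MASQ='internal (active)
  target: default
  interfaces: eth0
  services: dns http https privoxy ssh
  ports:
  masquerade: yes'

audit_zone external "$SAMPLE_EXTERNAL_WITH_PRIVOXY"
audit_zone internal "$SAMPLE_INTERNAL_MASQ"
# On a live system: audit_zone external "$(firewall-cmd --zone=external --list-all)"
```

A REVIEW-OPEN-PROXY verdict only says the service is allowed in the external zone; whether it is actually reachable from the Internet depends on the router's DMZ or port-forwarding setup, as the post above explains.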

Interesting. Thanks.

So if you have a freedombox with only 1 physical ethernet port that is marked as external and is connected with the router via DMZ, would there be a way to use privoxy from inside the network?

Or would you have to mark the physical ethernet port as internal and only forward the ports you need from the router? (and not forward privoxy)

The pioneer freedombox comes with 1 physical ethernet port while the freedombox software seems to function from the perspective that you have one ethernet port for external traffic and one ethernet port for internal traffic.

Yes, this is one way to do this.

Most apps in FreedomBox work well with a single interface, Privoxy and a few others being the exception. We have discussed with the hardware manufacturer how, for some use cases, having two Ethernet interfaces is ideal. They are constrained by various factors and recommended a separate USB Ethernet device. FreedomBox should work well with additional network interfaces connected via USB. Some hardware like the APU comes with many Ethernet ports.

Thanks!

If I’m understanding correctly here are a few options for the pioneer freedombox with 1 ethernet interface:

  • running the ethernet interface as internal and only forward the ports you need from the router (and not forward privoxy). And use your firewall masquerade commands (Using Privoxy with openVPN). Then you would be able to use privoxy+openvpn.
  • running the ethernet interface as external and DMZ. Ability to use openvpn but not be able to use privoxy. And not having to manually forward ports (thanks to the DMZ).