Old 10-19-2019, 06:12 AM   #1
elcolo
LQ Newbie
 
Registered: Oct 2019
Posts: 3

Rep: Reputation: Disabled
Squid proxy server using WAN and 3G connection


Hello guys, I'm new over here.

I'm using Squid proxy server in a Raspberry with the idea of having a transparent proxy reachable both from LAN and Internet using a 3G connection as proxy gateway, something like this:

LAN users -> home router -> squid on Raspberry -> Internet over 3G connection

Internet users -> home router port forwarding from static public IP to Raspberry IP and port -> squid on Raspberry -> Internet over 3G

I was able to make the LAN solution work but I'm unable to do it through the public IP address.

In tcpdump I see packets coming in and out as well as in the squid access log, but proxy doesn't work from outside the network.

Any idea? Any test you want me to share? thanks in advance!
 
Old 10-19-2019, 03:26 PM   #2
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,683

Rep: Reputation: 783
you want squid to serve as a proxy for "anyone" on the internet via the 3G connection
I say "anyone" but mean, someone with passwords etc.

well, if the pi was connected to the internet via a router I would say set up a port forward on the router, port 3128 to the pi 3128
I'm not sure how this works with a 3G service


can I assume squid is listening on the correct net interface?
you may need to share your squid.conf and firewall setup

but really I would dig deeper into what the 3G service will let you do, and how you configure it
 
Old 10-19-2019, 03:29 PM   #3
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,683

Rep: Reputation: 783
wait, I think something may have clicked

you want squid to be available via the public IP using its 3G connection as the connection to clearnet

This will be due to the ACL setup on squid
You will have to configure it to allow users outside your lan.
 
Old 10-19-2019, 03:43 PM   #4
elcolo
LQ Newbie
 
Registered: Oct 2019
Posts: 3

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Firerat
wait, I think something may have clicked

you want squid to be available via the public IP using its 3G connection as the connection to clearnet

This will be due to the ACL setup on squid
You will have to configure it to allow users outside your lan.

Hi Firerat, thanks for your answer. You're right, that's the idea: squid to be available via the public IP that my residential provider gives me, but using the 3G connection as proxy gateway.

The router config is ok as I forwarded port 3128 to the private IP address of the Raspberry (I tried "tnc public_ip -port 3128" from Windows PowerShell and it shows the port is open, so that's fine).

From the proxy side, I've set a temporary "http_access allow all" and I do see connections in access.log file with source IP address 192.168.1.1 (that's ok as the router is the one that sends the packets coming from Internet) but it does not work.

I have some logs from access.log file while trying to open google.com from a laptop connected to the proxy over Internet:

1571517517.340 10347 192.168.1.1 TCP_TUNNEL/200 39 CONNECT clients4.google.com:443 - HIER_DIRECT/172.217.16.238 -
1571517518.630 10658 192.168.1.1 TCP_TUNNEL/200 39 CONNECT www.google.com:443 - HIER_DIRECT/172.217.17.4 -
1571517518.670 10680 192.168.1.1 TCP_TUNNEL/200 39 CONNECT www.google.com:443 - HIER_DIRECT/172.217.17.4 -
1571517518.801 10505 192.168.1.1 TCP_TUNNEL/200 39 CONNECT www.google.com:443 - HIER_DIRECT/172.217.17.4 -
1571517518.810 10364 192.168.1.1 TCP_TUNNEL/200 39 CONNECT www.google.com:443 - HIER_DIRECT/172.217.17.4 -
1571517518.962 0 192.168.1.1 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1571517518.962 0 192.168.1.1 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1571517519.160 10926 192.168.1.1 TCP_TUNNEL/200 39 CONNECT s2.googleusercontent.com:443 - HIER_DIRECT/172.217.16.225 -
1571517519.540 10380 192.168.1.1 TCP_TUNNEL/200 39 CONNECT www.google.com:443 - HIER_DIRECT/172.217.17.4 -
1571517519.610 10802 192.168.1.1 TCP_TUNNEL/200 39 CONNECT www.gstatic.com:443 - HIER_DIRECT/216.58.211.35 -
1571517522.250 10380 192.168.1.1 TCP_TUNNEL/200 39 CONNECT ssl.gstatic.com:443 - HIER_DIRECT/172.217.168.163 -
1571517523.300 10158 192.168.1.1 TCP_TUNNEL/200 39 CONNECT www.google.com:443 - HIER_DIRECT/172.217.17.4 -
1571517529.230 10257 192.168.1.1 TCP_TUNNEL/200 39 CONNECT www.google.com:443 - HIER_DIRECT/172.217.17.4 -
1571517534.970 10350 192.168.1.1 TCP_TUNNEL/200 39 CONNECT www.google.com:443 - HIER_DIRECT/172.217.17.4 -
1571517534.980 10372 192.168.1.1 TCP_TUNNEL/200 39 CONNECT www.gstatic.com:443 - HIER_DIRECT/216.58.211.35 -
1571517539.220 10401 192.168.1.1 TCP_TUNNEL/200 39 CONNECT mail.google.com:443 - HIER_DIRECT/172.217.168.165 -
1571517543.010 10244 192.168.1.1 TCP_TUNNEL/200 39 CONNECT ssl.gstatic.com:443 - HIER_DIRECT/172.217.168.163 -
1571517549.600 10246 192.168.1.1 TCP_TUNNEL/200 2665 CONNECT www.google.com:443 - HIER_DIRECT/172.217.17.4 -

Given that, I assume the traffic is reaching the Raspberry and it tries to act as a proxy, but I have no clue why it's not working
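
Added example, not part of the original posts: a small parser for the access.log lines quoted above (Squid's native log format) that counts client addresses and flags CONNECT tunnels whose logged size equals the bare `200 Connection established` reply, i.e. tunnels through which nothing from the origin was relayed back. The sample lines are copied from the excerpt; the function names and the 5-second threshold are assumptions, as is reading the size column as bytes sent to the client.

```python
from collections import Counter

# Squid answers a successful CONNECT with this reply before relaying any data.
CONNECT_REPLY_LEN = len(b"HTTP/1.1 200 Connection established\r\n\r\n")  # 39

# Sample input: four lines copied from the access.log excerpt in the post.
SAMPLE_LOG = """\
1571517517.340 10347 192.168.1.1 TCP_TUNNEL/200 39 CONNECT clients4.google.com:443 - HIER_DIRECT/172.217.16.238 -
1571517518.630 10658 192.168.1.1 TCP_TUNNEL/200 39 CONNECT www.google.com:443 - HIER_DIRECT/172.217.17.4 -
1571517518.962 0 192.168.1.1 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1571517549.600 10246 192.168.1.1 TCP_TUNNEL/200 2665 CONNECT www.google.com:443 - HIER_DIRECT/172.217.17.4 -
"""


def parse_line(line):
    """Parse one native-format line; return None if it does not fit the format."""
    f = line.split()
    try:
        result, _, status = f[3].partition("/")
        return {"elapsed_ms": int(f[1]), "client": f[2], "result": result,
                "status": status, "bytes": int(f[4]), "method": f[5], "url": f[6]}
    except (IndexError, ValueError):
        return None


def summarize(text, min_elapsed_ms=5000):
    """Count client addresses and list tunnels that stayed open but relayed nothing."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    tunnels = [e for e in entries if e["result"] == "TCP_TUNNEL"]
    stalled = [e["url"] for e in tunnels
               if e["bytes"] == CONNECT_REPLY_LEN and e["elapsed_ms"] >= min_elapsed_ms]
    return {"clients": Counter(e["client"] for e in entries),
            "tunnels": len(tunnels),
            "stalled": stalled,
            "aborted": sum(e["url"].startswith("error:") for e in entries)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, every request is logged with the router's address as client, and two of the three tunnels carried only the 39-byte reply after about ten seconds.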
 
Old 10-19-2019, 03:58 PM   #5
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,683

Rep: Reputation: 783
it works fine for users on the lan
but fails from users connecting from outside world

this is almost certainly due to the way acl is configured

http://www.squid-cache.org/Doc/config/acl/

quick example

Code:
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
acl localnet src fc00::/7       	# RFC 4193 local private network range
acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines

once you start adding external IPs you need to be mindful of the potential abuse you will be opening yourself up to.
You don't want to be running an open proxy
make sure you lock it down
Access via a VPN is probably easiest
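
Added example, not from the original posts: a simplified model of how Squid evaluates `http_access` lines (top to bottom, first matching line decides), run against the IPv4 `localnet` ranges from the post. Since forwarded Internet connections are reported in this thread to arrive with source 192.168.1.1, it shows that `allow localnet` alone admits them and how requiring authentication for that address changes the outcome. `wan_via_router` and `authed` are hypothetical ACL names, and the model covers only `src`-style ACLs plus one authentication flag.

```python
import ipaddress

# Constructed model of the ACLs: IPv4 ranges from the localnet example in the post,
# plus two hypothetical names (wan_via_router, authed) that are not on the page.
ACLS = {
    "all": ["0.0.0.0/0"],
    "localnet": ["10.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16",
                 "172.16.0.0/12", "192.168.0.0/16"],
    "wan_via_router": ["192.168.1.1/32"],  # source seen for forwarded Internet clients
}

# Three http_access rule sets, in file order: (action, [ACLs that must all match]).
ALLOW_ALL = [("allow", ["all"])]
LOCALNET_ONLY = [("allow", ["localnet"]), ("deny", ["all"])]
AUTH_FOR_WAN = [("deny", ["wan_via_router", "!authed"]),
                ("allow", ["localnet"]),
                ("deny", ["all"])]


def acl_matches(acl, src, authenticated):
    """Evaluate one ACL reference; a leading '!' negates it."""
    negate, name = acl.startswith("!"), acl.lstrip("!")
    if name == "authed":  # stands in for a proxy_auth ACL
        hit = authenticated
    else:
        addr = ipaddress.ip_address(src)
        hit = any(addr in ipaddress.ip_network(net) for net in ACLS[name])
    return hit != negate


def decide(rules, src, authenticated=False):
    """Return 'allow' or 'deny' the way http_access does: first matching line wins."""
    last = None
    for action, acls in rules:
        if all(acl_matches(a, src, authenticated) for a in acls):
            return action
        last = action
    if last is None:
        return "deny"  # no http_access lines at all: access is denied
    return "deny" if last == "allow" else "allow"  # no match: opposite of the last line


if __name__ == "__main__":
    for name, rules in [("ALLOW_ALL", ALLOW_ALL), ("LOCALNET_ONLY", LOCALNET_ONLY),
                        ("AUTH_FOR_WAN", AUTH_FOR_WAN)]:
        print(name, "router-forwarded, no credentials:", decide(rules, "192.168.1.1"))
```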
 
Old 10-19-2019, 04:07 PM   #6
elcolo
LQ Newbie
 
Registered: Oct 2019
Posts: 3

Original Poster
Rep: Reputation: Disabled
But below those ACLs is the line I mentioned: "http_access allow localnet". I changed localnet for "all" during my tests so it should allow connections from everywhere.

I don't think it is something related to the ACLs, but thanks for your help, I'll take a look at them.
 
Old 10-19-2019, 04:11 PM   #7
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,683

Rep: Reputation: 783
try


Code:
curl -v --proxy publicip:3128 ifconfig.me

ifconfig.me will simply return the External IP address, which is handy for checking proxies
the -v should give you some handy debugging info
 
  


All times are GMT -5. The time now is 02:28 PM.
