---
## Hello!
I have a VPS server running Ubuntu. I connect to it from a Windows client machine.
### Goal
I want to implement the following connection scheme:
* First, the client (on Windows) connects to a **Squid proxy**, which is installed on my VPS.
* All traffic should then be routed through the **SoftEther VPN Client**, also running on the same VPS.
* Ultimately, the connection should work through the browser using the proxy, and all traffic should be routed through the VPN tunnel.
### Why I'm Doing This
This is the only way I can connect my browser to the VPN — via proxy — **without using additional servers, software, or tools**.
### What I've Done So Far
1. Installed and configured **Squid** on my VPS.
2. On the Windows client, I configured the browser to use the proxy (VPS IP + port 3128).
3. I expect that all browser traffic will go through Squid, then out via the VPN interface (which is connected using SoftEther VPN Client).
4. Therefore, the final external IP address (visible to websites) should be the **VPN IP**, not the VPS IP.
---
### The Problem
At the moment, I'm not entirely sure what I'm doing wrong. I’ve written these instructions myself, and I may have made some mistakes.
I want to go step-by-step, checking results after each stage. But I feel like something is still off — I’d appreciate if someone could point me in the right direction.
Below is a connection diagram and the steps I’ve written. Please review it and let me know if the logic is correct:
```
[Browser on Client]
---> [Squid Proxy on VPS]
---> [SoftEther VPN Client (connected to external VPN)]
---> [VPN Server or VPN Provider]
---> [Internet]
```
---
## Installing Squid
On Debian/Ubuntu:
```bash
sudo apt update
sudo apt install squid -y
```
Edit the config file:
`/etc/squid/squid.conf`
```conf
# Port Squid listens on
http_port 3128
# Allow all clients (CAUTION: use restricted IP ranges in production)
acl allowed_clients src 0.0.0.0/0
http_access allow allowed_clients
# Disable caching (optional)
cache deny all
cache_mem 0 MB
maximum_object_size 0 KB
access_log none
# Hide proxy information
via off
forwarded_for off
# Allow all headers to pass through
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
# Use IPv4 DNS first
dns_v4_first on
```
---
## Check which user Squid runs as
```bash
ps aux | grep squid
```
Example output:
```bash
proxy 1234 0.0 1.2 ... /usr/sbin/squid -sYC
```
So the user is `proxy`.
---
## Configure Policy-Based Routing
Add a new routing table:
```bash
echo "200 vpnroute" | sudo tee -a /etc/iproute2/rt_tables
```
Add a default route to that table via the VPN interface:
```bash
sudo ip route add default dev vpn_vpn table vpnroute
```
Create a rule to use this table for marked traffic:
```bash
sudo ip rule add fwmark 1 table vpnroute
```
---
## Mark Traffic from Squid
```bash
sudo iptables -t mangle -A OUTPUT -m owner --uid-owner proxy -j MARK --set-mark 1
```
---
## Restart Squid
```bash
sudo systemctl restart squid
```
---
Let me know if you'd like me to improve or automate this with a script.
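
The stage-by-stage checks described in the post above can be scripted; this is an added example, not part of the original post. The function names, the sample command output and the numeric UID 13 for the `proxy` user are assumptions, and stage 4 checks something the post does not configure.

```shell
#!/usr/bin/env bash
# Added example. Each check reads command output on stdin, so it works on
# saved output as well as on a live host.

# Stage 1: `ip rule show` sends fwmark $1 to table $2.
has_fwmark_rule() {
    local hex; hex=$(printf '0x%x' "$1")
    grep -Eq "fwmark ${hex}(/0x[0-9a-f]+)? lookup $2( |\$)"
}

# Stage 2: `ip route show table vpnroute` has a default route on device $1.
has_default_dev() {
    grep -Eq "^default( .*)? dev $1( |\$)"
}

# Stage 3: `iptables -t mangle -S OUTPUT` marks numeric UID $1 with mark $2
# (iptables prints --set-mark 1 as --set-xmark 0x1/0xffffffff).
has_owner_mark() {
    local hex; hex=$(printf '0x%x' "$2")
    grep -Eq -e "--uid-owner $1 .*-j MARK --set-x?mark ${hex}(/| |\$)"
}

# Stage 4 (assumption, not in the post): a packet rerouted by its mark keeps
# the source address chosen before marking, so look for SNAT or MASQUERADE on
# the VPN device in `iptables -t nat -S POSTROUTING`.
has_vpn_nat() {
    grep -Eq -e "-o $1 .*-j (MASQUERADE|SNAT)"
}

# Live use: check_live <uid> <mark> <table> <dev>, e.g. check_live 13 1 vpnroute vpn_vpn
check_live() {
    local rc=0
    ip rule show | has_fwmark_rule "$2" "$3" || { echo "FAIL: ip rule"; rc=1; }
    ip route show table "$3" | has_default_dev "$4" || { echo "FAIL: route"; rc=1; }
    iptables -t mangle -S OUTPUT | has_owner_mark "$1" "$2" || { echo "FAIL: mark"; rc=1; }
    iptables -t nat -S POSTROUTING | has_vpn_nat "$4" || { echo "FAIL: nat"; rc=1; }
    return "$rc"
}

# Constructed sample output (UID 13 is an assumed value for the proxy user).
SAMPLE_RULES='32765: from all fwmark 0x1 lookup vpnroute
32766: from all lookup main'
SAMPLE_ROUTES='default dev vpn_vpn scope link'
SAMPLE_MANGLE='-A OUTPUT -m owner --uid-owner 13 -j MARK --set-xmark 0x1/0xffffffff'
SAMPLE_NAT='-P POSTROUTING ACCEPT'
printf '%s\n' "$SAMPLE_NAT" | has_vpn_nat vpn_vpn || echo "sample: no NAT rule on vpn_vpn"
```

On the VPS, run `check_live "$(id -u proxy)" 1 vpnroute vpn_vpn` as root after each step of the setup.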
Connecting to Softether VPN via Proxy
Re: Connecting to Softether VPN via Proxy
Use Squid's tcp_outgoing_address directive.
Re: Connecting to Softether VPN via Proxy
It says that the proxy server refuses to accept the connection, so I am including the status and the log:
```bash
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Wed Oct 1 10:15:28 2025 from 10.8.0.124
root@Threadbare-Bid:~# sudo systemctl status squid
● squid.service - Squid Web Proxy Server
Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; preset:
enabled)
Active: active (running) since Wed 2025-10-01 10:13:59 BST; 5min ago
Docs: man:squid(8)
Process: 570 ExecStartPre=/usr/sbin/squid --foreground -z (code=exited, status=0/SUCCESS)
Main PID: 623 (squid)
Tasks: 3 (limit: 629145)
Memory: 29.1M (peak: 29.4M)
CPU: 275ms
CGroup: /system.slice/squid.service
├─623 /usr/sbin/squid --foreground -sYC
├─635 "(squid-1)" --kid squid-1 --foreground -sYC
└─641 "(pinger)"
Oct 01 10:13:59 Threadbare-Bid.com squid[635]: Finished loading MIME types and icons.
Oct 01 10:13:59 Threadbare-Bid.com squid[635]: HTCP Disabled.
Oct 01 10:13:59 Threadbare-Bid.com squid[635]: Pinger socket opened on FD 13
Oct 01 10:13:59 Threadbare-Bid.com squid[635]: Squid plugin modules loaded: 0
Oct 01 10:13:59 Threadbare-Bid.com squid[635]: Adaptation support is off.
Oct 01 10:13:59 Threadbare-Bid.com squid[635]: Accepting HTTP Socket connections at conn3 local=[::]:3128 remote=[::] FD 10 flags=9
listening port: 3128
Oct 01 10:13:59 Threadbare-Bid.com squid[635]: Accepting HTTP Socket connections at conn5 local=[::]:3128 remote=[::] FD 11 flags=9
listening port: 3128
Oct 01 10:13:59 Threadbare-Bid.com systemd[1]: Started squid.service - Squid Web Proxy Server.
Oct 01 10:13:59 Threadbare-Bid.com squid[635]: ERROR: listen(..., 256) system call failed: (98) Address already in use
listening port: 3128
Oct 01 10:14:00 Threadbare-Bid.com squid[635]: storeLateRelease: released 0 objects
root@Threadbare-Bid:~#
```
Logs
```bash
root@Threadbare-Bid:~# sudo tail -n 30 /var/log/squid/access.log
sudo tail -n 30 /var/log/squid/cache.log
1759229279.405 1 10.8.0.125 NONE_NONE/400 3851 - / - HIER_NONE/- text/html
1759229279.694 0 10.8.0.125 TCP_HIT/200 11702 GET http://threadbare-bid.com:3128/squid-in ... ons/SN.png - HIER_NONE/- image/png
1759229279.787 0 10.8.0.125 NONE_NONE/400 3873 - /favicon.ico - HIER_NONE/- text/html
1759229284.851 0 10.8.0.125 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1759229288.010 0 10.8.0.125 NONE_NONE/400 3681 - error:invalid-request - HIER_NONE/- text/html
1759229288.187 0 10.8.0.125 NONE_NONE/400 3681 - error:invalid-request - HIER_NONE/- text/html
1759229394.548 0 10.8.0.125 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1759230268.085 0 10.8.0.125 NONE_NONE/400 3851 - / - HIER_NONE/- text/html
1759230272.633 0 10.8.0.125 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1759230682.719 315 127.0.0.1 TCP_MISS/200 1633 GET http://example.com/ - HIER_DIRECT/23.220.75.232 text/html
1759230706.094 29 127.0.0.1 TCP_MISS/301 889 GET http://google.com/ - HIER_DIRECT/172.217.23.206 text/html
1759230743.425 60 127.0.0.1 TCP_MISS/200 20932 GET http://www.google.com/ - HIER_DIRECT/142.250.179.132 text/html
1759231372.042 318 192.168.203.113 TCP_MISS/200 248 GET http://get-my-ip.ddns.softether-network ... tmyip.ashx? - HIER_DIRECT/54.70.59.22 text/plain
1759231372.819 709 192.168.203.113 TCP_TUNNEL/200 2785 CONNECT x1.xd.servers.ddns.softether-network.net:443 - HIER_DIRECT/103.41.63.66 -
1759231442.446 0 10.8.0.125 NONE_NONE/400 3851 - / - HIER_NONE/- text/html
2025/10/01 10:13:59 kid1| With 1024 file descriptors available
2025/10/01 10:13:59 kid1| Initializing IP Cache...
2025/10/01 10:13:59 kid1| DNS IPv6 socket created at [::], FD 8
2025/10/01 10:13:59 kid1| DNS IPv4 socket created at 0.0.0.0, FD 9
2025/10/01 10:13:59 kid1| Adding nameserver 127.0.0.53 from /etc/resolv.conf
2025/10/01 10:13:59 kid1| Adding domain . from /etc/resolv.conf
2025/10/01 10:13:59 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2025/10/01 10:13:59 kid1| Store logging disabled
2025/10/01 10:13:59 kid1| Swap maxSize 0 + 0 KB, estimated 0 objects
2025/10/01 10:13:59 kid1| Target number of buckets: 0
2025/10/01 10:13:59 kid1| Using 8192 Store buckets
2025/10/01 10:13:59 kid1| Max Mem size: 0 KB
2025/10/01 10:13:59 kid1| Max Swap size: 0 KB
2025/10/01 10:13:59 kid1| Using Least Load store dir selection
2025/10/01 10:13:59 kid1| Set Current Directory to /var/spool/squid
2025/10/01 10:13:59 kid1| Finished loading MIME types and icons.
2025/10/01 10:13:59 kid1| HTCP Disabled.
2025/10/01 10:13:59 kid1| Pinger socket opened on FD 13
2025/10/01 10:13:59 kid1| Squid plugin modules loaded: 0
2025/10/01 10:13:59 kid1| Adaptation support is off.
2025/10/01 10:13:59 kid1| Accepting HTTP Socket connections at conn3 local=[::]:3128 remote=[::] FD 10 flags=9
listening port: 3128
2025/10/01 10:13:59 kid1| Accepting HTTP Socket connections at conn5 local=[::]:3128 remote=[::] FD 11 flags=9
listening port: 3128
2025/10/01 10:13:59 kid1| ERROR: listen(..., 256) system call failed: (98) Address already in use
listening port: 3128
2025/10/01 10:13:59 pinger| Initialising ICMP pinger ...
2025/10/01 10:13:59 pinger| ICMP socket opened.
2025/10/01 10:13:59 pinger| ICMPv6 socket opened
2025/10/01 10:14:00 kid1| storeLateRelease: released 0 objects
root@Threadbare-Bid:~#
```
http/https: 194.5.97.179:3128 is what I entered for the connection.
Here is the config:
```conf
# Port to listen on
http_port 3128
# Allow client access (the whole network is specified here, be careful!)
acl allowed_clients src 0.0.0.0/0
http_access allow allowed_clients
# Disable caching (optional)
cache deny all
cache_mem 0 MB
maximum_object_size 0 KB
access_log none
# Hide proxy information
via off
forwarded_for off
# Allow all headers (obfuscation)
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
# Allow DNS queries over IPv4
dns_v4_first on
# Use the VPN interface IP for outgoing traffic
tcp_outgoing_address 10.8.0.1
# WELCOME TO SQUID 6.13
# ----------------------------
#
# This is the documentation for the Squid configuration file.
# This documentation can also be found online at:
# http://www.squid-cache.org/Doc/config/
#
# You may wish to look at the Squid home page and wiki for the
# FAQ and other documentation: .....
```
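
The logs above show two "Accepting HTTP Socket connections" lines for port 3128 followed by `listen()` failing with "Address already in use", which is consistent with the same port being declared by more than one `http_port` line, and the config allows every source address to use the proxy. The checks below are an added example, not part of the thread: the function names are hypothetical, the sample config is constructed, and it assumes the elided remainder of the file still holds stock directives.

```shell
#!/usr/bin/env bash
# Added example. Both config checks read squid.conf text on stdin.

# Print every port bound by more than one active http_port line.
duplicate_http_ports() {
    awk '$1 == "http_port" { n = split($2, a, ":"); print a[n] }' | sort | uniq -d
}

# Print ACLs that match every IPv4 source and are used in "http_access allow".
open_allow_acls() {
    awk '
        BEGIN { wide["all"] = 1 }                 # built-in ACL "all"
        $1 == "acl" && $3 == "src" {
            for (i = 4; i <= NF; i++) if ($i == "0.0.0.0/0") wide[$2] = 1
        }
        $1 == "http_access" && $2 == "allow" {
            for (i = 3; i <= NF; i++) if ($i in wide) print $i
        }'
}

# Succeed if cache.log text on stdin records listen() failing with EADDRINUSE.
log_has_listen_conflict() {
    grep -Eq 'listen\(.*\) system call failed: \(98\) Address already in use'
}

# Constructed sample: custom directives on top of a stock-style remainder.
SAMPLE_CONF='http_port 3128
acl allowed_clients src 0.0.0.0/0
http_access allow allowed_clients
tcp_outgoing_address 10.8.0.1
# WELCOME TO SQUID 6.13
#http_port 8080
http_access allow localhost
http_access deny all
http_port 3128'
SAMPLE_LOG='2025/10/01 10:13:59 kid1| ERROR: listen(..., 256) system call failed: (98) Address already in use'

printf '%s\n' "$SAMPLE_CONF" | duplicate_http_ports   # prints 3128
```

On the VPS, run `duplicate_http_ports < /etc/squid/squid.conf` and `open_allow_acls < /etc/squid/squid.conf`; any ACL the second command prints should be narrowed to the client addresses that are meant to use the proxy.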
Re: Connecting to Softether VPN via Proxy
Hi. In general, in your personal account you can configure port forwarding to local ports in the VPS system, that is, there are bullet ports -> local ports. Until you write them here, the traffic will not go through and, accordingly, the proxy will not work at all. Thank you.