Connecting to SoftEther VPN via Proxy
Posted: Tue Sep 30, 2025 2:50 pm
---
## Hello!
I have a VPS server running Ubuntu. I connect to it from a Windows client machine.
### Goal
I want to implement the following connection scheme:
* First, the client (on Windows) connects to a **Squid proxy**, which is installed on my VPS.
* All traffic should then be routed through the **SoftEther VPN Client**, also running on the same VPS.
* Ultimately, the connection should work through the browser using the proxy, and all traffic should be routed through the VPN tunnel.
### Why I'm Doing This
This is the only way I can connect my browser to the VPN — via proxy — **without using additional servers, software, or tools**.
### What I've Done So Far
1. Installed and configured **Squid** on my VPS.
2. On the Windows client, I configured the browser to use the proxy (VPS IP + port 3128).
3. I expect that all browser traffic will go through Squid, then out via the VPN interface (which is connected using SoftEther VPN Client).
4. Therefore, the final external IP address (visible to websites) should be the **VPN IP**, not the VPS IP.
---
### The Problem
At the moment, I'm not entirely sure what I'm doing wrong. I’ve written these instructions myself, and I may have made some mistakes.
I want to go step-by-step, checking results after each stage. But I feel like something is still off — I’d appreciate if someone could point me in the right direction.
Below is a connection diagram and the steps I’ve written. Please review it and let me know if the logic is correct:
```
[Browser on Client]
---> [Squid Proxy on VPS]
---> [SoftEther VPN Client (connected to external VPN)]
---> [VPN Server or VPN Provider]
---> [Internet]
```
---
## Installing Squid
On Debian/Ubuntu:
```bash
sudo apt update
sudo apt install squid -y
```
Edit the config file:
`/etc/squid/squid.conf`
```conf
# Port Squid listens on
http_port 3128
# Allow all clients (CAUTION: use restricted IP ranges in production)
acl allowed_clients src 0.0.0.0/0
http_access allow allowed_clients
# Disable caching (optional)
cache deny all
cache_mem 0 MB
maximum_object_size 0 KB
# Disable access logging (Squid keeps no record of who used the proxy)
access_log none
# Hide proxy information
via off
forwarded_for off
# Allow all headers to pass through
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
# Use IPv4 DNS first
dns_v4_first on
```
---
## Check which user Squid runs as
```bash
ps aux | grep squid
```
Example output:
```
proxy 1234 0.0 1.2 ... /usr/sbin/squid -sYC
```
So the user is `proxy`.
---
## Configure Policy-Based Routing
Add a new routing table:
```bash
echo "200 vpnroute" | sudo tee -a /etc/iproute2/rt_tables
```
Add a default route to that table via the VPN interface:
```bash
sudo ip route add default dev vpn_vpn table vpnroute
```
Create a rule to use this table for marked traffic:
```bash
sudo ip rule add fwmark 1 table vpnroute
```
---
## Mark Traffic from Squid
```bash
sudo iptables -t mangle -A OUTPUT -m owner --uid-owner proxy -j MARK --set-mark 1
```
---
## Restart Squid
```bash
sudo systemctl restart squid
```
---
Let me know if you'd like me to improve or automate this with a script.
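Added example, not part of the original post: a POSIX shell audit of the setup above that reports whether `squid.conf` allows every source address and which links of the fwmark routing chain are absent. It uses the names from the post (`vpn_vpn`, `vpnroute`/200, mark 1); the source-NAT check is an addition based on how Linux re-routes marked local packets, and the sample command output is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the setup described above.
# Names taken from the post: vpn_vpn, vpnroute (table 200), fwmark 1.

# Print ACL names that a single-ACL "http_access allow" opens to every source.
# $1 = text of squid.conf
squid_open_acls() (
  printf '%s\n' "$1" | awk '
    $1 == "acl" && $3 == "src" {
      for (i = 4; i <= NF; i++) if ($i == "0.0.0.0/0" || $i == "all") wide[$2] = 1
    }
    $1 == "http_access" && $2 == "allow" && NF == 3 && (($3 in wide) || $3 == "all") { print $3 }'
)

# Print the pieces of the policy-routing chain that are absent.
# $1 = `ip rule show`                 $2 = `ip route show table vpnroute`
# $3 = `iptables -t mangle -S OUTPUT` $4 = `iptables -t nat -S POSTROUTING`
pbr_missing() (
  has() { printf '%s\n' "$1" | grep -Eq -- "$2"; }
  m=""
  has "$1" 'fwmark 0x1 lookup (vpnroute|200)' || m="$m rule"
  has "$2" '^default .*dev vpn_vpn' || m="$m route"
  has "$3" '--uid-owner [^ ]+ .*-j MARK --set-x?mark 0x1(/| |$)' || m="$m mark"
  # Marked packets keep the source address chosen before re-routing, so they
  # need source NAT on the VPN interface or replies never return through it.
  has "$4" '-o vpn_vpn .*-j (MASQUERADE|SNAT)' || m="$m nat"
  echo "${m# }"
)

# Constructed sample: state after running only the commands in the post.
SAMPLE_CONF='acl allowed_clients src 0.0.0.0/0
http_access allow allowed_clients'
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup vpnroute
32766: from all lookup main'
SAMPLE_ROUTES='default dev vpn_vpn scope link'
SAMPLE_MANGLE='-P OUTPUT ACCEPT
-A OUTPUT -m owner --uid-owner 13 -j MARK --set-xmark 0x1/0xffffffff'
SAMPLE_NAT='-P POSTROUTING ACCEPT'

if [ "${1:-}" = "live" ]; then   # run as root on the VPS to audit real state
  echo "open ACLs: $(squid_open_acls "$(cat /etc/squid/squid.conf)")"
  echo "missing:   $(pbr_missing "$(ip rule show)" \
    "$(ip route show table vpnroute 2>/dev/null)" \
    "$(iptables -t mangle -S OUTPUT)" "$(iptables -t nat -S POSTROUTING)")"
else
  echo "open ACLs: $(squid_open_acls "$SAMPLE_CONF")"
  echo "missing:   $(pbr_missing "$SAMPLE_RULES" "$SAMPLE_ROUTES" "$SAMPLE_MANGLE" "$SAMPLE_NAT")"
fi
```

An empty "missing" list only shows the rules are in place; the final check is still the external IP seen through the proxy.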