SmallNetBuilder - Small Network Help

  
How To Securely Browse from Anywhere using Hamachi and Squid
Joseph Dabbs   
May 06, 2008

Troubleshooting

If you are having problems getting clients to communicate with Squid, the likely culprit is an overzealous firewall. Due to the myriad firewall/client combinations out there, it’s impossible to create a workaround for them all, but basic troubleshooting can pinpoint the issue.

The first step would be to disable the firewall on both peers and retry the proxy. If the proxy works, turn the firewalls back on and begin modifying the rules to allow Squid to function.

The problems I’ve encountered to date are due to either 1) the firewall on the peer running Squid refusing incoming connections from any host, or 2) the firewall on the host running Squid not allowing the application to access the Internet. The former can be resolved by adding a port exception for TCP 3128 (the default Squid port) and the latter by adding an exception for the Squid proxy application.
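A small client-side check that separates the two causes described above, added here as an example and not part of the original article. It assumes you pass the Squid peer's Hamachi address as the argument; the test URL, the function names and the result labels are made up for illustration, and treating a 5xx reply as cause 2 is a heuristic.

```python
import socket
import sys
from urllib.parse import urlsplit

SQUID_PORT = 3128  # default Squid port, as stated in the article


def classify_status_line(line):
    """Map the first line of the proxy's reply to a likely cause."""
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "unexpected-reply"            # something other than an HTTP proxy answered
    code = int(parts[1])
    if code >= 500:
        # Squid accepted the request but could not fetch the page: consistent
        # with cause 2 (its host firewall blocks Squid's outbound access).
        return "proxy-cannot-reach-internet"
    if code == 403:
        return "denied-by-squid"             # Squid's own access rules, not a firewall
    return "ok"


def diagnose(peer, port=SQUID_PORT, url="http://example.com/", timeout=5.0):
    """Send one proxied GET through the Squid peer and classify the outcome."""
    host = urlsplit(url).hostname
    request = f"GET {url} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    try:
        sock = socket.create_connection((peer, port), timeout=timeout)
    except OSError:
        # Refused or timed out: consistent with cause 1 (no inbound exception
        # for TCP 3128 on the Squid peer), or Squid is simply not running.
        return "port-unreachable"
    with sock:
        try:
            sock.sendall(request)
            reply = sock.recv(4096).decode("latin-1")
        except OSError:
            return "no-reply"
    return classify_status_line(reply.split("\r\n", 1)[0])


if __name__ == "__main__":
    # Usage: python check_squid.py <Hamachi address of the Squid peer>
    print(diagnose(sys.argv[1]))
```

Run it from the remote client with the firewalls enabled: "port-unreachable" points at the inbound TCP 3128 exception, "proxy-cannot-reach-internet" at the application exception for Squid.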

The Hamachi application is very NAT-friendly. In the vast majority of cases, creating a network is accomplished without any snags. However, there is a possibility that, upon startup, Hamachi will choose to use the browser proxy (instead of the Internet) to establish the initial connection with the Hamachi authentication servers. Since a connection must already be established to use the proxy, this results in failure.

The solution is to configure Hamachi to not use the browser’s proxy to connect to the Internet. Click on the System Menu (the “gear” button located at the bottom right of the Hamachi window). Choose Preferences, then in the Status Tab click on Detailed Configuration.

Once there, choose “Disable” in the Connecting via Proxy list, then click OK and close the Status and Configuration window (Figure 11). This will force Hamachi to access the Internet directly when communicating with the Hamachi servers.

Figure 11: Setting Hamachi to not use the proxy connection

If NAT issues prevent peers from connecting, the Detailed Configuration/Connection Preferences window also allows you to specify static ports for incoming connections, which should then be used to configure the NAT device.

Even if Squid and Hamachi are configured properly, there are situations in which a proxy may not function properly, and even stop you from using the Internet. Some schools and hotels rely on a device called a transparent proxy. This type of proxy is used to intercept all HTTP traffic and redirect the user to a page of the owner’s choosing. This is usually done to force the user to acknowledge and accept the owner’s Acceptable Use Policy (AUP) before accessing the provided resources.

Since our solution relies on encrypted traffic, the transparent proxy is unable to function, which often results in a denial of all traffic. The workaround for this is to configure the browser to bypass the proxy, then allow the initial request to be redirected. Once access to the Internet has been granted, the proxy can be reactivated.

Improvements & Conclusion

If you followed the instructions to the letter, you should have a Hamachi network with at least two peers, one of which is running Squid. This is sufficient for temporary operations, but there is potential for disruption. If someone were to close the command prompt window running Squid, the proxy would be knocked offline, leaving remote users without safe HTTP access. If, on the Squid system, the user is logged off or the system is rebooted, Hamachi will not be online until the user logs on again.

This may not be an issue for an afternoon trip. But if the user is overseas, it may be days until connectivity is restored. The easiest way to mitigate these issues is through the use of services. Services are programs that run without requiring user intervention, usually in the background. By eliminating the need for user intervention, the system need merely be turned on and connected to the Internet to work.

Hamachi Premium (the pay version, clients of which are marked with a star) grants you the option of running Hamachi as a service, and provides a trial period for basic (free) clients to upgrade. If you are traveling and predict a system reboot during your absence (Microsoft’s Patch Tuesday is an almost guaranteed reboot), it may be worthwhile to upgrade to Premium. If you choose to upgrade, the option to run as a service is found in the Preferences\Status and Configuration window, under the System tab.

Squid also has the ability to run as a service. The service is installed by running squid with the -i parameter, i.e. squid -i. After the service is installed, it can be configured for future usage by running services.msc, locating the Squid service, and choosing to start the process.

With these two measures combined, a proxy can be maintained with little intervention. Should further maintenance be necessary, I recommend allowing remote access on the peer running Squid. Remote Desktop Protocol (RDP) may come in handy should problems occur.

Hamachi is a flexible, easy-to-use VPN package. Combined with Squid, it presents a solution to a problem many users face. An operational Hamachi network can serve as a platform for the use of other services (like RDP), so if you have any ideas for a follow-up article, just post them in the Comments below.



Tags: Hamachi, Proxy, Squid
