# iOS: Settings → Wi-Fi → [network] → Configure DNS → Manual → 8.8.8.8
# Android: Settings → Network → Private DNS → dns.google
# Windows: Network adapter settings → IPv4 → DNS servers → 8.8.8.8
# Each of these replaces the DHCP-assigned resolver on the device itself, so a filter that
# only acts at the router's DNS never sees the lookups. Note that Android's "Private DNS"
# is DNS-over-TLS (TCP/853), not plain port-53 DNS, so a port-53 intercept does not catch it either.
about:config → network.trr.mode = 2 (DoH preferred, falling back to the system resolver if the DoH server fails; 3 = DoH only, no fallback; 5 = DoH off)
[Client] → [iptables REDIRECT] → [Squid proxy] → [Category filter] → [Internet]
↑ Hard to bypass from the client side: plain HTTP (TCP/80) is redirected inside the gateway's kernel, so no device DNS or browser setting routes around it. This holds only for what the rules actually catch — anything the firewall still forwards (IPv6, UDP/443 QUIC, non-standard ports, VPN or DoH endpoints) remains a way out unless it is blocked too.
# Redirect all HTTP to transparent Squid port
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \ ! -d 192.168.1.1 -j REDIRECT --to-port 3128 # Block direct HTTPS bypassing the proxy
# (Squid handles HTTPS via CONNECT in explicit mode)
# Force all clients to use explicit proxy for HTTPS:
iptables -A FORWARD -p tcp --dport 443 -j DROP
# Redirect all HTTP to transparent Squid port
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \ ! -d 192.168.1.1 -j REDIRECT --to-port 3128 # Block direct HTTPS bypassing the proxy
# (Squid handles HTTPS via CONNECT in explicit mode)
# Force all clients to use explicit proxy for HTTPS:
iptables -A FORWARD -p tcp --dport 443 -j DROP
# Redirect all HTTP to transparent Squid port
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \ ! -d 192.168.1.1 -j REDIRECT --to-port 3128 # Block direct HTTPS bypassing the proxy
# (Squid handles HTTPS via CONNECT in explicit mode)
# Force all clients to use explicit proxy for HTTPS:
iptables -A FORWARD -p tcp --dport 443 -j DROP
192.168.1.1:3128
FORWARD DROP
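# /etc/squid/squid.conf — hand every request URL to squidGuard for
# category filtering.
#
# In the original listing the file-path comment and the directive sat on
# one line, so `url_rewrite_program` was itself commented out and the
# helper never ran; the pair was also repeated three times.
#
# NOTE(review): REDIRECTed (transparent) traffic needs a port in
# intercept mode, e.g. `http_port 3129 intercept`, in addition to the
# explicit port clients use for CONNECT; one port cannot do both.
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 5
# Keep the default explicit: with `on`, Squid passes requests through
# unfiltered whenever all helpers are busy, which silently defeats the
# filter under load.
url_rewrite_bypass off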
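# /etc/squidguard/squidGuard.conf
#
# Reformatted from the collapsed listing: `dbhome` had been swallowed by
# the file-path comment (so it was never set) and the remaining
# directives were run together on two lines; the block was repeated
# three times.
dbhome /var/lib/squidguard/db
logdir /var/log/squidguard

# Destination groups. Paths are relative to dbhome; compiled .db files
# (squidGuard -C) are used when present, the text lists otherwise.
dest adult {
    domainlist adult/domains
    urllist    adult/urls
}

dest anonymizers {
    domainlist anonymizers/domains
}

acl {
    default {
        # Evaluated left to right, first match wins; `all` is the
        # final catch-all so anything not in a blocked group passes.
        pass !adult !anonymizers all
        # Where blocked requests are sent. For a blocked HTTPS CONNECT
        # the browser typically shows a connection/certificate error
        # rather than this page, since the redirect is plain HTTP.
        redirect http://192.168.1.1/blocked.html
    }
}

# NOTE(review): if squidGuard cannot open dbhome, a list file or logdir
# (typical after a root-run rebuild leaves root-owned .db files) it
# enters "emergency mode" and passes every request; check
# squidGuard.log after each rebuild.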
anonymizers
CONNECT www.adult-site.com:443 HTTP/1.1
Host: www.adult-site.com:443
CONNECT www.adult-site.com:443 HTTP/1.1
Host: www.adult-site.com:443
CONNECT www.adult-site.com:443 HTTP/1.1
Host: www.adult-site.com:443
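# Block HTTPS to listed sites at the CONNECT stage (explicit proxy mode).
#
# The original matched the domain file with ssl::server_name_regex: the
# entries are plain domains, so as unanchored regexes "." matches any
# character and "example.com" also hits "example-com.cdn.net" and
# similar; the rule was also listed three times. dstdomain matches the
# CONNECT target host exactly — use a leading dot in the file
# (".example.com") to cover subdomains. One entry per line.
acl adult_ssl dstdomain "/etc/squid/adult_domains.txt"
# http_access is first-match: this deny must appear before any
# `http_access allow localnet` or it is never reached.
http_access deny CONNECT adult_ssl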
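# /etc/ipsec.conf — strongSwan full-tunnel VPN
#
# Reformatted from the collapsed listing: the inline comment after
# leftsubnet had swallowed rightsourceip, rightdns and auto=add, so
# none of them were in effect; the conn was also defined three times.
conn family-devices
    keyexchange=ikev2
    # Offer 0.0.0.0/0 so the client sends all IPv4 traffic through the tunnel.
    leftsubnet=0.0.0.0/0
    # Virtual addresses handed out to connecting devices.
    rightsourceip=10.9.0.0/24
    # Push the filtering gateway as the resolver (internal DNS).
    rightdns=192.168.1.1
    auto=add
    # NOTE(review): authentication settings (leftcert/leftid, rightauth
    # or eap_*) are not part of this excerpt; the conn does not load
    # without them.
    # NOTE(review): IPv4 only. Devices with native IPv6 can send traffic
    # and DNS outside the tunnel unless ::/0 is tunnelled as well or IPv6
    # is disabled on the client — confirm against the client platforms.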
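<!-- VPN payload excerpt: start the tunnel automatically.
     The original fragment repeated these keys three times; inside a
     single payload dict that is malformed (duplicate keys). -->
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
    <dict>
        <!-- A single unconditional rule: connect on any network. -->
        <key>Action</key>
        <string>Connect</string>
    </dict>
</array>
<!-- NOTE(review): On-demand only brings the tunnel up; it does not, by
     itself, stop the user from switching the VPN off in Settings or
     keep traffic off the network when the server is unreachable.
     Presumably a non-removable profile / Always-On VPN on a supervised
     device is needed for that — confirm for the target iOS version. -->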
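# Rebuild the squidGuard category databases from the list files under
# dbhome and make Squid restart its rewrite helpers so they load them.
# (The original listed the same entry twice, running the rebuild twice.)
#
# NOTE: `squidGuard -C all` only compiles the text lists already on disk;
# fetching a fresh list is a separate step that has to run before this.
#
# NOTE(review): when this runs as root the rebuilt .db files are
# root-owned, the helper (which runs as Squid's user) can no longer
# open them, and squidGuard fails open. The chown below restores
# ownership; "proxy" is the Debian/Ubuntu default — set it to the
# account Squid actually runs as.
SQUID_USER=proxy
0 3 * * * /usr/bin/squidGuard -C all && chown -R "$SQUID_USER": /var/lib/squidguard/db && /usr/bin/squid -k reconfigure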
# Update squidGuard category database
0 3 * * * /usr/bin/squidGuard -C all && /usr/bin/squid -k reconfigure
- Firefox: enables Cloudflare DoH by default in the regions where Mozilla has rolled it out (about:config → network.trr.mode = 2)
- Windows 11: DoH supported natively, configurable without admin rights
- Chrome: upgrades to DoH automatically when the configured DNS server supports it — so pointing a client at 8.8.8.8 or dns.google also takes its lookups off port 53
- Free community-maintained lists (variable quality, manual update)
- Commercial subscription databases (higher coverage, automated updates)