It appears that one of the test I was doing is not correct so it can yield some hint to the problem. "-k reconfigure" didn't take effect when I made the change. So for the browser with direct proxy setting. I am able to browse correctly if not using "intercept" (ie: using SQUID server's public IP directly). Everything else is still the same as described above. So there are two issues that I can observe. 1) why intercept mode fails (do I need any special rule on my remote SQUID box?) with access denied for all requests 2) in non-intercept mode why VPN client would have the missing hostname in the request.