> That line above the headers is showing the problem:
>
> HTTP Client local=<SQUID IP>:3130 remote=<VPN server>:65090 FD 10 flags=1
>
> local= contains the details of www.nba.com server where the request is
> being fetched .... original dst IP:port from the TCP packets.
> remote= contains the client src IP:port from the TCP packets.
>
> Your NAT is still being done at the client end of the connection before
> it reaches the Squid box. This is THE problem. Move the NAT rules.
>
> 1) the client end of the VPN needs to contain the routing and MARK rules
> from section 6.2 of that page.
>
> 2) the VPN tunnel needs to deliver those packets directly onto the Squid
> box, avoiding any problems ECN may cause with routing the packets.
>
> 2a) at this point you should still be able to browse the web without
> problems. However your packets should be going over the VPN without any
> browser or test tool mention of the Squid box IP.
>
> 3) the Squid box needs to contain the REDIRECT rule from section 6.2 on
> that page, and probably the MASQUERADE rule from section 6.3. Squid
> needs the "intercept" http_port option.
>
> 3a) at this point you should still be able to browse the web without
> problems using *identical* tests to those made in (2a) when there was no
> proxy used. However the traffic should be logged in Squid access.log.
>
> <skipping the rest of your Qs because the necessary info is already
> logged in those lines above>
>
> Amos

Thanks for the detailed analysis. So I did some tests and could not resolve the issue.

First of all I moved to using an EC2 instance with VPC, so all my servers are under the same subnet (10.0.1.0/24). That fixes the ip route command issue, but it didn't help.

I went with this guide (http://lartc.org/howto/lartc.cookbook.squid.html) since it's close to what I want in terms of routing and it doesn't involve NAT (I don't have additional NAT in this subnet since it can access the internet directly). This guide is almost the same as the other one (same idea).

Result:

1) before anything I made sure my VPN client can access the internet normally - works

2) apply policy based changes and two things happen:

2a) no port 80 traffic is going to the SQUID server

2b) client can't navigate the internet (I can ping the hostname but the browser can't load the page; tshark shows traffic going to the web site but there is nothing coming back; normally after DNS name resolution the web server talks back to the client).

Rules I used:

iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 80 -j MARK --set-mark 2
echo 202 http >> /etc/iproute2/rt_tables
ip rule add fwmark 2 table http
ip route add default via <SQUID IP> dev eth0 table http
ip route flush cache

All the apps I am using on my phone still seem to work (I assume non port 80 still works fine, great).

Additionally, when I add the word "intercept", my curl - http://<SQUID IP>:3130 www.nba.com always returns access denied (deny all requests).

Thanks a lot

Thanks,
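As an added example (not part of this thread, and not Squid's own code), here is a small Python checker that parses the "HTTP Client local=... remote=..." debug line Amos quotes and applies his reading of it: local= is the original destination of the TCP packets and remote= is the client's source. If local= turns out to be the Squid box's own intercept address, the destination was rewritten before the packet reached Squid, which is the symptom the thread is about. The sample lines, the Squid IP (192.0.2.10) and the port are constructed placeholders, not values from the thread beyond the 3130 port number already shown.

```python
import re
from typing import Optional

# Constructed sample lines in the shape of the Squid debug output quoted in
# the thread; addresses are from RFC 5737 documentation ranges, not real hosts.
SAMPLE_LINES = [
    # Pattern from the thread: local= is the Squid box itself, so a NAT on the
    # client side already rewrote the destination before Squid saw the packet.
    "HTTP Client local=192.0.2.10:3130 remote=198.51.100.7:65090 FD 10 flags=1",
    # Healthy intercept: local= is still the original web server destination.
    "HTTP Client local=203.0.113.25:80 remote=198.51.100.7:51234 FD 11 flags=1",
]

# Assumed placeholder for the Squid box's intercept listener; the thread only
# gives it as <SQUID IP>:3130.
SQUID_IP = "192.0.2.10"
SQUID_PORT = 3130

LINE_RE = re.compile(
    r"HTTP Client local=(?P<lip>[^:\s]+):(?P<lport>\d+)"
    r"\s+remote=(?P<rip>[^:\s]+):(?P<rport>\d+)"
)


def parse_client_line(line: str) -> Optional[dict]:
    """Extract the two endpoints from a 'HTTP Client' debug line.

    Per Amos's explanation: local= is the original destination (dst IP:port of
    the TCP packets) and remote= is the client's source IP:port.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "orig_dst_ip": m.group("lip"),
        "orig_dst_port": int(m.group("lport")),
        "client_ip": m.group("rip"),
        "client_port": int(m.group("rport")),
    }


def diagnose(line: str, squid_ip: str = SQUID_IP, squid_port: int = SQUID_PORT) -> str:
    """Classify a debug line by where the destination rewrite happened."""
    parsed = parse_client_line(line)
    if parsed is None:
        return "unparsed"
    if parsed["orig_dst_ip"] == squid_ip and parsed["orig_dst_port"] == squid_port:
        # Squid sees itself as the destination: a DNAT/REDIRECT ran before the
        # packet reached this box, the real server address is gone, and the
        # "intercept" option cannot recover it. The REDIRECT belongs on the
        # Squid box (section 6.2 of the referenced guide), not on the client.
        return "nat-before-squid"
    # The original server address survived, so interception can work on it.
    return "original-dst-preserved"


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(diagnose(sample), "<-", sample)
```

Run it against lines copied from a `debug_options` trace on the Squid box; any line classified as `nat-before-squid` means the MARK/policy-routing rules on the client are fine but a NAT rule is still rewriting the destination on the client side of the VPN.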