[Solved] OpenVPN behind the proxy


Post by jodamaster » Fri Feb 24, 2017 3:25 pm

I've had my OpenVPN setup for 3 years and everything worked like a charm. I am using Debian. Recently I think there was an upgrade of the proxy in my dorm, and a few days after that my VPN stopped working. Because all the ports are filtered and 443 is open at the dorm proxy, I've set up my VPN to go through 443, and then I have port forwarding at my server from 443 to 1194. The first thing I tried was to telnet to the proxy server and do a CONNECT to my VPN server, but I got a message that that IP is blocked. After that I tried to ssh to my server and everything went fine, so I concluded (maybe I am wrong) that they've only blocked my IP through port 443. I've opened another port and tried to connect to the server, but the same thing happened again, and that's what is confusing to me. I've searched through /var/log/daemon.log and found this error message:

```
Feb 24 15:38:46 abukva nm-openvpn[2027]: SIGTERM[hard,init_instance] received, process exiting
Feb 24 15:38:43  nm-openvpn[2027]: SIGUSR1[soft,init_instance] received, process restarting
Feb 24 15:38:43  nm-openvpn[2027]: HTTP proxy returned bad status
Feb 24 15:38:43  nm-openvpn[2027]: TCP connection established with [AF_INET]172.16.0.3:8080
Feb 24 15:38:42  nm-openvpn[2027]: Attempting to establish TCP connection with [AF_INET]172.16.0.3:8080 [nonblock]
Feb 24 15:38:42  nm-openvpn[2027]: TCP/UDP: Preserving recently used remote address: [AF_INET]172.16.0.3:8080
```

The third line from the top led me to the conclusion that the problem is with the proxy. I've googled to try to solve the problem and found on one forum a suggestion to use http-proxy-option to mask my request so the proxy lets it through. I've added this to my client config file:

```
http-proxy-option AGENT user-agent Mozilla/7.0+ (compatible; MSIE 4.01; windows NT 5.0)
http-proxy-option VERSION 1.0
```

After I added this there was no more bad status message; now I have this:

```
Feb 24 15:56:54 abukva nm-openvpn[6895]: SIGTERM[hard,init_instance] received, process exiting
Feb 24 15:56:47  nm-openvpn[6895]: SIGUSR1[soft,connection-reset] received, process restarting
Feb 24 15:56:47  nm-openvpn[6895]: Connection reset, restarting [0]
Feb 24 15:56:47  nm-openvpn[6895]: TCP_CLIENT link remote: [AF_INET]172.16.0.3:8080
Feb 24 15:56:47  nm-openvpn[6895]: TCP_CLIENT link local: (not bound)
Feb 24 15:56:45  nm-openvpn[6895]: TCP connection established with [AF_INET]172.16.0.3:8080
Feb 24 15:56:44  nm-openvpn[6895]: Attempting to establish TCP connection with [AF_INET]172.16.0.3:8080 [nonblock]
Feb 24 15:56:44  nm-openvpn[6895]: TCP/UDP: Preserving recently used remote address: [AF_INET]172.16.0.3:8080
```

I had my friend try to connect from his home and everything went well, so that is another pointer to the proxy. Here are my client and server config files.

Client (generated by network manager):

```
id=My VPN
type=vpn
autoconnect=false
ca=~.vpnkeys/ca.crt
cert=~.vpnkeys/client1.crt
cert-pass-flags=1
comp-lzo=yes
connection-type=tls
key=~.vpnkeys/client1.key
port=443
proto-tcp=yes
proxy-port=8080
proxy-server=172.16.0.3
proxy-type=http
http-proxy-option AGENT user-agent Mozilla/7.0+ (compatible; MSIE 4.01; windows NT 5.0)
http-proxy-option VERSION 1.0
remote=MY SERVER IP
service-type=org.freedesktop.NetworkManager.openvpn
no-secret=true
method=auto
addr-gen-mode=stable-privacy
ip6-privacy=0
method=auto
```

Server:

```
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 3
push "redirect-gateway def1 local"
push "dhcp-option DNS DNS IP"
```
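An added triage example (not part of the original post) that reads the two daemon.log excerpts above and names the stage at which each connection attempt failed. The stage labels are names chosen here, and the reading of the second case assumes that OpenVPN logs `TCP_CLIENT link remote` only once the proxy handshake has completed.

```python
import re
from collections import defaultdict

# Lines copied from the daemon.log excerpts in the post (newest first).
FIRST_ATTEMPT = """\
Feb 24 15:38:46 abukva nm-openvpn[2027]: SIGTERM[hard,init_instance] received, process exiting
Feb 24 15:38:43  nm-openvpn[2027]: SIGUSR1[soft,init_instance] received, process restarting
Feb 24 15:38:43  nm-openvpn[2027]: HTTP proxy returned bad status
Feb 24 15:38:43  nm-openvpn[2027]: TCP connection established with [AF_INET]172.16.0.3:8080
"""
SECOND_ATTEMPT = """\
Feb 24 15:56:47  nm-openvpn[6895]: SIGUSR1[soft,connection-reset] received, process restarting
Feb 24 15:56:47  nm-openvpn[6895]: Connection reset, restarting [0]
Feb 24 15:56:47  nm-openvpn[6895]: TCP_CLIENT link remote: [AF_INET]172.16.0.3:8080
Feb 24 15:56:45  nm-openvpn[6895]: TCP connection established with [AF_INET]172.16.0.3:8080
"""

# Syslog prefix; the hostname column is missing on some lines of the excerpt.
LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?:\S+\s+)?nm-openvpn\[(\d+)\]:\s+(.*)$")
PEER = re.compile(r"TCP connection established with \[AF_INET6?\]([\w.:]+)")

def diagnose(log_text):
    """Group nm-openvpn lines by PID and name the stage at which each attempt failed."""
    sessions = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # ignore anything that is not an nm-openvpn line
            sessions[m.group(1)].append(m.group(2))
    report = {}
    for pid, msgs in sessions.items():
        text = "\n".join(msgs)  # order-independent: the excerpt is pasted newest first
        peer = PEER.search(text)
        if "HTTP proxy returned bad status" in text:
            stage = "proxy-refused-connect"        # proxy answered CONNECT with an error status
        elif "Connection reset" in text and "TCP_CLIENT link remote" in text:
            stage = "reset-after-proxy-handshake"  # link came up, then the stream was reset
        elif peer is None:
            stage = "proxy-unreachable"            # no TCP session to the proxy was logged
        else:
            stage = "undetermined"
        report[pid] = {"proxy": peer.group(1) if peer else None, "stage": stage}
    return report

if __name__ == "__main__":
    for pid, result in diagnose(FIRST_ATTEMPT + SECOND_ATTEMPT).items():
        print(pid, result)
```

The two stages call for different follow-up: a refused CONNECT points at the proxy's own access rules, while a reset after the handshake means the CONNECT was accepted and the session was dropped later.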


Re: OpenVPN behind the proxy

Post by TinCanTech » Fri Feb 24, 2017 4:46 pm

jodamaster wrote: I've setup my vpn to go through 443
jodamaster wrote: Server
port 1194
:geek:


Re: OpenVPN behind the proxy

Post by jodamaster » Fri Feb 24, 2017 5:04 pm

jodamaster wrote: Because all the ports are filtered and 443 is open at the dorm proxy, I've set up my VPN to go through 443, and then I have port forwarding at my server from 443 to 1194.


Re: OpenVPN behind the proxy

Post by jodamaster » Sun Feb 26, 2017 11:26 am

I've resolved the problem. As it turns out, my dorm proxy is filtering all the ports except 22. So I tried installing sslh on my server: I changed the ssh port to something else, ran sslh on 22 and let it forward my OpenVPN requests to 1194 on my server. But it seems that the dorm proxy is also doing DPI, so it blocked my OpenVPN requests. In the end I created an SSH tunnel and ran OpenVPN through it. There is a small downgrade in performance, but at least it works now. If anyone else has the same issue, this is how I've set up the tunnel.
