How to establish a VPN connection through a HTTP Proxy

ProggerPete
OpenVpn Newbie
Posts: 8
Joined: Thu Mar 22, 2012 6:30 am

How to establish a VPN connection through a HTTP Proxy

Post by ProggerPete » Thu Mar 22, 2012 6:34 am

I'm trying to connect to a VPN server on my home network from work. The server is running on port 443 and I have verified that I can connect to it from another home PC using my internet IP and port 443.

I'm now trying to connect from work and am having trouble getting it going.

My ovpn file has

client
remote *INTERNETIP* 443
proto tcp

http-proxy *PROXYIP* 80 "C:\\proxyauth.txt" ntlm
...

The proxyauth.txt file looks like

username@domain
password

When I try and connect I get

Attempting to establish TCP connection with *PROXYIP*:80
TCP connection established with *PROXYIP*:80
Send to HTTP proxy: 'CONNECT *INTERNETIP*:443 HTTP/1.0'
Attempting NTLM Proxy-Authorization phase 1
recv_line: TCP port read failed on recv()
TCP/UDP: Closing socket

I've tried to avoid what seems like an auth issue by using CNTLM as a proxy proxy.

http-proxy 127.0.0.1 3228

I've verified this proxy works by making Firefox route its traffic through it.

When I try and connect through it I get

Attempting to establish TCP connection with 127.0.0.1:3228
TCP connection established with 127.0.0.1:3228
Sent to HTTP proxy: 'CONNECT *INTERNETIP*:443 HTTP/1.0'
HTTP proxy returned 'HTTP/1.1 503 Service Unavailable'
HTTP proxy returned bad status
TCP/UDP: Closing socket

Any tips on where I should look next to get this up and running?

Cheers,
Peter

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: How to establish a VPN connection through a HTTP Proxy

Post by maikcat » Thu Mar 22, 2012 12:58 pm

do you know what proxy server is used?

AFAIK ISA has some issues...

Michael.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: How to establish a VPN connection through a HTTP Proxy

Post by janjust » Thu Mar 22, 2012 2:53 pm

the log lines

Sent to HTTP proxy: 'CONNECT *INTERNETIP*:443 HTTP/1.0'
HTTP proxy returned 'HTTP/1.1 503 Service Unavailable'

suggest that the proxy CONNECT method is not configured/allowed on the proxy server itself.

ProggerPete
OpenVpn Newbie
Posts: 8
Joined: Thu Mar 22, 2012 6:30 am

Re: How to establish a VPN connection through a HTTP Proxy

Post by ProggerPete » Fri Mar 23, 2012 12:01 am

Isn't CONNECT required for https? I can definitely browse https web pages.

From the cntlm logs I'd say the proxy is webwasher?

Here are the logs from cntlm when trying to connect with openvpn client and below that successful CONNECT to https website.
Default config file opened successfully
cntlm: Proxy listening on 127.0.0.1:3228
cntlm: Resolving proxy *PROXYIP*...
cntlm: Workstation name used: *HOSTNAME*
cntlm: Using following NTLM hashes: NTLMv2(0) NT(2) LM(0)
cntlm: PID 9684: Cntlm ready, staying in the foreground
cntlm: PID 9684: Connection accepted from 127.0.0.1:1841
Thread processing...

******* Round 1 C: 4, S: 5 *******!
Reading headers...
HEAD: POST http://*LOCALMACHINEIP*:2864/ HTTP/1.1
Content-Length => 472
Content-Type => text/xml
Cache-Control => no-cache
Pragma => no-cache
User-Agent => Java/1.6.0_21
Host => 10.167.12.38:2864
Accept => text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection => keep-alive
NTLM Request:
Domain: *DOMAIN*
Hostname: *HOSTNAME*
Flags: 0xA208B207

Sending auth request...
Content-Type => text/xml
Cache-Control => no-cache
Pragma => no-cache
User-Agent => Java/1.6.0_21
Host => *LOCALMACHINEIP*:2864
Accept => text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection => Keep-Alive
Connection => Keep-Alive
Proxy-Authorization => NTLM TlRMTVNTUAABAAAAB7IIogUABQAoAAAACAAIACAAAABHQlBDMDk4OUE1MDA3
Reading auth response...
HEAD: HTTP/1.1 407 Proxy Authentication Required
Content-Length => 28
Proxy-Authenticate => NTLM TlRMTVNTUAACAAAAAAAAAAAAAAAHsokCuMxb6VB1mRkAAAAAAAAAAAQAAAA4AAAAAAAAAAAAAAAAAAAA
Proxy-Connection => keep-alive
Got 28 too many bytes.
NTLM Challenge:
Challenge: B8CC5BE950759919 (len: 60)
Flags: 0x289B207
TBofs: 56
TBlen: 0
ttype: 0
NTLM Response:
Hostname: '*HOSTNAME*'
Domain: '*DOMAIN*'
Username: '*USERNAME*'
Response: '4E4146CBBF876D72C7EFF0E05E78702C85C8BF5B07194B3B' (24)
Response: 'C5E6F01880CFB12C00000000000000000000000000000000' (24)
Sending headers...
Content-Length => 472
Content-Type => text/xml
Cache-Control => no-cache
Pragma => no-cache
User-Agent => Java/1.6.0_21
Host => *LOCALMACHINEIP*:2864
Accept => text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection => Keep-Alive
Connection => Keep-Alive
Proxy-Authorization => NTLM TlRMTVNTUAADAAAAGAAYAGgAAAAYABgAgAAAAAoACgBAAAAADgAOAEoAAAAQABAAWAAAAAAAAACYAAAAB7KJAkEANQAwADAANwB0AG0AcABjAGEAcAAxAEcAQ
gBQAEMAMAA5ADgAOQDF5vAYgM+xLAAAAAAAAAAAAAAAAAAAAABOQUbLv4dtcsfv8OBeeHAshci/WwcZSzs=
Body included. Lenght: 472
data_send: read 472 of 472 / 472 of 472 (errno = ok)
data_send: wrote 472 of 472
Body sent.

******* Round 2 C: 4, S: 5 *******!
Reading headers...
HEAD: HTTP/1.1 200 OK
Content-Length => 121
Content-Type => text/xml
Proxy-Connection => keep-alive
Server => Apache XML-RPC 1.0
Via => 1.1 webwasher (Webwasher 6.8.7.9396)
Sending headers...
Body included. Lenght: 121
data_send: read 121 of 121 / 121 of 121 (errno = ok)
data_send: wrote 121 of 121
Body sent.

******* Round 1 C: 4, S: 5 *******!
Reading headers...
cntlm: PID 9684: Connection accepted from 127.0.0.1:1869
Thread processing...

******* Round 1 C: 6, S: 7 *******!
Reading headers...
HEAD: CONNECT *OPENVPNSERVERIP*:443 HTTP/1.0
Host => *OPENVPNSERVERIP*
NTLM Request:
Domain: *DOMAIN*
Hostname: *HOSTNAME*
Flags: 0xA208B207

Sending auth request...
Host => *OPENVPNSERVERIP*
Proxy-Connection => Keep-Alive
Proxy-Authorization => NTLM TlRMTVNTUAABAAAAB7IIogUABQAoAAAACAAIACAAAABHQlBDMDk4OUE1MDA3
Reading auth response...
HEAD: HTTP/1.1 407 Proxy Authentication Required
Content-Length => 28
Proxy-Authenticate => NTLM TlRMTVNTUAACAAAAAAAAAAAAAAAHsokCRZD8jlFmcosAAAAAAAAAAAQAAAA4AAAAAAAAAAAAAAAAAAAA
Proxy-Connection => keep-alive
Got 28 too many bytes.
NTLM Challenge:
Challenge: 4590FC8E5166728B (len: 60)
Flags: 0x289B207
TBofs: 56
TBlen: 0
ttype: 0
NTLM Response:
Hostname: '*HOSTNAME*'
Domain: '*DOMAIN*'
Username: '*USERNAME*'
Response: '950E332C01D614D856783DACF2DF7AA6699104C61ECAE95A' (24)
Response: 'B77A64557959A81900000000000000000000000000000000' (24)
Sending headers...
Host => *OPENVPNSERVERIP*
Proxy-Connection => Keep-Alive
Proxy-Authorization => NTLM TlRMTVNTUAADAAAAGAAYAGgAAAAYABgAgAAAAAoACgBAAAAADgAOAEoAAAAQABAAWAAAAAAAAACYAAAAB7KJAkEANQAwADAANwB0AG0AcABjAGEAcAAxAEcAQ
gBQAEMAMAA5ADgAOQC3emRVeVmoGQAAAAAAAAAAAAAAAAAAAACVDjMsAdYU2FZ4Pazy33qmaZEExh7K6Vo=
No body.

******* Round 2 C: 6, S: 7 *******!
Reading headers...
HEAD: HTTP/1.1 503 Service Unavailable
Content-Length => 1041
Content-Type => text/html
Date => Thu, 22 Mar 2012 23:40:12 GMT
Expires => Thu, 22 Mar 2012 23:40:12 GMT
Proxy-Connection => close
Server => squid/2.6.STABLE21
X-Squid-Error => ERR_CONNECT_FAIL 113
Sending headers...
Body included. Lenght: 1041
data_send: read 1041 of 1041 / 1041 of 1041 (errno = ok)
data_send: fds 6:7 warning -999 (connection closed)
Could not send whole body

Thread finished.
Joining thread 268707168; rc: 0

Successful connect from FireFox to forums.openvpn.net

******* Round 1 C: 4, S: 5 *******!
Reading headers...
HEAD: CONNECT forums.openvpn.net:443 HTTP/1.1
User-Agent => Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2) Gecko/20100115 Firefox/3.6 ( .NET CLR 3.5.30729; .NET4.0E)
Proxy-Connection => keep-alive
Host => forums.openvpn.net
NTLM Request:
Domain: *DOMAIN*
Hostname: *HOSTNAME*
Flags: 0xA208B207

Sending auth request...
User-Agent => Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2) Gecko/20100115 Firefox/3.6 ( .NET CLR 3.5.30729; .NET4.0E)
Proxy-Connection => Keep-Alive
Host => forums.openvpn.net
Proxy-Authorization => NTLM TlRMTVNTUAABAAAAB7IIogUABQAoAAAACAAIACAAAABHQlBDMDk4OUE1MDA3
Reading auth response...
HEAD: HTTP/1.1 407 Proxy Authentication Required
Content-Length => 28
Proxy-Authenticate => NTLM TlRMTVNTUAACAAAAAAAAAAAAAAAHsokC2PILSRHUB3gAAAAAAAAAAAQAAAA4AAAAAAAAAAAAAAAAAAAA
Proxy-Connection => keep-alive
Got 28 too many bytes.
NTLM Challenge:
Challenge: D8F20B4911D40778 (len: 60)
Flags: 0x289B207
TBofs: 56
TBlen: 0
ttype: 0
NTLM Response:
Hostname: '*HOSTNAME*'
Domain: '*DOMAIN*'
Username: '*USERNAME*'
Response: '031A28AF0F310C11F06A8FE9EF4DB320988BBE65409975F1' (24)
Response: 'B992DD196CEE256400000000000000000000000000000000' (24)
Sending headers...
User-Agent => Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2) Gecko/20100115 Firefox/3.6 ( .NET CLR 3.5.30729; .NET4.0E)
Proxy-Connection => Keep-Alive
Host => forums.openvpn.net
Proxy-Authorization => NTLM TlRMTVNTUAADAAAAGAAYAGgAAAAYABgAgAAAAAoACgBAAAAADgAOAEoAAAAQABAAWAAAAAAAAACYAAAAB7KJAkEANQAwADAANwB0AG0AcABjAGEAcAAxAEcAQ
gBQAEMAMAA5ADgAOQC5kt0ZbO4lZAAAAAAAAAAAAAAAAAAAAAADGiivDzEMEfBqj+nvTbMgmIu+ZUCZdfE=
No body.

******* Round 2 C: 4, S: 5 *******!
Reading headers...
HEAD: HTTP/1.0 200 Connection established
*************************
CL: (null), C: (null), CT: (null), TE: (null)
Sending headers...
Ok CONNECT response. Tunneling...
tunnel: select cli: 4, srv: 5

ProggerPete
OpenVpn Newbie
Posts: 8
Joined: Thu Mar 22, 2012 6:30 am

Re: How to establish a VPN connection through a HTTP Proxy

Post by ProggerPete » Fri Mar 23, 2012 12:12 am

A hunt for obvious differences between the successful https firefox connection and the unsuccessful openvpn client connection shows that:

1. Firefox passes a domain name, openvpn passes an ip.

I tried using the IP in firefox and it works, so I guess that's not the problem.

2. Firefox uses HTTP/1.1 and openvpn uses HTTP/1.0

Can I tell openvpn to use HTTP/1.1?

3. Firefox specifies a User Agent, openvpn does not.

Tried specifying the firefox useragent string in openvpn. Doesn't help.

4. Firefox specifies Proxy-Connection => keep-alive.

Can I do this in openvpn?

Maybe one of these differences is the cause of my problem?
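
Added example (not part of any post in this thread, and not cntlm or OpenVPN code): a small Python parser for sequential cntlm debug output like the log posted above. It pairs each CONNECT request with the proxy's final status and decodes the X-Squid-Error value; the function names, the abridged sample log and the Linux errno table are assumptions made for this illustration.

```python
import re

# Linux errno numbers (assumption: the Squid host runs Linux; other platforms
# number these differently). Squid appends the errno to ERR_CONNECT_FAIL.
LINUX_ERRNO = {
    101: "ENETUNREACH (network unreachable)",
    110: "ETIMEDOUT (connection timed out)",
    111: "ECONNREFUSED (connection refused)",
    113: "EHOSTUNREACH (no route to host)",
}

REQ = re.compile(r"^HEAD: CONNECT (\S+) HTTP/(\d\.\d)$")
RESP = re.compile(r"^HEAD: HTTP/\d\.\d (\d{3}) ?(.*)$")
HDR = re.compile(r"^([A-Za-z][A-Za-z0-9-]*) => (.*)$")

# Constructed sample: abridged from the kind of cntlm output posted in the
# thread, with NTLM blobs elided and the thread's own placeholders kept.
SAMPLE_LOG = """\
HEAD: CONNECT *OPENVPNSERVERIP*:443 HTTP/1.0
Host => *OPENVPNSERVERIP*
Sending auth request...
Proxy-Authorization => NTLM <type-1 message elided>
Reading auth response...
HEAD: HTTP/1.1 407 Proxy Authentication Required
Content-Length => 28
Proxy-Connection => keep-alive
Sending headers...
Host => *OPENVPNSERVERIP*
Proxy-Authorization => NTLM <type-3 message elided>
Reading headers...
HEAD: HTTP/1.1 503 Service Unavailable
Content-Length => 1041
Proxy-Connection => close
Server => squid/2.6.STABLE21
X-Squid-Error => ERR_CONNECT_FAIL 113
Sending headers...
HEAD: CONNECT forums.openvpn.net:443 HTTP/1.1
Host => forums.openvpn.net
Reading auth response...
HEAD: HTTP/1.1 407 Proxy Authentication Required
Proxy-Connection => keep-alive
Sending headers...
Proxy-Authorization => NTLM <type-3 message elided>
Reading headers...
HEAD: HTTP/1.0 200 Connection established
Ok CONNECT response. Tunneling...
"""


def parse_connects(log_text):
    """Return one dict per CONNECT request in a sequential (non-interleaved) log."""
    exchanges, current, in_response = [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("HEAD: "):
            req, resp = REQ.match(line), RESP.match(line)
            if req:
                current = {"target": req.group(1), "http_version": req.group(2),
                           "statuses": [], "response_headers": {}}
                exchanges.append(current)
                in_response = False
            elif resp and current is not None:
                current["statuses"].append(int(resp.group(1)))
                current["response_headers"] = {}  # keep only the latest response
                in_response = True
            elif not resp:
                current = None  # some other method (e.g. POST): not a tunnel
            continue
        hdr = HDR.match(line)
        if hdr and in_response and current is not None:
            current["response_headers"][hdr.group(1).lower()] = hdr.group(2)
        elif line.startswith(("Sending auth request", "Sending headers")):
            in_response = False  # headers that follow belong to a request
    return exchanges


def diagnose(ex):
    """Turn the final proxy status of one CONNECT exchange into a short finding."""
    if not ex["statuses"]:
        return "no response logged"
    final = ex["statuses"][-1]
    if 200 <= final < 300:
        return "tunnel established"
    if final == 407:
        return "proxy authentication not completed"
    squid = re.match(r"^(ERR_\w+) (\d+)$", ex["response_headers"].get("x-squid-error", ""))
    if squid and squid.group(1) == "ERR_CONNECT_FAIL":
        code = int(squid.group(2))
        reason = LINUX_ERRNO.get(code, "errno %d" % code)
        return "proxy accepted CONNECT but could not reach target: " + reason
    if final == 403:
        return "CONNECT to this target refused by proxy policy"
    return "proxy returned %d" % final


def summarize(log_text):
    """(target, HTTP version, final status, finding) for every CONNECT in the log."""
    return [(ex["target"], ex["http_version"],
             ex["statuses"][-1] if ex["statuses"] else None, diagnose(ex))
            for ex in parse_connects(log_text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

The parser assumes one connection is logged at a time; output from several cntlm threads written at once has to be separated per connection first.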

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: How to establish a VPN connection through a HTTP Proxy

Post by janjust » Fri Mar 23, 2012 10:04 am

> Can I tell openvpn to use HTTP/1.1?

Use

Code: Select all

http-proxy-option VERSION 1.1

> 4. Firefox specifies Proxy-Connection => keep-alive.

If you read your openvpn log carefully I think you'll see that openvpn also does this.

NTLM auth support in openvpn is not as well tested as we'd like; it could be that you're running into a bug there. Can you test it without NTLM auth?

ProggerPete
OpenVpn Newbie
Posts: 8
Joined: Thu Mar 22, 2012 6:30 am

Re: How to establish a VPN connection through a HTTP Proxy

Post by ProggerPete » Fri Mar 23, 2012 11:58 am

Cheers for the input.

I'm trying to side step the ntlm issue by using cntlm as my proxy rather than talking direct to the real proxy. The cntlm proxy does not need authentication.

I'll try the HTTP 1.1 thing on Monday.

ProggerPete
OpenVpn Newbie
Posts: 8
Joined: Thu Mar 22, 2012 6:30 am

Re: How to establish a VPN connection through a HTTP Proxy

Post by ProggerPete » Mon Mar 26, 2012 12:47 am

The 1.1 version hasn't fixed things. However I'm now getting TCP port read timeout expired, which makes me wonder if my vpn can actually be reached from the web.

I can still establish a VPN connection from my local network using the internet ip. However a port check on 443 tells me that 443 is not open. (I used http://www.canyouseeme.org/ for the port check.)

Would you expect this port to be reported as open?

Is there a way I can check that my vpn is accessible from the web without actually carting my pc to someone else's house?

Cheers,
Peter

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: How to establish a VPN connection through a HTTP Proxy

Post by janjust » Mon Mar 26, 2012 7:38 am

a port scan of port 443 should do the trick; alternatively, if you give me the IP address and auth info in private I can test it for you.

ProggerPete
OpenVpn Newbie
Posts: 8
Joined: Thu Mar 22, 2012 6:30 am

Re: How to establish a VPN connection through a HTTP Proxy

Post by ProggerPete » Mon Mar 26, 2012 8:15 am

I thought I'd added another reply after this. The port was not previously open, but now is. I'm getting tantalisingly close. I'm now using http-connect (http://http-tunnel.sourceforge.net/) to create a tunnel from work to my home pc.

Over this tunnel I can see connection attempts in the VPN Server logs. However they all fail the TLS handshake.
Mar 26 00:47:00 ubuntu ovpn-server[6967]: MULTI: multi_create_instance called
Mar 26 00:47:00 ubuntu ovpn-server[6967]: Re-using SSL/TLS context
Mar 26 00:47:00 ubuntu ovpn-server[6967]: LZO compression initialized
Mar 26 00:47:00 ubuntu ovpn-server[6967]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mar 26 00:47:00 ubuntu ovpn-server[6967]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Mar 26 00:47:00 ubuntu ovpn-server[6967]: Local Options hash (VER=V4): 'c0103fa8'
Mar 26 00:47:00 ubuntu ovpn-server[6967]: Expected Remote Options hash (VER=V4): '69109d17'
Mar 26 00:47:00 ubuntu ovpn-server[6967]: TCP connection established with [AF_INET]192.168.1.32:58710
Mar 26 00:47:00 ubuntu ovpn-server[6967]: TCPv4_SERVER link local: [undef]
Mar 26 00:47:00 ubuntu ovpn-server[6967]: TCPv4_SERVER link remote: [AF_INET]192.168.1.32:58710
Mar 26 00:48:00 ubuntu ovpn-server[6967]: 192.168.1.32:58710 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 26 00:48:00 ubuntu ovpn-server[6967]: 192.168.1.32:58710 TLS Error: TLS handshake failed
Mar 26 00:48:00 ubuntu ovpn-server[6967]: 192.168.1.32:58710 Fatal TLS error (check_tls_errors_co), restarting
Mar 26 00:48:00 ubuntu ovpn-server[6967]: 192.168.1.32:58710 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 26 00:48:00 ubuntu ovpn-server[6967]: TCP/UDP: Closing socket
The client logs look pretty much the same.

Any suggestions for what I might try next?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: How to establish a VPN connection through a HTTP Proxy

Post by janjust » Mon Mar 26, 2012 10:14 am

if the connection is very slow, try increasing the TLS handshake timeout using

Code: Select all

--tls-timeout 120

What do you see in the server log when you try to connect?

ProggerPete
OpenVpn Newbie
Posts: 8
Joined: Thu Mar 22, 2012 6:30 am

Re: How to establish a VPN connection through a HTTP Proxy

Post by ProggerPete » Mon Mar 26, 2012 11:57 pm

The logs in the previous post were from the server. Here is the log from the client.
Tue Mar 27 00:49:35 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Tue Mar 27 00:49:41 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 27 00:49:41 2012 LZO compression initialized
Tue Mar 27 00:49:41 2012 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Mar 27 00:49:41 2012 Socket Buffers: R=[8192->8192] S=[64512->64512]
Tue Mar 27 00:49:41 2012 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 27 00:49:41 2012 Local Options hash (VER=V4): '69109d17'
Tue Mar 27 00:49:41 2012 Expected Remote Options hash (VER=V4): 'c0103fa8'
Tue Mar 27 00:49:41 2012 Attempting to establish TCP connection with 127.0.0.1:668
Tue Mar 27 00:49:41 2012 TCP connection established with 127.0.0.1:668
Tue Mar 27 00:49:41 2012 TCPv4_CLIENT link local: [undef]
Tue Mar 27 00:49:41 2012 TCPv4_CLIENT link remote: 127.0.0.1:668
Tue Mar 27 00:50:41 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 27 00:50:41 2012 TLS Error: TLS handshake failed
Tue Mar 27 00:50:41 2012 Fatal TLS error (check_tls_errors_co), restarting
Tue Mar 27 00:50:41 2012 TCP/UDP: Closing socket
It still says 60 seconds in the TLS message despite me adding
tls-timeout 120
--tls-timeout 120
to both server.conf and the client ovpn file.

If the offer still stands I'll send you some login details so you can test. Would be good to be certain that my home end is set up correctly.

Cheers,
Peter

deeds67
OpenVpn Newbie
Posts: 11
Joined: Sat Oct 06, 2012 7:34 pm

Re: How to establish a VPN connection through a HTTP Proxy

Post by deeds67 » Sat Oct 13, 2012 11:31 pm

I'm getting the exact same errors that you did. Did you manage to fix this?

ProggerPete
OpenVpn Newbie
Posts: 8
Joined: Thu Mar 22, 2012 6:30 am

Re: How to establish a VPN connection through a HTTP Proxy

Post by ProggerPete » Sun Oct 14, 2012 10:46 am

Nope, I eventually gave up.

syleishere
OpenVpn Newbie
Posts: 1
Joined: Thu Nov 22, 2012 11:39 am

Re: How to establish a VPN connection through a HTTP Proxy

Post by syleishere » Thu Nov 22, 2012 11:45 am

Seen something similar before. It's not config, I don't think; a TLS handshake message also means the ISP is doing DPI inspection of traffic and dropping the traffic.
One error I did see in your setup is you should have the client connecting to SSL on port 443 so the connection is encrypted to begin with, then you can put openvpn on port 80 or any other port; then it should be harder for them to DPI the packets, as openvpn should be disguised as SSL traffic then. The way you had it, they can easily inspect port 80, see encryption is going on, and drop the traffic.

alta45
OpenVpn Newbie
Posts: 1
Joined: Sun Jun 20, 2021 3:07 pm

Re: How to establish a VPN connection through a HTTP Proxy

Post by alta45 » Sun Jun 20, 2021 3:15 pm

I know this is an old article, but when you search for this error on Google you get to this article first.
I was getting the same "recv_line: TCP port read failed on recv()" error.
After I installed ESET antivirus and updated the antivirus, openvpn connected like magic.
Maybe the issue was the clock.
I am not sure what the real issue was, but I am sure that installing the antivirus and updating it definitely did the trick for me.
