Open vpn behind proxy server

kyk0
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 08, 2011 3:31 am

Open vpn behind proxy server

Post by kyk0 » Mon Aug 08, 2011 3:39 am

Hello, I have found this matter in other topics in the forum but I wasn't successful in finding a solution, I apologize if it's been solved already :P

Basically I need to access a remote vpn server, but I am behind a university proxy.

My OpenVPN config is as follows (it works when I access from other networks without a proxy, except that I set it up as UDP not TCP, but the proxy requires TCP):

client
dev tun
proto tcp
remote xxx.xxx.xxx.xxx 1194

resolv-retry infinite
nobind

persist-key
persist-tun

http-proxy-retry
http-proxy www-cache.usyd.edu.au 8080 loginproxy.txt basic

ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
comp-lzo
# Set log file verbosity.
verb 3


Now, the file loginproxy.txt has my username and password as required by the openvpn standard (http://openvpn.net/index.php/open-sourc ... .html#http )

This is the log I get when trying to connect:

2011-08-08 12:44:25 *Tunnelblick: OS X 10.6.8; Tunnelblick 3.1.7 (build 2190.2413); OpenVPN 2.1.4
2011-08-08 12:44:37 *Tunnelblick: Attempting connection with openvpn_proxy; Set nameserver = 0; not monitoring connection
2011-08-08 12:44:37 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start openvpn_proxy.conf 1337 0 0 0 1 49
2011-08-08 12:44:37 OpenVPN 2.1.4 i386-apple-darwin10.7.1 [SSL] [LZO2] [PKCS11] built on Mar 1 2011
2011-08-08 12:44:37 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2011-08-08 12:44:37 Need hold release from management interface, waiting...
2011-08-08 12:44:37 MANAGEMENT: Client connected from 127.0.0.1:1337
2011-08-08 12:44:37 MANAGEMENT: CMD 'pid'
2011-08-08 12:44:37 MANAGEMENT: CMD 'state on'
2011-08-08 12:44:37 MANAGEMENT: CMD 'state'
2011-08-08 12:44:37 MANAGEMENT: CMD 'hold release'
2011-08-08 12:44:37 WARNING: file 'loginproxy.txt' is group or others accessible
2011-08-08 12:44:37 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2011-08-08 12:44:37 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2011-08-08 12:44:37 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
2011-08-08 12:44:37 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-08-08 12:44:37 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-08-08 12:44:37 LZO compression initialized
2011-08-08 12:44:37 Control Channel MTU parms [ L:1544 D:168 EF:68 EB:0 ET:0 EL:0 ]
2011-08-08 12:44:37 Socket Buffers: R=[262140->65536] S=[131070->65536]
2011-08-08 12:44:37 MANAGEMENT: >STATE:1312771477,RESOLVE,,,
2011-08-08 12:44:37 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
2011-08-08 12:44:37 Local Options hash (VER=V4): 'ee93268d'
2011-08-08 12:44:37 Expected Remote Options hash (VER=V4): 'bd577cd1'
2011-08-08 12:44:37 Attempting to establish TCP connection with 129.78.32.209:8080 [nonblock]
2011-08-08 12:44:37 MANAGEMENT: >STATE:1312771477,TCP_CONNECT,,,
2011-08-08 12:44:37 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn --cd /Users/robi/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1337 --config /Users/robi/Library/Application Support/Tunnelblick/Configurations/openvpn_proxy.conf --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Srobi-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sopenvpn_proxy.conf.0_0_0_1_49.1337.openvpn.log --management-query-passwords --management-hold --script-security 2
2011-08-08 12:44:38 TCP connection established with 129.78.32.209:8080
2011-08-08 12:44:38 Send to HTTP proxy: 'CONNECT xxx.xxx.xxx.xxx:1194 HTTP/1.0'
2011-08-08 12:44:38 Attempting Basic Proxy-Authorization
2011-08-08 12:44:43 recv_line: TCP port read timeout expired: Operation now in progress (errno=36)
2011-08-08 12:44:43 TCP/UDP: Closing socket
2011-08-08 12:44:43 SIGTERM[soft,init_instance] received, process exiting
2011-08-08 12:44:43 MANAGEMENT: >STATE:1312771483,EXITING,init_instance,,
2011-08-08 12:44:43 *Tunnelblick: Flushed the DNS cache

I have no idea why I get the TCP port read timeout... Any help would be highly appreciated. :geek:

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Open vpn behind proxy server

Post by Mimiko » Mon Aug 08, 2011 5:24 am

Hello.

The "proto" option in the server and client config files must be the same. Maybe you get a timeout because you changed proto to TCP only on the client.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Open vpn behind proxy server

Post by janjust » Mon Aug 08, 2011 3:08 pm

The messages
2011-08-08 12:44:38 Send to HTTP proxy: 'CONNECT xxx.xxx.xxx.xxx:1194 HTTP/1.0'
2011-08-08 12:44:38 Attempting Basic Proxy-Authorization
2011-08-08 12:44:43 recv_line: TCP port read timeout expired: Operation now in progress (errno=36)
2011-08-08 12:44:43 TCP/UDP: Closing socket
show that the client fails to successfully connect to the HTTP proxy; configure your web browser to use this proxy server, including the username+password, then try to connect to xxx.xxx.xxx.xxx:1194 in your web browser - if that returns gibberish, then your proxy is working. If that times out, your problem is on the proxy server/openvpn server side.
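The browser test janjust suggests can be done more precisely from a script. What follows is an added example written for this page, not OpenVPN's or Tunnelblick's code: it sends the same `CONNECT host:port HTTP/1.0` request with a Basic `Proxy-Authorization` header that the log shows OpenVPN sending, then classifies the proxy's answer so a rejected login (407) can be told apart from a proxy that refuses the target port and from a silent timeout like the poster's five-second `recv_line` expiry. The proxy and target addresses in the `__main__` block are placeholders, the two-line credentials file content is constructed, and `probe.example.net`-style names are assumptions. The log's warning that `loginproxy.txt` is group- or world-readable is worth acting on regardless of the connection problem (`chmod 600 loginproxy.txt`), since that file holds the proxy password in clear text.

```python
"""Probe an HTTP proxy with the CONNECT request OpenVPN's --http-proxy sends,
so a timeout at the proxy can be told apart from a rejected login or a proxy
that refuses the target port.  Added example; not OpenVPN code."""
import base64
import socket
from typing import NamedTuple, Optional, Tuple


class ProxyProbe(NamedTuple):
    verdict: str            # one of the constants below
    status: Optional[int]   # HTTP status code returned by the proxy, if any
    detail: str             # status line or error text, for the reader


TUNNEL_OK = "tunnel-established"     # proxy answered 2xx: CONNECT path works
AUTH_REJECTED = "auth-rejected"      # 407: username/password not accepted
REFUSED = "refused"                  # other status: proxy declined the target
NO_RESPONSE = "no-response"          # nothing usable came back before timeout


def read_openvpn_auth_file(contents: str) -> Tuple[str, str]:
    """Parse the two-line credentials file --http-proxy accepts
    (line 1 username, line 2 password). Content is supplied by the caller."""
    lines = [ln.strip() for ln in contents.splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("auth file needs a username line and a password line")
    return lines[0], lines[1]


def build_connect_request(host: str, port: int,
                          creds: Optional[Tuple[str, str]] = None) -> bytes:
    """Build 'CONNECT host:port HTTP/1.0' plus a Basic Proxy-Authorization
    header when credentials are given (the two steps visible in the log)."""
    lines = [f"CONNECT {host}:{port} HTTP/1.0", f"Host: {host}:{port}"]
    if creds is not None:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_proxy_response(data: bytes) -> Tuple[int, str]:
    """Return (status code, reason phrase) from the proxy's status line."""
    status_line = data.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason


def classify_probe(status: Optional[int]) -> str:
    """Map a proxy status (None = no reply) to one of the verdict constants."""
    if status is None:
        return NO_RESPONSE
    if 200 <= status < 300:
        return TUNNEL_OK
    if status == 407:
        return AUTH_REJECTED
    return REFUSED


def probe_via_proxy(proxy_host: str, proxy_port: int, target_host: str,
                    target_port: int, creds: Optional[Tuple[str, str]] = None,
                    timeout: float = 5.0) -> ProxyProbe:
    """Open a TCP connection to the proxy, send CONNECT and read the reply.
    The 5 s default mirrors the read timeout seen in the poster's log."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(build_connect_request(target_host, target_port, creds))
            buf = b""
            while b"\r\n\r\n" not in buf and len(buf) < 8192:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                buf += chunk
    except socket.timeout:
        return ProxyProbe(NO_RESPONSE, None,
                          "proxy did not answer CONNECT in time; check that "
                          "the target actually accepts TCP on that port")
    except OSError as exc:
        return ProxyProbe(NO_RESPONSE, None, f"could not reach proxy: {exc}")
    if not buf:
        return ProxyProbe(NO_RESPONSE, None, "proxy closed the connection silently")
    try:
        status, reason = parse_proxy_response(buf)
    except ValueError as exc:
        return ProxyProbe(REFUSED, None, str(exc))
    return ProxyProbe(classify_probe(status), status, f"{status} {reason}")


if __name__ == "__main__":
    # Constructed values: proxy and target are placeholders, not the poster's.
    user, pw = read_openvpn_auth_file("alice\ns3cret\n")
    result = probe_via_proxy("proxy.example.net", 8080, "203.0.113.10", 1194,
                             (user, pw), timeout=5.0)
    print(result.verdict, result.detail)
```

A `tunnel-established` verdict means the proxy is willing to tunnel TCP to that host and port; `auth-rejected` means the credentials file is the problem; `no-response` with a correct login, as in the poster's log, points past the proxy at the target, which is exactly the case here since the server turns out to listen on UDP only.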

kyk0
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 08, 2011 3:31 am

Re: Open vpn behind proxy server

Post by kyk0 » Tue Aug 09, 2011 6:56 am

Hello,
first of all thanks for both your replies.

Just to be clear, I am trying to access my OpenVPN server at my home university (in Italy) from my current university (Australia), from within the university internet access, which allows external connections through a proxy.

I tried to access my OpenVPN server via web and I get a timeout. I tried to ping it from the terminal and still get a timeout.
I have the proxy set up properly, as otherwise I wouldn't be able to visit even this forum.

I can test my OpenVPN server access with my phone connection, and I get the same exact behavior with the browser or terminal test (I of course removed the proxy settings).

The connection does work, though (if I do proto udp); here is the log:

2011-08-09 16:49:17 *Tunnelblick: OS X 10.6.8; Tunnelblick 3.1.7 (build 2190.2413); OpenVPN 2.1.4
2011-08-09 16:50:00 *Tunnelblick: Attempting connection with openvpn_noproxy; Set nameserver = 0; not monitoring connection
2011-08-09 16:50:00 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start openvpn_noproxy.conf 1337 0 0 0 1 49
2011-08-09 16:50:00 OpenVPN 2.1.4 i386-apple-darwin10.7.1 [SSL] [LZO2] [PKCS11] built on Mar 1 2011
2011-08-09 16:50:00 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2011-08-09 16:50:00 Need hold release from management interface, waiting...
2011-08-09 16:50:00 MANAGEMENT: Client connected from 127.0.0.1:1337
2011-08-09 16:50:00 MANAGEMENT: CMD 'pid'
2011-08-09 16:50:00 MANAGEMENT: CMD 'state on'
2011-08-09 16:50:00 MANAGEMENT: CMD 'state'
2011-08-09 16:50:00 MANAGEMENT: CMD 'hold release'
2011-08-09 16:50:00 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2011-08-09 16:50:00 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2011-08-09 16:50:00 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
2011-08-09 16:50:00 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-08-09 16:50:00 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-08-09 16:50:00 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
2011-08-09 16:50:00 Socket Buffers: R=[42080->65536] S=[9216->65536]
2011-08-09 16:50:00 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
2011-08-09 16:50:00 Local Options hash (VER=V4): '70f5b3af'
2011-08-09 16:50:00 Expected Remote Options hash (VER=V4): 'a2e2498c'
2011-08-09 16:50:00 UDPv4 link local: [undef]
2011-08-09 16:50:00 UDPv4 link remote: xxx.xxx.xxx.xxx:1194
2011-08-09 16:50:00 MANAGEMENT: >STATE:1312872600,WAIT,,,
2011-08-09 16:50:00 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn --cd /Users/robi/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1337 --config /Users/robi/Library/Application Support/Tunnelblick/Configurations/openvpn_noproxy.conf --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Srobi-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sopenvpn_noproxy.conf.0_0_0_1_49.1337.openvpn.log --management-query-passwords --management-hold --script-security 2
2011-08-09 16:50:01 MANAGEMENT: >STATE:1312872601,AUTH,,,
2011-08-09 16:50:01 TLS: Initial packet from xxx.xxx.xxx.xxx:1194, sid=ae154b72 4c079ba7
2011-08-09 16:50:04 VERIFY OK: depth=1, /C=IT/ST=Emilia-Romagna/L=Bologna/O=Arces/OU=Star/CN=star-fw/emailAddress=mzivieri@arces.unibo.it
2011-08-09 16:50:04 VERIFY OK: depth=0, /C=IT/ST=Emilia-Romagna/L=Bologna/O=Arces/OU=Star/CN=star-fw/emailAddress=mzivieri@arces.unibo.it
2011-08-09 16:50:07 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
2011-08-09 16:50:07 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2011-08-09 16:50:07 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2011-08-09 16:50:07 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-08-09 16:50:07 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2011-08-09 16:50:07 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-08-09 16:50:07 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2011-08-09 16:50:07 [star-fw] Peer Connection Initiated with xxx.xxx.xxx.xxx:1194
2011-08-09 16:50:09 MANAGEMENT: >STATE:1312872609,GET_CONFIG,,,
2011-08-09 16:50:10 SENT CONTROL [star-fw]: 'PUSH_REQUEST' (status=1)
2011-08-09 16:50:11 PUSH: Received control message: 'PUSH_REPLY,route 192.168.212.0 255.255.254.0,dhcp-option DOMAIN star.arces.unibo.it,dhcp-option SEARCH star.arces.unibo.it arces.unibo.it,dhcp-option WINS 192.168.212.3,dhcp-option DNS 137.204.143.11,route 192.168.215.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.215.34 192.168.215.33'
2011-08-09 16:50:11 OPTIONS IMPORT: timers and/or timeouts modified
2011-08-09 16:50:11 OPTIONS IMPORT: --ifconfig/up options modified
2011-08-09 16:50:11 OPTIONS IMPORT: route options modified
2011-08-09 16:50:11 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2011-08-09 16:50:11 ROUTE default_gateway=172.20.10.1
2011-08-09 16:50:11 TUN/TAP device /dev/tun0 opened
2011-08-09 16:50:11 MANAGEMENT: >STATE:1312872611,ASSIGN_IP,,192.168.215.34,
2011-08-09 16:50:11 /sbin/ifconfig tun0 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2011-08-09 16:50:11 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2011-08-09 16:50:11 /sbin/ifconfig tun0 192.168.215.34 192.168.215.33 mtu 1500 netmask 255.255.255.255 up
2011-08-09 16:50:11 MANAGEMENT: >STATE:1312872611,ADD_ROUTES,,,
2011-08-09 16:50:11 /sbin/route add -net 192.168.212.0 192.168.215.33 255.255.254.0
add net 192.168.212.0: gateway 192.168.215.33
2011-08-09 16:50:11 /sbin/route add -net 192.168.215.1 192.168.215.33 255.255.255.255
add net 192.168.215.1: gateway 192.168.215.33
2011-08-09 16:50:11 Initialization Sequence Completed
2011-08-09 16:50:11 MANAGEMENT: >STATE:1312872611,CONNECTED,SUCCESS,192.168.215.34,137.204.213.232
2011-08-09 16:50:11 *Tunnelblick: Flushed the DNS cache

BUT, it fails if I use proto tcp:

2011-08-09 16:53:48 *Tunnelblick: OS X 10.6.8; Tunnelblick 3.1.7 (build 2190.2413); OpenVPN 2.1.4
2011-08-09 16:53:49 *Tunnelblick: Attempting connection with openvpn_noproxy; Set nameserver = 0; not monitoring connection
2011-08-09 16:53:49 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start openvpn_noproxy.conf 1337 0 0 0 1 49
2011-08-09 16:53:49 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn --cd /Users/robi/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1337 --config /Users/robi/Library/Application Support/Tunnelblick/Configurations/openvpn_noproxy.conf --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Srobi-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sopenvpn_noproxy.conf.0_0_0_1_49.1337.openvpn.log --management-query-passwords --management-hold --script-security 2
2011-08-09 16:53:50 OpenVPN 2.1.4 i386-apple-darwin10.7.1 [SSL] [LZO2] [PKCS11] built on Mar 1 2011
2011-08-09 16:53:50 MANAGEMENT: TCP Socket listening on 127.0.0.1:1337
2011-08-09 16:53:50 Need hold release from management interface, waiting...
2011-08-09 16:53:50 MANAGEMENT: Client connected from 127.0.0.1:1337
2011-08-09 16:53:50 MANAGEMENT: CMD 'pid'
2011-08-09 16:53:50 MANAGEMENT: CMD 'state on'
2011-08-09 16:53:50 MANAGEMENT: CMD 'state'
2011-08-09 16:53:50 MANAGEMENT: CMD 'hold release'
2011-08-09 16:53:50 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2011-08-09 16:53:50 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2011-08-09 16:53:50 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
2011-08-09 16:53:50 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-08-09 16:53:50 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2011-08-09 16:53:50 Control Channel MTU parms [ L:1543 D:168 EF:68 EB:0 ET:0 EL:0 ]
2011-08-09 16:53:50 Socket Buffers: R=[262140->65536] S=[131070->65536]
2011-08-09 16:53:50 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
2011-08-09 16:53:50 Local Options hash (VER=V4): 'd8421bb0'
2011-08-09 16:53:50 Expected Remote Options hash (VER=V4): 'c413e92e'
2011-08-09 16:53:50 Attempting to establish TCP connection with 137.204.213.232:1194 [nonblock]
2011-08-09 16:53:50 MANAGEMENT: >STATE:1312872830,TCP_CONNECT,,,
2011-08-09 16:54:00 TCP: connect to 137.204.213.232:1194 failed, will try again in 5 seconds: Operation timed out
2011-08-09 16:54:05 MANAGEMENT: >STATE:1312872845,TCP_CONNECT,,,

So, I guess my OpenVPN server doesn't like the TCP connect; is there any way I can go through the proxy with UDP?

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Open vpn behind proxy server

Post by Mimiko » Tue Aug 09, 2011 7:07 am

Your home OpenVPN server's config has the line:

proto udp

which states that the OpenVPN server will accept connections only over UDP. You cannot mix TCP and UDP on client and server. Both must be UDP or TCP. So, connect from mobile, change the server's configuration to "proto TCP" and use TCP at the client also.

kyk0
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 08, 2011 3:31 am

Re: Open vpn behind proxy server

Post by kyk0 » Tue Aug 09, 2011 7:13 am

Thanks, unluckily I do not have access to the server configuration side :(
It is a shared openvpn server managed by the university system manager. I was wondering if there was any workaround to use UDP + proxy... :geek:

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: Open vpn behind proxy server

Post by Mimiko » Tue Aug 09, 2011 7:42 am

1. Only a SOCKS proxy can forward UDP packets.
2. Not many proxy programs accept UDP. You can't proxy UDP, simply because unlike TCP, UDP is a connectionless protocol. A proxy relies on you making a connection to the proxy server, that proxy server making the request on your behalf, and then returning the data back to you.
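To show concretely what Mimiko's first point means, here is an added example (written for this page, not OpenVPN's code) of the SOCKS5 framing from RFC 1928 that lets a proxy relay UDP at all: the client first asks for a UDP ASSOCIATE over its TCP control connection, the proxy answers with a relay address, and every datagram the client then sends to that relay carries a small header naming the real destination. That per-datagram header is the part an HTTP CONNECT proxy has no equivalent for, since CONNECT only ever opens a single TCP byte stream. The addresses and the two-byte payload in the test are constructed; OpenVPN's own `--socks-proxy` option is the place where a SOCKS5 proxy would be configured, but this code is not taken from it.

```python
"""SOCKS5 (RFC 1928) framing for relaying UDP: the UDP ASSOCIATE request,
its reply, and the header carried on every relayed datagram.
Added example; not OpenVPN's implementation."""
import socket
import struct
from typing import Tuple

SOCKS_VERSION = 0x05
CMD_UDP_ASSOCIATE = 0x03
ATYP_IPV4 = 0x01
REP_SUCCEEDED = 0x00


def build_udp_associate(client_ip: str = "0.0.0.0", client_port: int = 0) -> bytes:
    """Ask the proxy to relay UDP for us; 0.0.0.0:0 means the client does not
    yet know which source address/port it will send from."""
    return (struct.pack("!BBBB", SOCKS_VERSION, CMD_UDP_ASSOCIATE, 0x00, ATYP_IPV4)
            + socket.inet_aton(client_ip) + struct.pack("!H", client_port))


def parse_udp_associate_reply(data: bytes) -> Tuple[str, int]:
    """Return the relay address (BND.ADDR, BND.PORT) the proxy wants our
    UDP datagrams sent to; raise if the proxy refused or answered oddly."""
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VERSION or rep != REP_SUCCEEDED or atyp != ATYP_IPV4:
        raise ValueError(f"UDP ASSOCIATE refused or unsupported reply (rep={rep})")
    bnd_addr = socket.inet_ntoa(data[4:8])
    bnd_port = struct.unpack("!H", data[8:10])[0]
    return bnd_addr, bnd_port


def wrap_udp_datagram(dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Prefix one datagram with the SOCKS5 UDP header (RSV, FRAG, ATYP,
    DST.ADDR, DST.PORT) so the relay knows where this packet should go.
    UDP has no connection state, so every packet must carry this itself."""
    return (struct.pack("!HBB", 0x0000, 0x00, ATYP_IPV4) + socket.inet_aton(dst_ip)
            + struct.pack("!H", dst_port) + payload)


def unwrap_udp_datagram(frame: bytes) -> Tuple[str, int, bytes]:
    """Strip the header from a datagram coming back from the relay;
    returns (source ip, source port, payload)."""
    rsv, frag, atyp = struct.unpack("!HBB", frame[:4])
    if rsv != 0 or atyp != ATYP_IPV4:
        raise ValueError("unexpected SOCKS5 UDP header")
    if frag != 0:
        raise ValueError("fragmented SOCKS5 UDP frames are not handled here")
    src_ip = socket.inet_ntoa(frame[4:8])
    src_port = struct.unpack("!H", frame[8:10])[0]
    return src_ip, src_port, frame[10:]
```

The relay must keep a mapping from the client's source address to the association for as long as the TCP control connection stays open; that bookkeeping is the "connection" a proxy needs and the reason plain HTTP proxies, which only understand CONNECT, cannot carry OpenVPN's UDP traffic.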

kyk0
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 08, 2011 3:31 am

Re: Open vpn behind proxy server

Post by kyk0 » Tue Aug 09, 2011 8:02 am

Thanks. Unluckily I am in the unhappy situation of not being able to control either the proxy or the OpenVPN server.
Hopefully I will get some feedback from my system manager.
Cheers and thanks for the help.
