Turning openvpn connection into a socks5 proxy

How to customize and extend your OpenVPN installation.

markx
OpenVpn Newbie
Posts: 3
Joined: Fri Nov 07, 2014 7:15 am

Turning openvpn connection into a socks5 proxy

Post by markx » Fri Nov 07, 2014 7:28 am

I am trying to turn an OpenVPN connection that runs on a dedicated server (CentOS 6.5 x86_64) into a SOCKS5 proxy so I can use it anywhere by just connecting to IP:PORT, without having to run anything locally.

First I tested ssh -vvv -g -D 12321 -N localhost on the server; then from my home computer I can run curl --socks5 {SERVER_IP}:12321 http://icanhazip.com and it returns the server IP, so that works fine. What I want now is for that to return the IP of the OpenVPN connection running on the server. This is what I tried:

On the server, I ran openvpn myconf.conf; this is myconf.conf:

Code:

client
auth-user-pass user.conf
dev tun
resolv-retry infinite
nobind

persist-key
persist-tun
ns-cert-type server
verb 3
;mute 20
route-metric 1

ca ./ca.crt
cert ./user.crt
key ./user.key

proto tcp
script-security 3
remote-random
route-nopull
remote {IP1} 443
remote {IP2} 443
remote {IP3}

The config file includes the route-nopull option so it won't mess with the normal server network. Then I add the routes with this:

Code:

ip route add default via 10.200.1.174 dev tun0 table 944;
ip rule add from 10.200.1.174 table 944;
ip rule add fwmark 944 table 944;
ip route flush cache;

10.200.1.174 is the IP assigned to the tun0 interface when running the OpenVPN client. Now when I try curl --interface tun0 http://icanhazip.com I get the OpenVPN IP, so OpenVPN is working too.

Now I need to make the ssh SOCKS5 traffic go out through the tun0 interface. The only way I could think of for marking the packets is to run ssh as another user I created just for that, so after adduser vpn1, I run:

Code:

su vpn1 -c "ssh -vvv -g -D 12321 -N localhost"

Then I added these iptables rules:

Code:

iptables -t mangle -A OUTPUT -m owner --uid-owner vpn1 -j MARK --set-mark 944;
iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source 10.200.1.174;
iptables -A INPUT -p tcp --dport 12321 -j ACCEPT;

And this, because without it it doesn't seem to work:

Code:

sysctl -w net/ipv4/ip_forward=1;
sysctl -w net.ipv4.conf.tun0.rp_filter=2;

Now if I run this on the server:
curl -4 --socks5 localhost:12321 http://icanhazip.com
I get the OpenVPN IP; now I want to connect there remotely. (BTW, I had to use -4 because it uses IPv6 otherwise and it won't resolve any domain that way; not too interested in that yet.)

If I run this from my PC:
curl -4 --socks5 {SERVER_IP}:12321 http://icanhazip.com
It hangs for a long time at * Trying {SERVER_IP}... until it shows "Connection timed out". The ssh window (with -vvv) doesn't show anything, but if I run tcpdump -i tun0 -n (on the server) and run the curl command (on my PC) I see this:

Code:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
23:45:39.648394 IP {SERVER_IP}.12321 > {MY_PC_IP}.56581: Flags [S.], seq 3421495562, ack 2835571822, win 14600, options [mss 1460,nop,nop,sackOK], length 0
23:45:41.048416 IP {SERVER_IP}.12321 > {MY_PC_IP}.56581: Flags [S.], seq 3421495562, ack 2835571822, win 14600, options [mss 1460,nop,nop,sackOK], length 0
23:45:42.650234 IP {SERVER_IP}.12321 > {MY_PC_IP}.56581: Flags [S.], seq 3421495562, ack 2835571822, win 14600, options [mss 1460,nop,nop,sackOK], length 0
23:45:43.048411 IP {SERVER_IP}.12321 > {MY_PC_IP}.56581: Flags [S.], seq 3421495562, ack 2835571822, win 14600, options [mss 1460,nop,nop,sackOK], length 0
23:45:48.647415 IP {SERVER_IP}.12321 > {MY_PC_IP}.56581: Flags [S.], seq 3562105292, ack 2835571822, win 14600, options [mss 1460,nop,nop,sackOK], length 0
23:45:49.847414 IP {SERVER_IP}.12321 > {MY_PC_IP}.56581: Flags [S.], seq 3562105292, ack 2835571822, win 14600, options [mss 1460,nop,nop,sackOK], length 0
23:45:51.847400 IP {SERVER_IP}.12321 > {MY_PC_IP}.56581: Flags [S.], seq 3562105292, ack 2835571822, win 14600, options [mss 1460,nop,nop,sackOK], length 0
23:47:12.946012 IP {SERVER_IP}.12321 > {MY_PC_IP}.56699: Flags [S.], seq 2163318591, ack 398005444, win 14600, options [mss 1460,nop,nop,sackOK], length 0
23:47:14.145399 IP {SERVER_IP}.12321 > {MY_PC_IP}.56699: Flags [S.], seq 2163318591, ack 398005444, win 14600, options [mss 1460,nop,nop,sackOK], length 0
23:47:15.947724 IP {SERVER_IP}.12321 > {MY_PC_IP}.56699: Flags [S.], seq 2163318591, ack 398005444, win 14600, options [mss 1460,nop,nop,sackOK], length 0
23:47:16.145408 IP {SERVER_IP}.12321 > {MY_PC_IP}.56699: Flags [S.], seq 2163318591, ack 398005444, win 14600, options [mss 1460,nop,nop,sackOK], length 0
23:47:21.944808 IP {SERVER_IP}.12321 > {MY_PC_IP}.56699: Flags [S.], seq 2303924762, ack 398005444, win 14600, options [mss 1460,nop,nop,sackOK], length 0
23:47:23.344723 IP {SERVER_IP}.12321 > {MY_PC_IP}.56699: Flags [S.], seq 2303924762, ack 398005444, win 14600, options [mss 1460,nop,nop,sackOK], length 0
23:47:25.344396 IP {SERVER_IP}.12321 > {MY_PC_IP}.56699: Flags [S.], seq 2303924762, ack 398005444, win 14600, options [mss 1460,nop,nop,sackOK], length 0
23:48:19.770438 IP 222.186.59.4.x11 > 10.200.1.174.radan-http: Flags [S], seq 689963008, win 16384, options [mss 1367], length 0   <-- I DON'T KNOW WHAT THIS IP (222.186.59.4) IS; IT DOESN'T SEEM TO BE EITHER THE VPN SERVER OR icanhazip.com
23:48:19.770462 IP 10.200.1.174.radan-http > 222.186.59.4.x11: Flags [R.], seq 0, ack 689963009, win 0, length 0
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel

Since curl --socks5... works locally (it also works remotely, but only without the VPN), and tcpdump shows some data when I try to run it remotely, I am guessing I am missing some iptables rules, but I couldn't figure out which ones.

Any ideas?
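A check on the capture above, added here as an example and not part of the thread: it parses tcpdump -n lines taken on tun0 and flags packets that carry the tunnel address as neither source nor destination (in the post's capture, the SYN-ACKs from port 12321 leaving tun0 with the public server address), plus bare SYNs arriving at the tunnel address. The sample capture is constructed, its public addresses are documentation-range placeholders, and Finding and classify_capture are names chosen here.

```python
import re
from dataclasses import dataclass

# A "tcpdump -n" line: "HH:MM:SS.usec IP SRC.PORT > DST.PORT: Flags [..], ...";
# without -nn some ports still print as service names (x11, radan-http).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+): Flags \[(?P<flags>[^\]]+)\]"
)

@dataclass
class Finding:
    ts: str
    kind: str    # "wrong-source" or "inbound-syn"
    flow: str    # "src:sport -> dst:dport"

def classify_capture(lines, tun_addr):
    """Classify packets captured on the tun interface that owns tun_addr.
    A legitimate tun0 packet has tun_addr as source (outbound) or destination
    (inbound); one with neither was generated locally with another source and
    rerouted into the tunnel by the fwmark rule (SNAT rewrites only a
    connection's original direction, so replies keep the public source)."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tcpdump banner, packet counters, blank lines
        p = m.groupdict()
        flow = f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}"
        if tun_addr not in (p["src"], p["dst"]):
            findings.append(Finding(p["ts"], "wrong-source", flow))
        elif p["dst"] == tun_addr and p["flags"] == "S":
            # Bare SYN to the tunnel address: an unsolicited connection attempt
            # that the VPN peer delivered to this host.
            findings.append(Finding(p["ts"], "inbound-syn", flow))
    return findings

# Constructed sample in the thread's tcpdump format: public addresses are from
# the RFC 5737 documentation ranges; 10.200.1.174 is the tun0 address in the post.
SAMPLE_CAPTURE = """\
23:45:39.648394 IP 203.0.113.10.12321 > 198.51.100.7.56581: Flags [S.], seq 3421495562, ack 2835571822, win 14600, length 0
23:45:41.048416 IP 203.0.113.10.12321 > 198.51.100.7.56581: Flags [S.], seq 3421495562, ack 2835571822, win 14600, length 0
23:48:19.770438 IP 192.0.2.99.x11 > 10.200.1.174.radan-http: Flags [S], seq 689963008, win 16384, options [mss 1367], length 0
23:48:19.770462 IP 10.200.1.174.radan-http > 192.0.2.99.x11: Flags [R.], seq 0, ack 689963009, win 0, length 0
"""

if __name__ == "__main__":
    for f in classify_capture(SAMPLE_CAPTURE.splitlines(), "10.200.1.174"):
        print(f.ts, f.kind, f.flow)
```

Run it against a real tcpdump -i tun0 -n capture saved to a file to see which packets are leaving the tunnel with the wrong source.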
