Connecting via an HTTP proxy

As stated in the previous recipe, it is not possible to directly connect to an OpenVPN server under certain circumstances. In such cases, OpenVPN can connect to an OpenVPN server via an intermediary host known as a proxy. This recipe will outline how to access an OpenVPN server via an HTTP proxy.

The HTTP proxy used in this recipe is a Linux-based Apache httpd server with the mod_proxy module loaded. This module can be configured to allow CONNECT requests. This type of request is needed to connect to secure web servers (HTTPS) as well as to an OpenVPN server. If the CONNECT request is not allowed, then the HTTP proxy cannot be used to set up an OpenVPN connection.

Getting ready

We will use the following network layout:

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.12. The client was running Windows 7 64 bit and OpenVPN 2.3.11. Keep the configuration file, example8-9-server.conf, from the Tuning TCP-based connections recipe from Chapter 8, Performance Tuning, as well as the client configuration file, example8-9.ovpn, from the same recipe.

How to do it...

  1. Start the server:
    [root@server]# openvpn --config example8-9-server.conf
    
  2. Modify the client configuration file, example8-9.ovpn, by adding the lines:
    http-proxy http-proxy-host 80
    verb 4
    

    Here, http-proxy-host is either the name or the IP address of the host running the HTTP proxy software. In this recipe, the HTTP proxy was running on the HTTP default port 80. Save the configuration file as example10-6.ovpn.

  3. Start the client, and then check the connection log.

    The connection log will show that the OpenVPN client first connects to the HTTP proxy host and then sends an HTTP 'CONNECT' request to connect to the OpenVPN server:

    The HTTP proxy host responds with the HTTP code 200 meaning OK, after which the VPN connection is established.

How it works...

An HTTP proxy host acts as an intermediary between the (OpenVPN) client and the server. HTTP proxies can be configured in most web browsers and are often used to gain access through a hotel or a corporate firewall. The client first connects to the HTTP proxy host and then requests a new connection to the actual endpoint using the HTTP 'CONNECT' request. If the HTTP proxy host allows the CONNECT request, the HTTP code 200 is returned and the connection to the OpenVPN server is granted. From here on, the OpenVPN connection is set up in a similar fashion to a regular TCP-based setup.
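The CONNECT exchange described above can be modelled in a few lines of Python. This is an added example, not code from the recipe or from OpenVPN itself; it follows generic HTTP CONNECT semantics, and the host name, port 1194 and sample proxy replies are constructed for illustration.

```python
# Added example: a simplified model of the HTTP CONNECT handshake with a proxy.
# Host name, port and the sample replies are constructed values.
SAMPLE_OK = b"HTTP/1.0 200 Connection Established\r\n\r\n"
SAMPLE_DENIED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
SAMPLE_AUTH = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
               b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')


def build_connect_request(host, port, version="1.0", agent=None):
    """Build a CONNECT request; version and agent play the role of the
    http-proxy-option VERSION and AGENT settings."""
    lines = [f"CONNECT {host}:{port} HTTP/{version}"]
    if version == "1.1":
        lines.append(f"Host: {host}:{port}")  # Host is mandatory in HTTP/1.1
    if agent:
        lines.append(f"User-Agent: {agent}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_proxy_reply(raw):
    """Return (status_code, headers, leftover_bytes) from the proxy's reply."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy reply: no end of headers")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, rest


def tunnel_result(raw):
    """Classify the reply before any VPN traffic is sent through the proxy."""
    code, headers, rest = parse_proxy_reply(raw)
    if 200 <= code < 300:
        return "tunnel-open", rest  # bytes after the headers belong to the tunnel
    if code == 407:
        return "proxy-auth-required:" + headers.get("proxy-authenticate", ""), b""
    return f"refused:{code}", b""
```

A 403 reply corresponds to a proxy that does not allow the CONNECT request; a 407 reply means the proxy requires authentication.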

There's more...

When using an HTTP proxy host to connect to an OpenVPN server, there are a few caveats.

http-proxy options

There are a few options available in OpenVPN to configure the way in which OpenVPN connects with the HTTP proxy host:

  • http-proxy-timeout (n): This sets the timeout when connecting to the HTTP proxy host to (n) seconds. The default value is 5 seconds.
  • http-proxy-option AGENT (string): This sets the HTTP agent to (string) when connecting to the HTTP proxy host. Some proxies allow connections from "well-known" web browsers only.
  • http-proxy-option VERSION 1.1: This sets the HTTP protocol version to 1.1. The default is HTTP/1.0. OpenVPN 2.1 is not fully HTTP/1.1 compliant when connecting to an HTTP proxy host, causing some proxies to refuse access. This is fixed in OpenVPN 2.2.

Dodging firewalls

Please note that OpenVPN makes no attempt to hide itself from a firewall. Modern firewalls that perform the so-called deep-packet inspection can easily detect the type of traffic that OpenVPN is using to connect to the OpenVPN server and can block access based on that.

Performance

Similar to SOCKS proxies, HTTP proxy hosts tend to have an impact on the performance of a VPN setup. Both the bandwidth and the latency are usually affected when proxy hosts are used. This is mostly caused by having to connect to a separate host.

Using the OpenVPN GUI

In Windows, you can also use the OpenVPN GUI application to set up an HTTP proxy server:

See also

  • The previous and next recipes in this chapter deal with connecting via a SOCKS proxy host and connecting via an HTTP proxy with authentication