As stated in the previous recipe, it is not possible to directly connect to an OpenVPN server under certain circumstances. In such cases, OpenVPN can connect to an OpenVPN server via an intermediary host known as a proxy. This recipe will outline how to access an OpenVPN server via an HTTP proxy.
The HTTP proxy used in this recipe is a Linux-based Apache httpd server with the mod_proxy module loaded. This module can be configured to allow CONNECT requests. This type of request is needed to connect to secure web servers (HTTPS) as well as to an OpenVPN server. If the CONNECT request is not allowed, then the HTTP proxy cannot be used to set up an OpenVPN connection.
We will use the following network layout:
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.12. The client was running Windows 7 64 bit and OpenVPN 2.3.11. Keep the configuration file, example8-9-server.conf, from the Tuning TCP-based connections recipe from Chapter 8, Performance Tuning, as well as the client configuration file, example8-9.ovpn, from the same recipe.
[root@server]# openvpn --config example8-9-server.conf
Next, modify the client configuration file, example8-9.ovpn, by adding the lines:
http-proxy http-proxy-host 80
verb 4
Here, http-proxy-host is either the name or the IP address of the host running the HTTP proxy software. In this recipe, the HTTP proxy was running on the HTTP default port 80. Save the configuration file as example10-6.ovpn.
The connection log will show that the OpenVPN client first connects to the HTTP proxy host and then sends an HTTP 'CONNECT' request to connect to the OpenVPN server:
The HTTP proxy host responds with the HTTP code 200, meaning OK, after which the VPN connection is established.
An HTTP proxy host acts as an intermediary between the (OpenVPN) client and the server. HTTP proxies can be configured in most web browsers and are often used to gain access through a hotel or a corporate firewall. The client first connects to the HTTP proxy host and then requests a new connection to the actual endpoint using the HTTP 'CONNECT' request. If the HTTP proxy host allows the CONNECT request, the HTTP code 200 is returned and the connection to the OpenVPN server is granted. From here on, the OpenVPN connection is set up in a similar fashion to a regular TCP-based setup.
When using an HTTP proxy host to connect to an OpenVPN server, there are a few caveats.
There are a few options available in OpenVPN to configure the way in which OpenVPN connects with the HTTP proxy host:
http-proxy-timeout n: This sets the timeout when connecting to the HTTP proxy host to n seconds. The default value is 5 seconds.
http-proxy-option AGENT string: This sets the HTTP agent to string when connecting to the HTTP proxy host. Some proxies allow connections from "well-known" web browsers only.
http-proxy-option VERSION 1.1: This sets the HTTP protocol version to 1.1. The default is HTTP/1.0. OpenVPN 2.1 is not fully HTTP/1.1 compliant when connecting to an HTTP proxy host, causing some proxies to refuse access. This is fixed in OpenVPN 2.2.
Please note that OpenVPN makes no attempt to hide itself from a firewall. Modern firewalls that perform the so-called deep-packet inspection can easily detect the type of traffic that OpenVPN is using to connect to the OpenVPN server and can block access based on that.
Similar to SOCKS proxies, HTTP proxy hosts tend to have an impact on the performance of a VPN setup. Both the bandwidth and the latency are usually affected when proxy hosts are used. This is mostly caused by having to connect to a separate host.