In the previous recipe, a plain HTTP proxy was used to connect to an OpenVPN server. As a follow-up, in this recipe we will show how an OpenVPN connection can be set up when the HTTP proxy server requires authentication.
The HTTP proxy used in this recipe is a Linux-based Apache httpd
server with the mod_proxy
module loaded and configured for basic authentication.
We will use the following network layout:
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.12. The client was running Fedora 22 Linux and OpenVPN 2.3.11. Keep the configuration file example8-9-server.conf from the Tuning TCP-based connections recipe in Chapter 8, Performance Tuning, as well as the client configuration file basic-tcp-client.conf from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks, at hand.
[root@server]# openvpn --config example8-9-server.conf
On the Apache httpd server used in this recipe, the following proxy.conf file was used:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
ProxyRequests On
ProxyVia On
AllowCONNECT 1194
KeepAlive on
<Proxy *>
    Order deny,allow
    Deny from all
    Require user cookbook
    AuthType Basic
    AuthName "Password Required"
    AuthUserFile /etc/httpd/conf/proxy-password
</Proxy>
Create the proxy-password file using Apache's htpasswd command (the -c flag creates the file, and htpasswd prompts for the password of the user cookbook):
[root@proxyhost]# cd /etc/httpd/conf
[root@proxyhost]# htpasswd -c proxy-password cookbook
Add the following lines to the client configuration file basic-tcp-client.conf:
verb 5
http-proxy proxy.example.com 80 /etc/openvpn/cookbook/proxypass
Save it as example10-7-client.conf. Then create the proxy password file, which holds the username on the first line and the password on the second line:
[client]# echo -e "cookbook\ncookbook" > proxy-password
[client]# openvpn --config example10-7-client.conf
Attempting to establish TCP connection with [AF_INET]proxy.example.com:80 [nonblock]
TCP connection established with [AF_INET]proxy.example.com:80
Send to HTTP proxy: 'CONNECT openvpnserver.example.com:1194 HTTP/1.0'
Attempting Basic Proxy-Authorization
HTTP proxy returned: 'HTTP/1.0 200 Connection Established'
TCPv4_CLIENT link local: [undef]
TCPv4_CLIENT link remote: [AF_INET]proxy.example.com:80
TLS: Initial packet from [AF_INET]proxy.example.com:80, sid=3593eadc c87fb5d4
VERIFY OK: depth=1, C=US, O=Cookbook 2.4, CN=Cookbook 2.4 CA, [email protected]
Validating certificate key usage
++ Certificate has key usage 00a0, expects 00a0
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, C=US, O=Cookbook 2.4, CN=openvpnserver
Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
As can be seen from the connection log, the OpenVPN client attempts basic proxy authorization when connecting to the HTTP proxy server. If the authentication is successful, the HTTP proxy grants the client access to connect to the OpenVPN server.
Similar to the previous recipe, the OpenVPN client first connects to the HTTP proxy host. It attempts to authenticate to the HTTP proxy using basic authentication, with the username and password supplied in the proxy password file, /etc/openvpn/cookbook/proxypass. After successful authentication, the client sends an HTTP 'CONNECT' request to connect to the OpenVPN server. From here on, the OpenVPN connection is set up in the same fashion as a regular TCP-based setup.
OpenVPN supports multiple authentication mechanisms when connecting to an HTTP proxy.
OpenVPN also supports HTTP proxies that use NTLM proxy authorization, where NTLM stands for NT LAN Manager. Typically, this type of proxy is used in a Microsoft Windows environment. Unfortunately, OpenVPN's implementation of NTLM authorization is rather limited: it does not send out proper NTLMSSP messages and it works only with a very limited set of proxies. To enable support for this type of proxy, add http-proxy proxyhost proxyport stdin ntlm or http-proxy proxyhost proxyport stdin ntlm2, where stdin instructs OpenVPN to query the username and password on the command prompt.
OpenVPN also supports HTTP digest authentication, which is more secure than the plain-text authentication outlined in this recipe. You can also use the option auto-nct with the http-proxy authentication directive to reject weak proxy authentication methods.
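As an added example (not code from the book or from OpenVPN), the following Python models the CONNECT exchange described in this recipe against a constructed stand-in for the Apache proxy: it reads an OpenVPN-style two-line proxy auth file, answers the proxy's 407 Basic challenge the way OpenVPN's "auto" auth mode does, and shows the kind of policy auto-nct enforces by refusing to send credentials when the proxy offers only Basic or NTLM. The names fake_proxy, connect_via_proxy and AUTH_FILE are the example's own.

```python
import base64

def split_http_head(raw):
    """Split an HTTP head into (start line, {lowercased header: value})."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0], headers

def read_proxy_auth_file(text):
    """OpenVPN proxy auth file: username on line 1, password on line 2 (ValueError if short)."""
    user, pw = (line.strip() for line in text.splitlines()[:2])
    return user, pw

def build_connect_request(host, port, user=None, password=None):
    """The HTTP/1.0 CONNECT the client sends; Basic auth is only base64(user:pass)."""
    req = f"CONNECT {host}:{port} HTTP/1.0\r\n"
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req += f"Proxy-Authorization: Basic {token}\r\n"
    return (req + "\r\n").encode()

def fake_proxy(raw, valid_user, valid_pw):
    """Constructed stand-in for the Apache proxy: 407 until valid Basic credentials arrive."""
    _, headers = split_http_head(raw)
    expected = "Basic " + base64.b64encode(f"{valid_user}:{valid_pw}".encode()).decode()
    if headers.get("proxy-authorization") != expected:
        return (b"HTTP/1.0 407 Proxy Authentication Required\r\n"
                b'Proxy-Authenticate: Basic realm="Password Required"\r\n\r\n')
    return b"HTTP/1.0 200 Connection Established\r\n\r\n"

def connect_via_proxy(proxy, host, port, auth_text, no_clear_text=False):
    """'auto'-style handshake: send CONNECT, read the 407 challenge, answer it; no_clear_text mirrors auto-nct."""
    status, headers = split_http_head(proxy(build_connect_request(host, port)))
    code = status.split(" ", 2)[1]
    if code != "407":
        return "open" if code == "200" else "refused:" + code
    method = headers.get("proxy-authenticate", "").split(" ", 1)[0].lower()
    if no_clear_text and method in ("basic", "ntlm"):
        return "rejected:" + method          # credentials never leave the client
    if method != "basic":
        return "unsupported:" + method       # digest is not modelled here
    user, pw = read_proxy_auth_file(auth_text)
    status, _ = split_http_head(proxy(build_connect_request(host, port, user, pw)))
    return "open" if status.split(" ", 2)[1] == "200" else "denied"

AUTH_FILE = "cookbook\ncookbook\n"  # constructed: the two-line proxy auth file from the recipe
```

Decoding the Proxy-Authorization header with base64 recovers the username and password unchanged, which is why the recipe calls Basic plain-text authentication and why auto-nct exists.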