Connecting via an HTTP proxy with authentication

In the previous recipe, a plain HTTP proxy was used to connect to an OpenVPN server. As a follow-up, in this recipe we will show how an OpenVPN connection can be set up when the HTTP proxy server requires authentication.

The HTTP proxy used in this recipe is a Linux-based Apache httpd server with the mod_proxy module loaded and configured for basic authentication.

Getting ready

We will use the following network layout:

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.12. The client was running Fedora 22 Linux and OpenVPN 2.3.11. Keep the configuration file, example8-9-server.conf, from the Tuning TCP-based connections recipe from Chapter 8, Performance Tuning, as well as the client configuration file, basic-tcp-client.conf, from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks, at hand.

How to do it...

  1. Start the server:
    [root@server]# openvpn --config example8-9-server.conf
    
  2. Set up the HTTP proxy server to support basic authentication. For the Apache httpd server used in this recipe, the following proxy.conf file was used; AllowCONNECT restricts the destination ports the CONNECT method may reach to the OpenVPN port 1194, and the <Proxy *> block requires the user cookbook to authenticate for every proxied request:
            LoadModule proxy_module modules/mod_proxy.so
            LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
            LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
            LoadModule proxy_http_module modules/mod_proxy_http.so
            LoadModule proxy_connect_module modules/mod_proxy_connect.so

            ProxyRequests On
            ProxyVia On
            AllowCONNECT 1194
            KeepAlive on

            <Proxy *>
                Order deny,allow
                Deny from all
                Require user cookbook
                AuthType Basic
                AuthName "Password Required"
                AuthUserFile /etc/httpd/conf/proxy-password
            </Proxy>

  3. Create the proxy-password file using Apache's htpasswd command:
    [root@proxyhost]# cd /etc/httpd/conf
    [root@proxyhost]# htpasswd -c proxy-password cookbook

  4. Add the following lines to the client configuration file, basic-tcp-client.conf; the third argument of http-proxy is the file that holds the proxy credentials:
            verb 5
            http-proxy proxy.example.com 80 /etc/openvpn/cookbook/proxypass

  5. Save the configuration file as example10-7-client.conf.
  6. Create a plain-text file at the path given in the http-proxy line, containing the username on the first line and the password created in step 3 on the second line; for example, by using:
    [client]# echo -e "cookbook\ncookbook" > proxy-password

  7. Start the client and wait for the connection to be established:
    [client]# openvpn --config example10-7-client.conf
    
  8. Next, we take a closer look at the client logfile. If the right username and password are entered, the HTTP proxy grants access to connect to the OpenVPN server and the VPN connection is established:
    Attempting to establish TCP connection with [AF_INET]proxy.example.com:80 [nonblock]
    TCP connection established with [AF_INET]proxy.example.com:80
    Send to HTTP proxy: 'CONNECT openvpnserver.example.com:1194 HTTP/1.0'
    Attempting Basic Proxy-Authorization
    HTTP proxy returned: 'HTTP/1.0 200 Connection Established'
    TCPv4_CLIENT link local: [undef]
    TCPv4_CLIENT link remote: [AF_INET]proxy.example.com:80
    TLS: Initial packet from [AF_INET]proxy.example.com:80, sid=3593eadc c87fb5d4
    VERIFY OK: depth=1, C=US, O=Cookbook 2.4, CN=Cookbook 2.4 CA, [email protected]
    Validating certificate key usage
    ++ Certificate has key usage  00a0, expects 00a0
    VERIFY KU OK
    Validating certificate extended key usage
    ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    VERIFY EKU OK
    VERIFY OK: depth=0, C=US, O=Cookbook 2.4, CN=openvpnserver
    Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key

    As can be seen from the connection log, the OpenVPN client attempts basic proxy authorization when connecting to the HTTP proxy server. If the authentication is successful, the HTTP proxy grants the client access to connect to the OpenVPN server.

How it works...

Similar to the previous recipe, the OpenVPN client first connects to the HTTP proxy host. It authenticates to the HTTP proxy using basic authentication with the username and password supplied in the proxy password file, /etc/openvpn/cookbook/proxypass, and sends an HTTP 'CONNECT' request asking the proxy to connect it to the OpenVPN server. From here on, the OpenVPN connection is set up in the same way as a regular TCP-based setup.
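To make the exchange shown in the log concrete, here is an added example (not from the book and not OpenVPN's or Apache's own code) that builds the CONNECT request with a Basic Proxy-Authorization header from a two-line auth file, and a stand-in for the proxy side that answers with 200 or 407. The stand-in checks credentials against a plain in-memory user table rather than Apache's htpasswd file, an assumption made to keep the example self-contained.

```python
import base64

# Constructed sample of the OpenVPN proxy auth file: username on line 1, password on line 2.
PROXYPASS_FILE = "cookbook\ncookbook\n"
REALM = "Password Required"          # matches the AuthName in proxy.conf


def read_proxy_auth_file(text):
    """Parse an http-proxy auth file: first line username, second line password."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("auth file needs a username line and a password line")
    return lines[0], lines[1]


def build_connect_request(auth_text, vpn_host, vpn_port):
    """Build the CONNECT request the client sends with Basic proxy authorization."""
    user, password = read_proxy_auth_file(auth_text)
    # Basic auth is only base64 of "user:password": reversible, not encrypted.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"CONNECT {vpn_host}:{vpn_port} HTTP/1.0\r\n"
            f"Host: {vpn_host}\r\n"
            f"Proxy-Authorization: Basic {token}\r\n\r\n")


def proxy_handle_connect(request, valid_users, allowed_ports):
    """Stand-in for the proxy: enforce AllowCONNECT and the Basic credentials."""
    head, *headers = request.split("\r\n")
    method, target, _version = head.split(" ")
    port = int(target.rsplit(":", 1)[1])
    if method != "CONNECT" or port not in allowed_ports:   # AllowCONNECT 1194
        return "HTTP/1.0 403 Forbidden"
    creds = None
    for header in headers:
        name, _, value = header.partition(":")
        if name.lower() == "proxy-authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme == "Basic":
                creds = base64.b64decode(token).decode().split(":", 1)
    if creds is None or len(creds) != 2 or valid_users.get(creds[0]) != creds[1]:
        # Missing or wrong credentials: challenge the client, as Apache does.
        return ("HTTP/1.0 407 Proxy Authentication Required\r\n"
                f'Proxy-Authenticate: Basic realm="{REALM}"')
    return "HTTP/1.0 200 Connection Established"


def exchange(auth_text, valid_users):
    """Run one client-to-proxy round trip and return the proxy's status line(s)."""
    req = build_connect_request(auth_text, "openvpnserver.example.com", 1194)
    return proxy_handle_connect(req, valid_users, {1194})


if __name__ == "__main__":
    print(exchange(PROXYPASS_FILE, {"cookbook": "cookbook"}))
```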

There's more...

OpenVPN supports multiple authentication mechanisms when connecting to an HTTP proxy.

NTLM proxy authorization

OpenVPN also supports HTTP proxies that use NTLM proxy authorization, where NTLM stands for NT LAN Manager. Typically, this type of proxy is used in a Microsoft Windows environment. Unfortunately, OpenVPN's implementation of NTLM authorization is rather limited: it does not send out proper NTLMSSP messages and it works only with a very limited set of proxies. To enable support for this type of proxy, add 'http-proxy proxyhost proxyport stdin ntlm' or 'http-proxy proxyhost proxyport stdin ntlm2' to the client configuration, where stdin instructs OpenVPN to prompt for the username and password on the command line.

Authentication methods

OpenVPN also supports HTTP digest authentication, which is more secure than the plain-text basic authentication used in this recipe. You can also specify auto-nct as the authentication method of the http-proxy directive to make OpenVPN reject weak proxy authentication methods.

OpenVPN GUI limitations

The current OpenVPN GUI does not allow you to specify a proxy username or password in the GUI. This was supported in older versions of the Windows OpenVPN GUI application. As this feature was not widely used, it was removed during the rewrite of the GUI.

See also

  • The previous recipe in this chapter, where a connection is established using an HTTP proxy without extra authentication