Openvpn Socks Proxy
Routing traffic through OpenVPN using a local SOCKS proxy
OpenVPN can be used with an obfuscation proxy, such as obfsproxy or obfs4, to avoid identification of VPN traffic through deep packet inspection. In this post I explain a connectivity problem that a client-side OpenVPN faces when such a proxy is approached as a local SOCKS proxy by OpenVPN. A solution is provided.

One of the open-source products I like to work with is OpenVPN. It allows network-savvy people to build robust virtual private network connections across the Internet and any other networks that use the TCP/IP protocol. Secured traffic can be limited to site-to-site communication, but an OpenVPN client can also be configured to route all other traffic to other (Internet) servers through the VPN. This is useful if one is in an untrustworthy environment. An example is the use of a wireless network which might be vulnerable to the KRACK attack. Alternatively, one might use a wireless card with 802.1X authentication, and one of the RSA private keys used might be stored in a device vulnerable to ROCA. Or maybe the only available wireless connection is unencrypted. And even if the wireless connection is completely secure, you might not want to trust the man-in-the-middle that connects the other side of it to the Internet. A VPN can provide an (additional) security layer to protect traffic confidentiality and integrity.

Many Internet users possess an Internet connection at home that can be used to host an OpenVPN server. Once server and clients are correctly configured, all they have to do is activate the OpenVPN client with redirect-gateway def1 somewhere in the configuration to secure all traffic from eavesdroppers and other malicious actors. Sometimes this is not enough. Not all offered Internet connections are open to the use of OpenVPN. Network administrators might be tempted to apply deep packet inspection to block secure connections. An obvious client-side symptom is that the connection is lost soon after it is established.
While OpenVPN might protect information confidentiality and integrity, availability can still be negatively affected.

It is possible to host and use an obfuscation proxy to make detection of an OpenVPN connection by deep packet inspection difficult. Such programs include obfsproxy and obfs4. They offer a SOCKS proxy interface to which an OpenVPN client can connect. The result is that the VPN network packets are obfuscated, which makes it harder to identify the connection. For this, OpenVPN's configuration file will contain a line that looks something like socks-proxy 127.0.0.1 6876, where 127.0.0.1 is the localhost address and 6876 is the chosen local port on which the obfuscation proxy is listening. Unfortunately, this introduces a complication when routing all traffic through the OpenVPN connection using redirect-gateway def1. To understand this complication, an example OpenVPN client configuration is required. The following example is based on a client running Linux:

script-security 2
client
socks-proxy 127.0.0.1 6876 # Use a local SOCKS proxy on TCP port 6876
proto tcp-client # Use a TCP connection to the OpenVPN server (through the proxy)
remote # Address of a server hosting an obfuscation proxy and OpenVPN
port 8080 # TCP port of the listening obfuscation proxy server
ca "" # Certificate of the certificate authority
cert "" # Client certificate
key "" # Client private key
ns-cert-type server # Pick one of these lines that
remote-cert-tls server # identifies the server’s certificate
persist-tun # Avoid TUN/TAP re-initialization upon reconnects
dev tun # Use a TUN (OSI layer 3) virtual network device for the VPN
redirect-gateway def1 # Redirect other traffic through the VPN
up /etc/openvpn/update-resolv-conf # Protect DNS requests from
down /etc/openvpn/update-resolv-conf # eavesdropping and manipulation.
It is assumed that the local network used by the client has an IP range of 172.17.1.0/24 with an Internet router on 172.17.1.1, and that the internal OpenVPN network uses the IP range 192.168.50.0/24. The resulting routing table would be as follows:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.50.1    128.0.0.0       UG    0      0        0 tun0   <--
0.0.0.0         172.17.1.1      0.0.0.0         UG    600    0        0 enp0s3
127.0.0.1       172.17.1.1      255.255.255.255 UGH   0      0        0 enp0s3 <--!
128.0.0.0       192.168.50.1    128.0.0.0       UG    0      0        0 tun0   <--
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
172.17.1.0      0.0.0.0         255.255.255.0   U     600    0        0 enp0s3
The routes pointed at by arrows were added by redirect-gateway def1. The problematic route is the one marked with an exclamation mark. According to the OpenVPN man page:

--redirect-gateway flags...
Automatically execute routing commands to cause all outgoing IP traffic to be redirected
over the VPN. This is a client-side option.
This option performs three steps:
(1) Create a static route for the --remote address which forwards to the
pre-existing default gateway. (...)

The configuration specifies remote, yet the value of socks-proxy is used to create this route. This is not described by the man page. The way redirect-gateway def1 behaves makes sense when a remote SOCKS proxy is used: in that situation, the client only connects to the SOCKS proxy using the information provided by the socks-proxy option, after which the proxy takes care of the rest of the transport using the information provided by the remote and port options. Still, this is something that should have been mentioned by the man page, as it prevents further OpenVPN traffic after a connection has been established when a local SOCKS proxy is used.

OpenVPN supports the execution of user scripts at different connection stages, which can be used to create a workaround. The remote option might not be used for routing by OpenVPN when a SOCKS proxy is used, but its value is still available in the $remote_1 environment variable. A small script can be called by OpenVPN to replace the broken functionality of redirect-gateway. This is the new OpenVPN client configuration:

script-security 2
up # Redirect other traffic
down # through the VPN
The only changes are at the bottom of the file, where the redirect-gateway def1 line has been removed and the up and down options have been changed to point at a script. The script file has the following content:

#!/usr/bin/env bash
# Called by OpenVPN as both the up and the down script; $script_type tells which.
if [ "$script_type" == "up" ]; then
    # Host route to the real server ($remote_1) via the pre-existing LAN gateway,
    # which is what redirect-gateway def1 should have created
    route add -host "$remote_1"/32 gw "$route_net_gateway"
    # Two /1 routes that together cover all of IPv4 and beat the old default route
    route add -net 0.0.0.0/1 gw "$route_vpn_gateway"
    route add -net 128.0.0.0/1 gw "$route_vpn_gateway"
    # Only once routing is in place: switch DNS to the servers pushed by the VPN
    /etc/openvpn/update-resolv-conf
elif [ "$script_type" == "down" ]; then
    # Restore the original DNS settings before removing the host route
    /etc/openvpn/update-resolv-conf
    route del -host "$remote_1"/32 gw "$route_net_gateway"
fi
The environment variables used can be found on the OpenVPN man page. Only a single route is deleted after OpenVPN is issued the disconnect command; the other two routes are removed automatically when the TUN interface is taken down. Note that the locations of the update-resolv-conf calls are critical, since non-VPN DNS is required to resolve $remote_1 to an IP address for the routing.

When the OpenVPN connection is created, the routing table will look like this (assuming that the obfuscation proxy and OpenVPN server listen on 213.214.215.1 on the Internet):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.50.1    128.0.0.0       UG    0      0        0 tun0
128.0.0.0       192.168.50.1    128.0.0.0       UG    0      0        0 tun0
213.214.215.1   172.17.1.1      255.255.255.255 UGH   0      0        0 enp0s3
The route at the bottom ensures that the client can continue to communicate with the server after the VPN connection is established. This is also how the routing table would look for a connection that uses redirect-gateway def1 without a SOCKS proxy.
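To make the routing argument of this post concrete, here is an added example (my code, not part of the original post) that models both routing tables shown above with a kernel-style longest-prefix match: the rows are the post's, 172.17.1.1 is the post's assumed LAN router, and the helper names and the restored default/interface rows in the second table are my assumptions.

```python
from ipaddress import ip_address, ip_network

def parse_route(line):
    """Parse one data row of `route -n` output: Destination Gateway Genmask Flags ... Iface."""
    dst, gw, mask, _flags, *_counters, iface = line.split()
    return ip_network(f"{dst}/{mask}"), gw, iface

def load_table(text):
    """Build a table from `route -n` style rows, skipping the column header."""
    rows = [l for l in text.strip().splitlines() if not l.startswith("Destination")]
    return [parse_route(l) for l in rows]

def lookup(table, dst):
    """Longest-prefix match as the kernel's main table does: (gateway, iface) or None."""
    addr = ip_address(dst)
    best = None
    for net, gw, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])

# Constructed from the post's first table (redirect-gateway def1 + socks-proxy 127.0.0.1).
# The /32 that def1 added points at the SOCKS address; loopback is served by the kernel's
# local table anyway, so that row never helps reach the server.
BROKEN = load_table("""
Destination  Gateway       Genmask          Flags Metric Ref Use Iface
0.0.0.0      192.168.50.1  128.0.0.0        UG    0      0   0   tun0
0.0.0.0      172.17.1.1    0.0.0.0          UG    600    0   0   enp0s3
127.0.0.1    172.17.1.1    255.255.255.255  UGH   0      0   0   enp0s3
128.0.0.0    192.168.50.1  128.0.0.0        UG    0      0   0   tun0
192.168.50.0 0.0.0.0       255.255.255.0    U     0      0   0   tun0
172.17.1.0   0.0.0.0       255.255.255.0    U     600    0   0   enp0s3
""")

# Constructed from the post's second table (the up script's /32 for $remote_1), with the
# unchanged default and interface routes from the first table filled back in (assumption).
FIXED = load_table("""
Destination   Gateway       Genmask          Flags Metric Ref Use Iface
0.0.0.0       192.168.50.1  128.0.0.0        UG    0      0   0   tun0
128.0.0.0     192.168.50.1  128.0.0.0        UG    0      0   0   tun0
213.214.215.1 172.17.1.1    255.255.255.255  UGH   0      0   0   enp0s3
0.0.0.0       172.17.1.1    0.0.0.0          UG    600    0   0   enp0s3
192.168.50.0  0.0.0.0       255.255.255.0    U     0      0   0   tun0
172.17.1.0    0.0.0.0       255.255.255.0    U     600    0   0   enp0s3
""")

SERVER = "213.214.215.1"  # obfuscation proxy and OpenVPN server, as assumed in the post

def tunnel_self_routes(table, server=SERVER):
    """True when the already-encapsulated packets to the VPN server would be pushed into
    tun0 again, i.e. the tunnel no longer has a path to its own endpoint."""
    hop = lookup(table, server)
    return hop is not None and hop[1] == "tun0"

if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{name}: server via {lookup(table, SERVER)}, loops={tunnel_self_routes(table)}")
        print(f"{name}: 8.8.8.8 via {lookup(table, '8.8.8.8')}")
```

With the def1 table the encapsulated traffic to the server itself matches 128.0.0.0/1 and is sent into tun0, which is exactly the connection loss the post describes; with the /32 from the up script it leaves via enp0s3 while everything else still goes through the tunnel.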
tunnel openVPN connection <-> proxy SOCKS
willy87
OpenVPN User
Posts: 32 Joined: Tue Apr 26, 2016 8:09 pm
Hi guys! I would like to try to tunnel my OpenVPN connection over an SSH connection to be used as a SOCKS proxy.
I have:
- running on my dedicated VPS
- PuTTY on my Windows work PC as the tunnel (it uses a proxy for surfing the web)
- an iPhone as the client device
I read many tutorials and pages but the issue is not so easy.. Could you help me?
For example I only know that port 443 needs to be used in PuTTY to reach my VPS as SSH tunnel.
So I don't know which port I may use for the OpenVPN protocol..
Can I establish an OpenVPN connection from my iPhone (client) (thanks to the official OpenVPN app) to my dedicated VPS (server) through the PuTTY tunnelling on the work PC?
Thanks guys for helping me in this project!!
Re: tunnel openVPN connection <-> proxy SOCKS
by willy87 » Fri May 13, 2016 9:34 pm
Hi! Thanks pabischoff!
Look here please:
server
port 1194
proto tcp-server
dev tun1
ifconfig 10.4.0.1 10.4.0.2
status
verb 3
ca
cert
key
dh
client
client
remote localhost 1194
port 1194
redirect-gateway def1
ifconfig 10.4.0.2 10.4.0.1
socks-proxy-retry
socks-proxy 127.0.0.1 8080
I receive this error from the log:
option error: remote option not specified..
I tried to modify the socks IP.. the remote IP.. add "client" at the beginning but nothing..
Just for your info, I already set up the PuTTY software on the work PC with a tunnel on port D8080 and the necessary HTTP proxy on 8080 (same port).
I tried with the PC browser and if I set the SOCKS proxy to localhost port 8080 I can surf correctly through the tunnel. So the PuTTY tunnel is working fine.
We just need to set up the connection from the iPhone client (I use OpenVPN Connect) to my dedicated Debian VPS where it is running
Thanks for helping me..
If you have a better idea to surf with my OpenVPN from my iPhone I will be really happy!!!!
by willy87 » Fri May 13, 2016 9:59 pm
EDIT: I write again and now it should be ok.
But I cannot connect because I receive an error regarding localhost.
I also tried to set

socks-proxy-retry
socks-proxy 172.27.153.206 8080

(172.27.153.206 is the work PC IP where the tunnel is)
thanks for helping guyss
log
----- OpenVPN Start -----
OpenVPN core 3.0 ios armv7s thumb2 32-bit
2016-05-13 23:54:05 UNUSED OPTIONS
5 [ifconfig] [10.4.0.2] [10.4.0.1]
6 [socks-proxy-retry]
7 [socks-proxy] [172.27.153.206] [8080]
8 [set] [CLIENT_CERT] [0]
2016-05-13 23:54:05 EVENT: RESOLVE
2016-05-13 23:54:05 Contacting [::1]:1194 via TCP
2016-05-13 23:54:05 EVENT: WAIT
2016-05-13 23:54:05 SetTunnelSocket returned 1
2016-05-13 23:54:05 Transport Error: TCP connect error on ‘localhost:1194’ ([::1]:1194): Connection refused
2016-05-13 23:54:05 Client terminated, restarting in 2…
2016-05-13 23:54:07 EVENT: RECONNECTING
2016-05-13 23:54:07 Contacting 127.0.0.1:1194 via TCP
2016-05-13 23:54:07 EVENT: WAIT
2016-05-13 23:54:07 SetTunnelSocket returned 1
2016-05-13 23:54:07 Transport Error: TCP connect error on 'localhost:1194' (127.0.0.1:1194): Connection refused
2016-05-13 23:54:07 Client terminated, restarting in 2…
2016-05-13 23:54:53 EVENT: DISCONNECTED
2016-05-13 23:54:53 Raw stats on disconnect:
TCP_CONNECT_ERROR: 24
N_RECONNECT: 24
2016-05-13 23:54:53 Performance stats on disconnect:
CPU usage (microseconds): 122549
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0
2016-05-13 23:54:53 ----- OpenVPN Stop -----
pabischoff
OpenVpn Newbie
Posts: 3 Joined: Tue May 10, 2016 5:41 pm
by pabischoff » Mon May 16, 2016 10:47 pm
I could be wrong but I think you need to set your cert, secret, and ca files in your client config the same way as in your server config, and make sure those files are in your config directory:

ca

That might be why it's rejecting the connection. You can also try appending the contents of those files to the end of the client config:
A server log would help.
OpenVPN client as SOCKS 5 server? [closed] – Super User
What you want to do is enable shell access on the OpenVPN server (or any computer on the OpenVPN network, really) and create a shell account for your proxy.
Use ssh -D 127.0.0.1:8080 username on the command line of your client system, where username is the name of the proxy shell account you created, and 8080 is the SOCKS5 port you wish to use on the local machine. ssh should be installed by default on Macs/Linux/BSD or easy to install if it's not, and for Windows you can use PuTTY or Cygwin's ssh to set up a tunnel. I know this doesn't answer the question, but it would be the quickest way to achieve what you want, assuming you can get shell access to a computer over the OpenVPN network.
The other way would be to find a SOCKS5 server which allows you to specify the bind address for outgoing connections.