OpenVPN through an HTTP proxy server

I discovered that OpenVPN supports connections through an HTTP proxy server. This makes it possible to establish a VPN from a completely firewalled network where the only external access is through a proxy server [1]. It takes advantage of the fact that SSL connections are simply tunnelled through the proxy and aren't interfered with like unencrypted connections.

The server setup is almost identical to a normal configuration, except that the tunnel must use TCP instead of UDP (since the proxy server will establish a TCP connection). Since most proxy servers only allow SSL connections to certain ports, you will also need to change the port number that the server listens on. The best choice is 443, since that is used for HTTPS, but if the server is also running a web server on port 443, then 563 is probably the next best choice. This port is assigned to NNTPS, and is allowed by the default Squid configuration. The following two lines enable TCP connections and change the port number.

proto tcp-server
port 563

The client configuration is also very similar. It simply needs to enable TCP connections, set the correct port number, and specify the proxy server.

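# vpn.example.com and proxy.example.com are placeholders; use your own server and proxy names
remote vpn.example.com 563
http-proxy proxy.example.com 8080
proto tcp-client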

OpenVPN can also authenticate to the proxy server using either Basic or NTLM authentication. To enable this, add "stdin basic" or "stdin ntlm" to the end of the http-proxy line. This will prompt for the username and password when the VPN is started. For more details, see the OpenVPN documentation.
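From the proxy administrator's side, a tunnel like this shows up as a CONNECT entry in the proxy log. The following is an added example, not part of the original post: it scans Squid's native access.log format for established CONNECT tunnels that use a non-web port such as 563, stay open a long time, or carry a lot of data. The thresholds, function names and sample log lines are assumptions constructed for illustration.

```python
from collections import namedtuple

Tunnel = namedtuple("Tunnel", "client dest port seconds bytes reasons")
WEB_PORTS = {443}            # CONNECT ports expected for ordinary HTTPS
MAX_SECONDS = 1800           # assumed threshold: tunnel open longer than 30 min
MAX_BYTES = 50 * 1024 ** 2   # assumed threshold: more than 50 MiB in one tunnel

def parse_connect(line):
    """Return (client, host, port, seconds, bytes) for an established CONNECT."""
    f = line.split()
    # Native format: time elapsed_ms client code/status bytes method URL ...
    if len(f) < 7 or f[5] != "CONNECT":
        return None
    if f[3].rsplit("/", 1)[-1] != "200":   # denied or failed: no tunnel was built
        return None
    host, _, port = f[6].rpartition(":")   # rpartition copes with [IPv6]:port
    try:
        return f[2], host, int(port), int(f[1]) / 1000.0, int(f[4])
    except ValueError:                     # malformed numeric field
        return None

def suspicious_tunnels(lines):
    """Collect tunnels that trip at least one heuristic, with the reasons."""
    hits = []
    for line in lines:
        rec = parse_connect(line)
        if rec is None:
            continue
        client, host, port, secs, nbytes = rec
        reasons = []
        if port not in WEB_PORTS:
            reasons.append("non-web port")
        if secs > MAX_SECONDS:
            reasons.append("long-lived")
        if nbytes > MAX_BYTES:
            reasons.append("high volume")
        if reasons:
            hits.append(Tunnel(client, host, port, secs, nbytes, reasons))
    return hits

# Constructed sample entries (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
1700000000.123    412 10.0.0.21 TCP_TUNNEL/200 5321 CONNECT www.example.org:443 - HIER_DIRECT/192.0.2.10 -
1700000100.456 7265000 10.0.0.34 TCP_TUNNEL/200 88211934 CONNECT vpn.example.net:563 - HIER_DIRECT/198.51.100.7 -
1700000200.789     95 10.0.0.21 TCP_MISS/200 1842 GET http://www.example.org/ - HIER_DIRECT/192.0.2.10 text/html
1700000300.012      3 10.0.0.40 TCP_DENIED/403 3901 CONNECT host.example.com:22 - HIER_NONE/- text/html
1700000400.345 5400000 10.0.0.52 TCP_TUNNEL/200 20480 CONNECT vpn.example.net:443 - HIER_DIRECT/198.51.100.7 -
""".splitlines()
```

Squid writes the entry when the tunnel closes, so the elapsed field is the tunnel's lifetime. A long-lived tunnel on port 443 is only a triage signal, since legitimate HTTPS sessions can also stay open for a long time.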

  1. I am not commenting on the ethics of this. If you need to resort to this method, you probably shouldn't be doing it. 


I disagree with #1. Networks with proxy-only internet access are very common in public places such as internet cafes, restaurants and universities. For some of us, having unhampered access to protocols other than HTTP is important.

I don't disagree that it's important — that's the whole reason that I set it up. However, if non-HTTP protocols are blocked it's most probably because the Internet provider doesn't want users using those protocols. By bypassing those restrictions you are infringing the access policy of the provider.

Since the actual point of origin ends up being the remote end of the openvpn tunnel (i.e. your home Internet, etc.) this type of setup isn't really a violation of acceptable use policies unless they explicitly prohibit VPN connections (and who doesn't use VPN when connecting from coffee shops, etc?).
