OpenVPN through an HTTP proxy server

I discovered that OpenVPN supports connections through an HTTP proxy server. This makes it possible to establish a VPN from a completely firewalled network where the only external access is through a proxy server [1]. It takes advantage of the fact that SSL connections are simply tunnelled through the server and aren't interfered with like unencrypted connections.

The server setup is almost identical to a normal configuration, except that the tunnel must use TCP instead of UDP (since the proxy server will establish a TCP connection). Since most proxy servers only allow SSL connections to certain ports, you will also need to change the port number that the server listens on. The best choice is 443, since that is the HTTPS port, but if the server is also running a web server on port 443, then 563 is probably the next best choice. This port is assigned to NNTPS and is allowed by the default Squid configuration. The following two lines enable TCP connections and change the port number.

proto tcp-server
port 563

The client configuration is also very similar. It simply needs to enable TCP connections, set the correct port number, and specify the proxy server.

# VPN server to reach through the proxy (placeholder hostname)
remote <vpn-server-hostname> 563
# HTTP proxy that will open the TCP connection for us (placeholder hostname)
http-proxy <proxy-hostname> 8080
proto tcp-client

OpenVPN can also authenticate to the proxy server using either Basic or NTLM authentication. To enable this add "stdin basic" or "stdin ntlm" to the http-proxy line. This will prompt for the username and password when the VPN is started. For more details see the OpenVPN documentation.
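The proxy hop described above is an ordinary HTTP CONNECT exchange: the client asks the proxy to open a TCP connection to the VPN server's port, and after a 200 reply the proxy relays bytes without looking at them. The following Python is an added illustration, not code from the original post or from OpenVPN itself; it builds the CONNECT request (with the header used for Basic proxy authentication), parses the proxy's reply, and wires the two together. Hostnames, credentials and the sample replies are constructed.

```python
import base64
import socket
from typing import Dict, Optional, Tuple

def build_connect_request(host: str, port: int, user: Optional[str] = None,
                          password: str = "") -> bytes:
    """CONNECT request asking the proxy for a raw TCP tunnel to host:port;
    a user name adds the header used for Basic proxy authentication."""
    lines = [f"CONNECT {host}:{port} HTTP/1.0", f"Host: {host}:{port}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def parse_connect_response(data: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers) from the proxy's reply; 200 means every
    later byte passes through untouched, so the OpenVPN TCP session survives."""
    head = data.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def open_tunnel(proxy: Tuple[str, int], target: Tuple[str, int],
                user: Optional[str] = None, password: str = "") -> socket.socket:
    """Connect to the proxy, request the tunnel and return the open socket."""
    sock = socket.create_connection(proxy, timeout=10)
    sock.sendall(build_connect_request(*target, user, password))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection during CONNECT")
        reply += chunk
    code, headers = parse_connect_response(reply)
    if code != 200:  # e.g. 407 when the proxy wants credentials first
        sock.close()
        raise ConnectionError(f"proxy refused tunnel: {code} {headers}")
    return sock

# Constructed sample replies (not captured from a real proxy).
SAMPLE_407 = (b"HTTP/1.0 407 Proxy Authentication Required\r\n"
              b'Proxy-Authenticate: Basic realm="Squid proxy"\r\n\r\n')
SAMPLE_200 = b"HTTP/1.0 200 Connection established\r\n\r\n"
```

A proxy that restricts CONNECT to its SSL port list (as Squid does by default) answers the first request with a refusal rather than a 200, which is the failure the port choice above avoids.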

[1] I am not commenting on the ethics of this. If you need to resort to this method, you probably shouldn't be doing it.

I disagree with #1. Networks with proxy-only internet access are very common in public places such as internet cafes, restaurants and universities. For some of us, having unhampered access to protocols other than HTTP is important.

I don't disagree that it's important — that's the whole reason that I set it up. However, if non-HTTP protocols are blocked it's most probably because the Internet provider doesn't want users using those protocols. By bypassing those restrictions you are infringing the access policy of the provider.

Since the actual point of origin ends up being the remote end of the openvpn tunnel (i.e. your home Internet, etc.) this type of setup isn't really a violation of acceptable use policies unless they explicitly prohibit VPN connections (and who doesn't use VPN when connecting from coffee shops, etc?).