VPN Tunnelling through HTTP Proxy
Situation
I live at a college at
To get around this, I send my traffic through a VPN to a remote host, with the VPN connection itself tunnelled through the HTTP proxy.
There are a few things you should be aware of before you do this:
- You'll need software to tunnel the VPN through the proxy.
- The VPN software must run at Layer 4, using a TCP connection. As such, PPTP is unsuitable, as is IPSec.
- You'll need to fiddle with the static routes on your computer so that DNS and proxy traffic go through your normal default route, while all other traffic goes through the VPN.
- Set up NAT on the remote host so you can access remote sites through it.
The Solution - Selection of Tools
In order to tunnel the VPN, I used HTTP Tunnel. This software has both Windows and Unix clients and servers, and will allow you to tunnel arbitrary connections through an HTTP proxy, with support for proxy HTTP authentication.
OpenVPN is an Open Source VPN solution, with clients and servers for both Windows and Linux. It can run over a single TCP connection, which allows us to tunnel it through the proxy.
Update: I received word from an anonymous source that OpenVPN can now perform tunnelling through the HTTP proxy for you. The relevant config lines for OpenVPN you should look at are:
port 443
proto tcp-client
http-proxy proxyserver 8080
http-proxy-retry
http-proxy-option AGENT Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-GB;+rv:1.7.6)+Gecko/20050226+Firefox/1.0.1
The Solution - On the Server
Ensure Universal TUN support is built into the kernel.
Install OpenVPN.
Run OpenVPN, first instantiating a daemon without encryption. Once you get this working, work your way up to using RSA encryption, or stick with a static key.
Assuming you will use the IP addresses 10.0.0.1 for the server and 10.0.0.2 for the client on the VPN, this command will start an OpenVPN daemon instance:
openvpn --proto tcp-server --port 5000 --dev tun1 --ifconfig 10.0.0.1 10.0.0.2 --verb 8
Run HTTP Tunnel on the server (the "hts" daemon) so that it listens on a port and forwards connections to the VPN daemon (by default this should be 127.0.0.1:5000). I used port 81, as the proxy will allow connections to ports 79, 80, 81, etc.
The command to do this looks like:
hts -F localhost:5000 81
The Solution - On the Client
Run HTTP Tunnel on the client (the "htc" client) so that it listens on a local port and forwards connections, via the proxy, to the hts daemon on the server.
htc -P proxyhost:proxyport -A "username:password" -F 5000 htshost:htsport
Install OpenVPN.
Run OpenVPN, first instantiating a client without encryption that connects to the local htc process. Assuming you will use the IP addresses 10.0.0.1 for the server and 10.0.0.2 for the client on the VPN, this command will start an OpenVPN client instance (the port is given explicitly so it matches the 5000 that htc listens on, regardless of your OpenVPN version's default):
openvpn --proto tcp-client --dev tun1 --ifconfig 10.0.0.2 10.0.0.1 --verb 8 --remote 127.0.0.1 5000
The Solution - Testing VPN Connection
With some luck, when you ping the server from the client over the VPN, you should see replies:
ping 10.0.0.1
If you get a reply, you should now look into using encryption for the VPN.
Routing and NAT
There are many HOWTOs available for setting up NAT. As such, it isn't covered here.
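The client-side static routes from the first list above, written out for a Linux client as an added example (this is not part of the original post): it pins the proxy and DNS servers to the physical gateway and then sends everything else into the tunnel. The VPN peer 10.0.0.1 and device tun1 are the article's own values; the physical gateway, device, and proxy/DNS addresses are placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the original post: a Linux client helper for the
# static-route step the article mentions. It pins the proxy and the DNS
# servers to the physical gateway and sends everything else into the tunnel.
# The gateway, device and host addresses are assumptions supplied by the caller.
#
# Usage: plan_routes PHYS_GW PHYS_DEV VPN_PEER TUN_DEV HOST [HOST...]
# Prints one "ip route" command per line (dry run); pipe into sh to apply.
plan_routes() {
    if [ $# -lt 5 ]; then
        echo "usage: plan_routes PHYS_GW PHYS_DEV VPN_PEER TUN_DEV HOST..." >&2
        echo "at least one pinned host (the proxy) is required, or the tunnel" >&2
        echo "would be routed into itself and collapse" >&2
        return 1
    fi
    gw=$1 dev=$2 peer=$3 tun=$4
    shift 4
    # Pinned hosts go in first. HOST must be an IP address (resolve the proxy
    # name before the routes change); the proxy carries the tunnel's own TCP
    # stream, and the resolvers are reached directly, so both must stay on
    # the physical path.
    for h in "$@"; do
        echo "ip route add $h/32 via $gw dev $dev"
    done
    # Two /1 routes are more specific than the existing default route, so they
    # take over without deleting it (the same trick OpenVPN's
    # "redirect-gateway def1" uses); deleting them restores the old default.
    echo "ip route add 0.0.0.0/1 via $peer dev $tun"
    echo "ip route add 128.0.0.0/1 via $peer dev $tun"
}

# Same arguments; prints the commands that undo plan_routes, tunnel routes first.
undo_routes() {
    plan_routes "$@" | sed 's/^ip route add /ip route del /' | sed '1!G;h;$!d'
}

# When run as a script with arguments, print the plan for review.
if [ $# -gt 0 ]; then
    plan_routes "$@"
fi
```

Apply the plan only after the OpenVPN client has brought tun1 up, since the /1 routes reference that device; run the undo plan before tearing the VPN down.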
