How to connect to OpenVPN via proxy or Tor

Table of contents

1. Specifics of connecting to an OpenVPN server through an HTTP proxy

1.1 Use TCP protocol

1.2 Using a proxy will affect network performance

1.3 Configuring Squid

2. How to check that the connection to OpenVPN is actually going through a proxy

2.1 Client and server logs

2.2 Traffic route

3. How to connect to a OpenVPN server via an HTTP proxy without authentication

4. How to connect to a OpenVPN server via an HTTP proxy with Basic authentication

5. How to connect to a OpenVPN server via an HTTP proxy with NTLM authentication

6. How to connect to a OpenVPN server via an HTTP proxy with Digest authentication

7. How to connect to a OpenVPN server via a SOCKS proxy

8. How to connect to a OpenVPN server via the Tor network

8.1 How to connect to an OpenVPN server via Tor (SOCKS)

8.2 How to connect to the OpenVPN server via Tor (HTTP proxy via Privoxy)

9. How to use VPN in Tails

10. Free VPN with proxy and Tor connection

This article is a list of recipes and tips in one way or another related to connecting to the OpenVPN server through a proxy server. For information on how to create your own OpenVPN network see “How to set up OpenVPN server and clients”. For a collection of various tips for using the OpenVPN network, see “OpenVPN advanced usage examples”.

Specifics of connecting to an OpenVPN server through an HTTP proxy

1) Use TCP protocol

See also:

• How to use OpenVPN with TCP protocol
• Comparison of performance (data transfer rate) of OpenVPN over UDP and TCP

If you plan to connect to OpenVPN via an HTTP/HTTPS proxy, then use TCP instead of UDP, otherwise you will encounter an error:

Options error: --http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)

Even if you add the “--proto tcp-client” option to the command to connect to the OpenVPN server running on UDP, you will successfully connect to the proxy server, but attempts to connect to OpenVPN will fail. Due to an error, the client will constantly try to reconnect to OpenVPN:

2021-11-06 09:41:10 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-11-06 09:41:10 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-11-06 09:41:10 TCP/UDP: Preserving recently used remote address: [AF_INET]157.245.118.66:44220
2021-11-06 09:41:10 Socket Buffers: R=[131072->131072] S=[16384->16384]
2021-11-06 09:41:10 Attempting to establish TCP connection with [AF_INET]157.245.118.66:44220 [nonblock]
2021-11-06 09:41:10 TCP connection established with [AF_INET]157.245.118.66:44220
2021-11-06 09:41:10 Send to HTTP proxy: 'CONNECT 185.117.153.79:5300 HTTP/1.0'
2021-11-06 09:41:10 Send to HTTP proxy: 'Host: 185.117.153.79'
2021-11-06 09:41:10 HTTP proxy returned: 'HTTP/1.1 200 Connection established'
2021-11-06 09:41:12 TCP_CLIENT link local: (not bound)
2021-11-06 09:41:12 TCP_CLIENT link remote: [AF_INET]157.245.118.66:44220
2021-11-06 09:41:13 Connection reset, restarting [0]
2021-11-06 09:41:13 SIGUSR1[soft,connection-reset] received, process restarting
2021-11-06 09:41:13 Restart pause, 5 second(s)
2021-11-06 09:41:18 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-11-06 09:41:18 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-11-06 09:41:18 TCP/UDP: Preserving recently used remote address: [AF_INET]157.245.118.66:44220
2021-11-06 09:41:18 Socket Buffers: R=[131072->131072] S=[16384->16384]
2021-11-06 09:41:18 Attempting to establish TCP connection with [AF_INET]157.245.118.66:44220 [nonblock]
2021-11-06 09:41:18 TCP connection established with [AF_INET]157.245.118.66:44220
2021-11-06 09:41:18 Send to HTTP proxy: 'CONNECT 185.117.153.79:5300 HTTP/1.0'
2021-11-06 09:41:18 Send to HTTP proxy: 'Host: 185.117.153.79'
2021-11-06 09:41:18 HTTP proxy returned: 'HTTP/1.1 200 Connection established'
2021-11-06 09:41:20 TCP_CLIENT link local: (not bound)
2021-11-06 09:41:20 TCP_CLIENT link remote: [AF_INET]157.245.118.66:44220
2021-11-06 09:41:20 Connection reset, restarting [0]
2021-11-06 09:41:20 SIGUSR1[soft,connection-reset] received, process restarting
2021-11-06 09:41:20 Restart pause, 5 second(s)

2) Using a proxy will affect network performance

Using a proxy will decrease the speed of traffic transmission in the OpenVPN network and also increase the ping.

3) Configuring Squid

Configuring a Squid proxy server to work with OpenVPN does not require any special options. For example, to use Squid as a proxy server to connect to OpenVPN without authentication, it is enough to specify the following lines in the configuration file (replace port 44220 with any other):

http_port 44220
acl portA localport 44220
http_access allow portA

Additionally, you can set up Basic or Digest authentication – OpenVPN supports both.

See also: How to create and configure a Squid proxy server

How to check that the connection to OpenVPN is actually going through a proxy

1) Client and server logs

The client and server logs should contain numerous references to the IP and port of the proxy server.

For example, the initial data is as follows:

• Proxy: 157.245.118.66:44220
• OpenVPN server: 185.117.153.79:5300

Example of client log: as you can see, the connection is made with proxy 157.245.118.66:44220; commands are sent to the proxy server containing references to the VPN server 185.117.153.79:5300:

2021-11-06 11:07:25 TCP/UDP: Preserving recently used remote address: [AF_INET]157.245.118.66:44220
2021-11-06 11:07:25 Socket Buffers: R=[131072->131072] S=[16384->16384]
2021-11-06 11:07:25 Attempting to establish TCP connection with [AF_INET]157.245.118.66:44220 [nonblock]
2021-11-06 11:07:26 TCP connection established with [AF_INET]157.245.118.66:44220
2021-11-06 11:07:26 Send to HTTP proxy: 'CONNECT 185.117.153.79:5300 HTTP/1.0'
2021-11-06 11:07:26 Send to HTTP proxy: 'Host: 185.117.153.79'
2021-11-06 11:07:27 HTTP proxy returned: 'HTTP/1.1 200 Connection established'
2021-11-06 11:07:29 TCP_CLIENT link local: (not bound)
2021-11-06 11:07:29 TCP_CLIENT link remote: [AF_INET]157.245.118.66:44220
2021-11-06 11:07:29 TLS: Initial packet from [AF_INET]157.245.118.66:44220, sid=ae11f46a 0d3d585c

The OpenVPN server log says that the connection came from the proxy's IP address:

2021-11-06 11:13:07 us=508241 TCP connection established with [AF_INET]157.245.118.66:47930

2) Traffic route

When using an OpenVPN connection, all routes are redirected through the IP of the OpenVPN server. If the connection is made through a proxy, then in the settings of the user's route, all connections are sent through the IP address of the proxy server.

Command for displaying routes:

ip route

An example of routes with disabled OpenVPN connection:

default via 192.168.1.1 dev wlo1 proto dhcp metric 600
192.168.1.0/24 dev wlo1 proto kernel scope link src 192.168.1.44 metric 600

Let's see the routes on the client machine connected to the OpenVPN server:

ip route

As you can see, the routes mention the IP address 157.245.118.66, which is the address of the proxy server, not the OpenVPN server:

0.0.0.0/1 via 10.8.1.17 dev tun0 
default via 192.168.1.1 dev wlo1 proto dhcp metric 600 
10.8.1.1 via 10.8.1.17 dev tun0 
10.8.1.17 dev tun0 proto kernel scope link src 10.8.1.18 
128.0.0.0/1 via 10.8.1.17 dev tun0 
157.245.118.66 via 192.168.1.1 dev wlo1 
192.168.1.0/24 dev wlo1 proto kernel scope link src 192.168.1.44 metric 600 

See also: Setting up network routes: the choice of connection used for the Internet; simultaneous use of multiple connections for different purposes

How to connect to a OpenVPN server via an HTTP proxy without authentication

To connect to a remote host via HTTP, you must use the --http-proxy option and specify at least two arguments with it: server address and port number.

For example, the command to connect to the OpenVPN server directly looks like this:

sudo openvpn client2.ovpn

It omits the --config option, which points to a configuration file. But when using other options, you must specify --config as the program will not be able to interpret the arguments correctly. Thus, the following command is identical to the previous one:

sudo openvpn --config client2.ovpn

To connect to OpenVPN through a proxy, use a command of the form:

sudo openvpn --config client2.ovpn --http-proxy PROXY-IP PROXY-PORT

Example command to connect to OpenVPN through a proxy (proxy address 157.245.118.66 and port number 44220) without checking the username and password:

sudo openvpn --config client2.ovpn --http-proxy 157.245.118.66 44220

The value of the --http-proxy option can be specified in the .ovpn configuration file, for example, by specifying the following line in the client2.ovpn file:

http-proxy PROXY-IP PROXY-PORT

For example:

http-proxy 157.245.118.66 44220

To connect to OpenVPN through a proxy, you can use the following command – you no longer need to specify proxy parameters in the command line:

sudo openvpn client2.ovpn

How to connect to a OpenVPN server via an HTTP proxy with Basic authentication

For basic authentication (in addition to the required IP address and proxy port in any case), a username and password are required to access the proxy server.

Proxy username and password cannot be specified on the command line. This data must either be placed in a file with two lines:

USERNAME
PASSWORD

For example, the username and password are placed in AUTHENTICATION-FILE.txt, then as the third argument of the --http-proxy option you need to specify the path to this file and the command to connect through the proxy will be something like this:

sudo openvpn --config client2.ovpn --http-proxy PROXY-IP PROXY-PORT AUTHENTICATION-FILE.txt

For example:

sudo openvpn --config client2.ovpn --http-proxy 157.245.118.66 44220 authfile.txt

The username and password for proxy authentication can be placed in the .ovpn file using the following syntax:

<http-proxy-user-pass>
USERNAME
PASSWORD
</http-proxy-user-pass>

The above shows how to add the value of the --http-proxy option to the configuration file, so all the settings for connecting to the proxy can be collected in the .ovpn file as follows:

http-proxy PROXY-IP PROXY-PORT
<http-proxy-user-pass>
USERNAME
PASSWORD
</http-proxy-user-pass>

If you did not specify the AUTHENTICATION-FILE.txt or the <http-proxy-user-pass>…</http-proxy-user-pass> section, you will be prompted for the username and password for connecting to the proxy in the console.

How to connect to a OpenVPN server via an HTTP proxy with NTLM authentication

As the fourth argument to the --http-proxy option, you can specify an authentication method, it can be one of “none”, “basic” or “ntlm”.

For NTLM authentication, specify “ntlm” string, for example:

sudo openvpn --config client2.ovpn --http-proxy 157.245.118.66 44220 authfile.txt ntlm

How to connect to a OpenVPN server via an HTTP proxy with Digest authentication

You may have noticed that there is no option for HTTP Digest authentication, but this kind of authentication is supported. It is enabled using the “auto” or “auto-nct” flags, which should replace the “AUTHENTICATION-FILE” argument. That is, it turns out that the username and password will need to be specified in the .ovpn file or entered manually in the console.

Proxy connection settings with Digest authentication in the .ovpn file:

http-proxy PROXY-IP PROXY-PORT auto
<http-proxy-user-pass>
USERNAME
PASSWORD
</http-proxy-user-pass>

The “auto” flag makes it so that OpenVPN automatically detects the authentication method.

The “auto-nct” flag (meaning no clear-text auth) instructs OpenVPN to automatically detect the authentication method, but reject weak authentication protocols such as HTTP Basic Authentication.

Examples:

• http-proxy proxy.example.net 3128
• http-proxy proxy.example.net 3128 authfile.txt
• http-proxy proxy.example.net 3128 stdin
• http-proxy proxy.example.net 3128 auto basic
• http-proxy proxy.example.net 3128 auto-nct ntlm

How to connect to a OpenVPN server via a SOCKS proxy

To connect to the OpenVPN server through a SOCKS proxy, use the --socks-proxy option. It has one required argument – this is the server. Optionally, you can specify a port (1080 by default) and an authentication file. The authentication file is a file containing the username and password in 2 lines, or “stdin” can be used to query from the console.

How to connect to a OpenVPN server via the Tor network

Since the Tor network uses the SOCKS protocol, one would think that connecting to OpenVPN through the Tor network is just a special case of connecting through a SOCKS proxy, but in practice you need to remember that the Tor network does not transmit UDP traffic. But this is just the beginning.

You cannot use Tor as a proxy for OpenVPN if Tor is running on the same machine from which you are trying to connect to the VPN server. To understand why such a connection is impossible, consider what happens when using a VPN server.

When we connect to a VPN server (without a proxy or Tor), new routes are set on the local computer:

• in the default route, all traffic now goes not to the gateway (router), but to the IP address of the VPN server
• in order not to be locked (it is impossible to get to the IP address of the VPN server without getting on the router), one more route is added: “all traffic for the IP address of the VPN server is now redirected to the router”. That is, an exception is made for the IP address of the VPN server.

If you connect to a VPN through a proxy (for example, through Tor), the following routes are added:

• the first as before – all traffic now goes to the IP address of the VPN server
• and the second is different – exactly the same exception is made, but for the IP address of the proxy server

So, if the proxy server is located on another computer, then it works without problems.

But if the LOOPBACK (localhost) IP address of the proxy server is specified, then the following set of rules is obtained:

• first, as usual – all traffic goes to the IP address of the VPN server
• second – an exception is made for the proxy IP address, but this is 127.0.0.1, that is, localhost.

That is, the system locks itself. Yes, it is possible to connect to a VPN over Tor even if the Tor service is running on the same computer. But immediately after that, the VPN adds the routes necessary for its operation, which tightly block the traffic flow – it cannot leave the computer.

This problem can be solved by connecting via Tor running on another computer, even if on the same local network, even using virtual machines. An example of a working configuration with a virtual machine: a real computer acts as a proxy running Tor, and connection to OpenVPN through a Tor proxy is performed from a virtual machine. The opposite option – connecting to OpenVPN from a real machine through a virtual proxy machine will not work. You can use two virtual machines, one of which will be a proxy running Tor, and the second will be used to connect to OpenVPN.

It is for this reason that the Whonix distribution has two halves – the main OS and the gateway.

You can use Tor as a VPN proxy like:

• SOCKS proxy – in this case, you will not need other programs except Tor
• HTTP proxy – in addition to Tor, you also need Privoxy

How to connect to an OpenVPN server via Tor (SOCKS)

Install the tor package on the computer that will act as a proxy through Tor.

On Debian, Kali Linux, Linux Mint, Ubuntu, this is done with the command:

sudo apt install tor

In Arch Linux, BlackArch, Manjaro, installation is performed by the command

sudo pacman -S tor

By default, the tor service only allows incoming connections from localhost, that is, connections from other computers are not accepted.

Open the /etc/tor/torrc file:

sudo gedit /etc/tor/torrc

and add a line like this to it:

SOCKSPort EXTERNAL_IP:9050

For example:

SOCKSPort 192.168.1.39:9050

Start tor services:

sudo systemctl start tor

You can add tor to startup:

sudo systemctl enable tor

Now you can connect to the OpenVPN server via Tor running on the remote computer:

sudo openvpn --config client5.ovpn --socks-proxy 192.168.1.39 9050

How to connect to the OpenVPN server via Tor (HTTP proxy via Privoxy)

Privoxy which can be used as an HTTP proxy → SOCKS proxy adapter. That is, the OpenVPN client will connect to Privoxy as an HTTP proxy, and Privoxy will redirect traffic to Tor, which uses the SOCKS protocol.

On the computer that will act as a proxy through Tor, install the tor and privoxy packages.

On Debian, Kali Linux, Linux Mint, Ubuntu, this is done with the command:

sudo apt install tor privoxy

In Arch Linux, BlackArch, Manjaro, installation is performed by the command

sudo pacman -S tor privoxy

To configure Privoxy on a computer that will act as a proxy through Tor, in the file /etc/privoxy/config

sudo gedit /etc/privoxy/config

add the line:

forward-socks5t / 127.0.0.1:9050 .

By default, Privoxy only accepts incoming connections from the same computer, so that Privoxy starts accepting connections from outside, replace the line

listen-address 127.0.0.1:8118

with

listen-address :8118

If you want connections to be accepted only from the local network, then specify the local IP address, for example:

listen-address 192.168.1.20:8118

Start tor and privoxy services:

sudo systemctl start tor privoxy

You can add these services to startup:

sudo systemctl enable tor privoxy

By default privoxy listens on port 8118, also specify the IP address of the computer running Privoxy and Tor, for example:

sudo openvpn --config client5.ovpn --http-proxy 192.168.1.39 8118

Due to the nature of the Tor network, the connection may not occur the first time, and the connection may be slow and unstable.

How to use VPN in Tails

Under the article on using Tails, I was asked how to connect to a VPN over Tor in Tails.

Not only is it impossible to use a proxy with a loopback address (and this problem cannot be solved at all), but there are also limitations in Tails itself. For example, commands run as root do not have network access, and OpenVPN requires root privileges.

That is, connecting to a VPN server via Tor in Tails is not possible. In general, in Tails, using a VPN (for example, to connect through a remote proxy server) is either impossible at all, or requires such changes in system settings that the OS loses all its specific advantages and actually ceases to be Tails.

If you are thinking of Tails and VPN, then Whonix should be considered to use Tor and VPN at the same time.

Free VPN with proxy and Tor connection

In the article “autovpn2 and autovpn3 - scripts to automatically connect to a free VPNs” I mentioned that the autovpn3 script (which searches for free VPN servers and connects the computer through them), so, this script allows you to search for free VPNs through a proxy, and also download them settings and make a connection through a proxy.

In order for the program to do all actions through a proxy, edit the following settings in the autovpn3.sh file:

proxy=0 # replace with 1 if you want to search for VPN and connect to VPN through a proxy
proxyIP='' # IP address of the proxy server
proxyPort=8080 # proxy server port
proxyType='http' # type of proxy server, can be socks or http

Remember that for the reasons explained above, you cannot use a locally running Tor as a proxy to connect to a VPN server.