• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6227

OpenVPN through HTTPS NTLM proxy

Dear colleagues,
here is the situation:
1) I spent a pretty long time trying to get OpenVPN working behind our corporate proxy, but without success, so I would be glad if someone could figure it out.
2) Without the proxy (and of course outside our corporate LAN :-)) this configuration works flawlessly with multiple clients in multiple locations.
3) The problem arises when I need to connect from our corporate LAN to my OpenVPN network.
4) All traffic from our corporate network to the internet goes through an NTLM proxy server (some HW appliance now, I guess). There is no possibility to reach the internet directly due to strict IT security policy.
5) No sign of any activity on the VPN server side - it looks like the client does not reach the VPN server at all.

server config:
local 172.17.1.10
port 443
proto tcp
dev tun
dev-node OpenVPN
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.18.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
float
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

client configuration:
client
dev tun
dev-node OpenVPN
proto tcp-client
remote secret.domain.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
http-proxy proxy.server.address.com 8080 proxy-auth.txt ntlm
http-proxy-option VERSION 1.1
http-proxy-option AGENT Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
http-proxy-timeout 5
float
ca ca.crt
cert client2.crt
key client2.key
ns-cert-type server
comp-lzo
verb 10
mute 20

and this came up in the client log (nothing came up on the server side):
Thu Dec 17 00:44:41 2009 us=281000 Current Parameter Settings:
Thu Dec 17 00:44:41 2009 us=281000   config = 'PVPNC.ovpn'
Thu Dec 17 00:44:41 2009 us=281000   mode = 0
Thu Dec 17 00:44:41 2009 us=281000   show_ciphers = DISABLED
Thu Dec 17 00:44:41 2009 us=281000   show_digests = DISABLED
Thu Dec 17 00:44:41 2009 us=281000   show_engines = DISABLED
Thu Dec 17 00:44:41 2009 us=281000   genkey = DISABLED
Thu Dec 17 00:44:41 2009 us=281000   key_pass_file = '[UNDEF]'
Thu Dec 17 00:44:41 2009 us=281000   show_tls_ciphers = DISABLED
Thu Dec 17 00:44:41 2009 us=281000 Connection profiles [default]:
Thu Dec 17 00:44:41 2009 us=281000   proto = tcp-client
Thu Dec 17 00:44:41 2009 us=281000   local = '[UNDEF]'
Thu Dec 17 00:44:41 2009 us=281000   local_port = 0
Thu Dec 17 00:44:41 2009 us=281000   remote = 'secret.domain.com'
Thu Dec 17 00:44:41 2009 us=281000   remote_port = 443
Thu Dec 17 00:44:41 2009 us=281000   remote_float = ENABLED
Thu Dec 17 00:44:41 2009 us=281000   bind_defined = DISABLED
Thu Dec 17 00:44:41 2009 us=281000   bind_local = DISABLED
Thu Dec 17 00:44:41 2009 us=281000   connect_retry_seconds = 5
Thu Dec 17 00:44:41 2009 us=281000   connect_timeout = 10
Thu Dec 17 00:44:41 2009 us=281000 NOTE: --mute triggered...
Thu Dec 17 00:44:41 2009 us=281000 261 variation(s) on previous 20 message(s) suppressed by --mute
Thu Dec 17 00:44:41 2009 us=281000 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
Thu Dec 17 00:44:41 2009 us=281000 PKCS#11: pkcs11_initialize - entered
Thu Dec 17 00:44:41 2009 us=281000 PKCS#11: pkcs11_initialize - return 0-'CKR_OK'
Thu Dec 17 00:44:41 2009 us=281000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Dec 17 00:44:41 2009 us=281000 WE_INIT maxevents=4 flags=0x00000002
Thu Dec 17 00:44:41 2009 us=281000 WE_INIT maxevents=4 capacity=8
Thu Dec 17 00:44:41 2009 us=437000 PRNG init md=SHA1 size=36
Thu Dec 17 00:44:41 2009 us=437000 LZO compression initialized
Thu Dec 17 00:44:41 2009 us=437000 MTU DYNAMIC mtu=0, flags=1, 0 -> 140
Thu Dec 17 00:44:41 2009 us=437000 TLS: tls_session_init: entry
Thu Dec 17 00:44:41 2009 us=437000 PID packet_id_init seq_backtrack=0 time_backtrack=0
Thu Dec 17 00:44:41 2009 us=437000 PID packet_id_init seq_backtrack=0 time_backtrack=0
Thu Dec 17 00:44:41 2009 us=437000 TLS: tls_session_init: new session object, sid=c6f1314e 8637583d
Thu Dec 17 00:44:41 2009 us=437000 TLS: tls_session_init: entry
Thu Dec 17 00:44:41 2009 us=437000 PID packet_id_init seq_backtrack=0 time_backtrack=0
Thu Dec 17 00:44:41 2009 us=437000 PID packet_id_init seq_backtrack=0 time_backtrack=0
Thu Dec 17 00:44:41 2009 us=437000 TLS: tls_session_init: new session object, sid=43e48fcf 8ce52838
Thu Dec 17 00:44:41 2009 us=453000 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Dec 17 00:44:41 2009 us=453000 MTU DYNAMIC mtu=1450, flags=2, 1544 -> 1450
Thu Dec 17 00:44:41 2009 us=453000 RESOLVE_REMOTE flags=0x0101 phase=1 rrs=0 sig=-1 status=1
Thu Dec 17 00:44:41 2009 us=453000 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Dec 17 00:44:41 2009 us=453000 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Dec 17 00:44:41 2009 us=453000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Dec 17 00:44:41 2009 us=453000 Local Options hash (VER=V4): '69109d17'
Thu Dec 17 00:44:41 2009 us=453000 Expected Remote Options hash (VER=V4): 'c0103fa8'
Thu Dec 17 00:44:41 2009 us=453000 STREAM: RESET
Thu Dec 17 00:44:41 2009 us=453000 STREAM: INIT maxlen=1544
Thu Dec 17 00:44:41 2009 us=453000 Attempting to establish TCP connection with proxyipaddress:8080
Thu Dec 17 00:44:41 2009 us=531000 TCP connection established with proxyipaddress:8080
Thu Dec 17 00:44:41 2009 us=531000 Send to HTTP proxy: 'CONNECT secret.domain.com:443 HTTP/1.1'
Thu Dec 17 00:44:41 2009 us=531000 Attempting NTLM Proxy-Authorization phase 1
Thu Dec 17 00:44:41 2009 us=531000 Send to HTTP proxy: 'Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAA=='
Thu Dec 17 00:44:43 2009 us=593000 HTTP proxy returned: 'HTTP/1.1 407 Proxy Authentication Required'
Thu Dec 17 00:44:43 2009 us=593000 Proxy requires authentication
Thu Dec 17 00:44:43 2009 us=593000 HTTP proxy returned: 'Mime-Version: 1.0'
Thu Dec 17 00:44:43 2009 us=593000 HTTP proxy returned: 'Date: Thu, 17 Dec 2009 00:44:43 CET'
Thu Dec 17 00:44:43 2009 us=593000 HTTP proxy returned: 'Content-Type: text/html'
Thu Dec 17 00:44:43 2009 us=593000 HTTP proxy returned: 'Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADAAAAACAgAAYOan29uai+kAAAAAAAAAAAAAAAAwAAAA'
Thu Dec 17 00:44:43 2009 us=593000 auth string: 'TlRMTVNTUAACAAAAAAAAADAAAAACAgAAYOan29uai+kAAAAAAAAAAAAAAAAwAAAA'
Thu Dec 17 00:44:43 2009 us=593000 Received NTLM Proxy-Authorization phase 2 response
Thu Dec 17 00:44:48 2009 us=609000 recv_line: TCP port read timeout expired
Thu Dec 17 00:44:48 2009 us=609000 Send to HTTP proxy: 'CONNECT secret.domain.com:443 HTTP/1.1'
Thu Dec 17 00:44:49 2009 us=609000 Send to HTTP proxy: 'Host: secret.domain.com'
Thu Dec 17 00:44:49 2009 us=609000 Attempting NTLM Proxy-Authorization phase 3
Thu Dec 17 00:44:49 2009 us=609000 Send to HTTP proxy: 'Proxy-Authorization: NTLM TlRMTVNTUAADAAAAAAAAAF8AAAAYABgAQAAAAAAAAABfAAAABwAHAFgAAAAAAAAAXwAAAAAAAABfAAAAAgIAADNtZzkk2kBIu3wvKbWczlAlGqTFQx26mm5ldXppbGw='
Thu Dec 17 00:44:51 2009 us=640000 HTTP proxy returned: 'HTTP/1.1 407 Proxy Authentication Required'
Thu Dec 17 00:44:51 2009 us=640000 HTTP proxy returned bad status
Thu Dec 17 00:44:51 2009 us=640000 PID packet_id_free
Thu Dec 17 00:44:51 2009 us=640000 PID packet_id_free
Thu Dec 17 00:44:51 2009 us=640000 PID packet_id_free
Thu Dec 17 00:44:51 2009 us=640000 PID packet_id_free
Thu Dec 17 00:44:51 2009 us=640000 PID packet_id_free
Thu Dec 17 00:44:51 2009 us=640000 PID packet_id_free
Thu Dec 17 00:44:51 2009 us=640000 PID packet_id_free
Thu Dec 17 00:44:51 2009 us=640000 PID packet_id_free
Thu Dec 17 00:44:51 2009 us=640000 TCP/UDP: Closing socket
Thu Dec 17 00:44:51 2009 us=640000 PID packet_id_free
Thu Dec 17 00:44:51 2009 us=640000 SIGTERM[soft,init_instance] received, process exiting
Thu Dec 17 00:44:51 2009 us=640000 PKCS#11: pkcs11_terminate - entered
Thu Dec 17 00:44:51 2009 us=640000 PKCS#11: pkcs11h_terminate entry
Thu Dec 17 00:44:51 2009 us=640000 PKCS#11: Removing providers
Thu Dec 17 00:44:51 2009 us=640000 PKCS#11: Releasing sessions
Thu Dec 17 00:44:51 2009 us=640000 PKCS#11: Terminating slotevent
Thu Dec 17 00:44:51 2009 us=640000 PKCS#11: _pkcs11h_slotevent_terminate entry
Thu Dec 17 00:44:51 2009 us=640000 PKCS#11: _pkcs11h_slotevent_terminate return
Thu Dec 17 00:44:51 2009 us=640000 PKCS#11: Marking as uninitialized
Thu Dec 17 00:44:51 2009 us=640000 PKCS#11: pkcs11_terminate - return
Thu Dec 17 00:44:51 2009 us=640000 Closing Win32 semaphore 'openvpn_netcmd'

Any help is much appreciated. I tried everything I found... maybe there is someone more skilled who will know how to achieve this.

Do not hesitate to contact me for any further information....

Libor
Asked by Libis_aka_Dusk

1 Solution

arnold Commented:
The client never gets the OK from the proxy. The first attempt to authenticate timed out during phase 2.
Try, instead of using a file for the proxy configuration, using stdin, where you will be prompted for the proxy credentials domain\username and password, if you have not tried it?
See if that gets you further along.
0
 
arnold Commented:
Are you sure you need to have proto tcp-client on the client side and not simply proto tcp?
http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html#http
0
 
Libis_aka_Dusk (Author) Commented:
thanks for your response.
1) I did try to switch from tcp-client to tcp, with no change.
2) I also tried changing file to stdin, trying to enter the domain login both with and without the realm. I suppose there should be an access denied or authentication failure message, but it is still simply timing out :-(

Any other ideas? Any help is much appreciated...
0
 
arnold Commented:
The problem seems to be that the NTLM authorization information is not included in the connect request.

There is a line: Thu Dec 17 00:44:41 2009 us=281000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Not sure what that is all about.
I think the openVPN client is supposed to:
Send to the proxy:
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAAAAAAF8AAAAYABgAQAAAAAAAAABfAAAABwAHAFgAAAAAAAAAXwAAAAAAAABfAAAAAgIAADNtZzkk2kBIu3wvKbWczlAlGqTFQx26mm5ldXppbGw=
Connect secret.domain.com:443 HTTP/1.1

The other part: have you tried accessing without the proxy?

Port 443 is an encrypted port and usually would either be blocked by IT since it is not possible to monitor data flowing through this port or would be allowed to go through as you've tried.

On the LAN are you able to get to any secure sites?

A simpler fix could be to have openVPN server on port 80.

0
 
Libis_aka_Dusk (Author) Commented:
1) How to fix that? What is the cause?
2) I fixed that (added script-security 2 to the config). Now that line is gone. No luck with VPN functionality.
3) Of course I tried it :-) no luck. There is no possibility of reaching the internet without that proxy. Outside the corporate office OpenVPN is working. Not inside - and that is my issue here.
4) I am not sure if our corporate IT security is blocking the port. Maybe they block the CONNECT command at the proxy as well? If so, is there a workaround?
5) Yes, I am able to reach any HTTPS secure site I want.
6) I tried it - unfortunately no luck again when I use 80 as the destination port. Log messages remain the same.
0
 
arnold Commented:
The corporate setup might be enforcing a corporate policy, to prevent exactly what you are trying to do.
0
 
Libis_aka_Dusk (Author) Commented:
Well, this is my primary issue here and what I need a solution for. I need to tunnel out and connect to my other network.
Is there a workaround for how to tunnel outside?
Other VPN software you could recommend with similar functionality which will pass through the proxy?
Which will simulate HTTPS usage?

By the way, LogMeIn works in the same corporate LAN through the proxy. Probably it's tunneling out through a standard HTTPS session. I would like to use something similar here.
I also tried LogMeIn Hamachi VPN, which is not working either :-)

Please help...
0
 
arnold Commented:
I think the help you seem to be looking for is a way to circumvent the IT policy.
It sounds as though you may have an IP conflict.
0
 
Libis_aka_Dusk (Author) Commented:
1) But I am still missing any solution for how to achieve that. That is the issue.
2) I don't get the point about an IP conflict in case I can't reach and build the tunnel because it is not passing the proxy. Could you give me a rope?
0
 
arnold Commented:
Are all ports restricted? i.e. if you set up the openVPN server on a non-standard port for any service, e.g. 6482.

Whatever you are trying to achieve, you should check with corporate IT.

I think this is the end of my contribution to this discussion.
0
 
Libis_aka_Dusk (Author) Commented:
1) The server is not behind the proxy, the client is.
2) I did try other ports.
3) Corporate security restricts communication to any ports other than 80 and 443. The problem is that neither of these works.
0
 
arnold Commented:
You have IP 172.16.0.0/16; what is the corporate IP range?

Test the openVPN NTLM auth mechanism within your own environment to see what it is doing and what an NTLM auth configured proxy expects.  Once you solve that, you should solve the issue you have.

Do you have an openssl client on the client system? Use it to try and connect to the openVPN server,
i.e. establish a connection to the proxy, and then see if you can connect through to your server.
0
 
Libis_aka_Dusk (Author) Commented:
Thanks for assistance...
1) 10.0.0.0/2 - I don't think it is possible to have a conflict before the interface is activated. This occurs after the proxy is authenticated and the session is established from client to server via the proxy.
2) In my own environment (ISA Server 2006 as a proxy) it works. Not in the corporate one.
3) I have never done that before. As I look into the manual I am not able to do that. How do I try it?
0
 
arnold Commented:
Is your ISA configured for NTLM authentication and are you using a laptop that is not on the LAN of the ISA i.e. where you would be prompted for username/password?
http://www.openssl.org/support/faq.html
openssl s_client -connect www.some.host:443 (additional options are possible)
Try accessing a regular site and then try to connect to your openVPN server.

Note that you would need to manually generate the HTTP request.
0
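What the proxy and the client actually negotiated can be read straight off the client log in the question, which is the check arnold is asking for (what an NTLM-configured proxy expects) before any credentials are involved. The script below is an added example, not code from the thread, from arnold, or from the OpenVPN project. It decodes the three NTLM tokens and the 407 reply that the log shows, and includes a plain CONNECT probe of the kind arnold describes with openssl s_client (without TLS, because the leg to the proxy is plaintext). proxy.server.address.com and secret.domain.com are the thread's placeholder names; the tokens and header lines are copied from the log; everything else is Python standard library.

```python
"""Offline look at an HTTP CONNECT proxy that answers with NTLM.

Added example for this thread; not code from the question, from "arnold" or
from the OpenVPN project.  The NTLM tokens and the 407 reply embedded below
are copied from the client log in the question; proxy.server.address.com and
secret.domain.com are the thread's placeholder names.  Standard library only.
"""
import base64
import socket
import struct

# Subset of the NegotiateFlags bits, values as defined in MS-NLMP section 2.2.2.5.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}


def flag_names(flags):
    """Names of the bits set in an NTLM NegotiateFlags word, lowest bit first."""
    return [name for bit, name in sorted(NTLM_FLAGS.items()) if flags & bit]


def _fields(data, offset):
    """Read one NTLM (Len, MaxLen, BufferOffset) field descriptor."""
    length, _max_length, buf_offset = struct.unpack_from("<HHI", data, offset)
    return length, buf_offset


def decode_ntlm(token_b64):
    """Decode the header of an NTLMSSP type 1, 2 or 3 message.

    Only structure and negotiated options are returned.  For a type 3 message
    the user name and the challenge-response blobs are deliberately left
    undecoded; their lengths already tell which NTLM variant the client used.
    """
    data = base64.b64decode(token_b64)
    if data[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    info = {"type": msg_type, "length": len(data)}
    if msg_type == 1 and len(data) >= 16:          # NEGOTIATE: client -> proxy
        flags = struct.unpack_from("<I", data, 12)[0]
    elif msg_type == 2 and len(data) >= 48:        # CHALLENGE: proxy -> client
        tn_len, tn_off = _fields(data, 12)
        flags = struct.unpack_from("<I", data, 20)[0]
        info["challenge"] = data[24:32].hex()
        name = data[tn_off:tn_off + tn_len]
        info["target_name"] = name.decode("utf-16-le" if flags & 1 else "latin-1")
        # TargetInfo (AV_PAIRs) is what an NTLMv2 client hashes; zero length means none offered.
        info["target_info_len"] = _fields(data, 40)[0]
    elif msg_type == 3 and len(data) >= 64:        # AUTHENTICATE: client -> proxy
        for key, off in (("lm_response_len", 12), ("nt_response_len", 20),
                         ("domain_name_len", 28), ("user_name_len", 36),
                         ("workstation_len", 44)):
            info[key] = _fields(data, off)[0]
        flags = struct.unpack_from("<I", data, 60)[0]
    else:
        raise ValueError("unknown or truncated NTLM message type %d" % msg_type)
    info["flags"] = flags
    info["flag_names"] = flag_names(flags)
    return info


def build_connect_request(host, port, agent=None):
    """The CONNECT request a client sends to open a tunnel through the proxy."""
    lines = ["CONNECT %s:%d HTTP/1.1" % (host, port), "Host: %s:%d" % (host, port)]
    if agent:
        lines.append("User-Agent: " + agent)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_proxy_response(raw):
    """Split the proxy's response head into a status code and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % status_line)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"status": int(parts[1]), "headers": headers}


def ntlm_challenge(resp):
    """Decoded NTLM type 2 message offered in a 407 reply, or None if the proxy did not offer NTLM."""
    for value in resp["headers"].get("proxy-authenticate", []):
        scheme, _, token = value.partition(" ")
        if scheme.upper() == "NTLM" and token:
            return decode_ntlm(token)
    return None


def probe_connect(proxy_host, proxy_port, target_host, target_port, timeout=10):
    """Send one unauthenticated CONNECT and return the parsed reply (does network I/O).

    A 407 carrying 'Proxy-Authenticate: NTLM' shows the proxy wants NTLM and which
    options it offers; a 403 or 502 without that header means the CONNECT itself is
    refused, which no credentials would change.
    """
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(target_host, target_port))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_proxy_response(raw)


# Constructed sample input: the three tokens and the 407 reply taken from the question's log.
TYPE1 = "TlRMTVNTUAABAAAAAgIAAA=="
TYPE2 = "TlRMTVNTUAACAAAAAAAAADAAAAACAgAAYOan29uai+kAAAAAAAAAAAAAAAAwAAAA"
TYPE3 = "TlRMTVNTUAADAAAAAAAAAF8AAAAYABgAQAAAAAAAAABfAAAABwAHAFgAAAAAAAAAXwAAAAAAAABfAAAAAgIAADNtZzkk2kBIu3wvKbWczlAlGqTFQx26mm5ldXppbGw="
SAMPLE_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b"Mime-Version: 1.0\r\n"
              b"Date: Thu, 17 Dec 2009 00:44:43 CET\r\n"
              b"Content-Type: text/html\r\n"
              b"Proxy-Authenticate: NTLM " + TYPE2.encode("ascii") + b"\r\n\r\n")

if __name__ == "__main__":
    for label, token in (("type 1", TYPE1), ("type 2", TYPE2), ("type 3", TYPE3)):
        print(label, decode_ntlm(token))
    print("challenge in 407:", ntlm_challenge(parse_proxy_response(SAMPLE_407)))
    # Live check, to be run from the client side of the proxy (hostnames are the thread's placeholders):
    # print(probe_connect("proxy.server.address.com", 8080, "secret.domain.com", 443))
```

Run against the log's own tokens, the decoder shows the client's type 1 and the proxy's type 2 both carrying flags 0x202 (NEGOTIATE_OEM and NEGOTIATE_NTLM only), a 48-byte challenge with no target name and no TargetInfo, and a type 3 with a 24-byte NT response, no LM response and no domain name. Comparing that output with the same exchange captured against the ISA Server that does work is the "test the NTLM auth mechanism within your own environment" step in concrete form, and the same decoder is what a proxy administrator would use to confirm which NTLM options the appliance is actually offering.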
