Sometimes there are places where is impossible to reach to internet without pass through a proxy. Using proxy is problematic because usually is impossible to read mail or use chat, irc and any application which work on a port different from 80 or 443.

This how to should work on most of the cases, unless the proxy policy is too restrictive.

Basically, the idea is to use the main connections to all the application which support proxy and are simple to configure and a customized route only for services that can’t pass thought a proxy.

Server

Openvpn uses default port 1194 (TCP or UDP), to pass over a proxy you must use the 443 port. I suggest to leave default openvpn port and apply a prerouting rule on iptables which map the 443 port on 1194:

iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 443 -j DNAT --to-destination 192.168.10.127:1194

Let’s start to configure openvpn service.

First of all you must read this official howto section to understand how to generate certificate (there are a lot of scripts and sample configuratino files shipped with openvpn package); you can also modify and use my configuration file.
Here my server configuration file:

mode server
local 192.168.10.127
;port 443
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
keepalive 10 120
tls-auth keys/ta.key 0 # This file is secret
cipher AES-128-CBC # AES
comp-lzo
user nobody
group nobody
persist-key
persist-tun
verb 5
mute 20

I stored my certificates into /etc/openvpn/keys and my openvpn configuration file into /etc/openvpn.
I want to spend just few words about network configuration:

• 192.168.10.0/24 is my home network (192.168.10.127 is my server network address)
• 192.168.x.x/x is network I’m connected with client
• 10.8.0.0/24 is the tunnel network

Client

Here a basic configuration (you can find a well explained file into sample configuration openvpn files):

client
dev tun
proto tcp-client
remote public_ip_address 443 #Public ip address of your home network
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-128-CBC
ca "/etc/openvpn/keys/home/ca.crt"
cert "/etc/openvpn/keys/home/client1.crt"
key "/etc/openvpn/keys/home/client1.key"
tls-auth "/etc/openvpn/keys/home/ta.key" 1
comp-lzo
verb 5
http-proxy proxy.ras 80 passwd_file basic
#http-proxy-retry
http-proxy-option AGENT Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-GB;+rv:1.7.6)+Gecko/20050226+Firefox/1.0.1


I will not explain about keys and certificates here because openvpn how to give you a good explanation about it.
If your proxy need authentication, you must put proxy username and proxy password into your passwd_file, respectly on first and second line.

Now, you can start openvpn on server (service start openvpn).
Then you have to start openvpn on client. If you pass through a proxy, services can return you a FAILED, in this case, you should check /var/log/messages to get information about it.

If you got something like:

Initialization Sequence Completed

the tunnel is started. To verify that it work, just try to ping other tunnel part.

Natting and fowarding
Now is necessary to enable NAT and forward on your openvpn server, to allow certain flows, forwarded througt your vpn can reach internet by passing on your home router.

Just apply this few rules:

/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

now the server configuration is done.

Now we have to create static routes:

route add -host ip_you_want_to_staticize gw your_vpn_tunnel_address

for example: jabber, you have to retrieve your jabber server ip address, and insert into route command.as “ip_you_want_to_staticize”.

If you don’t have a dns into your subnet, to maintain transparency in applications, is better to use /etc/hosts to map every ip address to his name.

I’m using vpn only for jabber and email, I want to use also mugshot but it doesn’t work…dunno why.

Thanks to Kiwi to help me.

This post is under construction…so If you have suggestion or any issue to propose me, don’t hesitate to tell me.