0

I have a OpenVPN server successfully setup on a digital ocean droplet following this amazing tutorial: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04

Then I also made a http proxy server using squid proxy on a different droplet.

When I try to connect to my VPN server, I get 503 Service Unavailable on the logs of the client. Also when I try to curl my VPN server, still the same result:

curl -I -x myproxy.com:80 http://myvpn.com:1194 or curl -I -x myproxy.com:80 http://myvpn.com

I turned off the ufw of my OpenVPN server, still the same results.

Where should I fix? My OpenVPN server? My My OpenVPN server's iptables? My squid proxy conf?

Please help..

OpenVPN server config.

server.conf

port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key dh dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist /var/log/openvpn/ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 1.1.1.1" push "dhcp-option DNS 1.0.0.1" keepalive 10 120 tls-auth ta.key 0 cipher AES-256-CBC auth SHA256 user nobody group nogroup persist-key persist-tun status /var/log/openvpn/openvpn-status.log verb 3 explicit-exit-notify 1

client.conf

 client dev tun proto tcp remote rl.rltech.xyz 1194 # domain I attached to my vpn server resolv-retry infinite nobind user nobody group nogroup persist-key persist-tun http-proxy proxy.rltech.xyz 80 # domain I attached my proxy server (squid proxy running on port 80) http-proxy-retry http-proxy-timeout 5 http-proxy-option CUSTOM-HEADER Host www.googlevideo.com http-proxy-option CUSTOM-HEADER X-Forwarded-For www.googlevideo.com ca ca.crt cert client.crt key client.key remote-cert-tls server tls-auth ta.key 1 cipher AES-256-CBC auth SHA256 key-direction 1 verb 3 ;mute 20 ; script-security 2 ; up /etc/openvpn/update-resolv-conf ; down /etc/openvpn/update-resolv-conf ; script-security 2 ; up /etc/openvpn/update-systemd-resolved ; down /etc/openvpn/update-systemd-resolved ; down-pre ; dhcp-option DOMAIN-ROUTE . <ca> -----BEGIN CERTIFICATE----- cert here .. -----END CERTIFICATE----- </ca>

iptables.sh (the only rules on my VPN Server)

#!/bin/bash iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE iptables -A OUTPUT -o tun+ -j ACCEPT

iptables -L

Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT udp -- anywhere anywhere state NEW udp dpt:openvpn ACCEPT all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere

Proxy server

squid.conf

acl SSL_ports port 1194 # OpenVPN acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 1194 # OpenVPN acl CONNECT method CONNECT http_access deny !Safe_ports http_access deny CONNECT !SSL_ports dns_nameservers 1.1.1.1 1.0.0.1 http_access allow all http_port 80 coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 refresh_pattern . 0 20% 4320
Improve this question
1
  • I can connect normally if I change the protocol of the client.conf to udp and remove http proxy. Commented Oct 11, 2020 at 1:53

2 Answers 2

Reset to default
0

According to the documentation here you must use TCP with the http-proxy directive so try to set proto tcp in both server and client config

Improve this answer
4
  • Just added that code on my existing squid.conf file sir, still the same results. Commented Oct 13, 2020 at 9:15
  • According to the documentation here link you must use TCP with the http-proxy directive so try to set proto tcp in both server and client config Commented Oct 13, 2020 at 16:48
  • Thanks sir, your comment solved the issue. Commented Oct 14, 2020 at 2:28
  • You're welcome. I edited my previous answer so please mark it as accepted and delete your answser to clarify. Commented Oct 14, 2020 at 8:54
0

As per @demathos

I deployed another instance of openvpn server, now running is: openvpn@server - 1194/udp openvpn@server1 - 1194/tcp

netstat -tulpn Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 733/sshd tcp 0 0 0.0.0.0:1194 0.0.0.0:* LISTEN 24288/openvpn tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 616/systemd-resolve tcp6 0 0 :::22 :::* LISTEN 733/sshd tcp6 0 0 :::80 :::* LISTEN 20175/(squid-1) udp 0 0 127.0.0.53:53 0.0.0.0:* 616/systemd-resolve udp 0 0 0.0.0.0:33916 0.0.0.0:* 20175/(squid-1) udp 0 0 0.0.0.0:1194 0.0.0.0:* 19762/openvpn udp6 0 0 :::33573 :::* 20175/(squid-1)
Improve this answer
1
  • My client now can connect using the config above. Thank you. Solved. Commented Oct 14, 2020 at 2:26

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.