From: Jan J. K. <ja...@ni...> - 2008-07-21 15:10:08
Hi Jed,

try running wireshark/tcpdump whilst connecting to the proxy using your browser and check for the 'Proxy-Authorization: Basic' line. Does the encrypted username/password match that of the one sent by openvpn (as shown in your server log)?

Also, if the ISA server is refusing connection from anything other than a browser, try adding

  http-proxy-option AGENT "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"

(or whatever FF version you want).

My bet is, however, that the browser is sending a different username/password combo than openvpn does.

HTH,

JJK

Jed Sheckler wrote:
> Yes, I can connect no problem with a web browser (IE or FF), so I know
> the credentials are good. That's what I'm not sure of, I guess,
> whether I have somehow not configured OpenVPN to send the credentials
> correctly, or if the proxy is receiving them, but is configured to
> refuse connections from programs other than a browser.
>
> Thanks for your suggestion.
>
> Jed
>
> On Mon, Jul 21, 2008 at 3:19 AM, Jan Just Keijser <ja...@ni...> wrote:
>
> > Hi Jed,
> >
> > are you sure you can connect to the proxy using e.g. a web browser
> > (or download 'wget': that behaves pretty much the same way as
> > openvpn does in this respect)?
> >
> > HTH,
> >
> > JJK
> >
> > Jed Sheckler wrote:
> >
> > > I am trying to connect to my office's OpenVPN server from
> > > behind a client proxy. I have never tried to connect via a
> > > proxy before, so I am not sure if I am doing something wrong,
> > > or this is just not possible.
> > >
> > > The relevant lines in my client config file are:
> > >
> > > proto tcp
> > > http-proxy 10.55.3.133 8080 "C:\\Program Files\\OpenVPN\\config\\proxy_auth.txt"
> > > http-proxy-retry
> > >
> > > where proxy_auth.txt contains the username and password
> > > required to connect to the proxy.
> > >
> > > The relevant lines from the log after failing to connect are:
> > >
> > > Sun Jul 20 09:43:00 2008 us=31000 Attempting to establish TCP connection with 10.55.3.133:8080
> > > Sun Jul 20 09:43:00 2008 us=765000 TCP connection established with 10.55.3.133:8080
> > > Sun Jul 20 09:43:00 2008 us=765000 Send to HTTP proxy: 'CONNECT openvpn.xxxxx.com:443 HTTP/1.0'
> > > Sun Jul 20 09:43:00 2008 us=765000 Attempting Basic Proxy-Authorization
> > > Sun Jul 20 09:43:00 2008 us=765000 Send to HTTP proxy: 'Proxy-Authorization: Basic Y3B0bFx0b3RhbDp0b3RhbDIwMDg='
> > > Sun Jul 20 09:43:04 2008 us=156000 HTTP proxy returned: 'HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )'
> > > Sun Jul 20 09:43:04 2008 us=156000 Proxy requires authentication
> > >
> > > Using NTLM authentication the result is similar:
> > >
> > > Sun Jul 20 09:49:59 2008 us=515000 Attempting to establish TCP connection with 10.55.3.133:8080
> > > Sun Jul 20 09:50:00 2008 us=296000 TCP connection established with 10.55.3.133:8080
> > > Sun Jul 20 09:50:00 2008 us=296000 Send to HTTP proxy: 'CONNECT openvpn.xxxxxx.com:443 HTTP/1.0'
> > > Sun Jul 20 09:50:00 2008 us=296000 Attempting NTLM Proxy-Authorization phase 1
> > > Sun Jul 20 09:50:00 2008 us=296000 Send to HTTP proxy: 'Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAA=='
> > > Sun Jul 20 09:50:03 2008 us=984000 HTTP proxy returned: 'HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )'
> > > Sun Jul 20 09:50:03 2008 us=984000 Proxy requires authentication
> > > Sun Jul 20 09:50:04 2008 HTTP proxy returned: 'Via:1.1 ISAPROXY'
> > > Sun Jul 20 09:50:04 2008 HTTP proxy returned: 'Proxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADgAAAACAgAC39062OdRBIkAAAAAAAAAAAAAAAA4AAAABQCTCAAAAA8='
> > > Sun Jul 20 09:50:04 2008 auth string: 'TlRMTVNTUAACAAAAAAAAADgAAAACAgAC39062OdRBIkAAAAAAAAAAAAAAAA4AAAABQCTCAAAAA8='
> > > Sun Jul 20 09:50:04 2008 Received NTLM Proxy-Authorization phase 2 response
> > > Sun Jul 20 09:50:09 2008 us=15000 recv_line: TCP port read timeout expired
> > > Sun Jul 20 09:50:09 2008 us=15000 Send to HTTP proxy: 'CONNECT openvpn.xxxxx.com:443 HTTP/1.0'
> > > Sun Jul 20 09:50:10 2008 us=15000 Send to HTTP proxy: 'Host: openvpn.xxxxxx.com'
> > > Sun Jul 20 09:50:10 2008 us=15000 Attempting NTLM Proxy-Authorization phase 3
> > > Sun Jul 20 09:50:10 2008 us=15000 Send to HTTP proxy: 'Proxy-Authorization: NTLM TlRMTVNTUAADAAAAAAAAAGIAAAAYABgAQAAAAAAAAABiAAAACgAKAFgAAAAAAAAAYgAAAAAAAABiAAAAAgIAANkUD8qhN4awbE5PG6PdufZwDpTPk1jhMGNwdGxcdG90YWw='
> > > Sun Jul 20 09:50:12 2008 us=796000 HTTP proxy returned: 'HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )'
> > > Sun Jul 20 09:50:12 2008 us=796000 HTTP proxy returned bad status
> > >
> > > Any assistance would be appreciated.
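Added example, not part of the original thread: a small Python helper for the comparison suggested in the reply, which decodes a `Proxy-Authorization` line taken from an OpenVPN log or a packet capture so the identity OpenVPN sends can be checked against the one the browser sends. The Basic sample values are constructed, the NTLM value is the phase 1 string quoted in the log in this thread, and the function names are hypothetical.

```python
import base64
import hashlib
import re
import struct

# Header as it appears in an OpenVPN log line or in a packet capture.
AUTH_RE = re.compile(r"Proxy-Authorization:\s*(Basic|NTLM)\s+([A-Za-z0-9+/=]+)", re.I)

def describe_proxy_auth(line):
    """Describe the Proxy-Authorization header found in `line`, or return None."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    scheme, raw = m.group(1).upper(), base64.b64decode(m.group(2))
    if scheme == "BASIC":
        # Basic is base64("user:password"); only the first ':' separates the two.
        user, _, password = raw.decode("latin-1").partition(":")
        domain, sep, name = user.rpartition("\\")
        return {"scheme": scheme, "domain": domain if sep else None, "user": name,
                # Short fingerprint instead of the password itself.
                "password_sha256": hashlib.sha256(password.encode("latin-1")).hexdigest()[:12]}
    if len(raw) < 12 or not raw.startswith(b"NTLMSSP\x00"):
        raise ValueError("not an NTLMSSP message")
    # Little-endian uint32 after the signature: NTLM message type (1, 2 or 3).
    return {"scheme": scheme, "ntlm_type": struct.unpack_from("<I", raw, 8)[0]}

def same_credentials(line_a, line_b):
    """True when both lines carry Basic headers with identical domain, user and password."""
    a, b = describe_proxy_auth(line_a), describe_proxy_auth(line_b)
    return bool(a and b and a["scheme"] == b["scheme"] == "BASIC" and a == b)

def _basic(userpass):
    # Builds a constructed sample header; not a value from the thread.
    return "Proxy-Authorization: Basic " + base64.b64encode(userpass.encode()).decode()

# Constructed samples: OpenVPN sends a bare user name, the browser DOMAIN\user.
OPENVPN_LOG = "Send to HTTP proxy: '" + _basic("jdoe:S3cret-example") + "'"
BROWSER_CAPTURE = _basic("EXAMPLE\\jdoe:S3cret-example")
# NTLM phase 1 value as quoted in the log in this thread.
NTLM_PHASE1 = "Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAA=="

if __name__ == "__main__":
    for sample in (OPENVPN_LOG, BROWSER_CAPTURE, NTLM_PHASE1):
        print(describe_proxy_auth(sample))
    print("same credentials:", same_credentials(OPENVPN_LOG, BROWSER_CAPTURE))
```

In the constructed pair the password fingerprints match but the domain part differs, which is the kind of mismatch the comparison is meant to surface.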