Using OpenVPN with HTTP Proxy to bypass ISP restrictions

Hi everyone,

I'm facing an issue with OpenVPN on my OpenWrt router, and I need your help. My ISP blocks everything except a few sites like YouTube, Likee, and TikTok. I want to use OpenVPN with an HTTP proxy to bypass these restrictions. Here's my situation in detail:

Problem:

When I use the provided OpenVPN configuration on my mobile (OpenVPN client app) or PC, it connects successfully, and I can browse the internet freely. When connected to another ISP that has no restrictions, I can connect to OpenVPN on my OpenWrt router with the same configuration successfully. However, when I use the same configuration on my OpenWrt router on the ISP which has restrictions, the connection fails. The logs show repeated errors related to HTTP proxy, as detailed below.

OpenVPN Configuration:

client  
dev tun  
proto tcp  
remote 178.128.209.238 33627  
remote-cert-tls server  
cipher AES-256-CBC  
comp-lzo  
auth-user-pass  
verb 3  
redirect-gateway def1  
script-security 2  
route 0.0.0.0 0.0.0.0  
dhcp-option DNS 8.8.8.8  
dhcp-option DNS 8.8.4.4  
nobind  
http-proxy-option CUSTOM-HEADER CONNECT HTTP/1.0  
http-proxy-option CUSTOM-HEADER Host freeyoutube.com  
http-proxy-option CUSTOM-HEADER X-Online-Host freeyoutube.com  
http-proxy-option CUSTOM-HEADER X-Forward-Host freeyoutube.com  
http-proxy-option CUSTOM-HEADER Connection:Keep-Alive  
http-proxy 178.128.209.238 8080  

<ca>  
-----BEGIN CERTIFICATE-----  
-----END CERTIFICATE-----  
</ca>  
<cert>  
-----BEGIN CERTIFICATE-----  
-----END CERTIFICATE-----  
</cert>  
<key>  
-----BEGIN PRIVATE KEY-----  
-----END PRIVATE KEY-----  
</key>

Logs from OpenWrt:

Mon Jan 20 12:55:40 2025 daemon.warn openvpn(test)[8278]: WARNING: Compression for receiving enabled...  
Mon Jan 20 12:55:41 2025 daemon.notice openvpn(test)[8278]: HTTP proxy returned: 'HTTP/1.0 302 Moved Temporarily'  
Mon Jan 20 12:55:41 2025 daemon.err openvpn(test)[8278]: HTTP proxy returned bad status  
Mon Jan 20 12:55:41 2025 daemon.notice openvpn(test)[8278]: TCP/UDP: Closing socket  
Mon Jan 20 12:55:41 2025 daemon.notice openvpn(test)[8278]: SIGUSR1[soft,HTTP proxy error] received, process restarting  

What I've Tried:

  1. Verified that the OpenVPN configuration works on other devices (mobile and PC).
  2. Ensured OpenWrt is running the latest stable version.
  3. Confirmed that OpenVPN is properly installed and configured on OpenWrt.

Questions:

  1. Why does the OpenVPN connection fail specifically on OpenWrt, while working on other devices?
  2. Is the issue related to how OpenWrt handles HTTP proxy headers or some missing dependencies?
  3. Are there additional OpenVPN or OpenWrt settings I should adjust to resolve this?

Additional Info:

  • OpenWrt version: 24.10.0rc-5
  • OpenVPN version: 2.6.12-r1

Any advice or suggestions would be greatly appreciated! Thank you in advance for your time and help.

If you got the OpenVPN tunnel, what do you need the proxy for?

Tried restarting without the http-proxy* options?

These http-proxy-option lines modify the HTTP headers that OpenVPN sends when using a proxy, likely helping you disguise the traffic as if it's for a specific website (like YouTube) to bypass restrictions or filtering, because only YouTube, TikTok and Likee are accessible from my wifi. And when connecting from the mobile OpenVPN client, it shows no errors with the same config.

That's not what I asked.

If your OpenVPN tunnel comes up, why would you need to disguise the traffic any further?

Your OpenVPN remote IP appears to be in Singapore - https://geoiplookup.io/geo/178.128.209.238.

My OpenVPN server IP is not accessible from my wifi; only if I show that the traffic is from YouTube will my ISP firewall let it go to that IP, otherwise not.

No idea what this means.

This doesn't make any sense: if your traffic goes via the tunnel, it can't be blocked by your ISP, unless your clients still use the ISP's DNS instead of sending the DNS requests through the tunnel.

First of all you have to make the tunnel, but if your OpenVPN server is not accessible from your current network, how would you make the tunnel, brother?

You don't have a server, but a client, which is supposed to route all or parts of your internet traffic through a tunnel ...

https://openwrt.org/docs/guide-user/network/routing/pbr

Not sure if this is related, but compression is deprecated; however, it usually gives another error.

auth-user-pass needs a file with username and password or if you are using OpenVPN 2.6 you can use:
<auth-user-pass>
[USER NAME]
[PASSWORD]
</auth-user-pass>


I have removed the HTTP proxy sections, but it didn't connect to that server. Here are the logs:

Mon Jan 20 15:53:26 2025 daemon.warn openvpn(test)[4901]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Mon Jan 20 15:53:26 2025 daemon.notice openvpn(test)[4901]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Mon Jan 20 15:53:26 2025 daemon.notice openvpn(test)[4901]: OpenVPN 2.6.12 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Mon Jan 20 15:53:26 2025 daemon.notice openvpn(test)[4901]: library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
Mon Jan 20 15:53:26 2025 daemon.warn openvpn(test)[4901]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jan 20 15:53:26 2025 daemon.notice openvpn(test)[4901]: LZ4 compression initializing
Mon Jan 20 15:53:26 2025 daemon.notice openvpn(test)[4901]: Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Mon Jan 20 15:53:26 2025 daemon.notice openvpn(test)[4901]: Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Mon Jan 20 15:53:26 2025 daemon.notice openvpn(test)[4901]: TCP/UDP: Preserving recently used remote address: [AF_INET]178.128.209.238:33627
Mon Jan 20 15:53:26 2025 daemon.notice openvpn(test)[4901]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Mon Jan 20 15:53:26 2025 daemon.notice openvpn(test)[4901]: Attempting to establish TCP connection with [AF_INET]178.128.209.238:33627
Mon Jan 20 15:53:26 2025 daemon.notice openvpn(test)[4901]: TCP connection established with [AF_INET]178.128.209.238:33627
Mon Jan 20 15:53:26 2025 daemon.notice openvpn(test)[4901]: TCPv4_CLIENT link local: (not bound)
Mon Jan 20 15:53:26 2025 daemon.notice openvpn(test)[4901]: TCPv4_CLIENT link remote: [AF_INET]178.128.209.238:33627
root@OpenWrt:~#

I have used another file for username and password and mentioned it in the config.

Looks very connected to me ?
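
The log lines posted in this thread, run through a small triage filter. This is an added example, not part of any post above; the finding names are made up here, and it relies on OpenVPN's standard `Initialization Sequence Completed` message to tell an established TCP socket from a working tunnel.

```shell
#!/bin/sh
# Added example: triage OpenVPN client syslog text from stdin, one finding per line.
triage_openvpn_log() {
    awk '
    # Reply to the proxy CONNECT: OpenVPN continues only on status 200.
    /HTTP proxy returned: / && match($0, /HTTP\/[0-9.]+ [0-9][0-9][0-9]/) {
        code = substr($0, RSTART + RLENGTH - 3, 3)
        if (code != "200" && !seen["proxy" code]++) {
            if (code ~ /^3/)        { print "PROXY_REDIRECT_" code }
            else if (code == "407") { print "PROXY_AUTH_REQUIRED" }
            else                    { print "PROXY_REJECTED_" code }
        }
    }
    /Compression for receiving enabled/   && !seen["comp"]++   { print "COMPRESSION_ENABLED" }
    /--cipher is not set/                 && !seen["cipher"]++ { print "CIPHER_NOT_SET" }
    /--script-security setting may allow/ && !seen["script"]++ { print "SCRIPT_SECURITY_PERMISSIVE" }
    /TCP connection established with/   { tcp = 1 }
    /Initialization Sequence Completed/ { up = 1 }
    /process restarting/                { restarts++ }
    END {
        # A TCP connect alone is not a tunnel: TLS and option push come after it.
        if (tcp && !up) print "TCP_UP_TUNNEL_NOT_CONFIRMED"
        if (restarts)   print "RESTARTS_" restarts
    }'
}

# Lines quoted from the first post (attempt through the HTTP proxy).
sample_proxy_log() {
    cat <<'EOF'
Mon Jan 20 12:55:40 2025 daemon.warn openvpn(test)[8278]: WARNING: Compression for receiving enabled...
Mon Jan 20 12:55:41 2025 daemon.notice openvpn(test)[8278]: HTTP proxy returned: 'HTTP/1.0 302 Moved Temporarily'
Mon Jan 20 12:55:41 2025 daemon.err openvpn(test)[8278]: HTTP proxy returned bad status
Mon Jan 20 12:55:41 2025 daemon.notice openvpn(test)[8278]: SIGUSR1[soft,HTTP proxy error] received, process restarting
EOF
}

# Lines abridged from the later post (proxy options removed).
sample_direct_log() {
    cat <<'EOF'
Mon Jan 20 15:53:26 2025 daemon.warn openvpn(test)[4901]: WARNING: Compression for receiving enabled.
Mon Jan 20 15:53:26 2025 daemon.notice openvpn(test)[4901]: Note: --cipher is not set.
Mon Jan 20 15:53:26 2025 daemon.warn openvpn(test)[4901]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jan 20 15:53:26 2025 daemon.notice openvpn(test)[4901]: TCP connection established with [AF_INET]178.128.209.238:33627
EOF
}

echo "proxy attempt:";  sample_proxy_log  | triage_openvpn_log
echo "direct attempt:"; sample_direct_log | triage_openvpn_log
```

On the router, `logread -e openvpn | triage_openvpn_log` feeds it the live log instead of the embedded samples.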
