6

I would like to use a PPTP or OpenVPN as a SOCKS proxy; that way, instead of funneling all traffic from my PC through it, I would instead use that connection to create a SOCKS or HTTP proxy that I could use with any supported program.

How would I do this on both Linux and Windows (not at the same time of course)?

yudwizwe
  • 71
  • 1
  • 2
  • I don't think this makes any sense at all. VPN is not a socks Proxy and a socks proxy is not a VPN – barlop Mar 25 '18 at 18:40

4 Answers

4

Yes you can do this.

  1. You need to connect to the VPN without it taking over your whole network, but still have the VPN's interface useable. I've done that with OpenVPN, by adding lines to the config file:

    route-noexec         # Don't add or remove routes automatically
    
    script-security 2    # Allow user-defined scripts to be called
    down down.sh         # Run script called "down.sh" when connection goes down
    up up.sh             # Run script called "up.sh" when connection comes up
    
    • up.sh script

      #!/bin/sh
      
      # ifconfig_local and route_vpn_gateway are set by OpenVPN in the script's environment
      VPN_IP=$ifconfig_local
      VPN_GATEWAY=$route_vpn_gateway
      
      # Route packets from the VPN's IP address to the VPN's gateway
      ip rule  add from "$VPN_IP" table vpn
      ip route add default via "$VPN_GATEWAY" table vpn
      
      ip route flush cache
      
    • down.sh script

      #!/bin/sh
      
      # ifconfig_local and route_vpn_gateway are set by OpenVPN in the script's environment
      VPN_IP=$ifconfig_local
      VPN_GATEWAY=$route_vpn_gateway
      
      # Flush table and delete the rule
      ip route flush table vpn
      ip rule  del from "$VPN_IP" table vpn
      
      ip route flush cache
      
  2. For the scripts to work, you need to create a new routing table, called vpn, by issuing:
    echo 1 vpn >> /etc/iproute2/rt_tables
    • You have to do this only once. The scripts implement policy routing. Their purpose is to ensure any packets sent through the VPN tunnel are routed to the appropriate gateway address (i.e. the VPN's default route is correctly set up, but used only by programs that connect directly to the tunnel).
  3. Bring up the VPN connection by issuing: openvpn config-file.conf
    • Your computer will now have an extra interface you can use directly, called tun0. Some programs (qBittorrent for example) will allow you to specify the interface to connect to. Choosing tun0 ensures all of the program's network traffic uses the VPN.

To achieve the OP's requested goal, you can install the socks server called Dante.

  • Part of the configuration for Dante is to set the internal and external interfaces.
    • For the internal, and depending on from where you wish to connect, use either the loopback interface (i.e. lo) or your main network interface (i.e. eth0).
    • For the external, use tun0, ensuring all network traffic over socks is routed through the VPN.

Example openvpn.conf

    client
    dev tun0
    remote some-openvpn-server.somewhere.net 53     # Replace this by a real server url
    proto udp
    nobind
    persist-key
    persist-tun
    tls-auth Wdc.key 1
    ca ca.crt
    cipher AES-256-CBC
    comp-lzo
    verb 1
    mute 20
    float
    route-method exe
    route-delay 2
    route-noexec          # Stop the connection taking over the whole machine
    up up.sh              # Run the script called "up" when the connection comes up
    down down.sh          # Run the script called "down" when the connection goes down
    script-security 2     # Allow scripts to be called
    auth-user-pass me     # Use the login credentials from the file called "me"
    auth-retry interact
    explicit-exit-notify 2
    ifconfig-nowarn
    auth-nocache

Glidos
  • 141
  • 4
  • 1
    Please remove non-essential options from your config, only listing those that apply to what is trying to be done. If you'd like to list the whole config, it would be better to list it as an example at the bottom of the answer, with the essential options specified above within the answer – JW0914 Oct 27 '19 at 12:54
  • I see the importance of what you are requesting, but it will be very difficult to comply. I don't know which of those options are important. I have explained that it is only the commented options that I have chosen myself, and the others come from a file downloaded from the vpn provider. I altered as little as I could because I didn't know the status of the others. I could reword the surrounding text to try to make it more clear that all the other options may vary with use case. – Glidos Oct 27 '19 at 17:00
  • The [OpenVPN man page](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage) explains what each option does. – JW0914 Oct 28 '19 at 03:17
  • I'll see what I can do when I next have an opportunity to experiment with it. – Glidos Oct 28 '19 at 13:15
  • Definitely better, but I still want to fiddle. – Glidos Oct 30 '19 at 13:22
  • An off-topic FYI, as this occurs all too often, AES-256-CBC is wholly unnecessary since AES-128 will remain uncrackable for some time. If you're really concerned, simply change the rekey values to a lower time and data limit _(every 5min /100MB data, etc.)_ All one does by using AES-256 is massively slow throughput to a crawl for zero security gain (`openssl speed aes-128-cbc aes-256-cbc`) . You may also want to ask your VPN provider why they're not providing OpenVPN 2.4, which added support for EC ciphers _(they're more efficient)_, TLS-Crypt, and changed compression to LZ4. – JW0914 Oct 30 '19 at 13:34
  • I cannot thank you enough! I was looking for this and spending many hours looking for solutions. But this is the only native solution that actually works! (most other solutions come with container solutions which I don't like) – Bigjim Jan 01 '21 at 09:47
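
Added example, not part of Glidos's answer: a check that the rule and default route from `up.sh` are actually in place before a SOCKS server is bound to `tun0`, so a failed `up` script (for instance a missing `vpn` entry in `rt_tables`) is caught instead of going unnoticed. The function names, the `--live` switch and the 10.8.0.x addresses are assumptions made for this example; the table name `vpn` and device `tun0` come from the answer.

```sh
#!/bin/sh
# Added example: confirm the policy routing that up.sh should have installed.
# Table "vpn" and device "tun0" follow the answer; sample data is constructed.

# rule_present RULES VPN_IP TABLE
# RULES is the text of `ip rule show`. Fields are compared exactly, so a rule
# for 10.8.0.60 does not satisfy a check for 10.8.0.6.
rule_present() {
    printf '%s\n' "$1" | awk -v ip="$2" -v tbl="$3" '
        { f = 0; l = 0
          for (i = 1; i < NF; i++) {
              if ($i == "from"   && $(i + 1) == ip)  f = 1
              if ($i == "lookup" && $(i + 1) == tbl) l = 1
          }
          if (f && l) found = 1 }
        END { exit !found }'
}

# default_via_tunnel ROUTES DEV
# ROUTES is the text of `ip route show table vpn`.
default_via_tunnel() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == "default" { for (i = 2; i < NF; i++) { if ($i == "dev" && $(i + 1) == dev) ok = 1 } }
        END { exit !ok }'
}

# check_vpn_policy RULES ROUTES VPN_IP [DEV] [TABLE]
# Returns 0 if both pieces exist, 1 if the rule is missing, 2 if the route is.
check_vpn_policy() {
    dev=${4:-tun0}; tbl=${5:-vpn}
    rule_present "$1" "$3" "$tbl" || { echo "no rule: from $3 lookup $tbl" >&2; return 1; }
    default_via_tunnel "$2" "$dev" || { echo "table $tbl: no default via $dev" >&2; return 2; }
}

# Constructed sample output, in the format iproute2 prints.
SAMPLE_RULES='0: from all lookup local
32765: from 10.8.0.6 lookup vpn
32766: from all lookup main
32767: from all lookup default'
SAMPLE_ROUTES='default via 10.8.0.5 dev tun0'

# Live use: sh check.sh --live <VPN address>, e.g. before starting the SOCKS server.
if [ "${1:-}" = "--live" ]; then
    check_vpn_policy "$(ip rule show)" "$(ip route show table vpn)" "$2"
fi
```

A non-zero exit status can be used to refuse to start the proxy until the tunnel's routing is back.
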
1

For OpenVPN, there's a patch for ocproxy support, but it's outdated (for the 2.3.x branch). I've ported it to the recent 2.5, but this is a PoC (Windows not supported, yet). You can use it with ocproxy or tunsocks, which expose the VPN as a SOCKS/HTTP proxy.

FYI, there are similar projects for WireGuard: wghttp, wg-http-proxy, wireproxy, onetun

ValdikSS
  • 94
  • 1
  • 4
0

You'll need something like this: "OpenVPN, L2TP, or PPTP client that is a SOCKS5 server | linux". Maybe some container or virtual machine to act as a bridge: it'll have a PPTP interface and a SOCKS proxy server inside. You'll need to somehow address SOCKS traffic to the port configured for the service with any other tool you like (some port forwarding).

  • You linked a question without an answer. Did you mean https://stackoverflow.com/a/11749741/1333493 or what? – Nemo May 05 '18 at 22:07
  • I do realize that I linked a question without an answer. The purpose was to show the direction to dig further, because the initial question didn't make sense. As you have noticed, I further described what needs to be done to solve the task. Anyway, I've never done anything like that and unfortunately I have no instructions on how to do it, but with the directions I gave, those can be acquired from any Linux admin with some networking skills. So rephrasing the question and creating a new topic would be a good suggestion imho. – shoguevara May 14 '18 at 11:00
-2

You don't. It would be like using a hacksaw to undo a screw - they are not the correct tools for the job.

I'm not sure if you are aware, but ssh can be used as a SOCKS proxy, which could be appropriate.

Also, the encryption behind PPTP is totally broken and should not be used.

davidgo
  • 68,623
  • 13
  • 106
  • 163
  • 1
    -1 You wrote " would be like using a hacksaw to undo a screw " <-- Your analogy is totally wrong. Technically one could unscrew some screws with hacksaw, and hence your analogy is totally wrong. A Socks Proxy and a VPN are simply two different things, a VPN is not a socks proxy and a socks proxy is not a VPN. And neither of them is a job itself. They are both tools. So if you want to give an analogy, it'd be he's saying he wants to use an apple as an orange. – barlop Mar 25 '18 at 18:43
  • @barlop Downvoting because you don't like my choice of analogy? Not cool. BTW I think your analogy is worse - an apple can be used as an orange. I use VPNs as tools of my trade every day - I never said they were jobs. – davidgo Mar 25 '18 at 18:54
  • you wrote " an apple can be used as an orange" <-- what? how? And your analogy referred to a job (screwing a screw). Whereas his misunderstanding, primary misunderstanding even, was to say the thing he said in the first half of his first sentence, that I don't want to repeat as it is too nonsensical to bear repeating! – barlop Mar 25 '18 at 19:37