The OpenVPN client config file has a socks-proxy rule which allows connecting to a SOCKS proxy before connecting to a VPN. I installed the Dante SOCKS proxy, but it looks like it does not support SSL/TLS, so credentials will be sent in clear text and someone on the same local network could do a man-in-the-middle attack by sniffing the network and seeing the credentials (https://security.stackexchange.com/questions/183146/are-socks5-credentials-safe-during-authentication-on-proxy-server).

Isn't it possible to add SSL/TLS support to Dante SOCKS proxy like it can be done with an FTP server?

If it is not possible officially, I think we need to use stunnel to create an SSL/TLS tunnel. But since the VPN only allows connections through UDP, I think we also need to use udptunnel (https://manpages.ubuntu.com/manpages/xenial/man1/udptunnel.1.html) because stunnel and SSL/TLS only work with TCP (https://www.stunnel.org/faq.html).

Here is my Dante SOCKS proxy configuration file /etc/sockd.conf on my VPS Linux server:

internal: venet0:0 port = 8088
external: venet0:0
socksmethod: username #none #rfc931
clientmethod: none
user.privileged: root
user.notprivileged: nobody
user.libwrap: nobody
client pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect disconnect error
}
socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        protocol: tcp udp
}

After starting the Dante SOCKS proxy (sockd), I start udptunnel on the same server, which should connect to the proxy:

udptunnel -s 8080 127.0.0.1:8088

Then I start stunnel on the same server, which should connect to udptunnel, with this configuration file /etc/stunnel/stunnel.conf:

client = no
[udptunnel]
accept = 8888
connect = 127.0.0.1:8080
cert = /etc/stunnel/stunnel.pem

And then I connect using OpenVPN on my computer, with this rule in the client config file:

socks-proxy PROXY_IP_ADDRESS 8888 stdin

However, I did not get it working. I can only connect to the proxy and VPN if I am sending the proxy credentials in clear text, which is not secure. Currently, if I want to connect securely from a different IP address to a VPN, I have to connect from another VPN before connecting to the VPN, which works great, but I would be interested to know if it is possible using a SOCKS proxy with SSL/TLS.

baptx
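An added example (not the poster's configuration) of an stunnel-only chain: OpenVPN's socks-proxy option speaks plain SOCKS5 to whatever address it is given, so the TLS tunnel needs a client-side stunnel endpoint as well as the server-side one, and the server side can hand the decrypted stream straight to Dante's TCP listener, with no udptunnel in between. It keeps the post's ports (8088 for sockd, 8888 for stunnel) and uses placeholders for the CA file and the server certificate hostname.

```ini
; --- server side (the VPS running sockd), /etc/stunnel/stunnel.conf ---
; Terminates TLS on 8888 and forwards the plain SOCKS5 stream to Dante's
; TCP listener on 8088. The SOCKS5 handshake that carries the username and
; password is always a TCP connection, so nothing needs to be turned into UDP.
client = no
[socks-tls]
accept  = 8888
connect = 127.0.0.1:8088
cert    = /etc/stunnel/stunnel.pem

; --- client side (the computer running OpenVPN), stunnel.conf ---
; Accepts plain SOCKS5 from OpenVPN on localhost only and wraps it in TLS
; towards the VPS. Certificate verification is what prevents an on-path host
; from terminating the tunnel itself; without it, TLS only hides the
; credentials from passive sniffing.
client = yes
[socks-tls]
accept  = 127.0.0.1:1080
connect = PROXY_IP_ADDRESS:8888
; placeholder: the CA that signed the server's stunnel.pem
CAfile      = /etc/stunnel/ca.pem
verifyChain = yes
; placeholder: the CN/SAN in the server certificate
checkHost   = proxy.example.com

; --- OpenVPN client config: point socks-proxy at the local stunnel ---
; socks-proxy 127.0.0.1 1080 stdin
```

This protects the TCP control connection, which is where the SOCKS5 username and password travel; with an OpenVPN UDP profile the relayed datagrams still go directly to the proxy's UDP relay port outside the tunnel (they are OpenVPN-encrypted), and Dante will see the control connection as coming from 127.0.0.1, which its UDP client checks may need to account for.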
