I have an OpenVPN server successfully set up on a DigitalOcean droplet following this amazing tutorial: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04

Then I also made an HTTP proxy server using Squid on a different droplet.

When I try to connect to my VPN server, I get 503 Service Unavailable in the client's logs. Also, when I try to curl my VPN server, I get the same result:

`curl -I -x myproxy.com:80 http://myvpn.com:1194` or `curl -I -x myproxy.com:80 http://myvpn.com`

I turned off ufw on my OpenVPN server; still the same results.

Where should I fix this? My OpenVPN server? My OpenVPN server's iptables? My Squid proxy conf?

Please help.

OpenVPN server config.

server.conf

```
port 1194
proto udp            # server listens on UDP only; client.conf below uses proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
```

client.conf

```
client
dev tun
proto tcp                 # an HTTP proxy can only tunnel TCP, so this must match the server
remote rl.rltech.xyz 1194 # domain I attached to my vpn server
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
http-proxy proxy.rltech.xyz 80 # domain I attached my proxy server (squid proxy running on port 80)
http-proxy-retry
http-proxy-timeout 5
http-proxy-option CUSTOM-HEADER Host www.googlevideo.com
http-proxy-option CUSTOM-HEADER X-Forwarded-For www.googlevideo.com
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3
;mute 20
; script-security 2
; up /etc/openvpn/update-resolv-conf
; down /etc/openvpn/update-resolv-conf
; script-security 2
; up /etc/openvpn/update-systemd-resolved
; down /etc/openvpn/update-systemd-resolved
; down-pre
; dhcp-option DOMAIN-ROUTE .
<ca>
-----BEGIN CERTIFICATE-----
cert here ..
-----END CERTIFICATE-----
</ca>
```

iptables.sh (the only rules on my VPN server)

```
#!/bin/bash
# Only UDP/1194 is explicitly accepted; there is no equivalent rule for TCP/1194
# (the INPUT policy is ACCEPT, so nothing is dropped either way).
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT
```

`iptables -L` output:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:openvpn
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
```

Proxy server

squid.conf

```
acl SSL_ports port 1194         # OpenVPN (CONNECT to this port is allowed)
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 1194        # OpenVPN
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
dns_nameservers 1.1.1.1 1.0.0.1
http_access allow all           # no source restriction: any host on the internet can use this proxy
http_port 80
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320
```

2 Answers


According to the documentation here, you must use TCP with the `http-proxy` directive, so try to set `proto tcp` in both the server and client config.

– demathos
  • Just added that code on my existing squid.conf file sir, still the same results. – rodentskie Oct 13 '20 at 09:15
  • According to the documentation here [link](https://openvpn.net/community-resources/connecting-to-an-openvpn-server-via-an-http-proxy/) you must use TCP with the `http-proxy` directive so try to set `proto tcp` in both server and client config – demathos Oct 13 '20 at 16:48
  • Thanks sir, your comment solved the issue. – rodentskie Oct 14 '20 at 02:28
  • You're welcome. I edited my previous answer so please mark it as accepted and delete your answer to clarify. – demathos Oct 14 '20 at 08:54
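To see concretely why the answer's UDP/TCP point produces a 503, here is a small diagnostic added by the editor (not code from either poster). It sends the same `CONNECT host:port` request that OpenVPN's `http-proxy` directive sends through Squid and classifies the reply: a 200 means a TCP listener answered on the target port, a 403/407 means Squid's ACLs refused the request, and a 503 means Squid accepted it but its own TCP connect to the target failed, which is exactly what an OpenVPN server bound with `proto udp` causes. The hostnames and ports are assumed from the question, and the sample responses are constructed.

```python
import socket

# Constructed sample replies (not captured from the poster's Squid) used to exercise classify().
SAMPLE_ESTABLISHED = b"HTTP/1.1 200 Connection established\r\n\r\n"
SAMPLE_UNAVAILABLE = b"HTTP/1.1 503 Service Unavailable\r\nServer: squid\r\n\r\n"


def build_connect(host, port, extra_headers=()):
    """Build the CONNECT request an OpenVPN client sends when http-proxy is configured.
    extra_headers mirrors `http-proxy-option CUSTOM-HEADER name value` in client.conf."""
    lines = ["CONNECT %s:%d HTTP/1.1" % (host, port), "Host: %s:%d" % (host, port)]
    lines.extend("%s: %s" % (name, value) for name, value in extra_headers)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def classify(response):
    """Return (status, explanation) saying whether the proxy or the upstream refused."""
    status_line = response.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return 0, "not an HTTP status line: is this really the proxy port?"
    code = int(parts[1])
    if code == 200:
        return code, "tunnel established: a TCP listener answered on the target port"
    if code in (403, 407):
        return code, "proxy denied CONNECT (check http_access / SSL_ports in squid.conf)"
    if code in (502, 503, 504):
        # Squid accepted the request but could not complete a TCP handshake with the
        # target. A server listening only on UDP/1194 never answers TCP/1194.
        return code, "proxy could not open a TCP connection to the target port"
    return code, "unexpected proxy status"


def check_connect(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Live check: open the tunnel the way the OpenVPN client would and classify the reply."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect(target_host, target_port))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify(data)


if __name__ == "__main__":
    # Hostnames and ports assumed from the question; run from a host that can reach the proxy.
    print(check_connect("proxy.rltech.xyz", 80, "rl.rltech.xyz", 1194))
```

Running it before the fix should report 503 for TCP/1194; after the server is also started with `proto tcp` on 1194 it should report 200.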

As per @demathos, I deployed another instance of the OpenVPN server. Now running are:

  • openvpn@server - 1194/udp
  • openvpn@server1 - 1194/tcp

`netstat -tulpn`:

```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      733/sshd
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      24288/openvpn
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      616/systemd-resolve
tcp6       0      0 :::22                   :::*                    LISTEN      733/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      20175/(squid-1)
udp        0      0 127.0.0.53:53           0.0.0.0:*                           616/systemd-resolve
udp        0      0 0.0.0.0:33916           0.0.0.0:*                           20175/(squid-1)
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           19762/openvpn
udp6       0      0 :::33573                :::*                                20175/(squid-1)
```