3

I'm trying to get around a very restrictive firewall that blocks everything besides ports 80 and 443 and apparently even does DPI to block VPNs. For that matter I'm trying to obfuscate OpenVPN traffic using obfsproxy. Here's my setup:

Server

obfsproxy obfs2 --dest=127.0.0.1:16080 --shared-secret=[secret] server 0.0.0.0:3389 running.

lsof -i :3389 shows

COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
obfsproxy 1341 root    3u  IPv4  14396      0t0  TCP *:3389 (LISTEN)

OpenVPN Server is running on TCP 16080, Access Server console is accessible and everything looks ok.

Client

Edit: obfsproxy is the python version obtained through pip.

sudo obfsproxy obfs2 --shared-secret=[secret] socks 127.0.0.1:443 running in a terminal window in OSX 10.9.5.

Trying to connect using 'Tunnelblick' with the following client.ovpn:

setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
pull
remote [Server-IP] 3389 tcp
route [Server-IP] 255.255.255.255 net_gateway
socks-proxy-retry
socks-proxy 127.0.0.1 443
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-user-pass
comp-lzo no
verb 3
setenv PUSH_PEER_INFO

# Certs...

The Problem

Tunnelblick keeps trying to connect and the obfsproxy shell on the client side keeps printing the following line during that time: 2015-01-30 15:52:42,508 [ERROR] Invalid SOCKS command: '3'. So, at least on Client side the obfsproxy seems to be found by Tunnelblick, but that's as far as I come with this. How can I solve this or at least get more debugging information?

Update

The obfsproxy client also prints 2015-01-30 15:39:36,431 [ERROR] Invalid SOCKS version: '71' on the first line after startup. This seems to be created in the following python script: http://pydoc.net/Python/obfsproxy/0.2.7/obfsproxy.network.socks5/. Obfsproxy seems to require Socks5. I'm trying to figure out how to get my VPN client to talk Socks5, so far I can't find any more info on how to force a version.

Update 2

Viscosity client has a bit more log output, it prints recv_socks_reply: Socks proxy returned bad reply. It also doesn't lead to the invalid version error in obfsproxy, however it still can't connect, obfsproxy prints invalid socks command 3. Also, I've tried with an older obfsproxy binary that's bundled with torbrowser OSX distribution (2.4.6 alpha 2), which I assume is not the python version. Same behaviour in Viscosity, proxy returned bad reply.

Michel Müller
  • 5,535
  • 3
  • 31
  • 49
  • Try to install obfsproxy via PIP, it contains what appears to be a socks5 support – Noam Rathaus Feb 25 '15 at 16:07
  • Thanks. I'll look into it again once I get some time - that might take a bit though. – Michel Müller Feb 25 '15 at 23:06
  • BTW: Just because obfsproxy under PIP supports SOCKS5, it doesn't mean it works with OpenVPN :( – Noam Rathaus Feb 26 '15 at 05:45
  • Oh, I can just see now by reading my question again: > Client > Edit: obfsproxy is the python version obtained through pip. -> i.e. the pip version doesn't solve my problem. It's rather the communication between client and obfsproxy I think - socks doesn't seem to be all that standardized. – Michel Müller Feb 26 '15 at 05:53

2 Answers2

0

What version of OpenVPN are you using? I had to grab the latest version (2.3.6) to get this patch before I could get the ab9il.net example working. Instructions on how to get the latest version can be found here.

shafools
  • 157
  • 1
  • 2
  • 10
0

I had that "For Invalid SOCKS command: '3'" problem. Using wireshark, I saw that "command 3" was a UdpConnect, and indeed, my config for OpenVPN was udp, which is recommended, but not supported by obfsproxy. I can see you have tcp on your Tunnelbrick conf. Maybe tunnelbrick does not support TCP ? Or for my OpenVPN version (2.3.6), I need to have "proto tcp-client" line, maybe it changed ?

I also had " Invalid SOCKS version xx" problems. socket version is the first byte send on a socks server. Someone probably try to connect your client using the wrong protocole.

Using wireshark on Mac, you could probably see what's going on in your case.

FredG
  • 712
  • 7
  • 10