The OpenVPN client config file has a socks-proxy rule which allows connecting to a SOCKS proxy before connecting to a VPN.
I installed Dante SOCKS proxy but it looks like it does not support SSL/TLS so credentials will be sent in clear text and someone on the same local network could do a man-in-the-middle attack by sniffing the network and see the credentials (https://security.stackexchange.com/questions/183146/are-socks5-credentials-safe-during-authentication-on-proxy-server).
Isn't it possible to add SSL/TLS support to Dante SOCKS proxy like it can be done with an FTP server?
If it is not possible officially, I think we need to use stunnel to create an SSL/TLS tunnel. But since the VPN only allows connections through UDP, I think we also need to use udptunnel (https://manpages.ubuntu.com/manpages/xenial/man1/udptunnel.1.html) because stunnel and SSL/TLS only work with TCP (https://www.stunnel.org/faq.html).
Here is my Dante SOCKS proxy configuration file /etc/sockd.conf on my VPS Linux server:
internal: venet0:0 port = 8088
external: venet0:0
socksmethod: username #none #rfc931
clientmethod: none
user.privileged: root
user.notprivileged: nobody
user.libwrap: nobody
client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    log: connect disconnect error
}
socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
    protocol: tcp udp
}
After starting the sockd Dante SOCKS proxy, I start udptunnel on the same server, which should connect to the proxy:
udptunnel -s 8080 127.0.0.1:8088
Then I start stunnel on the same server, which should connect to udptunnel, with this configuration file /etc/stunnel/stunnel.conf:
client = no
[udptunnel]
accept = 8888
connect = 127.0.0.1:8080
cert = /etc/stunnel/stunnel.pem
And then I connect using OpenVPN on my computer, with this rule in the client config file:
socks-proxy PROXY_IP_ADDRESS 8888 stdin
However, I did not get it working. I can only connect to the proxy and VPN if I am sending proxy credentials in clear text, which is not secure. Currently, if I want to connect securely from a different IP address to a VPN, I have to connect from another VPN before connecting to the VPN, which works great, but I would be interested to know if it is possible using a SOCKS proxy with SSL/TLS.
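Added example, not part of the original question: a Python sketch of the SOCKS5 username/password exchange (RFC 1928 greeting followed by the RFC 1929 sub-negotiation) showing that the fields cross the wire as length-prefixed plaintext, which is why a TLS wrapper in front of the proxy port matters. The function names and the sample credentials are constructed for illustration, and the parser assumes the proxy selects the username method, as `socksmethod: username` does in the configuration above.

```python
SOCKS5_VERSION = 0x05        # RFC 1928
METHOD_USERPASS = 0x02       # RFC 1928 method id for username/password
AUTH_SUBNEG_VERSION = 0x01   # RFC 1929

def build_client_stream(username: str, password: str) -> bytes:
    """Bytes a SOCKS5 client sends up to and including RFC 1929 auth."""
    u, p = username.encode(), password.encode()
    if not (1 <= len(u) <= 255 and 1 <= len(p) <= 255):
        raise ValueError("RFC 1929 limits each field to 1..255 bytes")
    greeting = bytes([SOCKS5_VERSION, 1, METHOD_USERPASS])
    auth = bytes([AUTH_SUBNEG_VERSION, len(u)]) + u + bytes([len(p)]) + p
    return greeting + auth

def parse_client_stream(data: bytes) -> dict:
    """Decode greeting + auth from the client-to-proxy byte stream."""
    if len(data) < 2 or data[0] != SOCKS5_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = data[1]
    methods = list(data[2:2 + nmethods])
    if len(methods) != nmethods:
        raise ValueError("truncated method list")
    rest = data[2 + nmethods:]
    if METHOD_USERPASS not in methods:
        # Client never offered username/password, so nothing to decode.
        return {"methods": methods, "username": None, "password": None}
    if len(rest) < 2 or rest[0] != AUTH_SUBNEG_VERSION:
        raise ValueError("missing or malformed RFC 1929 request")
    ulen = rest[1]
    if len(rest) < 3 + ulen:          # need UNAME plus the PLEN byte
        raise ValueError("truncated username")
    uname = rest[2:2 + ulen]
    plen = rest[2 + ulen]
    passwd = rest[3 + ulen:3 + ulen + plen]
    if len(passwd) != plen:
        raise ValueError("truncated password")
    # No encryption or hashing is applied: the fields decode directly.
    return {"methods": methods,
            "username": uname.decode(), "password": passwd.decode()}

# Constructed sample with placeholder credentials (not from the page).
SAMPLE = build_client_stream("vpnuser", "example-password")

if __name__ == "__main__":
    print(SAMPLE.hex(" "))
    print(parse_client_stream(SAMPLE))
```
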