I live at a college at the University of Queensland, where we have pretty restrictive internet access. Data can be unrestricted, charged at 15c/MB (AUD), or go through an HTTP proxy at a much cheaper rate.

In order to get around this, I put my traffic through an HTTP proxy through a VPN to a remote host. There are a few things you should be aware of before you do this:

  • You’ll need software to tunnel the VPN through the proxy.
  • The VPN software must run at Layer 4, using a TCP connection. As such, PPTP is unsuitable, as is IPSec.
  • You’ll need to fiddle with the static routes on your computer to ensure DNS/Proxy goes through your normal default route, while all other traffic goes through the VPN.
  • Set up NAT on the remote host so you can access remote sites through it.

The Solution – Selection of Tools

In order to tunnel the VPN, I used HTTP Tunnel. This software has both a Windows and Unix client/server, and will allow you to tunnel arbitrary connections through an HTTP proxy, with support for proxy HTTP authentication.

OpenVPN is an Open Source VPN solution, with both Windows/Linux clients/servers. It has the ability to work through a single TCP connection, allowing us to tunnel it through the proxy.

Update: OpenVPN can now perform tunnelling through the HTTP proxy for you. The relevant config lines for OpenVPN you should look at are:

port 443
proto tcp-client
http-proxy proxyserver 8080
http-proxy-option AGENT Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-GB;+rv:1.7.6)+Gecko/20050226+Firefox/1.0.1

The Solution – On the Server

Ensure Universal TUN support is built into the kernel.

Install OpenVPN.

Run OpenVPN, first instantiating a daemon without encryption. Once you get this working, work your way up to using RSA encryption, or stick with a static key.

Assuming you will use the IP addresses for the server, and for the client on the VPN, this command will open an OpenVPN daemon instance:

openvpn --proto tcp-server --port 5000 --dev tun1 --ifconfig --verb 8

Run HTTP tunnel on the server (using the “hts” daemon), to listen on a port, and forward it to the VPN daemon (by default this should be I used port 81, as the proxy will allow connections to port 79, 80, 81, etc.

The command to do this looks like:

hts -F localhost:5000 81

The Solution – On the Client

Run HTTP tunnel on the client (using the “htc” client), to listen on a port, and forward it to the hts daemon on the server.

htc -P proxyhost:proxyport -A "username:password" -F 5000 htshost:htsport

Install OpenVPN.

Run OpenVPN, first instantiating a client without encryption to the htc process. Assuming you will use the IP addresses for the server, and for the client on the VPN, this command will open an OpenVPN client instance:

openvpn --proto tcp-client --dev tun1 --ifconfig --verb 8 --remote

The Solution – Testing VPN Connection

With some luck, when you ping the server from the client over the VPN, we should get data flow:


If you get a reply, you should now look into using encryption for the VPN.

Routing and NAT

There are many HOWTOs available for setting up NAT. As such, it isn’t covered here.
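
The client-side static routes from the list of things to be aware of (proxy and DNS via the normal default route, everything else via the VPN), shown for a Linux client as an added example that is not part of the original post. The function names and all addresses are assumptions (constructed, documentation-range values), tun1 is the device used in the commands above, and the script only prints the `ip route` commands rather than running them.

```shell
#!/bin/sh
# Added example: prints the routes for the split described in this post.
# Constructed usage (addresses are placeholders):
#   plan_routes 192.0.2.1 10.8.0.1 192.0.2.10 192.0.2.53

# is_ipv4 ADDR -> succeeds only for a dotted-quad IPv4 address
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])$'
}

# plan_routes GATEWAY VPN_PEER PINNED...
#   GATEWAY  : existing default gateway on the local network
#   VPN_PEER : the server's address inside the tunnel (far end of tun1)
#   PINNED   : proxy and DNS addresses that must stay off the VPN
plan_routes() {
    [ $# -ge 3 ] || { echo "usage: plan_routes GATEWAY VPN_PEER PINNED..." >&2; return 2; }
    gw=$1; peer=$2; shift 2
    for a in "$gw" "$peer" "$@"; do
        is_ipv4 "$a" || { echo "not an IPv4 address: $a" >&2; return 1; }
    done
    # Host routes first: the proxy carries the tunnel itself, so if it were
    # routed into the VPN the htc/OpenVPN TCP connection would loop and stall.
    seen=" "
    for host in "$@"; do
        case "$seen" in *" $host "*) continue ;; esac  # proxy may also be the DNS server
        seen="$seen$host "
        echo "ip route add $host/32 via $gw"
    done
    # Two /1 routes are more specific than 0.0.0.0/0, so they take over
    # without deleting the original default route (the same idea as
    # OpenVPN's "redirect-gateway def1").
    echo "ip route add 0.0.0.0/1 via $peer dev tun1"
    echo "ip route add 128.0.0.0/1 via $peer dev tun1"
}
```

Review the printed commands, then run them as root once the VPN ping test succeeds; removing the two /1 routes restores the original default path.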

Other Problems


  • routing tables are set up correctly,
  • the hts process is running on the server,
  • the server is listening on both the hts port and OpenVPN port,
  • you have correctly entered in proxy authentication details for htc.