NeuroAgent

Why OpenVPN Blocks SOCKS Proxy 3proxy

Solution for SOCKS proxy 3proxy unavailability after console connection to OpenVPN in VirtualBox. Learn about routing and OpenVPN configuration.

Why does the SOCKS proxy 3proxy stop working on the same VirtualBox virtual machine after connecting to OpenVPN from the console?

Detailed problem description:

There are two VirtualBox virtual machines for testing:

  1. Ubuntu 18
  2. Alpine Linux

They are not connected to each other, and the issue occurs on both systems independently, indicating that the problem is not specific to a particular Linux distribution.

Settings:

  • OpenVPN configuration file (ovpn)
  • OpenVPN installed through package manager
  • SOCKS proxy 3proxy installed on the virtual machine with a simple configuration for testing
  • The required port is forwarded in VirtualBox to the host machine
  • SOCKS proxy is used by some programs on the host machine

Problem:

  • When connecting to OpenVPN through the GUI network manager in Ubuntu 18: internet works through OpenVPN, SOCKS proxy works, programs connected to the proxy go through OpenVPN (which is what’s required)
  • When connecting through the console with the command “openvpn 1.ovpn”: connection is successfully established, but SOCKS proxy becomes inaccessible from the host
  • When disconnecting OpenVPN, SOCKS proxy works again

Additional observations:

  • SOCKS proxy port is accessible (checked via telnet)
  • Internet does not go through the SOCKS proxy

1.ovpn configuration file:

```conf
nobind
client
auth-nocache

# Path to certificates here
ca "ca.crt"
cert "blabla.crt"
key "blabla.key"

remote-cert-tls server
dev tun
proto tcp

resolv-retry infinite
persist-key
persist-tun

# Block outside DNS servers
#
# COMMENT THIS LINE FOR
#   KEENETIC ROUTERS
#
setenv opt block-outside-dns

# OpenVPN 2.5 compatibility
setenv opt data-ciphers AES-128-GCM:AES-256-GCM

# Remote connections
remote-random
server-poll-timeout 15
connect-retry-max 20

remote blabla.com 23
remote blabla.com 43
remote blabla.com 49
remote blabla.com 53
remote blabla.com 123
remote blabla.com 161
remote blabla.com 179
remote blabla.com 465
remote blabla.com 587
remote blabla.com 993
remote blabla.com 995
remote blabla.com 1194
remote blabla.com 443
remote blabla.com 495
```

NeuroAgent

The problem occurs because when connecting to OpenVPN through the console, the routing table is modified, which blocks access to local services, including the SOCKS proxy 3proxy. Unlike GUI connections, the console version of OpenVPN automatically adds routes that direct all traffic through the VPN tunnel, including traffic to localhost, which makes the local SOCKS proxy inaccessible.

Main Cause of the Problem

The problem occurs when connecting to OpenVPN through the console using the openvpn 1.ovpn command, as the OpenVPN client automatically modifies the system routing table. This change includes adding default routes through the VPN tunnel, which redirect all traffic, including traffic to local services such as the SOCKS proxy 3proxy.

According to research, when connecting via console, OpenVPN typically executes the redirect-gateway command (or similar), which adds routes of type 0.0.0.0/1 and 128.0.0.0/1 through the tun0 interface. These routes capture all traffic, including connections to localhost:proxy_port.

In contrast, connection through a GUI network manager may use different routing settings or may not modify the routing table as aggressively, allowing access to local services to be maintained.

Differences Between GUI and Console Connections

Research shows that there are significant differences in OpenVPN behavior when connecting through a graphical interface versus through the console:

GUI connection:

  • Often uses more conservative routing settings
  • May not automatically apply redirect-gateway def1
  • Maintains access to local network services

Console connection:

  • Automatically adds routes through the VPN tunnel
  • Creates two routes, 0.0.0.0/1 and 128.0.0.0/1, through tun0
  • Fully redirects traffic through the VPN, including localhost

As noted in one source, “when using ‘def1’ (it’s the right thing to do), OpenVPN will install two routes, namely 128.0.0.0/1 and 0.0.0.0/1, and won’t touch the default gateway” [source 10].

Changes to the Routing Table

When connecting to OpenVPN through the console, the following changes occur in the routing table:

```bash
# Before connecting to OpenVPN
default via 192.168.1.1 dev eth0
127.0.0.0/8 dev lo scope host

# After console connection
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 10.8.0.1 dev tun0
127.0.0.0/8 dev lo scope host
```

These changes mean that:

  1. All traffic to IP addresses with the first octet 0-127 goes through 128.0.0.0/1
  2. All traffic to IP addresses with the first octet 128-255 goes through 0.0.0.0/1
  3. Both routes point to the VPN gateway 10.8.0.1

As a result, connections to localhost:port SOCKS proxy also attempt to go through the VPN tunnel, which makes the service inaccessible.

Solutions and Workarounds

1. Disable Gateway Redirection in the OpenVPN Configuration

Add the following lines to the 1.ovpn configuration file:

```conf
# Ignore a server-pushed full-tunnel redirect (OpenVPN 2.4 and later);
# the client keeps its own default route
pull-filter ignore "redirect-gateway"

# Alternative: keep the redirect, but in its /1-route form, and leave
# DHCP traffic on the local interface (this still sends all other
# traffic through the VPN)
# redirect-gateway def1 bypass-dhcp
```

2. Create a Custom Routing Table

Create a separate routing table for VPN and configure the rules accordingly:

```bash
# Add to your OpenVPN startup script.
# The table name "vpn" must be declared in /etc/iproute2/rt_tables
# (for example: "100 vpn") before it can be used by name.
ip route add default via 10.8.0.1 dev tun0 table vpn
# Consult the vpn table after the local table (pref 0), which keeps
# handling loopback and locally assigned addresses
ip rule add from all lookup vpn pref 10000
```

3. Use Split-Tunneling

Configure OpenVPN to route only specific networks through the VPN:

```conf
# Route only specific networks through VPN; without a gateway argument
# these routes use the VPN's route-gateway (the tun endpoint)
route 10.0.0.0 255.0.0.0
route 172.16.0.0 255.240.0.0
route 192.168.0.0 255.255.0.0
```
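To see which interface a given destination leaves by under the three routing tables discussed above (before the VPN, after redirect-gateway def1, and with split-tunnel routes only), here is an added example that is not part of the original post: it applies the kernel's longest-prefix-match rule to ip-route-style tables. The tables are constructed, with def1 leaving the original default route in place as the quoted source states.

```python
# Added example (not from the original post): a longest-prefix-match
# lookup over ip-route-style tables, to see which interface a destination
# leaves by under each routing table discussed above.
import ipaddress

def parse_routes(text):
    """Parse 'default via 10.8.0.1 dev tun0' / '0.0.0.0/1 via ... dev tun0'
    lines into (network, gateway-or-None, device) tuples."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        gw = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((ipaddress.ip_network(dst, strict=False), gw,
                       parts[parts.index("dev") + 1]))
    return routes

def lookup(routes, dst):
    """Return (gateway, device) of the most specific matching route."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else (best[1], best[2])

# Constructed tables mirroring the ones shown above. Loopback is written
# as the kernel reports it (127.0.0.0/8), and def1 leaves the original
# default route in place: it is shadowed by the two /1 routes, not replaced.
BEFORE = """
default via 192.168.1.1 dev eth0
127.0.0.0/8 dev lo
"""
AFTER_DEF1 = """
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
127.0.0.0/8 dev lo
"""
SPLIT_TUNNEL = """
10.0.0.0/8 via 10.8.0.1 dev tun0
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.0.0/16 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
127.0.0.0/8 dev lo
"""

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("def1", AFTER_DEF1), ("split", SPLIT_TUNNEL)):
        for ip in ("8.8.8.8", "200.1.1.1", "10.8.0.5", "127.0.0.1"):
            print(f"{name:6} {ip:10} -> {lookup(parse_routes(table), ip)}")
```

Run it and note that 127.0.0.1 resolves to lo in every table: the /8 loopback route is more specific than the two /1 routes, so a service bound to loopback is not itself captured by def1.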

4. Configure 3proxy to Work with VPN

Modify the 3proxy configuration to listen only on the loopback interface:

```conf
# In 3proxy config
nserver 8.8.8.8
nserver 8.8.4.4
nscache 65536
timeouts 1 5 30 60 180 1800 15 60

# Listen only on localhost (-i sets the internal/listening address;
# -a is not the listening-address option).
# Note: VirtualBox NAT port forwarding delivers to the guest's NAT
# address (10.0.2.15 by default), not to loopback, so a loopback-only
# listener is reachable only from inside the guest.
socks -p1080 -i127.0.0.1
```

Configuring OpenVPN to Maintain Access to Local Services

To solve the problem of accessing local services when connecting to OpenVPN through the console, the following configuration is recommended:

```conf
# Basic settings
nobind
client
auth-nocache

# Certificate paths
ca "ca.crt"
cert "blabla.crt"
key "blabla.key"
remote-cert-tls server
dev tun
proto tcp

# Reconnection settings
resolv-retry infinite
persist-key
persist-tun

# Important: disable blocking of external DNS
# (block-outside-dns only has an effect on Windows clients anyway)
# setenv opt block-outside-dns

# Compatibility with OpenVPN 2.5
setenv opt data-ciphers AES-128-GCM:AES-256-GCM

# Remote server settings
remote-random
server-poll-timeout 15
connect-retry-max 20

# Key change to maintain access to local services: ignore a server-pushed
# full-tunnel redirect (OpenVPN 2.4 and later)
pull-filter ignore "redirect-gateway"

# Or keep the redirect but in its /1-route form, leaving DHCP traffic local
# redirect-gateway def1 bypass-dhcp

# Or use split-tunneling instead of gateway redirection
# route 10.0.0.0 255.0.0.0
# route 172.16.0.0 255.240.0.0
# route 192.168.0.0 255.255.0.0

# Remote servers
remote blabla.com 23
remote blabla.com 43
# ... other remote directives
```

If you want to completely disable gateway redirection, use:

```conf
# OpenVPN has no "redirect-gateway no" flag (an unknown flag is a
# config error); to refuse a pushed redirect, filter it out instead
pull-filter ignore "redirect-gateway"
```

Conclusion

  • Main problem: Console connection to OpenVPN modifies the routing table, blocking access to local services such as SOCKS proxy
  • Key difference: GUI connection usually doesn’t modify routing as aggressively, maintaining access to localhost services
  • Solutions: Disable gateway redirection, use split-tunneling, configure separate routing tables, or modify 3proxy configuration
  • Recommendation: For testing environments, it’s better to use redirect-gateway no in the OpenVPN configuration for console connections to avoid issues with local services

The issue is that by default, when connecting via console, OpenVPN tries to route all traffic through the VPN tunnel, including traffic to local services. Proper configuration of OpenVPN solves this problem and maintains access to the SOCKS proxy 3proxy.

Sources

  1. OpenVPN routing table change - Super User
  2. How to stop openvpn from changing the routing table? - Reddit
  3. RoutedLans – OpenVPN Community Wiki
  4. Prevent the client routing table modification during OpenVPN connection - OpenVPN Forum
  5. How to push the routing table to the client? - OpenVPN Forum
  6. OpenVPN - Understand the routing table + How to route only the traffic to a specific ip via the VPN - Unix & Linux Stack Exchange
  7. iptables - Rerouting traffic from OpenVPN client for local-only access - Unix & Linux Stack Exchange
  8. How can we change the routes that are created by openvpn? - OpenVPN Forum
  9. problem setting up routing in openvpn - OpenVPN Forum
  10. Default routing behavior in OpenVPN - OpenVPN Forum