Proxpn and other VPNs in Iran

Back in the free world I purchased a lifetime-package of proXPN and tested it quite successfully under Linux.

Now I'm in Iran and everything fails. We seem to use ITC as our ISP, which is the governmental provider and probably blocks any connections from "not certified" sources.

The Android App of proXPN fails to load with the message

Can't register device token. Please make sure you have an internet connection and try again

A friend of mine has an iPhone and uses the app OpenDoor which is seemingly not available under Android. Using this method works for him. I just got the OpenVPN Connect - but it refuses the config-files of ProXPN.

As there is no official Linux package for proXPN I'm using the ProXPN OpenVPN Bash Client.

But I can't use the nm-applet's VPN configuration for proxpn, due to the error:

unknown PPTP file extension

Also openvpn itself doesn't want to "eat" my file:

qohelet@Iran:/usr/local/bin$ sudo openvpn --config proxpn.ovpn 
Options error: --nobind doesn't make sense unless used with --remote

The file itself looks like:

# Conf from ProXPN Mac OS X 4.0.2 package contents
# Modified and commented where appropriate and necessary.

dev tun
proto tcp

# Default configuration is to keep trying forever, we bail after 30 seconds
resolv-retry 30

cipher BF-CBC
keysize 512

verb 4
mute 5
tun-mtu 1500
mssfix 1450

# Added in the shell script as a flag so configuration can be specified

reneg-sec 0

# Prevent man in the middle spying by other clients
# this is an addition which is not present in ProXPN's conf file
remote-cert-tls server

# Comment out this chunk since our script is Linux only
# and these configuration options are here to primarly deal
# with the built-in Windows firewall
;route-method exe
;route-delay 1
;route-metric 512

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failure
;http-proxy [proxy server] [proxy port #]

# Root CA cert provided by ProXPN
#The key...

# Cert provided by ProXPN, all clients have the same cert.
# While at first this seems problematic, it may be beneficial
# because makes it difficult to identify any individual user
# based only on their cert. This would not be the case if all
# clients had unique certs.

#And here follow keys and certificates...

I'm now unsure what exactly causes the inability to connect. Could it be the protocol? The IPs of proXPN aren't blocked as I can see from pinging. I could reach all of those: http://downgoat.net/proxpn-openvpn-on-linux-configuration.html

Using the openVPN bash client gives me the following output:

qohelet@Iran:~$ sudo proxpn

Welcome to the ProXPN OpenVPN Bash Client!

No credentials file found at /etc/proxpn/login.conf, you will be prompted by OpenVPN to login to ProXPN

Which exit node would you like to use?
1) Chicago    5) Dallas    9) NYC      13) Miami
2) Sweden     6) BASIC    10) Stockholm    14) SanJose
3) Netherlands    7) London   11) Prague
4) Singapore      8) LA       12) Seattle
Select an exit node:1
/usr/sbin/openvpn --config /etc/proxpn/proxpn.ovpn --remote chi1.proxpn.com 443 --auth-user-pass  --auth-nocache

Mon Nov 16 19:47:48 2015 us=371638 Current Parameter Settings:
Mon Nov 16 19:47:48 2015 us=371831   config = '/etc/proxpn/proxpn.ovpn'
Mon Nov 16 19:47:48 2015 us=371872   mode = 0
Mon Nov 16 19:47:48 2015 us=371906   persist_config = DISABLED
Mon Nov 16 19:47:48 2015 us=371939   persist_mode = 1
Mon Nov 16 19:47:48 2015 us=371969 NOTE: --mute triggered...
Mon Nov 16 19:47:48 2015 us=372014 270 variation(s) on previous 5 message(s) suppressed by --mute
Mon Nov 16 19:47:48 2015 us=372050 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Enter Auth Username:mymail@gmail.com
Enter Auth Password:
Mon Nov 16 19:48:01 2015 us=840598 LZO compression initialized
Mon Nov 16 19:48:01 2015 us=840880 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Nov 16 19:48:01 2015 us=841014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Nov 16 19:48:01 2015 us=901436 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Nov 16 19:48:01 2015 us=901629 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 512,key-method 2,tls-client'
Mon Nov 16 19:48:01 2015 us=901743 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 512,key-method 2,tls-server'
Mon Nov 16 19:48:01 2015 us=901880 Local Options hash (VER=V4): '729fc673'
Mon Nov 16 19:48:01 2015 us=902116 Expected Remote Options hash (VER=V4): 'ce7b442d'
Mon Nov 16 19:48:01 2015 us=902287 Attempting to establish TCP connection with [AF_INET] [nonblock]
Mon Nov 16 19:48:11 2015 us=904720 TCP: connect to [AF_INET] failed, will try again in 5 seconds: Connection timed out
Mon Nov 16 19:48:26 2015 us=957119 TCP: connect to [AF_INET] failed, will try again in 5 seconds: Connection timed out
Mon Nov 16 19:48:41 2015 us=981127 TCP: connect to [AF_INET] failed, will try again in 5 seconds: Connection timed out
Mon Nov 16 19:48:57 2015 us=4394 TCP: connect to [AF_INET] failed, will try again in 5 seconds: Connection timed out
Mon Nov 16 19:49:12 2015 us=30729 TCP: connect to [AF_INET] failed, will try again in 5 seconds: Connection timed out
Mon Nov 16 19:49:27 2015 us=58663 NOTE: --mute triggered...

I'm running low on ideas now. Is there a way of using proXPN as a proxy server in Firefox? Trying it once by simply using the IP and my login details failed without any result at all.

I'd be glad if any of you has an idea...

Using the configuration file with a GUI

If you look at the proxpn script, you will see that the command issued is:

openvpn --config $OPENVPN_CONF \
  --remote $remote $PORT \
  --auth-nocache \
  --auth-user-pass $AUTH_CREDS

If you want to feed the OpenVPN config file to some other tool (like a GUI or a mobile client), you might need to add that extra information somewhere in the config file:

remote $remote 443
auth-user-pass $password

You need to replace the variables with the suitable values. Pick one of the exit nodes from proxpn.


You should however be aware that:

  • OpenVPN may use port TCP 443 and may use TLS but it is not running on top of TLS/TCP! What this means is that your traffic will be recognisable as OpenVPN traffic. It will not look like standard TLS (HTTP/TLS, etc.) traffic.

  • If you use the DNS name of the server in the configuration file, your machine will do a DNS lookup for foo.proxpn.com outside of the VPN (in cleartext) in order to get the IP address of the remote VPN server. People looking at your DNS traffic will be able to know that you are using a VPN.

  • Even if you use the IP address in the configuration file, it will be quite easy to find that this IP address is providing a (well-known) VPN service.

  • You might want to use a kill-switch in order to avoid leaking information if your VPN tunnel goes down.

Using a VPN hides and protects what you are doing in the VPN but usually the fact that you are using a VPN is not hidden. Some people in your country might not like the fact that you're trying to circumvent their restrictions.

Update: Lying DNS

As @dave_thompson_085 pointed out, the IP address you're getting is bogus. This is because Iran is lying (censoring) in many DNS queries.

From France:

$ dig A chi1.proxpn.com
chi1.proxpn.com.    14400   IN  A

Using a DNS server in Iran:

$ dig A chi1.proxpn.com @
chi1.proxpn.com.    889 IN  A

Many (but not all) of the DNS servers from this list are giving the same bogus answer.

The article Internet Censorship in Iran: A First Look explains that this IP address (in fact in the article) is serving a page explaining:

"Access to the requested website is not possible. For complaints click here."


Under this system, any web request to a blocked site is redirected to a web page owned by the censor, located at the address (see Figure 1). This address, first established in March 2010 [2], is within private network address space as described by RFC 1918 [32] and is only accessible from inside Iran’s national network.

Another reference: Current State of Internet Censorship in Iran
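A small check a user in this situation can run before handing a hostname to OpenVPN, added here as an example and not part of the answer above or of ProXPN's tooling: it parses dig-style A records from a trusted resolver and from the local one, and flags any local answer that falls in RFC 1918 private space (or another range that cannot be a public VPN server), which is exactly the symptom the lying-DNS update describes. The dig output and the addresses in it are constructed for the example; the real addresses were stripped from the page.

```python
"""Detect 'lying DNS' answers for a VPN endpoint before connecting.

Example code only (not from the original post or from ProXPN).
The two dig-style outputs below are constructed: 8.8.8.8 stands in
for a public address, 10.10.10.10 stands in for the censor's
RFC 1918 address. Neither is ProXPN's real endpoint.
"""
import ipaddress
import re
import socket

# Constructed sample: what a trusted resolver (outside the country) returns.
TRUSTED_DIG = """chi1.proxpn.com.    14400   IN  A   8.8.8.8
"""
# Constructed sample: what a censoring resolver returns (private-space answer).
LOCAL_DIG = """chi1.proxpn.com.    889 IN  A   10.10.10.10
"""

# Ranges that can never be a reachable public VPN server.
# RFC 1918 space is the case described in the answer; the others are
# loopback, link-local, "this network" and their IPv6 equivalents.
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

_A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)\s*$")


def parse_a_records(dig_output):
    """Return (name, ttl, ip) tuples for each A record in dig-style text."""
    records = []
    for line in dig_output.splitlines():
        m = _A_RECORD.match(line.strip())
        if m:
            records.append((m.group(1).rstrip("."), int(m.group(2)), m.group(3)))
    return records


def is_bogus_answer(ip_text):
    """True if the answer is unparseable or lies in a non-public range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in BOGUS_NETS if net.version == ip.version)


def compare_resolvers(trusted_output, local_output):
    """Compare answers from a trusted and a local resolver.

    Returns the two answer sets, the local answers that are bogus on their
    own, and whether the resolvers agree. Disagreement plus a private-space
    local answer is the signature of DNS-based blocking.
    """
    trusted = {ip for _, _, ip in parse_a_records(trusted_output)}
    local = {ip for _, _, ip in parse_a_records(local_output)}
    return {
        "trusted": trusted,
        "local": local,
        "bogus_local": {ip for ip in local if is_bogus_answer(ip)},
        "agree": trusted == local and not any(is_bogus_answer(ip) for ip in local),
    }


def resolve_and_check(hostname):
    """Resolve with the system resolver and flag private-space answers.

    Uses the network; not exercised by the offline sample data above.
    """
    answers = {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    return {ip: is_bogus_answer(ip) for ip in answers}


if __name__ == "__main__":
    report = compare_resolvers(TRUSTED_DIG, LOCAL_DIG)
    print("trusted answers :", sorted(report["trusted"]))
    print("local answers   :", sorted(report["local"]))
    print("bogus local     :", sorted(report["bogus_local"]))
    print("resolvers agree :", report["agree"])
```

Run it as-is to see the constructed mismatch; to test a real endpoint, call `resolve_and_check("chi1.proxpn.com")` and compare with the answer from a resolver you trust. A bogus result means OpenVPN would be handed the censor's address, which explains the repeated "Connection timed out" lines in the question, and no change to the .ovpn file will fix that.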

