
Setting up an NTLM Proxy for testing NTLM authentication support in OpenVPN

Since NTLM is a proprietary authentication protocol only available on Windows, it is not trivial to set up a test environment for OpenVPN's support for NTLM authentication against HTTP proxy servers. This document describes one setup that worked and proved useful.

This is heavily based on a Stack Overflow answer.

Installing Apache httpd

There is an NTLM authentication module for Apache httpd, and Apache httpd can act as an HTTP proxy, so this provides a good starting point. The module only works on Windows machines because it relies on the system's support for NTLM and can't provide the authentication on its own. Multiple pre-compiled distributions of Apache httpd for Windows are available, but ApacheHaus was the only one I found that also provided a pre-compiled version of mod_authn_ntlm, so I used that. Installation is just extracting the archives and following the READMEs.

You might need to add a Windows firewall rule to allow access to the port you want Apache to listen on.

Configuring Apache httpd

The following configuration worked for me (only showing the parts specific to the proxy):

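LoadModule proxy_module modules/mod_proxy.so
# Implements the CONNECT method used to tunnel through the proxy
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ldap_module modules/mod_ldap.so
# NTLM authentication module (Windows only)
LoadModule auth_ntlm_module modules/mod_authn_ntlm.so

ProxyVia On
# Act as a forward proxy
ProxyRequests On
# Port that CONNECT requests may target
AllowCONNECT 51194

# Require NTLM authentication for every proxied request
<Proxy "*">
    AuthName "Private location"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    <RequireAll>
        <RequireAny>
            Require valid-user
        </RequireAny>
        # Do not accept anonymous logons as a valid user
        <RequireNone>
            Require user "ANONYMOUS LOGON"
        </RequireNone>
    </RequireAll>
</Proxy>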

Note the use of AllowCONNECT: it is needed when connecting to OpenVPN servers that do not listen on port 443, because the proxy only permits CONNECT requests to the ports this directive lists.
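Before pointing OpenVPN at the proxy, it is worth confirming that an unauthenticated CONNECT is actually refused with a 407 offering NTLM; a proxy that answers 200 would let the test pass without exercising NTLM at all. The following check is an added example, not part of the original wiki page or of OpenVPN; the target `vpn.example.test:51194` and the sample replies are constructed placeholders.

```python
import socket

def parse_proxy_reply(raw: bytes):
    """Return (status_code, [offered auth schemes]) from a proxy's raw HTTP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; the scheme is the first token of the value.
        if sep and name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0].upper())
    return int(parts[1]), schemes

def proxy_demands_ntlm(raw: bytes) -> bool:
    """True only if the proxy refused the request (407) and offered NTLM."""
    status, schemes = parse_proxy_reply(raw)
    return status == 407 and "NTLM" in schemes

def probe(proxy_host, proxy_port, target="vpn.example.test:51194", timeout=5.0):
    """Send a CONNECT without credentials to the proxy and parse its reply."""
    req = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode()
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(req)
        buf = b""
        while b"\r\n\r\n" not in buf and len(buf) < 65536:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_proxy_reply(buf)

# Constructed sample replies (not captured from a real proxy).
SAMPLE_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b"Proxy-Authenticate: NTLM\r\n"
              b"Content-Length: 0\r\n\r\n")
SAMPLE_200 = b"HTTP/1.1 200 Connection Established\r\n\r\n"

if __name__ == "__main__":
    print(parse_proxy_reply(SAMPLE_407))   # expected: refused, NTLM offered
    print(proxy_demands_ntlm(SAMPLE_200))  # tunnel opened without authentication
```

Against the live test proxy, call `probe("<proxy host>", <proxy port>)` and check that the result is a 407 whose scheme list contains `NTLM`.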

Last modified on 01/12/24 15:12:08