== Setting up an NTLM Proxy for testing NTLM authentication support in OpenVPN

Since NTLM is a proprietary authentication protocol only available on Windows, it is not trivial to set up a test environment for the NTLM authentication against HTTP proxy servers that is included in OpenVPN. This document describes one way that worked and proved useful. It is heavily based on a [https://stackoverflow.com/a/48238953/10681123 Stack Overflow answer].

=== Installing Apache httpd

There is an [https://github.com/TQsoft-GmbH/mod_authn_ntlm NTLM auth mod] for Apache httpd, and Apache httpd can act as an HTTP proxy. This provides a good starting point. The mod only works on Windows machines since it relies on the system's support for NTLM and can't provide the authentication on its own.

There are multiple pre-compiled distributions of Apache httpd available for Windows, but [https://www.apachehaus.com/cgi-bin/download.plx?z ApacheHaus] was the only one I found that also provided a pre-compiled version of mod_authn_ntlm, so I used that.

Installation is just extracting the archives and following the READMEs. You might need to add a Windows firewall rule to allow access to the port you want Apache to listen on.

=== Configuring Apache httpd

The following configuration worked for me (only showing the parts specific to the proxy):

{{{
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ntlm_module modules/mod_authn_ntlm.so

ProxyVia On
ProxyRequests On
AllowCONNECT 51194

# The auth directives are only valid inside a container;
# <Proxy "*"> applies them to every proxied request.
<Proxy "*">
    AuthName "Private location"
    AuthType SSPI
    NTLMAuth On
    NTLMAuthoritative On
    # Accept any authenticated user except the anonymous logon.
    <RequireAll>
        Require valid-user
        <RequireNone>
            Require user "ANONYMOUS LOGON"
        </RequireNone>
    </RequireAll>
</Proxy>
}}}

Note the use of `AllowCONNECT`: it is needed when connecting to OpenVPN servers that do not listen on port 443 (port 51194 in this example).
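To confirm that a test run really went through the NTLM handshake, and which response version the client sent, the values of the `Proxy-Authenticate` and `Proxy-Authorization` headers seen in a capture can be decoded. The Python helper below is an added example, not part of the original setup or of OpenVPN; its function names and the sample messages are constructed for illustration, and the field offsets follow the published NTLM message layout.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
MIN_LEN = {1: 16, 2: 32, 3: 64}  # fixed-size part of each message type

def _field(msg, off):
    """Return the bytes a security buffer (len, maxlen, offset) points at."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    return msg[start:start + length]

def parse_ntlm_header(value):
    """Decode a Proxy-Authenticate / Proxy-Authorization header value."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        raise ValueError("not an NTLM header carrying a message")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype not in NAMES or len(msg) < MIN_LEN[mtype]:
        raise ValueError("unknown or truncated NTLM message")
    info = {"type": NAMES[mtype]}
    if mtype == 2:
        info["challenge"] = msg[24:32].hex()  # 8-byte server challenge
    elif mtype == 3:
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & 0x1 else "ascii"  # NEGOTIATE_UNICODE
        info["user"] = _field(msg, 36).decode(enc, "replace")
        # An NTLMv1 response is exactly 24 bytes; an NTLMv2 response is longer.
        info["version"] = "NTLMv2" if len(_field(msg, 20)) > 24 else "NTLMv1"
    return info

# Constructed sample messages (not captured traffic).
def _sb(length, offset):
    return struct.pack("<HHI", length, length, offset)

def _hdr(msg):
    return "NTLM " + base64.b64encode(msg).decode()

SAMPLE_T1 = _hdr(SIGNATURE + struct.pack("<II", 1, 0x201))
SAMPLE_T2 = _hdr(SIGNATURE + struct.pack("<I", 2) + _sb(0, 32)
                 + struct.pack("<I", 0x201) + bytes.fromhex("0123456789abcdef"))
SAMPLE_T3 = _hdr(SIGNATURE + struct.pack("<I", 3) + _sb(0, 64) + _sb(40, 76)
                 + _sb(0, 64) + _sb(12, 64) + _sb(0, 64) + _sb(0, 64)
                 + struct.pack("<I", 0x1) + "tester".encode("utf-16-le") + bytes(40))

if __name__ == "__main__":
    for header in (SAMPLE_T1, SAMPLE_T2, SAMPLE_T3):
        print(parse_ntlm_header(header))
```

A bare `NTLM` value without a message, as sent in the proxy's first 407 response, is rejected with `ValueError`, so only the three handshake messages are reported.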