Instantly share code, notes, and snippets.

Embed
What would you like to do?
Opera VPN behind the curtains is just a proxy, here's how it works

When setting up (that's immediately when user enables it in settings) Opera VPN sends few API requests to https://api.surfeasy.com to obtain credentials and proxy IPs, see below, also see The Oprah Proxy.

The browser then talks to a proxy de0.opera-proxy.net (when VPN location is set to Germany), it's IP address can only be resolved from within Opera when VPN is on, it's 185.108.219.42 (or similar, see below). It's an HTTP/S proxy which requires auth.

When loading a page with Opera VPN enabled, the browser sends a lot of requests to de0.opera-proxy.net with Proxy-Authorization request header.

The Proxy-Authorization header decoded: CC68FE24C34B5B2414FB1DC116342EADA7D5C46B:9B9BE3FAE674A33D1820315F4CC94372926C8210B6AEC0B662EC7CAD611D86A3 (that's sha1(device_id):device_password, where device_id and device_password come from the POST /v2/register_device API call, please note that this decoded header is from another Opera installation and thus contains different device_id and device_password than what is shown below)

These creds can be used with the de0.opera-proxy.net even when connecting from a different machine, it's just an HTTP proxy anyway.

When you use the proxy on a different machine (with no Opera installed), you'll get the same IP as when using Opera's VPN, of course.

This Opera "VPN" is just a preconfigured HTTP/S proxy protecting just the traffic between Opera and the proxy, nothing else. It's not a VPN.

They even call it Secure proxy (besides calling it VPN, sure) in Opera settings.

The API calls are:

  1. https://api.surfeasy.com/v2/register_subscriber
  2. https://api.surfeasy.com/v2/register_device
  3. https://api.surfeasy.com/v2/geo_list
  4. https://api.surfeasy.com/v2/discover

"Everybody gets a proxy" logo

I have automated the API calls and have built The Oprah Proxy, a simple Python script which will fetch the credentials for you. It will also list available locations and proxies.

POST /v2/register_subscriber HTTP/1.1
Host: api.surfeasy.com
Connection: keep-alive
Content-Length: 114
Accept: application/json
SE-Client-Type: se0304
SE-Client-API-Key: 3690AC1CE5B39E6DC67D9C2B46D3C79923C43F05527D4FFADCC860740E9E2B25
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2687.0 Safari/537.36 OPR/38.0.2205.0 (Edition developer)
Accept-Encoding: gzip, deflate, lzma
email=9CDFC88A-F4C7-42F2-90EC-8CFC90C11387%40se0304.surfeasy.vpn&password=90C72B97B498ED2377D107611640726F6165610C
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sun, 24 Apr 2016 01:02:06 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Status: 200 OK
X-UA-Compatible: IE=Edge,chrome=1
ETag: "43f3d56b6d9f5a5f571592b807546469"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: subscriber_credentials=635d20f66976263af72af312f690a55e796d184f6589871ffafcd173b28fcab472e5f9082dc3e1972d8177fc71451fb6275b8c84af46a3c6b0d7bb6ebe6c3d57%3A%3A; domain=.surfeasy.com; path=/; secure; HttpOnly
Set-Cookie: api_session=BAhJIgGvZXlKcFpDSTZNVEkyT0RFeE5qQXNJbTltSWpvM056YzJNREF3TENKMGF5STZJalkxWkRZeFlXVmpOV1ppCk5UTmhOVFZpTURObU5tSmpORFZrT1dGa05ESTBPV0V6TWpoaE9HRTBOVEptTXpVME16TmpaRGN5WXpNdwpZakl5TVRNM05Ea2lMQ0owYlNJNklqSXdNVFl0TURjdE1qTlVNREU2TURJNk1EWmFJbjA9CgY6BkVG--11e3897571b24700b24190f1a89bce317cfdc6bf; domain=.surfeasy.com; path=/; expires=Sat, 23-Jul-2016 01:02:06 GMT; HttpOnly
Set-Cookie: _proxy_manager_session31=BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiJWZlOThjYjUzNTU2ODk4NTUzMzFjZjM4NWFjNjE0YWY0BjsAVEkiG3N1YnNjcmliZXJfY3JlZGVudGlhbHMGOwBGSSIBgDYzNWQyMGY2Njk3NjI2M2FmNzJhZjMxMmY2OTBhNTVlNzk2ZDE4NGY2NTg5ODcxZmZhZmNkMTczYjI4ZmNhYjQ3MmU1ZjkwODJkYzNlMTk3MmQ4MTc3ZmM3MTQ1MWZiNjI3NWI4Yzg0YWY0NmEzYzZiMGQ3YmI2ZWJlNmMzZDU3BjsAVA%3D%3D--217a0409bf7bd1c348c06378c41c9369e0cf99bb; domain=.surfeasy.com; path=/; secure; HttpOnly
X-Request-Id: 136be2daeba044ee3ad2241ccaa4e28c
X-Runtime: 0.482677
X-Rack-Cache: invalidate, pass
{
"return_code" : {
"0" : "OK"
},
"data" : {}
}
POST /v2/register_device HTTP/1.1
Host: api.surfeasy.com
Connection: keep-alive
Content-Length: 104
Accept: application/json
SE-Client-Type: se0304
SE-Client-API-Key: 3690AC1CE5B39E6DC67D9C2B46D3C79923C43F05527D4FFADCC860740E9E2B25
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2687.0 Safari/537.36 OPR/38.0.2205.0 (Edition developer)
Accept-Encoding: gzip, deflate, lzma
Cookie: subscriber_credentials=635d20f66976263af72af312f690a55e796d184f6589871ffafcd173b28fcab472e5f9082dc3e1972d8177fc71451fb6275b8c84af46a3c6b0d7bb6ebe6c3d57%3A%3A; api_session=BAhJIgGvZXlKcFpDSTZNVEkyT0RFeE5qQXNJbTltSWpvM056YzJNREF3TENKMGF5STZJalkxWkRZeFlXVmpOV1ppCk5UTmhOVFZpTURObU5tSmpORFZrT1dGa05ESTBPV0V6TWpoaE9HRTBOVEptTXpVME16TmpaRGN5WXpNdwpZakl5TVRNM05Ea2lMQ0owYlNJNklqSXdNVFl0TURjdE1qTlVNREU2TURJNk1EWmFJbjA9CgY6BkVG--11e3897571b24700b24190f1a89bce317cfdc6bf; _proxy_manager_session31=BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiJWZlOThjYjUzNTU2ODk4NTUzMzFjZjM4NWFjNjE0YWY0BjsAVEkiG3N1YnNjcmliZXJfY3JlZGVudGlhbHMGOwBGSSIBgDYzNWQyMGY2Njk3NjI2M2FmNzJhZjMxMmY2OTBhNTVlNzk2ZDE4NGY2NTg5ODcxZmZhZmNkMTczYjI4ZmNhYjQ3MmU1ZjkwODJkYzNlMTk3MmQ4MTc3ZmM3MTQ1MWZiNjI3NWI4Yzg0YWY0NmEzYzZiMGQ3YmI2ZWJlNmMzZDU3BjsAVA%3D%3D--217a0409bf7bd1c348c06378c41c9369e0cf99bb
client_type=se0304&device_hash=4BE7D6F1BD040DE45A371FD831167BC108554111&device_name=Opera-Browser-Client
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sun, 24 Apr 2016 01:02:06 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Status: 200 OK
X-UA-Compatible: IE=Edge,chrome=1
ETag: "41d8e81a485d8c28d98a5a62b08aff2e"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: api_session=BAhJIgGvZXlKcFpDSTZNVEkyT0RFeE5qQXNJbTltSWpvM056YzJNREF3TENKMGF5STZJalkxWkRZeFlXVmpOV1ppCk5UTmhOVFZpTURObU5tSmpORFZrT1dGa05ESTBPV0V6TWpoaE9HRTBOVEptTXpVME16TmpaRGN5WXpNdwpZakl5TVRNM05Ea2lMQ0owYlNJNklqSXdNVFl0TURjdE1qTlVNREU2TURJNk1EWmFJbjA9CgY6BkVG--11e3897571b24700b24190f1a89bce317cfdc6bf; domain=.surfeasy.com; path=/; expires=Sat, 23-Jul-2016 01:02:06 GMT; HttpOnly
X-Request-Id: dfa01c93650d7bd47c2e6b64b7b46222
X-Runtime: 0.293166
X-Rack-Cache: invalidate, pass
{
"return_code" : {
"0" : "OK"
},
"data" : {
"device_id" : "se0304-b7327fdf8ba42c3d5f698e1",
"device_password" : "7A64DDCDBDDA78B0FE2B556445E9FBD9CDD96DC01F384013175B0BD172923938",
"client_type" : "se0304"
}
}
POST /v2/geo_list HTTP/1.1
Host: api.surfeasy.com
Connection: keep-alive
Content-Length: 50
Accept: application/json
SE-Client-Type: se0304
SE-Client-API-Key: 3690AC1CE5B39E6DC67D9C2B46D3C79923C43F05527D4FFADCC860740E9E2B25
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2687.0 Safari/537.36 OPR/38.0.2205.0 (Edition developer)
Accept-Encoding: gzip, deflate, lzma
Cookie: subscriber_credentials=635d20f66976263af72af312f690a55e796d184f6589871ffafcd173b28fcab472e5f9082dc3e1972d8177fc71451fb6275b8c84af46a3c6b0d7bb6ebe6c3d57%3A%3A; _proxy_manager_session31=BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiJWZlOThjYjUzNTU2ODk4NTUzMzFjZjM4NWFjNjE0YWY0BjsAVEkiG3N1YnNjcmliZXJfY3JlZGVudGlhbHMGOwBGSSIBgDYzNWQyMGY2Njk3NjI2M2FmNzJhZjMxMmY2OTBhNTVlNzk2ZDE4NGY2NTg5ODcxZmZhZmNkMTczYjI4ZmNhYjQ3MmU1ZjkwODJkYzNlMTk3MmQ4MTc3ZmM3MTQ1MWZiNjI3NWI4Yzg0YWY0NmEzYzZiMGQ3YmI2ZWJlNmMzZDU3BjsAVA%3D%3D--217a0409bf7bd1c348c06378c41c9369e0cf99bb; api_session=BAhJIgGvZXlKcFpDSTZNVEkyT0RFeE5qQXNJbTltSWpvM056YzJNREF3TENKMGF5STZJalkxWkRZeFlXVmpOV1ppCk5UTmhOVFZpTURObU5tSmpORFZrT1dGa05ESTBPV0V6TWpoaE9HRTBOVEptTXpVME16TmpaRGN5WXpNdwpZakl5TVRNM05Ea2lMQ0owYlNJNklqSXdNVFl0TURjdE1qTlVNREU2TURJNk1EWmFJbjA9CgY6BkVG--11e3897571b24700b24190f1a89bce317cfdc6bf
device_id=6033E218A93734258100C090BE247C416DAD03B6
HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Sun, 24 Apr 2016 01:02:06 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Status: 200 OK
X-UA-Compatible: IE=Edge,chrome=1
ETag: "238ae61eb6ad5f2c85642ef254d7790c"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: eb9fde2ffd6714263b96d987e369bf66
X-Runtime: 0.057996
X-Rack-Cache: invalidate, pass
{
"data" : {
"locale" : "en",
"geos" : [
{
"country_code" : "CA",
"country" : "Canada",
"lat" : 43.6667,
"lng" : -79.4167
},
{
"lng" : 8.682,
"lat" : 50.11,
"country_code" : "DE",
"country" : "Germany"
},
{
"country_code" : "US",
"country" : "United States",
"lng" : -74.006,
"lat" : 40.7145
}
]
},
"return_code" : {
"0" : "OK"
}
}
POST /v2/discover HTTP/1.1
Host: api.surfeasy.com
Connection: keep-alive
Content-Length: 50
Accept: application/json
SE-Client-Type: se0304
SE-Client-API-Key: 3690AC1CE5B39E6DC67D9C2B46D3C79923C43F05527D4FFADCC860740E9E2B25
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2687.0 Safari/537.36 OPR/38.0.2205.0 (Edition developer)
Accept-Encoding: gzip, deflate, lzma
Cookie: subscriber_credentials=635d20f66976263af72af312f690a55e796d184f6589871ffafcd173b28fcab472e5f9082dc3e1972d8177fc71451fb6275b8c84af46a3c6b0d7bb6ebe6c3d57%3A%3A; _proxy_manager_session31=BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiJWZlOThjYjUzNTU2ODk4NTUzMzFjZjM4NWFjNjE0YWY0BjsAVEkiG3N1YnNjcmliZXJfY3JlZGVudGlhbHMGOwBGSSIBgDYzNWQyMGY2Njk3NjI2M2FmNzJhZjMxMmY2OTBhNTVlNzk2ZDE4NGY2NTg5ODcxZmZhZmNkMTczYjI4ZmNhYjQ3MmU1ZjkwODJkYzNlMTk3MmQ4MTc3ZmM3MTQ1MWZiNjI3NWI4Yzg0YWY0NmEzYzZiMGQ3YmI2ZWJlNmMzZDU3BjsAVA%3D%3D--217a0409bf7bd1c348c06378c41c9369e0cf99bb; api_session=BAhJIgGvZXlKcFpDSTZNVEkyT0RFeE5qQXNJbTltSWpvM056YzJNREF3TENKMGF5STZJalkxWkRZeFlXVmpOV1ppCk5UTmhOVFZpTURObU5tSmpORFZrT1dGa05ESTBPV0V6TWpoaE9HRTBOVEptTXpVME16TmpaRGN5WXpNdwpZakl5TVRNM05Ea2lMQ0owYlNJNklqSXdNVFl0TURjdE1qTlVNREU2TURJNk1EWmFJbjA9CgY6BkVG--11e3897571b24700b24190f1a89bce317cfdc6bf
serial_no=6033E218A93734258100C090BE247C416DAD03B6&requested_geo=%22DE%22
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sun, 24 Apr 2016 01:02:07 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Status: 200 OK
X-UA-Compatible: IE=Edge,chrome=1
ETag: "7ee0cb88bd334f002fdac08ca1879451"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: cd83f3a8974e8997cdcfb265085d3d05
X-Runtime: 0.843848
X-Rack-Cache: invalidate, pass
{
"return_code" : {
"0" : "OK"
},
"data" : {
"current_time" : 1461459727,
"ips" : [
{
"ports" : [
443
],
"ip" : "85.195.94.82",
"geo" : {
"country_code" : "DE",
"state_code" : "5"
},
"expiry_time" : 1462669327
},
{
"expiry_time" : 1462669327,
"ip" : "185.108.219.5",
"geo" : {
"country_code" : "DE",
"state_code" : "2"
},
"ports" : [
80
]
},
{
"ip" : "85.195.110.36",
"geo" : {
"country_code" : "DE",
"state_code" : "5"
},
"ports" : [
8181
],
"expiry_time" : 1462669327
},
{
"expiry_time" : 1462669327,
"ports" : [
22
],
"ip" : "185.108.219.44",
"geo" : {
"country_code" : "DE",
"state_code" : "2"
}
},
{
"expiry_time" : 1462669327,
"ip" : "185.108.219.10",
"geo" : {
"country_code" : "DE",
"state_code" : "2"
},
"ports" : [
443
]
},
{
"ip" : "85.195.110.35",
"geo" : {
"state_code" : "5",
"country_code" : "DE"
},
"ports" : [
80
],
"expiry_time" : 1462669327
},
{
"expiry_time" : 1462669327,
"geo" : {
"state_code" : "2",
"country_code" : "DE"
},
"ip" : "185.108.219.12",
"ports" : [
8181
]
},
{
"expiry_time" : 1462669327,
"ports" : [
22
],
"geo" : {
"state_code" : "5",
"country_code" : "DE"
},
"ip" : "139.59.136.236"
},
{
"expiry_time" : 1462669327,
"ports" : [
443
],
"ip" : "185.108.219.45",
"geo" : {
"country_code" : "DE",
"state_code" : "2"
}
}
],
"requester_geo" : {
"country_code" : "CZ",
"state_code" : "87"
}
}
}
@AntiDiesel

This comment has been minimized.

Show comment
Hide comment
@AntiDiesel

AntiDiesel commented Apr 22, 2016

Thanks

@Tsutsukakushi

This comment has been minimized.

Show comment
Hide comment
@Tsutsukakushi

Tsutsukakushi Apr 22, 2016

I don't see why you'd even expect it to be a real VPN when those have nothing to do with web browsers.

Tsutsukakushi commented Apr 22, 2016

I don't see why you'd even expect it to be a real VPN when those have nothing to do with web browsers.

@PriceChild

This comment has been minimized.

Show comment
Hide comment
@two-dogs

This comment has been minimized.

Show comment
Hide comment
@two-dogs

two-dogs Apr 23, 2016

vpn or proxy, i tested it, call it what you will, it worked for me, unless someone finds something insecure about the connection and i mean in the general sense, as in 'they are sending my traffic to china for a review' , then i got no complaints, lets see how long this is a free service, so far i am pleased, free secure proxy/vpn is good, bravo opera.

System: Host: linux-s4s1 Kernel: 4.5.0-3-default x86_64 (64 bit gcc: 5.3.1)
Desktop: Cinnamon 2.8.8 (Gtk 3.20.3) Distro: openSUSE Tumbleweed (20160417) <-- thats linux, not windows or mac, the link is wrong :)

two-dogs commented Apr 23, 2016

vpn or proxy, i tested it, call it what you will, it worked for me, unless someone finds something insecure about the connection and i mean in the general sense, as in 'they are sending my traffic to china for a review' , then i got no complaints, lets see how long this is a free service, so far i am pleased, free secure proxy/vpn is good, bravo opera.

System: Host: linux-s4s1 Kernel: 4.5.0-3-default x86_64 (64 bit gcc: 5.3.1)
Desktop: Cinnamon 2.8.8 (Gtk 3.20.3) Distro: openSUSE Tumbleweed (20160417) <-- thats linux, not windows or mac, the link is wrong :)

@two-dogs

This comment has been minimized.

Show comment
Hide comment
@two-dogs

two-dogs Apr 23, 2016

System: Host: linux-s4s1 Kernel: 4.5.0-3-default x86_64 (64 bit gcc: 5.3.1)
Desktop: Cinnamon 2.8.8 (Gtk 3.20.3) Distro: openSUSE Tumbleweed (20160417)

the combination of opera-turbo enable and vpn enabled breaks vpn, tested on http://whatismyipaddress.com/

two-dogs commented Apr 23, 2016

System: Host: linux-s4s1 Kernel: 4.5.0-3-default x86_64 (64 bit gcc: 5.3.1)
Desktop: Cinnamon 2.8.8 (Gtk 3.20.3) Distro: openSUSE Tumbleweed (20160417)

the combination of opera-turbo enable and vpn enabled breaks vpn, tested on http://whatismyipaddress.com/

@bwat47

This comment has been minimized.

Show comment
Hide comment
@bwat47

bwat47 Apr 23, 2016

It seemed pretty obvious to me that a vpn integrated in a browser wouldn't effect other applications.... (and semantics issues when it comes to referring to it as a vpn vs a proxy aside, I don't think Opera ever claimed that it would work for anything other than browser connections)... doesn't seem much different from the vpn browser extensions out there

bwat47 commented Apr 23, 2016

It seemed pretty obvious to me that a vpn integrated in a browser wouldn't effect other applications.... (and semantics issues when it comes to referring to it as a vpn vs a proxy aside, I don't think Opera ever claimed that it would work for anything other than browser connections)... doesn't seem much different from the vpn browser extensions out there

@berdario

This comment has been minimized.

Show comment
Hide comment
@berdario

berdario Apr 23, 2016

I think they added a bit of polish/magic compared to what you'd get in a plain https proxy that you could setup yourself, since when visiting an HTTPS page it'll show the certificate information from the site that you're visiting, and not the one from the actual machine you're connecting to (the proxy).

Similarly (unlike poorly setup proxies like Lenovo's Superfish) it also prevents connection to sites with invalid certificates.

berdario commented Apr 23, 2016

I think they added a bit of polish/magic compared to what you'd get in a plain https proxy that you could setup yourself, since when visiting an HTTPS page it'll show the certificate information from the site that you're visiting, and not the one from the actual machine you're connecting to (the proxy).

Similarly (unlike poorly setup proxies like Lenovo's Superfish) it also prevents connection to sites with invalid certificates.

@yuwentw

This comment has been minimized.

Show comment
Hide comment
@yuwentw

yuwentw Apr 24, 2016

What is the post data to register_subscriber?

yuwentw commented Apr 24, 2016

What is the post data to register_subscriber?

@yemenifree

This comment has been minimized.

Show comment
Hide comment
@yemenifree

yemenifree Apr 24, 2016

service don't work anymore in Saudi Arabia ^^

yemenifree commented Apr 24, 2016

service don't work anymore in Saudi Arabia ^^

@cweiske

This comment has been minimized.

Show comment
Hide comment
@cweiske

cweiske Apr 24, 2016

A VPN would also tunnel DNS requests, which a simple HTTP proxy does not. So you're still leaking information.

cweiske commented Apr 24, 2016

A VPN would also tunnel DNS requests, which a simple HTTP proxy does not. So you're still leaking information.

@beshrkayali

This comment has been minimized.

Show comment
Hide comment
@beshrkayali

beshrkayali Apr 24, 2016

For some reason I can't get Opera's falsely adversities VPN. Can someone check if, as @cweiske noted, dns does indeed leak through it with something like: dnsleaktest.com. It'd be a major issue since they're also advertising anonymity.

beshrkayali commented Apr 24, 2016

For some reason I can't get Opera's falsely adversities VPN. Can someone check if, as @cweiske noted, dns does indeed leak through it with something like: dnsleaktest.com. It'd be a major issue since they're also advertising anonymity.

@spaze

This comment has been minimized.

Show comment
Hide comment
@spaze

spaze Apr 24, 2016

@yuwentw I've noticed that I missed the post payload, sorry, will add it soon. I'm working on a script to get the creds.

Owner

spaze commented Apr 24, 2016

@yuwentw I've noticed that I missed the post payload, sorry, will add it soon. I'm working on a script to get the creds.

@spaze

This comment has been minimized.

Show comment
Hide comment
@spaze

spaze Apr 24, 2016

@cweiske @beshrkayali Hostnames are resolved remotely, when using Opera's "VPN", DNS requests do not leak. Checked with dnsleaktest.com and also looking at the packets. Opera's currently leaking IP through WebRTC and plugins and they are open about it, see update at the bottom of https://www.helpnetsecurity.com/2016/04/22/opera-browser-vpn-proxy/

Owner

spaze commented Apr 24, 2016

@cweiske @beshrkayali Hostnames are resolved remotely, when using Opera's "VPN", DNS requests do not leak. Checked with dnsleaktest.com and also looking at the packets. Opera's currently leaking IP through WebRTC and plugins and they are open about it, see update at the bottom of https://www.helpnetsecurity.com/2016/04/22/opera-browser-vpn-proxy/

@spaze

This comment has been minimized.

Show comment
Hide comment
@spaze

spaze Apr 24, 2016

@yuwentw Hi, I've added post data to the API calls and also built The Oprah Proxy, a simple Python script which will do all the calls and fetch the data for you.

Owner

spaze commented Apr 24, 2016

@yuwentw Hi, I've added post data to the API calls and also built The Oprah Proxy, a simple Python script which will do all the calls and fetch the data for you.

@yuwentw

This comment has been minimized.

Show comment
Hide comment
@yuwentw

yuwentw Apr 24, 2016

@spaze Using your example command but change the URI to "http://ifconfig.no/all.json" . It will be asked for authentication from proxy. Any idea?

yuwentw commented Apr 24, 2016

@spaze Using your example command but change the URI to "http://ifconfig.no/all.json" . It will be asked for authentication from proxy. Any idea?

@spaze

This comment has been minimized.

Show comment
Hide comment
@spaze

spaze Apr 25, 2016

@yuwentw Oh, sorry, I forgot to put Basicin the Proxy-Authorization header. Should work now, sorry for that and thanks! Let me know if it's ok.

Owner

spaze commented Apr 25, 2016

@yuwentw Oh, sorry, I forgot to put Basicin the Proxy-Authorization header. Should work now, sorry for that and thanks! Let me know if it's ok.

@ghost

This comment has been minimized.

Show comment
Hide comment
@ghost

ghost Apr 26, 2016

@spaze This is bullshit. Opera cannot call this a VPN. They need to get their terms right. Thanks for the research.

ghost commented Apr 26, 2016

@spaze This is bullshit. Opera cannot call this a VPN. They need to get their terms right. Thanks for the research.

@merlineus

This comment has been minimized.

Show comment
Hide comment
@merlineus

merlineus May 2, 2016

@spaze what encryption type Opera using for tunneling traffic to it's proxy? And is it possible to use encryption with your method?

merlineus commented May 2, 2016

@spaze what encryption type Opera using for tunneling traffic to it's proxy? And is it possible to use encryption with your method?

@spaze

This comment has been minimized.

Show comment
Hide comment
@spaze

spaze May 3, 2016

@merlineus It uses TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA cipher suite. You can see all supported cipher suites at this Qualys SSL Labs Server Test report

Opera's proxy servers are not even accessible using plain HTTP, other browsers use encrypted HTTPS as well when talking to these proxies.

Owner

spaze commented May 3, 2016

@merlineus It uses TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA cipher suite. You can see all supported cipher suites at this Qualys SSL Labs Server Test report

Opera's proxy servers are not even accessible using plain HTTP, other browsers use encrypted HTTPS as well when talking to these proxies.

@esemeniuc

This comment has been minimized.

Show comment
Hide comment
@esemeniuc

esemeniuc May 10, 2016

Thanks for all the work on oprah proxy 👍
Also, just a head up, this seems "inspired":
https://www.surfeasy.com/blog/get-vpn-get-vpn-everyone-gets-vpn/

esemeniuc commented May 10, 2016

Thanks for all the work on oprah proxy 👍
Also, just a head up, this seems "inspired":
https://www.surfeasy.com/blog/get-vpn-get-vpn-everyone-gets-vpn/

@dessant

This comment has been minimized.

Show comment
Hide comment
@dessant

dessant May 18, 2016

@spaze, which tool did you use to inspect the opera requests?

dessant commented May 18, 2016

@spaze, which tool did you use to inspect the opera requests?

@spaze

This comment has been minimized.

Show comment
Hide comment
@spaze

spaze Jun 11, 2016

@dessant I've used browser's own chrome://net-internals/#events.

Owner

spaze commented Jun 11, 2016

@dessant I've used browser's own chrome://net-internals/#events.

@aeroxy

This comment has been minimized.

Show comment
Hide comment
@aeroxy

aeroxy Oct 4, 2016

So I tried this with iPhone with no luck so far, while Android works just fine. I tried the following methods:

  1. Use iphone's default HTTP proxy setting, obviously not working.
  2. Create a custom pac file and use auto config. Not working. No credential prompt and no network response.
  3. Use third party SSL VPN like Draytek's SmartVPN and Cisco's AnyConnect. Not working. Doesn't seem to support Opera's encryption method (Draytek seems to support it but it requires a server certificate that opera proxy doesn't have).

Why don't I just use Opera VPN on an iPhone? Because all IPsec connections seem to be blocked by my ISP.

aeroxy commented Oct 4, 2016

So I tried this with iPhone with no luck so far, while Android works just fine. I tried the following methods:

  1. Use iphone's default HTTP proxy setting, obviously not working.
  2. Create a custom pac file and use auto config. Not working. No credential prompt and no network response.
  3. Use third party SSL VPN like Draytek's SmartVPN and Cisco's AnyConnect. Not working. Doesn't seem to support Opera's encryption method (Draytek seems to support it but it requires a server certificate that opera proxy doesn't have).

Why don't I just use Opera VPN on an iPhone? Because all IPsec connections seem to be blocked by my ISP.

@COLABORATI

This comment has been minimized.

Show comment
Hide comment
@COLABORATI

COLABORATI Oct 13, 2016

How can I change the device id or any other id that is send on each start or, even better, every ten minutes? Is there a plugin for this?
Thanks for your research work!

COLABORATI commented Oct 13, 2016

How can I change the device id or any other id that is send on each start or, even better, every ten minutes? Is there a plugin for this?
Thanks for your research work!

@setya5785

This comment has been minimized.

Show comment
Hide comment
@setya5785

setya5785 Nov 8, 2016

hi there,

i hope you don't mind i made .net implementation based on your oprah-proxy.py (only up to the part where the app register and retrieve credentials).

setya5785 commented Nov 8, 2016

hi there,

i hope you don't mind i made .net implementation based on your oprah-proxy.py (only up to the part where the app register and retrieve credentials).

@ahmadalibaloch

This comment has been minimized.

Show comment
Hide comment
@ahmadalibaloch

ahmadalibaloch Feb 5, 2017

what about the free opera vpn application on Android and iOS. The iOS app also adds a vpn profile. Is that also a proxy? No. btw I was looking to get those vpn profile credentials to add a profile on laptop. Any one can guide?

ahmadalibaloch commented Feb 5, 2017

what about the free opera vpn application on Android and iOS. The iOS app also adds a vpn profile. Is that also a proxy? No. btw I was looking to get those vpn profile credentials to add a profile on laptop. Any one can guide?

@spaze

This comment has been minimized.

Show comment
Hide comment
@spaze
Owner

spaze commented Feb 10, 2017

@Xenophon94

This comment has been minimized.

Show comment
Hide comment
@Xenophon94

Xenophon94 May 16, 2017

Adding following exceptions to AVG works (Settings-Exceptions-URLs)
https://api.surfeasy.com*
https://.opera-proxy.net

Xenophon94 commented May 16, 2017

Adding following exceptions to AVG works (Settings-Exceptions-URLs)
https://api.surfeasy.com*
https://.opera-proxy.net

@AgapovAlexsey

This comment has been minimized.

Show comment
Hide comment
@AgapovAlexsey

AgapovAlexsey May 17, 2017

@spaze how you get post data in chrome://net-internals/#events ? i recived only data lenght

AgapovAlexsey commented May 17, 2017

@spaze how you get post data in chrome://net-internals/#events ? i recived only data lenght

@muwlgr

This comment has been minimized.

Show comment
Hide comment
@muwlgr

muwlgr May 25, 2017

I appreciate your work. It is invaluable in our current Ukraine situation. Now looking for a way to integrate it as a sub-proxy/peer with Squid

muwlgr commented May 25, 2017

I appreciate your work. It is invaluable in our current Ukraine situation. Now looking for a way to integrate it as a sub-proxy/peer with Squid

@sponnusa

This comment has been minimized.

Show comment
Hide comment
@sponnusa

sponnusa Jun 21, 2017

This has stopped working. The following is the output from the script. Could it be fixed?

<>

https://github.com/spaze/oprah-proxy :::===~~~~~~~~=
DEBUG: Call register_subscriber
DEBUG: Your SurfEasy email: 1f01e185-17e5-42fc-89b6-901539ee95e8@se0310.surfeasy.vpn
DEBUG: Your SurfEasy password: ca8e39ff-e447-4c47-b23d-28e8ed2b2b5d
DEBUG: Your SurfEasy password hash: BC2C5FC1861DB42A6CA00AD2C72594EEF91A239A
DEBUG: These are not the credentials you are looking for (you won't probably need these, ever)
ERROR: Invalid client.

sponnusa commented Jun 21, 2017

This has stopped working. The following is the output from the script. Could it be fixed?

<>

https://github.com/spaze/oprah-proxy :::===~~~~~~~~=
DEBUG: Call register_subscriber
DEBUG: Your SurfEasy email: 1f01e185-17e5-42fc-89b6-901539ee95e8@se0310.surfeasy.vpn
DEBUG: Your SurfEasy password: ca8e39ff-e447-4c47-b23d-28e8ed2b2b5d
DEBUG: Your SurfEasy password hash: BC2C5FC1861DB42A6CA00AD2C72594EEF91A239A
DEBUG: These are not the credentials you are looking for (you won't probably need these, ever)
ERROR: Invalid client.

@tjleon1

This comment has been minimized.

Show comment
Hide comment
@tjleon1

tjleon1 Aug 3, 2017

@spaze "Hostnames are resolved remotely, when using Opera's "VPN", DNS requests do not leak. Checked with dnsleaktest.com and also looking at the packets."

DNS leak test provides the following information:

What do the results of this test mean?

The servers identified above receive a request to resolve a domain name (e.g. www.eff.org) to an IP address everytime you enter a website address in your browser.
The owners of the servers above have the ability to associate your personal IP address with the names of all the sites you connect to and store this data indefinitely. This does not mean that they do log or store it indefinitely but they may and you need to trust whatever their policy says.
If you are connected to a VPN service and ANY of the servers listed above are not provided by the VPN service then you have a DNS leak and are choosing to trust the owners of the above servers with your private data.

When I ran the extended test through Opera VPN, it returned 26 servers - all belonging to Google and not to Opera. Considering the last line above, I have a concern that my private data may still be in the hands of Google which may or may not keep logs. When I ran the same test through Google Chrome, it returned only 6 servers, none of which belonged to Google.

tjleon1 commented Aug 3, 2017

@spaze "Hostnames are resolved remotely, when using Opera's "VPN", DNS requests do not leak. Checked with dnsleaktest.com and also looking at the packets."

DNS leak test provides the following information:

What do the results of this test mean?

The servers identified above receive a request to resolve a domain name (e.g. www.eff.org) to an IP address everytime you enter a website address in your browser.
The owners of the servers above have the ability to associate your personal IP address with the names of all the sites you connect to and store this data indefinitely. This does not mean that they do log or store it indefinitely but they may and you need to trust whatever their policy says.
If you are connected to a VPN service and ANY of the servers listed above are not provided by the VPN service then you have a DNS leak and are choosing to trust the owners of the above servers with your private data.

When I ran the extended test through Opera VPN, it returned 26 servers - all belonging to Google and not to Opera. Considering the last line above, I have a concern that my private data may still be in the hands of Google which may or may not keep logs. When I ran the same test through Google Chrome, it returned only 6 servers, none of which belonged to Google.

@h3298

This comment has been minimized.

Show comment
Hide comment
@h3298

h3298 Aug 16, 2017

  1. @AgapovAlexsey: "how you get post data in chrome://net-internals/#events"? i recived only data lengh
    —Enlarge the window and look to the right

  2. @sponnusa: "This has stopped working."
    —Forked & fixed - https://github.com/nampud/oprah-proxy
    (spaze should patch this - or update the main article to say its broken)

  3. @tjleon1: "I have a concern that my private data may still be in the hands of Google"
    Google does not see your IP address. spaze commented Apr 24, 2016:
    —Hostnames are resolved remotely, when using Opera's "VPN", DNS requests do not leak.

Interesting: http://dnsleak.com appears to show a DNS leak but https://dnsleaktest.com does not
This is probably good enough for use with open WiFi hotspots, etc. If you have a greater concern you should use a real VPN.


  1. @spaze: Under "usage with other browsers" at /spaze/oprah-proxy, it should be noted that you can use a LOCAL proxy configuration file if you want to change the server, for example:

https://addons.mozilla.org/en-US/firefox/addon/pac-reloader/

Local file path syntax for various browsers
https://www.cisco.com/c/en/us/td/docs/security/web_security/connector/connector3000/PACAP.html

  1. I think Opera generates a new user username/password for every server change or reconnection. To emulate the full GUI you need to create a browser extension. Example:
    https://www.surfeasy.com/vpn-browser-extension-chrome/

h3298 commented Aug 16, 2017

  1. @AgapovAlexsey: "how you get post data in chrome://net-internals/#events"? i recived only data lengh
    —Enlarge the window and look to the right

  2. @sponnusa: "This has stopped working."
    —Forked & fixed - https://github.com/nampud/oprah-proxy
    (spaze should patch this - or update the main article to say its broken)

  3. @tjleon1: "I have a concern that my private data may still be in the hands of Google"
    Google does not see your IP address. spaze commented Apr 24, 2016:
    —Hostnames are resolved remotely, when using Opera's "VPN", DNS requests do not leak.

Interesting: http://dnsleak.com appears to show a DNS leak but https://dnsleaktest.com does not
This is probably good enough for use with open WiFi hotspots, etc. If you have a greater concern you should use a real VPN.


  1. @spaze: Under "usage with other browsers" at /spaze/oprah-proxy, it should be noted that you can use a LOCAL proxy configuration file if you want to change the server, for example:

https://addons.mozilla.org/en-US/firefox/addon/pac-reloader/

Local file path syntax for various browsers
https://www.cisco.com/c/en/us/td/docs/security/web_security/connector/connector3000/PACAP.html

  1. I think Opera generates a new user username/password for every server change or reconnection. To emulate the full GUI you need to create a browser extension. Example:
    https://www.surfeasy.com/vpn-browser-extension-chrome/
@h3298

This comment has been minimized.

Show comment
Hide comment
@h3298

h3298 Aug 21, 2017

spaze commented on Feb 10
> As mentioned on https://github.com/spaze/oprah-proxy: Opera VPN for iOS and Opera VPN for Android are both real VPN.

Opera just pushed an iOS update called "Opera VPN gold" and the free servers immediately quit working after installing.
Android & iOS users with root might want to backup the old VPN client before updating.

h3298 commented Aug 21, 2017

spaze commented on Feb 10
> As mentioned on https://github.com/spaze/oprah-proxy: Opera VPN for iOS and Opera VPN for Android are both real VPN.

Opera just pushed an iOS update called "Opera VPN gold" and the free servers immediately quit working after installing.
Android & iOS users with root might want to backup the old VPN client before updating.

@NeoGenet1c

This comment has been minimized.

Show comment
Hide comment
@NeoGenet1c

NeoGenet1c Sep 4, 2017

Great article @spaze, thanks!

Any idea why would be api.surfeasy.com on the blacklist of our Uni's firewall/proxy (I think we use https://www.checkpoint.com)? What are the risks, if there are any?

NeoGenet1c commented Sep 4, 2017

Great article @spaze, thanks!

Any idea why would be api.surfeasy.com on the blacklist of our Uni's firewall/proxy (I think we use https://www.checkpoint.com)? What are the risks, if there are any?

@spaze

This comment has been minimized.

Show comment
Hide comment
@spaze

spaze Jan 5, 2018

Hey @NeoGenet1c! Sorry, missed your comment. My wild guess is that api.surfeasy.com might be blocked so that people can't bypass corporate/uni content filters by using Opera's browser "VPN". Blocking api.surfeasy.com will prevent setting up the connection the proxy server, so the "VPN" is unusable.

Owner

spaze commented Jan 5, 2018

Hey @NeoGenet1c! Sorry, missed your comment. My wild guess is that api.surfeasy.com might be blocked so that people can't bypass corporate/uni content filters by using Opera's browser "VPN". Blocking api.surfeasy.com will prevent setting up the connection the proxy server, so the "VPN" is unusable.

@brunospino

This comment has been minimized.

Show comment
Hide comment
@brunospino

brunospino Feb 1, 2018

Hello,

does anyone know if it is possible to set up a specific country instead of a generic different one? I mean, a friend of mine with very limited knowledge is trying to use his Eurosport subscription in Costarica, but he needs to present itself as "Italian". I've noticed Opera got some Italian proxy, and it uses it by default if you flag the first option (it sounds like "best location" translated from Italian) and you really are in Italy. So I wonder if it possible to force the server choice. By choosing EU as location it seems there is a random forward mostly to France and Germany.

Thank you

brunospino commented Feb 1, 2018

Hello,

does anyone know if it is possible to set up a specific country instead of a generic different one? I mean, a friend of mine with very limited knowledge is trying to use his Eurosport subscription in Costarica, but he needs to present itself as "Italian". I've noticed Opera got some Italian proxy, and it uses it by default if you flag the first option (it sounds like "best location" translated from Italian) and you really are in Italy. So I wonder if it possible to force the server choice. By choosing EU as location it seems there is a random forward mostly to France and Germany.

Thank you

@johncrisostomo

This comment has been minimized.

Show comment
Hide comment
@johncrisostomo

johncrisostomo Jun 22, 2018

Is this still accurate? I thought Opera parted ways with SurfEasy, hence their mobile "VPN" service was shut down earlier this year. Also, does this mean that SurfEasy's service is not a VPN in the truest sense? Or do they offer both true VPN and proxy services?

johncrisostomo commented Jun 22, 2018

Is this still accurate? I thought Opera parted ways with SurfEasy, hence their mobile "VPN" service was shut down earlier this year. Also, does this mean that SurfEasy's service is not a VPN in the truest sense? Or do they offer both true VPN and proxy services?

@xaosnox

This comment has been minimized.

Show comment
Hide comment
@xaosnox

xaosnox Oct 5, 2018

I have been using Opera's secure proxy server since they introduced it. It is a bit flaky. Sometimes I have to restart Opera to get it to connect, but have been very pleased with it overall. I never expected it to be anything more than what it is—a secure proxy server connection for the browser. But now, I'm experiencing a different issue that is very disturbing. I can connect to Opera's server fine, and running diagnostics shows that the connection to the internet and the ISP is fine. However, any time I have the proxy service enabled, I get a "No Internet" page. Pages that I have open, such as webmail, say they aren't connecting. I'm hoping this is just a temporary glitch with Opera's server, but I suspect it's something much more troubling. I think the ISP is blocking secure proxy servers. I'm going to do some experimenting, but Im wondering if anyone else has started seeing this same issue. It was working fine as of this morning. My carrier is Xfinity/Comcast.

If what I suspect is true, the battle for a secure and private internet has just escalated to a whole new level! Can anyone help me find out if this is just me, Opera, or an ISP issue?

xaosnox commented Oct 5, 2018

I have been using Opera's secure proxy server since they introduced it. It is a bit flaky. Sometimes I have to restart Opera to get it to connect, but have been very pleased with it overall. I never expected it to be anything more than what it is—a secure proxy server connection for the browser. But now, I'm experiencing a different issue that is very disturbing. I can connect to Opera's server fine, and running diagnostics shows that the connection to the internet and the ISP is fine. However, any time I have the proxy service enabled, I get a "No Internet" page. Pages that I have open, such as webmail, say they aren't connecting. I'm hoping this is just a temporary glitch with Opera's server, but I suspect it's something much more troubling. I think the ISP is blocking secure proxy servers. I'm going to do some experimenting, but Im wondering if anyone else has started seeing this same issue. It was working fine as of this morning. My carrier is Xfinity/Comcast.

If what I suspect is true, the battle for a secure and private internet has just escalated to a whole new level! Can anyone help me find out if this is just me, Opera, or an ISP issue?

@xaosnox

This comment has been minimized.

Show comment
Hide comment
@xaosnox

xaosnox Oct 5, 2018

Seems to be working now. Guess it was just a problem with the Opera servers. The way things are going, you can't blame me for being a little paranoid! Things are getting pretty draconian.

xaosnox commented Oct 5, 2018

Seems to be working now. Guess it was just a problem with the Opera servers. The way things are going, you can't blame me for being a little paranoid! Things are getting pretty draconian.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment