📆 22. 4. 2016 📂 Opera, VPN, Proxy

Behind the curtain, the VPN in the Opera browser is just a proxy. Here's how it works.

When setting up Opera VPN (that's immediately when user enables it in settings), the browser sends few API requests to https://api.surfeasy.com to obtain credentials and proxy IPs, see below, also see The Oprah Proxy.

The browser then talks to a proxy de0.opera-proxy.net (when VPN location is set to Germany), it's IP address can only be resolved from within Opera when VPN is on, it's 185.108.219.42 (or similar, see below). It's an HTTP/S proxy which requires auth.

When loading a page with Opera “VPN” enabled, the browser sends a lot of HTTPS requests to de0.opera-proxy.net with Proxy-Authorization request header.

The Proxy-Authorization header decoded:

CC68FE24C34B5B2414FB1DC116342EADA7D5C46B:9B9BE3FAE674A33D1820315F4CC94372926C8210B6AEC0B662EC7CAD611D86A3

That's sha1(device_id):device_password, where device_id and device_password come from the HTTPS POST /v2/register_device API call. Please note that this decoded header is from another Opera installation and thus contains different device_id and device_password than what is shown in the examples.

These creds can be used with the de0.opera-proxy.net even when connecting from a different machine, it's just an HTTP proxy anyway.

When you use the proxy on a different machine (with no Opera installed), you'll get the same IP as when using Opera's VPN, of course.

This Opera “VPN” is just a preconfigured HTTP/S proxy protecting just the traffic between Opera and the proxy, nothing else. It's not a VPN.

They even call it Secure proxy (besides calling it VPN, sure) in Opera settings.

The API calls are:

  1. https://api.surfeasy.com/v2/register_subscriber example
  2. https://api.surfeasy.com/v2/register_device example
  3. https://api.surfeasy.com/v2/geo_list example
  4. https://api.surfeasy.com/v2/discover example
“Everybody gets a proxy” logo

I have automated the API calls and have built The Oprah Proxy, a simple Python script which will fetch the credentials for you. It will also list available locations and proxies.

This has been initially published on GitHub as a gist.


Recommended reading

Michal Špaček

I build web applications and I'm into web application security. I like to speak about secure development. My mission is to teach web developers how to build secure and fast web applications and why.

Public trainings

Come to my public trainings, everybody's welcome:

PHP application security
(12. 3. 2018 Praha)

HTTPS for developers and admins
(13. 3. 2018 Praha)

Web application performance
(březen 2018 Praha)

Česky