Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
what do I need to bypass a restrictive company proxy
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
ckx3009
Guru
Guru


Joined: 08 Apr 2008
Posts: 362
Location: Milano, Italy

PostPosted: Sat Jun 09, 2012 6:39 pm    Post subject: what do I need to bypass a restrictive company proxy Reply with quote

Hello,
I'm actually in a somehow bad situation at work, cause of a proxy server placed in my company's internal network.

- What I have on my own:
A PC able to run Gentoo linux + win7 inside a virtual machine (vmware workstation)
----- or -----
The same PC able to run win7 + Gentoo linux inside a virtual machine (vmware workstation)
A remote server (fast connection) running Gentoo linux (server profile, not hardened) with the usual tools we can find on a server: openssh, mysql, apache2 and so on.


- What I have to face:
the company's network, in particular a proxy server; this proxy server, after having authenticated, allows me only to browse web pages, nothing more.
As far as I know the only open ports are the 80 and 443.
I can't use those ports for something different than HTTP or HTTPS traffic, cause of (probably) packet inspection: I tried to move the listening port of my ssh server to the 443 but I was unable to contact my server.
As well, I'm able to contact it by web, I can even manage it using some tools like webmin and anyterm (with apache mod_proxy), but is not what I want due to security problems.


- What I would like:
To route every connection originated by my pc, to the remote server I own, in a similar way to what I do at home: the pc connected to the router, with the router facing the internet.
In other words, I would like to be in a "virtual" LAN with the remote server, and use it as a gateway, tunneling every connection into an SSL tunnel, in order to use the default 443 port (which I can use) and avoid packet inspection (and the deriving traffic blocking).


- What I ask:
On the internet there are a lot of guides and tips to do what I ask... the problem is that every guide I was able to find was not complete enough to perform the full process.
I don't even know exactly which tools I could use to do everything I need.
I need to perform the configurations both server and client side, when a lot of guides just explain what to do on the client, bypassing the server configuration and the tools used on the server to allow tunneling, connections, vpns and so on.

I would be really grateful if someone could help me out in this painful and probably complex project :P
Thanks a lot in advance :)
Back to top
View user's profile Send private message
Goverp
l33t
l33t


Joined: 07 Mar 2007
Posts: 907

PostPosted: Sun Jun 10, 2012 8:50 am    Post subject: Reply with quote

Quote:
Post subject: what do I need to bypass a restrictive company proxy

I'd start with a job offer from another company. If your company has put such a restrictive infrastructure in place, they'll probably be most upset if you bypass it. Their stance may not be logical, but it's their money, and your contract with them probably has a clause in it saying you won't misuse their infrastructure. Bypassing the restrictions probably counts as misuse.

IMHO If you don't like the restrictions, find another job.
_________________
Greybeard
Back to top
View user's profile Send private message
aCOSwt
Bodhisattva
Bodhisattva


Joined: 19 Oct 2007
Posts: 2537
Location: Hilbert space

PostPosted: Sun Jun 10, 2012 10:19 am    Post subject: Reply with quote

If you succeed, you will discover that Goverp is right.
_________________
Back to top
View user's profile Send private message
ckx3009
Guru
Guru


Joined: 08 Apr 2008
Posts: 362
Location: Milano, Italy

PostPosted: Tue Jun 12, 2012 8:43 pm    Post subject: Reply with quote

Well, I appreciate your opinions, but that's not the answer/suggestion I'm looking for...

I have already bypassed the proxy using the apache mod_proxy in order to redirect some application ports...but is not what I'm looking for.

Edit:
Really there is no anyone able to give me some help?
I can't believe that <.<
Back to top
View user's profile Send private message
keet
Guru
Guru


Joined: 09 Sep 2008
Posts: 534

PostPosted: Tue Jun 12, 2012 10:39 pm    Post subject: Reply with quote

Have you tried asking the people in charge of your network? They could probably make an exception -- it is almost certainly technically possible, though they might admittedly have little interest in doing it.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 15989

PostPosted: Wed Jun 13, 2012 1:52 am    Post subject: Reply with quote

There are people here who are able to help you. However, it seems none of them have both read the thread and felt a desire to help you. I concur with keet that getting an exception to the policy is a cleaner and simpler solution than trying to bypass the filtering policy. Based on what you have told us, the technical bypass would be to establish an SSL-encrypted tunnel to a trusted peer, then run all your traffic over a forwarding protocol inside that tunnel.
Back to top
View user's profile Send private message
ckx3009
Guru
Guru


Joined: 08 Apr 2008
Posts: 362
Location: Milano, Italy

PostPosted: Wed Jun 13, 2012 7:30 am    Post subject: Reply with quote

I cannot ask to introduce an exception because just to allow one person to reach one server (for his job) giving him access to a shared folder, we need more than one month...
You can imagine how much time they will need only to consider giving access to someone thought the proxy.
We don't even have a well functioning PC to work with... having the MS exchange servers blocked every 5 seconds, connected a bad network and so on.

This is only due to inefficiency and bad managing.

Anyway yes, it would be an ssl tunnel to a trusted peer, then the traffic would run inside a vpn....I already know that is technically possible, but I need to understand how to realize that in the correct manner.
Back to top
View user's profile Send private message
Mad Merlin
Veteran
Veteran


Joined: 09 May 2005
Posts: 1155

PostPosted: Thu Jun 14, 2012 8:47 am    Post subject: Reply with quote

Sounds like you need... TCP over HTTPS. That sounds pretty gross (because it is), but there's probably some software out there that can do it for you, then you can route over that.
_________________
Game! - Where the stick is mightier than the sword!
Back to top
View user's profile Send private message
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 5847
Location: Removed by Neddy

PostPosted: Thu Jun 14, 2012 10:51 pm    Post subject: Reply with quote

just run sshd on port 443 and shell into the box from your work
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
Back to top
View user's profile Send private message
Mad Merlin
Veteran
Veteran


Joined: 09 May 2005
Posts: 1155

PostPosted: Fri Jun 15, 2012 3:47 am    Post subject: Reply with quote

Naib wrote:
just run sshd on port 443 and shell into the box from your work


ckx3009 wrote:
I can't use those ports for something different than HTTP or HTTPS traffic, cause of (probably) packet inspection: I tried to move the listening port of my ssh server to the 443 but I was unable to contact my server.

_________________
Game! - Where the stick is mightier than the sword!
Back to top
View user's profile Send private message
cach0rr0
Bodhisattva
Bodhisattva


Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Fri Jun 15, 2012 4:18 am    Post subject: Reply with quote

Mad Merlin wrote:
Sounds like you need... TCP over HTTPS. That sounds pretty gross (because it is), but there's probably some software out there that can do it for you, then you can route over that.


he could do something like this using stunnel methinks

far as his network's inspection tools go it'll look no different than HTTPS.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
Back to top
View user's profile Send private message
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 5847
Location: Removed by Neddy

PostPosted: Fri Jun 15, 2012 5:42 am    Post subject: Reply with quote

Mad Merlin wrote:
Naib wrote:
just run sshd on port 443 and shell into the box from your work


ckx3009 wrote:
I can't use those ports for something different than HTTP or HTTPS traffic, cause of (probably) packet inspection: I tried to move the listening port of my ssh server to the 443 but I was unable to contact my server.
they won't be able to inspect the packets, it will look like every other SSL connection to a secure website.
they might see a connection to an ip but if the traffic is tiny it won't raise any alarms.


also w.r.t. trying and not working. putty has a proxy option. if you are trying from a linux box there is a corkscrew programthe idea is the engage the proxy to allow your traffic throughthe proxy doesn't know the difference between ssh and a GET request, it just logscqches SMS enqbles on authorised logins.
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
Back to top
View user's profile Send private message
jormartr
Apprentice
Apprentice


Joined: 02 Jan 2008
Posts: 174

PostPosted: Fri Jun 15, 2012 10:58 am    Post subject: Reply with quote

Maybe proxytunnel ?

http://proxytunnel.sourceforge.net

stunnel seems also an option, easy to google.
Back to top
View user's profile Send private message
cach0rr0
Bodhisattva
Bodhisattva


Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Sun Jun 17, 2012 8:07 am    Post subject: Reply with quote

Naib wrote:
they won't be able to inspect the packets, it will look like every other SSL connection to a secure website.
they might see a connection to an ip but if the traffic is tiny it won't raise any alarms.


certain bits are still visible.
i.e. if there's no 'CONNECT' in the request, that'll be a pretty obvious tipoff to something doing packet inspection
i mean yeah, everything after successful SSL/TLS nego will be invisible short of MITM,

but if the initial handshaking is detected and blocked, you're SOL
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
Back to top
View user's profile Send private message
lyallp
Veteran
Veteran


Joined: 15 Jul 2004
Posts: 1409
Location: Adelaide/Australia

PostPosted: Sun Jun 17, 2012 9:51 am    Post subject: Reply with quote

I am in a similar situation, Gentoo host, Windows 7 Corporate Virtual machine, behind proxy.

Check out package net-misc/corkscrew.
_________________
...Lyall
Back to top
View user's profile Send private message
fabien29200
n00b
n00b


Joined: 12 Jun 2006
Posts: 32

PostPosted: Sun Jun 17, 2012 11:29 am    Post subject: Reply with quote

Doing it every day at work.

On my server : SSH listening on port 8080. And that's it.

At work : Win 7 machine. Putty to creates the tunnel. It opens a local port on the PC, and forwards packets to my SSH through the company proxy.

Then, I have 2 browsers. Chrome for everything I don't need to hide, Firefox for everything personal.
Firefox is configured to use a Socks 5 proxy on localhost with the local port defined in Putty.

HTH.
Back to top
View user's profile Send private message
ckx3009
Guru
Guru


Joined: 08 Apr 2008
Posts: 362
Location: Milano, Italy

PostPosted: Sun Jun 17, 2012 5:32 pm    Post subject: Reply with quote

I noticed about proxytunnel and corkscrew, but there is something "in the middle" that does not allow me to create the connection.

Probably the problem is in the https encapsulation process...I don't know how to do perform that.
I mean: to encapsulate some traffic, I need one applet able to do that on my local PC. On the other side, i need something to decapsulate the same traffic...it could be a running daemon listening for something, but I don't understand the "server side".
For example, about proxytunnel: it says it is very easy to use...yes, on the client it looks like that, but is there not any remote side to configure?
Stunnel is not exactly what I was looking for...I would like to (at the end of the work) be in a virtual LAN with my server...so I would like to do a vpn over SSL, while Stunnel is "only" able to redirect the output to an SSH server.

I was lookig for IPSEC, but it looks "a little" hard to configure...same for the openvpn server.
Back to top
View user's profile Send private message
lyallp
Veteran
Veteran


Joined: 15 Jul 2004
Posts: 1409
Location: Adelaide/Australia

PostPosted: Mon Jun 18, 2012 10:29 am    Post subject: Reply with quote

Simply configure your external machine to have SSH running on a publicly accessible port (preferably not the default :) )
On your internal machine, setup ssh to use corkscrew to connect to that host on the known port.
Then, when you connect, with SSH, you can setup any port forwardings you like, say, local port 4321 goes to the remote machines port 80, which would allow you to browse http://localhost:4321 as though it was http://remotehost.
Regarding using this connection to proxy all outgoing traffic, that would require something extra.
_________________
...Lyall
Back to top
View user's profile Send private message
gasparov
Tux's lil' helper
Tux's lil' helper


Joined: 13 Apr 2006
Posts: 105

PostPosted: Fri Jun 22, 2012 9:14 pm    Post subject: Reply with quote

ckx3009 wrote:
I noticed about proxytunnel and corkscrew, but there is something "in the middle" that does not allow me to create the connection.



on a properly set up firewall corkscrew is a no go.

This works every time http://sebsauvage.net/punching/index.html, it explains how to tunnel traffic with httptunnel using ssh for port forwarding. you need to run hts on server (traffic encaspulation) and htc on office computer, the with ssh you play with the ports. You don't need support for CONNECT

BTW there is a reason why those firewalls are up, if you make a tunnel one of them is that the security of the intranet doesn't depend from the admin anymore but from you. That's why what you are asking is illegal, take care.

I guess you can start from there to open a vpn on your server, I don't know why it needs to be so complicated thoug. :D
Back to top
View user's profile Send private message
gerdesj
l33t
l33t


Joined: 29 Sep 2005
Posts: 621
Location: Yeovil, Somerset, UK

PostPosted: Fri Jun 22, 2012 10:27 pm    Post subject: Reply with quote

OpenVPN can go through quite a few proxies including sending a user/password.

Cheers
Jon
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum