  1. #11
    Just Joined!
    Join Date
    Feb 2009
    Posts
    54

    You did not mention how you are currently accessing any of your clients - i.e. whether you have SSH access on the site firewall. If so, I would just create an SSH tunnel to the internal client and then use that as the jump box to all other clients. OpenVPN would also work as others pointed out, but if your firewall admins block non-standard outbound traffic (very common practice), most likely the OpenVPN traffic would also get blocked.

  2. #12
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,387
    Sure, but use tcp 443 for openvpn and the connection will most probably succeed.
    You must always face the curtain with a bow.

  3. #13
    Just Joined!
    Join Date
    Feb 2009
    Posts
    54
    As a firewall admin, I'd be very upset if someone were opening up VPN connections from the inside networks to (what is insecure to the firewall admin) networks on the Internet. I'd have a lesser problem with giving someone non-privileged SSH access on the firewall with forwarding enabled to an internal client if I didn't have a VPN concentrator (which is sort of unimaginable for bigger companies). The reason I say this is:
    1. I could control the remote client connecting to the firewall by IP in the sshd configs.
    2. I can set idle timeouts such that the connection goes down in idle conditions.
    3. If I have an IDS behind the firewall, I'd still be able to apply the corporate policy on the connections.

    But as a FW admin, if I did have a VPN concentrator, I'd ask the user to connect via VPN.

    Furthermore, I'd seriously recommend not to use a port like 443 for your outbound traffic. This will most likely be detected on an IDS, and may be interpreted as an attempt to compromise corporate security. In certain organizations this would be considered grounds for dismissal. If you want to use OpenVPN for an outbound connection, I'd recommend you be very forthright with your network security people and let them know what you are doing.
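    The sshd restrictions described in points 1 and 2 above (source-address control and idle timeouts), written out as an added example that is not from any poster in this thread. It is a drop-in file for OpenSSH's sshd_config; the account name remoteadmin, the remote address 203.0.113.10 (a documentation range address) and the internal jump client 10.0.0.25 are assumed placeholders.

    ```conf
    # /etc/ssh/sshd_config.d/remoteadmin.conf  (assumed path; OpenSSH 8.2+ reads this directory)

    # Point 2: idle timeout. Probe the client every 300 s and drop the session
    # after 3 unanswered probes, i.e. roughly 15 minutes of idle time.
    ClientAliveInterval 300
    ClientAliveCountMax 3

    # Point 1: only this non-privileged account may log in, and only from the known address.
    AllowUsers remoteadmin@203.0.113.10

    Match User remoteadmin Address 203.0.113.10
        # Key-based login only, no shell, no agent or X11 forwarding.
        # The remote side connects with "ssh -N", which requests no command,
        # so ForceCommand never runs and only the port forward is used.
        PasswordAuthentication no
        PermitTTY no
        ForceCommand /bin/false
        AllowAgentForwarding no
        X11Forwarding no
        # Tunnelling is permitted, but only -L style forwards and only to the
        # single internal jump client on its SSH port.
        AllowTcpForwarding local
        PermitOpen 10.0.0.25:22
    ```

    With this in place the remote user runs something like `ssh -N -L 2222:10.0.0.25:22 remoteadmin@firewall` and then `ssh -p 2222 user@localhost` to reach the internal client; any attempt to forward to another host is refused by PermitOpen, and an idle tunnel is torn down by sshd rather than lingering.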

  4. #14
    Just Joined!
    Join Date
    Apr 2010
    Posts
    6
    Just to give you a bit more info on this. The devices are part of a product that we offer for public consumers. So these devices are in people's home network behind NAT routers from ISPs.

    Currently we have no way to remotely admin these devices, so was just thinking a way to do achieve this since it seems we will be shipping large number of units soon...

    Regards,

    Olli

  5. #15
    Just Joined!
    Join Date
    Feb 2009
    Posts
    54
    Ah consumers....they don't really have any rights so it is free for....

    OpenVPN clients would be a good solution for you then. But how are you going to launch it on demand? Or is the plan to have the tunnels permanently up?

  6. #16
    Just Joined!
    Join Date
    Apr 2010
    Posts
    6
    Yeah, cannot think of any other solution to it than to have the tunnel permanently open. But I suppose VPN is designed for that kind of usage anyway since it is a virtual extension to private networks?

    Olli

  7. #17
    Linux Guru coopstah13's Avatar
    Join Date
    Nov 2007
    Location
    NH, USA
    Posts
    3,149
    I don't like the sound of this one bit

    I certainly would not like a device that allows VPN access to my private network, especially without my consent

  8. #18
    Just Joined!
    Join Date
    Apr 2010
    Posts
    1
    If it's not possible to open ports, the server would have to contact you. You could consider a reverse connection such as that used by the VNC family. This solution would be a little more complicated: you'd need a cron job or have someone at the server run the app. I'm not sure if this is feasible, but it's another possibility.

    There's some explanation here:
    tiny apps.org/docs/vnc/TinyApps.Org (Take the space out. This is my first post.)



    David Lightman: Joshua called me.
    McKittrick: [incredulous] David, computers don't call people!
    David Lightman: [shrugs] Yours did.

  9. #19
    Linux User
    Join Date
    Dec 2009
    Posts
    264
    So to be on the safe side, make sure that the OpenVPN server side can only access the client on the other end.

    Meaning: disable routing between the tunnel and the local customer network.

    The problems about 443 ...
    If you use 443 on the OpenVPN Server the connection seems to be a https connection ... so the only use would be to hide the tunnel
    It's even using similar encryption ... and it's very hard to detect that it is a VPN Tunnel.
    But you mustn't use port 443 from or to the clients.
    Just use any high port ... such as 35687 ... or simply the standard port

    However ... make sure to tell the customer that your device is going to connect to your company, for remote configuration if requested.
    And for the security - give the customer the possibility to disable this remote connection.
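    The "disable routing between the tunnel and the local customer network" advice above, as an added example that is not from any poster in this thread: a small script meant to run on the consumer device (for instance from the device's OpenVPN `up` directive). It assumes tun0 is the OpenVPN interface, br0 is the home LAN interface, and that the device's own management service listens on TCP 22; those names are placeholders. It prints the rules by default and only executes them when APPLY=1 is set.

    ```shell
    #!/bin/sh
    # Device-side containment for the support tunnel (added example, not from the thread).
    # Goal: the company end of the tunnel can reach this device only, never the home LAN.
    # Assumed interface names: tun0 = OpenVPN, br0 = customer LAN. Needs root + iptables to apply.

    # Emit the rules as shell commands, one per line, so they can be reviewed before use.
    gen_rules() {
        vpn_if=$1
        lan_if=$2
        # The device must not route between the tunnel and the home network at all.
        echo "sysctl -w net.ipv4.ip_forward=0"
        # Belt and braces: even if forwarding is later re-enabled, refuse tunnel<->LAN forwarding.
        echo "iptables -I FORWARD 1 -i $vpn_if -o $lan_if -j DROP"
        echo "iptables -I FORWARD 1 -i $lan_if -o $vpn_if -j DROP"
        # Traffic arriving from the tunnel may only reach the device's own management port.
        echo "iptables -N VPN_IN"
        echo "iptables -A VPN_IN -p tcp --dport 22 -j ACCEPT"
        echo "iptables -A VPN_IN -j DROP"
        echo "iptables -I INPUT 1 -i $vpn_if -j VPN_IN"
    }

    # Self-check helper: number of DROP rules the generator produces.
    count_drops() {
        gen_rules "$1" "$2" | grep -c -- '-j DROP'
    }

    # Self-check helper: 0 if the generator disables IP forwarding, non-zero otherwise.
    disables_forwarding() {
        gen_rules "$1" "$2" | grep -q 'net.ipv4.ip_forward=0'
    }

    if [ "${APPLY:-0}" = "1" ]; then
        gen_rules tun0 br0 | sh -e      # execute the reviewed rules
    else
        gen_rules tun0 br0              # dry run: just show them
    fi
    ```

    On the server side nothing extra is needed for this: without `client-to-client` and without any `iroute` for a client's LAN, the OpenVPN server only knows the device's tunnel address, so the device's own forwarding policy is what decides whether the customer's network is reachable.
    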

  10. #20
    Just Joined!
    Join Date
    Dec 2011
    Posts
    1
    Ojaro, our project yaler.org solves this problem with a simple, open and scalable relay infrastructure. Download the open source command line tool hg.yaler.org/yalertunnel and follow README.txt to get started. Cheers, tamberg
