  1. #11

    You did not mention how you are currently accessing any of your clients - i.e. whether you have SSH access on the site firewall. If so, I would just create an SSH tunnel to the internal client and then use that as the jump box to all other clients. OpenVPN would also work as others pointed out, but if your firewall admins block non-standard outbound traffic (very common practice), most likely the OpenVPN traffic would also get blocked.

  2. #12
    Irithori (Trusted Penguin, joined May 2009)
    Sure, but use tcp 443 for openvpn and the connection will most probably succeed.
    You must always face the curtain with a bow.

  3. #13
    As a firewall admin, I'd be very upset if someone were opening up VPN connections from the inside networks to (what is insecure to the firewall admin) networks on the Internet. I'd have a lesser problem with giving someone non-privileged ssh access on the firewall with forwarding enabled to an internal client if I didn't have a VPN concentrator (which is sort of unimaginable for bigger companies). The reason I say this is:
    1. I could control the remote client connecting to the firewall by IP in the sshd configs.
    2. I can set idle timeouts such that the connection goes down in idle conditions.
    3. If I have an IDS behind the firewall, I'd still be able to apply the corporate policy on the connections.

    But as a FW admin, if I did have a VPN concentrator, I'd ask the user to connect via VPN.

    Furthermore, I'd seriously recommend not using a port like 443 for your outbound traffic. This will most likely be detected on an IDS, and may be interpreted as an attempt to compromise corporate security. In certain organizations this would be considered grounds for dismissal. If you want to use OpenVPN for an outbound connection, I'd recommend you be very forthright with your network security people and let them know what you are doing.

  5. #14
    Just to give you a bit more info on this. The devices are part of a product that we offer to public consumers. So these devices are in people's home networks behind NAT routers from ISPs.

    Currently we have no way to remotely admin these devices, so I was just thinking of a way to achieve this since it seems we will be shipping a large number of units soon...

  6. #15
    Ah, consumers.... they don't really have any rights, so it is free for....

    OpenVPN clients would be a good solution for you then. But how are you going to launch it on demand? Or is the plan to have the tunnels permanently up?

  7. #16
    Yeah, I cannot think of any other solution to it than having the tunnel permanently open. But I suppose VPN is designed for that kind of usage anyway, since it is a virtual extension to private networks?

  8. #17
    coopstah13 (Linux Guru, joined Nov 2007, NH, USA)
    I don't like the sound of this one bit.

    I certainly would not like a device that allows VPN access to my private network, especially without my consent

  9. #18
    If it's not possible to open ports, the server would have to contact you. You could consider a reverse connection such as that used by the VNC family. This solution would be a little more complicated -- you'd need a cron job or have someone at the server run the app. I'm not sure if this is feasible, but it's another possibility.

    There's some explanation here:
    tiny (Take the space out. This is my first post.)

    David Lightman: Joshua called me.
    McKittrick: [incredulous] David, computers don't call people!
    David Lightman: [shrugs] Yours did.

  10. #19
    So to be on the safe side, make sure that the OpenVPN server side can only access the client on the other end.

    Meaning: disable routing between the tunnel and the local customer network.

    The problems with 443 ...
    If you use 443 on the OpenVPN server, the connection looks like an https connection ... so the only use would be to hide the tunnel.
    It's even using similar encryption ... and it's very hard to detect that it is a VPN tunnel.
    But you mustn't use port 443 from or to the clients.
    Just use any high port ... such as 35687 ... or simply the standard port.

    However ... make sure to tell the customer that your device is going to connect to your company for remote configuration, if requested.
    And for security - give the customer the possibility to disable this remote connection.
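
    A device-side OpenVPN client configuration that applies the advice in this post (keep the server on the far end of the tunnel only, stay off port 443, let the customer see what connects where). This is an added example and not from any poster; the hostname, port, and certificate file names are placeholders.

    ```conf
    # Constructed OpenVPN client config for the consumer device (example only).
    # vendor-vpn.example.com, 35687 and the cert/key file names are placeholders.
    client
    dev tun
    proto udp
    remote vendor-vpn.example.com 35687   # an ordinary high port, not 443
    nobind
    persist-key
    persist-tun

    ca ca.crt
    cert device.crt
    key device.key
    tls-auth ta.key 1                     # HMAC on the control channel; drops unauthenticated packets early
    remote-cert-tls server                # only accept a certificate issued for a server, not another client's

    # Ignore any routes or DNS the server pushes: the vendor side must not be able
    # to redirect the customer's traffic or widen what it reaches through the device.
    route-nopull

    # Routing between tun0 and the home LAN is disabled on the device itself (outside
    # OpenVPN): sysctl net.ipv4.ip_forward=0 plus
    #   iptables -A FORWARD -i tun0 -j DROP
    #   iptables -A FORWARD -o tun0 -j DROP
    # so the tunnel terminates at the device and nothing behind it is reachable.

    keepalive 10 60
    verb 3
    ```

    On the server side, leave `client-to-client` unset so one customer's device cannot reach another's, and push no `route` entries beyond the management hosts the device actually needs.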

  11. #20
    Ojaro, our project solves this problem with a simple, open and scalable relay infrastructure. Download the open source command line tool and follow README.txt to get started. Cheers, tamberg
