On 2008-12-09, David Brown <david@westcontrol.removethisbit.com> wrote:
>>> You could use OpenVPN. By default, OpenVPN uses port 1194 UDP, but
>>> you could choose port 80 TCP (i.e., http) if you prefer.
>>
>> The OP said HTTP or HTTPS. OpenVPN cannot use them as carrier
>> protocols. The default is UDP/1194.
>
> He said the http/https *ports* were open. OpenVPN cannot use
> http as a carrier.
> But it is perfectly possible to have OpenVPN use port 80 tcp,
> as long as it can get a direct connection. If there is an http
> proxy in the way, then it will of course cause trouble. It is
> therefore probably easier to use port 443 - proxies do not
> (because they *cannot*) cache or otherwise interfere with SSL
> traffic.
I can vouch for the fact that OpenVPN works fine with an https
proxy.
>> Very probably, there is an HTTP(S) proxy, and the tool for
>> it is corkscrew.
>
> Or one of many other similar tools - the OP should have a look
> at what is available before deciding.
>
> Of course, the customer has set up his firewall rules for a
> reason. Any system designed to get round these rules should
> be cleared with the customer before use.
Agreed. Under no circumstance should you do something like
that at a customer site without the customer's approval. In
writing. Assuming they're OK with your device phoning home,
they'd probably rather open a hole in the firewall to a
specific destination than turn you loose with a VPN/tunnelling
setup.
--
Grant Edwards   grante at visi.com
Yow! Well, I'm INVISIBLE AGAIN ... I might as well pay a visit to the LADIES ROOM ...
Reply by David Brown, December 9, 2008
Tauno Voipio wrote:
> David Brown wrote:
>> stijn@fx-motion.com wrote:
>>> We would like to access an embedded (linux based) device behind a
>>> corporate firewall in a production facility.
>>>
>>> We would like to have telnet / ssh access to the device, but of course
>>> our client doesn't want to open any ports so we can access our device.
>>>
>>> Only outgoing http/https ports are opened towards the internet.
>>>
>>> We can install a server at our office with a fixed WAN ip address where
>>> the device could open a tunnel to.
>>>
>>> This seems to be a trivial problem with all the IP based tools /
>>> software we have today, although I don't find the right solution.
>>>
>>> I found hardware solutions provided by companies such as eWon and
>>> Lantronix, this seems to be great for accessing a PLC or so, but as we
>>> can install any software on our own device, I would prefer a software
>>> only solution.
>>>
>>> Are there any lightweight 'VPN' solutions that could be tweaked?
>>>
>>> Any pointers welcome.
>>>
>>
>> You could use OpenVPN. By default, OpenVPN uses port 1194 UDP, but
>> you could choose port 80 TCP (i.e., http) if you prefer.
>
>
> The OP said HTTP or HTTPS. OpenVPN cannot use them as carrier
> protocols. The default is UDP/1194.
>
He said the http/https *ports* were open. OpenVPN cannot use http as a
carrier. But it is perfectly possible to have OpenVPN use port 80 tcp,
as long as it can get a direct connection. If there is an http proxy in
the way, then it will of course cause trouble. It is therefore probably
easier to use port 443 - proxies do not (because they *cannot*) cache or
otherwise interfere with SSL traffic.
> Very probably, there is an HTTP(S) proxy, and the tool for
> it is corkscrew.
>
Or one of many other similar tools - the OP should have a look at what
is available before deciding.
Of course, the customer has set up his firewall rules for a reason. Any
system designed to get round these rules should be cleared with the
customer before use.
Reply by Grant Edwards, December 8, 2008
On 2008-12-08, Tauno Voipio <tauno.voipio@INVALIDiki.fi> wrote:
> The OP said HTTP or HTTPS. OpenVPN cannot use them as carrier
> protocols. The default is UDP/1194.
Since HTTPS is encrypted using SSL/TLS, there's no way for the
firewall to tell the difference between HTTPS and any other
protocol using SSL/TLS.
I use OpenVPN via an HTTPS proxy all the time. It works fine.
> Very probably, there is a HTTP(S) proxy, and the tool for
> it is corkscrew.
--
Grant Edwards   grante at visi.com
Yow! I feel like a wet parking meter on Darvon!
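Grant's point above, and David's earlier one that proxies cannot cache or otherwise interfere with SSL traffic, are worth pinning down from the firewall's side of the connection. What follows is an added example, not code from anyone in this thread: it builds a constructed TLS ClientHello of the kind a client sends once a CONNECT to port 443 has been accepted, then shows what an egress proxy or firewall can read from the first bytes of the flow (record type, version, offered cipher suites, SNI, ALPN) and what it cannot (anything after the handshake). A port-only filter sees none of this; a protocol-aware inspector can at least check that the bytes following CONNECT really are a TLS record and log the server name, which is the sort of thing a customer's IT department would reasonably want to know about a box that calls home. A ClientHello with no SNI at all is handled too. The host name, cipher list and addresses are made up for the example.

```python
import struct

# Constructed sample input: a minimal TLS 1.2 ClientHello, as a client would
# send it right after an HTTP CONNECT to port 443 succeeds.  The host name and
# the cipher-suite list are made up for this example.
CIPHER_SUITES = b"\xc0\x2f\xc0\x30\x00\x9c"   # three suites, constructed list


def build_client_hello(server_name=None, alpn=()):
    """Build a TLS record carrying a ClientHello with optional SNI and ALPN."""
    body = b"\x03\x03" + bytes(32)                      # client_version, random (zeros)
    body += b"\x00"                                     # empty session_id
    body += struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
    body += b"\x01\x00"                                 # compression methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(lst)) + lst      # server_name extension
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        lst = struct.pack("!H", len(protos)) + protos
        exts += struct.pack("!HH", 0x0010, len(lst)) + lst      # ALPN extension
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def inspect_flow_start(data):
    """What an egress inspector can learn from the first bytes of a flow.

    Returns a dict.  If the bytes are not a TLS handshake record the answer is
    just {"tls": False}; otherwise the cleartext ClientHello fields are
    extracted.  Nothing after the handshake is readable without the keys.
    """
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return {"tls": False}
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < 4 or rec[0] != 0x01:
        return {"tls": True, "client_hello": False}
    body = rec[4:4 + int.from_bytes(rec[1:4], "big")]
    info = {"tls": True, "client_hello": True, "sni": None, "alpn": []}
    pos = 0
    info["version"] = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                       # skip version and random
    pos += 1 + body[pos]                                # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0]
                             for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                # skip compression methods
    if pos + 2 <= len(body):
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000 and len(edata) >= 5:     # server_name: list_len, type, name_len, name
                name_len = struct.unpack("!H", edata[3:5])[0]
                info["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
            elif etype == 0x0010 and len(edata) >= 2:   # ALPN: list_len, then len-prefixed names
                q = 2
                while q < len(edata):
                    n = edata[q]
                    info["alpn"].append(edata[q + 1:q + 1 + n].decode("ascii", "replace"))
                    q += 1 + n
    return info


def log_line(device_ip, dst, data):
    """One line a proxy or firewall could log for a new flow from the device."""
    info = inspect_flow_start(data)
    if not info["tls"]:
        return f"{device_ip} -> {dst}: not a TLS record (first bytes {data[:4].hex()})"
    if not info["client_hello"]:
        return f"{device_ip} -> {dst}: TLS record but not a ClientHello"
    return (f"{device_ip} -> {dst}: TLS ClientHello, sni={info['sni']}, "
            f"alpn={info['alpn']}, {len(info['cipher_suites'])} cipher suites offered")


if __name__ == "__main__":
    # 192.0.2.50 and 203.0.113.10 are documentation addresses, constructed here.
    hello = build_client_hello("support.vendor-office.example", ["http/1.1"])
    print(log_line("192.0.2.50", "203.0.113.10:443", hello))
    print(log_line("192.0.2.50", "203.0.113.10:443", build_client_hello()))
    print(log_line("192.0.2.50", "203.0.113.10:443", b"\x00\x2a\x38\x01" + bytes(40)))
```

The third log line shows the other half of the picture: if whatever the device sends after CONNECT does not start with a TLS record, an inspector that bothers to look can say so, even though it still cannot read the payload. How far a given firewall can tell the tunnel from ordinary browsing therefore depends on how much of this it actually examines.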
Reply by Tauno Voipio, December 8, 2008
David Brown wrote:
> stijn@fx-motion.com wrote:
>> We would like to access an embedded (linux based) device behind a
>> corporate firewall in a production facility.
>>
>> We would like to have telnet / ssh access to the device, but of course
>> our client doesn't want to open any ports so we can access our device.
>>
>> Only outgoing http/https ports are opened towards the internet.
>>
>> We can install a server at our office with a fixed WAN ip address where
>> the device could open a tunnel to.
>>
>> This seems to be a trivial problem with all the IP based tools /
>> software we have today, although I don't find the right solution.
>>
>> I found hardware solutions provided by companies such as eWon and
>> Lantronix, this seems to be great for accessing a PLC or so, but as we
>> can install any software on our own device, I would prefer a software
>> only solution.
>>
>> Are there any lightweight 'VPN' solutions that could be tweaked?
>>
>> Any pointers welcome.
>>
>
> You could use OpenVPN. By default, OpenVPN uses port 1194 UDP, but you
> could choose port 80 TCP (i.e., http) if you prefer.
The OP said HTTP or HTTPS. OpenVPN cannot use them as carrier
protocols. The default is UDP/1194.
Very probably, there is an HTTP(S) proxy, and the tool for
it is corkscrew.
--
Tauno Voipio
tauno voipio (at) iki fi
Reply by David Brown, December 8, 2008
Rene Tschaggelar wrote:
> stijn@fx-motion.com wrote:
>> We would like to access an embedded (linux based) device behind a
>> corporate firewall in a production facility.
>>
>> We would like to have telnet / ssh access to the device, but of course
>> our client doesn't want to open any ports so we can access our device.
>>
>> Only outgoing http/https ports are opened towards the internet.
>>
>> We can install a server at our office with a fixed WAN ip address where
>> the device could open a tunnel to.
>>
>> This seems to be a trivial problem with all the IP based tools /
>> software we have today, although I don't find the right solution.
>>
>> I found hardware solutions provided by companies such as eWon and
>> Lantronix, this seems to be great for accessing a PLC or so, but as we
>> can install any software on our own device, I would prefer a software
>> only solution.
>>
>> Are there any lightweight 'VPN' solutions that could be tweaked?
>>
>> Any pointers welcome.
>
> You should respect the customer's wish for not
> having a constant connection. Have a button on
> the device, such that the customer can initiate
> a connection to your server in case a problem
> arises. You cannot expect the device to be
> able to connect any time. At least I would
> stop a device calling home at random intervals
> without a reason.
He did not say that the customer doesn't want a permanent connection,
just that they don't want a port forwarded from their firewall and they
only allow limited outgoing ports. He should, of course, check that the
customer is happy with his box having a permanent connection through a
VPN - presumably the customer's IT folk would not allow him to connect
the box to their network at all until they are happy with it.
Reply by Rene Tschaggelar, December 8, 2008
stijn@fx-motion.com wrote:
> We would like to access an embedded (linux based) device behind a
> corporate firewall in a production facility.
>
> We would like to have telnet / ssh access to the device, but of course
> our client doesn't want to open any ports so we can access our device.
>
> Only outgoing http/https ports are opened towards the internet.
>
> We can install a server at our office with a fixed WAN ip address where
> the device could open a tunnel to.
>
> This seems to be a trivial problem with all the IP based tools /
> software we have today, although I don't find the right solution.
>
> I found hardware solutions provided by companies such as eWon and
> Lantronix, this seems to be great for accessing a PLC or so, but as we
> can install any software on our own device, I would prefer a software
> only solution.
>
> Are there any lightweight 'VPN' solutions that could be tweaked?
>
> Any pointers welcome.
You should respect the customer's wish for not
having a constant connection. Have a button on
the device, such that the customer can initiate
a connection to your server in case a problem
arises. You cannot expect the device to be
able to connect any time. At least I would
stop a device calling home at random intervals
without a reason.
Reply by David Brown, December 7, 2008
stijn@fx-motion.com wrote:
> We would like to access an embedded (linux based) device behind a
> corporate firewall in a production facility.
>
> We would like to have telnet / ssh access to the device, but of course
> our client doesn't want to open any ports so we can access our device.
>
> Only outgoing http/https ports are opened towards the internet.
>
> We can install a server at our office with a fixed WAN ip address where
> the device could open a tunnel to.
>
> This seems to be a trivial problem with all the IP based tools /
> software we have today, although I don't find the right solution.
>
> I found hardware solutions provided by companies such as eWon and
> Lantronix, this seems to be great for accessing a PLC or so, but as we
> can install any software on our own device, I would prefer a software
> only solution.
>
> Are there any lightweight 'VPN' solutions that could be tweaked?
>
> Any pointers welcome.
>
You could use OpenVPN. By default, OpenVPN uses port 1194 UDP, but you
could choose port 80 TCP (i.e., http) if you prefer.
Reply by Tauno Voipio, December 7, 2008
stijn@fx-motion.com wrote:
> We would like to access an embedded (linux based) device behind a
> corporate firewall in a production facility.
>
> We would like to have telnet / ssh access to the device, but of course
> our client doesn't want to open any ports so we can access our device.
>
> Only outgoing http/https ports are opened towards the internet.
>
> We can install a server at our office with a fixed WAN ip address where
> the device could open a tunnel to.
>
> This seems to be a trivial problem with all the IP based tools /
> software we have today, although I don't find the right solution.
>
> I found hardware solutions provided by companies such as eWon and
> Lantronix, this seems to be great for accessing a PLC or so, but as we
> can install any software on our own device, I would prefer a software
> only solution.
>
> Are there any lightweight 'VPN' solutions that could be tweaked?
>
> Any pointers welcome.
This might be a place for corkscrew - Google for it.
It contains a mechanism for tunneling over HTTP(S).
--
Tauno Voipio
tauno voipio (at) iki fi
Original post by stijn@fx-motion.com, December 7, 2008
We would like to access an embedded (linux based) device behind a
corporate firewall in a production facility.

We would like to have telnet / ssh access to the device, but of course
our client doesn't want to open any ports so we can access our device.

Only outgoing http/https ports are opened towards the internet.

We can install a server at our office with a fixed WAN ip address where
the device could open a tunnel to.

This seems to be a trivial problem with all the IP based tools /
software we have today, although I don't find the right solution.

I found hardware solutions provided by companies such as eWon and
Lantronix, this seems to be great for accessing a PLC or so, but as we
can install any software on our own device, I would prefer a software
only solution.

Are there any lightweight 'VPN' solutions that could be tweaked?

Any pointers welcome.