Reply by Grant Edwards December 9, 2008
On 2008-12-09, David Brown <david@westcontrol.removethisbit.com> wrote:

>>> You could use OpenVPN. By default, OpenVPN uses port 1194 UDP, but
>>> you could choose port 80 TCP (i.e., http) if you prefer.
>>
>> The OP said HTTP or HTTPS. OpenVPN cannot use them as carrier
>> protocols. The default is UDP/1194.
>
> He said the http/https *ports* were open. OpenVPN cannot use
> http as a carrier.
There are, however, ways to tunnel IP through HTTP:

http://www.nocrew.org/software/httptunnel.html

I've never tried it, and proxies can be set up to defeat such tunnelling.
> But it is perfectly possible to have OpenVPN use port 80 tcp,
> as long as it can get a direct connection. If there is an http
> proxy in the way, then it will of course cause trouble. It is
> therefore probably easier to use port 443 - proxies do not
> (because they *cannot*) cache or otherwise interfere with SSL
> traffic.
I can vouch for the fact that OpenVPN works fine with an https proxy.
>> Very probably, there is an HTTP(S) proxy, and the tool for
>> it is corkscrew.
>
> Or one of many other similar tools - the OP should have a look
> at what is available before deciding.
>
> Of course, the customer has set up his firewall rules for a
> reason. Any system designed to get round these rules should
> be cleared with the customer before use.
Agreed. Under no circumstance should you do something like that at a customer site without the customer's approval. In writing. Assuming they're OK with your device phoning home, they'd probably rather open a hole in the firewall to a specific destination than turn you loose with a VPN/tunnelling setup.

--
Grant Edwards                   grante at visi.com
Yow! Well, I'm INVISIBLE AGAIN ... I might as well pay a visit to the LADIES ROOM ...
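The proxy-side view of the corkscrew / port-443 approach discussed in this thread, as an added example that is not code from the thread, from corkscrew or from OpenVPN: the customer's HTTP(S) proxy only ever sees a CONNECT request, and once it answers 200 it relays raw bytes it cannot inspect, so the allowlist decision shown here is where the "hole to a specific destination" that Grant recommends actually lives. The hostname, allowlist and request lines are constructed placeholders.

```python
import re

# Request line a tunnelling client (corkscrew, OpenVPN's http-proxy mode) sends to the proxy.
CONNECT_RE = re.compile(
    rb"^CONNECT\s+(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]\r\n"
)

# Constructed allowlist: the single vendor endpoint the customer agreed to in writing.
ALLOWED = {("support.vendor.example", 443)}

def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request, or None if it is not a well-formed CONNECT."""
    m = CONNECT_RE.match(request)
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return m.group("host").decode("ascii").lower(), port

def decide(request: bytes, allowed=ALLOWED, audit=None):
    """Proxy-side decision for one CONNECT attempt: returns the status line to send back.
    A 200 means the proxy would now relay raw bytes (TLS, SSH, OpenVPN...) unchanged, so
    this allowlist is the only real control point. Appends (verdict, detail) to `audit`."""
    target = parse_connect(request)
    if target is None:
        if audit is not None:
            audit.append(("malformed", request[:64]))
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if target in allowed:
        if audit is not None:
            audit.append(("allow", target))
        return b"HTTP/1.1 200 Connection established\r\n\r\n"
    if audit is not None:
        audit.append(("deny", target))
    return b"HTTP/1.1 403 Forbidden\r\n\r\n"

if __name__ == "__main__":
    log = []
    for req in (
        b"CONNECT support.vendor.example:443 HTTP/1.1\r\nHost: support.vendor.example:443\r\n\r\n",
        b"CONNECT 203.0.113.7:22 HTTP/1.1\r\n\r\n",  # constructed: direct SSH out, not approved
        b"GET / HTTP/1.1\r\n\r\n",                   # constructed: not a tunnel request at all
    ):
        print(decide(req, audit=log).split(b"\r\n")[0].decode())
    print(log)
```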
Reply by David Brown December 9, 2008
Tauno Voipio wrote:
> David Brown wrote:
>> stijn@fx-motion.com wrote:
>>> We would like to access an embedded (linux based) device behind a
>>> corporate firewall in a production facility.
>>>
>>> We would like to have telnet / ssh access to the device, but of course
>>> our client doesn't want to open any ports so we can access our device.
>>>
>>> Only outgoing http/https ports are opened towards the internet.
>>>
>>> We can install a server at our office with a fixed WAN ip address where
>>> the device could open a tunnel to.
>>>
>>> This seems to be a trivial problem with all the IP based tools /
>>> software we have today, although I don't find the right solution.
>>>
>>> I found hardware solutions provided by companies as eWon and
>>> Lantronix, this seems to be great for accessing a PLC or so, but as we
>>> can install any software on our own device, I would prefer a software
>>> only solution.
>>>
>>> Are there any lightweight 'VPN' solutions that could be tweaked?
>>>
>>> Any pointers welcome.
>>>
>>
>> You could use OpenVPN. By default, OpenVPN uses port 1194 UDP, but
>> you could choose port 80 TCP (i.e., http) if you prefer.
>
>
> The OP said HTTP or HTTPS. OpenVPN cannot use them as carrier
> protocols. The default is UDP/1194.
>
He said the http/https *ports* were open. OpenVPN cannot use http as a carrier. But it is perfectly possible to have OpenVPN use port 80 tcp, as long as it can get a direct connection. If there is an http proxy in the way, then it will of course cause trouble. It is therefore probably easier to use port 443 - proxies do not (because they *cannot*) cache or otherwise interfere with SSL traffic.
> Very probably, there is an HTTP(S) proxy, and the tool for
> it is corkscrew.
>
Or one of many other similar tools - the OP should have a look at what is available before deciding.

Of course, the customer has set up his firewall rules for a reason. Any system designed to get round these rules should be cleared with the customer before use.
Reply by Grant Edwards December 8, 2008
On 2008-12-08, Tauno Voipio <tauno.voipio@INVALIDiki.fi> wrote:

> The OP said HTTP or HTTPS. OpenVPN cannot use them as carrier
> protocols. The default is UDP/1194.
Since HTTPS is encrypted using SSL/TLS, there's no way for the firewall to tell the difference between HTTPS and any other protocol using SSL/TLS. I use OpenVPN via an HTTPS proxy all the time. It works fine.
> Very probably, there is an HTTP(S) proxy, and the tool for
> it is corkscrew.
--
Grant Edwards                   grante at visi.com
Yow! I feel like a wet parking meter on Darvon!
Reply by Tauno Voipio December 8, 2008
David Brown wrote:
> stijn@fx-motion.com wrote:
>> We would like to access an embedded (linux based) device behind a
>> corporate firewall in a production facility.
>>
>> We would like to have telnet / ssh access to the device, but of course
>> our client doesn't want to open any ports so we can access our device.
>>
>> Only outgoing http/https ports are opened towards the internet.
>>
>> We can install a server at our office with a fixed WAN ip address where
>> the device could open a tunnel to.
>>
>> This seems to be a trivial problem with all the IP based tools /
>> software we have today, although I don't find the right solution.
>>
>> I found hardware solutions provided by companies as eWon and
>> Lantronix, this seems to be great for accessing a PLC or so, but as we
>> can install any software on our own device, I would prefer a software
>> only solution.
>>
>> Are there any lightweight 'VPN' solutions that could be tweaked?
>>
>> Any pointers welcome.
>>
>
> You could use OpenVPN. By default, OpenVPN uses port 1194 UDP, but you
> could choose port 80 TCP (i.e., http) if you prefer.
The OP said HTTP or HTTPS. OpenVPN cannot use them as carrier protocols. The default is UDP/1194.

Very probably, there is an HTTP(S) proxy, and the tool for it is corkscrew.

--
Tauno Voipio
tauno voipio (at) iki fi
Reply by David Brown December 8, 2008
Rene Tschaggelar wrote:
> stijn@fx-motion.com wrote:
>> We would like to access an embedded (linux based) device behind a
>> corporate firewall in a production facility.
>>
>> We would like to have telnet / ssh access to the device, but of course
>> our client doesn't want to open any ports so we can access our device.
>>
>> Only outgoing http/https ports are opened towards the internet.
>>
>> We can install a server at our office with a fixed WAN ip address where
>> the device could open a tunnel to.
>>
>> This seems to be a trivial problem with all the IP based tools /
>> software we have today, although I don't find the right solution.
>>
>> I found hardware solutions provided by companies as eWon and
>> Lantronix, this seems to be great for accessing a PLC or so, but as we
>> can install any software on our own device, I would prefer a software
>> only solution.
>>
>> Are there any lightweight 'VPN' solutions that could be tweaked?
>>
>> Any pointers welcome.
>
> You should respect the customer's wish for not
> having a constant connection. Have a button on
> the device, such that the customer can initiate
> a connection to your server in case a problem
> arises. You cannot expect the device to be
> able to connect any time. At least I would
> stop a device calling home at random intervals
> without a reason.
He did not say that the customer doesn't want a permanent connection, just that they don't want a port forwarded from their firewall and they only allow limited outgoing ports. He should, of course, check that the customer is happy with his box having a permanent connection through a VPN - presumably the customer's IT folk would not allow him to connect the box to their network at all until they are happy with it.
Reply by Rene Tschaggelar December 8, 2008
stijn@fx-motion.com wrote:
> We would like to access an embedded (linux based) device behind a
> corporate firewall in a production facility.
>
> We would like to have telnet / ssh access to the device, but of course
> our client doesn't want to open any ports so we can access our device.
>
> Only outgoing http/https ports are opened towards the internet.
>
> We can install a server at our office with a fixed WAN ip address where
> the device could open a tunnel to.
>
> This seems to be a trivial problem with all the IP based tools /
> software we have today, although I don't find the right solution.
>
> I found hardware solutions provided by companies as eWon and
> Lantronix, this seems to be great for accessing a PLC or so, but as we
> can install any software on our own device, I would prefer a software
> only solution.
>
> Are there any lightweight 'VPN' solutions that could be tweaked?
>
> Any pointers welcome.
You should respect the customer's wish for not having a constant connection. Have a button on the device, such that the customer can initiate a connection to your server in case a problem arises. You cannot expect the device to be able to connect any time. At least I would stop a device calling home at random intervals without a reason.
Reply by David Brown December 7, 2008
stijn@fx-motion.com wrote:
> We would like to access an embedded (linux based) device behind a
> corporate firewall in a production facility.
>
> We would like to have telnet / ssh access to the device, but of course
> our client doesn't want to open any ports so we can access our device.
>
> Only outgoing http/https ports are opened towards the internet.
>
> We can install a server at our office with a fixed WAN ip address where
> the device could open a tunnel to.
>
> This seems to be a trivial problem with all the IP based tools /
> software we have today, although I don't find the right solution.
>
> I found hardware solutions provided by companies as eWon and
> Lantronix, this seems to be great for accessing a PLC or so, but as we
> can install any software on our own device, I would prefer a software
> only solution.
>
> Are there any lightweight 'VPN' solutions that could be tweaked?
>
> Any pointers welcome.
>
You could use OpenVPN. By default, OpenVPN uses port 1194 UDP, but you could choose port 80 TCP (i.e., http) if you prefer.
Reply by Tauno Voipio December 7, 2008
stijn@fx-motion.com wrote:
> We would like to access an embedded (linux based) device behind a
> corporate firewall in a production facility.
>
> We would like to have telnet / ssh access to the device, but of course
> our client doesn't want to open any ports so we can access our device.
>
> Only outgoing http/https ports are opened towards the internet.
>
> We can install a server at our office with a fixed WAN ip address where
> the device could open a tunnel to.
>
> This seems to be a trivial problem with all the IP based tools /
> software we have today, although I don't find the right solution.
>
> I found hardware solutions provided by companies as eWon and
> Lantronix, this seems to be great for accessing a PLC or so, but as we
> can install any software on our own device, I would prefer a software
> only solution.
>
> Are there any lightweight 'VPN' solutions that could be tweaked?
>
> Any pointers welcome.
This might be a place for corkscrew - Google for it. It contains a mechanism for tunneling over HTTP(S).

--
Tauno Voipio
tauno voipio (at) iki fi
Reply by stijn@fx-motion.com December 7, 2008
We would like to access an embedded (linux based) device behind a
corporate firewall in a production facility.

We would like to have telnet / ssh access to the device, but of course
our client doesn't want to open any ports so we can access our device.

Only outgoing http/https ports are opened towards the internet.

We can install a server at our office with a fixed WAN ip address where
the device could open a tunnel to.

This seems to be a trivial problem with all the IP based tools /
software we have today, although I don't find the right solution.

I found hardware solutions provided by companies as eWon and
Lantronix, this seems to be great for accessing a PLC or so, but as we
can install any software on our own device, I would prefer a software
only solution.

Are there any lightweight 'VPN' solutions that could be tweaked?

Any pointers welcome.