EmbeddedRelated.com
Forums

Accessing embedded device behind firewall

Started by Unknown December 7, 2008
We would like to access a embedded (linux based) device behind a
corporate firewall in a production facility.

We would like to have telnet / ssh access to the device, but offcoarse
our client doesn't want to open any ports so we can access our device.

Only outgoing http/https ports are opened towards the internet.

We can install a server at our office with a fixed WAN ip adres where
the device could open  a tunnel to.

This seems to be a trivial problem with all the IP based tools /
software we have today, altough i don't find the right solution.

I found hardware solutions provided by companies as eWon and
Lantronix, this seems to be great for accessing a PLC or so, but as we
can install any software on our own device, i would prefer a software
only solution.

Are there any lightweight  'VPN' solutions that could be tweaked ?

Any pointers welcome.







stijn@fx-motion.com wrote:
> We would like to access a embedded (linux based) device behind a > corporate firewall in a production facility. > > We would like to have telnet / ssh access to the device, but offcoarse > our client doesn't want to open any ports so we can access our device. > > Only outgoing http/https ports are opened towards the internet. > > We can install a server at our office with a fixed WAN ip adres where > the device could open a tunnel to. > > This seems to be a trivial problem with all the IP based tools / > software we have today, altough i don't find the right solution. > > I found hardware solutions provided by companies as eWon and > Lantronix, this seems to be great for accessing a PLC or so, but as we > can install any software on our own device, i would prefer a software > only solution. > > Are there any lightweight 'VPN' solutions that could be tweaked ? > > Any pointers welcome.
This might be a place for corkscrew - Google for it. It contains a mechanism for tunneling over HTTP (S). -- Tauno Voipio tauno voipio (at) iki fi
stijn@fx-motion.com wrote:
> We would like to access a embedded (linux based) device behind a > corporate firewall in a production facility. > > We would like to have telnet / ssh access to the device, but offcoarse > our client doesn't want to open any ports so we can access our device. > > Only outgoing http/https ports are opened towards the internet. > > We can install a server at our office with a fixed WAN ip adres where > the device could open a tunnel to. > > This seems to be a trivial problem with all the IP based tools / > software we have today, altough i don't find the right solution. > > I found hardware solutions provided by companies as eWon and > Lantronix, this seems to be great for accessing a PLC or so, but as we > can install any software on our own device, i would prefer a software > only solution. > > Are there any lightweight 'VPN' solutions that could be tweaked ? > > Any pointers welcome. >
You could use OpenVPN. By default, OpenVPN uses port 1194 UDP, but you could choose port 80 TCP (i.e., http) if you prefer.
stijn@fx-motion.com wrote:
> We would like to access a embedded (linux based) device behind a > corporate firewall in a production facility. > > We would like to have telnet / ssh access to the device, but offcoarse > our client doesn't want to open any ports so we can access our device. > > Only outgoing http/https ports are opened towards the internet. > > We can install a server at our office with a fixed WAN ip adres where > the device could open a tunnel to. > > This seems to be a trivial problem with all the IP based tools / > software we have today, altough i don't find the right solution. > > I found hardware solutions provided by companies as eWon and > Lantronix, this seems to be great for accessing a PLC or so, but as we > can install any software on our own device, i would prefer a software > only solution. > > Are there any lightweight 'VPN' solutions that could be tweaked ? > > Any pointers welcome.
You should respect the customers wish for not having a constant connection. Have a button on the device, such that the customer can initiate a connection to your server in case a problem arises. You cannot expect the device to be able to connect any time. At least I would stop a device calling home at random intervals without a reason.
Rene Tschaggelar wrote:
> stijn@fx-motion.com wrote: >> We would like to access a embedded (linux based) device behind a >> corporate firewall in a production facility. >> >> We would like to have telnet / ssh access to the device, but offcoarse >> our client doesn't want to open any ports so we can access our device. >> >> Only outgoing http/https ports are opened towards the internet. >> >> We can install a server at our office with a fixed WAN ip adres where >> the device could open a tunnel to. >> >> This seems to be a trivial problem with all the IP based tools / >> software we have today, altough i don't find the right solution. >> >> I found hardware solutions provided by companies as eWon and >> Lantronix, this seems to be great for accessing a PLC or so, but as we >> can install any software on our own device, i would prefer a software >> only solution. >> >> Are there any lightweight 'VPN' solutions that could be tweaked ? >> >> Any pointers welcome. > > You should respect the customers wish for not > having a constant connection. Have a button on > the device, such that the customer can initiate > a connection to your server in case a problem > arises. You cannot expect the device to be > able to connect any time. At least I would > stop a device calling home at random intervals > without a reason.
He did not say that the customer doesn't want a permanent connection, just that they don't want a port forwarded from their firewall and they only allow limited outgoing ports. He should, of course, check that the customer is happy with his box having a permanent connection through a VPN - presumably the customer's IT folk would not allow him to connect the box to their network at all until they are happy with it.
David Brown wrote:
> stijn@fx-motion.com wrote: >> We would like to access a embedded (linux based) device behind a >> corporate firewall in a production facility. >> >> We would like to have telnet / ssh access to the device, but offcoarse >> our client doesn't want to open any ports so we can access our device. >> >> Only outgoing http/https ports are opened towards the internet. >> >> We can install a server at our office with a fixed WAN ip adres where >> the device could open a tunnel to. >> >> This seems to be a trivial problem with all the IP based tools / >> software we have today, altough i don't find the right solution. >> >> I found hardware solutions provided by companies as eWon and >> Lantronix, this seems to be great for accessing a PLC or so, but as we >> can install any software on our own device, i would prefer a software >> only solution. >> >> Are there any lightweight 'VPN' solutions that could be tweaked ? >> >> Any pointers welcome. >> > > You could use OpenVPN. By default, OpenVPN uses port 1194 UDP, but you > could choose port 80 TCP (i.e., http) if you prefer.
The OP said HTTP or HTTPS. OpenVPN cannot use them as carrier protocols. The default is UDP/1194. Very probably, there is a HTTP(S) proxy, and the tool for it is corkscrew. -- Tauno Voipio tauno voipio (at) iki fi
On 2008-12-08, Tauno Voipio <tauno.voipio@INVALIDiki.fi> wrote:

> The OP said HTTP or HTTPS. OpenVPN cannot use them as carrier > protocols. The default is UDP/1194.
Since HTTPS is encrypted using SSL/TLS, there's no way for the firewall to tell the difference between HTTPS and any other protocol using SSL/TLS. I use OpenVPN via an HTTPS proxy all the time. It works fine.
> Very probably, there is a HTTP(S) proxy, and the tool for > it is corkscrew.
-- Grant Edwards grante Yow! I feel like a wet at parking meter on Darvon! visi.com
Tauno Voipio wrote:
> David Brown wrote: >> stijn@fx-motion.com wrote: >>> We would like to access a embedded (linux based) device behind a >>> corporate firewall in a production facility. >>> >>> We would like to have telnet / ssh access to the device, but offcoarse >>> our client doesn't want to open any ports so we can access our device. >>> >>> Only outgoing http/https ports are opened towards the internet. >>> >>> We can install a server at our office with a fixed WAN ip adres where >>> the device could open a tunnel to. >>> >>> This seems to be a trivial problem with all the IP based tools / >>> software we have today, altough i don't find the right solution. >>> >>> I found hardware solutions provided by companies as eWon and >>> Lantronix, this seems to be great for accessing a PLC or so, but as we >>> can install any software on our own device, i would prefer a software >>> only solution. >>> >>> Are there any lightweight 'VPN' solutions that could be tweaked ? >>> >>> Any pointers welcome. >>> >> >> You could use OpenVPN. By default, OpenVPN uses port 1194 UDP, but >> you could choose port 80 TCP (i.e., http) if you prefer. > > > The OP said HTTP or HTTPS. OpenVPN cannot use them as carrier > protocols. The default is UDP/1194. >
He said the http/https *ports* were open. OpenVPN cannot use http as a carrier. But it is perfectly possible to have OpenVPN use port 80 tcp, as long as it can get a direct connection. If there is a http proxy in the way, then it will of course cause trouble. It is therefore probably easier to use port 443 - proxies do not (because they *cannot*) cache or otherwise interfere with SSL traffic.
> Very probably, there is a HTTP(S) proxy, and the tool for > it is corkscrew. >
Or one of many other similar tools - the OP should have a look at what is available before deciding. Of course, the customer has set up his firewall rules for a reason. Any system designed to get round these rules should be cleared with the customer before use.
On 2008-12-09, David Brown <david@westcontrol.removethisbit.com> wrote:

>>> You could use OpenVPN. By default, OpenVPN uses port 1194 UDP, but >>> you could choose port 80 TCP (i.e., http) if you prefer. >> >> The OP said HTTP or HTTPS. OpenVPN cannot use them as carrier >> protocols. The default is UDP/1194. > > He said the http/https *ports* were open. OpenVPN cannot use > http as a carrier.
There are, however, ways to tunnel IP through HTTP: http://www.nocrew.org/software/httptunnel.html I've never tried it, and proxies can be set up to defeat such tunnelling
> But it is perfectly possible to have OpenVPN use port 80 tcp, > as long as it can get a direct connection. If there is a http > proxy in the way, then it will of course cause trouble. It is > therefore probably easier to use port 443 - proxies do not > (because they *cannot*) cache or otherwise interfere with SSL > traffic.
I can vouche for the fact that OpenVPN works fine with an https proxy.
>> Very probably, there is a HTTP(S) proxy, and the tool for >> it is corkscrew. > > Or one of many other similar tools - the OP should have a look > at what is available before deciding. > > Of course, the customer has set up his firewall rules for a > reason. Any system designed to get round these rules should > be cleared with the customer before use.
Agreed. Under no circumstance should you do something like that at a customer site without the customer's approval. In writing. Assuming they're OK with your device phoning home, they'd probably rather open a hole in the firewall to a specific destination than turn you loose with a VPN/tunnelling setup. -- Grant Edwards grante Yow! Well, I'm INVISIBLE at AGAIN ... I might as well visi.com pay a visit to the LADIES ROOM ...