OpenVPN is a VPN server and client which can connect over either TCP or UDP ports. For this reason, it’s an ideal candidate for connecting out of a restrictive corporate network. This article shows you how to set up your OpenVPN client to connect from behind a restrictive firewall and HTTP proxy.
I recently set up my Ubiquiti EdgeMax EdgeRouter Lite as an OpenVPN client. While this worked great on a lightly restricted network, it was no match for an enterprise network complete with an authenticating HTTP proxy and extensive blacklists. For this guide, I’m going to use the EdgeMax router as the VPN client. However, you can use any OpenVPN client – simply by modifying the configuration file. If you’re using the EdgeMax, read my previous guide to first do the basic OpenVPN client setup.
When Is It Alright To Circumvent a Firewall?
There are many reasons you might try to circumvent network filters, and most are probably less than legitimate. It’s up to you to determine whether it’s acceptable to bypass restrictions that were explicitly put in place. Doing so can have very severe consequences, especially if you don’t fully know what you are doing. You could expose very sensitive information to the public. You could infect a network. You could bring a business to its knees.
I have circumvented firewalls using this method in the past, but only when I have been given explicit permission to do so by the IT guy or business owner.
Sometimes it’s too much effort for the IT guy to create extra firewall rules for you, especially if it’s for a short event such as an outside broadcast. Perhaps the on-site people don’t know how everything is set up and don’t want to re-hire the contractors who set it up originally.
What you do is your responsibility. You are accountable for your own actions. Be responsible.
Why OpenVPN?
I have only recently started using OpenVPN. The advantages are:
- Can run on one TCP port (e.g. 443)
- Tunnels UDP packets via TCP tunnel
- Cheap
- Easy to set up
- Will tunnel via an HTTP proxy
- Performance good enough for radio outside broadcasts
OpenVPN has been designed specifically to get through the toughest of network conditions securely and reliably. Its traffic looks remarkably like an SSL connection. SSL packets can’t be inspected the same way plain HTTP packets can, so they generally slip through a proxy unscathed unless the proxy performs SSL interception.
Finding Firewall Holes
The first step to getting your tunnel out through a firewall/proxy is working out what is actually allowed out onto the public internet. Once you have worked this out, you can set up your VPN accordingly.
How do I find firewall holes?
Many networks, even the more restrictive ones, have a series of common outgoing TCP ports open to the public internet. These ports may include:
- 80 (Web)
- 110 (POP3)
- 143 (IMAP)
- 443 (Web SSL)
- 993 (IMAP over SSL)
To easily determine whether these ports allow traffic through, set up an SSH server on the internet to accept connections on all of these ports. Using an SSH client (PuTTY on Windows or Terminal on Mac/Linux), you can then attempt to connect to each of them. If one works, then you have a very easy way out of the network.
Occasionally none of these ports will work, but you may notice that services such as email and web traffic still work correctly on your computer. What is going on here? This could mean your network has one or more of the following:
- HTTP Proxy
- Whitelisted internet servers
- Packet sniffing and deep inspection
HTTP proxies typically sit in front of ports 80 and 443, and perform both filtering and caching.
Whitelisting is more commonly used for the other ports, specifically the email ones. A set of approved mail servers is allowed access, and everything else is barred. Whitelisting may also take place within your HTTP proxy – only certain websites are allowed through, and everything else is barred.
Packet sniffing and deep inspection take network security to a whole other level: each packet is checked and compared against a set of known-good packets, and packets deemed unworthy are dropped. I haven’t seen a network which does this, but you might be lucky enough to find one.
Using Alternative Ports
If you have found an alternative port, such as an email port, which is open to everyone, then you should have an easy time getting your VPN up and running. Simply configure your OpenVPN server to also accept connections on this open port. Once you have reconfigured your client and server to talk on the same port, you should be able to connect.
Using an HTTP Proxy
It is possible to get a reliable VPN tunnel connected through an HTTP Proxy. I’ve done it. I’ve run Outside Broadcasts using this method.
The OpenVPN client needs to be configured with the following directive (YYY.YYY.YYY.YYY is a placeholder for your proxy’s IP address):
http-proxy YYY.YYY.YYY.YYY 8080
Once you add this line with the IP address and port of your proxy, the client should be able to connect. How do you add this to an EdgeMax? Simply add this line to the OVPN configuration file and re-upload it to your Ubiquiti EdgeMax via SSH file transfer.
You should now be able to connect to the tunnel via the proxy. If not, check the error logs to see what is being reported.
OpenVPN Client through Proxy Disconnects
If your OpenVPN tunnel disconnects after a period of time running through the proxy, there is a solution! The trick is to add the “--float” option to the client. This tells OpenVPN to keep accepting authenticated packets from the peer even if the source IP address or port has changed, which is what happens when the proxy’s outbound address changes mid-session.
Here are the commands you need to add this option to the EdgeMax via the CLI:
configure
set interfaces openvpn vtun0 openvpn-option "--float"
commit
save
Once you restart the VPN tunnel you should now have a VPN tunnel that stays up for much, much longer.
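For reference, here is a complete client configuration file that combines the http-proxy and float directives described above. It is an added example, not a file from the original article or from Ubiquiti; the server name, proxy address, port and certificate file names are placeholders you would replace with your own.

```text
# Constructed example OpenVPN client config (placeholders, not real values).
client
dev tun
# An HTTP proxy can only relay TCP connections (HTTP CONNECT), so the tunnel
# must use TCP rather than UDP, on a port the proxy already allows outbound.
proto tcp-client
remote vpn.example.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
# Address and port of the HTTP proxy (the directive from the article).
http-proxy 10.0.0.1 8080
# Accept authenticated packets from the peer even if its source address or
# port changes; this is what stops the session dropping behind the proxy.
float
# Verify the server certificate is actually a server certificate, and use the
# HMAC key so the server discards unauthenticated packets before the handshake.
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
verb 3
```

On the EdgeMax the same lines go into the OVPN file you upload; on a desktop OpenVPN client you can load the file directly.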
Radio Outside Broadcasts via VPN Tunnel
As I mentioned earlier, you can run outside broadcasts using this method. I’ll be writing about it in a future article. Brilliant for broadcasting from that local school, club or business.
Photo Credit: vkramer / sxc.ht