Monday, September 12, 2005

A VPN for Road Warriors

As a traveling consultant, I often find myself working for clients that have very restrictive internet access policies (to say the least).  I have worked for clients that keep things so locked down that I actually have difficulty doing my job as a developer.  One client in particular was causing me grief because of the following restrictions:

  • No outside laptops on the network (they issued me one when I got there).  Their intent is to stop outsiders from introducing worms or viruses, but in reality it is just a pain for the hundreds of contractors that are engaged there and an added expense in needing to provide a laptop to everyone.  I was lucky enough to get local admin rights to my laptop, but there are plenty that don’t have that.  With local admin access, I could at least install the tools I needed to get my job done.
  • No outside mail on the network – including all types of web mail.  This is also intended to stop the spread of any mail bound viruses.  I would think they would make an exception for work email, but that is not the case.  This means that I am totally disconnected from the mothership except for my smartphone during the day.  This is pretty hard to deal with as I get plenty of mail from work during the day and ignoring it until I can check it from the hotel is usually not a good option.
  • Extremely restrictive web filtering:  I am talking no blogs, no Google groups, nothing remotely related to the word ‘download’.  This hurts a bit since I tend to use Google groups and blogs quite a bit for .NET development.  I never realized what a handicap this would be until I tried to go without it.  I think the intent here is to keep people from looking at anything considered ‘social’.

I respect the intent of the restrictions, no matter the methods used.  I decided to keep the spirit of this and just terminal into my home machine when I needed to check my work mail and look at Google groups for answers.  I would leave the local drives disconnected so as not to introduce anything from their network to mine or vice versa.  This would keep their network risk free of the viruses they were afraid of, but allow me to be able to function.  It initially worked pretty well and I was able to just keep a remote window open and reference it as needed during the day.

Then something changed… I could no longer access my machine using RDS.  I managed to RDS to another machine and then RDS from there back to my machine.  I changed the port my server listened on from the default 3389 and got it working again.  This told me that they had decided to block 3389.  Things continued fine for a few more weeks when all of a sudden, it stopped working again.  This time, it looked like they had put a filter on the firewall to block all RDS traffic because port changing had no effect.  I could see this was an escalating arms race.  I decided to look at getting a personal VPN solution.

In my research, I found that there are a few consumer router models on the market that can act as VPN end-points.  I also knew that I could buy a Linksys WRT54G and use something like Sveasoft to get a cheap but sophisticated VPN solution.  However, the one nagging issue with all of these was that they relied on either IPSec or PPTP.  These can easily be blocked and cannot traverse an HTTP Proxy.  I wanted something that would tunnel through an HTTP Proxy – which meant SSL VPN.

If you are not aware, buying an SSL VPN device is not a cheap proposition (they start in the low $10K ranges).  Some of them are a bit of a misnomer as well, as they just web-ify certain applications but do not actually provide a VPN.  In my searching, I finally found OpenVPN.  It is a free, flexible, and powerful software SSL VPN solution.  All I had to do was set up the VPN client on my home machine and my laptop, create a couple of certificates (easy to do), twiddle the config slightly, and I had an encrypted connection back to my home server to use as I please.  I also had to use port forwarding to send the OpenVPN traffic through my router’s firewall to my home machine VPN server.  If I really wanted to, I could even route my internet traffic over the SSL VPN and evade their proxy server filtering completely.  However, as I mentioned earlier, it is not my intent to do anything that violates the spirit of why they have these restrictions.  So, I am typing this in my RDS session that is being tunneled through the proxy server over an encrypted SSL VPN connection.  I have launched the latest salvo in the arms race, I wonder what will be next…
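For readers who want to see what the "twiddle the config slightly" step looks like, here is a pair of OpenVPN 2.x configuration files that I am adding as an illustration; they are not the author's actual configs.  The server runs on the home machine behind a router that port-forwards TCP 443 to it, and the client is told to reach it through the client site's HTTP proxy with the `http-proxy` directive (OpenVPN speaks TCP, which is what lets an HTTP proxy's CONNECT method carry it).  The hostname `home.example.com`, the proxy address `proxy.example.internal:8080`, the tunnel subnet and the certificate file names are assumed values; the certificate and key files are the ones produced by OpenVPN's bundled easy-rsa scripts.  Note what is deliberately absent: the server does not push `redirect-gateway`, so only the home machine (and the tunnel subnet) is reachable over the VPN, which matches the author's stated intent of not routing general internet traffic through it.

```conf
########## server.conf (home machine, listens behind router port-forward of TCP 443) ##########
port 443                         # forwarded by the home router to this machine
proto tcp-server                 # TCP so an HTTP proxy's CONNECT can carry the session
dev tun
ca   ca.crt                      # CA, server and client certs from easy-rsa (assumed names)
cert server.crt
key  server.key
dh   dh2048.pem
tls-auth ta.key 0                # pre-shared HMAC key: unauthenticated packets to the
                                 # exposed port are dropped before the TLS handshake
server 10.8.0.0 255.255.255.0    # assumed tunnel subnet; clients get 10.8.0.x
keepalive 10 120
persist-key
persist-tun
verb 3
# No "push redirect-gateway": the tunnel carries only traffic for the home machine,
# leaving the client site's web proxy in charge of ordinary browsing.

########## client.ovpn (laptop at the client site) ##########
client
dev tun
proto tcp-client
remote home.example.com 443      # assumed home hostname
http-proxy proxy.example.internal 8080   # assumed address of the site's HTTP proxy;
                                 # add an auth file argument if the proxy requires login
connect-retry 5                  # keep retrying if the proxy drops the CONNECT
nobind
ca   ca.crt
cert laptop.crt
key  laptop.key
tls-auth ta.key 1                # other key direction from the server
remote-cert-tls server           # refuse to connect to a client cert posing as the server
persist-key
persist-tun
verb 3
```

Once both sides are up, the laptop reaches the home machine at its tunnel address (10.8.0.1 under the assumed subnet), so the Remote Desktop client is pointed there rather than at the public address, and the RDS traffic rides inside the TLS session instead of crossing the firewall on its own port.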