As a traveling consultant, I often find myself working for clients that have very restrictive internet access policies (to say the least). I have worked for clients that keep things so locked down that I actually have difficulty doing my job as a developer. One client in particular was causing me grief because of the following restrictions:
I respect the intent of the restrictions, no matter the methods used. I decided to keep the spirit of this and just terminal into my home machine when I needed to check my work mail and look at Google Groups for answers. I would leave the local drives disconnected so as not to introduce anything from their network to mine or vice versa. This kept their network free of the virus risk they were afraid of, but allowed me to function. It initially worked pretty well and I was able to just keep a remote window open and reference it as needed during the day.
Then something changed… I could no longer access my machine using RDS. I managed to RDS to another machine and then RDS from there back to my machine. I changed the port my server listened on from the default 3389 and got it working again. This told me that they had decided to block 3389. Things continued fine for a few more weeks when all of a sudden, it stopped working again. This time, it looked like they had put a filter on the firewall to block all RDS traffic, because changing the port had no effect. I could see this was an escalating arms race. I decided to look at getting a personal VPN solution.
In my research, I found that there are a few consumer router models on the market that can act as VPN end-points. I also knew that I could buy a Linksys WRT54G and use something like Sveasoft to get a cheap but sophisticated VPN solution. However, the one nagging issue with all of these was that they relied on either IPSec or PPTP. These can easily be blocked and cannot traverse an HTTP Proxy. I wanted something that would tunnel through an HTTP Proxy – which meant SSL VPN.
If you are not aware, buying an SSL VPN device is not a cheap proposition (they start in the low $10K range). Some of them are a bit of a misnomer as well, as they just web-ify certain applications but do not actually provide a VPN. In my searching, I finally found OpenVPN. It is a free, flexible, and powerful software SSL VPN solution. All I had to do was set up the VPN client on my home machine and my laptop, create a couple of certificates (easy to do), twiddle the config slightly, and I have an encrypted connection back to my home server to use as I please. I also had to use port forwarding to send the OpenVPN traffic through my router’s firewall to the VPN server on my home machine. If I really wanted to, I could even route my internet traffic over the SSL VPN and evade their proxy server filtering completely. However, as I mentioned earlier, it is not my intent to do anything that violates the spirit of why they have these restrictions. So, I am typing this in my RDS session that is being tunneled through the proxy server over an encrypted SSL VPN connection. I have launched the latest salvo in the arms race; I wonder what will be next…
September 12, 2005
This is the personal site of Ryan Dunn, co-author of The .NET Developer's Guide to Directory Services Programming.
Ryan currently works for Microsoft and is the Technical Evangelist for SQL Server Data Services (SSDS).