# what do I need to bypass a restrictive company proxy

## ckx3009

Hello,

I'm actually in a somehow bad situation at work, cause of a proxy server placed in my company's internal network.

- What I have on my own:

A PC able to run Gentoo linux + win7 inside a virtual machine (vmware workstation)

----- or -----

The same PC able to run win7 + Gentoo linux inside a virtual machine (vmware workstation)

A remote server (fast connection) running Gentoo linux (server profile, not hardened) with the usual tools we can find on a server: openssh, mysql, apache2 and so on.

- What I have to face:

the company's network, in particular a proxy server; this proxy server, after having authenticated, allows me only to browse web pages, nothing more.

As far as I know the only open ports are the 80 and 443. 

I can't use those ports for something different than HTTP or HTTPS traffic, cause of (probably) packet inspection: I tried to move the listening port of my ssh server to the 443 but I was unable to contact my server. 

As well, I'm able to contact it by web, I can even manage it using some tools like webmin and anyterm (with apache mod_proxy), but is not what I want due to security problems.

- What I would like:

To route every connection originated by my pc, to the remote server I own, in a similar way to what I do at home: the pc connected to the router, with the router facing the internet.

In other words, I would like to be in a "virtual" LAN with the remote server, and use it as a gateway, tunneling every connection into an SSL tunnel, in order to use the default 443 port (which I can use) and avoid packet inspection (and the deriving traffic blocking).

- What I ask:

On the internet there are a lot of guides and tips to do what I ask... the problem is that every guide I was able to find was not complete enough to perform the full process.

I don't even know exactly which tools I could use to do everything I need. 

I need to perform the configurations both server and client side, when a lot of guides just explain what to do on the client, bypassing the server configuration and the tools used on the server to allow tunneling, connections, vpns and so on.

I would be really grateful if someone could help me out in this painful and probably complex project  :Razz: 

Thanks a lot in advance  :Smile: 

----------

## Goverp

 *Quote:*   

> Post subject: what do I need to bypass a restrictive company proxy

 

I'd start with a job offer from another company.  If your company has put such a restrictive infrastructure in place, they'll probably be most upset if you bypass it.  Their stance may not be logical, but it's their money, and your contract with them probably has a clause in it saying you won't misuse their infrastructure.  Bypassing the restrictions probably counts as misuse.

IMHO If you don't like the restrictions, find another job.

----------

## aCOSwt

If you succeed, you will discover that Goverp is right.

----------

## ckx3009

Well, I appreciate your opinions, but that's not the answer/suggestion I'm looking for... 

I have already bypassed the proxy using the apache mod_proxy in order to redirect some application ports...but is not what I'm looking for.

Edit: 

Really there is no anyone able to give me some help?  

I can't believe that <.<

----------

## keet

Have you tried asking the people in charge of your network?  They could probably make an exception -- it is almost certainly technically possible, though they might admittedly have little interest in doing it.

----------

## Hu

There are people here who are able to help you.  However, it seems none of them have both read the thread and felt a desire to help you.  I concur with keet that getting an exception to the policy is a cleaner and simpler solution than trying to bypass the filtering policy.  Based on what you have told us, the technical bypass would be to establish an SSL-encrypted tunnel to a trusted peer, then run all your traffic over a forwarding protocol inside that tunnel.

----------

## ckx3009

I cannot ask to introduce an exception because just to allow one person to reach one server (for his job) giving him access to a shared folder, we need more than one month...

You can imagine how much time they will need only to consider giving access to someone thought the proxy.

We don't even have a well functioning PC to work with... having the MS exchange servers blocked every 5 seconds, connected a bad network and so on.

This is only due to inefficiency and bad managing.

Anyway yes, it would be an ssl tunnel to a trusted peer, then the traffic would run inside a vpn....I already know that is technically possible, but I need to understand how to realize that in the correct manner.

----------

## Mad Merlin

Sounds like you need... TCP over HTTPS. That sounds pretty gross (because it is), but there's probably some software out there that can do it for you, then you can route over that.

----------

## Naib

just run sshd on port 443 and shell into the box from your work

----------

## Mad Merlin

 *Naib wrote:*   

> just run sshd on port 443 and shell into the box from your work

 

 *ckx3009 wrote:*   

> I can't use those ports for something different than HTTP or HTTPS traffic, cause of (probably) packet inspection: I tried to move the listening port of my ssh server to the 443 but I was unable to contact my server. 

 

----------

## cach0rr0

 *Mad Merlin wrote:*   

> Sounds like you need... TCP over HTTPS. That sounds pretty gross (because it is), but there's probably some software out there that can do it for you, then you can route over that.

 

he could do something like this using stunnel methinks 

far as his network's inspection tools go it'll look no different than HTTPS.

----------

## Naib

 *Mad Merlin wrote:*   

>  *Naib wrote:*   just run sshd on port 443 and shell into the box from your work 
> 
>  *ckx3009 wrote:*   I can't use those ports for something different than HTTP or HTTPS traffic, cause of (probably) packet inspection: I tried to move the listening port of my ssh server to the 443 but I was unable to contact my server.  

 they won't be able to inspect the packets, it will look like every other SSL connection to a secure website.

they might see a connection to an ip but if the traffic is tiny it won't raise any alarms.

also w.r.t. trying and not working. putty has a proxy option. if you are trying from a linux box there is a corkscrew programthe idea is the engage the proxy to allow your traffic throughthe proxy doesn't know the difference between ssh and a GET request, it just logscqches SMS enqbles on authorised logins.

----------

## jormartr

Maybe proxytunnel ?

http://proxytunnel.sourceforge.net

stunnel seems also an option, easy to google.

----------

## cach0rr0

 *Naib wrote:*   

> they won't be able to inspect the packets, it will look like every other SSL connection to a secure website.
> 
> they might see a connection to an ip but if the traffic is tiny it won't raise any alarms.
> 
> 

 

certain bits are still visible. 

i.e. if there's no 'CONNECT' in the request, that'll be a pretty obvious tipoff to something doing packet inspection

i mean yeah, everything after successful SSL/TLS nego will be invisible short of MITM, 

but if the initial handshaking is detected and blocked, you're SOL

----------

## lyallp

I am in a similar situation, Gentoo host, Windows 7 Corporate Virtual machine, behind proxy.

Check out package net-misc/corkscrew.

----------

## fabien29200

Doing it every day at work.

On my server : SSH listening on port 8080. And that's it.

At work : Win 7 machine. Putty to creates the tunnel. It opens a local port on the PC, and forwards packets to my SSH through the company proxy.

Then, I have 2 browsers. Chrome for everything I don't need to hide, Firefox for everything personal.

Firefox is configured to use a Socks 5 proxy on localhost with the local port defined in Putty.

HTH.

----------

## ckx3009

I noticed about proxytunnel and corkscrew, but there is something "in the middle" that does not allow me to create the connection.

Probably the problem is in the https encapsulation process...I don't know how to do perform that.

I mean: to encapsulate some traffic, I need one applet able to do that on my local PC. On the other side, i need something to decapsulate the same traffic...it could be a running daemon listening for something, but I don't understand the "server side".

For example, about proxytunnel: it says it is very easy to use...yes, on the client it looks like that, but is there not any remote side to configure?

Stunnel is not exactly what I was looking for...I would like to (at the end of the work) be in a virtual LAN with my server...so I would like to do a vpn over SSL, while Stunnel is "only" able to redirect the output to an SSH server.

I was lookig for IPSEC, but it looks "a little" hard to configure...same for the openvpn server.

----------

## lyallp

Simply configure your external machine to have SSH running on a publicly accessible port (preferably not the default  :Smile:  )

On your internal machine, setup ssh to use corkscrew to connect to that host on the known port.

Then, when you connect, with SSH, you can setup any port forwardings you like, say, local port 4321 goes to the remote machines port 80, which would allow you to browse http://localhost:4321 as though it was http://remotehost.

Regarding using this connection to proxy all outgoing traffic, that would require something extra.

----------

## gasparov

 *ckx3009 wrote:*   

> I noticed about proxytunnel and corkscrew, but there is something "in the middle" that does not allow me to create the connection.
> 
> 

 

on a properly set up firewall corkscrew is a no go.

This works every time http://sebsauvage.net/punching/index.html, it explains how to tunnel traffic with httptunnel using ssh for port forwarding. you need to run hts on server (traffic encaspulation) and htc on office computer, the with ssh you play with the ports. You don't need support for CONNECT

BTW there is a reason why those firewalls are up, if you make a tunnel one of them is that the security of the intranet doesn't depend from the admin anymore but from you. That's why what you are asking is illegal, take care.

I guess you can start from there to open a vpn on your server, I don't know why it needs to be so complicated thoug.   :Very Happy: 

----------

## gerdesj

OpenVPN can go through quite a few proxies including sending a user/password.

Cheers

Jon

----------

