# [SOLVED] vpn possible?

## metalfan

hi,

is it possible to have a vpn in this configuration:

laptop -> http proxy -> gateway -> internet -> home computer (router and "vpn endpoint") ?

i was able to get an ssh connection to my home box over port 443, and i can't control the proxy nor the gateway.

greets

metalfan

----------

## rabinath

If You can run ssh everything should be fine, since You can use ssh to dig tunnels for TCP connections. I have a similar situation. To forward a remote port to Your local machine using SSH do this:

```
ssh -L10110:localhost:110 remote.machine.com
```

The first argument behind -L is the local port for ssh to listen on. The second argument is the host the connection shall be established with, and the third of course the port on the remote machine. In this example You'd ssh to remote.machine.com and forward port 110 of remote.machine.com to 10110 of Your local machine. Don't be confused about the localhost within the port numbers: this localhost means remote.machine.com, since You connect to that machine and the hostname localhost is from remote.machine.com's point of view. Now make Your mail client fetch mail from POP3/localhost:10110 and ssh would tunnel the connection to remote.machine.com:110.

Now since You do want to run a VPN, not just POP3, You have to set up a VPN server, e.g. OpenVPN. Be sure to set up a TCP server, not UDP, since only TCP can be forwarded using SSH tunnels. Then do

```
ssh -L1194:localhost:1194 remote.machine.com
```

and establish an OpenVPN connection on the same box You started the tunnel on to "localhost:1194".

You can tunnel as many ports as You like using SSH, so You probably won't need a whole VPN setup, but I also heard rumors that version 4.2 of OpenSSH will have sort of a VPN feature included.

Have fun piercing firewalls,

rab

----------

## metalfan

so i would tunnel my vpn connection into an ssl connection?

shouldn't there be a way to do this without the second encryption?

basically i want to get a connection to my bnc on my local machine, and safe web/mail traffic through my home machine.

greets

metalfan

----------

## nobspangle

if you can get an ssh connection to your box using port 443 you should be able to run an openvpn connection on the same port using TCP.

Just set your home box up as a TCP server running on port 443 and then set your remote machine to connect using that port/protocol combo.

----------

## metalfan

well, actually it wasn't a complete connection...

tested it on a windows machine without my rsa key, so i got a connection refused. have to test that next week from my laptop with the proper key again.

----------

## nielchiano

*metalfan wrote:*

> hi,
>
> is it possible to have a vpn in this configuration:
>
> laptop -> http proxy -> gateway -> internet -> home computer (router and "vpn endpoint") ?
> ...

depends on what you're not telling us.

do you HAVE to use the proxy, or is it optional? In the optional case, the ssh over port 443 (or even 80) will do.

However, if you HAVE to use the proxy (maybe it's also a transparent proxy that you can't bypass) there is always httptunnel. It will make every TCP connection act like real HTTP traffic, so the proxy won't notice.

----------

## metalfan

i would assume that i have to, i will know next thursday.

greets

metalfan

----------

## metalfan

hi,

i can use a static ip, i've gone through the openvpn config and hope that this is the right config:

```
# server
openvpn --proto tcp-server --lport 443 --dev tun --ifconfig 10.0.0.1 10.0.0.2 --verb 3 --comp-lzo --secret /etc/openvpn/static.key

# client
openvpn --proto tcp-client --rport 443 --nobind --dev tun --ifconfig 10.0.0.2 10.0.0.1 --verb 3 --comp-lzo --secret /etc/openvpn/static.key --remote 192.168.10.254 --redirect-gateway "def1"
```

that will hopefully work for this setup:

client -> wlan -> proxy server -> internet -> homerouter -> inet

it's working so far at home without the http proxy option.

----------

## metalfan

```
Fri Mar  3 10:07:33 2006 OpenVPN 2.0.5 i686-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Feb  7 2006
Fri Mar  3 10:07:33 2006 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Mar  3 10:07:33 2006 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar  3 10:07:33 2006 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Mar  3 10:07:33 2006 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Mar  3 10:07:33 2006 LZO compression initialized
Fri Mar  3 10:07:33 2006 TUN/TAP device tun0 opened
Fri Mar  3 10:07:33 2006 /sbin/ifconfig tun0 10.0.0.2 pointopoint 10.0.0.1 mtu 1500
Fri Mar  3 10:07:33 2006 Data Channel MTU parms [ L:1547 D:1450 EF:47 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Mar  3 10:07:33 2006 Local Options hash (VER=V4): 'fa3fa0be'
Fri Mar  3 10:07:33 2006 Expected Remote Options hash (VER=V4): '82b988d6'
Fri Mar  3 10:07:33 2006 Attempting to establish TCP connection with 172.16.1.14:800
Fri Mar  3 10:07:33 2006 TCP connection established with proxyserverip:port
Fri Mar  3 10:07:33 2006 Send to HTTP proxy: 'CONNECT homerouterip:port HTTP/1.0'
Fri Mar  3 10:07:34 2006 HTTP proxy returned: 'HTTP/1.0 503 Service Unavailable'
Fri Mar  3 10:07:34 2006 HTTP proxy returned bad status
Fri Mar  3 10:07:34 2006 TCP/UDP: Closing socket
Fri Mar  3 10:07:34 2006 Closing TUN/TAP interface
Fri Mar  3 10:07:35 2006 SIGTERM[soft,init_instance] received, process exiting
```

does this mean my openvpn server didn't respond to the connection request?

i was able to use firefox with the proxy option enabled, no authentication was required.

greets

metalfan

----------

## nielchiano

*metalfan wrote:*

> Fri Mar  3 10:07:34 2006 HTTP proxy returned: 'HTTP/1.0 503 Service Unavailable'
>
> does this mean my openvpn server didn't respond to the connection request?
>
> i was able to use firefox with the proxy option enabled, no authentication was required.

I think so.... the proxy answered that he wouldn't do the connect; maybe because it's not port 80 (and the admin has blocked it); maybe because he couldn't reach your home router (I don't know what error this would give, so I'm just including it for completeness).

Try to run VPN at port 80; maybe that will help.
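The exchange the log above records ("Send to HTTP proxy: 'CONNECT ...'" followed by "HTTP proxy returned: 'HTTP/1.0 503 Service Unavailable'") is the plain HTTP CONNECT handshake that `openvpn --http-proxy` performs before any VPN traffic flows. The script below, an added example that is not code from OpenVPN or from anyone in this thread, replays that handshake against an in-process mock proxy so the meaning of the status line can be seen in isolation: the proxy's answer, not the OpenVPN server, decides whether a tunnel is opened at all. The mock proxy's policy (CONNECT allowed only to port 443) is a constructed assumption standing in for whatever the real proxy's administrator configured, and the hostnames and ports are placeholders.

```python
"""HTTP CONNECT handshake as used by `openvpn --http-proxy`, with a mock proxy.

Added example for this thread, not from OpenVPN or the posters.  The proxy
policy below (only port 443 may be CONNECTed to) is a constructed assumption;
a real proxy's rules are unknown to the client, which is exactly why the
status line has to be parsed and acted on.
"""
import socket
import socketserver
import threading

ALLOWED_PORTS = {443}  # constructed policy, stands in for the real proxy's rules


class MockProxyHandler(socketserver.StreamRequestHandler):
    """Answers a CONNECT request the way a restrictive HTTP proxy would."""

    def handle(self):
        # Request line, then headers up to the blank line that ends them.
        request_line = self.rfile.readline().decode("ascii", "replace").rstrip("\r\n")
        while True:
            line = self.rfile.readline()
            if not line or line in (b"\r\n", b"\n"):
                break
        parts = request_line.split()
        if len(parts) != 3 or parts[0] != "CONNECT" or ":" not in parts[1]:
            self.wfile.write(b"HTTP/1.0 400 Bad Request\r\n\r\n")
            return
        _host, _, port = parts[1].rpartition(":")
        if port.isdigit() and int(port) in self.server.allowed_ports:
            # A real proxy would now relay bytes in both directions; the mock
            # only needs to show the status line the client sees.
            self.wfile.write(b"HTTP/1.0 200 Connection established\r\n\r\n")
        else:
            # Same refusal the thread's log shows; no tunnel is opened.
            self.wfile.write(b"HTTP/1.0 503 Service Unavailable\r\n\r\n")


class MockProxy(socketserver.ThreadingTCPServer):
    """Loopback proxy on an ephemeral port, served from a daemon thread."""

    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, allowed_ports=ALLOWED_PORTS):
        super().__init__(("127.0.0.1", 0), MockProxyHandler)
        self.allowed_ports = set(allowed_ports)
        threading.Thread(target=self.serve_forever, daemon=True).start()


def http_connect(proxy_addr, target_host, target_port, timeout=5.0):
    """Send 'CONNECT host:port HTTP/1.0' via proxy_addr; return (code, reason).

    The decision is taken from the first line of the proxy's reply, as
    OpenVPN does: anything other than a 2xx code means the proxy refused to
    open the tunnel and the remote OpenVPN server was never reached.
    """
    with socket.create_connection(proxy_addr, timeout=timeout) as sock:
        request = f"CONNECT {target_host}:{target_port} HTTP/1.0\r\n\r\n"
        sock.sendall(request.encode("ascii"))
        reader = sock.makefile("rb")
        reply = reader.readline().decode("ascii", "replace").rstrip("\r\n")
        reader.close()
    parts = reply.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed proxy status line: {reply!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason


def probe(proxy, target_host, target_port):
    """Run the handshake against a MockProxy instance."""
    return http_connect(proxy.server_address, target_host, target_port)


if __name__ == "__main__":
    proxy = MockProxy()
    # homerouter.example is a placeholder for the home router's address.
    for port in (443, 1194):
        code, reason = probe(proxy, "homerouter.example", port)
        print(f"CONNECT homerouter.example:{port} -> {code} {reason}")
    proxy.shutdown()
```

Run as a script it prints a 200 for the allowed port and a 503 for the other, mirroring the two outcomes discussed in the thread. The useful check for a practitioner is the one in `http_connect`: a non-2xx status is a proxy-side refusal, so the next thing to look at is the proxy's port policy (or its logs, if you administer it), not the OpenVPN server configuration.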

----------

## metalfan

It's possible to reach a machine through the firewall at port 443 with putty and the proxy option, so i guess the same port should be usable for openvpn.

But i will test port 80 in the next days.

metalfan

----------

## nielchiano

*metalfan wrote:*

> It's possible to reach a machine through the firewall at port 443 with putty and the proxy option, so i guess the same port should be usable for openvpn.
>
> But i will test port 80 in the next days.

Well, you can also use 443, I just mentioned port 80 since that one is (almost) always open; but 443 has the extra "advantage" that your encrypted VPN tunnel won't stand out compared to plain text over port 80.

----------

## metalfan

```
# server
openvpn --local serverinetip --proto tcp-server --lport 443 --dev tun --ifconfig 10.0.0.1 10.0.0.2 --verb 3 --comp-lzo --secret /etc/openvpn/static.key

# client
openvpn --proto tcp-client --rport 443 --http-proxy proxyserverip 800 --nobind --dev tun --ifconfig 10.0.0.2 10.0.0.1 --verb 3 --comp-lzo --secret /etc/openvpn/static.key --remote serverinetip
```

i just remove the default gateway before openvpn starts and set the default gateway to 10.0.0.1 afterwards; i can see all of my traffic going over the tun0 interface.

somehow openvpn wasn't able to bind to more than one ip on the server machine.

greets

metalfan

----------

