what do I need to bypass a restrictive company proxy

ckx3009

Hello,
I'm actually in a somehow bad situation at work, cause of a proxy server placed in my company's internal network.

- What I have on my own:
A PC able to run Gentoo linux + win7 inside a virtual machine (vmware workstation)
----- or -----
The same PC able to run win7 + Gentoo linux inside a virtual machine (vmware workstation)
A remote server (fast connection) running Gentoo linux (server profile, not hardened) with the usual tools we can find on a server: openssh, mysql, apache2 and so on.

- What I have to face:
the company's network, in particular a proxy server; this proxy server, after having authenticated, allows me only to browse web pages, nothing more.
As far as I know the only open ports are the 80 and 443.
I can't use those ports for something different than HTTP or HTTPS traffic, cause of (probably) packet inspection: I tried to move the listening port of my ssh server to the 443 but I was unable to contact my server.
As well, I'm able to contact it by web, I can even manage it using some tools like webmin and anyterm (with apache mod_proxy), but is not what I want due to security problems.

- What I would like:
To route every connection originated by my pc, to the remote server I own, in a similar way to what I do at home: the pc connected to the router, with the router facing the internet.
In other words, I would like to be in a "virtual" LAN with the remote server, and use it as a gateway, tunneling every connection into an SSL tunnel, in order to use the default 443 port (which I can use) and avoid packet inspection (and the deriving traffic blocking).

- What I ask:
On the internet there are a lot of guides and tips to do what I ask... the problem is that every guide I was able to find was not complete enough to perform the full process.
I don't even know exactly which tools I could use to do everything I need.
I need to perform the configurations both server and client side, when a lot of guides just explain what to do on the client, bypassing the server configuration and the tools used on the server to allow tunneling, connections, vpns and so on.

I would be really grateful if someone could help me out in this painful and probably complex project

Thanks a lot in advance

Goverp · Advocate Joined: 07 Mar 2007 Posts: 2204

aCOSwt · Posted: Sun Jun 10, 2012 10:19 am Post subject:

If you succeed, you will discover that Goverp is right.
_________________

ckx3009 · Posted: Tue Jun 12, 2012 8:43 pm Post subject:

Well, I appreciate your opinions, but that's not the answer/suggestion I'm looking for...

I have already bypassed the proxy using the apache mod_proxy in order to redirect some application ports...but is not what I'm looking for.

Edit:
Really there is no anyone able to give me some help?
I can't believe that <.<

keet · Guru Joined: 09 Sep 2008 Posts: 574

Have you tried asking the people in charge of your network? They could probably make an exception -- it is almost certainly technically possible, though they might admittedly have little interest in doing it.

Hu · Administrator Joined: 06 Mar 2007 Posts: 23097

There are people here who are able to help you. However, it seems none of them have both read the thread and felt a desire to help you. I concur with keet that getting an exception to the policy is a cleaner and simpler solution than trying to bypass the filtering policy. Based on what you have told us, the technical bypass would be to establish an SSL-encrypted tunnel to a trusted peer, then run all your traffic over a forwarding protocol inside that tunnel.

ckx3009 · Posted: Wed Jun 13, 2012 7:30 am Post subject:

I cannot ask to introduce an exception because just to allow one person to reach one server (for his job) giving him access to a shared folder, we need more than one month...
You can imagine how much time they will need only to consider giving access to someone thought the proxy.
We don't even have a well functioning PC to work with... having the MS exchange servers blocked every 5 seconds, connected a bad network and so on.

This is only due to inefficiency and bad managing.

Anyway yes, it would be an ssl tunnel to a trusted peer, then the traffic would run inside a vpn....I already know that is technically possible, but I need to understand how to realize that in the correct manner.

Mad Merlin · Veteran Joined: 09 May 2005 Posts: 1155

Sounds like you need... TCP over HTTPS. That sounds pretty gross (because it is), but there's probably some software out there that can do it for you, then you can route over that.
_________________
Game! - Where the stick is mightier than the sword!

Naib · Posted: Thu Jun 14, 2012 10:51 pm Post subject:

just run sshd on port 443 and shell into the box from your work
_________________
#define HelloWorld int
#define Int main()
#define Return printf
#define Print return
#include <stdio>
HelloWorld Int {
Return("Hello, world!\n");
Print 0;

Mad Merlin · Veteran Joined: 09 May 2005 Posts: 1155

cach0rr0 · Posted: Fri Jun 15, 2012 4:18 am Post subject:

Naib · Posted: Fri Jun 15, 2012 5:42 am Post subject:

jormartr · Apprentice Joined: 02 Jan 2008 Posts: 174

Maybe proxytunnel ?

http://proxytunnel.sourceforge.net

stunnel seems also an option, easy to google.

cach0rr0 · Posted: Sun Jun 17, 2012 8:07 am Post subject:

lyallp · Posted: Sun Jun 17, 2012 9:51 am Post subject:

I am in a similar situation, Gentoo host, Windows 7 Corporate Virtual machine, behind proxy.

Check out package net-misc/corkscrew.
_________________
...Lyall

fabien29200 · n00b Joined: 12 Jun 2006 Posts: 32

Doing it every day at work.

On my server : SSH listening on port 8080. And that's it.

At work : Win 7 machine. Putty to creates the tunnel. It opens a local port on the PC, and forwards packets to my SSH through the company proxy.

Then, I have 2 browsers. Chrome for everything I don't need to hide, Firefox for everything personal.
Firefox is configured to use a Socks 5 proxy on localhost with the local port defined in Putty.

HTH.

ckx3009 · Posted: Sun Jun 17, 2012 5:32 pm Post subject:

I noticed about proxytunnel and corkscrew, but there is something "in the middle" that does not allow me to create the connection.

Probably the problem is in the https encapsulation process...I don't know how to do perform that.
I mean: to encapsulate some traffic, I need one applet able to do that on my local PC. On the other side, i need something to decapsulate the same traffic...it could be a running daemon listening for something, but I don't understand the "server side".
For example, about proxytunnel: it says it is very easy to use...yes, on the client it looks like that, but is there not any remote side to configure?
Stunnel is not exactly what I was looking for...I would like to (at the end of the work) be in a virtual LAN with my server...so I would like to do a vpn over SSL, while Stunnel is "only" able to redirect the output to an SSH server.

I was lookig for IPSEC, but it looks "a little" hard to configure...same for the openvpn server.

lyallp · Posted: Mon Jun 18, 2012 10:29 am Post subject:

Simply configure your external machine to have SSH running on a publicly accessible port (preferably not the default

)
On your internal machine, setup ssh to use corkscrew to connect to that host on the known port.
Then, when you connect, with SSH, you can setup any port forwardings you like, say, local port 4321 goes to the remote machines port 80, which would allow you to browse http://localhost:4321 as though it was http://remotehost.
Regarding using this connection to proxy all outgoing traffic, that would require something extra.
_________________
...Lyall

gasparov · Tux's lil' helper Joined: 13 Apr 2006 Posts: 105

gerdesj · Posted: Fri Jun 22, 2012 10:27 pm Post subject:

OpenVPN can go through quite a few proxies including sending a user/password.

Cheers
Jon