need help using openvpn to bypass corp firewall

Hey all,

I have a linux system at work, and have remote access to my linux box
at home, so I installed OpenVPN on each. My goal, of course, is to
bypass the corporate firewall (first priority is bypassing the web
filtering) and route certain traffic (web, Email, IM, etc) to move
over the VPN instead.

I followed the examples at openvpn's web site, and both my local
machine (client) and the remote machine (server) can ping each others
VPN IP addresses, so the tunnel itself is up and running just fine. I
guess I'm stuck on how to proceed from here, and curious as to the
'best' (generally accepted) method to route certain traffic through
the VPN.

1. Should I set up multiple iptables rules on my local machine to
route certain outgoing traffic on known ports to go through the VPN?
2. Should I just drop the corporate network 'default gateway', and set
my local system's default gateway to be the remote server? If so, do I
set the VPN IP of the server as the default, or the public IP of the
server?
3. I suppose I'll need to add iptables rules on the server for NAT,
since it does not currently 'act' as a gateway server for my other
home systems.

The OpenVPN examples I followed only seem to go far enough to actually
built the tunnel, which I've done. Now I need some examples to play
with for routing specific traffic over the VPN.

Thanks for any assistance, examples or sites for how to proceed.

(E-Mail Removed) writes:

>Hey all,

>I have a linux system at work, and have remote access to my linux box
>at home, so I installed OpenVPN on each. My goal, of course, is to
>bypass the corporate firewall (first priority is bypassing the web
>filtering) and route certain traffic (web, Email, IM, etc) to move
>over the VPN instead.

You realise that not only might you get fired you might get thrown in jail
as well. There was a case a few years ago where exactly this happened to a
contractor for Intel.

>I followed the examples at openvpn's web site, and both my local
>machine (client) and the remote machine (server) can ping each others
>VPN IP addresses, so the tunnel itself is up and running just fine. I
>guess I'm stuck on how to proceed from here, and curious as to the
>'best' (generally accepted) method to route certain traffic through
>the VPN.

>1. Should I set up multiple iptables rules on my local machine to
>route certain outgoing traffic on known ports to go through the VPN?
>2. Should I just drop the corporate network 'default gateway', and set
>my local system's default gateway to be the remote server? If so, do I
>set the VPN IP of the server as the default, or the public IP of the
>server?
>3. I suppose I'll need to add iptables rules on the server for NAT,
>since it does not currently 'act' as a gateway server for my other
>home systems.

>The OpenVPN examples I followed only seem to go far enough to actually
>built the tunnel, which I've done. Now I need some examples to play
>with for routing specific traffic over the VPN.

>Thanks for any assistance, examples or sites for how to proceed.

On Thu, 10 May 2007 11:22:15 -0700, wild98 rearranged some electrons to
form:

> Hey all,
>
> I have a linux system at work, and have remote access to my linux box
> at home, so I installed OpenVPN on each. My goal, of course, is to
> bypass the corporate firewall (first priority is bypassing the web
> filtering) and route certain traffic (web, Email, IM, etc) to move
> over the VPN instead.

I would guess your employer would probably frown on this behavior.
In fact, if you were to pull objectionable material onto your employer's
network, it would be grounds for a harrasment suit against your company if
someone saw it and objected to it. Not to mention you would be out on
the street. They could also prosecute you.

If you want to download music/porn/surf E-bay/whatever, you should
probably do it at home on your own time.


--
David M (dmacchiarolo)
http://home.triad.rr.com/redsled
T/S 53
sled351 Linux 2.4.18-14 has been up 6 days 13:13

On 10 May 2007, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed). com>, (E-Mail Removed) wrote:

> My goal, of course, is to bypass the corporate firewall (first
>priority is bypassing the web filtering) and route certain traffic
>(web, Email, IM, etc) to move over the VPN instead.

Why exactly do you feel you need to bypass the corporate firewall?
Is this something you need to do your job? Talk to your supervisor.
Is the unrelated to work? Quit your job so that you don't need to
worry about the firewall.

>I guess I'm stuck on how to proceed from here, and curious as to the
>'best' (generally accepted) method to route certain traffic through
>the VPN.

You also don't know how to use the search engine you are posting from
to research the subject directly. That figures. Here, try this:

Web Results 1 - 10 of about 575,000 for bypass corp firewall. (0.10
seconds)

You may even turn up a few convictions - but that's minor, right?

Old guy

(E-Mail Removed) wrote:
> Hey all,
>
> I have a linux system at work, and have remote access to my linux box
> at home, so I installed OpenVPN on each. My goal, of course, is to
> bypass the corporate firewall (first priority is bypassing the web
> filtering) and route certain traffic (web, Email, IM, etc) to move
> over the VPN instead.
>
> I followed the examples at openvpn's web site, and both my local
> machine (client) and the remote machine (server) can ping each others
> VPN IP addresses, so the tunnel itself is up and running just fine. I
> guess I'm stuck on how to proceed from here, and curious as to the
> 'best' (generally accepted) method to route certain traffic through
> the VPN.
>
> 1. Should I set up multiple iptables rules on my local machine to
> route certain outgoing traffic on known ports to go through the VPN?

No. The proper tool for routing is the route table, man route.

> 2. Should I just drop the corporate network 'default gateway', and set
> my local system's default gateway to be the remote server? If so, do I
> set the VPN IP of the server as the default, or the public IP of the
> server?

No. See above.

> 3. I suppose I'll need to add iptables rules on the server for NAT,
> since it does not currently 'act' as a gateway server for my other
> home systems.

The iptables rules are for address translations which
you do not need here.

> The OpenVPN examples I followed only seem to go far enough to actually
> built the tunnel, which I've done. Now I need some examples to play
> with for routing specific traffic over the VPN.

OpenVPN is not the tool here, it needs holes in the
main firewall for UDP/1194 for both directions. Are
you sure that the tunnel is open?

> Thanks for any assistance, examples or sites for how to proceed.

Mostly probably the corporate firewall is closed for
any traffic, and the connections to the outside are
provided by application-protocol specific proxies.

You are pretty probably limited to filtered HTTP access
to the outside, and OpenVPN does not run on it.

A different story is the legality of the set-up. You
very probably risk legal actions.

--

Tauno Voipio
tauno voipio (at) iki fi

(E-Mail Removed) wrote:
> I have a linux system at work, and have remote access to my linux box
> at home, so I installed OpenVPN on each. My goal, of course, is to
> bypass the corporate firewall [...]

I really wish you hadn't posted that. Corporate firewalls are there for
a reason. If you object to the implementation policies you need to follow
this up internally.


> [...] the tunnel itself is up and running just fine. I
> guess I'm stuck on how to proceed from here, and curious as to the
> 'best' (generally accepted) method to route certain traffic through
> the VPN.

To route by destination port you would use iptables. To route by
destination address you would use the routing table. OpenVPN allows
commands to be run when an interface is brought up (or torn down) so
you could put the iptables commands in the configuration file. Routing
commands are specifically covered in the documentation.

Chris

On Mon, 14 May 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <j4emh4-(E-Mail Removed)>, Chris Davies wrote:

>(E-Mail Removed) wrote:
>> I have a linux system at work, and have remote access to my linux box
>> at home, so I installed OpenVPN on each. My goal, of course, is to
>> bypass the corporate firewall [...]

>I really wish you hadn't posted that. Corporate firewalls are there for
>a reason.

You should spend some time scanning the newsgroup 'comp.security.firewalls'
where you get a number of trolls and pretenders claiming to use VPN or
even SSH to "bypass" the company/school firewall. They all miss the
fact that the traffic stands out like a sore thumb. They claim that
because the traffic is encrypted, "no one will ever know" what's going
on. I guess they've never had children, because when you hear the crash
of broken glass in another room, and the answer to your "what happened"
of "nothing" or "nothing happened" means it's time to wander on in and
see what disaster just occurred.

Old guy