Networking Forums

Tunnel through NAT

 
 
Ivanek
      07-15-2003, 06:27 PM
Hello

Could anybody help me? I want to set up a tunnel between two hosts, but one of
them is behind NAT/firewall and I have no root rights to it. It seems like:


[my lan] [firewall/NAT] [gateway] [internet] [2nd site of tunnel]

host B | host A <--------------> host C

I have root privilege to hosts B and C.

Please, help

Greg.


 
redhat_devel
      07-15-2003, 06:55 PM


Ivanek wrote:
> Hello
>
> Could anybody help me? I want to set up a tunnel between two hosts, but one of
> them is behind NAT/firewall and I have no root rights to it. It seems like:
>
>
> [my lan] [firewall/NAT] [gateway] [internet] [2nd site of tunnel]
>
> host B | host A <--------------> host C
>
> I have root privilege to hosts B and C.
>
> Please, help
>
> Greg.
>
>


CIPE does this VERY well! It was designed with NAT in mind.



 
 
James Knott
      07-15-2003, 08:59 PM
Ivanek wrote:

> Hello
>
> Could anybody help me? I want to set up a tunnel between two hosts, but one of
> them is behind NAT/firewall and I have no root rights to it. It seems
> like:
>
>
> [my lan] [firewall/NAT] [gateway] [internet] [2nd site of tunnel]
>
> host B | host A <--------------> host C
>
> I have root privilege to hosts B and C.


You might try CIPE, which is supposed to work through firewalls. However,
it will only work if the firewall is configured to pass UDP packets on the
port you select.

Bear in mind that if this is a work network, they may take a dim view of
someone running a VPN out of it.

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.
 
 
Skull
      07-17-2003, 11:51 AM
Munching on Ivanek's skull, I found engraved there:

> Hello
>
> Could anybody help me? I want to set up a tunnel between two hosts, but one
> of them is behind NAT/firewall and I have no root rights to it. It seems
> like:
>
>
> [my lan] [firewall/NAT] [gateway] [internet] [2nd site of
> tunnel]
>
> host B | host A <--------------> host C
>
> I have root privilege to hosts B and C.


Cipe
Vtund
OpenVPN (!!!)

these will surely work...

--
Emanuele Balla aka Skull - Public Key #661E5CBF on www.keyserver.com
+----------------------------------------------------------------------+
"And 1.1.81 is officially BugFree(tm), so if you receive any bug-reports
on it, you know they are just evil lies." (By Linus Torvalds)
 
 
Bev A. Kupf
      07-17-2003, 12:39 PM
On Thu, 17 Jul 2003 12:20:48 GMT,
redhat_devel ((E-Mail Removed)) wrote:
>> Cipe
>
> This one surely will. CIPE was designed with NAT in mind and routable!
> unlike IPsec or PPtP.
>
>> Vtund

Vtund will work as well -- as long as TCP tunnels are used. For an
example, take a look at this message on the vtun users list.
http://sourceforge.net/mailarchive/m...msg_id=4205832

>> OpenVPN (!!!)


Don't know about OpenVPN ....

Bev
--
Bev A. Kupf
Bev's House of Pancakes
 
 
Tauno Voipio
      07-17-2003, 01:25 PM

"Ivanek" <(E-Mail Removed)> wrote in message
news:bf1h30$eul$(E-Mail Removed)...
> Hello
>
> Could anybody help me? I want to set up a tunnel between two hosts, but one of
> them is behind NAT/firewall and I have no root rights to it. It seems
> like:
>
>
> [my lan] [firewall/NAT] [gateway] [internet] [2nd site of tunnel]
>
> host B | host A <--------------> host C
>
> I have root privilege to hosts B and C.
>
> Please, help
>


My favourite is CIPE. It can be made to work as long as one end of the
connection can be reached from the public Net.

There is also a project called Corkscrew, tunneling TCP on HTTP (which can
be used to tunnel SSH and nearly anything on top of it).

Please note that the firewall administrator might not be happy about any
tunneled traffic, especially if the contents are encrypted.

Tauno Voipio
tauno voipio @ iki fi



 
 
/dev/rob0
      07-17-2003, 05:06 PM
> On Thu, 17 Jul 2003 12:20:48 GMT,
> redhat_devel ((E-Mail Removed)) wrote:
>>> Cipe
>>
>> This one surely will. CIPE was designed with NAT in mind and routable!
>> unlike IPsec or PPtP.


CIPE and OpenVPN appear to be very similar in design. I should first
note that I am not very familiar with CIPE, but I use OpenVPN. Anyway,
each uses a single UDP port, which is easily NAT'ed (or even proxied!)

In article <(E-Mail Removed) du>,
Bev A. Kupf wrote:
>>> Vtund
>
> Vtund will work as well -- as long as TCP tunnels are used. For an


UDP is better suited to this task. The added overhead of TCP multiplies,
especially when there is packet loss. The encapsulated TCP connections
have their own error checking, so having the VPN on TCP is redundant and
wasteful.

>>> OpenVPN (!!!)
>
> Don't know about OpenVPN ....


Looking at CIPE, it appears that the chief distinction between OpenVPN
and CIPE is the source of the encryption. CIPE was using its own crypto
code, and is moving toward the kerneli/cryptoAPI. OpenVPN uses OpenSSH.

I'm no crypto-expert, but I know enough to know that very few people ARE
crypto-experts. I think it's best to leave crypto in the hands of those
who know what they're doing. OpenSSL is by far subjected to the most
scrutiny, so I feel safest using it. All those vulnerabilities we see
reported tell me that OpenSSL is being audited. Maybe we'll have to
upgrade it 2-3 times a year, but as long as we do keep up we can feel
secure.

On the networking side, again, OpenVPN hands off to another project: the
tun/tap driver. This makes things very portable. OpenVPN is really just
a clone of pppd! Raw remote data comes in on the UDP port, and OpenVPN
runs that through openssl for decryption. Then it's made available to
the system on the tun0 interface. Raw local data comes in on tun0, and
again OpenVPN runs it through openssl for encryption. The encapsulated
connection goes out on the UDP port to the remote.

I really like the design of this. It's not the most widely-used VPN
implementation, but its design sure makes a lot of sense. It appeals to
me in the best Unix tradition of "do one job, do it well, work with
other pieces of the system."

I do have some familiarity with pptpd, having to support some Windows
clients. It's another TCP/IP-over-TCP implementation, and above I
described in a nutshell why that's not ideal. For a more detailed
discussion of the issues, see
http://sites.inka.de/bigred/devel/tcp-tcp.html

MPPE encryption is flawed. Really, you can't trust Microsoft to design
anything decent WRT security. 'Nuff said.

I don't know anything about vtund nor IPSec, but I hope someone will
jump in here with a quick overview / sales pitch. I'd like to know
more, but I doubt anyone could persuade me to move away from OpenVPN.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
 
 
James Knott
      07-17-2003, 08:52 PM
Bev A. Kupf wrote:

> Vtund will work as well -- as long as TCP tunnels are used. For an
> example, take a look at this message on the vtun users list.


It's not a good idea to use TCP to carry a TCP tunnel. You'll get flow
control conflicts. CIPE uses UDP to carry the tunnel, which avoids the
problem.

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.
 
 
/dev/rob0
      07-17-2003, 10:06 PM
In article <E4ERa.16844$(E-Mail Removed) gers.com>,
James Knott wrote:
> The problem is not error checking. It's the flow control, used in response
> to lost/delayed packets, that causes the problem.


Ah, okay, thanks. I must confess that I gave Olaf's tcp-tcp.html page
only a quick look, and that I lack the detailed understanding of low-
level protocols as well.

>> Looking at CIPE, it appears that the chief distinction between OpenVPN
>> and CIPE is the source of the encryption. CIPE was using its own crypto
>> code, and is moving toward the kerneli/cryptoAPI. OpenVPN uses OpenSSH.
>
> CIPE uses IDEA & Blowfish.


Both are well-regarded and -tested algorithms indeed. But most crypto
vulnerabilities tend to come from outside the algorithm, such as from
how it is implemented in software. The best user-oriented discussion of
this that I can recall is from PRZ's excellent README files for PGP.

The point I was trying to make is that I like the fact that OpenVPN's
crypto code is elsewhere, in another very active and highly scrutinised
project. OpenSSL has been and is continually being audited by real
cryptographers. What about CIPE's? Possibly, but I don't know.

I think CIPE is making a good move toward cryptoapi, but there again, I
doubt that code has received anywhere near the scrutiny that OpenSSL
has. HVR of cryptoapi has done an excellent job, but AFAIK he's not a
professional cryptographer. Like PRZ, he's just a coder who took an
interest in cryptography.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
 
 
Bev A. Kupf
      07-17-2003, 11:02 PM
On Thu, 17 Jul 2003 20:52:36 GMT,
James Knott ((E-Mail Removed)) wrote:
> Bev A. Kupf wrote:
>
>> Vtund will work as well -- as long as TCP tunnels are used. For an
>> example, take a look at this message on the vtun users list.
>
> It's not a good idea to use TCP to carry a TCP tunnel. You'll get flow
> control conflicts. CIPE uses UDP to carry the tunnel, which avoids the
> problem.
>
>


I've read Olaf's page. Do you know of any practical examples where
tunneling over a fast link causes problems with the backoff timers?
I don't .....

Bev

--
Bev A. Kupf
Bev's House of Pancakes
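The TCP-over-TCP effect that James Knott and /dev/rob0 describe above, and Bev's question about the backoff timers, as an added example that is not part of the thread: a toy Python model of two stacked retransmission timers during a link outage. The RTO values, the outage model (everything dropped for t below outage_ms, perfect afterwards) and the 1460-byte segment are assumptions, not numbers from the thread.

```python
"""Toy model of stacked retransmission timers: TCP carried over TCP vs
over UDP. Constructed example, not code from the thread.

Assumptions: the link drops every packet for t in [0, outage_ms) and is
perfect afterwards; every TCP starts with RTO rto0 ms and doubles it on
each timeout (exponential backoff), capped at max_rto."""


def timer_firings(rto0, deadline, max_rto=60_000):
    """Firing times of a backoff timer started at t=0, up to and including
    the first firing at or after `deadline` (all values in ms)."""
    fires, t, rto = [], 0, rto0
    while True:
        t += rto
        fires.append(t)
        if t >= deadline:
            return fires
        rto = min(2 * rto, max_rto)


def tcp_over_tcp(outage_ms, outer_rto=300, inner_rto=200, rtt=20, seg=1460):
    """One inner TCP segment handed to a TCP carrier (vtund/pptpd style)."""
    # Carrier TCP: retransmits during the outage are lost; the first one at
    # or after recovery succeeds, but backoff can push it well past the
    # moment the link actually came back.
    delivered_at = timer_firings(outer_rto, outage_ms)[-1]
    inner_ack_at = delivered_at + rtt
    # Meanwhile the inner TCP times out as well. Each of its retransmits is
    # written into the carrier's *reliable* send buffer, so it cannot be
    # dropped: it queues up behind the stalled original and is sent later.
    dups = [t for t in timer_firings(inner_rto, inner_ack_at) if t < inner_ack_at]
    return {"delivered_at_ms": delivered_at,
            "inner_retransmits": len(dups),
            "bytes_after_recovery": seg * (1 + len(dups))}


def tcp_over_udp(outage_ms, inner_rto=200, rtt=20, seg=1460):
    """The same inner segment over a UDP carrier (CIPE/OpenVPN style)."""
    # UDP adds no retransmission of its own: inner copies sent during the
    # outage are simply lost, the first copy after recovery gets through,
    # and the ACK one rtt later stops the inner timer.
    fires = timer_firings(inner_rto, outage_ms)
    delivered_at = fires[-1]
    on_wire = [t for t in timer_firings(inner_rto, delivered_at + rtt)
               if outage_ms <= t < delivered_at + rtt]
    return {"delivered_at_ms": delivered_at,
            "inner_retransmits": len(fires),
            "bytes_after_recovery": seg * len(on_wire)}


if __name__ == "__main__":
    for outage in (500, 2500, 10_000):
        print(outage, tcp_over_tcp(outage), tcp_over_udp(outage))
```

With a 2.5 s outage the model delivers the segment at 4.5 s over the TCP carrier, with five copies on the wire, versus 3.0 s and one copy over UDP; the gap grows with longer outages because the two backoff schedules drift apart.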
 