
smugnus

macrumors newbie
Original poster
Mar 28, 2009
2
0
Hello!
I've checked the forum before posting... I've noticed some people asking this same question here and on other forums and there never seems to be an answer, so here we go, my turn to ask it now:

The Goal:
To be able to surf the real (unfiltered) internet, privately, on a powerbook, from a place that likes to block certain websites and protocols, with the help of an OSX Server somewhere else. Sounds simple right?

The Scenario:
1. G4 MDD Tower running OSX Server 10.5.6 in a location that has the real, unrestricted internet. It is also running DynDNS with no problems.
2. G4 powerbook running OSX 10.4.11 in a location that has very restricted internet but wishes it had the real internet.

So is the answer VPN? Which kind? Apple's built-in VPN on OSX Server? L2TP over IPSec? Does one need to also run a proxy server in addition to VPN? If using a proxy for web, will we need proxy servers for each and every other protocol which we may want to access? Or is it possible to directly "share" the internet connection of the OSX Server across VPN to the powerbook client with no added proxy software anywhere? Has anyone successfully done this?

I've seen a few vague answers to this scenario scattered about the web, and none of them seemed very straightforward or easy, and would not result in a very private connection. Is there a simple 1-2-3 answer that doesn't involve downloading stuff, typing fancy terminal commands, spending more money, or compiling binaries and so forth?
 

dampfdruck

macrumors member
Oct 20, 2008
81
0
If your remote environment is so restricted, you may not be able to establish a VPN connection to your home site. If anything, OpenVPN is the best VPN solution available (simple to configure, secure, reliable).

In cases where the local environment is very restrictive, a UMTS modem (3G) is typically the best solution.
 

myjay610

macrumors regular
Jan 6, 2008
131
0
With a VPN you should be able to have the option to route all network traffic across the tunnel - so everything would go through the server at home. It should feel like you are actually within the boundary of the home network the server is at when you're connected via VPN.

If you're really concerned with just using the VPN as a web proxy you could easily tunnel your web traffic over an ssh connection/SOCKS proxy instead.
 

jseely

macrumors newbie
Apr 8, 2009
2
0
A full blown VPN is way overkill for simply getting around content filters. I do consulting for a living and run into this problem often. My solution:

- Set up tinyproxy on a system you control. Bind it to localhost only, and note the port you use.
- Set up SSH on the same system, noting the port. Port choice here is key, because some places won't allow port 22 out. I actually have two SSH instances on my system - one statically set up on 53, and another that is configurable via a password-protected https web page I access from my phone. So, if 53 isn't allowed out of a network I'm on, I'll try 20, 21, 23, 80, 443 etc, until I find something that works.
- On your remote system, establish an SSH connection like so:

ssh -p <port> -L <local proxy port>:localhost:<remote proxy port> user@remote_host

This will open a port on your local system (local proxy port) and tunnel it over the ssh connection to the remote system's tinyproxy instance.

- Now go into your browser preferences and point your proxies to host=localhost and port=local proxy port. Done! Note though, you'll have to keep the ssh session active to use the proxy.
 

myjay610

macrumors regular
Jan 6, 2008
131
0
That's still overkill.

ssh -D <localport> user@server.com -p <remote_port>

i.e. ssh -D 9999 user@server.com -p 1709

Then go into your proxy settings and enable SOCKS proxy to localhost:9999.

Done. You don't have to install anything on the home computer; just enable SSH and change the hosting port to something else if you need to. The port settings are in /etc/services.
 

Seismo

macrumors newbie
Apr 22, 2009
4
0
My company blocks all outgoing traffic except for http, https and ftp. I found this out by just trying every well-known port.
So, I set up a Linux box at home running VNC server.
I configured my router to forward port 443 traffic to port 5901 on the Linux box.
Now I just bring up the VNC client on my machine at work, point to hostname:65979 (VNC client-speak for port 443), and BAM! I'm on my home machine.
So, if you're looking for a virtualized desktop situation, it doesn't get much free-er or easier than this. I can surf the web, fire up bit-torrent, all kinds of fun stuff, without sending that traffic through my company's routers.
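
From the network owner's side, the SSH-on-53 and VNC-on-443 setups described in the posts above show up as a protocol/port mismatch. The following is an added example, not code from any poster in this thread: a Python check over constructed flow records (the field names `dst`, `dport`, `server_first`, the port table and the addresses are assumptions) that flags SSH or RFB banners on ports assigned to other services.

```python
import re

# Banners of the two protocols the thread moves onto other ports.
BANNERS = {
    "ssh": re.compile(rb"^SSH-\d\.\d+-"),        # SSH identification string (RFC 4253)
    "vnc": re.compile(rb"^RFB \d{3}\.\d{3}\n"),  # RFB ProtocolVersion message
}

# Service each destination port is expected to carry on this (assumed) network.
EXPECTED = {21: "ftp", 22: "ssh", 53: "dns", 80: "http", 443: "tls", 5901: "vnc"}


def identify(server_first: bytes) -> str:
    """Name the protocol from the first bytes the server sent, or 'other'."""
    for name, pattern in BANNERS.items():
        if pattern.match(server_first):
            return name
    return "other"


def mismatches(flows):
    """Return (dst, dport, seen) for SSH/VNC banners on a port expected to carry something else."""
    hits = []
    for flow in flows:
        seen = identify(flow["server_first"])
        if seen != "other" and seen != EXPECTED.get(flow["dport"], "unassigned"):
            hits.append((flow["dst"], flow["dport"], seen))
    return hits


# Constructed sample records (documentation addresses, invented payload prefixes).
SAMPLE_FLOWS = [
    {"dst": "203.0.113.10", "dport": 53, "server_first": b"SSH-2.0-OpenSSH_5.1\r\n"},
    {"dst": "203.0.113.10", "dport": 443, "server_first": b"RFB 003.008\n"},
    {"dst": "198.51.100.7", "dport": 443, "server_first": b"\x16\x03\x01\x00\x4a\x02"},
    {"dst": "198.51.100.8", "dport": 22, "server_first": b"SSH-2.0-OpenSSH_5.1\r\n"},
    {"dst": "192.0.2.5", "dport": 80, "server_first": b"HTTP/1.1 200 OK\r\n"},
]

if __name__ == "__main__":
    for dst, dport, seen in mismatches(SAMPLE_FLOWS):
        print(f"{dst}:{dport} carries {seen}, expected {EXPECTED.get(dport, 'unassigned')}")
```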
 