[geeks] VPN Help needed...

Geoffrey S. Mendelson gsm at mendelson.com
Thu Jan 3 08:51:05 CST 2008


On Thu, Jan 03, 2008 at 02:26:31PM +0000, Mark Benson wrote:
> $work have developed a requirement to access parts of our company Intranet
> at home. They have a small, very basic TCP/IP network with a Windows 2003
> Server machine running our Intranet stuff. As our work from home will
> involve handling confidential data, I figured an IPsec VPN would be the best
> idea. Basically rendered down to its most basic, we need to be able to
> access a series of HTTP pages on our internal server using a secure
> connection from outside. I can't bear the thought of opening a Windows
> server to the outside world either as a VPN server or hanging a web server
> out into the cloud. I'd prefer to keep it well away behind a Firewall and
> use a secure gateway, which, as I understand it, IPsec and VPN allow you
> to do.
> 

Well, I would do something a lot simpler assuming you can use Firefox.

1. You set up a server behind the firewall that runs SSH.

   The SSH server only accepts ssh version 2 connections with 
   DSA keys (no password or RSA version 1 key authentication).
   It should use a nonstandard port. Have the router forward that
   port to the server.

2. You set up a batch file on the user's computer that SSH's to the
   server and logs on. SSH for Windows can be downloaded as part of
   the Cygwin package, or there is a package of just the SSH and enough
   Cygwin to run it.

   You start SSH with the -D option and specify a port number let's 
   say 1080. Note that old versions of SSH support SOCKS4 (no DNS)
   protocol, the new ones support SOCKS5 (DNS) too.

3. You set up Firefox to use localhost port 1080 as a SOCKS server.
   
3a. You install an add-on called FoxyProxy, which will select the proxy
    by a pattern, and use something like "http*://*.<workdomain>/*"
    with a proxy of "127.0.0.1:1080".

It's actually less complicated than it sounds. It also works on all *NIX
type systems with a reasonably late SSH client.

To me, the main advantage of doing this is that it is NOT two way,
I can't sit at work and access your computer or LAN at home.

Geoff.

-- 
Geoffrey S. Mendelson, Jerusalem, Israel gsm at mendelson.com  N3OWJ/4X1GM
IL Voice: (07)-7424-1667 U.S. Voice: 1-215-821-1838 
Visit my 'blog at http://geoffstechno.livejournal.com/
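The three steps above, written out as configuration. This is an added example, not part of the original post: the sshd_config lines for step 1 (with a deliberately weak config beside them and a small check that tells the two apart), the ssh -D command for step 2, and a proxy auto-config file that selects the tunnel by host pattern the way the FoxyProxy rule in step 3a does. The host name gateway.example.com, port 2222, the internal domain intranet.example and the SOCKS port are assumed values; the post does not give any of them. Restricting the server to DSA keys specifically is not expressed here, only "keys, no passwords".

```shell
#!/bin/sh
# Added example for the SSH-as-SOCKS setup described in the post.
# Host names, ports and the work domain below are assumptions, not
# values from the original thread.

GATEWAY_HOST="gateway.example.com"   # assumed public name of the home router
GATEWAY_PORT=2222                    # assumed nonstandard sshd port the router forwards
SOCKS_PORT=1080                      # local SOCKS port, as in the post
WORK_DOMAIN="intranet.example"       # assumed internal domain served by the Win2003 box

# Step 1, server side: sshd_config lines for the box behind the firewall.
# Keys only, no passwords, nonstandard port, forwarding left on for -D.
sshd_hardened_config() {
    cat <<EOF
Port $GATEWAY_PORT
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
EOF
}

# The same server left at defaults, for contrast: password logins on port 22.
sshd_weak_config() {
    cat <<EOF
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF
}

# Read an sshd_config from stdin and report the settings the post requires.
# Returns 0 when all are met, 1 otherwise, printing each failing point.
# A missing PasswordAuthentication line counts as a failure, because sshd
# defaults it to yes.
check_sshd_config() {
    ok=0
    cfg=$(cat)
    printf '%s\n' "$cfg" | grep -qi '^PasswordAuthentication[[:space:]]*no' \
        || { echo "password authentication still enabled"; ok=1; }
    printf '%s\n' "$cfg" | grep -qi '^Port[[:space:]]*22$' \
        && { echo "sshd listening on default port 22"; ok=1; }
    printf '%s\n' "$cfg" | grep -qi '^AllowTcpForwarding[[:space:]]*no' \
        && { echo "TCP forwarding disabled: ssh -D will not work"; ok=1; }
    printf '%s\n' "$cfg" | grep -qi '^PermitRootLogin[[:space:]]*yes' \
        && { echo "root login permitted"; ok=1; }
    return $ok
}

# Step 2, client side: the command the batch file runs.
# -N  : no remote shell, only the forward.
# -D  : local SOCKS proxy bound to loopback only.
# ExitOnForwardFailure makes ssh exit instead of logging in with no proxy.
# The login name defaults to the local user; add user@ if it differs.
socks_tunnel_cmd() {
    printf 'ssh -N -D 127.0.0.1:%s -p %s -o ExitOnForwardFailure=yes %s\n' \
        "$SOCKS_PORT" "$GATEWAY_PORT" "$GATEWAY_HOST"
}

# Step 3a, browser side: a proxy auto-config (PAC) file that sends only
# work hosts through the tunnel and everything else direct.  SOCKS5 lets
# the browser hand the host name to the server side for resolution.
pac_file() {
    cat <<EOF
function FindProxyForURL(url, host) {
    if (host == "$WORK_DOMAIN" || shExpMatch(host, "*.$WORK_DOMAIN"))
        return "SOCKS5 127.0.0.1:$SOCKS_PORT";
    return "DIRECT";
}
EOF
}

# Stand-alone use: print the three pieces.
echo "# sshd_config"; sshd_hardened_config
echo; echo "# client command"; socks_tunnel_cmd
echo; echo "# work.pac"; pac_file
```

Point Firefox at the PAC file (Connection Settings, automatic proxy configuration URL) and, for the names to be resolved at work rather than at home, set network.proxy.socks_remote_dns to true in about:config; without that the browser resolves intranet names locally and the request never reaches the tunnel.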