Tunneling all traffic with no access to server

Got a problem with Viscosity or need help? Ask here!

ranza

Posts: 2
Joined: Wed Jan 27, 2021 6:30 am

Post by ranza » Wed Jan 27, 2021 7:35 am
Hi,

Thank you for the amazing work with Viscosity - your app has really simplified my PHD student life ;)

Anyway today, I've decided to play a little with the default config files I received some time ago from my university to connect with my machine at the university (mac).

The motivation was to enable easy downloading of journal articles locally which are automatically accessible on my remote university machine. I'm no networking expert, so I've tried to do this for many hours to no avail.

During my tries I've learned a few things:

1. By default, the connection does not redirect all traffic but just those of trying to reach the subnet (this I knew before).

Here's the (relevant?) output of netstat -r:
Code: Select all
default	homerouter.cpe	UGSc	en0
default	172.29.33.21	UGScI	utun10
127	localhost	UCS	lo0
localhost localhost	UH	lo0
169.254	link#4	UCS	en0	!
172.16.136/24	172.29.33.21	UGSc	utun10
172.29.33.1/32	172.29.33.21	UGSc	utun10
172.29.33.21	172.29.33.22	UHr	utun10
172.29.33.21/32	link#15	UCS	utun10
My remote machine is has an inside address: 172.16.136.48
2. It seems that upon connecting with the machine X (remote server), the remote server gives my machine a routing table entries (disabling `Pull Options` made my host unreachable) and which semi-randomly assign me a gateway Y (172.29.33.21 in this case). I think this thing is called an `interface`
3. My remote machine default gateway is Z (172.16.136.1)
4. If I set the default gateway (in Viscosity) to X, Y, Z and/or the DNS it does not work. In particular it looks like the assigned gateway (Y) knows only local addresses as I can't ping anything.
5. I've looked into books and learned that the server usually requires `IP-traffic forwarding` enabled which it probably doesn't have.
6. Proxy doesn't work through UDP, right?

Here's all that I've tried:
1. Setting `All Traffic` to: `Send all traffic over VPN connection`
without touching anything else
2. `route-route-delay 20` extra command
3. change of default gateway to X, Y, Z
4. change of DNS Settings to X, Y, Z
5. disabling `No Bind`
6. disabling `Pull Options`
7. enabling Proxy
and various combinations of thereof. The domains X, Y, Z will be introduced in a moment.

Here's my default config:
Remote server: X
Method: UDP
Device: tun
Auth: SSL/TLS Client with CA, Cert and my key
Other options:
Code: Select all
- No bind
- Pull Options
Networking: All Automatic
Transport: No proxy
Extra commands:
Code: Select all
push "route 172.16.136.0 255.255.255.0"
mssfix 1400
resolv-retry infinite
cipher DES-CBC
mute 20
comp-lzo
tls-cipher DEFAULT:@SECLEVEL=0
float
keepalive 10 120
Lastly,
I somehow managed to do this with combination of VPN connection to my machine and sshuttle app. However it seems like an overkill, plus, my machine network settings take about half a minute to recover after disconnecting/killing the "sshuttle".

Disclaimer:
I'd like to do this without additional communication with the university administrators because:
a) what I'm trying to do is perfectly ok (legal), because I can already do this, but much slower (either by logging to the machine or by using university credentials in a webpage which allows access to journals)
b) I'd like to learn how to do this and have more control over what is being sent to the remote server. Ideally I'd like to redirect most website traffic, but leave some some (mostly system) connections local.

James

User avatar
Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Sat Jan 30, 2021 10:59 am
Hi ranza,

It sounds like the OpenVPN server is configured to only allow access to certain subnets. I'm afraid you're not going to be able to force it to route traffic it isn't configured for from the client-side: while you can route the traffic into the VPN tunnel, the server is likely blocking it (at the firewall level) or doesn't know what to do with it (at the routing level).

Ideally you could set up the OpenVPN server to support NAT and accept all traffic so you could route access to the journal websites through it. However if that isn't an option, you'll need to use your university machine as a relay point. You're not going to be able to achieve this with standard routing (because the VPN server isn't going to route traffic with an external destination IP address), however you have a couple of options:

1. Run a HTTP or SOCKS proxy on your university machine, and configure your VPN connection to use this while connected. For example you could use an app like SquidMan on your university Mac. You can then instruct Viscosity to automatically set this proxy while connected to the VPN server using the advanced commands at the page linked below. The proxy server's address will be your university machine's IP address.
https://www.sparklabs.com/support/kb/ar ... y-commands

Also keep in mind that the proxy will be accessible on the local network, so you'll want to set up some authentication for it to prevent unauthorised access.

If you want to get really tricky, you can configure a PAC (Proxy Auto-Configuration) file so only certain traffic is sent via the proxy. So you can just have your journal websites using the proxy, while all other traffic uses your normal network connection.

2. Run a second OpenVPN server on your university machine. After connecting to your university OpenVPN server first, you then connect the second OpenVPN connection to your university machine. It would need to be configured to support traffic forwarding using NAT. In many ways this is similar to your sshuttle setup, except you're using OpenVPN for the second tunnel.
https://www.sparklabs.com/support/kb/ar ... taneously/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

ranza

Posts: 2
Joined: Wed Jan 27, 2021 6:30 am

Post by ranza » Tue Feb 02, 2021 5:43 am
Wow, thank you for the terrific answer!

Actually I've started suspecting that my question was too dumb, but you've shown excellent user support nevertheless.
Thank you once again, I'll try those approaches one by one!
3 posts Page 1 of 1