February 14th, 2008
Boy, that proprietary software stuff sucks. My company offers VPN into the company network, which is nice if you want to work from home. What's not so nice: the client is Windows only. It's a "Check Point VPN-1 SecureClient". Since Check Point stopped supporting Linux there is no way to get into the network. But wait, actually there is. With a bit of tweaking, major inconveniences and a lot of traffic overhead I can still access the VPN from my Linux box.
Our ingredients are:
- a virtual machine (guest) with a Windows installation
- an SSH server on the host machine
- PuTTY on the guest
You see, there is already a lot of infrastructural overhead involved. Now what am I up to? Here is the plan:
- Connect the Windows VM to the company VPN.
- Connect the Windows VM to the host over SSH.
- Tunnel from the local machine through the VM into the VPN.
See the last step? That's where the traffic overhead comes in: every byte is sent twice, once over the SSH session between host and guest (which goes the long way round, via your public address) and once over the VPN from the guest to the server.
Okay, if you still want to do this, here is a short How-To.
Host means the machine you are working on and from which you want to access the VPN. It is Linux and for now not allowed into the VPN (which is about to change).
Guest is the virtual machine you have to set up running Windows. This machine typically runs on the same hardware as the host.
On the host:
1. install an SSH server
- apt-get install ssh
2. configure the firewall. These are iptables rules (iptables-save syntax); adapt them if you use something else. They allow incoming SSH connections, IKE (UDP 500, plus TCP 500 for Check Point's IKE over TCP), IPsec NAT traversal (UDP 4500) and UDP encapsulation (2746 and 34590). Two caveats: the rules are stateless, so they accept any inbound packet whose source port happens to be 500, 4500, 2746 or 34590; if your firewall uses connection tracking, replace those INPUT rules with a single -m state --state ESTABLISHED,RELATED rule so that only replies to the guest's own traffic get in. And the IKE/NAT-T/encapsulation rules only matter on the host if the guest's traffic leaves through the host's own IP stack (NAT or user-mode networking); a bridged guest talks to the VPN gateway without passing the host's INPUT and OUTPUT chains.
################# VPN through VM ######################
#### SSH server
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT
#### Internet key exchange (IKE)
-A INPUT -p udp --sport 500 -j ACCEPT
-A OUTPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p tcp --sport 500 -j ACCEPT
-A OUTPUT -p tcp --dport 500 -j ACCEPT
#### IPsec NAT-Traversal
-A INPUT -p udp --sport 4500 -j ACCEPT
-A OUTPUT -p udp --dport 4500 -j ACCEPT
#### UDP Encapsulation Mode
-A INPUT -p udp --sport 2746 -j ACCEPT
-A OUTPUT -p udp --dport 2746 -j ACCEPT
-A INPUT -p udp --sport 34590 -j ACCEPT
-A OUTPUT -p udp --dport 34590 -j ACCEPT
On the guest:
1. install the Check Point VPN client
2. install PuTTY
Then configure PuTTY:
1. First, point PuTTY at the public IP address of your host. If the host sits behind a router, use the router's public IP (the router must forward port 22 to the host, see below).
- Hostname: Host public IP
2. Then set up a reverse tunnel (PuTTY calls this a Remote tunnel: the listening end is on the host, the connection is made from the guest) for each connection you want. Below I describe two connections. The first is to an HTTP server which serves web pages. The second tunnels to an SVN repository (svnserve's default port, 3690). Replace SERVER-YOU-WANT-TO-CONNECT-TO with the VPN-side IP of the server you want to reach!
- Connection -> SSH -> Tunnels
  - Tunnel 1
    - Source port: 10080
    - Destination: SERVER-YOU-WANT-TO-CONNECT-TO:80
    - select Remote -> Add
  - Tunnel 2
    - Source port: 13690
    - Destination: SERVER-YOU-WANT-TO-CONNECT-TO:3690
    - select Remote -> Add
3. connect to the VPN
4. open the SSH connection to the host with PuTTY (the tunnels are set up when the session opens)
Now it's time for the big moment. To browse the target web server open a browser on the host and go to localhost:10080. To work with the repository connect to localhost:13690. As you can see, the ports are the ones you gave PuTTY in the guest. PuTTY starts a normal SSH session, but also asks the host's sshd to listen on 127.0.0.1:10080; a connection there is carried back over the SSH session to PuTTY on the guest, which then opens the connection to SERVER-YOU-WANT-TO-CONNECT-TO:80 across the VPN. And that is what connects you to your VPN.
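The same reverse tunnels from the command line, as an added example that is not part of the original post: plink.exe (PuTTY's command-line client) and OpenSSH's ssh both accept -R HOSTPORT:VPNSERVER:SERVERPORT, so one mapping list serves a Windows guest (plink) or a Linux guest (ssh). The script goes a little beyond the post's two tunnels: it validates every mapping before dialling, so a typo cannot quietly open a wrong port, and it includes a host-side check that the listeners actually came up. The addresses, the client name and the user@host target are placeholders I chose for the example, not the post's real servers.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds and starts the
# reverse (remote) forwards that the PuTTY "Tunnels" dialog configures.
# Mapping syntax: HOSTPORT:VPNSERVER:SERVERPORT, e.g. 10080:10.1.2.3:80
# (VPNSERVER must be reachable from the guest, i.e. through the VPN).

# Validate one mapping. Returns non-zero for anything malformed.
# Assumes a dotted-quad or hostname as server; IPv6 literals (extra colons)
# are rejected by this simple split, which is the safe direction to fail.
valid_map() {
  map=$1
  case "$map" in
    *:*:*) ;;
    *) return 1 ;;
  esac
  hp=${map%%:*}          # port sshd on the host will listen on (127.0.0.1)
  rest=${map#*:}
  srv=${rest%:*}         # VPN-side server the guest connects to
  sp=${rest##*:}         # port on that server
  for p in "$hp" "$sp"; do
    case "$p" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  done
  [ -n "$srv" ] || return 1
  return 0
}

# Turn a list of mappings into "-R ..." arguments on one line, no trailing space.
tunnel_args() {
  out=''
  for map in "$@"; do
    valid_map "$map" || { printf 'bad tunnel mapping: %s\n' "$map" >&2; return 1; }
    out="${out:+$out }-R $map"
  done
  printf '%s\n' "$out"
}

# Start the tunnels. -N means "no remote shell, only forwards" for both ssh
# and plink. The host-side listeners bind 127.0.0.1 unless sshd has
# GatewayPorts enabled, which is what we want: only the host should use them.
# Usage: start_tunnels plink user@HOST-PUBLIC-IP 10080:10.1.2.3:80 13690:10.1.2.3:3690
start_tunnels() {
  client=$1; target=$2; shift 2
  args=$(tunnel_args "$@") || return 1
  # $args is intentionally word-split into separate -R arguments
  "$client" -N $args "$target"
}

# On the host: confirm a reverse listener is up before trusting the tunnel.
# Uses ss (iproute2) and falls back to netstat on older systems.
tunnel_listening() {
  port=$1
  if command -v ss >/dev/null 2>&1; then
    ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$port[[:space:]]"
  else
    netstat -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$port[[:space:]]"
  fi
}
```

With the session open, `tunnel_listening 10080` on the host should succeed; if it does not, the forward was added as Local instead of Remote in PuTTY, or sshd refused it (check the PuTTY event log and the host's auth log).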
If it is not working, check that the router forwards connections on port 22 to your host. Keep in mind that this exposes sshd to the Internet: use key authentication and turn off password logins (PasswordAuthentication no in sshd_config), and if the router allows it, restrict the forward to known source addresses.