
Critique my idea for specialized routing/proxy/vpn/tunneling software

Status
Not open for further replies.

ESquared

Programmer
Dec 23, 2003
6,129
US
I can't really figure out what forum to ask this in. It's really a networking question, but right now it's not about any particular brand or technology or even programming language. So if you think there's a better forum to ask this in, please let me know.

The goal

Perform regular internet activity of any kind from a location that only allows port 80 traffic over its firewall. Bonus: encrypt all traffic.

Resources

I have a spare computer at home that is reachable over the internet and can have any software loaded or be configured in any way. I am using dynamic DNS for it.

Ideas so far

• Install VPN software at home, create a VPN tunnel over port 80 to that system, use a pre-built proxy server or just use RDP to remote control the computer and do what I want. Problems: clunky (working inside of an RDP window). Requires installing VPN client software on local computer. Requires double-downloading: once to home computer, once to firewalled computer. Not sure if any VPN software will let me use port 80. I might be able to use the home internet connection directly via being virtually on my home LAN, but then there are routing problems. I want some programs and instances to use the proxy, but others not to.

• Use the VPN with a local virtual machine that can have its routing table rewritten (answering one of the problems of the previous point but adding the additional problem of installing a virtual machine).

• Use an anonymizer/web proxy such as these (www.freeproxy.ru/en/free_proxy/cgi-proxy.htm). Problems: doesn't work for every ftp site. Secure data is exposed to third party. Not 100% reliable. Sites may be blocked by firewall. Doesn't support things like remote desktop. Doesn't help me reach inside my own home firewall to do things on my home computer.

• Write my own application that does these routing/proxy/tunneling functions.

Let's say I want to connect to ftp://ftp.somesite.com:21/filename.zip.

what if I construct a URL to talk to my application at mydomain.com, like so:

    ftp://port-21.ftp.apple.com.proxy.mydomain.com:80/file.zip

This would be an instruction to my application to basically be a router, converting my port 80 connection to it to a port 21 connection to ftp.apple.com/file.zip.

- It wouldn't need to know the protocol because it is only relaying traffic back and forth.
- It would simply forward every packet between me and the ftp site, doing a flip of the ports

Or let's say I wanted to do some banking at https://www.wamu.com;
it could be something like this:

    https://port-443.ssl-intermediate.url-rewrite.prot-https.www.wamu.com.proxy.mydomain.com:80

This would instruct the software to act as a web server insofar as it decrypts the SSL session to do any necessary URL rewriting in the transmitted page, then establishes its own connection to https://www.wamu.com:443.

I was thinking about representing the information in the domain name because of cases where the connection I want to make does not use directories (such as RDP) so I couldn't use a scheme like:

    proxy1:port1/proxy2:port2/www.address.com/url

or

    http://proxy1:port1/-_-/http://proxy2:port2/-_-/http://www.address.com/url

I already confirmed that using dynamic DNS I can add all the garbage I want in front of the real domain name. If it is mydomain.com, using anything.I.want.here.mydomain.com works. And at least for web requests, I should see in the headers what page is being requested. Of course, I am not so sure that I can read out the full-text domain name for things like an RDP connection, so that's a big problem.

So maybe I could do something like a mix of the VPN + the proxy/routing application. Or perhaps I could always submit two requests! The first could be information about how to handle the next request from me. Then the next request works correctly.

Okay, so totally aside from working out the details of this imagined program, does anyone have ideas about how to accomplish what I want?

Have I overlooked something obvious? Are one of the options I mentioned easier than I think? Are there additional options I am not aware of? Is there some big roadblock to my idea?

And if such an application DID exist as what I just described, would it be valuable to you? Would you pay for it?

Erik

For SQL and technical ideas, visit my blog, Squared Thoughts.

The best part about anything that has cheese is the cheese.
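The hostname-encoded addressing in the post above, worked through as an added example (this is not the original poster's code; nothing of the kind was posted in the thread): a parser that pulls target host, port, protocol and flags out of a name such as port-21.ftp.apple.com.proxy.mydomain.com, the Host-header extraction that is the only place a plain port-80 listener actually learns that name (an FTP or RDP client never sends it, which is exactly the gap the post raises for non-web protocols), and a protocol-agnostic byte relay that forwards each EOF as a half-close. The label names and proxy.mydomain.com come from the post; ALLOWED_TARGETS, every function name and the sample FTP exchange are assumptions. The allowlist is there because a relay reachable from the Internet with no destination restriction is an open proxy anyone can bounce through.

```python
"""Hostname-encoded tunnel target parser plus a raw TCP relay.
Added example for this thread, not the poster's code.  Label names (port-N,
prot-X, ssl-intermediate, url-rewrite) and the proxy.mydomain.com suffix come
from the post; ALLOWED_TARGETS and the function names are assumptions."""
import re
import select
import socket
import threading
from dataclasses import dataclass
from typing import Optional, Tuple

PROXY_SUFFIX = "proxy.mydomain.com"
FLAG_LABELS = {"ssl-intermediate", "url-rewrite"}   # instruction labels in the post
# Assumed allowlist: without one an Internet-reachable relay is an open proxy
# that anyone can bounce through (the objection raised later in the thread).
ALLOWED_TARGETS = {("ftp.apple.com", 21), ("www.wamu.com", 443)}

@dataclass(frozen=True)
class TunnelTarget:
    host: str
    port: int
    protocol: Optional[str] = None
    flags: frozenset = frozenset()

def parse_tunnel_host(name: str, suffix: str = PROXY_SUFFIX) -> TunnelTarget:
    """Decode 'port-443.ssl-intermediate.prot-https.www.wamu.com.<suffix>'.
    Instruction labels are consumed left to right; the first label that is not
    one starts the real target host.  A missing or bad port is rejected, not defaulted."""
    name = name.lower().rstrip(".")
    if not name.endswith("." + suffix):
        raise ValueError(f"{name!r} is not under {suffix}")
    labels = name[: -(len(suffix) + 1)].split(".")
    port, proto, flags, i = None, None, set(), 0
    while i < len(labels):
        label = labels[i]
        m = re.fullmatch(r"port-(\d{1,5})", label)
        if m:
            port = int(m.group(1))
        elif label.startswith("prot-") and len(label) > 5:
            proto = label[5:]
        elif label in FLAG_LABELS:
            flags.add(label)
        else:
            break
        i += 1
    host = ".".join(labels[i:])
    if not host or port is None or not 1 <= port <= 65535:
        raise ValueError(f"no usable target in {name!r}")
    return TunnelTarget(host, port, proto, frozenset(flags))

def target_from_http_request(raw: bytes) -> TunnelTarget:
    """Only HTTP carries the name the relay was reached under (Host header); FTP/RDP never do."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "host":
            return parse_tunnel_host(value.strip().split(":")[0])
    raise ValueError("request has no Host header")

def is_allowed(target: TunnelTarget, allowed=ALLOWED_TARGETS) -> bool:
    return (target.host, target.port) in allowed

def relay(a: socket.socket, b: socket.socket, bufsize: int = 65536) -> Tuple[int, int]:
    """Copy bytes a<->b until both directions hit EOF; returns (a->b, b->a) byte counts.
    Nothing is parsed, and each EOF is forwarded as a half-close so the peer can flush."""
    peer, sent, live = {a: b, b: a}, {a: 0, b: 0}, {a, b}
    while live:
        readable, _, _ = select.select(list(live), [], [])
        for s in readable:
            data = s.recv(bufsize)
            if not data:
                try:
                    peer[s].shutdown(socket.SHUT_WR)
                except OSError:
                    pass
                live.discard(s)
                continue
            peer[s].sendall(data)
            sent[s] += len(data)
    return sent[a], sent[b]

def demo_relay_over_socketpairs() -> Tuple[bytes, bytes, Tuple[int, int]]:
    """relay() between two socketpairs standing in for client and FTP server; constructed traffic."""
    client, relay_in = socket.socketpair()
    relay_out, server = socket.socketpair()
    result = []
    t = threading.Thread(target=lambda: result.append(relay(relay_in, relay_out)))
    t.start()
    client.sendall(b"USER anonymous\r\n")                   # client -> relay -> server
    got_by_server = server.recv(1024)
    server.sendall(b"331 Please specify the password.\r\n")  # server -> relay -> client
    got_by_client = client.recv(1024)
    client.shutdown(socket.SHUT_WR)       # client hangs up; the relay half-closes towards the server
    server.recv(1024)                     # server sees that EOF ...
    server.close()                        # ... and closes, so the relay's second direction ends too
    t.join(5)
    for s in (client, relay_in, relay_out): s.close()
    return got_by_server, got_by_client, result[0]
```

Run it directly and demo_relay_over_socketpairs() shows both directions being copied with no knowledge of FTP. In a real deployment the listener would accept on port 80, read just enough of the first request to find the Host header, check is_allowed(), connect to the target and hand both sockets to relay(); the bytes already consumed while looking for the header must be written to the target before the relay starts.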
 
I went to a children's hospital a month ago. I ran out of time to set up my laptop, so I planned to connect to my home computer and ftp some files from there, only I couldn't, because they only allowed port 80. I couldn't ftp. I couldn't RDP. I couldn't VPN. I was stuck idle because I didn't have the files I needed to do the work I needed to do.

"FTP via web" sites failed to connect to my home computer. I went through huge shenanigans to connect to another computer via Remote Desktop web, then ftp home, download the files, package them in chunks of no more than 10 mb each, email them to myself using a web mail client, and then download the files. It took hours.

The next time I am stuck behind a port-80-only firewall, I'd like to not be handicapped, without needing to have done any special anticipatory preparation.

Is that so hard to understand? Honestly, I don't get why you don't get it! Even if you don't think it's useful, are you willing to help me realize my goal?

I also enjoy programming as a hobby as well as by profession. Writing a router/tunnel/proxy such as this sounds like a load of fun. But I'd rather work on software that doesn't exist out there or is useful, so along with having fun and hopefully learning something, I also perhaps get a chance to make some money from my efforts.
 
I look at my firewall every now and again, and the amount of attacks I have on port 80 (and some others) is astonishing.

So, you want to open up a port that will allow gray/blacks onto your PC? You're mad.
 
I'll put the server into a DMZ, heck I'll put it in its own subnet. And I could make it have no other ports open. And with either this computer or my firewall I can deny all but a specific IP range that I know I'm coming in on. Heck, I can set up some scripting so that I can send myself an email with the port list to open, and the script logs into my firewall and opens only the port I'll connect from. There are all sorts of ways to make it secure.

In any case, so what if I'm mad? I'll address security when the time comes. I see no reason that the thing can't be made secure enough. I can run it on an old pentium computer that has nothing worth attacking. All it will do is allow connections through it, kind of like an anonymizer service or ftp-via-web service does. What's the problem?

And what are "gray/blacks"?

 
Well, I was going to write hackers but that is unfair to the proper white hats...

Back to the original question... I have thought about this myself; it could be possible with two options:

1) An HTML-based remote control with file system
2) Client- and server-based applications

The first would be the easiest to write as the client is already done. You would really be creating a fancy web server.

The second is harder, but more secure. You could create your own protocol, a telnet sort of system for which you can create your own front end for viewing files, etc.

Both could be built into a form of remote control with desktop viewer; the Win32 APIs could help you there (capture screen -> compress -> send to client).

My smoothy (firewall) has a web-based remote control; it also allows me to view the bash screen for admin work. It's done with a Java applet, but it could be done with JavaScript.

The rest of what you have said is also possible. I have created my own proxy server using VB.NET. It currently services 11 PCs at a customer's site. It does some fancy stuff to scan each page for content...

You could create a proxy server to find the url's and change them so that they point back to your own server (like you described above).

Using encryption with a browser could be a problem as the default is port 443. It may work if you reference it to port 80 (
But this is now looking more like an asp.net project?
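The URL-rewriting proxy the reply above describes, as an added example that is neither the replier's VB.NET code nor the original poster's: every href/src/action is resolved against the page's real URL and re-encoded into the label scheme from the first post, with the relay's port 80 in the netloc so the browser never tries 443 (the point just raised about the default encrypted port). The label scheme and proxy.mydomain.com come from the thread; DEFAULT_PORTS, the attribute regex and the function names are assumptions. Two caveats a practitioner would want: the relay terminates TLS on these long names, so the browser needs a certificate it trusts for each of them, and a wildcard certificate for *.proxy.mydomain.com matches only one label, not port-443.prot-https.www.wamu.com.proxy.mydomain.com; and a regex over three attributes misses URLs in CSS, scripts and meta refresh, which is why a production rewriter walks the DOM instead.

```python
"""URL rewriting for the relay's hostname-encoded addressing.
Added example for this thread, not the replier's or the poster's code.  The
label scheme follows the first post; DEFAULT_PORTS, ATTR_RE and the function
names are assumptions."""
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

PROXY_SUFFIX = "proxy.mydomain.com"
PROXY_PORT = 80                                  # the only port the hospital lets out
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}
# Demo-grade: only href/src/action in quotes.  A real rewriter must also handle
# CSS url(), inline script and meta refresh, so it should walk the DOM instead.
ATTR_RE = re.compile(r"""(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["'])(?P<url>[^"']*)(?P=q)""", re.I)

def encode_target(url: str, suffix: str = PROXY_SUFFIX, proxy_port: int = PROXY_PORT) -> str:
    """'https://www.wamu.com/x' ->
    'https://port-443.ssl-intermediate.url-rewrite.prot-https.www.wamu.com.<suffix>:80/x'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return url                               # mailto:, javascript:, data: ... left alone
    port = parts.port or DEFAULT_PORTS[scheme]
    labels = [f"port-{port}"]
    if scheme == "https":                        # relay must terminate TLS to rewrite the body
        labels += ["ssl-intermediate", "url-rewrite"]
    labels += [f"prot-{scheme}", parts.hostname, suffix]
    hostname = ".".join(labels)
    # DNS limits (RFC 1035): 63 octets per label, 253 for the whole name.
    if len(hostname) > 253 or any(len(label) > 63 for label in hostname.split(".")):
        raise ValueError(f"encoded name too long: {hostname}")
    return urlunsplit((scheme, f"{hostname}:{proxy_port}", parts.path, parts.query, parts.fragment))

def rewrite_html(html: str, page_url: str, **kw) -> str:
    """Rewrite href/src/action so every link comes back through the relay.
    Relative links are resolved against the page's real URL first, so '/accounts'
    on www.wamu.com is encoded exactly like an absolute link would be."""
    def repl(m: "re.Match") -> str:
        absolute = urljoin(page_url, m.group("url"))
        return m.group("attr") + m.group("q") + encode_target(absolute, **kw) + m.group("q")
    return ATTR_RE.sub(repl, html)

if __name__ == "__main__":
    sample = '<a href="/accounts">Accounts</a><img src="https://static.wamu.com/logo.gif">'
    print(rewrite_html(sample, "https://www.wamu.com/home"))
```

The rewritten page is then served to the browser over the relay's own port 80; when the browser follows a rewritten link, the relay decodes the hostname (Host header) to learn the real destination, fetches it, and rewrites the response the same way.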
 
Sorry, I said Win32 in my last post (don't know why); it's actually the user32 and gdi32 APIs.
 
At this point the language and implementation doesn't matter. I'm hoping for brainstorming and experience from other professionals.

Thanks for the ideas so far.

 
If you need FTP on port 80, why not just enable Directory Browsing and disallow Anonymous Login? If you set up your permissions correctly, you can browse a given web-shared directory via HTTP.

I wasn’t trying to be sarcastic before. It’s a legitimate statement and question.


Senior Software Developer
 
You're right that directory browsing would work, IF I had known ahead of time I would need it. But using this method means I am restricted to only webserver functions. What if I want to reach different machines inside or outside of my firewall... telnet, FTP, remote desktop to another machine besides the web server? What if I want to connect to my SQL server?

If I could have two ports open, I could use one to manage the firewall and one for the actual connection, and change what the connection connects to whenever I wanted. But there is only one port, 80.

There are also other situations I haven't gone into in detail where an encrypted session is valuable to me and where proxying is valuable to me.

And at one point at the children's hospital their firewall software went bananas and started blocking things like yahoo mail. With a powerful application running at home like the one I'm describing, that would be no problem to me then.

 
Why not just set up a Gmail account with a GDrive: a shell extension that runs locally and uses the extra Gmail disk space like a local drive. I work at a children's hospital, so I find it hard to believe that ports 110 and 443 would be blocked, which would prevent access to webmail. Honestly, the Gmail Drive is much better than web-based FTP and gets around email attachment quotas. Get it here
 
I explored the gdrive at the children's hospital and got locked out of my account for a few hours.

The problem though was not about simple access but about time.

If I'd had the time to upload stuff to my gmail drive, I would have had the time to load it on the laptop in the first place.

Plus, I have more than 300GB of things at home that I just might want to have access to from anywhere. That's not going to fit in a google account.

Thank you for the idea, though!
 