
(open)VPNing through IP-Filtered Firewall



Hey Hak5'ers,

I'm quite new to this community, as you might notice, but I'm a big fan of the episodes ;). After the second last episode (Episode 512) I decided to ask around here about a VPN idea I have had for ages but never really realised.


I'm on a university campus that has an open network structure between all student PCs. This is nice, so you can share data over the network by using SMB (Samba) shares. I have my own server running on the campus, Windows 2003 RC2 (yeah, that's nasty :P), with a static IP reachable from outside the campus of course. It runs a webserver, TeamSpeak, FTP and, of course, it has a lot of stuff on it.

[The Idea]:

When I am at home I would like to connect to the network (shares) through a VPN running on my server. This by NATting or masquerading the client on the network.


- The university has a firewall that only allows a certain IP range to connect to the inner network.

- The DHCP server (of course) won't give you an IP unless it is registered (bound by MAC) in their system.

[What I tried]:

- Normal Windows VPN with random IP

I tried to set up a Windows VPN service but I have to assign all clients an IP. The problem is I can't assign a random IP in the allowed range because this would cause IP conflicts, and then... you get a call pretty quick about what you're trying to do...

- Windows VPN in combination with NAT

Well, this should give your clients outside the network the same IP as the server so they can happily go around the network without being suspicious. The only problem is... you have to select 2 devices for Windows to create a NATted VPN connection. The only problem is that those NICs are both connected to the same network...

You pretty much feel it coming already... I crashed the whole network for all students on the campus because my server was acting as the main DHCP and all traffic was redirected through my server.

[The Question]:

Is there a way to connect to the network using VPN and spoofing the client's IP as the IP of the server and browse the network (Samba)? I heard of a program called OpenVPN but didn't find a tutorial for spoofing an IP.

Maybe this is a stupid question and the answer is fairly simple. But I had some unsuccessful tries and crashed the network a couple of times, so I thought it was time to ask for some help.




Spoofing an IP and using a VPN will never mix. The IP address is typically rolled into the certificate exchange during the VPN (IKE handshake) setup. So you need to be the IP address that you are advertising you are. It also makes a difference if we're talking split tunnel vs full tunnel.

VPN behind a NAT router works because there is a 1 to 1 translation. Dynamic NAT and VPN only works up to a point, GRE is on port 0, so only 1 person at a time can use a GRE tunnel run behind a dynamic NAT router.

We can get this more complicated if you want. :)

If your server is one of those IP addresses that is not dynamic and is reachable, you can get to it. Install OpenVPN, google for a tutorial and go. It'll work fine. You can browse that network because your server will NAT you to its own IP (in a full tunnel mode). You won't be browsing that network if you use split tunnel.

If you think all this is too complicated to get going, install Hamachi on the server and your other PCs and call it a day. Should take about 15 mins to finish that project.
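
The full tunnel versus split tunnel distinction in the reply above comes down to the client's routing table, shown here as an added example that is not part of either post. All addresses are constructed from documentation ranges, the `tun0`/`home-gw` names are assumptions, and the two `/1` routes are what OpenVPN's `redirect-gateway def1` option installs.

```python
import ipaddress

# Constructed sample addressing (RFC 5737 documentation ranges), not from the thread.
TUNNEL_NET = "10.8.0.0/24"       # assumed VPN subnet
SERVER_LAN_IP = "192.0.2.10"     # assumed static address of the VPN server on its LAN
HOME_PUBLIC_IP = "203.0.113.7"   # assumed public address of the home connection

# Routing table of the home client before the VPN comes up.
HOME_DEFAULT = [("0.0.0.0/0", "home-gw")]
# Split tunnel (as assumed here): only the VPN subnet is routed into the tunnel.
SPLIT_TUNNEL = HOME_DEFAULT + [(TUNNEL_NET, "tun0")]
# Full tunnel: "redirect-gateway def1" adds two /1 routes that together cover
# all of IPv4 and win over the /0 default because they are more specific.
FULL_TUNNEL = SPLIT_TUNNEL + [("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0")]


def egress(routes, dst):
    """Longest-prefix match: return the interface used to reach dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), dev) for net, dev in routes
               if addr in ipaddress.ip_network(net)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def source_seen_by(routes, dst):
    """Source address that a host on the server's LAN observes for the client."""
    if egress(routes, dst) == "tun0":
        # The server NATs tunnel clients to its own LAN address, so an
        # IP-based filter or log attributes the traffic to the server.
        return SERVER_LAN_IP
    # Traffic left via the home gateway and arrives from the home address.
    return HOME_PUBLIC_IP


if __name__ == "__main__":
    lan_host = "192.0.2.50"  # constructed host on the server's LAN
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, egress(table, lan_host), source_seen_by(table, lan_host))
```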
