Hi Jonathan - On Jul 30, 2009, Jonathan Bennett wrote:
> First off, fwknop is a great piece of software. I'm using it in
> several different environments, with no problems. However, I've found
> one situation that does present a problem.
>
> A good friend of mine has a network in a non-ideal environment.
> There is a forced, authenticating HTTP proxy, but it isn't transparent.
> Any communication with the Internet has to go through that proxy, but
> the http requests must be sent to the proxy.
>
> We've gotten OpenVPN through this proxy, using that program's built
> in http encapsulation option. It also allows us to specify the proxy. I
> am providing the endpoint for that VPN, however I would like to secure
> my network here at home. I will leave port 80 open, and run a simple web
> site on Apache. Fwknopd is quite content to watch the http traffic for a
> valid SPA.
>
> I know that the --HTTP option in fwknop encapsulates a SPA in an
> HTTP request. At the moment, however, I can't come up with a good way to
> get that request to go through the proxy.

I suspect that the fwknop client is not able to create a "sufficiently valid" HTTP request according to what the proxy requires. For example, fwknop does not ensure that the SPA packet data starts with "/", and it also does not append, say, ".html" at the end (although hopefully the proxy doesn't actually require the latter since lots of web traffic doesn't necessarily conform to this). Also, if you are using GnuPG, then the resulting SPA packet data is most likely about 1,000 bytes long, so this may look suspicious to the proxy.

Do you know what rules the proxy enforces? You can monitor the requests that make it to your home webserver, correct? Can you try the following to see if the SPA data makes it through the proxy?:

- Use the fwknop client to build an SPA packet, and use the "-v" option so that the SPA packet data will be printed on stdout.
- Take the SPA packet data and use wget on the command line to manually build an HTTP request with this data. However, add "/" to the beginning of the data, and append ".html" to the end.
- You can try this with both Rijndael and GnuPG, but I would try with Rijndael first (just don't use any --gpg options).

Please note that -v works with the new fwknop-c client too.

If the above results in any of your SPA packets getting through the proxy as a valid HTTP request, then I will add support for this to the fwknop client (and the server will require a small modification too).

Oh, one more thing, the fwknop-1.9.12-pre6 release did include one small change to build HTTP requests with SPA data such that the request uses the pre-DNS resolution hostname instead of the IP (if you provided a hostname with -D on the fwknop command line). This change was made to allow webservers to see the hostname so they can apply things like virtual hosting configs, etc.

Thanks,

--Mike

> Thanks again,
> Jonathan Bennett

_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
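Both halves of the experiment Mike describes, as an added example that is not fwknop's own code: wrapping the SPA data in a "/...html" path (using the absolute-URI request line a forward proxy expects) and, on the server side, pulling the data back out of the request line. The host name and the SPA string are constructed placeholders, and the extractor only locates candidate data; whether it is a real SPA packet is still decided by decryption.

```python
import re

# Constructed stand-in for the base64 text printed by "fwknop -v"; not a real packet.
SAMPLE_SPA = "U2FtcGxlU1BBcGFja2V0ZGF0YQ"


def build_http_request(spa_data, host, via_proxy=False):
    """Wrap SPA data in a GET request the way the thread proposes:
    the path starts with "/" and ends with ".html".  A request sent to a
    forward proxy carries the absolute URI in the request line, so the
    proxy knows where to forward it; a direct request carries the path only."""
    path = "/" + spa_data + ".html"
    target = "http://" + host + path if via_proxy else path
    return "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (target, host)


# Request line with an optional scheme://host prefix (absolute URI), a leading
# "/", a run of base64-style characters, and an optional ".html" suffix.
_SPA_LINE = re.compile(
    r"^GET (?:https?://[^/\s]+)?/([A-Za-z0-9+/=_-]+)(?:\.html)? HTTP/1\.[01]\r?\n"
)


def extract_spa_data(raw_request):
    """Server-side counterpart: recover the SPA data from the request line,
    tolerating the "/" prefix, the ".html" suffix and the absolute-URI form.
    Returns None when the request line does not look like wrapped SPA data
    (for example an ordinary "/favicon.ico" fetch)."""
    m = _SPA_LINE.match(raw_request)
    return m.group(1) if m else None


if __name__ == "__main__":
    req = build_http_request(SAMPLE_SPA, "home.example.net", via_proxy=True)
    print(req)
    print("recovered:", extract_spa_data(req))
```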
