[Support Request] Bypassing firewall/proxy

Official client software for OpenVPN Access Server and OpenVPN Cloud.
paradox
OpenVpn Newbie
Posts: 8
Joined: Mon Jan 20, 2014 4:36 pm

Post by paradox » Mon Jan 20, 2014 4:41 pm

Hi,

I've got OpenVPN Connect on my Android (Nexus 5, KitKat, Cataclysm ROM) set up and working flawlessly in order to connect to the OpenVPN server running on my WRT45GL router running Tomato firmware in order to redirect traffic through the router on my home connection.

I've tested it using my mobile data connection, and it works perfectly.

I'm trying to get it working at college, where they have a firewall/filter in place - I can provide more detailed info about the setup etc, as long as that's perfectly fine to discuss here, let me know and I'll give more detailed info.

Thanks in advance.

Post by paradox » Mon Jan 20, 2014 7:16 pm

Alright then, so I guess it's alright to talk about bypassing firewalls etc.

I already thought of using https to get through it, after trying 22, 23, 80, etc - tried using PuTTY before this also.
No idea if removing my IP is necessary at all for security but I did it anyway.

Here's my android connected to the VPN over mobile data:
http://i.imgur.com/xyPCBct.png
All web-access works, and I can access my router using this tunnel.

.ovpn settings file

Server settings on my router:
http://i.imgur.com/CTXHbyg.png
http://i.imgur.com/Uadoalw.png
I'm using certs/keys and Diffie Hellman parameters.

Attempting connection using college WiFi log:
http://i.imgur.com/jS9mWVD.png

College WiFi connection info:
http://i.imgur.com/F1oAm82.png

Various things using dSploit to find open ports etc on the connection, maybe this will help:
http://i.imgur.com/zfu6Jkr.png
http://i.imgur.com/5SuNsu5.png
http://i.imgur.com/nGkxjEU.png
http://i.imgur.com/fwqJelV.png

Post by paradox » Mon Jan 20, 2014 8:47 pm

debbie10t wrote:
paradox wrote: so I guess it's alright to talk about bypassing firewalls
You can discuss it but your college may not be pleased that you are trying .. it is also possible they block your openvpn traffic in other ways than simple port numbers. You may want to search your college websites for information relating to using a VPN as they may have specific rules and/or help for you.
Well that all goes without saying, which is why I wanted to check it was ok to discuss it.

So, can anyone offer any ideas?

Post by paradox » Mon Jan 20, 2014 9:28 pm

Alright, well, I have a couple of ideas that I've toyed around with using PuTTY in the past, but I can confirm a stable connection from an outside source (my mobile data network, not wifi, connecting to my home router)

This is the router showing the connection from my phone using mobile data: http://i.imgur.com/xyPCBct.png

Showing the stable connection in the app: http://i.imgur.com/ym9lnAG.png

The college's open wifi requires authentication, at the address: 172.29.0.96:442
Once authenticated, the addresses are all 10.120.0.2 as in the other screenshots.

Nothing works unless authenticated, let alone the OpenVPN connection.
However once connected, I can reach https websites, so as indicated here: http://i.imgur.com/nGkxjEU.png port 443 must be open, which is why I chose it for my server, but it isn't connecting - surely, because it's https, there's no way that they can identify what kind of traffic is going through it, and specifically block an openvpn connection? (I'm just guessing based on limited knowledge here)

If that is somehow the case, is there any way to mask or make the openvpn connection appear as a regular https website request or something to that effect? Or am I completely off-base here?

Post by paradox » Mon Jan 20, 2014 10:02 pm

debbie10t wrote:
paradox wrote: surely, because it's https, there's no way that they can identify what kind of traffic is going through it, and specifically block an openvpn connection? (I'm just guessing based on limited knowledge here)

If that is somehow the case, is there any way to mask or make the openvpn connection appear as a regular https website request or something to that effect? Or am I completely off-base here?
It is entirely possible for your college to recognise OpenVPN traffic regardless of what port you try to use - Deep packet inspection does exactly this.

As for disguising OpenVPN traffic to look like HTTPS traffic ... erm NO !

The battle between control and freedom is long and on-going.

If you have verified that you can use your VPN using HTTPS port with your mobile data network then it is fairly likely that you are being blocked elsewhere, in this case, most likely your college. There are some odd tricks you might be able to try but I cannot help you with them and they may not even be possible with your phone. You can try the #OpenVPN IRC Channel on freenode.net - Or, given time, somebody else may be able to offer you further advice here on the forum.
I see, thanks for the info.
And just for the record, it's not that I'm trying to do anything malicious, it's really just an exercise in, well, fun, to try and get it done. Being able to access files on my PC remotely from the college would be useful too. Any websites that they block access to I can simply use my mobile data, so that's not really that important, except that the mobile data in the college, for some reason, is horrendous. Everybody's phone has a terrible data connection there, even near windows etc - could they be also using some kind of, I don't know, device to try and quash mobile data connections there too somehow?

Anyway, I posted here as a last resort since I don't know what else I can try that I already haven't, so I'm hoping someone comes along with more knowledge in the area.

Thanks again.
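
The deep packet inspection point quoted in the post above, as an added example that is not from any poster in this thread: a classifier run over the first client bytes of a TCP connection to port 443, showing that an OpenVPN-over-TCP session opens differently from a TLS ClientHello. The function names and both sample byte strings are constructed for illustration (the OpenVPN sample is a hard-reset packet without tls-auth).

```python
import struct

# Client-side session-opening opcodes from the OpenVPN wire protocol.
# The opcode is the high 5 bits of the first packet byte; the low 3 bits are the key id.
OPENVPN_CLIENT_RESETS = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
# Smallest reset packet: opcode(1) + session id(8) + ack count(1) + packet id(4)
MIN_RESET_LEN = 14

def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP stream."""
    if len(payload) < 6:
        return "unknown"
    # TLS: record type 0x16 (handshake), major version 3, handshake type 1 (ClientHello)
    if payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-client-hello"
    # OpenVPN over TCP: 16-bit big-endian packet length, then the opcode/key-id byte
    pkt_len = struct.unpack("!H", payload[:2])[0]
    opcode, key_id = payload[2] >> 3, payload[2] & 0x07
    if (opcode in OPENVPN_CLIENT_RESETS and key_id == 0
            and MIN_RESET_LEN <= pkt_len <= len(payload) - 2):
        return "openvpn:" + OPENVPN_CLIENT_RESETS[opcode]
    return "unknown"

def flag_non_tls(flows):
    """Return ids of port-443 flows whose first bytes are not a TLS ClientHello."""
    return [fid for fid, dport, data in flows
            if dport == 443 and classify_first_bytes(data) != "tls-client-hello"]

# Constructed samples (not captured traffic).
OPENVPN_SAMPLE = (struct.pack("!H", 14) + bytes([0x38]) + bytes(range(8))
                  + b"\x00" + b"\x00\x00\x00\x00")
TLS_SAMPLE = bytes.fromhex("16 03 01 00 05 01 00 00 01 00")  # truncated ClientHello

if __name__ == "__main__":
    flows = [("flow-a", 443, TLS_SAMPLE), ("flow-b", 443, OPENVPN_SAMPLE)]
    for fid, _, data in flows:
        print(fid, classify_first_bytes(data))
    print("flagged:", flag_non_tls(flows))
```
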

Post by paradox » Mon Jan 20, 2014 10:41 pm

debbie10t wrote:
paradox wrote: just for the record, it's not that I'm trying to do anything malicious
No problem .. at the forum we do not question why people want to use OpenVPN and we try to help where possible. Once again, I advise you to ask your college what their policy on private VPNs is .. they will be able to give you a clear and useful answer (although possibly not one you want to hear).
Yeah, I'm fairly sure it wouldn't be allowed, otherwise it wouldn't be so difficult to get it working.
Perhaps I can talk to a network technician directly and ask for some kind of access for my login through that port.

Could it be that I need to set up the openvpn connection to go through their proxy? When authenticated with it, only browser applications on my phone work - no connection with any other apps. So, the openvpn app isn't using the proxy, it's just trying to directly connect.

So, what I know is:
Authentication requires going to the page http://172.29.0.96:442

This, I'm assuming, is their proxy/gateway.
http://openvpn.net/index.php/open-sourc ... .html#http
Suppose the HTTP proxy requires NTLM authentication:

http-proxy 172.29.0.96 442 stdin ntlm
If I set it to use a proxy at that address/port, perhaps it would prompt for authentication, and then allow access through the android app connection?

I found this http://hints.macworld.com/article.php?s ... 4072524306 which will require some reading. I'll have to set up some multiple .ovpn configs and try them.

Post by paradox » Tue Jan 21, 2014 10:12 am

Alright. Tried 16 different .ovpn files with different ports on both the proxy IP and the IP it gives of the subnet when connected, nada.

Using my default .ovpn and adding the proxy in the OpenVPN Connect app seems to get me slightly further.

I get this when attempting to connect:
http://i.imgur.com/9Pxutee.png
http://i.imgur.com/shhfdik.png
http://i.imgur.com/shhfdik.png

I've googled the error and can't find anything about it. I'm guessing that the proxy is expecting some kind of specific response in order to login.

Any ideas, anyone?

If not, my next idea is to sniff the packets of the browser app as I authenticate to the network through it, and/or view the source of the authentication page to see if that reveals any information that could help.
