Run VPN server on PC without admin rights

This forum is for general conversation and user-user networking.

Moderators: TinCanTech

Frederick Virchanza Gotham
OpenVpn Newbie
Posts: 3
Joined: Sat Jan 21, 2023 4:17 pm

Run VPN server on PC without admin rights

Post by Frederick Virchanza Gotham » Sat Jan 21, 2023 5:07 pm

I have access to a remote PC running Linux, and I can SSH into it, but I don't have root access. When I try to run OpenVPN as a daemon on the remote server, it fails because it can't create the 'tun' device.

I'm considering forking OpenVPN -- or starting from scratch with my own code -- so that I can run a VPN server on a remote server without admin rights. At the beginning I'll focus specifically on Linux servers, but my idea here should work fine on a MS-Windows server also.

Here's how I'll go about it:

(1) Contrary to how things normally work, the VPN client will listen on TCP port 443 for an incoming connection. (So those of us using NAT will have to go into our router settings to open a NAT pinhole to forward port 443 to our PC). UDP would be preferable but a lot of firewalls will block it.
(2) The VPN server will connect to TCP port 443 on the client.
(3) The client will have a virtual network device, and the client's routing table will route all internet traffic through the virtual network device.
(4) The server will not have a virtual network device -- because we can't create one if we don't have admin rights.

So here are the steps for how you bring the VPN connection to life and use it for IP traffic:
(1) On your laptop, you start the client program to listen on TCP port 443
(2) On your laptop, you SSH into the Linux server and start the server program to connect to your laptop
(3) So there is now a live TCP socket between VPN server and VPN client
(4) Let's say that the client wants to send a DNS lookup request to the IP address 4.2.2.1, so the client checks its routing table and sees that "0.0.0.0/0" goes through the virtual network device, and so it sends the DNS lookup to the virtual network device.
(5) The virtual network device receives the DNS lookup, and the IP packet looks something like this:

```
Source IP = 192.168.1.23
Destination IP = 4.2.2.1
Layer 4 Protocol = UDP
Source Port = 32359
Destination Port = 53
Payload = Tell me the IP of virjacode.com
```

(6) The virtual network device takes this IP packet and places it as the payload inside another IP packet to send to the Linux server
(7) The Linux server receives this packet, and the first thing it does is perform NAT to change it to something like:

```
Source IP = 10.0.0.7  (previously 192.168.1.23)
Destination IP = 4.2.2.1
Layer 4 Protocol = UDP
Source Port = 21769 (previously 32359)
Destination Port = 53
Payload = Tell me the IP of virjacode.com
```

(8) The VPN server sends this packet out on its network as it would any IP packet, and then when it receives a reply, it reverses the NAT operation and forwards the IP packet to the VPN client.

So this means that we can have a VPN server running on a remote Linux server without the need for admin rights.

Please give me your thoughts on this. Right now in my head this definitely seems possible.

I could either fork OpenVPN on Github or alternatively start from scratch with my own code. At the beginning I'd make it very very simple: i.e. maximum one client and only IPv4. Although another idea came to me just now, instead of forking OpenVPN, I could fork the SSH client program (e.g. the DropBear SSH client program) and I could add a new command-line option to it:

```
ssh user@remote_server.com --vpn on
```

So then the SSH client program could do everything by itself (i.e. create the local virtual network device and start forwarding traffic). I could put one or two more command-line options in to specify routes and whether or not to use NAT, for example:

```
ssh user@remote_server.com --vpn on --vpn-route-entry 0.0.0.0/0 --vpn-address-translation on
```

Note that I can change the SSH client program without having to make an alteration to the SSH server application.

Frederick Virchanza Gotham
OpenVpn Newbie
Posts: 3
Joined: Sat Jan 21, 2023 4:17 pm

Re: Run VPN server on PC without admin rights

Post by Frederick Virchanza Gotham » Sun Feb 12, 2023 12:52 am

I have this working now. I combined three programs into one:
* The SSH client from 'openssh'
* tun2socks from 'badvpn'
* route from 'busybox'

So at the command line you can just do:

ssh --vpn username@server

and it connects to the remote server and sets up a VPN. Most importantly though, you don't need admin rights on the remote SSH server.

Frederick Virchanza Gotham
OpenVpn Newbie
Posts: 3
Joined: Sat Jan 21, 2023 4:17 pm

Re: Run VPN server on PC without admin rights

Post by Frederick Virchanza Gotham » Wed Mar 15, 2023 10:57 am

Screenshot:

Image

yoni_ash
OpenVpn Newbie
Posts: 1
Joined: Sat Apr 15, 2023 11:33 am

Re: Run VPN server on PC without admin rights

Post by yoni_ash » Sat Apr 15, 2023 11:52 am

I stumbled upon this post while looking for a means to run a VPN server with no root privileges. I got you up to step 8:

> (8) The VPN server sends this packet out on its network as it would any IP packet, and then when it receives a reply, it reverses the NAT operation and forwards the IP packet to the VPN client.

What do you mean by

> sends this packet out on its network as it would any IP packet

How could you forward the IP packets, since it requires you to change the IP header of the packet (recreate a packet)? From what I know, that requires creating a raw socket, which in turn requires root.

You cannot create a virtual network interface on the server, thus I am not expecting you to send the received packets through the virtual interface, making changes to the IP routing table so that they reach out to some physical network interface -> INTERNET.

Or are you willing to recreate the transport layer or any other layer at the server side, like establishing your own vpn_server to remote_server connection for every vpn_client to vpn_server connection and just pass the data through (as a SOCKS proxy would do)?

I am quite new to network programming, and if there is a workaround (especially for case 1), I would really like to know.
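
An added example, not part of the thread and not the poster's code: one way an unprivileged server process can carry out steps 7 and 8 for UDP, which is the case the question above asks about. The tunnelled packet is parsed as bytes, its payload is re-sent on an ordinary datagram socket (the kernel writes the new header, which is the NAT), and the reply is wrapped in a freshly built IP/UDP header addressed to the client's original source. The function names are hypothetical, and the loopback responder is a constructed stand-in for the DNS server at 4.2.2.1.

```python
import socket, struct, threading

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    data += b"\0" * (len(data) % 2)
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_udp_packet(src, sport, dst, dport, payload: bytes) -> bytes:
    """Build IPv4+UDP as plain bytes; nothing here needs a raw socket."""
    s, d, ulen = socket.inet_aton(src), socket.inet_aton(dst), 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, ulen, 0) + payload
    ucs = csum(s + d + struct.pack("!BBH", 0, 17, ulen) + udp) or 0xFFFF
    udp = udp[:6] + struct.pack("!H", ucs) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ulen, 0, 0, 64, 17, 0, s, d)
    return ip[:10] + struct.pack("!H", csum(ip)) + ip[12:] + udp

def parse_udp_packet(pkt: bytes):
    if pkt[0] >> 4 != 4 or pkt[9] != 17:
        raise ValueError("this sketch handles IPv4/UDP only")
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return (socket.inet_ntoa(pkt[12:16]), sport,
            socket.inet_ntoa(pkt[16:20]), dport, pkt[ihl + 8:ihl + ulen])

def relay(inner: bytes, timeout: float = 2.0) -> bytes:
    """Server side of steps 7-8, using only an ordinary datagram socket."""
    src, sport, dst, dport, payload = parse_udp_packet(inner)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as out:
        out.settimeout(timeout)
        out.connect((dst, dport))   # kernel picks source IP/port: the "NAT"
        out.send(payload)           # outgoing header is written by the kernel
        reply = out.recv(65535)     # connected socket: only dst:dport accepted
    # Reverse mapping: address the reply to the client's original src:sport.
    return build_udp_packet(dst, dport, src, sport, reply)

def demo():
    """Constructed test: loopback UDP responder stands in for 4.2.2.1:53."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def answer():
        data, peer = srv.recvfrom(65535)
        srv.sendto(b"reply:" + data, peer)
    threading.Thread(target=answer, daemon=True).start()
    port = srv.getsockname()[1]
    inner = build_udp_packet("192.168.1.23", 32359, "127.0.0.1", port, b"virjacode.com?")
    return relay(inner), port
```

TCP flows need the same idea with a stream socket per connection, which means the client side has to terminate TCP itself before handing the byte stream to the server.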
