How do I connect to Internet using VPN on Blocked Network

[Just Checking]

I am trying to access my home network (or anywhere on the internet) on my Samsung Galaxy S5 Android mobile device through a VPN when connected to my work network. I set up a PPTP VPN on the mobile device and home router (Asus RT-AC68) which works fine when connecting to other unsecure networks. When I try to use my employers network, it will not establish a connection until I turn off the VPN. If I connect into the network, then try to establish a VPN tunnel, the connection is lost. I am using PPTP VPN since that was straight forward to implement on the router and mobile device. I would like to operate my mobile devices with the VPN turned on constantly so that I don't forget to turn it on when I really need it.

Any suggestions on what I can try to get the connection? My employer is a large company with a large IT staff. I suspect that they are blocking the ports used for VPNs, blocking the URL (I am using asuscomm.com because my home network is on a dynamic IP), or some other way to block traffic. My employer blocks my access to things like Plex but doesn't block other streaming from sites like Amazon, Pandora, Hulu, or Netflix. I don't normally access those sites. I just tried them out to test things out.

I have read that adding SSL encryption and SSH in addition to the VPN tunnel may allow spoofing of the network. I'd like input from people who have encountered this problem before. Thanks.

 

[sfx2000]

Probably want to use 3G/4G/LTE rather than trying to connect thru your employer's network - they may seen this as a security issue, and that might not end well for you

 

[Just Checking]

Probably want to use 3G/4G/LTE rather than trying to connect thru your employer's network - they may seen this as a security issue, and that might not end well for you

Believe me, I would do that if I could. The building I am in is constructed of thick, high metal content concrete with a metal roof and steel framework. Cellular signals don't penetrate into, or out of, the building very good. To use my cellular network I have to go out of my office to a hallway with a window by an outside wall in order to get a fair signal. Only people who have the cellular carrier used by my employer (Sprint) get good signal because Sprint installed multiple repeaters to boost the cellular signal.

I don't like using the wireless provided by my employer for any non-work related use. Especially un-encrypted use. They can monitor everything on the network - as is their right since they own and maintain it. I just don't have a good alternative unless I switch to Sprint as a cellular carrier and that is a Really Bad option.

 

[sfx2000]

I don't like using the wireless provided by my employer for any non-work related use. Especially un-encrypted use. They can monitor everything on the network - as is their right since they own and maintain it.

That, and consider if you're working with anything that has to do with customer privacy, healthcare, finance, or technology - the company has an obligation to their customers and shareholders to ensure that information is kept confidential.

So they have various tools to do so - a VPN session from a wireless client, encrypted or not, is a big red flag that will alert a IT network or system admin...

Many companies will have more than one SSID out there - one for company official usage (example might be CorpWifi) and then a Guest SSID on a VLAN that provides direct internet access with no access to the internal network (ex. CorpGuest). But with many enterprise networks, even the Guest network is logged and monitored...

Side note - back when I was in device development - we put WiFi into handsets, and we would have to whitelist the MAC addresses for the devices and any non-company owned AP's with the IT group - to keep those devices under development and QA (Unit and Integration testing) from getting flagged and alarming the security group...

So that why I mentioned earlier that it's probably not a good idea - having that one on one session with a manager or HR (in the case of an exit review) is something that might be a bit unpleasant.

Go back and review the policies for personal equipment that can access the corporate network and what activity is permitted (or not)...

I just don't have a good alternative unless I switch to Sprint as a cellular carrier and that is a Really Bad option.

Understood - it's probably not just any single operator that has problems punching thru those walls - in building penetration is a problem for just about everyone - PCS/AWS bands esp. as that is where most of the 3G/4G/LTE dataservices are commonly run (ATT and Verizon in the US do have some lower frequency bands in the 700MHz realm, and T-Mobile has a bit as well).

 

[Just Checking]

That, and consider if you're working with anything that has to do with customer privacy, healthcare, finance, or technology - the company has an obligation to their customers and shareholders to ensure that information is kept confidential.

So they have various tools to do so - a VPN session from a wireless client, encrypted or not, is a big red flag that will alert a IT network or system admin...

Many companies will have more than one SSID out there - one for company official usage (example might be CorpWifi) and then a Guest SSID on a VLAN that provides direct internet access with no access to the internal network (ex. CorpGuest). But with many enterprise networks, even the Guest network is logged and monitored...

Side note - back when I was in device development - we put WiFi into handsets, and we would have to whitelist the MAC addresses for the devices and any non-company owned AP's with the IT group - to keep those devices under development and QA (Unit and Integration testing) from getting flagged and alarming the security group...

So that why I mentioned earlier that it's probably not a good idea - having that one on one session with a manager or HR (in the case of an exit review) is something that might be a bit unpleasant.

Go back and review the policies for personal equipment that can access the corporate network and what activity is permitted (or not)...



Understood - it's probably not just any single operator that has problems punching thru those walls - in building penetration is a problem for just about everyone - PCS/AWS bands esp. as that is where most of the 3G/4G/LTE dataservices are commonly run (ATT and Verizon in the US do have some lower frequency bands in the 700MHz realm, and T-Mobile has a bit as well).

Yes I work in a Technology Company that is getting much more concerned about "Cyber-Security" - As am I. They are tightening upon network access to an ever increasing degree. That is just smart and probably overdue anyway.

I will just have to not be connected all the time and take more frequent breaks to check my personal business.

I'm still curious about how to mask a VPN on a network for my own edification. This seems to be more of a problem in countries like China where they are making significant efforts to block all encrypted networks and monitor all communications.

 

[sfx2000]

I'm still curious about how to mask a VPN on a network for my own edification.

Well in corp space - between UTM and IDS platforms, the fingerprints for any VPN server, irregardless of ports used, are well known and will be red-flagged as a matter of policy.

If your employer's policy is to not allow VPN's from the cube/office space, I wouldn't even consider to challenge it

 

[chadster766]

Yes I work in a Technology Company that is getting much more concerned about "Cyber-Security" - As am I. They are tightening upon network access to an ever increasing degree. That is just smart and probably overdue anyway.

I will just have to not be connected all the time and take more frequent breaks to check my personal business.

I'm still curious about how to mask a VPN on a network for my own edification. This seems to be more of a problem in countries like China where they are making significant efforts to block all encrypted networks and monitor all communications.

Create an SSL connection to the outside world. Even deep packet inspection can't decipher the communications going across that without the SSL certificate for decryption. This wouldn't typically be blocked by a firewall because that would block most of the internet as well.

I should mention this is common knowledge so I'm not revealing anything new here.

 

[sfx2000]

Create an SSL connection to the outside world. Even deep packet inspection can't decipher the communications going across that without the SSL certificate for decryption. This wouldn't typically be blocked by a firewall because that would block most of the internet as well.

Not a technical issue - that can be solved perhaps...

This is a policy issue with traffic on the employer's network, so while it may be tough to decrypt an ssl session, the fact that it's there, and both end-points can be discovered, a UTM/IDS platform will flag that connection - thus becoming a career-limiting move...

 

[chadster766]

Not a technical issue - that can be solved perhaps...

This is a policy issue with traffic on the employer's network, so while it may be tough to decrypt an SSL session, the fact that it's there, and both end-points can be discovered, a UTM/IDS platform will flag that connection - thus becoming a career-limiting move...

Doesn't the fact that UTM/IDS platforms can only detect the SSL connections but not determine if the communications are legitimate (if done by knowledgeable person) make them only useful for the most basic of attacks and forensics after the fact? If the SSL tunnel communications are bounced the forensics are kind of useless too aren't they ?

 

[Just Checking]

Doesn't the fact that UTM/IDS platforms can only detect the SSL connections but not determine if the communications are legitimate (if done by knowledgeable person) make them only useful for the most basic of attacks and forensics after the fact? If the SSL tunnel communications are bounced the forensics are kind of useless too aren't they ?

The use of SSL in addition to a VPN was what I proposed originally based on my research. Good to know that this was verified. On the TOR website I found discussions about China being able to detect these VPN tunnels anyway and shutting them down. I believe that China is willing to disrupt "legitimate" traffic in order to prevent their people from communicating in ways the Chinese government does not want.

I stated the above because it is another verification of what I believe sfx2000 was stating in post #8 above - that the network administrator may not be able to penetrate the SSL encryption but can profile the traffic and monitor bandwidth usage along with initiation point (to determine where the traffic originated within the network) as well as end point to determine where it went. If the traffic is using high bandwidth indicating something like streaming media or transferring very large files, the network or system admins are going to flag it for investigation even if they cannot tell what is being transferred. If I used the TOR implementation to mask the outside initiation point node, it would do nothing to deter the admin from discovering the device inside the network where the traffic was going. The fact that TOR, or some other proxy server in a suspect country was being used has to be even more of a red flag for the admins. SFX2000 can correct me if I have mis-stated his argument.

I am taking sfx2000's advice and not pursuing this on my employers network. I do want to understand how to implement encryption masking strategies for VPN's.

The TOR website has quite a bit of information on strategies to get around the blocks put up by the Chinese government. Being a neophyte at this, I don't have the background knowledge to fully understand those strategies but they seemed to be effective; at least for now. Since I travel to China on business, I am interested in this because I want to be able to access my home networks through a VPN tunnel. My efforts to do this in the past were not successful and I need to implement something to secure my communications with my home networks.

Is there a tutorial that someone can recommend on how to implement a SSH/SSL on top of a VPN with its encryption to mask it? I know the concept but not how to actually do it. I'd also like to know if this significantly slows down the transfer rates over those imposed by the VPN. Having two layers of encryption has got to have some cost.

 

[sfx2000]

I stated the above because it is another verification of what I believe sfx2000 was stating in post #8 above - that the network administrator may not be able to penetrate the SSL encryption but can profile the traffic and monitor bandwidth usage along with initiation point (to determine where the traffic originated within the network) as well as end point to determine where it went. If the traffic is using high bandwidth indicating something like streaming media or transferring very large files, the network or system admins are going to flag it for investigation even if they cannot tell what is being transferred. If I used the TOR implementation to mask the outside initiation point node, it would do nothing to deter the admin from discovering the device inside the network where the traffic was going. The fact that TOR, or some other proxy server in a suspect country was being used has to be even more of a red flag for the admins. SFX2000 can correct me if I have mis-stated his argument.

I am taking sfx2000's advice and not pursuing this on my employers network. I do want to understand how to implement encryption masking strategies for VPN's.

You're hitting it perfectly - it's one thing when it's our network, but on an employer's network, they define the policies about what is acceptable use of the network.

After the recent spate of high-profile incidents, many IT/Network shops are being much more vigilant about traffic and threat surfaces on their internal network.

Now you mentioned that Sprint did put repeaters in the building/campus - nothing wrong about getting a pre-paid wifi hotspot (e.g. Karma or Virgin Mobile perhaps) and using that to access public internet thru your smartphone, which might be a great option to take up...

I'm not hear to discourage study about how to do this, just as a forum member, I don't feel it's appropriate for me to advise someone on how to circumvent a company's policy and put another forum member at risk...

 

[sfx2000]

Since I travel to China on business, I am interested in this because I want to be able to access my home networks through a VPN tunnel.

BTW - I used to travel to China on business - never trust anything that was in country over there, esp. on hotel/public hotspots - I would take a burner phone and company laptop, and when returning to the US, having that laptop wiped/re-imaged... same with the phone.

I wouldn't even consider trying to VPN into my home network from China (or a couple of other countries that I used to visit).

 

[Just Checking]

BTW - I used to travel to China on business - never trust anything that was in country over there, esp. on hotel/public hotspots - I would take a burner phone and company laptop, and when returning to the US, having that laptop wiped/re-imaged... same with the phone.

I wouldn't even consider trying to VPN into my home network from China (or a couple of other countries that I used to visit).

Since my trips to to China and other countries may last 3-6 weeks, I have to get access to my home networks to administer them. I also own apartments and run networks in them. If something happens, I need to access them remotely.

I need to implement a system to access networks. If SSL over VPN's using 2048 bit encryption are not secure against all but nation-states, what does work? I realize that, if the Chinese or USA gov't wants to capture and decrypt my communications and network, they can probably do that. They can also get that when I am at home.