Accessing embedded device behind firewall

We would like to access an embedded (Linux-based) device behind a corporate firewall in a production facility.

We would like to have telnet / ssh access to the device, but of course our client doesn't want to open any ports so we can access our device.

Only outgoing http/https ports are opened towards the internet.

We can install a server at our office with a fixed WAN IP address where the device could open a tunnel to.

This seems to be a trivial problem with all the IP based tools / software we have today, although I don't find the right solution.

I found hardware solutions provided by companies such as eWon and Lantronix; this seems to be great for accessing a PLC or so, but as we can install any software on our own device, I would prefer a software only solution.

Are there any lightweight 'VPN' solutions that could be tweaked?

Any pointers welcome.

Reply to
stijn

This might be a place for corkscrew - Google for it. It contains a mechanism for tunneling over HTTP(S).

--

Tauno Voipio
tauno voipio (at) iki fi
Reply to
Tauno Voipio

You could use OpenVPN. By default, OpenVPN uses port 1194 UDP, but you could choose port 80 TCP (i.e., http) if you prefer.

Reply to
David Brown

You should respect the customer's wish for not having a constant connection. Have a button on the device, such that the customer can initiate a connection to your server in case a problem arises. You cannot expect the device to be able to connect any time. At least I would stop a device calling home at random intervals without a reason.

Reply to
Rene Tschaggelar

He did not say that the customer doesn't want a permanent connection, just that they don't want a port forwarded from their firewall and they only allow limited outgoing ports. He should, of course, check that the customer is happy with his box having a permanent connection through a VPN - presumably the customer's IT folk would not allow him to connect the box to their network at all until they are happy with it.

Reply to
David Brown

The OP said HTTP or HTTPS. OpenVPN cannot use them as carrier protocols. The default is UDP/1194.

Very probably, there is an HTTP(S) proxy, and the tool for it is corkscrew.

--

Tauno Voipio
tauno voipio (at) iki fi
Reply to
Tauno Voipio

Since HTTPS is encrypted using SSL/TLS, there's no way for the firewall to tell the difference between HTTPS and any other protocol using SSL/TLS.

I use OpenVPN via an HTTPS proxy all the time. It works fine.

--
Grant Edwards                   grante             Yow! I feel like a wet
                                  at               parking meter on Darvon!
                               visi.com
Reply to
Grant Edwards

He said the http/https *ports* were open. OpenVPN cannot use http as a carrier. But it is perfectly possible to have OpenVPN use port 80 tcp, as long as it can get a direct connection. If there is an HTTP proxy in the way, then it will of course cause trouble. It is therefore probably easier to use port 443 - proxies do not (because they *cannot*) cache or otherwise interfere with SSL traffic.

Or one of many other similar tools - the OP should have a look at what is available before deciding.

Of course, the customer has set up his firewall rules for a reason. Any system designed to get round these rules should be cleared with the customer before use.

Reply to
David Brown

There are, however, ways to tunnel IP through HTTP:

formatting link

I've never tried it, and proxies can be set up to defeat such tunnelling

I can vouch for the fact that OpenVPN works fine with an https proxy.

Agreed. Under no circumstance should you do something like that at a customer site without the customer's approval. In writing. Assuming they're OK with your device phoning home, they'd probably rather open a hole in the firewall to a specific destination than turn you loose with a VPN/tunnelling setup.

--
Grant Edwards                   grante             Yow! Well, I'm INVISIBLE
                                  at               AGAIN ... I might as well
                               visi.com            pay a visit to the LADIES
                                                   ROOM ...
Reply to
Grant Edwards
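The "mechanism for tunneling over HTTP(S)" that corkscrew provides, and that OpenVPN's proxy support also relies on, is the HTTP CONNECT method: the client asks the outbound proxy to open a raw TCP connection to a destination (normally port 443) and, once the proxy answers with a 2xx status, everything after the headers is passed through unchanged, so the proxy sees neither SSH nor TLS contents. The script below is an added example written for this thread, not code from corkscrew, OpenVPN or any poster; it builds and parses the CONNECT exchange and drives it against a constructed local stand-in for a proxy so it runs offline. The destination name device.example, the stand-in proxy and the fake "SSH-2.0-client" banner are constructed for the demo. From the customer's side, the CONNECT request line is exactly what appears in the proxy log, which is why the advice above to agree the destination with the customer's IT people (who can then permit that one host:port and nothing else) is practical rather than just polite.

```python
"""Minimal HTTP CONNECT tunnel client (RFC 7231 section 4.3.6).

Added example for this thread; not code from corkscrew or OpenVPN.
"""
import base64
import socket
import threading
from typing import Optional, Tuple


def build_connect_request(host: str, port: int, proxy_auth: Optional[bytes] = None) -> bytes:
    """Return the CONNECT request for host:port, with optional Basic proxy auth ("user:pass")."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_auth:
        lines.append("Proxy-Authorization: Basic " + base64.b64encode(proxy_auth).decode())
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_connect_response(data: bytes) -> Tuple[int, bytes]:
    """Parse the proxy's reply; return (status code, bytes received after the headers)."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete response headers")
    head, rest = data[:end], data[end + 4:]
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"bad status line: {status_line!r}")
    return int(parts[1]), rest


def open_tunnel(proxy_host: str, proxy_port: int, dest_host: str, dest_port: int,
                proxy_auth: Optional[bytes] = None, timeout: float = 10.0):
    """Connect to the proxy, send CONNECT, and hand back the socket once the proxy says 2xx.

    corkscrew does the same thing and then relays ssh's stdin/stdout over the socket.
    """
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_connect_request(dest_host, dest_port, proxy_auth))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before replying")
            buf += chunk
            if len(buf) > 65536:
                raise ValueError("oversized proxy response")
        status, leftover = parse_connect_response(buf)
        if not 200 <= status < 300:
            raise ConnectionError(f"proxy refused CONNECT: status {status}")
        return sock, leftover
    except Exception:
        sock.close()
        raise


def _fake_proxy(listener: socket.socket, reply: bytes) -> None:
    """Constructed stand-in for a proxy: read one CONNECT, send `reply`, echo one payload."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
        conn.sendall(reply)
        if reply.startswith(b"HTTP/1.1 2"):
            conn.sendall(conn.recv(4096))  # echo, as if the far end had answered


def demo(reply: bytes = b"HTTP/1.1 200 Connection established\r\n\r\n") -> Optional[bytes]:
    """Run the CONNECT handshake against the local stand-in; return the echoed payload,
    or None when the proxy refuses the tunnel."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_fake_proxy, args=(listener, reply), daemon=True).start()
    try:
        try:
            sock, _leftover = open_tunnel("127.0.0.1", port, "device.example", 22)
        except ConnectionError:
            return None
        with sock:
            sock.sendall(b"SSH-2.0-client\r\n")  # constructed banner, not a real SSH session
            return sock.recv(4096)
    finally:
        listener.close()


if __name__ == "__main__":
    print("accepted tunnel, echoed:", demo())
    print("refused tunnel:", demo(b"HTTP/1.1 403 Forbidden\r\n\r\n"))
```

The refusal path is the one a defender cares about: a proxy configured to allow CONNECT only to approved host:port pairs answers 403 for anything else, and the client has to fail closed rather than fall back to something less visible.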
