I’ve been running OpenVPN for about eight years. Besides being a World Renown Proxy Expert, I am also the King of Covert Tunnels.
Lately, I have been doing most of my tunneling through ssh, primarily because it’s simple to set up multiple backup tunnels, whereas with OpenVPN you usually have just one. In fact, I switched from OpenVPN tto ssh tunnels because over the years I’ve had nothing but problems (many of my own making) with OpenVPN.
The first time I used OpenVPN (version one-point-something) I set it up through the proxy at my workplace. It RAWKED for about three years. Then one day the network folks did an “upgrade” to the network and it all went to Hell.
Before the upgrade I was getting a 35-45ms ping through the OpenVPN tunnel. After the upgrade it went to 150ms, which is about the speed of dialup. At that time I switched over to running OpenVPN over UDP, which is actually a better way to go from a performance standpoint, but it’s extremely hard to get the proper UDP ports open without explicitly asking for them (at which point it’s no longer a covert tunnel – that takes all the fun out of it!).
And now, we have an ISA 2004 server (originally I used – or rather was forced to work with -MS Proxy 2.0 and ISA 2000). The ISA firewall client (FWC) is handy since we can’t use “SecureNAT”, but it doesn’t work on Linux (which was why I used the proxy in the first place).
I solved that by hijacking an Open Source UDP proxy (originally written as an Unreal Tournament utility) and porting it over to Windows as a service. That way, I could bounce the OpenVPN UDP packets from the Linux box through my XP workstation and on to the ISA firewall service, using my logged in account for authentication. The ping over the tunnel dropped down to 25ms, faster than it ever was over the ISA proxy (which is a completely different thing from the ISA firewall service, a fact I can’t seem to get through my fellow security coworkers’ thick skulls).
That worked well, and there were already some streaming media UDP ports open, but I never hacked any failover into the the UDP proxy service. The OpenVPN connection would simply die every now and then and the service would have to be restarted.
One thing led to another and I started using ssh tunnels for the sole purpose of connecting back to my workstation just to restart the UDP proxy and OpenVPN. And I was running all the ssh tunnels through the ISA proxy, so I was basically back to where I started from.
Eventually, I installed redundant backup ssh tunnels and installed logic to switch proxies in case of an outage and started using the OpenVPN tunnel less and less.
And besides, the performance of the ssh tunnels was as fast as the OpenVPN connection over UDP anyway! The only issue was the forwarding of ungodly numbers of ports.
Another initial problem was the “robustitude” of the ssh connections, as PuTTy users may already know (PuTTy’s stability is non-existent through a proxy). An idle proxy connection is kicked after two minutes on ISA server. You have to use the connect-proxy utility (source code here) to keep the tunnel up and running. Note to Cygwin hacks: connect-proxy compiles nicely on Cygwin.
Why compile it? Why not use the package? I have a little “Secret Sauce” – three or four lines of C code – I add that helps me fly under the radar, so my version is “special”. wink wink
Anyway, sometime last year OpenVPN went commercial, but they still offer the “community version” so I decided to give it a shot.
I decided to run it over the ISA proxy, primarily because of the Secret Sauce I have developed. I hacked the sauce into the OpenVPN code, compiled, and installed. The results were similar to what I got eight years ago, but this time 25-45ms pings!
This has gone so well I’m considering trashing the UDP OpenVPN connection permanently.
Or at least leaving it dormant as a potential emergency backup.
After all, I’m all about proxies! That’s how I roll!
