1

Situation:

We, as the pioneering researchers(!), have a small network in our lab and the university has provided Internet access that lets us access privileged scientific resources like IEEE, ScienceDirect, etc.

I am looking for a way to connect to the lab network through the Internet when we are away and have this privileged access (and also be able to remotely connect to the lab computers and simulate some things).

Sadly, our network is behind the NAT server of the university, so there is no chance of a pure VPN-server solution. There is no chance to configure the main NAT server of the university either.

Possible Solution:

I have tried Hamachi VPN software, but as I realized Hamachi does not establish a VPN Server behind a NAT. It is actually a peer-to-peer solution for computers behind NATs over the Internet.

One Hamachi-based solution is to configure one of the lab computers as a VPN server and install Hamachi on it. Then the distant users should install and run Hamachi on their computers and then connect first to the Virtual Hamachi Network and then to the VPN server.

Problems of proposed solution:

But there are some problems with this:

  • Will Hamachi really work on a VPN server? Not surprisingly, some users use Linux :) Is there any Linux-based Hamachi software for them?
  • The procedure of connecting to the lab internal network is a little bit complex, and as you know researchers are really not good at computers. Is there any way to KISS (Simple and Straightforward)?
  • The Hamachi software causes some mistakes in my routing table. Specifically, sometimes I lose Internet access when I connect to our Hamachi Virtual Network and I have to reconnect. Is this a common problem with Hamachi? If yes, too bad, because this would confuse and annoy other less-experienced users.

Future work:

Do you know any better free solution to connect to the workplace LAN that is behind a NAT?

Some words about legality:

Just as SvenW said, actions like this may raise some legal concerns. I asked about this and the sysadmins said it is okay as far as we don't spread this access to other people. Our team consists of 14 people and each of us can have his own username/password to connect with. Therefore, all the activities can be logged and any misuse can be traced.

Isaac

3 Answers

3

Short answer: Ask your networking people if they accept it, otherwise stop right now.

Long answer:

It is highly likely that what you want to do is not covered by the contracts between your university and ScienceDirect et al. and could lead to the termination of those contracts and possible heavy penalties if you get uncovered. Depending on where you live, it might even end in the termination of your contract...

If your networking people don't offer any proxy and/or VPN access, there will be a reason for it, so it's unwise to try to sneak your way around this. Or maybe they even do and you just don't know it - have you tried asking?

Finally: Contrary to what you might think, most admins are trying to be as helpful as possible, but if we say something is not possible, there is usually a good reason for it, which might be technical, legal, monetary or even the additional workload it would create which can't be handled with the staff at hand.

Sven
  • +1. Well said, and as a university sysadmin, I agree 100%. – EEAA Jun 19 '11 at 23:50
  • Also: "Do not meddle in the affairs of sysadmins, for they are subtle and quick to anger." :) – EEAA Jun 19 '11 at 23:50
  • Thanks for the consideration. The admins of the university are actually lazy, and they avoid any configuration and help, of course out of laziness. I asked about legal problems and they said it is *okay* as far as we do not spread this access to other people. Our team consists of 14 people and each of us can have his own username/password to connect with. Then, any activity can be logged and traced. Additionally, our university **does** provide a web-based proxy for the students, but it is really slow and it corrupts most websites because it is not updated, again, out of laziness. – Isaac Jun 19 '11 at 23:54
2

First and foremost, I agree with SvenW's answer. I wouldn't even consider something like this without sysadmin recognition and approval. That being said, there might be a few solutions.

You could use a permanent gateway host: have a system outside your university's network with a reverse SSH tunnel set up. Have a system internal to the network ssh out to your "gateway" machine, and use options like -R8000:127.0.0.1:8000 to provide a tunnel into your university network. Run Squid on your university system and you can have your own proxy. Of course, be sure to properly secure it and restrict access to just your team. You could also run OpenVPN and have the advantages of a full VPN, at the cost of some speed.

There are packages that can maintain SSH tunnels and automatically restart dead connections, but if you set your keepalives well and use key-based authentication you should have minimal service disruptions.

Michael Lowman
  • Thanks. So we need a valid IP address for the gateway, right? Currently we do not have this option (we are doomed users in the world of NAT), but if we get one, this solution will be great because, as I realize, it will make all the things transparent and users just need to connect via VPN to a VPN server (the gateway). – Isaac Jun 20 '11 at 00:40
  • Yes, you would need a server with an accessible public IP address or something NATed that you could forward a port to. But really, you should try working with your sysadmins to deploy a proper direct VPN. It's their job to help you with things like this. – Michael Lowman Jun 20 '11 at 02:54
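As an added example (not code from the answer above), here is the reverse SSH tunnel Michael Lowman describes, with the keepalives, key-based authentication and team-only restriction he recommends: a function that builds the ssh command, a minimal restart loop, and a Squid fragment that listens on loopback and requires a per-user password. The gateway host name, key path, ports and password file path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the answer above: the reverse SSH tunnel it
# describes, with the keepalives and key-only authentication it recommends,
# plus a Squid fragment that limits the proxy to named team accounts.
# Assumed placeholders: gateway host name, key path, ports, password file path.

# build_tunnel_cmd GATEWAY KEYFILE GATEWAY_PORT LAB_PORT
# Prints the ssh command that opens the tunnel from the lab box to the gateway.
build_tunnel_cmd() {
  gw="$1"; key="$2"; gport="$3"; lport="$4"
  cmd="ssh -N -i $key"                      # -N: forward only, no remote shell
  cmd="$cmd -o BatchMode=yes"               # never fall back to a password prompt
  cmd="$cmd -o IdentitiesOnly=yes"          # offer only the tunnel key
  cmd="$cmd -o ServerAliveInterval=30"      # keepalive every 30 s ...
  cmd="$cmd -o ServerAliveCountMax=3"       # ... drop the session after 3 missed replies
  cmd="$cmd -o ExitOnForwardFailure=yes"    # exit if the remote port is already bound
  cmd="$cmd -o StrictHostKeyChecking=yes"   # refuse an unknown or changed gateway key
  # Bind on the gateway's loopback only, so the proxy is never exposed on its
  # public IP; team members reach it through their own SSH session to the gateway.
  cmd="$cmd -R 127.0.0.1:$gport:127.0.0.1:$lport $gw"
  printf '%s\n' "$cmd"
}

# keep_tunnel_up GATEWAY KEYFILE GATEWAY_PORT LAB_PORT
# Minimal supervisor: ssh blocks while the tunnel lives; when keepalives fail
# and it exits, wait a little and reconnect (what autossh-style tools automate).
keep_tunnel_up() {
  while :; do
    eval "$(build_tunnel_cmd "$@")" || true
    sleep 10
  done
}

# squid_team_acl LAB_PORT PASSWD_FILE
# Squid listens on loopback only (reached via the tunnel) and requires a
# password from the per-user file, so access is limited to the team accounts.
# The basic_ncsa_auth helper path is an assumption; it varies by distribution.
squid_team_acl() {
  lport="$1"; passwd="$2"
  cat <<EOF
http_port 127.0.0.1:$lport
auth_param basic program /usr/lib/squid/basic_ncsa_auth $passwd
auth_param basic realm lab-proxy
acl team proxy_auth REQUIRED
http_access allow localhost team
http_access deny all
EOF
}
```

Each team member then logs in to the gateway with their own SSH account (giving the per-user log trail the question asks for) and forwards the gateway's loopback port to their own machine.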
0

Try TeamViewer. It'll get past most NATs and firewalls, and it is dead simple to use. If your sysadmins are as lazy as you say, they would not even have heard of TeamViewer.

Lemming