this post was submitted on 08 Apr 2024
15 points (75.9% liked)

Programming


I want to access an unrestricted desktop at home (preferably a docker novnc desktop container), from the very restricted office laptop/network.

The foundations are clear: I started a docker container with novnc access, published the ports, forwarded the required ports on my router, and I can access it from outside using my phone or my own laptop, but can't from the office.

The novnc landing page loads, but the connection to the remote desktop fails, probably because WebSocket connections are also blocked in the office, so only plain http(s) access is allowed (not even RDP is allowed).

(Not even dyndns providers are allowed, but I can note my current IP address in my phone :D )

Ofc I can barely install anything on the office laptop, so I can't create e.g. an OpenVPN tunnel, etc...

Do you have some hints if it can be solved?

top 14 comments
[email protected] 21 points 7 months ago (2 children)

There's a reason they restrict these things. Trying to get around them is a bad idea. If you get caught, your professional life is over.

If you're that desperate, bring a non-office laptop and use a hotspot on your phone.

[email protected] 9 points 7 months ago (1 children)

If you get caught, your professional life is over.

That seems hyperbolic. Maybe your workplace is super draconian and will immediately fire you in such a case. But different employers have different cultures. Where I work, there are running jokes among the employees about how hard it is to get fired. One of the few cases of a firing we know of involved someone who was so passed-out drunk at his desk that he couldn't be awoken. And that was after he was given multiple stern talkings to.

I've seen people play WOW and Counter Strike on their office computers in the office in very visible areas.

Lest you think "yeah, but no place where it's that hard to get fired is going to have a locked down firewall", this is the same place where I had to make a special request to have http://portswigger.net/ , the official site of Burp Suite Pro, the web application security tool, unblocked so I could evaluate its suitability to replace the tool we were using previously. (From what I've seen, Burp Suite Pro is kind of the de facto tool for web app security among pen testers, or at least was at the time.) The reason given on the "this site is blocked" page the corporate proxy gave was that it had something to do with alcohol.

In my time here, I've gone to lengths to circumvent corporate firewalls multiple times, both for personal aims and because it was necessary to do my job. I've never once been reprimanded for it.

OP knows their workplace. OP, be smart, but if you can get away with it, go for it.

[email protected] 5 points 7 months ago

As someone in a rapidly corporatifying company I'd like to reinforce how insanely hyperbolic that statement was. These rules don't exist for security reasons, they exist for contractual issues - rules will often be arbitrary and decrease effective security by requiring frequent elevation or encouraging weak credentials.

OP, do what you think is going to help you work most effectively - if you're using your work machine's tunnel to run torrents over your employer's VPN or look at nekked ladies then you'll be sacked if you get found out - if you're tunneling because your employer is a Microsoft shop and won't let you install vim then your manager (if they don't suck) will defend you if you're discovered.

Even if you get fired for working around the company firewalls it'll almost certainly be without cause (so EI/severance will apply) and it won't be career ending - nobody smart cares about this bullshit.

[email protected] 7 points 7 months ago

All the replies to you so far don't seem to give a shit about cyber security. As an alternative experience, I've had a supervisor that was friends with the IT guy and together they bypassed the content filter. And not for porn or anything, for like games like wordle being blocked. They were both instantly fired when found out. Granted, this company dealt with financial transactions flowing through their network so had additional scrutiny and laws to follow, but this is basic security that any company should follow.

[email protected] 13 points 7 months ago

Well first off, how nice/tolerant is your management? Do you have savings? Some companies can fire people over this stuff, others will just ignore it.

The easiest (and least likely to make anyone mad) solution would just be to bring in your own machine and use cellular internet. This way your setup will be completely separate from the company network, and they can hardly claim you were exposing them to malware or anything. On the other hand you might have problems accessing devices like printers without copying files back and forth (are USB drives allowed?).

[email protected] 4 points 7 months ago (1 children)

You can set up Apache Guacamole on your server. It uses WebSockets by default, but it also has an automatic fallback to plain http/https. It will be ultra slow, but at least it will be working. It will behave like any other website, so no security risks for your company if they already have a proxy server to monitor your Internet traffic.

[email protected] 5 points 7 months ago (1 children)

Was about to post to use Guacamole too, web sockets will work over HTTPS, OP is likely trying to do websockets over another port that's getting blocked.

But over HTTPS with Guac should be fine because I did this exact thing on a very locked down work network

[email protected] 2 points 7 months ago* (last edited 7 months ago)

Some proxies block Websocket Connections by default for unknown URLs, even for port 443. Don't ask me how I know :D
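The proxy behaviour described in this comment (and the symptom in the original post: the landing page loads, the WebSocket handshake fails) can be seen in a small policy check. This is an added example, not code from the thread: a proxy-side rule that passes ordinary requests, allows WebSocket upgrades only to an explicit allowlist, and denies the rest regardless of port. It assumes the proxy can read the request headers (plain HTTP, or HTTPS under TLS inspection); the hostnames and allowlist are constructed.

```python
# Constructed allowlist of hosts permitted to open WebSocket connections.
ALLOWED_WEBSOCKET_HOSTS = {"collab.example.com"}


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (method, target, headers).

    Header names are lowercased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_websocket_upgrade(headers: dict[str, str]) -> bool:
    """RFC 6455 handshake: 'Upgrade: websocket' plus a Connection token 'upgrade'."""
    upgrade = headers.get("upgrade", "").lower() == "websocket"
    tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    return upgrade and "upgrade" in tokens


def websocket_policy(raw: str, allowlist: set[str] = ALLOWED_WEBSOCKET_HOSTS) -> str:
    """Return 'pass' for ordinary HTTP, 'allow'/'deny' for WebSocket upgrades.

    The port is ignored on purpose: an unknown host is denied on 443 too."""
    _method, _target, headers = parse_request(raw)
    if not is_websocket_upgrade(headers):
        return "pass"
    host = headers.get("host", "").split(":")[0].lower()
    return "allow" if host in allowlist else "deny"


# Constructed samples: a noVNC-style websockify handshake to a home server
# on port 443, and the plain page load that precedes it.
NOVNC_HANDSHAKE = (
    "GET /websockify HTTP/1.1\r\n"
    "Host: home.example.net:443\r\n"
    "Connection: Upgrade\r\n"
    "Upgrade: websocket\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n"
)
PLAIN_PAGE = "GET /vnc.html HTTP/1.1\r\nHost: home.example.net\r\n\r\n"
```

Run `websocket_policy(PLAIN_PAGE)` and `websocket_policy(NOVNC_HANDSHAKE)` to see the page load pass while the handshake to the unlisted host is denied.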

RonSijm 2 points 7 months ago* (last edited 7 months ago)

How about figuring out what you can and can't access first. Like, can you access the rest of the internet openly?

Are all sites allowed, are some things blacklisted, or are sites whitelisted? If things are whitelisted on the network, it might be pretty difficult to find a hole.

Anyways, you mentioned your phone - If you have unlimited data, I'd suggest you just set up your phone for tethering, and create a private wifi from your laptop to your phone using mobile data, that should bypass all network restrictions.

[email protected] 1 points 7 months ago

Why not use a web-based tool like LogMeIn, Teamviewer, Anydesk, etc.?

[email protected] 1 points 7 months ago

You can give chisel a try. It tunnels all traffic over http/https, and the client can then create port forwards, just as with ssh, to access other services.

[email protected] 1 points 7 months ago* (last edited 7 months ago)

As I wrote, I can't install anything on the office laptop, probably can't even set a proxy, no docker. SSH works, but only the Windows one; putty can't be installed. Everything should be done on my home server; the office laptop acts basically as just a dumb browser. The sslh docker commands/compose yml-s have references to moved images, and some are missing parts.

onlinepersona 1 points 7 months ago

Use one of the options described on StackOverflow:

  • open your SSH port on 443 - maybe that's enough
  • use a SOCKS proxy server that forwards the traffic from another host to yours
  • tunnel SSH over HTTPS using this old guide
  • Use "sslh – A ssl/ssh multiplexer" (basically an advanced version of the above but simpler to setup)

Anti Commercial AI thingy CC BY-NC-SA 4.0

[email protected] 0 points 7 months ago

I don't know much about stuff, but maybe look into SoftEther VPN?