Using a VPN at a locked-down workplace

Discussion in 'computers, web and general tech' started by kropotkin, Jul 12, 2018.

  1. kropotkin

    kropotkin libcom

    For the last 4 years I've tunneled through the restrictive network at work to my home computer using a PuTTY-based SSH tunnel, which has worked perfectly, as Chrome has a tunnel button plugin that meant it all worked seamlessly.

    I've just moved to a new workplace (NHS) where I'll be for the foreseeable future. Annoyingly, their IT dept has gone full lockdown. All ports are closed ('filtered' if I run netstat, and all look closed when I try to probe them from the web using e.g. canyouseeme). Gmail, Google Drive et al. are blocked. Of course all the obvious stuff is blocked as well, but I rely on Gmail and Drive.

    I have the NordVPN plugin for Chrome, but although it connects fine I have no internet access through it. Trying to set up connections to the NordVPN servers through IPsec or IKEv2 also doesn't work.

    Tor, oddly, works fine, so I'm having to use that.

    Can anyone clever suggest anything? Tor is slow and cumbersome.
  2. Mrs D

    Mrs D . Banned

    Use your smartphone?
  3. cybershot

    cybershot Well-Known Member

    What OS is your home computer running?
  4. beesonthewhatnow

    beesonthewhatnow going deaf for a living

    “Hi, can someone suggest something that could be grounds for dismissal if I get caught”

  5. 8ball

    8ball Considerably more oppressed than yow

    Sometimes you need to circumvent your organisation’s short-sightedness to get your job done properly.
  6. souljacker

    souljacker A bit of skullduggery

    Guest wifi?

    Failing that, put a request in to IT to get a less restricted role. If it is work you are struggling to do without this VPN, they should allow it.
  7. Pickman's model

    Pickman's model Every man and every woman is a star

    I wonder if they've gone "full lockdown" because they've been the subject of hostile attention in the past. If there's a resource you need access to for your work, why not talk to your IT department, who I am sure will give your request the attention it merits.
  8. UnderAnOpenSky

    UnderAnOpenSky baseline neural therapy

    Or increase your post count here. :D
  9. farmerbarleymow

    farmerbarleymow Sweetcorn fiend

    Change the thread title to 'easy ways to get fired for gross misconduct'.

    Given you work in the NHS, kropotkin, you'd definitely get fired if you did this without authority. They'll almost certainly monitor the network for suspicious activity.
  10. existentialist

    existentialist Apprentice bachelor

    Nah. It's NHS. Where the default IT policy is "if we don't know about it, we block/ban it". And a lot of NHS IT doesn't know very much. So a lot gets blocked and banned. To a quite ludicrous degree. They suddenly blocked Gmail et al after the WannaCry attack, in the belief that webmail was somehow a deadly vector for virus attacks, with the result that a lot of collaboration apart from purely internal NHS stuff became impossible. When the real problem was the plethora of unpatched ancient Windows systems operating without adequate protection, firewalling, etc.

    There's really no good reason why outgoing traffic on port 22 should be blocked, either...but it is. It achieves little, except inconvenience.
  11. kropotkin

    kropotkin libcom

    Nah, I'd be fine if I got caught. I'm not worried about that.
  12. kropotkin

    kropotkin libcom

    Thanks for the replies, but no suggestions yet!
    I understand the risks, and accept them. I'm after technical advice.
  13. farmerbarleymow

    farmerbarleymow Sweetcorn fiend

    I wouldn't be too sure about that. I've fired people for less serious IT issues (although I don't work for the NHS).
  14. kropotkin

    kropotkin libcom

    Number of people who can do your job vs. illegally using Gmail.
  15. keybored

    keybored #NeverUseTheInternetAgain

    Underrated suggestion.
  16. kropotkin

    kropotkin libcom

    I just used a Raspberry Pi as an SSH tunnel gateway for Chrome to access the web. It was accessed using 1028-bit keys, so pretty secure.
  17. kropotkin

    kropotkin libcom

    Yeah, but I'm crap at typing on phones. And I've loads of documents/papers/articles in Drive I need access to.
  18. keybored

    keybored #NeverUseTheInternetAgain

    If they bother to check they'll be able to see you're using Tor and assume you're a drug baron or child porn aficionado. Although if they haven't worked out how to block Tor they probably don't know how to check.
  19. keybored

    keybored #NeverUseTheInternetAgain

    Can you not just tether to your phone?
  20. kropotkin

    kropotkin libcom

    Is that doable without WiFi, Bluetooth or admin rights? They are Ethernet-connected PCs.
  21. keybored

    keybored #NeverUseTheInternetAgain

    Ah. You could try a WiFi dongle but might need admin rights to install drivers (I'm not too clued up on Windows).
  22. kropotkin

    kropotkin libcom

    You'd def need admin rights for a dongle.
  23. keybored

    keybored #NeverUseTheInternetAgain

    Don't you need them to install (or set up natively) a VPN?

    ETA: Just reread and noticed you're using a plugin.

    ETA2: Bring your own laptop to work :D
  24. joustmaster

    joustmaster offcumdun

    You might be able to run your ssh server on port 80 and connect that way.
    Depends if they inspect packets. I hope that they do.
    Last edited: Jul 12, 2018
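What "inspect packets" means from the network defender's side, as an added example that is not part of the original post: a port number says nothing about the protocol, but the first bytes on a connection do, so a filter can flag an SSH identification string (RFC 4253) arriving on a port reserved for HTTP. The port policy, function names and sample flows below are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: each SSH peer opens with "SSH-protoversion-softwareversion".
SSH_BANNER = re.compile(rb"^SSH-(1\.\d+|2\.0)-[\x21-\x7e]+")
# HTTP/1.x request line: METHOD SP target SP HTTP/1.x CRLF
HTTP_REQUEST = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|PATCH|TRACE) \S+ HTTP/1\.[01]\r\n"
)

# Assumed egress policy: which protocol is expected on which destination port.
EXPECTED = {22: {"ssh"}, 80: {"http"}, 443: {"tls"}}


def classify(payload: bytes) -> str:
    """Identify the protocol from the first bytes seen on a connection."""
    if SSH_BANNER.match(payload):
        return "ssh"
    if HTTP_REQUEST.match(payload):
        return "http"
    # TLS record: type 0x16 (handshake), major version 3, then a ClientHello (0x01).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    return "unknown"


def mismatches(flows):
    """Return (src, dst, dport, proto) for flows whose payload does not fit the port."""
    alerts = []
    for src, dst, dport, payload in flows:
        allowed = EXPECTED.get(dport)
        proto = classify(payload)
        if allowed is not None and proto not in allowed:
            alerts.append((src, dst, dport, proto))
    return alerts


# Constructed sample flows (documentation address ranges, not real hosts).
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("10.0.0.7", "198.51.100.20", 80, b"SSH-2.0-OpenSSH_7.4\r\n"),
    ("10.0.0.9", "203.0.113.11", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
]

if __name__ == "__main__":
    for alert in mismatches(FLOWS):
        print("protocol/port mismatch:", alert)
```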
  25. cybershot

    cybershot Well-Known Member

    Serious answer. Log an IT support ticket. Request firewall ports are open for your machine (they can give you a static IP and create rules). Obviously you’ll need to give a business case of why you need these ports open. I’m sure they will have had to do it for other users when it comes to connecting to third party services that don’t run on standard ports.
  26. 8ball

    8ball Considerably more oppressed than yow

    Yeah, if something looks innocent enough I find they can be quite compliant in allowing things they don't really understand.
  27. 2hats


    I would imagine they are completely paranoid about what sensitive data* could be leaked out of their intranet, either directly, intentionally by employees or indirectly, unintentionally through trojans/other malicious payloads/social engineering and thus plump for default deny all. Also what jurisdictions such data could unknowingly end up in, which would subsequently prove more than a bit awkward when hauled in front of the ICO/MSM.

    Is there not a separate non-sterile, untrusted network provided for more casual activity? Or just use your own personal mobile device.

    * of which I’m sure they have plenty.
    Last edited: Jul 12, 2018
  28. kropotkin

    kropotkin libcom

    Yeah, tried that, they just said no!

    Also, I've run my ssh server on different ports before at a different hospital, but here *all* ports are blocked to the outside world. I'm not an IT guy so don't understand how. Everywhere else I've been able to find an unlocked port and run an ssh tunnel through that...
  29. Supine

    Supine Rough Like Badger

    U75 - Can you help me destroy the NHS please! :D
  30. joustmaster

    joustmaster offcumdun

    So you have no http www access to the internet?
