VPN at University

I have just moved to university halls accommodation, and am trying to adapt to life with a monitored and controlled internet connection. It's not going well.

Because of this, I decided to look into alternative solutions - The best I have found seems to be using a VPN. I am currently having a few problems getting a VPN connection set up, I think partially because I am using Vista64 and partially because of obscure proxy settings I don't truly understand.

Either way, assuming I did get a VPN working using a specific VPN client (such as the one from http://www.vpntunnel.co.uk/ ), is that my best solution? Are there alternatives? Is it truly anonymous?

I am aware the network admins will see the bandwidth being used by me, but as I understand it it will just appear as http IE6 traffic? Is that correct?
 
Why on earth are you on IE6, for the love of god upgrade or use Firefox, or something!

When I was in halls I used to surf porn all the time, there's so many people there they can't pick up everyone on it.

But if it's not porn you're worried about then stop whatever illegal thing you're doing.

Not much help VPN wise but I feel a lesson in morality.
 
Uni is where us geeks grow up, stop playing online gaming, go out, and discover girls and drunken antics ;)

Way to make assumptions. I lived on my own with a group of friends for 2-3 years in the center of Brighton prior to coming to uni. I have gone to more clubs and parties than you can shake a stick at, but you know what? It's not all I'm interested in, and frankly it gets pretty damn boring after a while. I have also been in a solid relationship with my girlfriend for just over a year now. I have done all the discovering of girls, drink and drugs and the novelty has worn off, a long time ago - It is not all I like doing anymore.

Porn is not what I'm worried about. Games, msn and to a certain extent Usenet is what I am worried about.
 
Perhaps get a VPS server and then just SSH/tunnel through it? Put it on port 80 or 445 and it'll just appear to be basic web browsing traffic.
 
No it won't! Well, not to any network tech worth his salt! It might make it more difficult (read expensive) to block but certainly not impossible to stop anything other than web traffic using port 80.

Your university internet connection will be very fast and unless you have something at the other end that is also very fast, you will just be crippling yourself as to the sorts of speeds you can get. Upload is more important than download on the remote end.

Let's assume you are going to be bouncing your traffic off a machine at your parent's house or something. You will need a VPN solution. You can look at IPSEC and others but personally I use OpenVPN and it works well for me. All you would need to do would be to set it up on a box at home and forward a port (probably best if it isn't the default OpenVPN port if you are trying to subvert your uni's network team for as long as possible), then have the client running on another machine acting as a gateway and set your default gateway to be the IP of the other box. If you're doing this on Linux you need to enable IP forwarding and then voila, all your traffic is now going down the tunnel.

Question is, what is to be gained by doing that? If you are worried about usenet, you can usually pay a little bit more and have your connections SSL encrypted. Whilst that won't stop them from working out what you are doing (especially if you are slamming your connection 24/7) it will at least stop them from knowing what you are downloading. HTTP stuff is by the by, are you really that bothered about someone picking out YOUR packets from the thousands of other users' traffic? If you are, you're far more paranoid than you need to be, consider your uni as just another ISP and you'll see where I am coming from on that one.

Anything of use (banking etc) is all encrypted anyway and you're trusting them not to man-in-the-middle your handshake...
 
Sorry - I meant to say that they'd not be able to monitor exactly what the traffic is. And that it'd bypass any port restrictions. Obviously as I suggested using a VPS it can be assumed that the server would be on a decent speed connection.

I'd personally not worry about it all too much however.
 
Yeah, that's pretty much spot on :)

Paying for a VPS might do it, providing you get shell access of course (which isn't a given IME). It would also give him good speeds but probably cap his bandwidth usage quite significantly if he plans to download from usenet a lot. 40Gb/month isn't that hard to do, especially if that is 40Gb of total transfers, meaning he will only get 20Gb/mo of actual download bandwidth before he gets a big(ger) bill. Percentile billing would probably work out even more expensive as usenet will max out his connection!

All in all, IMO, this is far far more hassle than it's worth!
 
Definitely agree that it's more hassle than it's worth.

Interesting /re VPS boxes. I always thought that bandwidth was quite plentiful (though I guess that's in terms of total per month rather than burst) but processor time/ram usage was more restricted. I've only personally dealt with 'proper' dedis myself so I'm sure my info is out of date on that one :)
 
I used to pay for SSL encryption at home anyhow, so I would be more than willing to do that. Does that mean that I could connect to usenet normally, without a VPN solution, and it would just appear that I am downloading a lot of data? Would there be any way of the admins knowing that this is via usenet, rather than ftp/http/whatever?

One of the main reasons for paying for a VPN for me was to play games. 99% of my games don't work, due to proxy settings. Even the VPN solution I bought to try out (£10, name above) won't connect to their servers - Again, I assume, because of the proxy settings. Is there any way around this at all?
 
It'll be obvious as hell to anyone with half a brain what you're doing, even if you use encryption it's stupidly obvious...

- He's using a lot of traffic... I wonder where to? What's the destination IP? Oh look, that's a usenet provider, let's shape his connection to 56k.

Anybody who can't complete that thought process in 30 seconds shouldn't be working in IT.

Or if they actually have decent kit, do deep inspection and it'll be immediately obvious it's not HTTP even if it's on port 80...
 
Are you sure you mean proxy settings?

Chances are, you're firewalled pretty extensively which will stop you from doing quite a lot. You will have the usual range of ports open and that will pretty much be that.

If they are really clever they will be filtering at Layer 7 which means that no matter what you do (well, not entirely ;)) you won't be able to get out on anything other than the protocols they want you to use. If not, you MIGHT be able to find a usenet provider offering you service on a range of ports (i.e. anything other than the usual NNTP ports, which are more than likely going to be blocked or at the very least shaped).

Funnily enough, I have (for entirely different reasons) done something similar to what you want to do but I have the advantage of the use of a proper dedicated server running Linux which lets me do a lot of this stuff on any port I want - which is exactly what you need to be able to do, connect to a service you have set up on a port that is allowed out onto the internet.

FYI, if the ONLY way out onto the internet is via an actual proxy server, you're going to need some very, very clever stuff indeed to get around it (if it has been done properly!)
 
Way to make assumptions. I lived on my own with a group of friends for 2-3 years in the center of Brighton prior to coming to uni. I have gone to more clubs and parties than you can shake a stick at, but you know what? It's not all I'm interested in, and frankly it gets pretty damn boring after a while. I have also been in a solid relationship with my girlfriend for just over a year now. I have done all the discovering of girls, drink and drugs and the novelty has worn off, a long time ago - It is not all I like doing anymore.

Porn is not what I'm worried about. Games, msn and to a certain extent Usenet is what I am worried about.
Good :p

Thing is your usual ISP connection is also 'monitored and controlled' - maybe more so than a uni connection these days...your home ISP just doesn't block ports.
 
TBH if he is using a VPN you'll have to have some top kit to break 2048-bit encrypted traffic to have a hope in hell of finding out what he is doing... which means that guys like us would probably just shape the hell out of it anyway!

It's a good thing that there are so few people that know what they are doing running networks all over the place :D
 
Encrypted usenet would be obvious (traffic to an IP which is going to be registered to a usenet provider, obviously not http if they have l7 inspection, large volume of traffic from a single IP in one direction)

If you bounce the traffic through a dedicated hosting box or use a VPN the main protection is the connection will not be with an IP known as a usenet host. It'll still be a high volume of traffic in one direction from one host, even if you use port 80 it'll stand out as not http in deep inspection...

If you want to play games I'd go talk to your uni IT guys and ask why they block those ports and if there's anything you can do to get them unblocked. Otherwise I suggest you get over using usenet until you have your own connection.
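
The checks described in this thread (whether port-80 traffic is actually HTTP, and a large volume of traffic in one direction from a single remote IP), sketched from the network operator's side as an added example that is not part of any post. The flow-record fields, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Request-line prefixes a real HTTP client sends first.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")

def looks_like_http(first_bytes):
    """True if the client's first payload bytes start with an HTTP method."""
    return first_bytes.startswith(HTTP_METHODS)

def review_flows(flows, min_bytes=5 * 10**9, min_ratio=20.0, min_share=0.9):
    """Return {client_ip: [reasons]} for clients worth a closer look.

    Thresholds are hypothetical: total download size, download/upload
    ratio, and the share of the download coming from one remote IP.
    """
    down, up = defaultdict(int), defaultdict(int)
    per_dst = defaultdict(lambda: defaultdict(int))
    findings = defaultdict(set)
    for f in flows:
        src = f["src"]
        down[src] += f["bytes_in"]
        up[src] += f["bytes_out"]
        per_dst[src][f["dst"]] += f["bytes_in"]
        # Layer-7 check: the port number alone says nothing about the protocol.
        if f["dport"] == 80 and not looks_like_http(f["first_bytes"]):
            findings[src].add("non-HTTP payload on port 80")
    for src, total in down.items():
        top = max(per_dst[src].values())
        if (total >= min_bytes and total / max(up[src], 1) >= min_ratio
                and top / total >= min_share):
            findings[src].add("bulk one-way transfer from a single remote IP")
    return {src: sorted(reasons) for src, reasons in findings.items()}

# Constructed sample records (documentation address ranges, made-up sizes).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 80,
     "bytes_out": 2 * 10**8, "bytes_in": 8 * 10**9,
     "first_bytes": b"SSH-2.0-client\r\n"},
    {"src": "10.0.0.9", "dst": "192.0.2.10", "dport": 80,
     "bytes_out": 10**6, "bytes_in": 3 * 10**7,
     "first_bytes": b"GET /index.html HTTP/1.1\r\n"},
    {"src": "10.0.0.12", "dst": "203.0.113.4", "dport": 563,
     "bytes_out": 10**8, "bytes_in": 12 * 10**9,
     "first_bytes": b"\x16\x03\x01"},  # TLS handshake record
]

if __name__ == "__main__":
    for ip, reasons in review_flows(SAMPLE_FLOWS).items():
        print(ip, reasons)
```

Note that the encrypted flow on port 563 is still flagged on volume and direction alone, which is the point made above: encryption hides the content, not the traffic pattern.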
 
Yup, no joy. They said 'try now', so I'm guessing they tried something but then said they could do nothing more for 'security reasons', and it still doesn't work.
 
Well, the options are pretty much laid out, either try and get a VPN working or give up. I'm sure they publish some kind of policy on internet usage, I'd read it, because if you get your access revoked for the year for breaching it you'll be kicking yourself.
 