So... How would you bypass a firewall?

So, I’m working on some research in my college for which my prof and I have built a fancy ThreadRipper Pro 7995WX, RTX 6000 Ada, 256GB RAM PC for running a lot of the compute-intensive tasks.

The issue is, our college firewall is a bit overzealous and configured by people who do not have a more-than-bookish knowledge of any of the subjects at hand; therefore, they have blocked almost everything that they can, including Fedora mirrors and tailscale.com. Now, I have applied for the firewall exception, and it’s already in the chain of command, but I doubt that they either know what that even means or how to achieve it, or as so often happens in IT, this might just be forgotten for months.

Till then, I want a makeshift solution. It’s a gigabit connection, so is there any way for me to bypass all these restrictions so I can use the “normal” internet on this? I’ve been thinking of OpenVPN-ing it to my homeserver, but the thing is, I don’t want to tie it to me. I’ve considered passing it through a Linode instance, but that’s an additional cost which I’ll have to sanction.

Either way, what would you all recommend as the best way to bypass this? Preferably a low/zero cost solution!

Thank you very much!

Also, mods, please do not ban this, I will get permission for the method suggested in writing from the higher ups in the department (that’s easier and actually official, without relying on someone else having the specific skillset to do something for resolving my request.)

Without a firewall rule you're looking at some form of encrypted tunneling, which always requires an endpoint. VPN to some other location is the easiest mass bypass. If you want gigabit speeds over VPN, WireGuard is what you will need to use; OpenVPN has too much overhead to actually come close. I think you already nailed the question, which is where the endpoint is. Ideally it would be a VPS, that way ownership is not yours.

Maybe someone else will have an idea.


What can't you get to that you want to? What is the firewall blocking that’s inhibiting your projects with the new box? What is the perceived risk in having an exit node tied to you? Answering these questions will go a long way to a solution.

Also have you tried going to see the folks in charge of the network in person and explained the project you’re working on? Some network engineers (myself included) like a good project and helping other tech minded folks out from time to time.


So, I have. In our specific college, unfortunately, they kinda don’t know much, and are doing the bare minimum pressing-buttons routine they were trained to.

My main use cases are: being able to use basic dependencies.

  • Tailscale.com is broken and would be nice to have; I need to give remote API access to specific people without exposing it on the college network/internet.
  • Half the dependencies in installers/compiled apps break for some weird reason. sudo dnf upgrade was giving me errors for certain apps that had specific sources it pulled from. They probably just picked the strictest blocklist option by default and have been rolling with that.

Have you looked into ZeroTier? It's a software-defined network so it may be able to punch through…

Understandable that that gets blocked.

No wonder when they block stuff like Fedora mirrors. Which seems like weird behavior.
Why not call them up on that?

Of course you can always go the “shady, potentially job risking way” of using WireGuard over Port 443. I doubt that it matters if it goes to your home IP or a VPS. It is not that they find out about your home IP anyway. There are other ways.

Rent the cheapest VPS ($3-5 per month), set up WireGuard (easiest way: GitHub - Nyr/wireguard-install: WireGuard road warrior installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora), listen on any of the ephemeral ports: Ephemeral port - Wikipedia

If they are not open try UDP 53 or 123.

But before you do this make sure your boss is ok with that.


So, I’m in a college, and the prof I’m working under is basically super senior. He approves of it all, it’s just that the rest of the team has just taken a corporate solution and have no config idea whatsoever.

There’s no one here who would even understand that sentence. That’s the gosh darned problem :confused:

Permission/legality is not a constraint.

While that seems overzealous to you, it's the absolutely correct approach from a security standpoint. This is not your home network, this is an academic/corporate one.

You allow only what you must, and your workload might be novel enough to run into issues with the existing ruleset. Blocking VPNs and private networks is also an absolute given; only incompetent netsec would leave that open.

This is a human problem, not a technical one. It's also not up to you to decide what is a risk or not. Apply political pressure if you must, but the idea of tunneling out on the sly is seriously misguided.

If you are discovered doing this, there might be serious trouble, at least if you are at a larger and more prestigious institution, where a security breach is a real risk.

At some places this is resume generating event.

I’ve been thinking of OpenVPN-ing it to my homeserver, but the thing is, I don’t want to tie it to me

I think you are subconsciously aware how bad an idea this is. If you are really dead set on doing this, go through your internal security policy and acceptable use for the academic network and find out what is actually forbidden.


Again, I have explicit permission from the higher ups to do so.

While I absolutely agree, they have no idea of how it’s configured; therefore they rely on external providers for that knowledge and that takes time and has a huge backlog.

Official, signed from the highest levels and specifically describing the methods and reasoning? You need to be ironclad and explicit in this.

There also seems to be something missing here, since if you have as high support as you claim, then ordering the firewall opened to a selected destination like a Linux mirror is an easy task in comparison.

So this smells like internal political bullshit and infighting instead. As in, your higher ups are not high enough to actually matter within the organization to have IT do what's needed, are in disfavor, or there is internal disorder.

Easiest way here is for your higher ups to cough up some spare cash, and you buy a 5G access point and data plan for temporary unrestricted access to the public net.

While I absolutely agree, they have no idea of how it’s configured; therefore they rely on external providers for that knowledge and that takes time and has a huge backlog.

Critical services managed by an MSP and minimal internal IT that does mostly end user support? Ahh, that smells like academia.


Iirc, OP mentioned he already started the ball rolling for official sanctioned access that he requested.

OP is just impatient not to waste weeks of time, and would rather be kicked off course for breach of acceptable use policy, to get the genuine work done earlier.

I have no idea how bad the IT department is, or how lazy, or good.
Sounds like there is a correct process, that has been started, and should really be waited for.

It does seem going out of band, like a 5G hotspot or something, would mean the IT are not having to chase down holes poked in their net, and reduces the burden on them to diagnose and remediate breaches after the fact.

Although, if they don’t do deep packet inspection, and the traffic is of legitimate interest, simply unauthorised, then a tunnel over 443,

I don't think UDP port 53 would work, as they really should be capturing all DNS for their own content filtering.

Obviously the place is an academic place, so filtering is super important, because Kids. But also exception process HAS to exist, because research. And a structured, easy to use system, that does not require super technical IT staff, means it should hold up better to breaches like this, where every research is a special snowflake and can’t wait for actual exception process.

If the senior teaching staff really was on board, could they not email the dean/whoever, and ask them to fast track the IT application?

If the dean is not on board, or is an ass and would not fast track it, then they would be even WORSE when the breach is discovered, and no way would cover the necks of the department head, or the student doing the project…

As I mentioned, they do NOT know and they’re literally busy for the next week installing a lab since they only have like two people, and that lab needs to come up before the end of the semester since the end semester exams will be conducted on it and… yeah.

I just hate the red tape, and I want to get done with my work.

Thing is, this new lab is technically a pure research lab. It isn’t even for regular students, specifically for the research team.

Again, it’s an HR limitation. :sob: They’re ready to see my application in a week or so, and that is just a lot of lost time.

ANYWAYS, here’s everything I’ve tried so far

  • Trying ProtonVPN + Port 443; breaks.
  • Zerotier; breaks. Like I can set it up, shows up on the dashboard, but doesn’t ping. Every other device does.
  • Default ProtonVPN wg.conf; also breaks.

I prefer SSH tunnels over VPNs, though you may not get the speeds you need.

SSH is almost never blocked, so tunnel traffic over it tends to work.

Don’t have static IPs on either system, though (yet.)

It sounds like your best bet is to grab a dsl router and data plan and be self sustained and on your way. I’m betting that as your project progresses you’ll find more and more things blocked.

The local dns and firewall rules are only part of the safeguards in academic environments that have their internet subsidised which is likely the case on your campus. The ISP gives a very discounted rate for access while controlling additional DNS and content filtering on their end as well. So the request will go through your local IT department to be sent to the ISP for review and approval. If you are unhappy with the timeframe of a week from the local guys you’re really not going to like the ISP turnaround time.

As for the fair use agreement (usually with admission paperwork) you signed just be aware that a note from a professor will not help you out or trump this initial agreement if things go south. There’s a lot in play with subsidies and insurances and the reality is that compliance with them will always be a larger priority than one user’s project.

I know it’s a bummer but the DSL plan is a solid way to get what you want in the timeframe you want. Ask your professor what they have left in the department budget and maybe they’ll pay for it. Could be a win win


Yeah, that’s what I realised honestly. Testing that right now with my personal testing WAP/Router and mobile hotspot :skull:

Ah well, the joys of networking.


Then why use a VPS and not connect to your home?

To bypass - you need to know and understand what you need to bypass.

With the description you give, it feels like some vendor-predetermined categories are disabled. Here the possibilities can be plenty… Therefore, first step: fingerprint the solution. The version does not really matter yet, but at least understand what’s in the way.

Secondly, when it’s determined what kind of solution is in place - there’s options to limit depending on vendor, licensing and general setup.

In short, Webfilter, DNS filter, application control, WAF or something vendor specific?

Take the example if it’s a DNS filter - a usually simple categorizing of DNS lookups can be allowed or blocked.

If it’s a webfilter, there’s usually a combination of DNS and small fingerprinting of the content served.

If it’s Application Control, it’s usually a combination of the two examples above, getting really close to how WAF operates - there’s usually pre-determined categories that can be allowed or denied.

If it’s a Web Application Firewall (or a more up to date variant that also includes API protection), it’s getting close to a proxy, one that works all the way up the OSI model with the parts mentioned above.

In short, to defeat or work around - there’s always the small fun part of - it will be noticed, or updated from the vendor…

Heck, it might even be handmade IPS rules (look up Snort for examples) that trigger. This is why starting to “know your enemy” is the first part, and then start checking what is blocked and not.

The cost here is time. A more time-managed solution is to ask for exceptions for valid usage; this should be the default, and, with the above, you can assist those you say are less interested in what they manage to manage it better ;). But in short, they should give you valid access to approved tools, approved distro repos, or, with the ‘ticket’ created, grant you the access needed for legitimate, work-related use.

But wait, you say, I haven’t given the info on how to do any of the above parts… No, I have not, but this is something that is not harder than booting said machine with perhaps even a live USB with a distribution that contains tools to perform said actions with the needed packages pre-installed.
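The previous post describes telling a DNS filter, a web filter/proxy and a plain network block apart before asking for anything. The following is an added example, written for this thread and not code from any poster here; it records the same three observations per destination (does the name resolve, and to a real address; does TCP/443 connect; does a TLS handshake complete against a certificate that matches the name) and maps them to the most likely filtering layer. That is exactly the evidence an exception ticket should carry ("resolves, TCP/443 dropped" is something IT can act on; "it's broken" is not). The host list is a constructed sample, the labels are a heuristic of mine rather than any vendor's fingerprint, and the checks obviously need network access to mean anything.

```python
"""Egress diagnostic: which layer is blocking a destination?

Added example for the thread above (not any poster's code). For each host it
records three observations and classifies them, so the result can go into a
firewall-exception request instead of guesswork.
"""
import ipaddress
import socket
import ssl
from dataclasses import dataclass

# Constructed sample list; replace with the destinations your work needs.
HOSTS = ["mirrors.fedoraproject.org", "tailscale.com", "example.com"]
TIMEOUT = 4.0


@dataclass
class Probe:
    host: str
    dns_ok: bool       # name resolved at all
    sinkhole: bool     # resolved, but to 0.0.0.0/::/loopback (classic DNS-filter answer)
    tcp_ok: bool       # TCP connect to port 443 succeeded
    tls_ok: bool       # TLS handshake + certificate verification succeeded
    detail: str = ""


def classify(dns_ok: bool, sinkhole: bool, tcp_ok: bool, tls_ok: bool) -> str:
    """Heuristic mapping of the observations to the likely filtering layer."""
    if not dns_ok:
        return "dns-filter"        # NXDOMAIN/SERVFAIL from the campus resolver
    if sinkhole:
        return "dns-sinkhole"      # resolver answers with a dead address
    if not tcp_ok:
        return "network-block"     # resolves, but the firewall drops/rejects TCP/443
    if not tls_ok:
        return "tls-intercept"     # connects, but cert mismatch/reset: proxy or web filter
    return "allowed"


def probe(host: str, port: int = 443, timeout: float = TIMEOUT) -> Probe:
    """Run the three checks against one host. Needs network access."""
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]
    except socket.gaierror as e:
        return Probe(host, False, False, False, False, f"dns: {e}")
    ip = ipaddress.ip_address(addr[0])
    if ip.is_unspecified or ip.is_loopback:
        return Probe(host, True, True, False, False, f"dns: answered {ip}")
    try:
        sock = socket.create_connection(addr, timeout=timeout)
    except OSError as e:
        return Probe(host, True, False, False, False, f"tcp: {addr[0]}:{port} {e}")
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # issuer is a tuple of RDNs; take the first attribute of each
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            org = issuer.get("organizationName", "?")
            return Probe(host, True, False, True, True, f"tls ok, issuer={org}")
    except (ssl.SSLError, OSError) as e:
        # a verification failure here often means an interception CA
        sock.close()
        return Probe(host, True, False, True, False, f"tls: {e}")


def summarize(probes: list[Probe]) -> dict[str, str]:
    """Host -> label, the table you would paste into the ticket."""
    return {p.host: classify(p.dns_ok, p.sinkhole, p.tcp_ok, p.tls_ok) for p in probes}


def run(hosts: list[str] = HOSTS) -> dict[str, str]:
    probes = [probe(h) for h in hosts]
    for p in probes:
        print(f"{p.host:30} {classify(p.dns_ok, p.sinkhole, p.tcp_ok, p.tls_ok):15} {p.detail}")
    return summarize(probes)


if __name__ == "__main__":
    run()
```

Run it once from the lab box and once from a connection you know is unfiltered (the hotspot mentioned earlier in the thread) and diff the two tables; a host that is "allowed" outside and "tls-intercept" inside, with the issuer column naming the campus appliance, tells the ticket reviewer precisely which rule to touch.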