Point of view - MSP working with SMBs, so I’m not going to give you the ‘good reason’ care theatre. Corporate-serving IT probably don’t know more than turning a key on some firewall appliance they bought, because that’s cheapest in terms of staff to get one of their security tickboxes, and they’d have ticked all the boxes before closing the browser and moving on. Changing it is dangerous for them, meaning paperwork. Just bear in mind, it’s probably not their fault.
I guess these days most such appliances require an SSL certificate to be installed on the device for the FW to man-in-the-middle all your traffic. It could be you actually have one and can pull it out of a Windows certificate store. Probably won’t be so lucky, but I’d at least look at it.
But if not, definitely don’t (depending on availability):
USB wifi
USB WWAN
USB Bluetooth from an internal USB header to a tethered phone (I know a couple of places pretty hard on the we’ll-fire-you security category that missed that even being enabled), but I mean, you need it for your RSI-resistant mouse.
You might find a guest wifi has less ‘security’ enabled, because it’s not enabling access to internal resources. But if you can afford a Threadripper you can afford a mobile data plan. If you need occasional big files (70B models, just a guess) you can just sneakernet them.
Probably best to take it off-LAN if you do either (even if only for updates); if you need some network access you can get WWAN routers with Ethernet ports.
SoftEther VPN server is pretty good at punching through firewalls. I have some users that connect from behind the Great Firewall of China without issue.
Take Mordac, The Preventer of Information Services, for a nice lunch somewhere. Get to know Mordac, and let him do most of the talking. How to Win Friends and Influence People stuff. Try to keep it away from work, or if you do talk about that, make it about his career or interesting challenges he’s solved. If he does 90% of the talking, he’ll think it’s a great conversation and will leave with a positive opinion of you. Now as you’re leaving, you could ask if he could help you prioritize a ticket for getting software security updates. That will sound important and also trivial to him (so he won’t be scared away by the effort), so he’ll likely say yes. Then say you’ll email the issue to him and do so later that afternoon.
First of all, sorry for this “introduction” to the bad aspects of academia, at least in some institutions. They’re not all like that, but it sucks that IT in your institution is so calcified.
Just to double-check: does the server that you are using for your project have to be connected to the university or college network and on-prem? If it does, and you end up finding a way to circumvent whatever firewall they have there, make sure that you get a signed instruction to do whatever you need to do to be able to move forward with your project. I write “instruction”, because that way it’s documented that you were just following instructions.
Now, if it’s possible to physically move the server off-campus for a limited amount of time, that might be the easiest way to do what you need to do. But again, before even touching the case, get permission to do so in writing. Even better, let your supervisor get the permission and have you mentioned in it as the person doing the actual move. By permission I mean a hardcopy on official letterhead, signed in ink, with the inventory number and everything else in the text. With one signed copy that you keep for your own files. This way, you’re covered.
So, why all these precautions?
Because it can be unbelievable just how many people come running when they believe that someone did something without permission.
Because, in the long term, I do not want this to be connected to me. I’ll graduate in 2 years, this will be here for much longer. And my homeserver already has 80, 443, 51820 tied up in my own tools.
Had the same doubt. It’s defo not DNS, that’d be easy. I got tailscale on there and then connected it to my Tailscale network (while on my mobile data) and then switched to their network and it still didn’t work, so they’re blocking the domain AND some kind of traffic. Changing the DNS provider itself breaks the network, so that’s… interesting.
Thank you!
Haha, that’s what I did. I’d like to work remotely but I can’t ig, I’m just gonna switch to their wired when I want big downloads, and when in the lab, I’m just gonna do mobile tethering.
Huh, cool, gotta check this out.
These are people who do not understand or appreciate technology, but are just scared of it. I 100% understand where you’re coming from, but at the risk of doxxing myself, I am from India, and here, showing that work is being done is paramount to doing or understanding or liking it.
TIL, wow. That’s interesting.
Fair. Even in second year undergrad CS, people are afraid of Linux despite having an entire semester on POSIX fundamentals, so… idk what to say.
Thanks a ton, everyone. I get the moral policing, I really do, honestly. That said, for me, this was mostly an intellectual exercise to build my networking skills to do the bypass anyway. The IT staff will meet me next week, so until then, I’ll go with my makeshift solution, but it was really fun spending at least 4-5 hours trying to troubleshoot variations of this problem.
No static IP, though? I mean, the main point of the whole exercise is to avoid the limitations on tooling accessibility, but I’d also like to get SSH working so that I can work remotely.
You can create a reverse tunnel with SSH and even reverse port forward with SSH. You can also use SSH to tunnel all your traffic through it. It might be TCP in TCP and is a bit slow, but as a short-term solution it works.
As long as the server has a static IP the client will reconnect automatically.
As soon as you mentioned being from Indian academia, I remembered my college workaround was a bit manual. We got in the good graces of the student body. Back then students managed a lot of the college infrastructure under faculty supervision.
I got the permission to pay the bill for the ISP (it was BSNL; we used to handle cash, visit the office in the city and pay the bills) and managed to get the number of the tech who serviced the college area. We used the consumer no. to set up an on-site visit after some hardware failure due to a grounding issue.
Our campus was out of the city, so it was like a full-day affair. As he finished doing the work noonish, I offered to take him out for lunch.
Just a roadside dhaba where we kids were regulars.
Got chatting, told him the issue that we wanted to watch the World Cup on the class projector.
But couldn’t, because the solo IT guy wouldn’t comply even after getting department heads’ permissions. Back then data was costly and mobile network coverage was piss poor.
He said he couldn’t share the college credentials, but there was a boys’ hostel around 2 km from the main campus on the same network.
We got the credentials for that, we all watched the match, ran a LAN event and some even managed to download and set up movie nights.
A couple of students were interrogated over the years, as they had to get their laptops configured by IT for some college VPN or placement support.
Those credentials were active, unmonitored, from 2012 to 2018.
I want to know howwwww. They give us this trashy ISP in our rooms that only does 15 Mbit, in 2025. It’s so sad ugggghhhh. 5G is my savior. I wanna move out of the hostel but my parents won’t let me.
VPN over HTTPS to home server, then pivot through VPN for your exit node.
Universities block open source projects in order to stifle students. Remember that you are there to be indoctrinated with their ideologies, not innovate.
HTTPS is generally allowed through the standard ports. This will break your standard routing at home, so expect to go home and revert changes each night. You’ll effectively have web traffic coming in and your LAN acting as a bent pipe.
This removes your WAN IP from login logs when you access resources from school. Does not remove the gobs of data over HTTPS, but if you save large files locally at home and bring them the next day on a drive that alleviates it.
Most colleges are the same, incompetent IT using outdated SOPs.
Obviously, this is all use at your own risk information.
Never forget Aaron Swartz.
P.S. MIT is trash and the same indoctrination engine as any other university in the U.S.
Changing DNS and “breaking it” simply means - no additional DNS is tolerated, ie, DNS control is in place. Perhaps DNS over HTTPS might be possible. In short, the long run game needs to have the authorization to do what you need to do, and the changes / exceptions enabled to do so.
I see some of the system versions of replies; I would consider the big possibility that that will not help.
VPN over HTTPS is usually called SSL-VPN. If there’s an application control feature in place, this would still be rendered non-working. HTTPS has one standard port, 443. I fail to see how anything would “…break your standard routing at home…”. Also, I think there’s a small issue with your train of thought that something would remove the WAN IP from login logs; that’s a reverse tunnel you’re now describing (?).
Not sure either on your take that all colleges are the “same”, I’ll assume you have a history with MIT, since your take on MIT that it’s “trash”. Not sure how this is on track either?
Are you sure that they provide you with an ISP? Is it not a simple link to the college-provided internet, i.e., the college acting as an ISP for you, with the link a portioned-out speed?
VPN traffic can be disguised as standard https web traffic. It’s how Tor bridges function.
You make a standard appearing https connection to 443 or 8443 at your controlled bent pipe. This appears as a standard website load to third parties and network monitors.
Go ahead and port bind 443 on your wan to a dedicated vm inside your LAN and tell me if you can still access your banking site from another computer on the LAN.
The login logs recorded by credential authorized resources on WAN would record a VPN ip address as origination instead of the hosted bent pipe.
This is all InfoSec 101 from 2010, tier knowledge.
The Tor network works outside of how a normal VPN functions. Traffic normalization would, like application control, halt any attempts on this. Tor and normal methods of VPN can be fingerprinted. And, for the thread creator, that seems to be the case. Sure, perhaps the pluggable transport specification could assist in ensuring traffic flow.
Semantics - you stated standard ports - there’s one standard port defined, the protocol however, does not lock to a port, as nothing really does, standard ports are simply standards, that one can deviate from.
Bent pipe is not something I am familiar with, since I am not into satellite communication; that kind of traffic operates, to my knowledge, on small differences in principles, protocols and definitions. Are you referring to routing and address translation?
Sure I can bind a port; you’re not declaring that I need to perform port forwarding on the gateway’s port 443. However, this does not really assist in any way or form, nor is it needed.
No, not really in the sense you’re describing it… address translation would need to be in place for this to happen, i.e., the new gateway states it’s the sender, and also, something that needs to happen, and something that is not unusual when it’s not a split VPN scenario.
And no, it’s not infosec 101 from 2010 I am aware of, not even from when I was in school :), so no, I do not see the tier knowledge either.
You’re using for me really unusual terminology, that makes little sense, perhaps because I have a hard time understanding what you try to perform or describe. Perhaps it’s related to a language barrier I have not hit before. On this I am unsure.
As others have mentioned, this may well be a breach of your employment contract. You may be better off just talking to IT in person and maybe bringing them some cake or whatever. They are usually nice people who just want to keep the network safe from enterprising students who want to torrent viruses onto their unpatched Windows 7 machine.
If you wish to risk trouble anyway, one of the following will probably work:
Add a line to /etc/hosts with whatever blocked domain/IP you are attempting to access. Test with http and https. If it works with https and not http, change the DNF repo URLs to https.
A good old fashioned HTTPS proxy like tinyproxy
If they are young or incompetent: SOCKS proxy
OpenVPN over TCP on port 443
Something like sshuttle if you are allowed outbound ssh
Wiring the computer instead of using wifi. This actually worked in a building in my alma mater.
If you only need it for DNF you can spin up your own proxy to the Fedora repos using a simple proxy_pass directive in nginx and host it wherever.
All of the above requires some infra elsewhere except for the DNS over HTTPS. You can test this trivially by enabling it in your browser.
Edit: Remember, if you piss off IT they can really make your life miserable, so you should probably just buy them lots of cake and get access to their special unrestricted internet (which they always have).
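The proxy_pass idea from the post above, written out as an added example that is not from the thread or from any of its posters, and written the way an IT team would deploy it as an approved internal mirror rather than as a bypass: a caching reverse proxy inside the campus network in front of an upstream Fedora mirror, with the DNF client keeping package signature checks on. The hostname repo.example.edu, the certificate paths, the cache sizes and the choice of dl.fedoraproject.org as upstream are assumptions.

```nginx
# Added example, not from the thread: a caching reverse proxy in front of an
# upstream Fedora mirror. Deployed by IT inside the campus network, it gives
# DNF clients an approved host to fetch updates from while the firewall
# policy stays unchanged. Hostnames, paths and sizes below are assumptions.

proxy_cache_path /var/cache/nginx/fedora levels=1:2 keys_zone=fedora:64m
                 max_size=20g inactive=14d use_temp_path=off;

server {
    listen 443 ssl;
    server_name repo.example.edu;                       # assumed internal name
    ssl_certificate     /etc/nginx/tls/repo.example.edu.crt;
    ssl_certificate_key /etc/nginx/tls/repo.example.edu.key;

    # Talk TLS to the upstream mirror and verify its certificate, so the proxy
    # itself cannot be fed tampered bytes by a man in the middle on its uplink.
    proxy_ssl_server_name        on;
    proxy_ssl_verify             on;
    proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;
    proxy_set_header Host        dl.fedoraproject.org;

    # Repository metadata changes often; always fetch it fresh so a client
    # never sees a stale repomd.xml pointing at package lists that moved on.
    location ~ ^/pub/fedora/.*/repodata/ {
        proxy_pass  https://dl.fedoraproject.org;
        proxy_cache off;
    }

    # RPMs are immutable once published, so they can be cached for a long time.
    # Paths are passed through unchanged, which keeps the mirror tree identical
    # to upstream and makes the client baseurl a simple host swap.
    location /pub/fedora/ {
        proxy_pass        https://dl.fedoraproject.org;
        proxy_cache       fedora;
        proxy_cache_valid 200 30d;
        proxy_cache_lock  on;                # one upstream fetch per object
        add_header X-Cache-Status $upstream_cache_status;
    }

    # This host serves the repository tree and nothing else.
    location / { return 404; }
}

# Client side, /etc/yum.repos.d/fedora-campus.repo on each machine. gpgcheck
# stays on: RPM signatures are verified against the Fedora key regardless of
# where the bytes came from, so a misconfigured or compromised proxy cannot
# substitute packages, only refuse to serve them.
#
#   [fedora-campus]
#   name=Fedora $releasever - $basearch (campus mirror)
#   baseurl=https://repo.example.edu/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
#   enabled=1
#   gpgcheck=1
#   gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
```

The design keeps the upstream path layout intact so that the same prefix also covers the updates tree, caches only the immutable package files, and relies on RPM signature verification rather than on trusting the proxy. The X-Cache-Status header makes it easy to confirm from a client that a second download of the same RPM was served from cache.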