VPN/Port Forwarding Help (please hide me!)
Mike Lowe
05-21-2015, 05:47 PM
I log into a Cisco VPN client remotely for work, and I'm trying to go one extra step for security and to mask my varying locations from time to time. It doesn't seem possible to use two VPN clients simultaneously, at least I was told, and I also didn't get too far in trying to use port forwarding with the VPN client. Then again, I suck at this stuff, and that's why I'm looking for help! :)
Belkin, my router company, told me I had to get "the Cisco VPN IP" in order to port forward. They gave me the impression that this was some sort of universal IP from Cisco. However, when I called Cisco, they said I would basically need the serial number from the device (I live 2,000 miles from it), my username (which I don't ever see), etc. to get that sort of info, giving me the impression it wasn't so generic. FWIW, my router does NOT have VPN built-in.
Ideally, I'd have something set up via the router so that any device I connect would have the location hidden. However, I'd settle for getting at least the machine with the VPN client's location masked.
I've read that a simple proxy could work, but would it? I don't even know how I'd check once I actually had something set up. Would one of those IP sites indicate a location "change" that quickly?
Should I just buy a better router?
I'm hoping there's a quick and easy process for getting something done. Thanks a million for any suggestions!
jeff061
05-21-2015, 06:26 PM
You mean you are trying to obscure what your public IP address is to sites you connect to? Don't think you can without a proxy.
Go to IP Chicken - What's my IP address? IP address lookup (http://www.ipchicken.com). That's your IP and anywhere you connect is going to know that. If you connect through a proxy to that site, you'll get the IP of the proxy returned back to you (rather than your own), which is also what would happen if you connected to other sites through the proxy.
I don't think port forwarding has anything to do with that, it just makes sure your firewall redirects applications to the proper client, applications that may have otherwise been blocked.
Granted networking has never been my specialty, so maybe I'm misunderstanding.
jeff061
05-21-2015, 06:27 PM
"the Cisco VPN IP"
This I believe is just the IP of the virtual NIC the Cisco VPN client creates. I think you can get it by doing an ipconfig from the command prompt after you connect. But again, I'm not sure what you would gain configuring some type of port forwarding.
Unfortunately, the IP likely changes every time you connect. Probably same subnet, but different IP. Maybe you could script a solution to that, but I doubt it on a Belkin or any other home router.
jeff061
05-21-2015, 06:29 PM
Unless if you port forward everything back to the VPN IP, your company's IP will be returned instead of your own personal one. In which case going to IP Chicken - What's my IP address? IP address lookup (www.ipchicken.com) would show your company's IP as well, if you wanted to test it.
Haha, I'm thinking things through as I type. Again, networking wasn't ever my specialty.
NobodyHere
05-21-2015, 06:37 PM
Yeah proxy sounds like the way to go if what you're trying to do is hide your ip address.
They basically act as a middle man between your ISP and your company's ISP, and all they'll ever see is your proxy's IP address.
NobodyHere
05-21-2015, 06:40 PM
Also to my understanding port forwarding is just sending ip packets to certain devices on a network based on what port you're trying to reach, for example a router could be set up to send traffic to a web server for destination ports that are known to be used for web traffic such as 80 and 443.
In other words it does nothing to hide your own address if you're outside the network.
jeff061
05-21-2015, 06:44 PM
Yeah, but if those packets always go to and from the Cisco VPN IP, instead of this physical NIC IP, then he would be identified by his company's data center IP instead of his personal one. Granted your company would now have the ability to track everything you do, no matter where you are, as long as you are connected to the VPN.
My feeling is that's a setting either on the VPN client or on the server. Not the firewall. I think I've had VPN profiles/configurations that routed everything through my company and I've had ones that only did that for company resources.
Edit: Course, it may all be for naught if his router can't route packets to his Cisco VPN IP, assuming it's on a different network.
In short, get a proxy.
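The two kinds of VPN profile described in the post above (everything routed through the company versus only company resources) come down to the client's routing table. The following is an added example, not part of the original thread; all addresses, the route layout and the function names are constructed for illustration and are not taken from any Cisco client.

```python
import ipaddress

# Constructed sample addresses (documentation/private ranges), not from the thread.
HOME_PUBLIC_IP = "203.0.113.25"   # what the home ISP hands the router
CORP_EGRESS_IP = "198.51.100.10"  # company's outbound internet address
VPN_GATEWAY_IP = "198.51.100.1"   # company's VPN server
VPN_ASSIGNED_IP = "10.8.0.42"     # address given to the client's virtual NIC


def make_routes(full_tunnel):
    """Build a simplified client routing table as (network, interface) pairs."""
    routes = [
        ("0.0.0.0/0", "physical"),             # normal default route via home router
        (VPN_GATEWAY_IP + "/32", "physical"),  # the tunnel itself rides the real NIC
        ("10.0.0.0/8", "vpn"),                 # company resources
    ]
    if full_tunnel:
        # Two /1 routes cover every address and outrank the /0 default.
        routes += [("0.0.0.0/1", "vpn"), ("128.0.0.0/1", "vpn")]
    return [(ipaddress.ip_network(p), iface) for p, iface in routes]


def egress_interface(routes, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, iface) for net, iface in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def source_seen_by(routes, dest):
    """Return the source address the destination would log for this client."""
    if egress_interface(routes, dest) == "physical":
        return HOME_PUBLIC_IP               # NATed by the home router
    if ipaddress.ip_address(dest) in ipaddress.ip_network("10.0.0.0/8"):
        return VPN_ASSIGNED_IP              # internal hosts see the virtual NIC
    return CORP_EGRESS_IP                   # internet hosts see the company's NAT


if __name__ == "__main__":
    website = "93.184.216.34"  # constructed stand-in for any public site
    for name, full in (("split tunnel", False), ("full tunnel", True)):
        routes = make_routes(full)
        print(name)
        for dest in (website, "10.1.2.3", VPN_GATEWAY_IP):
            print(f"  {dest:15} sees {source_seen_by(routes, dest)}")
```

In both profiles the VPN gateway itself still logs the home public address, because the encrypted tunnel packets have to leave through the physical NIC; only what third-party sites see changes.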
Mike Lowe
05-22-2015, 01:23 AM
Thank you!
So a proxy is just for surfing, or?
I need to eliminate any identifying of my location, which I assume is via my IP.
But does a proxy mask the location of all activity, such as running software? Is that traceable too?
I'm a noob with this stuff, so thanks for the info! As for a proxy, any good recs? Do I need to sign into the proxy every single time I am using my computer? Or can it be set for long-term use?
Alan T
05-22-2015, 04:47 AM
OK, network security is what I do for a living. (Firewalls, VPNs, proxies, etc.) So this is right in my wheelhouse, so to speak.
If I understand you correctly, you want to hide the IP address that you show up connecting from when you connect to your work VPN (Cisco VPN), correct?
If this is an SSL VPN solution where the entire thing is done over web type communication, there are ways to do this using a web proxy service as was mentioned earlier in this thread. By connecting through a web proxy server to connect to the SSL VPN server, your IP address will show up to that VPN server as the IP address of that proxy server and not your own personal IP address. You typically can tell if your VPN solution is an SSL VPN solution if you only use a web browser to connect and it does not launch some type of client on your computer. VPN solutions that you launch with a web browser but then start up a client on your computer could use other non-SSL ports which do not pass through your web proxy. Depending on the client, there are possible ways to force that client to send all of the traffic over SSL via the proxy, but in some cases it can be difficult.
The other type of common VPN solution is the traditional client based VPN which uses IPSec to connect. Using a web proxy for this is ineffective due to the way this communication is handled. Even translating your address in various ways is ineffective due to the way the actual IPSec data packets carry IP information from the initial source embedded within it. To try to connect this type of client through a different location would effectively require you to use a VPN tunnel within another VPN tunnel, which in many cases will not even work depending on the method of IPSec that they use, and in other cases is not necessarily easy to accomplish. Even if you were to do this, it would require having a separate VPN server somewhere else that you connect in to that you then can VPN through. In 99% of the cases, I would not even think it would work the way you wanted if you got it to work at all.
With a traditional client based IPSec solution, one thing that can be done is having a middle man type of landing point such as a terminal server that is elsewhere (not on your home network) that you can remotely connect to using RDP and from there VPN out. (You would have to configure things in a way that the VPN action would not cause your RDP session to break though.) An example of this would be if you paid to have a small server somewhere like in Amazon AWS that you then VPN out from. In that case your IP address would show up to your work VPN server as the actual IP address coming from the Amazon server.
The other way to try to accomplish this could be by using a fairly obsolete method of having a way to dial up over a modem to a service provider and then initiating your VPN connection from there. You would show up as coming from the dial-up provider's network rather than your home network.
I guess the bottom line is that there are ways to accomplish what you are wanting, but in some scenarios it is not necessarily easy, and in other cases not cheap.
weegeebored
05-22-2015, 02:40 PM
"As for a proxy, any good recs? Do I need to sign into the proxy every single time I am using my computer? Or can it be set for longterm use?"
A couple of highly rated VPN/proxies are TorGuard and Private Internet Access. With TorGuard you can have the client/service start with the operating system, but you still have to choose the server that you want to connect to which could be in Dallas, New Zealand, Singapore, etc. There are other VPN/proxies available as well so you could Google.
Also make sure that the service that you choose passes the DNS leak test. This is important if you make a connection that uses DNS to find the specific site or location. If you're using a specific IP address (e.g. hxxp://192.168.1.144 (http://192.168.1.144)) instead of a domain name that needs to be resolved this is less of an issue.
Drake
05-22-2015, 04:32 PM
Just as an FYI, this is *not* how you fudge a bank statement.
Mike Lowe
05-22-2015, 07:17 PM
Alan and others, thank you so much! Including the jokes--good stuff!
Alan, I'm pretty sure my VPN Client is the more complicated one you described, because I don't go to a website to connect to it, I open up a .exe program and log in to the server from there. This allows me to connect to the shared network, etc.
So is it best to just leave it be? I'm willing to spend up to maybe $150 for a solution that's reliable and relatively simple to get going (new router?). I'm honestly doubting my work will ever notice. I was told I had to move to another state for tax reasons, and I've moved on paper, but am not ready to physically move just yet because my gf just started her new job here.
My work is pretty clear about not wanting to lose me, so I doubt anything comes of it...but I worry whether I'm out of lives if they do! :)
CU Tiger
05-23-2015, 09:46 AM
I'm a dumbass on this sort of stuff.
But what about a physical desktop box at the parents'/friend's place not in CA? Then GoToMyPC or similar to that box and VPN from that box that you are remotely connecting to?
Desnudo
05-23-2015, 10:30 AM
I would buy a personal laptop if you want to watch porn and NFL games during the workday
Mike Lowe
05-25-2015, 06:19 PM
Thanks, Everyone! So it seems my best bet would be to set up a VPN at say my brother's house out of state? What would I need to get for him? He's good with computers/web design, but not as much with VPN, etc.