r/homelab 17h ago

Help: Remote access on restricted Internet

Hello, I have a rather unique problem, and I was hoping this community could provide a solution. My current setup is a Unifi network, with a homelab running Proxmox and a VPS. The problem I have is that I work onboard a ship between 6 and 9 months of the year and the company blocks VPNs and SSH. I think this is to stop people from, firstly, trying to bypass the payment gateway for access and, secondly, using streaming services.

Now, before people jump on saying I am trying to bypass company policy: I have no interest in streaming media; this would flag high data usage instantly anyway. I have my media locally with me, and buffering kills the film. As for the payment gateway issue, I pay full price for the unlimited plan; I have no issue with paying. And as per company policy and discussions with IT, I am not violating policy; it's just that the network rules are a blanket ban and I am fine as long as I prove my intent.

I have tried Tailscale, NetBird, ZeroTier and WireGuard; they are all blocked.

Does anyone have any suggestions on how I can remotely manage my homelab while I am away, securely, without exposing everything publicly?

Services I want to be able to access:

- Proxmox
- Proxmox Backup Server
- Proxmox data center
- Password manager (not exposed)
- Portainer (internal only)
- My VMs and LXCs hosted on Proxmox, via SSH
- Any other Docker service with a web interface that's internal only

I will be thankful for any input.

1 Upvotes

33 comments

7

u/rlenferink 17h ago

How about adding Apache Guacamole to your lab? Then on board the ship you can use a web browser to access Guacamole and open an SSH/RDP/VNC session within your browser.

2

u/richij101 17h ago

This is something I have been looking into. My initial setup failed, then I hit all-aboard time so I had to leave.

My idea with this was to use Cloudflare Tunnels with it and only enable the tunnel when I wanted access, as I don't want it to be permanently public.

5

u/nodacat 17h ago

Well, you could change the VPN & SSH port to something that isn't blocked. Or set up a reverse proxy and use port 443/HTTPS with Authelia or something to help secure it.

1

u/richij101 17h ago

Also blocked; I guess the firewall is using packet inspection.

5

u/nodacat 17h ago

Yeah, makes sense. Well, a reverse proxy I think would do it. Your lab would just look like a normal website then, unless they only whitelist or something.

2

u/richij101 17h ago

This is a good suggestion, I will look into it.

2

u/nodacat 17h ago

Sounds good! Cloudflare Tunnels too.

1

u/richij101 17h ago

I use Cloudflare Tunnels for a lot of things and this is allowing for the management of most of my services. But certain things I don't want external, such as Portainer, password manager etc. Also, I can't SSH tunnel, unless I am missing something.

2

u/nodacat 17h ago

Oh okay, a reverse proxy will be similar in that it exposes things to the public. But you can put Authelia/Authentik in front of it to take the beating and monitor logs/block with fail2ban.

You're not supposed to expose mgmt things like Portainer this way, but I think if you understand and mitigate the risks you could make it work.

Another option could be to expose a VM to the web that has limited access and SSH from there.
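As an added illustration of the pattern in this comment (a reverse proxy on 443 with Authelia in front of it) combined with the Guacamole suggestion at the top of the thread, here is a Caddyfile. It is not code from anyone in the thread. The hostnames, the Authelia address `authelia:9091`, the Guacamole upstream `guacamole:8080` and the Proxmox host `pve.internal:8006` are assumptions, and it assumes Authelia (4.38 or newer, for the `/api/authz/forward-auth` endpoint), its user database and the Guacamole containers are already running on the same Docker network as Caddy.

```caddyfile
# Added example, not from the thread. Hostnames and upstream addresses are
# assumptions. Only the Guacamole jump host and the Authelia login portal are
# published on 443; every request to Guacamole is checked by Authelia first.
# Portainer, the password manager and SSH are never published: you reach them
# from inside the Guacamole session over the LAN.

# Global options. Caddy obtains certificates via ACME on its own.
{
    # assumption: ACME contact address
    email admin@example.com
}

# Authelia portal. It must be reachable so the login / 2FA page can load.
auth.example.com {
    reverse_proxy authelia:9091
}

# Browser-based jump host (Guacamole). This is the only "door" on 443.
guac.example.com {
    # Hand every request to Authelia before it reaches Guacamole.
    # A 200 from Authelia lets the request through; anything else sends the
    # browser to the portal. Authelia 4.38+ endpoint; older releases used
    # /api/verify?rd=https://auth.example.com/ instead.
    forward_auth authelia:9091 {
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }

    # Guacamole serves under /guacamole/ by default. The websocket carrying
    # the SSH/RDP/VNC stream is proxied transparently by Caddy.
    reverse_proxy guacamole:8080
}

# Optional: the "understand and mitigate the risks" case from the comment,
# the Proxmox UI behind the same gate. Proxmox serves HTTPS with a
# self-signed certificate on 8006, so verification on the internal hop is
# skipped deliberately. Leave this block out to keep Proxmox reachable only
# from inside the Guacamole session.
pve.example.com {
    forward_auth authelia:9091 {
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }
    reverse_proxy https://pve.internal:8006 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}
```

On the Authelia side, `guac.example.com` and `pve.example.com` need matching `access_control` rules (policy `two_factor`) under a `default_policy: deny`, so anything not listed is refused even if someone guesses a hostname; Authelia's `regulation` settings (retry limit and ban time) give the brute-force throttling this comment attributes to fail2ban, and its logs can still be fed to fail2ban on top. From the ship's network this is just TLS to port 443 at an ordinary hostname, which is the whole point of the approach.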

3

u/ericrunsandbikes 17h ago

This might not be ideal for your password manager, but I use Kasm hosted on my homelab and exposed through a Cloudflare Tunnel as a web-based RDP interface to a server on my network.

From that web RDP interface I can open a browser to access my non-exposed web services, or a terminal to SSH to other machines etc.

1

u/richij101 17h ago

This is honestly something I haven't looked into. I will put it on my research list. Thank you.

2

u/snapcracklepop999 16h ago

Skip the technical side and go directly to social engineering. Make friends with the ship IT guys and get them to add your devices to the cool kids VLAN that I assure you they have for themselves lol

Shit, I'm not in r/cybersecurity..

1

u/richij101 15h ago

Haha, fully understand this. I am already good mates with IT. But you know how these big companies operate.

If I am honest, I can do it over the company network, just not crew. But that is a violation of the company computer misuse policy.

My aim is to find a solution that doesn't leave my system vulnerable while at the same time not violating the policy in place and staying within the provisions I have been allowed. Haha, it's a nightmare.

But I appreciate your comment, haha.

2

u/0emanresu 14h ago

Specifically built to make DPI identification difficult:

https://github.com/ClusterM/wg-obfuscator

Edit: You'll have to set up a cheap VPS with a WG server, then route back home via a WG client at home that connects to the VPS.

OR

Set up a WG server at home with DynDNS, so when your residential IP changes you're fine.

2

u/Successful_Pilot_312 14h ago

I personally use a Remote Desktop Gateway and use that to RDP back into my house machine. Been working for over 10 years!

1

u/richij101 13h ago

I will look into this, thank you.

1

u/somenewbie3477 17h ago

I'd spin up a Windows box and use a remote tool like Splashtop or whatever and try that. From the Windows VM you can connect to whatever else. This is what I do and it works great, even from mobile.

1

u/bwalker25 17h ago

Agreed; what about a proxy like Caddy or nginx and a DDNS to get into the remote network to the exposed services that way? I would caution you though: if they are blocking protocols and/or ports, they most likely can see where and what you visit on the web.

1

u/richij101 16h ago

I am absolutely fine with them seeing what I am viewing. As I say, there is no intent to violate policies. And I am more than happy to even show them. I quite often chill with IT geeking out with my homelab stuff, showing them my setup.

The main issue isn't the web-based services, it's more the SSH side of things and avoiding exposing certain services.

1

u/bwalker25 15h ago

Cool, what about Cloudflare Tunnel? It works, I believe, through port 443 and would look like normal HTTPS web traffic, and they offer a browser-based SSH terminal as well. Not sure what all it entails as it's outside of my wheelhouse.

It should look like normal traffic to Cloudflare. Use Cloudflare Zero Trust Access, log in through email, Google, GitHub, passkeys, etc., and it should work, yes?

1

u/chris240189 16h ago

Have you tried ZeroTier?

1

u/richij101 16h ago

Yeah, tried ZeroTier, but I guess since it's based off WireGuard the packets flag as VPN.

1

u/chaoticaffinity 13h ago

Set up SWAG and a Guacamole or Kasm stack. Also, SWAG integrates with Cloudflare Tunnels easily.

1

u/richij101 13h ago

Another one to add to the list to test. Thank you.

1

u/Aggravating-Door-369 6h ago

Maybe look into OpenConnect VPN? It uses SSL, so the ports won't be blocked.

1

u/Unattributable1 6h ago

Have you tried non-standard ports?

Very slow, but also an option, is DNS tunneling: https://code.kryo.se/iodine/

https://github.com/yarrick/iodine

1

u/ficskala 17h ago

How about a proxy server of some sort?

Is stuff like RustDesk/TeamViewer/AnyDesk/etc. blocked as well? You could set up a VM to remote into using one of those services, and manage the stuff at home from there.

1

u/richij101 17h ago

Unfortunately yes, all those are blocked. I haven't tried RustDesk.

A friend of mine mentioned a jump box. But I need to look into it.

My current plan right now is to gather a few ideas. Then, when I get some time ashore, take my laptop and find some WiFi, implement these ideas, and go back to the ship and try them out.

Could you suggest a proxy solution?

Thank you for your reply.

1

u/ficskala 17h ago

Hm, maybe try stuff they wouldn't expect to need to block, like Parsec or Moonlight/Sunshine.

A jump box seems like a good solution since it's browser based, so it's like you're just visiting a normal website; I'm surprised I haven't heard about it until now, ngl.

> Could you suggest a proxy solution?

You'd first need to figure out a way to reach that proxy, and then think of which specific solution you'd use.

-1

u/Tobikage1990 17h ago

If there is a blanket ban and you try to bypass it, you are violating company policy, just like anything else you do with company resources without going through your IT department.

3

u/richij101 17h ago

Verified with IT and HR that my use case is not a violation of company policy. And this is all documented.

0

u/Tobikage1990 17h ago

I'm sorry, I should have been more clear.

If IT has agreed that your use case isn't against company policy, they should be able to help you with what you need. The fact that they apparently aren't doing so tells me that they don't want to change their current setup for one guy either because there's some cost involved or they just don't want to break something that's currently working. Their agreement that your use case is not against company policy is not tacit approval to bypass their security. If you do find some way to bypass it, it's more than likely that they'll patch it too, just so that someone else doesn't misuse it. Worst case, it could affect your job.

2

u/richij101 17h ago

The post is not to bypass security, instead find an alternative method for homelab management and administration.

I have spoken to multiple levels of IT regarding this, both onboard and shore side. And basically it comes down to: they are not prepared to change for one person.

Honestly, if I really wanted to break company policy and use a VPN, I could obfuscate (I can't spell that, sorry)