I want to access an unrestricted desktop at home (preferably a Docker noVNC desktop container) from the very restricted office laptop/network.

The foundations are clear: I started a Docker container with noVNC access, published the ports, forwarded the required ports on my router, and I can access it from outside using my phone or my own laptop, but I can't from the office.

The noVNC landing page loads, but the connection to the remote desktop fails, probably because WebSocket connections are also blocked in the office, so only plain HTTP(S) access is allowed (not even RDP is allowed).

(Not even DynDNS providers are allowed, but I can note my current IP address in my phone :D )

Of course I can barely install anything on the office laptop, so I can't create e.g. an OpenVPN tunnel, etc.

Do you have some hints if it can be solved?

  • owenfromcanada@lemmy.world · 27 up / 6 down · 8 months ago

    There’s a reason they restrict these things. Trying to get around them is a bad idea. If you get caught, your professional life is over.

    If you’re that desperate, bring a non-office laptop and use a hotspot on your phone.

    • TootSweet@lemmy.world · 16 up / 7 down · 8 months ago

      If you get caught, your professional life is over.

      That seems hyperbolic. Maybe your workplace is super draconian and will immediately fire you in such a case. But different employers have different cultures. Where I work, there are running jokes among the employees about how hard it is to get fired. One of the few cases of a firing we know of involved someone who was so passed-out drunk at his desk that he couldn’t be awoken. And that was after he was given multiple stern talkings to.

      I’ve seen people play WOW and Counter Strike on their office computers in the office in very visible areas.

      Lest you think "yeah, but no place where it's that hard to get fired is going to have a locked-down firewall": this is the same place where I had to make a special request to have http://portswigger.net/ , the official site of Burp Suite Pro, the web application security tool, unblocked so I could evaluate its suitability to replace the tool we were using previously. (From what I've seen, Burp Suite Pro is kind of the de facto tool for web app security among pen testers, or at least was at the time.) The reason given on the "this site is blocked" page the corporate proxy gave was that it had something to do with alcohol.

      In my time here, I've gone to lengths to circumvent corporate firewalls multiple times, both for personal aims and because it was necessary to do my job. I've never once been reprimanded for it.

      OP knows their workplace. OP, be smart, but if you can get away with it, go for it.

      • xmunk@sh.itjust.works · 11 up / 6 down · 8 months ago

        As someone in a rapidly corporatifying company, I'd like to reinforce how insanely hyperbolic that statement was. These rules don't exist for security reasons, they exist for contractual issues; rules will often be arbitrary and decrease effective security by requiring frequent elevation or encouraging weak credentials.

        OP, do what you think is going to help you work most effectively. If you're using your work machine's tunnel to run torrents over your employer's VPN or look at nekked ladies, then you'll be sacked if you get found out; if you're tunneling because your employer is a Microsoft shop and won't let you install vim, then your manager (if they don't suck) will defend you if you're discovered.

        Even if you get fired for working around the company firewalls, it'll almost certainly be without cause (so EI/severance will apply) and it won't be career-ending; nobody smart cares about this bullshit.

    • Itsamelemmy@lemmy.zip · 9 up / 2 down · 8 months ago

      All the replies to you so far don't seem to give a shit about cyber security. As an alternative experience, I've had a supervisor who was friends with the IT guy, and together they bypassed the content filter. And not for porn or anything; for games like Wordle being blocked. They were both instantly fired when found out. Granted, this company dealt with financial transactions flowing through their network, so it had additional scrutiny and laws to follow, but this is basic security that any company should follow.

  • nothacking@discuss.tchncs.de · 13 up · 8 months ago

    Well, first off, how nice/tolerant is your management? Do you have savings? Some companies can fire people over this stuff; others will just ignore it.

    The easiest (and least likely to make anyone mad) solution would just be to bring in your own machine and use cellular internet. This way your setup will be completely separate from the company network, and they can hardly claim you were exposing them to malware or anything. On the other hand, you might have problems accessing devices like printers without copying files back and forth (are USB drives allowed?).

  • NightEagle@lemmy.world · 4 up · 8 months ago

    You can set up Apache Guacamole on your server. It uses WebSockets by default, but it also has an automatic fallback to plain HTTP/HTTPS. It will be ultra slow, but at least it will be working. It will behave like any other website, so no security risks for your company if they already have a proxy server to monitor your internet traffic.

    • cm0002@lemmy.world · 5 up · 8 months ago

      Was about to post to use Guacamole too. WebSockets will work over HTTPS; OP is likely trying to do WebSockets over another port that's getting blocked.

      But over HTTPS with Guac it should be fine, because I did this exact thing on a very locked-down work network.

      • NightEagle@lemmy.world · 2 up · 8 months ago (edited)

        Some proxies block WebSocket connections by default for unknown URLs, even on port 443. Don't ask me how I know :D

  • RonSijm@programming.dev · 2 up · 8 months ago (edited)

    How about figuring out what you can and can't access first? Like, can you access the rest of the internet openly?

    Are all sites allowed, are some things blacklisted, or are sites whitelisted? If things are whitelisted on the network, it might be pretty difficult to find a hole.

    Anyway, you mentioned your phone. If you have unlimited data, I'd suggest you just set up your phone for tethering and create a private Wi-Fi from your laptop to your phone using mobile data; that should bypass all network restrictions.
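A way to do RonSijm's "figure out what you can and can't access first" step, and to test NightEagle's point that some proxies reject WebSocket upgrades even on port 443, from the office side with nothing more than curl. This is an added example, not code from the thread; it assumes curl is available (curl.exe ships with Windows 10 1803 and later; the script itself expects a POSIX shell such as Git Bash), that the corporate proxy is picked up from HTTPS_PROXY, and that the noVNC WebSocket endpoint lives at /websockify (noVNC's usual websockify path, but check your container). The classifier looks at the last HTTP status line because, when curl goes through an HTTP proxy with -i, the proxy's own "200 Connection established" reply to the CONNECT is printed before the origin server's response.

```shell
#!/bin/sh
# Office-side probe: does a WebSocket upgrade survive the corporate proxy?
# Added example for this thread; assumptions: curl present, HTTPS_PROXY set by
# the environment, endpoint path /websockify (noVNC default, verify yours).

# Send a minimal RFC 6455 handshake and return curl's raw output (headers + errors).
# $1 = wss endpoint expressed as an https URL, e.g. https://home.example/websockify
ws_probe_request() {
  # Sec-WebSocket-Key must be 16 random bytes, base64-encoded
  ws_key=$(head -c 16 /dev/urandom | base64)
  curl -sS -i --max-time 10 \
    -H "Connection: Upgrade" \
    -H "Upgrade: websocket" \
    -H "Sec-WebSocket-Version: 13" \
    -H "Sec-WebSocket-Key: ${ws_key}" \
    "$1" 2>&1 || true
}

# Classify the response. Uses the LAST status line: behind an HTTP proxy, curl -i
# prints the proxy's "HTTP/1.1 200 Connection established" for the CONNECT first.
classify_ws_response() {
  ws_resp=$(printf '%s\n' "$1" | tr -d '\r')
  ws_status=$(printf '%s\n' "$ws_resp" | grep -E '^HTTP/[0-9.]+ [0-9]{3}' | tail -n 1 | awk '{print $2}')
  case "$ws_status" in
    101) echo "websocket-ok" ;;
    200)
      # Origin answered a normal page: Upgrade/Connection headers were stripped
      # by a middlebox, or the path is not a WebSocket endpoint.
      echo "upgrade-stripped-or-wrong-path" ;;
    407) echo "proxy-auth-required" ;;
    403|503)
      # A proxy usually signs its block pages with Via: or a vendor error header.
      if printf '%s\n' "$ws_resp" | grep -qiE '^(Via|X-Squid-Error):'; then
        echo "blocked-by-proxy"
      else
        echo "refused-by-server"
      fi ;;
    "") echo "no-http-response" ;;
    *) echo "other-${ws_status}" ;;
  esac
}

# Constructed sample responses (not captured from any real network), so the
# classifier can be exercised offline.
SAMPLE_OK=$(printf 'HTTP/1.1 200 Connection established\r\n\r\nHTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n')
SAMPLE_PROXY_BLOCK=$(printf 'HTTP/1.1 403 Forbidden\r\nVia: 1.1 proxy.corp.example (squid)\r\nContent-Type: text/html\r\n\r\n<html>Blocked: uncategorized site</html>')
SAMPLE_STRIPPED=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>noVNC</html>')
SAMPLE_NONE=$(printf 'curl: (56) Recv failure: Connection reset by peer')

if [ $# -ge 1 ]; then
  # Live probe against the URL given on the command line
  classify_ws_response "$(ws_probe_request "$1")"
else
  # Offline demo over the constructed samples
  echo "SAMPLE_OK          -> $(classify_ws_response "$SAMPLE_OK")"           # websocket-ok
  echo "SAMPLE_PROXY_BLOCK -> $(classify_ws_response "$SAMPLE_PROXY_BLOCK")"  # blocked-by-proxy
  echo "SAMPLE_STRIPPED    -> $(classify_ws_response "$SAMPLE_STRIPPED")"     # upgrade-stripped-or-wrong-path
  echo "SAMPLE_NONE        -> $(classify_ws_response "$SAMPLE_NONE")"         # no-http-response
fi
```

Run it as `sh probe.sh https://home.example/websockify` from the office network. "websocket-ok" means the Guacamole/noVNC route should work as-is; "upgrade-stripped-or-wrong-path" or "blocked-by-proxy" is the situation NightEagle describes, where Guacamole's HTTP fallback (or a non-WebSocket transport) is needed; "no-http-response" with HTTPS_PROXY unset usually means direct outbound 443 is not allowed at all, which also rules out the "SSH on 443" idea.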

  • 0v0@sopuli.xyz · 1 up · 8 months ago

    You can give chisel a try. It tunnels all traffic over HTTP/HTTPS, and the client can then create port forwards, just as with SSH, to access other services.

  • onlinepersona@programming.dev · 1 up · 7 months ago

    Use one of the options described on StackOverflow:

    • open your SSH port on 443; maybe that's enough
    • use a SOCKS proxy server that forwards the traffic from another host to yours
    • tunnel SSH over HTTPS using this old guide
    • use "sslh – A ssl/ssh multiplexer" (basically an advanced version of the above but simpler to set up)
    Anti Commercial AI thingy

    CC BY-NC-SA 4.0

  • disconnectikacio@lemmy.world (OP) · 1 up · 7 months ago (edited)

    As I wrote, I can't install anything on the office laptop, probably can't even set a proxy, no Docker. SSH works, but only the Windows one; PuTTY can't be installed. Everything should be done on my home server; the office laptop acts basically as just a dumb browser. The sslh Docker commands/compose YAMLs have references to moved images, and some are missing parts.
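To tie together onlinepersona's "SSH on 443" and sslh items with the OP's constraint that only the Windows built-in ssh.exe is available, here is the shape of the home-side setup and the office-side command, as an added example that is not code from the thread or from the sslh project. The sslh config is written in sslh's libconfig-style format and assumes sslh 1.18 or newer (protocol name "tls"; older releases call it "ssl"), sshd on 127.0.0.1:22, a TLS reverse proxy for noVNC on 127.0.0.1:8443, and the noVNC container publishing its plain listener on 127.0.0.1:6080; the user name and host name in the ssh command are placeholders. The peek_protocol function reproduces the decision sslh makes on the first bytes of each connection, which is also the caveat: this only helps when the office allows direct outbound TCP to 443. If everything must pass through an HTTP CONNECT proxy, plain OpenSSH has no built-in proxy support (it needs a ProxyCommand helper, which is exactly the sort of thing the OP cannot install), and a DPI proxy recognises the cleartext "SSH-" banner on port 443 as easily as the function below does; only wrapping SSH inside TLS hides it.

```shell
#!/bin/sh
# Home-side sketch for the "sslh on 443" route: one public port carrying both SSH
# (for the office laptop's built-in ssh.exe) and HTTPS (noVNC behind TLS).
# Added example; assumptions: sslh >= 1.18, sshd on 127.0.0.1:22, TLS reverse
# proxy for noVNC on 127.0.0.1:8443, noVNC plain listener on 127.0.0.1:6080.

# Write an sslh config that listens on 443 and demultiplexes by first bytes.
# $1 = destination path (e.g. /etc/sslh.cfg)
write_sslh_cfg() {
  cat > "$1" <<'EOF'
listen: ( { host: "0.0.0.0"; port: "443"; } );
timeout: 2;
protocols: (
  { name: "ssh"; service: "ssh"; host: "127.0.0.1"; port: "22"; },
  { name: "tls"; host: "127.0.0.1"; port: "8443"; }
);
EOF
}

# What sslh (and any DPI box on the path) sees: the client's first bytes.
# Reads the raw stream on stdin and prints ssh / tls / http / unknown.
peek_protocol() {
  hex=$(od -An -tx1 -N 4 | tr -d ' \n')
  case "$hex" in
    5353482d)                   echo ssh ;;     # "SSH-" banner, client speaks first, in the clear
    1603*)                      echo tls ;;     # TLS record: content type 0x16, version 0x03xx
    47455420|504f5354|48454144) echo http ;;    # "GET ", "POST", "HEAD"
    *)                          echo unknown ;;
  esac
}

# Office side (Windows built-in ssh.exe): local forward to the noVNC listener,
# then browse http://localhost:6080/vnc.html. localhost is normally on the
# proxy bypass list, so the browser's WebSocket never meets the proxy (check yours).
# $1 = SSH user, $2 = home host (placeholders). Prints the command; does not run it.
office_ssh_cmd() {
  echo "ssh -p 443 -N -L 6080:127.0.0.1:6080 ${1:-user}@${2:-home.example}"
}

if [ $# -ge 1 ]; then
  write_sslh_cfg "$1" && echo "wrote sslh config to $1"
fi
# Offline demo with constructed client openings (not captured traffic)
printf 'SSH-2.0-OpenSSH_9.6\r\n' | peek_protocol       # ssh
printf '\026\003\001\001\374' | peek_protocol           # tls
printf 'GET /vnc.html HTTP/1.1\r\n' | peek_protocol    # http
office_ssh_cmd alice home.example
```

On the home server, `sh setup.sh /etc/sslh.cfg` writes the config; sshd and the TLS proxy keep their usual ports, and sslh is the only thing bound to 443. From the office, the printed ssh command with -N keeps the session open without a shell, and the forwarded port is loopback-only on the laptop. Before relying on this, confirm with the probe above (HTTPS_PROXY unset) that a direct connection to port 443 is possible at all.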