Purpose of BarbaTunnel

Apr 5, 2012 at 6:35 PM

I wonder if BarbaTunnel is made for the purpose below (please let me know):

Setup

  • Computer PC1 has an application Application1 sending data to PC2 on destination port X
  • Computer PC2 has an application Application2 receiving data on port X

Problem: I am going to block Port X

Restrictions

  • I have no control over Application1 and Application2
  • Solution must be able to work with almost all protocols (POP, IMAP, HTTP, FTP, etc)

Examples:

  • Example 1:
    • PC1 has FTP client sending data to PC2 on destination port 21
    • PC2 has FTP server listening for incoming requests on port 21
    • Problem: When port 21 is blocked, FTP doesn’t work
  • Example 2:
    • PC1 has Internet Explorer sending data to PC2 on destination port 80
    • PC2 has IIS listening for incoming requests on port 80
    • Problem: When port 80 is blocked, web browsing doesn’t work
  • Example 3:
    • Doing both examples above at the same time
    • All traffic is sent across the network using only 1 port
    • All traffic from any captured port on the sending computer is "serialized" and sent across the network using only 1 port
    • All traffic at the receiving end is "unpacked" and presented to the correct ports

Proposed solution: Re-route traffic from blocked port X to open port Y

  • Take all outgoing traffic on PC1 destined to port X on PC2 and send it to Port Y on PC2
  • Take all incoming traffic to Port Y on PC2, and forward it to Port X on PC2

Question:

  • Is this what BarbaTunnel will do for me?  (Barba-trick?)
  • Will BarbaTunnel do all 3 examples?
  • If I am incorrect, do you have suggestions?

Coordinator
Apr 5, 2012 at 8:09 PM

Dear Andrew

I think you can do it via BarbaTunnel, but you need to:

1) Install BarbaTunnel on both the server and each client.

2) You should not block ports with a local firewall such as Windows Firewall; it will only work if the ports are blocked by a network firewall (router firewall).

Anyway, why don't you just establish a VPN connection from client to server to bypass all firewall restrictions?!

Regards

Apr 5, 2012 at 8:55 PM
Edited Apr 5, 2012 at 8:56 PM

This is very good.  Brilliant actually :)

I figured I should install BarbaTunnel on both computers.  That makes sense :)

Your second point about the firewalls makes sense too.

The challenge with a pure VPN connection is:

  • Traffic from all ports is routed through the tunnel.  I prefer to use only the required ports rather than all.  Can I do this with a VPN?
  • Traffic to other computers would be routed through the tunnel as well... or would it?!

From BarbaTunnel's description, what is the purpose of the VPN connection?  Is it "just" to ensure the communication on BarbaTunnel's port is secure?  If that's the case, I think I understand BarbaTunnel.  If I am wrong, then I am missing a central piece to BarbaTunnel.  Doesn't BarbaTunnel serialize all communication through a single port?  Can you explain?

Andrew

Coordinator
Apr 5, 2012 at 9:15 PM

You can set up a VPN and disable routing of internet traffic to it, then map your server web address or configure your applications to use the private VPN network IP instead of your public server address; in this case only those applications use the VPN network and your other network works as before.

BarbaTunnel is a network layer that changes the protocol stream to the most common stream. BarbaTunnel is not a standalone tunnel. In some areas, VPN protocols are blocked by the firewall, and BarbaTunnel helps them bypass the firewall by changing the VPN port and converting the VPN stream to UDP or a traditional HTTP request. If you do not have any problem with VPN, then BarbaTunnel is useless for you.

The VPN is already encrypted and does not need to be encrypted again.

Regards

Apr 6, 2012 at 5:51 PM

So I misunderstood BarbaTunnel.  Is it the case that BarbaTunnel takes Protocol X on Port Y and changes it to Protocol Z on Port Y?

In this case, my corporate firewall opens port 1723, but blocks GRE.  So BarbaTunnel will change GRE to something else (say HTTP), and transfers it across port 1723.  It will not be blocked because the firewall does not see GRE.  On the other side, BarbaTunnel will take the protocol (say HTTP) again and convert it back to GRE.  In this manner, my tunnel will still work because of BarbaTunnel.

Is this correct?

Coordinator
Apr 6, 2012 at 7:30 PM
Edited Apr 6, 2012 at 7:32 PM

I think you understand correctly too.

The BarbaTunnel layer has two main features:

  1. Simply change the UDP port and TCP port to another port, apply simple encryption for obfuscation, and restore it on the other side.
  2. Grab any network protocol and put it into an HTTP or UDP tunnel. In your case, if you set GRE:1723 and set HTTP-Tunnel on port 80, it will change GRE:1723 (VPN-PPTP) to simple HTTP request downloads and uploads and restore it on the other side. In this case the network firewall cannot detect that you have established a VPN connection and thinks you are just downloading and uploading a file.

These features may be useful for various applications, but they are mostly used to bypass internet censorship. But if someone uses it for internet censorship, it already needs software to route its traffic to the server, handle authentication and many other things.  The best way is to use the built-in VPN service on Windows (SSTP or PPTP), or use any other proxy software. Now if the VPN or his proxy software works perfectly, he will not need BarbaTunnel, but if the firewall detects the VPN or that proxy application, he can use BarbaTunnel to hide his network traffic so the firewall cannot detect it. For example, you can configure BarbaTunnel to HTTP-Tunnel on port 80 and set GrabProtocols to GRE:*;TCP:1723; so it will grab all network activity in these protocols and convert them to HTTP-Tunnel on port 80.

In the last example, the network firewall will not see any GRE or TCP:1723 network activity. PPTP uses the GRE and TCP:1723 protocols.

Regards
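
The GrabProtocols value quoted in the last reply, parsed and applied to sample flows to show what a network firewall between the two hosts would observe. This is an added example, not part of the thread and not BarbaTunnel's own code. The entry syntax (semicolon-separated PROTO:PORT, `*` for any port) is assumed from that single quoted value; the function names and the sample flows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed syntax, inferred only from the value quoted in the thread:
# semicolon-separated PROTO:PORT entries, "*" = any port, trailing ";" allowed.
KNOWN_PROTOCOLS = {"TCP", "UDP", "GRE"}

@dataclass(frozen=True)
class GrabRule:
    protocol: str
    port: Optional[int]  # None stands for "*"

def parse_grab_protocols(value):
    """Parse a GrabProtocols string into a list of GrabRule objects."""
    rules = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate the trailing ";" seen in the thread
        proto, sep, port = entry.partition(":")
        proto, port = proto.strip().upper(), port.strip()
        if not sep or proto not in KNOWN_PROTOCOLS:
            raise ValueError(f"bad entry: {entry!r}")
        if port == "*":
            rules.append(GrabRule(proto, None))
        elif port.isdigit() and 1 <= int(port) <= 65535:
            rules.append(GrabRule(proto, int(port)))
        else:
            raise ValueError(f"bad port in entry: {entry!r}")
    return rules

def is_grabbed(rules, protocol, dst_port=None):
    """True if a packet with this protocol/destination port matches a rule."""
    return any(r.protocol == protocol.upper() and r.port in (None, dst_port)
               for r in rules)

def firewall_view(rules, flows, tunnel=("TCP", 80)):
    """Per flow, what an on-path firewall sees: grabbed flows show up as the
    tunnel's protocol/port (HTTP-Tunnel on port 80), others are unchanged."""
    return [tunnel if is_grabbed(rules, p, port) else (p, port)
            for p, port in flows]

# Constructed sample flows (protocol, destination port); GRE has no ports.
SAMPLE_FLOWS = [("GRE", None), ("TCP", 1723), ("TCP", 443), ("UDP", 53)]

if __name__ == "__main__":
    rules = parse_grab_protocols("GRE:*;TCP:1723;")
    for flow, seen in zip(SAMPLE_FLOWS, firewall_view(rules, SAMPLE_FLOWS)):
        print(flow, "->", seen)
```

Both PPTP flows (GRE data and the TCP:1723 control channel) collapse into TCP port 80 from the firewall's point of view, so a rule keyed on protocol number or port no longer matches them.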