gpm 11 hours ago

While waiting for someone in the hospital I recently played the fun game of "how can I work around their firewall stopping me from connecting to tailscale" that they kindly provided.

It was just blocking new connections. Via SNI. Tailscale's control plane turns out not to care if SNI is sent. Tailscale's app lets you set a custom control plane... like a local proxy that forwards connections to Tailscale's servers without setting SNI.

devilbunny 10 hours ago | parent [-]

This may very well be the system in use.

I've seen this effect in several places, not just my work.

Of note: I do not work in the tech sphere. I suspect that this particular loophole may be used by IT personnel to be able to tell the management "yes, we block VPN use" while letting them continue to use their own VPNs. I see no reason to complain.

gpm 10 hours ago | parent [-]

I suspect there's less thought put into it than that.

There's probably a firewall vendor that has a product that does SNI inspection for blocking things like pornhub and the product comes with a list of sites that includes VPN control planes.

devilbunny 9 hours ago | parent [-]

Well, yeah, they didn't roll their own. Offhand, I forget the product, but it's definitely off the shelf.

My point being that surely some of them have noticed the same thing I have, and it hasn't been stopped. I'm not going to raise the issue either way.

dylan604 8 hours ago | parent [-]

> I'm not going to raise the issue either way.

Except, you kinda just did.

devilbunny 7 hours ago | parent [-]

Not to them, in a way they can’t just ignore. I could be anyone here on HN.

dylan604 6 hours ago | parent [-]

That's why I said kinda.

It'd be funny if someone working there was a visitor here... and it doesn't matter who you are. I was thinking of them closing the loophole.

devilbunny 5 hours ago | parent [-]

I understand your point better now, but if that was really a risk I cared about, I wouldn’t have put it on the public Internet to begin with.

The worst they can do to me is make me tether, and my iPad will never hit that allotment. And, like I said, I think they use it themselves. So, no incentive to close their loophole.