Server Behind Enemy Lines – Proxying or Relaying Into a Corporate Network

A friend asked about making a web server reachable from the outside. It is behind some unspecified very paranoid as well as incompetently managed corporate firewall. I asked for help on Twitter and received the following suggestions, which I will collect here to reference them later and without losing them in the depths of that thread.

Tailscale
Built on Wireguard, “VPN that just works”, free for basic use, can provision servers with a simple token, access control lacking on free plan

Wireguard
Or roll your own Wireguard tunnel. May not be for the faint of heart, but should work equally reliably.

Ngrok
“Secure introspectable tunnels to localhost”, works great for development, free plan has dynamic hostname

Chisel
“A fast TCP tunnel, transported over HTTP, secured via SSH”, looks promising

Inlets
“Cloud Native Tunnel for APIs”, “combines a reverse proxy and websocket tunnels to expose your internal and development endpoints to the public Internet via an exit-server.”

socat
“Multipurpose relay (SOcket CAT)”, netcat on just about anything, useful summary

OpenVPN or tinc
Sounds feasible if you know what you’re doing. Know any good tutorials for those?

Expose
“A completely open-source ngrok alternative – written in pure PHP”

Zerotier
L2 “It just works VPN and SD-WAN”, generous free level

Azure Application Proxy
Sounds useful if your application already lives in the Azure Cloud.

Check for open ports
See which ports are allowed by the firewall. If they use some other VPN, you might get lucky masquerading as their blessed solution.

You’ll probably have to figure out which alternative will work under which circumstances, but one of the above ought to work, right? Slap any old $5 cloud server in front of it and call it a day. Maybe.

If you know something missing from that list, let me know.