This post is about setting up a secure SSH tunnel and make sure its difficult to be blocked. This solution needs a public PC which is in our control.
The *often* faster Proxy , if you use a configuration script to connect
A typical scenario is one where we are required to use a HTTP proxy for all our internet traffic. Ideally for a large organization there would an automatic configuration script which would let you get an “ideal” proxy for your specific subnet and location.
Normally, the most resolved proxy is often the slowest one. So, If you go get your configuration script file and have a close look, you will most probably find a backup default proxy (at the end), which for my case has been faster of the lot.
Let’s do it
How they block ’em
Often we find sites, applications blocked at workplaces. Let’s first try to understand how they normally do it. I believe most common method is URL filtering. One such most used filtering tool is SmartFilter. The basic technology is to subscribe to a third party database of global list of websites. These lists are dynamically updated downloaded and categorized and filtered. So orkut.com definitely fells in category, “Dating and Relationship”.
- One common solution is to go through commonly available CGI/PHP based web proxy
- Sometimes, static pages can be rendered by ipaddress.
- Google cached pages often work for static content.
- Use public proxies. [Preferably avoid.]
Normally all of above methods are not so effective most of the times. Moreover a cgi web proxy is often blocked and you risk loosing sensitive information to the hoster.
Lets do it ourselves
Opening up ports at your home router
Browse to your router homepage and NAT some ports to your machine. Router page is mostly your http://<default-gateway>. Port Required = 443
For e.g. On airtel 220BX router, I’d browse to http://<IP>/main.html and open up port 443, under Advanced Setup -> NAT -> Virtual servers category. Or you can give your PC ip in DMZ host address. Although this is considered unsafe but If you feel your machine is well protected, you can go for it. I have been DMZing for 2 years without any issues. But ofcourse I dont use Windows at home 🙂 But I feel these days a patched Win XP machine is safe enough. Nor do we we see any remotely exploitable zero day vulns these days. So let me say DMZing is safe for now.
Creating a public name
Create a free account at dyndns.com. Browse to My servcies and click “Add Host Services” and create an address for yourself. For e.g. I am vikx.dyndns.org, Leave everything as it is. You might check the wildcard ,” Yes, alias *.hostname.domain to same settings.” if you plan to add more machines to this domain, For e.g. pc2.vikx.dydns.org. (using a domain controller may be ..) Anyways, we are done here.
Again quickly, browse to your router page, Find out heading ,”Dynamic DNS” under DNS category. Add a dynamic DNS, with hostname and username/password.
– If you cant find this, then you’d probably need a dyndns client, as this one. I use “inadyn” for linux.
Once you are done, go here, check whether your machine is pinging by hostname on port 443.
For e.g. when I ping vikx.dyndns.org on port 443, I get
Scanning ports on 220.127.116.11 (ABTS-AP-dynamic-18.104.22.168.airtelbroadband.in)
22.214.171.124 is responding on port 443 (https)."
All set!! For better control, set up our own secure proxy server.
We are going to do it over SSH. Man I just love ssh, such a beautiful thing.
Requirements: A PC, Internet Connection with a public IP
The trick is HTTP proxies* normally allow HTTPS communication, so we are going to set up our server on port 443. So if you can access https://gmail.com, You are good to go. Further we are going to tunnel our “blocked traffic” over ssh.
Get openssh server from here. Install it, and set up users by going through Quickstart.txt Just two commands as:
<Opnessh_path>\bin\mkpasswd.exe -l <Opnessh_path>\etc\passwd
<Opnessh_path>\bin\mkgroup.exe -l <Opnessh_path>\etc\passwd
- Edit Program Files\OpenSSH\etc\sshd_config
- Uncomment “# Port 22” to “Port 443”
- Restart service , net stop opensshd and net start opensshd
Do the following, if you also want to control access to your proxy. I have created separate guest account to access SSH, and sometimes I want to access control usage of my proxy server, such as maximum connections allowed.
Now we are going to setup a proxy on this system. This helps us in tracking/control the outside usage. Use ccproxy (free upto three connections) on windows. Download the installer and install it. I use tinyproxy or polipo on Ubuntu.
Run ccproxy and set your preferred ports in Options and say Hide.
Take on your grim smiling face 8) and rush office. You are done here.
Grab the putty client.
There are a million things that you can do with this tool. But more on Putty in another session.
Set the following parms:
Hostname = Your public name (abced.dyndns.org)
Port = 443
Browse to proxy setting, Select HTTP proxy, Specify proxy credentials. Now the default Telnet command should be:
connect %host %port\n You might try changing it to:
%user\n%pass\nconnect %host %port\n if former doesn’t work.
Now go to, heading “Tunnels” under category SSH. We will add a new tunnel now,
There are two possible tunnels here :
1. If you did the optional, (setting up a home proxy)
Source port = 12345 (any port this is on your local machine)
Make sure the checkbox *local* is checked.
Destination = localhost:8080 (Make sure the port here is same as one you ran your CCproxy/home proxy on)
We have just forwarded(tunneled) localport 12345 to remote proxy port on your home machine.
– Using a dedicated proxy @ home for outside world helps in better control and tracking of what’s going out and coming in.
2. Source port = 12345(Any)
Destination = Empty
Choose “Dynamic” among, “Local”, “Remote” and “Dynamic”.
– Use this one, if you want to pretty much use it for yourself, you can get along easily by setting up a socks proxy. But the problem here is not every program supports a Socks proxy. e.g.Opera
Click ADD. Make sure both checkboxes for Port forwarding are un-checked. Else you have just created a public proxy for your LAN. (Danger!!)
Click on Session and Save the settings under some name. Click Open.
You should be asked a username, password. Give local administrator account credentials for your machine. [Since we did mkpasswd -l , so local account should work].
What ? You are done man! Open on Firefox, rush to Network settings and use
1. HTTP Proxy – > proxyhost = localhost, port = 12345. , If you used the first kind of tunnel, i.e. you set up a home proxy as well.
2. Socks proxy – > proxyhost = localhost, port = 12345. , If you used second kind of tunnel, without the home proxy. In this case, make sure you leave all other proxies blank.
You can run any application that supports communication through a proxy – GoogleTalk, YMsgr, Nything!! 🙂
This can be a safe way of tunneling your way out. All your traffic is encrypted and it will take a dedicated soul to find out what you are up to.
Don’t hesitate asking any doubts, questions.
Coming up. Proxy hacks part 2. Host file servers inside LAN behind proxy.
Also have a look at Proxy Hacks – IV to set up a much simpler web based proxy
The End Word
– Respect your work-place rules. As I told you, a dedicated soul will find what you are up to.
– And now the bad news, this wont through all proxies. You may find yourself wanting in following situations.
a. SysAdmin may some how block port 443(Damn!) over HTTP proxy.
b. He may block HTTP_CONNECT(Doh!) feature of the proxy. This is used to forward encrypted connections. Putty relies upon the same method.
c. Also he may detect/differentially block packets from putty(NOO!!). [Yes, doable. e.g. putty packets are without HTTP headers. Although there are other applications also without these headers so this cant be basis of detection. ]
d. Or in the end, he might just take away your internet connection 😉 .
And the good news, All of above are still breakable through some more tools (‘man httptunnel’ 😉 ). Will write about it as soon as I find time. So lets hold our heads high, and say “Bring it On, You punk!! ” 🙂 Of course, just make sure you don’t get fired. 😉 Prevention is always better than cure.