verot.net - How to bypass strict firewalls on public wifi hotspots and restricted networks, by tunneling blocked ports and protocols
====================================================================================================================================

https://www.verot.net/socks.htm

### Public wifi hotspots and restricted internet access

More and more, you can find public wireless hotspots in cities, train stations, airports... and some hotspots are available with a subscription, accessible through a web login form. The thing is, most of the time these hotspots will have reduced connectivity: only some ports and protocols will be allowed. For instance, you may be restricted to HTTP, HTTPS, POP and SMTP. Not the best combination when one primarily uses SSH!

This also applies to protected networks, such as libraries, schools and office environments, where your access to the Internet is limited and some ports and protocols are blocked.

I will explain here two different solutions to break free of these restrictions: SSH tunneling and SOCKS servers. As I write this, I run a web browser, a fish session, an IM client and an FTP client, all through an SSH tunnel.

### What do we need?

You do need the following:

* HTTPS access through the firewall. Most hotspots will leave HTTPS (port 443) open, so that people can browse the web and reach secure sites
* A server somewhere on the Internet, even a home machine, with root access
* Well, Linux. This howto uses Debian systems. You can probably get it to work on Windows too, using other tools
* A little bit of time to try the different solutions

You may want to use a free shell provider: http://www.dmoz.org/Computers/Internet/Access_Providers/Unix_Shell_Providers/Free_Shells/ such as SilenceIsDefeat: http://silenceisdefeat.com/ as your server, but make sure you can access SSH through port 443 (binding a port below 1024 needs root, so a plain shell account only works if the provider already runs SSH on 443).

### How does it work?

The first solution uses simple SSH tunneling, that is, SSH port forwarding.
What we do is create an SSH connection from your machine to your server over port 443 (the HTTPS port). Through it, SSH listens on a given port on your machine and forwards everything it receives, via the server, to a given host and port on the Internet. So you can for instance open an IMAP connection from your machine to any mail server out there, even if the firewall disallows IMAP, simply by telling your mail client to connect to localhost:10000.

The second solution also uses an SSH connection, but rather than listening on one specific port for one destination, we use SSH as a SOCKS server: every connection an application makes is sent through the tunnel to our server, which then connects to the real destination. Some applications, such as Firefox, support SOCKS natively; others can be tricked into using it with tsocks.

I find that using both solutions allows me to do almost everything. Some applications don't play well with SOCKS, so simple tunneling works better for them. SOCKS, when it works, has the advantage of not needing one forward (and one localhost port) per destination, and with tsocks it needs no configuration change in the application at all.

### Before we start

You need to access your server at least once via regular SSH, port 22, in order to set it up. If you are already behind the firewall, you will not be able to log in to the server. Since I was in a rush, I used Anyterm: http://anyterm.org/ to access the server for the initial configuration.

We will set the server to listen on port 443, so that we can SSH into it using the port usually reserved for HTTPS. Log into your server, edit the file /etc/ssh/sshd_config and add the line:

```
Port 443
```

Then restart your SSH server. It now listens on port 443. Beware of one subtlety: sshd only falls back to port 22 while the file contains no active Port line at all. Once you add `Port 443`, it listens only on the ports listed, so keep (or add, since Debian ships it commented out) a `Port 22` line as well if you still want the usual port. Also make sure nothing else on the server, typically a web server, is already bound to 443. You should be able to log into your server, from behind the firewall, with the following command:

```
ssh -p 443 my.server.com
```

You will want to set up your access so that no password is required to log in, using SSH keys: generate a key pair with ssh-keygen, put the public key in ~/.ssh/authorized_keys on the server (ssh-copy-id does this for you), and keep the private key protected by a passphrase that ssh-agent caches for the session rather than storing it unencrypted on a laptop you carry around hotspots.
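The point that bites people with the Port directive is that adding `Port 443` alone silently drops port 22. The following script is an added example of mine, not code from the verot.net page: it computes the ports a given sshd_config would actually listen on, adds `Port 443` and `Port 22` idempotently, and only restarts sshd after `sshd -t` accepts the file and confirms afterwards that 443 is really bound. It assumes a Debian-style /etc/ssh/sshd_config, an `ssh` service name and root privileges for the `apply` step; the check functions run on any file.

```sh
#!/bin/sh
# Added example, not from the verot.net page: put sshd on port 443 as the
# article describes, without accidentally losing port 22, and verify the
# result before and after restarting. Assumes a Debian-style
# /etc/ssh/sshd_config, the "ssh" service name and root privileges for apply.

# active_ports FILE: print the ports sshd would listen on with this config,
# one per line. sshd uses 22 only while NO uncommented Port line exists;
# as soon as one does, it listens on exactly the ports listed.
active_ports() {
    ports=$(sed -nE 's/^[[:space:]]*Port[[:space:]]+([0-9]+).*/\1/p' "$1")
    if [ -n "$ports" ]; then
        printf '%s\n' "$ports"
    else
        echo 22
    fi
}

# ensure_port FILE PORT: append "Port PORT" unless an active line already
# lists it (a commented-out "#Port 22" does not count). Idempotent.
ensure_port() {
    file=$1
    port=$2
    if grep -Eq "^[[:space:]]*Port[[:space:]]+$port([[:space:]]|$)" "$file"; then
        return 0
    fi
    printf 'Port %s\n' "$port" >>"$file"
}

# apply: back up the real config, add 22 and 443, syntax-check the file with
# "sshd -t" (a broken file would otherwise leave you with no sshd at all and
# no way back in), restart, and confirm that 443 is really bound.
apply() {
    cfg=/etc/ssh/sshd_config
    cp "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    ensure_port "$cfg" 22
    ensure_port "$cfg" 443
    if ! /usr/sbin/sshd -t -f "$cfg"; then
        echo "apply: $cfg fails sshd -t, restore the backup before restarting" >&2
        return 1
    fi
    systemctl restart ssh 2>/dev/null || service ssh restart
    echo "sshd is configured for ports: $(active_ports "$cfg" | tr '\n' ' ')"
    # If a web server already owns 443 the bind fails; look at the socket itself.
    if ! (ss -ltn 2>/dev/null || netstat -ltn) | grep -q ':443[[:space:]]'; then
        echo "apply: nothing is listening on 443, is a web server bound to it?" >&2
        return 1
    fi
}

if [ "${1:-}" = apply ]; then
    apply
fi
```

Run it as `sh sshd-443.sh apply` on the server while you still have your port-22 session open; do not close that session until `ssh -p 443` from another terminal works.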
Key-based login allows you to open the tunnels to the server without having to type in your password each time. Essential.

### SSH tunneling

Say that you want to access your email account via IMAP (port 143) when the firewall forbids it. Create an SSH tunnel with the following command:

```
ssh -L localhost:10143:mail.isp.com:143 -p 443 user@my.server.com
```

This forwards any IMAP connection received on localhost port 10143 to mail.isp.com port 143, all through the SSH tunnel: we basically use the server to forward the IMAP connection. Then set up your email client to use localhost as incoming server and 10143 as the port number. You should be able to fetch your emails, despite the firewall. Keep in mind that only the leg between you and your server is protected by SSH; from your server to mail.isp.com the traffic is whatever your client sends, so use IMAPS (port 993) or STARTTLS if the mail server offers it.

At the same time, I also want to connect to another server via SSH. In fact, I want to open a webspace in Konqueror, via the fish KIO plugin. Turns out that you can enable several forwards in the same tunnel:

```
ssh -L localhost:10143:mail.isp.com:143 -L localhost:10022:web.isp.com:22 -p 443 user@my.server.com
```

Then in Konqueror, I simply go to: fish://user@localhost:10022

### SSH as a SOCKS server

Now, we will attempt to get Skype and FTP through the firewall. In order to do so, we will run a SOCKS server on a given port, and set applications to use SOCKS, either natively or forcibly. When an application uses SOCKS, all its network connections are routed to the SOCKS server, which carries them through the tunnel to your server on the Internet, which in turn connects to your different services and servers. It is a bit like a "multi-port" SSH tunnel.

Some applications don't understand SOCKS. So we will trick them, using tsocks: http://tsocks.sourceforge.net/. Running an application under tsocks catches all the application's TCP connections and negotiates SOCKS access transparently. Technically, tsocks does not touch the kernel: it is a shared library loaded via LD_PRELOAD that replaces the C library's connect() function with its own, which speaks SOCKS to the configured server instead. It therefore only catches TCP connections made through libc; UDP traffic, including ordinary DNS lookups, is not redirected and still leaves your machine directly. To install tsocks, compile it from source, or simply install your distribution's package.
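Before the tsocks setup, here is the client side of both solutions in one script, as an added example that is mine and not code from the verot.net page. It builds the `-L` forwards from the previous section and the `-D` SOCKS listener used in this one into a single background ssh session kept on a control socket, so the tunnel can be checked and torn down cleanly; it also pins every listener to 127.0.0.1, refuses to start if a local port is already taken, and probes the SOCKS port with curl in a way that keeps DNS resolution on the far side. The host names user@my.server.com, mail.isp.com and web.isp.com are the article's; the control socket path and https://example.com/ as a probe target are my assumptions.

```sh
#!/bin/sh
# Added example, not from the verot.net page: run the article's -L forwards
# and the -D SOCKS server from one ssh session kept on a control socket,
# so the tunnel can be checked and torn down without hunting for a pid.
# Assumed: user@my.server.com listening on 443, mail.isp.com, web.isp.com,
# the control socket path below, and https://example.com/ as probe target.

SERVER="user@my.server.com"
SSH_PORT=443
CTL="$HOME/.ssh/hotspot-tunnel.ctl"   # assumed control socket path

# valid_port N: true if N is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_args SPEC...: print the ssh forwarding options for the given specs.
#   L:LPORT:HOST:RPORT   local forward, like the article's -L examples
#   D:LPORT              dynamic (SOCKS) forward, like the article's -D 1080
# Every listener is pinned to 127.0.0.1 so that the other clients of the
# hotspot cannot use your tunnel. Hostnames/IPv4 only. Returns 1 on a
# malformed spec instead of handing ssh something half-parsed.
tunnel_args() {
    out=""
    for spec in "$@"; do
        case "$spec" in
            L:*)
                rest=${spec#L:}
                case "$rest" in
                    *:*:*) ;;
                    *) echo "tunnel_args: bad local forward: $spec" >&2; return 1 ;;
                esac
                lport=${rest%%:*}
                rport=${rest##*:}
                host=${rest#*:}; host=${host%:*}
                if ! valid_port "$lport" || ! valid_port "$rport" || [ -z "$host" ]; then
                    echo "tunnel_args: bad local forward: $spec" >&2
                    return 1
                fi
                out="$out -L 127.0.0.1:$lport:$host:$rport"
                ;;
            D:*)
                lport=${spec#D:}
                if ! valid_port "$lport"; then
                    echo "tunnel_args: bad SOCKS port: $spec" >&2
                    return 1
                fi
                out="$out -D 127.0.0.1:$lport"
                ;;
            *)
                echo "tunnel_args: unknown spec: $spec" >&2
                return 1
                ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# tunnel_up SPEC...: start the background ssh session.
#   -f -N   go to the background without running a remote command
#   -M -S   act as control master on $CTL
#   ExitOnForwardFailure makes ssh exit non-zero instead of silently skipping
#   a local port that another program already holds.
tunnel_up() {
    args=$(tunnel_args "$@") || return 1
    # $args is unquoted on purpose: it is a list of separate options.
    ssh -f -N -M -S "$CTL" -p "$SSH_PORT" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        $args "$SERVER"
}

tunnel_check() { ssh -S "$CTL" -O check "$SERVER"; }
tunnel_down()  { ssh -S "$CTL" -O exit  "$SERVER"; }

# socks_probe PORT: fetch a page through the SOCKS listener and print the
# HTTP status. --socks5-hostname hands the hostname to the proxy so the DNS
# lookup happens on your server; plain --socks5 would resolve it locally
# and leak every name you visit to the hotspot's resolver.
socks_probe() {
    curl -sS --max-time 15 --socks5-hostname "127.0.0.1:$1" \
        -o /dev/null -w '%{http_code}\n' https://example.com/
}

# Usage: tunnel.sh up|check|probe|down
if [ "$#" -gt 0 ]; then
    case "$1" in
        up)    tunnel_up L:10143:mail.isp.com:143 L:10022:web.isp.com:22 D:1080 ;;
        check) tunnel_check ;;
        probe) socks_probe 1080 ;;
        down)  tunnel_down ;;
        *)     echo "usage: $0 up|check|probe|down" >&2; exit 2 ;;
    esac
fi
```

`sh tunnel.sh up` then `sh tunnel.sh probe` should print 200 once the SOCKS side works; `sh tunnel.sh down` closes every forward at once, which is handier than killing a stray ssh when you leave the hotspot.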
For Debian/Ubuntu:

```
sudo apt-get install tsocks
```

To run SSH as a SOCKS server listening on port 1080, use the following command:

```
ssh -D 1080 -p 443 user@my.server.com
```

You can also forward in the other direction, from the server into the tunnel, so that hosts on the Internet can reach you through your server even though the hotspot's firewall would never let them connect to you directly. For instance here, I have the server listening on port 1081 and forwarding all connections to my localhost, port 1081. Can be very useful for some peer-to-peer applications:

```
ssh -A -R 1081:localhost:1081 -D 1080 -p 443 user@my.server.com
```

Two caveats on that command. By default sshd binds a -R port to the server's loopback interface only; for other hosts to reach it you need `GatewayPorts yes` in the server's sshd_config (or an explicit bind address, `-R 0.0.0.0:1081:localhost:1081`). And `-A` forwards your SSH agent to the server, which the tunnel does not need and which lets anyone with root on that server use your keys for as long as you are connected; leave it out unless you actually need it.

Then configure tsocks to connect to localhost port 1080. Edit /etc/tsocks.conf, and near the end, change it so that it looks like this (the configuration keys are `server` and `server_port`):

```
server = 127.0.0.1
server_port = 1080
```

Then, you need to run your applications from within tsocks. You can use tsocks in many ways. For instance, in a shell, simply run `tsocks` and you will get a new shell from which all applications will be forced to connect through the SOCKS server. You can also run applications as follows:

```
tsocks skype
tsocks kopete
tsocks kmail
tsocks ftp someserver.com
tsocks ssh someuser@someserver.com
```

If everything goes well, you will run almost all applications as if you were directly connected to the Internet.

### Some notes

* You need root access on your server to allow SSH to listen on port 443. But you don't need to install anything on the server. As long as your server is connected to the Internet with a less restrictive firewall, and you have an SSH account on it, you're fine.
* FTP will need to be in passive mode
* Annoyingly, Konqueror's SOCKS configuration can't use SSH as SOCKS server, nor does it play well with tsocks
* Some applications work better with simple SSH tunneling
* Some plainly don't work. The only BitTorrent application I could get working is Azureus, using these instructions: http://www.freebsdcluster.dk/~lasse/sshazureustunnel/
* This defeats port-based filtering only. SSH on 443 is still SSH, and it announces itself with a cleartext "SSH-2.0-..." banner at the start of every connection, so a firewall that inspects protocols rather than ports can still tell it apart from HTTPS and block it.
* Only TCP goes through the tunnel. tsocks leaves UDP alone, and a SOCKS client that resolves names itself (Firefox does by default) sends your DNS lookups straight to the hotspot's resolver; in Firefox set network.proxy.socks_remote_dns to true in about:config so the server resolves names for you.
* Leave the -L and -D listeners on localhost, as in the commands above. Anything you bind to your wifi address is reachable by every other client of the hotspot, and an open SOCKS port there is a free relay for them.

### Conclusion

It works very well!
I was stuck in a place with only a public hotspot, and am now able to work using all my normal tools, with very few changes. I do web coding, and I use SSH, FTP, IM, all the time; I can now do it all. I SSH, FTP, IMAP, Skype, IM through SOCKS, use fish through SSH tunneling, and browse the Internet through nothing since the ISP allows HTTP!

If you have a public hotspot nearby which requires a registration to use, and you actually are not registered, you can search for DNS tunneling: http://www.google.com/search?q=dns+tunneling or ICMP tunneling: http://www.google.com/search?q=icmp+tunneling. Such hotspots typically let DNS queries and ICMP echo requests through before you log in, and only those, so a tunnel that wraps your traffic in those requests gets out. Expect it to be slow, since every packet has to fit in a DNS query or a ping. For instance, see these two tutorials: nstx (DNS) http://thomer.com/howtos/nstx.html and icmptx (ICMP) http://thomer.com/icmptx/.

Corrections, comments, feedback? Contact me: mailto:web@verot.net