AvoidingRestrictiveProxy
From Hinterlands
Contents |
Avoiding a restrictive proxy
I frequently find myself using wireless internet access where you are forced to use a proxy or have limited or no access to useful ports. Here are some tips for making such a proxy a bit more useful for you.
** DANGER WILL ROBINSON **
Using these techniques to bypass, for example, a corporate firewall may have unwanted side-effects, like unemployment. You have been warned.
Tunneling SSH over HTTPS
If you're running any kind of Linux, then tunneling SSH over HTTPS is really simple. You will need a piece of software called Corkscrew. Debian users can install this with:
aptitude install corkscrew
To use corkscrew, add an entry to your ~/.ssh/config file as follows:
Host *.hinterlands.org
User martin
ForwardX11 yes
ProxyCommand corkscrew <proxyserver> <proxyport> %h %p
You will need to replace <proxyserver> and <proxyport> with suitable values. Where you are being pushed through a transparent proxy, you'll need to do a bit of detective work to find out what that host is. Trying to visit a website that doesn't exist may get the proxy to serve a page that gives you some clues, for example.
From behind the restrictive proxy, I can now simply type ssh olga.hinterlands.org and ssh will automatically set my username to martin and invoke corkscrew. This will work for any host that matches the mask *.hinterlands.org.
Install a SOCKS5 proxy - Dante
Once you have SSH tunneling enabled, you can use OpenSSH's port forwarding features to forward local ports onto remote ports. However forwarding many ports one by one is tedious, better instead to use OpenSSH's dynamic port forwarding. This requires you to have a remote SOCKS proxy available to use. Debian users can install one quite simply with:
aptitude install dante-server
A little configuration is required, but a working minimal config that does what's needed is very simple. In /etc/danted.conf:
logoutput: syslog
internal: lo port = 1080
external: <your server's public IP address here>
method: none
clientmethod: none
user.privileged: proxy
user.notprivileged: nobody
user.libwrap: nobody
client pass {
from: 127.0.0.1/32 port 1-65535 to: 0.0.0.0/0
log: connect error
}
Restart dante and you're done. This configuration listens on the loopback interface on port 1080 and allows any authorised connection to connect to any host and any port.
Tunneling SOCKS5 over SSH
The last part of the puzzle is to tunnel to your SOCKS proxy. At the command line, I would simply type:
ssh -D localhost:1080 olga.hinterlands.org
After entering your passphrase as normal, you will now be able to use any piece of software that supports using a SOCKS4 or SOCKS5 proxy, just point it at localhost:1080. All your traffic is securely encrypted from its entry point on your machine, to its exit point on the remote SOCKS proxy.
