Wednesday, 24 July 2013

SSH connection through http proxy, or another SSH tunnel

At my university, all computers in the computer labs sit behind a firewall that blocks every outbound port. All traffic has to go through an HTTP proxy, and the proxy only allows connections to ports 80 and 443. What if you want to reach a server on the Internet with a protocol other than HTTP or HTTPS? There are several ways, depending on how your organisation's network is configured.

1. Use the CONNECT method of the proxy server
An HTTP proxy's CONNECT method asks the proxy to open a raw TCP connection to a given host and port and then relay bytes in both directions without interpreting them; this is how browsers send HTTPS through a proxy. Not every proxy supports it, and those that do are often configured by organisation policy to allow CONNECT only to port 443, or to refuse it altogether. If your proxy allows it, you can carry SSH (or any other TCP protocol) straight through the HTTP proxy: the proxy sees and logs only the destination host and port, and the SSH session inside the tunnel is encrypted end to end. In PuTTY this is configured under Connection > Proxy with the proxy type set to HTTP. If the proxy permits CONNECT only to port 443, run your SSH server on 443.

Unfortunately, the proxy server at my university doesn't support this command. You can test it yourself with telnet, as explained in this document (you connect to the proxy, type the CONNECT request by hand, and look at the status code it returns): http://www.anta.net/misc/telnet-troubleshooting/http-proxy.shtml
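The same exchange that the telnet test performs by hand, as an added example in Python (not code from the original post): build_connect_request writes the request, parse_connect_response decides from the status line whether the proxy opened the tunnel and returns any bytes that already belong to the tunnelled protocol, and probe_connect runs the exchange against a live proxy. It assumes a plain HTTP/1.1 proxy with no authentication; the proxy and SSH host names in the comments are placeholders, and the three sample responses are constructed, not captured from a real proxy.

```python
"""Check whether an HTTP proxy will open a CONNECT tunnel to host:port.

Added example for this post, not code from the original. Assumes a plain
HTTP/1.1 proxy with no authentication; proxy and target names are
placeholders. Sample responses are constructed, not captured.
"""
import socket


def build_connect_request(host, port):
    """The request that asks the proxy for a raw TCP tunnel to host:port."""
    target = f"{host}:{port}"
    return (
        f"CONNECT {target} HTTP/1.1\r\n"
        f"Host: {target}\r\n"
        "Proxy-Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(data):
    """Parse the proxy's reply to CONNECT.

    Returns (status_code, tunnel_open, leftover). 'leftover' is whatever
    followed the blank line that ends the headers. Once the tunnel is open
    those bytes already belong to the tunnelled protocol (for SSH, the
    'SSH-2.0-...' banner) and must be handed to it, not thrown away.
    """
    head, sep, leftover = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response: headers not terminated")
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    code = int(parts[1])
    # Any 2xx means the proxy is now relaying bytes. 403/405 mean CONNECT is
    # filtered for this port or disabled; 407 means it wants credentials.
    return code, 200 <= code < 300, leftover


def probe_connect(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Run the exchange against a real proxy.

    Returns (status_code, tunnel_open, first_bytes_from_target). An OpenSSH
    server speaks first, so with an open tunnel first_bytes_from_target
    normally starts with b'SSH-2.0-'.
    """
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect_request(target_host, target_port))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before answering")
            buf += chunk
            if len(buf) > 65536:
                raise ValueError("proxy response headers too large")
        code, tunnel_open, first_bytes = parse_connect_response(buf)
        if tunnel_open and not first_bytes:
            try:
                first_bytes = s.recv(256)
            except socket.timeout:
                first_bytes = b""
        return code, tunnel_open, first_bytes


# Constructed sample replies (not captured from any real proxy).
SAMPLE_OPEN = b"HTTP/1.1 200 Connection established\r\n\r\nSSH-2.0-OpenSSH_6.2\r\n"
SAMPLE_FORBIDDEN = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
SAMPLE_NO_CONNECT = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, POST\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN, SAMPLE_FORBIDDEN, SAMPLE_NO_CONNECT):
        code, tunnel_open, rest = parse_connect_response(sample)
        print(code, "tunnel open" if tunnel_open else "refused", rest)
    # Live check (fill in your own proxy and SSH host, placeholders below):
    # print(probe_connect("proxy.example.org", 8080, "ssh.example.org", 22))
```

Try the live probe against both port 22 and port 443 on your SSH host: a proxy that answers 200 for 443 but 403 for 22 supports CONNECT and is simply filtering by port, which is the case where moving sshd to 443 helps. A 407 means the proxy wants authentication before it will do anything, which this example does not implement.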

What is the next option?

2. Use a VPN through the HTTP proxy server
Some VPN clients can connect through an HTTP proxy. I used OpenVPN, whose client supports an HTTP proxy: it sends a CONNECT request to the proxy and runs the VPN session inside the resulting tunnel, which also means the VPN must run over TCP rather than OpenVPN's default UDP. There are still a few things to consider with this method.

First of all, you need another machine out on the Internet running the OpenVPN server. A simple and cheap option is a virtual machine at a cloud provider such as Amazon's AWS, whose smallest instance is free for the first year. For individual use you don't need a powerful machine, so the smallest instance is enough. Once you have a virtual machine (or if you use your own PC at home), configure the OpenVPN server on it.

Secondly, consider the port the OpenVPN server listens on. Since the proxy at my university only allows connections to ports 80 and 443, the OpenVPN server has to listen on 80 or 443; on any other port, the proxy blocks all of the traffic.

Finally, you need administrator privileges on the computer running the OpenVPN client. The VPN creates a virtual network interface and rewrites the routing table so that all traffic goes through the tunnel, and both operations require root or administrator rights.

At my university I cannot change the routing table of the lab computers; I simply don't have the permission. So I could only use this method from my own laptop on the university's wireless network.

3. Use SSH tunnelling
The last option is SSH tunnelling. It is only possible if you have a server (1) that your computer can reach over SSH, and (2) that can itself reach the Internet on the ports you need.

At my university, I can reach an internal UNIX server over SSH on port 22, because that server is inside the firewall. Strangely, from that internal server I can connect to almost any port on the Internet without the proxy, including 22. I realised that the internal server sits behind different firewall rules, and that is why this method works in my situation.

If you find a port in your firewall that is open to the Internet, you can run an SSH server on that port even if it is not 22.

Once you have such an SSH server, you can use SSH tunnelling. It can be set up in PuTTY without administrator privileges (Connection > SSH > Tunnels), in either dynamic or local mode; with the OpenSSH command-line client the equivalents are the -D and -L options.
In dynamic mode the tunnel acts as a SOCKS5 proxy that any program with a SOCKS5 proxy setting can use. The proxy address is simply localhost, on the port you chose in PuTTY. Because a SOCKS5 client can hand the destination to the proxy as a hostname, the DNS lookup then happens at the SSH server rather than on the restricted network, provided the program does not resolve the name locally first (in Firefox this is the "Proxy DNS when using SOCKS v5" setting).

If the program doesn't support a SOCKS5 proxy, you can still use local mode. You specify a local port and a remote destination, and connecting to that local port on localhost reaches the remote server through the tunnel. For example, if I set the local port to 3000 and the destination to "example.com:21", an FTP client connected to localhost:3000 talks to example.com's FTP control port. Note that a local forward carries exactly that one port: FTP opens a separate data connection for every directory listing and transfer, and that connection is not tunnelled, so logging in works but transfers fail. Protocols that use a single TCP connection (SSH, IMAP, HTTP) fit local mode well; for FTP use dynamic mode, which also carries the data connections, or switch to SFTP.
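What a program actually sends to a dynamic-mode tunnel, as an added example in Python (not code from the original post): the SOCKS5 greeting, the method selection, a CONNECT request that carries the destination as a domain name so the SSH server does the DNS lookup, and the parsing of the server's reply. It assumes the dynamic forward listens on localhost:1080 and needs no SOCKS authentication (true of OpenSSH and PuTTY dynamic forwards); the target host names are placeholders and the sample replies are constructed, not captured from a real session.

```python
"""SOCKS5 exchange against 'ssh -D 1080' or a PuTTY dynamic forward on 1080.

Added example for this post, not code from the original. Assumes the forward
is on localhost:1080 with no SOCKS authentication; host names are
placeholders and the sample replies are constructed, not captured.
"""
import socket
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def greeting():
    """VER, NMETHODS, METHODS: offer only 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def parse_method_selection(data):
    """The server picks one of the offered methods; 0xFF means none acceptable."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError(f"bad method selection: {data!r}")
    if data[1] == 0xFF:
        raise ConnectionError("SOCKS server accepts none of the offered auth methods")
    return data[1]


def connect_request(host, port):
    """VER CMD RSV ATYP DST.ADDR DST.PORT, with the destination as a domain name.

    Sending the name (ATYP 0x03) instead of an IP makes the SSH server do the
    DNS lookup at its end. A client that resolves the name itself leaks the
    lookup onto the restricted network and fails outright if DNS is blocked.
    """
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("domain name must be 1..255 bytes")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_connect_reply(data):
    """Return (reply_code, bound_addr, bound_port, leftover) from the server's reply."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError(f"bad SOCKS5 reply header: {data[:4]!r}")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        end = 4 + 4
    elif atyp == ATYP_IPV6:
        end = 4 + 16
    elif atyp == ATYP_DOMAIN and len(data) >= 5:
        end = 5 + data[4]
    else:
        raise ValueError(f"unknown or truncated address type {atyp:#x}")
    if len(data) < end + 2:
        raise ValueError("truncated SOCKS5 reply")
    if atyp == ATYP_IPV4:
        addr = socket.inet_ntop(socket.AF_INET, data[4:end])
    elif atyp == ATYP_IPV6:
        addr = socket.inet_ntop(socket.AF_INET6, data[4:end])
    else:
        addr = data[5:end].decode("idna")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return rep, addr, port, data[end + 2:]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS server closed the connection")
        buf += chunk
    return buf


def open_through_tunnel(target_host, target_port, socks_host="127.0.0.1", socks_port=1080, timeout=5.0):
    """Return a socket whose far end is target_host:target_port, reached via the forward."""
    s = socket.create_connection((socks_host, socks_port), timeout=timeout)
    try:
        s.sendall(greeting())
        parse_method_selection(_recv_exact(s, 2))
        s.sendall(connect_request(target_host, target_port))
        head = _recv_exact(s, 4)
        if head[3] == ATYP_IPV4:
            rest = _recv_exact(s, 4 + 2)
        elif head[3] == ATYP_IPV6:
            rest = _recv_exact(s, 16 + 2)
        elif head[3] == ATYP_DOMAIN:
            length = _recv_exact(s, 1)
            rest = length + _recv_exact(s, length[0] + 2)
        else:
            raise ValueError(f"unknown address type {head[3]:#x}")
        rep = parse_connect_reply(head + rest)[0]
        if rep != 0x00:
            raise ConnectionError(f"SOCKS CONNECT failed: {REPLY_TEXT.get(rep, rep)}")
        return s
    except Exception:
        s.close()
        raise


# Constructed sample replies (not captured). OpenSSH's dynamic forward answers
# a successful CONNECT with a zero bound address and port, as in the first one.
SAMPLE_REPLY_OK = bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + bytes(4) + bytes(2)
SAMPLE_REPLY_REFUSED = bytes([SOCKS_VERSION, 0x05, 0x00, ATYP_IPV4]) + bytes(4) + bytes(2)

if __name__ == "__main__":
    print(parse_connect_reply(SAMPLE_REPLY_OK))
    # Live use with the forward running (placeholder host):
    # s = open_through_tunnel("ssh.example.org", 22); print(s.recv(64))
```

With a dynamic forward running, open_through_tunnel("ssh.example.org", 22).recv(64) returns the remote server's SSH banner, fetched by the internal server on your behalf; a reply code of 0x05 (connection refused) or 0x04 (host unreachable) tells you the internal server itself could not reach the destination, which is the second condition in the list above.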

A better way...
I think a VPN is the best way past the firewall. Traffic between your client and the server is encrypted, and it gives you full network access, because the VPN makes your client behave as if it were on the same network as the VPN server: every port the server can reach, you can reach. Bear in mind that the VPN server then sees all of your traffic, so it should be a machine you control. It is also the most convenient once the server and client are configured: you don't change any settings in other programs, you just use them normally and the VPN client routes all traffic through the VPN server. If you have administrator rights to install the client software, just find a server with good network bandwidth and go with the VPN.
