2012-09-25

How to bypass those annoying filtered internet accesses

Today I had to login on one of those FON access points where http/https are ok but the rest was not.
Here is my recipe to quickly and painlessly bypass those.
The only prerequisite : to have a public server or vps ready on the internet to help you.

1. make your ssh daemon wait on port 443 on your public server.

The reason is that 443 is the https port which is normally open even on stalinian firewalls (note: it happened to me once that the firewall detected that the traffic was not a genuine https one but it should be really rare)
File /etc/ssh/sshd_config
[...]
Port 443
[...]

2. client side, setup a specific ssh config

prepare a configuration for your server in ~/.ssh/config
[...]
Host myserver
HostName server.domain.tld
   User myuser
   Port 443
   DynamicForward localhost:3141
[...]
It says : create a shortcut called "myserver" towards the machine "server.domain.tld", login with user "myuser", on the https port and, most importantly, create a local socks server on port 3141 that will tunnel the traffic through it.

3. install tsocks

Install tsocks on your client. It is a tool that redirects all network traffic from your applications towards a specific socks server.
# on gentoo (be sure the flag tordns is not active)
emerge -av net-proxy/tsocks

4. configure tsocks

File : /etc/socks/tsocks.conf
                                                                                                     

server = 127.0.0.1
server_port = 3141

It just tells tsocks to use your local socks proxy you have setup previously

5. start your tunnel

Login to your server from one terminal and leave it there, it should create a socks proxy.
                                                                                                     
ssh myserver

6. enable tsocks on a session

let tsocks hijack the session to redirect the sockets creation toward the tunnel
                                                                                                      
. tsocks on
Note: the . (or source) is really important here
You can check if the hijacking has been done correctly with the command "tsocks show", it should answer LD_PRELOAD="/lib/libtsocks.so"

7. enjoy the "almost" full internet access

any application on the same shell started after the ". tsocks on" should connect through your tunnel with no port/protocol restriction whatsoever.

1 comment:

  1. If you do not have a VPS, you could also recompile TOR with a one hop feature. Tor developers do not like it, but it works.

    ReplyDelete