Laclin Home Contact Xfce4 tabsets Video tools Bundled distros BEWorld Proxy tricks Coder Dansu Gitea repos Source tree

What is this page?

This page explains how to tunnel ssh and TCP traffic in general out from behind a hos­tile firewall such as a fire­wall located at a car-wash or motel room.

The pro­ce­dure is sup­port­ed by Laclin but it'll work for many other distros as well. The tar­get audience is Linux CLI devs.

Suppose that you're at a car-wash or another place where there's wifi but it isn't under your control. Web-browsing works but ssh is block­ed. Or ssh works but you'd like to protect TCP traffic in general.

If it's one of those setups that works only with Windows and you need to log-in to some auth page, stop here. Use tether­ing instead.

If web browsing in general works, you can often tunnel out as fol­lows. However, this won't work if the fire­wall that you're going through is high-grade.

Requirements: (a) ssh and sshuttle on local box. (b) An out­side ssh-able Linux VPS or dedi under your control. (c) sshd on the out­side box.

Some of the oper­a­tions discussed here may require root privs on the client box and/or the out­side box.

If the out­side box is running a web­server on the usual ports, TCP 80 and 443, you'll need to stop the web­server. This will take down the as­soc­i­a­ted web­sites.

You'll need to make a change on the out­side box. This can be done (a) be­fore you visit the hos­tile environment or (b) while you're there by way of tether­ing.

On the out­side box, make a copy of the sshd_config file that is in use. Call it sshd443 or any reason­able name that you wish. Edit the copy. For example:

cd /etc/ssh/
cp sshd_config sshd443
nano sshd443

Delete any existing Port setting and add the fol­low­ing line:

Port 443

Save and exit. Start a copy of sshd on port 443 as follows:

nohup  `which  sshd`  -f  sshd443  >&  /tmp/moo.log  &

Log out of the out­side box.

On the client box in the hos­tile environment, edit $HOME/.ssh/config and add a block simi­lar to the following:

Host magic443
User root
Hostname 111.222.333.444
Port 443
IdentityFile ~/moo.key

For example: nano $HOME/.ssh/config

If $HOME/.ssh/ and/or $HOME/.ssh/config don't already exist, create the dir­ec­tory and/or the file.

Modify each of the settings except for the Port setting as is neces­sary and/or desired.

User should speci­fy the account that you wish to use on the out­side box. Hostname should speci­fy the IPV4 for the out­side box. IdentityFile should speci­fy an abso­lute or "~"-rela­tive pathname for the private-key file to use.

You should now be able to ssh to the out­side box using this command:

ssh magic443

You can also use the usual ssh re­dir­ec­tion trick to route web browsing through the out­side box. First, exe­cute a CLI com­mand similar to this one:

sudo ssh -p443 -4 -v -i ~/moo.key -C2TNv -D 3001 magic443

Modify the key-file path­name and the magic443 label as is neces­sary and/or desired. 3001 here is an arbi­trary but unused TCP port num­ber.

Then set up a SOCKS5 proxy at the web-browser level. For example, if you're using Chromium and Switchy­Sharp, the Switchy­Sharp settings would look like this:

SOCKS Host Port 3001. SOCKs v5. No Proxy for localhost;; <local>

To redirect all TCP traffic through the out­side box, and as a side effect of that permit ssh to any out­side box with­out further ssh config-file tricks, exe­cute sshuttle using a CLI com­mand similar to the following:

sudo sshuttle -r magic443 0/0

Three advisories:

(a) If you run sshuttle and then term­in­ate that pro­cess, net­work­ing may be mixed up and you may need to reboot.

(b) This pro­ce­dure doesn't dir­ect­ly route UDP or DNS through the out­side box. Some proxies may sup­port DNS re­dir­ec­tion at their level.

(c) This pro­ce­dure doesn't run ssh over https in the sense that the https protocol is used. Instead, it runs ssh over the stand­ard https port and thereby tunnels through low- to medium-grade firewalls. So, as noted previously, it won't work with high-grade firewalls.

© 1996-2021 OldCoder (Robert Kiraly)    |  Privacy policy    |  Contact   |  Notices