What is this page?
This page explains how to tunnel ssh, and TCP traffic in general, out from behind a hostile firewall, such as the one at a car-wash or in a motel room.
The procedure is supported by Laclin but it'll work for many other distros as well. The target audience is Linux CLI devs.
Suppose that you're at a car-wash or another place where there's wifi but it isn't under your control. Web-browsing works but ssh is blocked. Or ssh works but you'd like to protect TCP traffic in general.
If it's one of those setups that works only with Windows and requires you to log in to an auth page, stop here. Use tethering instead.
If web browsing in general works, you can often tunnel out as follows. However, this won't work if the firewall that you're going through is high-grade.
Requirements: (a) ssh and sshuttle on the local box. (b) An outside Linux VPS or dedicated server ("dedi") under your control that you can ssh to. (c) sshd on the outside box.
Some of the operations discussed here may require root privs on the client box and/or the outside box.
If the outside box is running a webserver on the usual ports, TCP 80 and 443, you'll need to stop the webserver, since sshd can't bind port 443 while the webserver holds it. This will take down the associated websites.
You'll need to make a change on the outside box. This can be done (a) before you visit the hostile environment or (b) while you're there by way of tethering.
On the outside box, make a copy of the sshd_config file that is in use. Call it sshd443 or any reasonable name that you wish. Edit the copy. For example:
cd /etc/ssh/
cp sshd_config sshd443
nano sshd443
Delete any existing Port setting and add the following line:
Port 443
Save and exit. Start a copy of sshd on port 443 as follows:
nohup `which sshd` -f sshd443 >& /tmp/moo.log &
Log out of the outside box.
On the client box in the hostile environment, edit $HOME/.ssh/config and add a block similar to the following:
Host magic443
User root
Hostname 111.222.333.444
Port 443
IdentityFile ~/moo.key
For example: nano $HOME/.ssh/config
If $HOME/.ssh/ and/or $HOME/.ssh/config don't already exist, create the directory and/or the file.
Modify each of the settings except for the Port setting as is necessary and/or desired.
User should specify the account that you wish to use on the outside box. Hostname should specify the IPv4 address of the outside box. IdentityFile should specify an absolute or "~"-relative pathname for the private-key file to use.
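The two file edits above (the port-443 copy of sshd_config on the outside box, and the Host block on the client box) can be scripted so they're repeatable. This is an added example, not part of the original page; it assumes POSIX sh with sed and grep, and the file paths, account, address and key name are placeholders you'd replace with your own.

```shell
#!/bin/sh
# Added example: helpers for the sshd443 and $HOME/.ssh/config steps.
# Assumes POSIX sh, sed and grep. Paths and values are placeholders.

# Outside box: write a copy of the live sshd_config with every Port
# directive (active or commented-out) removed and "Port 443" appended.
# sshd uses the first value of each keyword, so leaving a stray
# "Port 22" ahead of our line would silently keep the listener on 22.
make_sshd443() {
    src="$1"   # e.g. /etc/ssh/sshd_config
    dst="$2"   # e.g. /etc/ssh/sshd443
    sed -E '/^[[:space:]]*#?[[:space:]]*[Pp][Oo][Rr][Tt][[:space:]]/d' "$src" > "$dst"
    printf 'Port 443\n' >> "$dst"
}

# Count active (uncommented) Port directives; the generated file must
# contain exactly one. "|| true" keeps a zero count from aborting set -e.
count_port_lines() {
    grep -Eci '^[[:space:]]*port[[:space:]]' "$1" || true
}

# Client box: append the magic443 Host block to an ssh config file unless
# that alias is already defined, creating the directory and file if needed.
# Arguments: config path, account on the outside box, its IPv4, key path.
add_magic443_host() {
    cfg="$1"; user="$2"; ip="$3"; key="$4"
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg"
    chmod 600 "$cfg"          # ssh refuses world-readable config files
    if grep -Eq '^[[:space:]]*Host[[:space:]]+magic443([[:space:]]|$)' "$cfg"; then
        return 0              # already present: nothing to do
    fi
    printf '\nHost magic443\n    User %s\n    Hostname %s\n    Port 443\n    IdentityFile %s\n' \
        "$user" "$ip" "$key" >> "$cfg"
}
```

After make_sshd443, the copy can be started with the nohup command shown below; add_magic443_host is safe to run more than once.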
You should now be able to ssh to the outside box using this command:
ssh magic443
You can also use the usual ssh redirection trick to route web browsing through the outside box. First, execute a CLI command similar to this one:
sudo ssh -p443 -4 -v -i ~/moo.key -C2TNv -D 3001 magic443
Modify the key-file pathname and the magic443 label as is necessary and/or desired. 3001 here is an arbitrary but unused TCP port number. The sudo isn't required for -D 3001, since 3001 is an unprivileged port; if you do use sudo, remember that ssh then reads root's $HOME/.ssh/config rather than yours, so the magic443 block must be in that file.
Then set up a SOCKS5 proxy at the web-browser level. For example, if you're using Chromium and SwitchySharp, the SwitchySharp settings would look like this:
SOCKS Host: 127.0.0.1. Port: 3001. SOCKS v5. No Proxy for: localhost; 127.0.0.1; <local>
To redirect all TCP traffic through the outside box, and as a side effect of that permit ssh to any outside box without further ssh config-file tricks, execute sshuttle using a CLI command similar to the following:
sudo sshuttle -r magic443 0/0
Three advisories:
(a) If you run sshuttle and then terminate that process abruptly, the firewall rules it installed may be left behind, networking may be mixed up, and you may need to reboot.
(b) This procedure doesn't by itself route UDP or DNS through the outside box. Some proxies may support DNS redirection at their level (sshuttle's --dns option forwards DNS requests as well).
(c) This procedure doesn't run ssh over https in the sense that the https protocol is used. Instead, it runs ssh over the standard https port and thereby tunnels through low- to medium-grade firewalls. So, as noted previously, it won't work with high-grade firewalls.