SSH Tunnels, SOCKS proxies, and Sticking It to IT

Today I achieved perhaps my greatest triumph in my eternal struggle against the shackles my IT department places on my laptop. Aside from the inability to install programs needing admin privileges, the greatest strife I have with IT is the restrictions in place on certain websites. To name the most basic example, I cannot access Facebook. Not that I want to, I just want the ability to. I also can’t access various hacking blogs, anything having to do with brewing beer – anything to do with alcohol at all, for that matter – even some personal blogs are restricted as they are not necessary for my job function. Nuts to that!

This post is the result of many steps that didn’t really have the ultimate goal of sticking it to IT, so it may be a little tough to get through. There may be other ways of achieving the same things, for instance. This is just how I did it, and I’m posting it here in case I need to do it again – for instance, if IT replaces this laptop, or if I have to recreate my server at home.

Software that will be mentioned in this post:
CopSSH (https://www.itefix.no/i2/copssh)
PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)
MyEnTunnel (http://nemesis2.qx.net/pages/MyEnTunnel)
Google Chrome (http://www.google.com/chrome)

Get SSH on to that Windows server

I used Linux on my home server for a long time. Then I got an AMD-based GPU and realized that Linux drivers currently suck and that it would just be a helluvalot easier for me to install Windows 7. So I did. Then I went to connect to the terminal via SSH and realized there is no SSH server on Windows as there is on every default installation of Linux out there right now. I used CopSSH to recreate the experience of logging into a terminal remotely for server maintenance.

I can’t remember if there were any problems with this install. As I remember, everything went very smoothly. A couple of caveats:

1) Forward port 22 on your router in order to access your SSH server from outside your network. Port forwarding is beyond the scope of this post.

2) CopSSH starts an SSH service that allows you to connect to a Cygwin interface. In order to access your standard Windows drives from the terminal once you log in, navigate to /cygdrive. There you will see folders named after your drive letters (c, d, e, etc.), and you can access your files there.

The IT department at my office blocks a lot of ports, but not 22 for some reason. I suppose it might be a necessary port for them to use for pushing program installs or something. Whatever the reason, with CopSSH installed at home, I can navigate my hard drive from work and stop/start services, create/edit/remove files, copy files to/from (with WinSCP), and, most importantly for this post, perform some SSH tunneling.

Tunnels and the Men Who Love Them

SSH tunneling is something I discovered (and fell in love with) only recently. Therefore, it is a bit tough to describe since I know so little about it. Essentially, you attach a rider to your SSH connection that says for x port on the remote server, treat it as y port locally. For instance, let’s say (since I do) that you have SABnzbd+ installed and running at home, and that the web frontend is running on port 8080. With an SSH tunnel, I tell my work computer to bridge port 9080 to port 8080 on my home computer. Once that bridge is made (bridges, tunnels, what’s the difference), I can open a web browser to localhost:9080 and receive the content that I would normally see at home using localhost:8080. This is particularly important to me, because the only external port I am able to reach at work through a web browser is port 80. Since tunneling treats it as a local port, I am free to access my SAB queue from work.

So how do you do it? Well, first you need to install PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html). I’m sure there are other programs out there that do this, but just use PuTTY. It’s free, awesome, and ALWAYS works. You just need to download the Putty.exe file and place it in your path somewhere. While you’re there, download Plink.exe as well, since we’ll be using that later.

Here are the important pieces to configure when setting up a server in PuTTY:
1) host name is your external IP address at home (or your DNS name if you have one registered)
2) port is (almost) always 22
3) Tunneling is done under Connection->SSH->Tunnels
   a) Source Port is what you want your local computer to use (9080 in the SAB example)
   b) Destination is IP:RemotePort (xxx.xxx.xxx.xxx:8080 in the SAB example)
   c) Click “Add” and this rule will be placed in the listbox under “Forwarded ports”
4) After you set up tunneling, go back to Session (at the top of the list box on the left) and save this connection as something memorable. “Tunnels” is usually a pretty good name.

Tunneling the Internet

So now you know how to tunnel a specific port from one computer to another. But what about using your home computer to do your web browsing and forwarding that content back to your work computer? For instance, what if I want to enter Facebook.com into my browser at work and have my home computer be the one looking up that web site? What if I want to do this for ALL internet content so that the IT department can never go snooping through logs of what I’ve been browsing on the web?

Simple. Go back into PuTTY and load up the Tunnels saved session you just created. Go back to Tunnels and add this:

Source Port: 9870
Destination: (blank)
Dynamic checked (not Local or Remote)

This opens a SOCKS proxy on port 9870 of your work computer; whatever you send to that port travels through the SSH connection and goes out to the internet from your home computer. You can use a different port if you want, just make sure you remember what it is. Now, if you have access to your proxy settings or use Firefox (which ignores Windows proxy settings), you can go ahead and set those up as you normally would. You’re using a SOCKS connection, and the address is 127.0.0.1:9870. But if you don’t have access to your proxy settings (like me), and you like to use Chrome (like I do) instead of Firefox, you have to do a little extra work.

First, install Chrome. Most of you already have, I’m sure. Find your Chrome installation folder (might have to do a little googling to discover where Chrome installs). Create a new shortcut for that executable and add the following parameters to the end of it:

--proxy-server="socks5://127.0.0.1:9870"

For me, the whole shortcut looks like this (in Windows XP)

"C:\Documents and Settings\(USER NAME)\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --proxy-server="socks5://127.0.0.1:9870"

Add that to your desktop, start menu, whatever, and voilà, you have proxy-fied internet every time you open Chrome. Of course, you will first have to open a session with PuTTY in order to open that tunnel to port 9870. That means that you will have a PuTTY window open all day, and your boss might start to get suspicious. What then?
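
Seen from the monitoring side, this shortcut shows up in process-creation telemetry. The following is an added example, not part of the original post: it scans process start records for a browser pointed at a loopback SOCKS proxy and for plink/PuTTY started with forwarding switches. The event layout, host names, paths and browser list are assumptions, and the sample records are constructed.

```python
import re

BROWSERS = {"chrome.exe", "chromium.exe", "msedge.exe"}  # assumed list of Chromium-based browsers
SSH_CLIENTS = {"plink.exe", "putty.exe"}

# --proxy-server aimed at a SOCKS listener on the loopback interface
PROXY_RE = re.compile(
    r'--proxy-server=["\']?(socks[0-9a-z]*)://(127\.0\.0\.1|localhost|\[::1\]):(\d+)', re.I)
# PuTTY/plink forwarding switches; case matters (-l is the login name, -L a forward)
FWD_RE = re.compile(r'(?:^|\s)-([DLR])\s+(\S+)')
LOAD_RE = re.compile(r'(?:^|\s)-load\s+("[^"]+"|\S+)')

def classify(event):
    """Return (host, rule, detail) for a suspicious process start, else None."""
    exe = re.split(r'[\\/]', event["image"])[-1].lower()
    cmd = event["cmdline"]
    if exe in BROWSERS:
        m = PROXY_RE.search(cmd)
        if m:
            return (event["host"], "browser-loopback-socks",
                    f"{m.group(1).lower()} via local port {m.group(3)}")
    elif exe in SSH_CLIENTS:
        fwds = [f"-{kind} {spec}" for kind, spec in FWD_RE.findall(cmd)]
        if fwds:
            return (event["host"], "ssh-port-forward", ", ".join(fwds))
        m = LOAD_RE.search(cmd)
        if m:  # forwards live in the saved session, not on the command line
            return (event["host"], "ssh-saved-session", m.group(1).strip('"'))
    return None

def scan(events):
    """Classify every event and keep only the findings."""
    return [finding for finding in map(classify, events) if finding]

# Constructed process-creation records (hosts, users and paths are made up).
CHROME = r"C:\Users\jdoe\AppData\Local\Google\Chrome\Application\chrome.exe"
PLINK = r"C:\Tools\plink.exe"
SAMPLE_EVENTS = [
    {"host": "WS-0142", "image": CHROME,
     "cmdline": f'"{CHROME}" --proxy-server="socks5://127.0.0.1:9870"'},
    {"host": "WS-0200", "image": CHROME, "cmdline": f'"{CHROME}"'},
    {"host": "WS-0142", "image": PLINK,
     "cmdline": "plink.exe -N -D 9870 -L 9080:192.168.1.100:8080 jdoe@home.example.net"},
    {"host": "WS-0077", "image": PLINK, "cmdline": "plink.exe -load Tunnels -l jdoe"},
    {"host": "WS-0310", "image": r"C:\Tools\putty.exe", "cmdline": "putty.exe -ssh admin@10.0.0.5"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

A saved session can also be named in place of the hostname, in which case nothing on the command line reveals the forwards; that case needs the network-side view instead.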

Why I Love Hackers

Since PuTTY and all of its ancillary software is free and open, hackers are able to create really cool things like MyEnTunnel (http://nemesis2.qx.net/pages/MyEnTunnel), which stands for My Encrypted Tunnel. This program runs as a system tray icon that opens a saved PuTTY session and monitors it to make sure it stays connected. When the connection drops, it will retry as long as you tell it to. Your boss will be none the wiser.

1) Install and start the program.
2) SSH Server: Tunnels (or whatever you called your PuTTY session, above)
3) SSH Port: 22 (almost always)
4) username and password are obvious
5) Reconnect on Failure is a good idea, and Infinite Retry Attempts is preferable as well
6) IMPORTANT – I found that the Plink.exe file that came with MyEnTunnel simply did not work. I overwrote it with a current download from the PuTTY site. This is why I suggested you download it above.

Then connect, and you are in the mighty perpetual hands of an SSH tunnel. As long as the little icon in the system tray glows green, you will be able to open your Chrome shortcut and browse freely.
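
A tunnel that is held open and reconnected all day also leaves a pattern in firewall or flow records: repeated long outbound port 22 sessions from one workstation to one external address, pulling far more data than an interactive shell would. The following is an added example, not part of the original post, that totals such flows per source/destination pair; the CSV field layout and both thresholds are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Explicit RFC 1918 list: ipaddress.is_private would also treat documentation ranges as private.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_SECONDS = 4 * 3600      # assumed threshold: held open for half a working day
MIN_BYTES_IN = 50_000_000   # assumed threshold: more than interactive admin SSH normally pulls

# Constructed flow export: start,src,dst,dport,seconds,bytes_out,bytes_in
SAMPLE_FLOWS = """\
2024-03-04T08:58:11,10.20.3.42,203.0.113.77,22,9720,4100000,88000000
2024-03-04T11:40:30,10.20.3.42,203.0.113.77,22,19800,9300000,301000000
2024-03-04T09:15:02,10.20.3.17,198.51.100.9,22,340,52000,61000
2024-03-04T10:02:44,10.20.3.42,10.20.0.5,22,21000,800000,900000
2024-03-04T09:00:00,10.20.3.55,203.0.113.80,443,30000,1000000,400000000
"""

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)

def find_ssh_tunnels(flow_csv):
    """Total outbound port-22 flows per (src, dst); return the all-day, download-heavy pairs."""
    totals = defaultdict(lambda: [0, 0, 0])  # connections, seconds, bytes_in
    for start, src, dst, dport, secs, b_out, b_in in csv.reader(io.StringIO(flow_csv)):
        if dport != "22" or not is_internal(src) or is_internal(dst):
            continue  # only workstation -> external SSH is of interest here
        entry = totals[(src, dst)]
        entry[0] += 1            # each reconnect appears as a new flow
        entry[1] += int(secs)
        entry[2] += int(b_in)
    return sorted((src, dst, n, secs, b_in)
                  for (src, dst), (n, secs, b_in) in totals.items()
                  if secs >= MIN_SECONDS and b_in >= MIN_BYTES_IN)

if __name__ == "__main__":
    for src, dst, n, secs, b_in in find_ssh_tunnels(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:22  {n} sessions, {secs / 3600:.1f} h, {b_in / 1e6:.0f} MB in")
```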

Final Thoughts

Yes, this does lead to a slower internet connection. You are browsing through a remote computer – what did you expect? However, I have thus far found this to be worth the trouble. You can add a --proxy-bypass-list="aaa;bbb;ccc" parameter to your Chrome shortcut if you visit sites like Pandora and need high bandwidth available.

Also, I realized that with all internet traffic tunneled, I no longer needed the individual ports tunneled. For instance, rather than opening localhost:9080 for my sab queue, I can just open 192.168.1.100:8080 (i.e. the internal IP of the server at home). This is because, effectively, I am browsing from my home network.

I wrote this post somewhat haphazardly, just trying to set down my thoughts before they vanish and I have to figure this out all over again. If you would like clarification, leave me an email, and I will update the post or answer your question(s).
