
#1 2010-05-20 12:55:05

egzodas
Member
Registered: 2008-07-09
Posts: 7

help me understand tunneling.

Greetings,

For the past couple of days I've been trying to use my home internet connection from behind a college firewall. The reason I want to do this is to have access to my ISP's message boards.

The issue I'm having is this: Back at home I have an Arch box running an OpenSSH server on port 443. Here in college I'm running Windows 7 on a laptop and connect to the home box by using PuTTY. I have no problem establishing the connection. When I configure Firefox, my IP is shown as my home IP; however, college web access restrictions still seem to apply and I can't access the board or any other sites that are blocked by college (brings up an OpenDNS page saying the page is blocked).

So my question is, am I missing something? Does this mean that I'm only using the IP address of my home connection, but use the internet traffic of the college connection?

I've tried following a bunch of tutorials on PuTTY and OpenSSH setup but none seemed to help me access internet through my own home box.

#2 2010-05-20 13:03:58

kokoko3k
Member
Registered: 2008-11-14
Posts: 2,402

Re: help me understand tunneling.

If you have ssh access, you could simply think of using freenx server at home and nxclient at school, that way you have a full 'unrestricted' access to your home pc (like vnc, but a lot faster).

If you just want to use ssh, then you can set up ssh to act as a socks4/5 server and configure firefox to use it:
http://thinkhole.org/wp/2006/05/10/howt … ith-putty/

Last edited by kokoko3k (2010-05-20 13:04:24)



#3 2010-05-20 15:27:04

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,823

Re: help me understand tunneling.

egzodas wrote:

Back at home I have an Arch box running an OpenSSH server on port 443. Here in college I'm running Windows 7 on a laptop and connect to the home box by using PuTTY. I have no problem establishing the connection. When I configure Firefox, my IP is shown as my home IP; however, college web access restrictions still seem to apply and I can't access the board or any other sites that are blocked by college (brings up an OpenDNS page saying the page is blocked).

I am not sure exactly what this means.

I see you are using SSH in kind of a standard way in which you create an encrypted channel over which you establish a terminal session.  At this point, all other ports on your local machine continue to be routed through your local internet connection.  Port 443 happens to be connected to another machine in the cloud (your home machine).

What SSH can do is to provide port forwarding.  When you establish the initial link, you can tell SSH to also take a port from your local machine (SFTP, for example) and take any requests of that port and forward them to the computer at the other end of the link.  That computer will then service the request, and return data back through the SSH link to OpenSSH which then forwards the return data back to the initial port.

SSH can also provide X forwarding.  The details in my mind are sketchy because I have not done it in a while,  but with X forwarding, you establish an SSH connection from a terminal in an X session with X forwarding enabled.  Once you have logged into a terminal on the host, you launch the program of interest -- on the host -- and the X11 connection to and from that program is forwarded to a window on your local machine -- but the program is still running on the host.  Performance in this mode is disappointing at best.  YMMV.  For a Windows client, you probably need an X11 environment like Exceed from Hummingbird.

What you may want to look into is a full blown VPN (Virtual Private Network).  What this does is to create a tunnel to a host computer to which ALL IP traffic from your local machine is forwarded.  What happens in this case is any guest IP traffic is routed to the host computer at the other end of the link.  Those ports then appear on the network belonging to that host.  In essence, this logically makes your computer a part of the network to which you are attaching -- behind your home firewall.  You can print to printers in your home, you can hit any port on any computer in your home (since you are behind the firewall).  In this mode, the only traffic over your university computer is routed through port 443.  In this mode, you won't be able to see any university computers behind the university's firewall since, logically, you are no longer part of that network.  Sort of.

I say 'sort of' because there does exist the situation where you may have multiple NICs.  Some VPN configurations can be locked down so there can be no NAT forwarding or bridging between networks.  This is critical in facilities where they do not want unknown / unauthorized machines having the ability to get to sensitive data or to introduce bad things to the network.   Other configurations may allow this.  With two NICs, you can create the situation where one NIC is part of your home network, the other part of the school network, and, if you link them, could unwittingly give everyone at school access to your home network.  Be careful.

Anyway, this was a bigger-than-I-had-intended core dump, but I hope it helps.



#4 2010-05-20 15:39:23

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111
Website

Re: help me understand tunneling.

Why did you think using port 443 was a good idea? This is already a defined port by IANA standards and you're using it for the "wrong" purpose.

I think the problem may be related to the fact that you've chosen this port to run your SSH server on -- there's http traffic on that port and the school's perimeter is still intercepting and denying the traffic because it's a valid port for http traffic to appear on. Pick a port in the 4 digit range.


#5 2010-05-20 15:40:28

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,965
Website

Re: help me understand tunneling.

I'm too tired to know if this is a stupid question, but could it be that your DNS requests are not getting tunnelled and thus going directly to your college's DNS server? I think "DNS leaks" are a common problem with setting up browser proxies. If that's the case then you should be able to find a solution quickly with a search engine.



#6 2010-05-20 15:57:39

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,823

Re: help me understand tunneling.

falconindy wrote:

Why did you think using port 443 was a good idea? This is already a defined port by IANA standards and you're using it for the "wrong" purpose.

Speaking for myself, I do it all the time.  And for two and a half reasons:

1. Script kiddies don't pound on port 443 looking for ssh servers.  In general they expect to find shttp there.

2. Any place that provides "Internet Access" that blocks ports is not going to be blocking 443.  In the case of the university, they are likely to block ports having to do with SSH or VPN, but they won't be blocking 443.  In addition, 443 traffic is normally encrypted anyway, so encrypted SSH traffic won't raise any flags with the sysadmins.

1/2.  I don't intend for Joe Internet to connect to my home network.  I really don't care if that machine does not follow public standards.



#7 2010-05-20 16:07:53

egzodas
Member
Registered: 2008-07-09
Posts: 7

Re: help me understand tunneling.

ewaller, thank you, that was a very informative and easy to understand post. In fact, I tried creating a VPN and it works! Once again, thank you.


falconindy I do admit that I do understand a lot of the things related to networking, but to answer your question, port 443 was the only one I was able to establish a connection to my home box.


#8 2010-05-20 17:39:42

Bebo
Member
From: Göteborg, Sweden
Registered: 2006-06-07
Posts: 207

Re: help me understand tunneling.

Xyne wrote:

I'm too tired to know if this is a stupid question, but could it be that your DNS requests are not getting tunnelled and thus going directly to your college's DNS server? I think "DNS leaks" are a common problem with setting up browser proxies. If that's the case then you should be able to find a solution quickly with a search engine.

I haven't had the problem that the OP has (DNS blocks), but I always use an ssh tunnel when surfing at work, and I have noticed that Firefox sends DNS requests outside of such a tunnel. I googled on it some time ago, and it seems that the Firefox config option "network.proxy.socks_remote_dns" set to true should fix it. Actually I never verified this afterwards, so I can't say if it works :P

EDIT: Oh, and using port 443 as tunnel server port is a common way to bypass firewalls... If they set up something smarter in the future you can always try proxytunnel or some such; the tunnel traffic will only look like an https session.

Last edited by Bebo (2010-05-20 17:46:22)


#9 2010-05-20 20:22:46

egzodas
Member
Registered: 2008-07-09
Posts: 7

Re: help me understand tunneling.

Bebo wrote:
Xyne wrote:

I'm too tired to know if this is a stupid question, but could it be that your DNS requests are not getting tunnelled and thus going directly to your college's DNS server? I think "DNS leaks" are a common problem with setting up browser proxies. If that's the case then you should be able to find a solution quickly with a search engine.

I haven't had the problem that the OP has (DNS blocks), but I always use an ssh tunnel when surfing at work, and I have noticed that Firefox sends DNS requests outside of such a tunnel. I googled on it some time ago, and it seems that the Firefox config option "network.proxy.socks_remote_dns" set to true should fix it. Actually I never verified this afterwards, so I can't say if it works :P

EDIT: Oh, and using port 443 as tunnel server port is a common way to bypass firewalls... If they set up something smarter in the future you can always try proxytunnel or some such; the tunnel traffic will only look like an https session.

I tried the above method too and wow, it also solves the problem I had.  Thank you for pointing that out.


#10 2010-05-21 15:22:54

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,965
Website

Re: help me understand tunneling.

So it wasn't a stupid question after all. :P



#11 2010-05-21 20:36:06

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: help me understand tunneling.

If you can connect through port 443 and access your machine through ssh then you can tunnel the internet at home to school.

The configuration you have to use may be a bit tricky though (oh the joys and pains of gui apps), if you were using ssh you would need to use it like this: 'ssh -D someport user@ip'. The compression flag -C is optional but may be worth it.

Then you would need to configure your browser to use a socks v5 proxy, that would be localhost:someport and that's it. You just need to hunt for the right way to do it with putty.


