Censorship Bad

This is an outgrowth of a post I was making on Violet Blue’s blog which was too technical and not enough sexual (It’s a sex blog). The topic was firewall piercing.

For an overview of the topic, you might like this Wikipedia article.

I was going to write something back, but while her site is about sex and technology, I think that my response had too much technology, and not enough sex.

This is turning into a mini-howto on basic and advanced firewall piercing. While I do think that this is important for people who are worried about their privacy online, I also think that this discussion needs to happen elsewhere and not clutter up a sex blog with too much tech-talk.

For an SSH tunnel, I was thinking more along the lines of this:
ssh user@example.com -L localhost:8888:127.0.0.1:8888

Then running a tinyproxy instance bound to the localhost (127.0.0.1) address of the ssh server on port 8888. Set your web browser to use 127.0.0.1 port 8888 as your web proxy, and you’re done. Personally, I would recommend combining this with something like FoxyProxy, which would allow you to easily switch Firefox between normal and tunneled communications. This approach gives you a clean tunnel anywhere SSH is sold. (Coffee shops, most airports…)

If you’re dealing with a really draconian set of rules, you could use a listener on some port of the ssh server, and run httptunnel ( http://www.nocrew.org/software/httptunnel.html ) on both ends, and encapsulate the SSH connection in http (web) traffic. This can even be set up to work through a web proxy server.

On the server, this is run as:
hts -F localhost:22 8443

The client side configuration looks like this:
htc -F 8022 ssh_server.example.com:8443

The ssh tunnel is brought up with:
ssh -p 8022 user@127.0.0.1 -L localhost:8888:127.0.0.1:8888

(Note: those are all 1-liners)

For bonus points, put the httptunnel instance on port 80 of the ssh server, so as to make life more difficult for censors. This can be done by replacing the “8443″ port numbers with “80″ in the example above.

For double bonus points, run a recursive DNS resolver on the machine, and replace tinyproxy with Dante. That gives you arbitrary dynamic port forwards on the far end for any application that either (a) supports socks(4/5), or (b) is socksified. Dante can be found at
http://www.inet.no/dante/ , and a windows Socksifier can be found at http://www.freecap.ru/eng/ . Socksifiers are nice for handling windows application that expect a direct connection to the Internet – but are not needed for Firefox, and any other applications that have been compiled to run natively with socks.

For triple bonus points, run openvpn in tcp mode through a httptunnel. Using this option, you can dump ssh and the proxy altogether, and run arbitrary protocols. It does, however, require a bit more work on the destination (server) end.

Edit: Fixed typos in example

This entry was posted in Society, Stupidity, Work. Bookmark the permalink.