Friday, January 21, 2011

Digging Tunnels (part 1)

WARNING: following the instructions below can get you in trouble.

REMINDER: most system administrators can and do google.

You're at work, behind a restrictive protocol-aware firewall, which allows outgoing connections only through HTTP (port 80) and HTTPS (port 443), and blocks other protocols, specifically SSH, regardless of the destination port (read about Deep Packet Inspection, to see how it's done).

And you want to access your Debian/Linux box at home, over SSH.

As long as said firewall allows HTTPS, you can use stunnel to tunnel SSH traffic through the firewall.

  1. Server side (PC at home):
    1. configure your firewall to accept connections on port 443
    2. configure your SSH daemon to listen on (the default) port 22 (note that it need not be reachable from the outside world)
    3. install stunnel:
      aptitude install stunnel4
    4. comment out unwanted services in /etc/stunnel/stunnel.conf and add the following:
      [sshd]
      accept  = 443
      connect = 22
      TIMEOUTclose = 0
    5. generate (as root) a new self-signed SSL certificate (key, certificate and DH parameters all go into one file):
      openssl req -new -x509 -days 999999 -nodes -out /etc/ssl/certs/stunnel.pem -keyout /etc/ssl/certs/stunnel.pem
      openssl gendh >> /etc/ssl/certs/stunnel.pem
    6. enable the stunnel daemon in /etc/default/stunnel4 like this:
      ENABLED=1
    7. start the daemon:
      invoke-rc.d stunnel4 start
  2. Client side (PC at work):
    1. download, compile and install stunnel in your account
    2. add the following stanza to ~/.ssh/config (where sshd.example.com stands for the address of your home PC):
      Host sshd.example.com
        Port 443
        ProxyCommand stunnel3 -c -f -r %h:%p
You should now be able to connect to your home PC over SSH.
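A small check for the combined PEM file that step 5 writes, added here as an example and not part of the original post: it verifies the file holds the private key, certificate and DH parameters stunnel expects, and that a file containing an unencrypted private key (which -nodes produces, and which lands in the world-readable /etc/ssl/certs directory) is not group- or world-readable. The PEM bodies in the sample are constructed placeholders, not real key material.

```python
import os
import re
import stat

# One PEM block: label, then body, up to the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.DOTALL)

# Block types the stunnel server side needs in one file.
REQUIRED = {"CERTIFICATE", "DH PARAMETERS"}
# Labels OpenSSL uses for an unencrypted private key.
KEY_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return the PEM block labels in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def audit_stunnel_pem(text, mode):
    """Return findings for PEM text given the file's st_mode bits."""
    labels = pem_blocks(text)
    findings = []
    for needed in sorted(REQUIRED):
        if needed not in labels:
            findings.append("missing %s block" % needed)
    if "ENCRYPTED PRIVATE KEY" in labels:
        # The daemon starts unattended, so it cannot enter a passphrase.
        findings.append("encrypted private key: stunnel daemon cannot start unattended")
    elif not any(label in KEY_TYPES for label in labels):
        findings.append("missing private key block")
    elif mode & (stat.S_IRWXG | stat.S_IRWXO):
        # An unencrypted key must be readable only by the owner (root).
        findings.append("private key readable by group/others: mode %o" % stat.S_IMODE(mode))
    return findings


def audit_file(path):
    """Audit an on-disk PEM file, e.g. /etc/ssl/certs/stunnel.pem."""
    with open(path) as fh:
        return audit_stunnel_pem(fh.read(), os.stat(path).st_mode)


# Constructed sample with placeholder bodies (not real key material).
GOOD_PEM = """-----BEGIN PRIVATE KEY-----
Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnQ=
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
Q29uc3RydWN0ZWQgc2FtcGxlLCBub3QgcmVhbCBESCBwYXJhbXM=
-----END DH PARAMETERS-----
"""

if __name__ == "__main__":
    print(audit_stunnel_pem(GOOD_PEM, 0o100600))  # [] when the file is complete and mode 600
    print(audit_stunnel_pem(GOOD_PEM, 0o100644))  # flags the group/world-readable key
```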

Next time: same scenario, but with your work PC running Windows.
