Friday, January 28, 2011

Digging Tunnels (part 2)

WARNING: following the instructions below can get you in trouble.

REMINDER: most system administrators can and do google.

As promised, this time I'll show how to tunnel from your workstation at work to your PC at home through a protocol-aware firewall, only this time with the client workstation running Windows.

Server setup is the same as in the previous post. If your home machine runs Windows, then you may want to research setting up Cygwin with an SSH daemon and stunnel directing traffic to it. I haven't done it myself, so you're on your own here.

The client side, at work, is easy if you already have Cygwin installed there:
  1. install stunnel using Cygwin's setup.exe
  2. add the following stanza in ~/.ssh/config (where sshd.example.com stands for the address of your home PC):
    Host sshd.example.com
      Port 443
      ProxyCommand stunnel3 -c -f -r %h:%p

If you don't have Cygwin, then do this:
  1. download and install stunnel for Windows
  2. open stunnel.conf for editing by selecting 'Edit stunnel.conf' from the newly created stunnel sub-menu in the Windows Start menu
  3. replace its contents with the following:
    client = yes
    debug = 7
    [putty]
    accept = localhost:60022
    connect = sshd.example.com:443

    (replace sshd.example.com with the address of your home PC)
  4. start stunnel by selecting 'Run stunnel' from the same stunnel sub-menu as before
  5. use PuTTY to connect to your home PC, by pointing it to localhost:60022
  6. if you hit any problem, then you may be able to troubleshoot it by going over the stunnel log messages, which can be accessed from the stunnel tray icon context menu

Friday, January 21, 2011

Digging Tunnels (part 1)

WARNING: following the instructions below can get you in trouble.

REMINDER: most system administrators can and do google.

You're at work, behind a restrictive protocol-aware firewall, which allows outgoing connections only through HTTP (port 80) and HTTPS (port 443), and blocks other protocols, specifically SSH, regardless of the destination port (read about Deep Packet Inspection, to see how it's done).

And you want to access your Debian/Linux box at home, over SSH.

As long as said firewall allows HTTPS, you can use stunnel to tunnel SSH traffic through the firewall.

  1. Server side (PC at home):
    1. configure your firewall to accept connections on port 443
    2. configure your SSH daemon to listen on (the default) port 22 (note that it need not be accessible to the outside world)
    3. install stunnel:
      aptitude install stunnel4
    4. comment out unwanted services from /etc/stunnel/stunnel.conf and add the following:
      [sshd]
      accept  = 443
      connect = 22
      TIMEOUTclose = 0
      
    5. generate (as root) a new self-signed SSL certificate:
      openssl req -new -x509 -days 999999 -nodes -out /etc/ssl/certs/stunnel.pem -keyout /etc/ssl/certs/stunnel.pem
      openssl gendh >> /etc/ssl/certs/stunnel.pem
      
    6. enable the stunnel daemon in /etc/default/stunnel4 like this:
      ENABLED=1
      
    7. start the daemon:
      invoke-rc.d stunnel4 start
  2. Client side (PC at work):
    1. download, compile and install stunnel in your account
    2. add the following stanza in ~/.ssh/config (where sshd.example.com stands for the address of your home PC):
      Host sshd.example.com
        Port 443
        ProxyCommand stunnel3 -c -f -r %h:%p

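One thing worth checking before relying on either side of this setup: none of the client configurations on this page (the stunnel3 ProxyCommand above, or the Windows stunnel.conf in part 2) verify the server's certificate, so the TLS layer protects against the firewall's protocol inspection but not against someone on the path presenting their own certificate. The script below is an added example, not the blog author's code and not part of stunnel: it parses stunnel's INI-like config format and reports the settings that matter once SSH rides inside the tunnel. The two sample configs are constructed from the stanzas on this page (the server stanza from part 1 and the Windows client config from part 2); the option names it looks for (client, verify, CAfile, CApath, debug) are stunnel's own.

```python
"""Lint an stunnel configuration for the settings that matter once the
tunnel carries SSH: does a client verify the server certificate, does the
server gate connections at all, and how much does the log record.

Added example; not the blog author's code and not part of stunnel.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: the Windows client config from part 2 of the post.
CLIENT_CONF = """\
client = yes
debug = 7
[putty]
accept = localhost:60022
connect = sshd.example.com:443
"""

# Constructed sample: the server-side stanza from part 1 of the post.
SERVER_CONF = """\
[sshd]
accept  = 443
connect = 22
TIMEOUTclose = 0
"""


@dataclass
class StunnelConfig:
    global_opts: dict[str, str] = field(default_factory=dict)
    services: dict[str, dict[str, str]] = field(default_factory=dict)


def parse_stunnel_conf(text: str) -> StunnelConfig:
    """Parse stunnel's format: global 'key = value' lines first, then one
    '[service]' section per tunnel. Comments start with ';' or '#'."""
    cfg = StunnelConfig()
    current = cfg.global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = cfg.services.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # malformed line; stunnel itself would reject it
        current[key.strip()] = value.strip()
    return cfg


def effective(cfg: StunnelConfig, service: str, key: str) -> str | None:
    """A service option overrides the same option set globally."""
    return cfg.services[service].get(key, cfg.global_opts.get(key))


def lint(cfg: StunnelConfig) -> list[str]:
    """Return one finding per setting a reviewer would want to know about."""
    findings: list[str] = []
    for name in cfg.services:
        is_client = (effective(cfg, name, "client") or "no").lower() == "yes"
        verify = effective(cfg, name, "verify")
        has_ca = effective(cfg, name, "CAfile") or effective(cfg, name, "CApath")
        if is_client and (verify is None or verify == "0"):
            findings.append(
                f"[{name}] client without 'verify': the server certificate is "
                "not checked, so anything on the path can impersonate the server")
        elif is_client and not has_ca:
            findings.append(f"[{name}] 'verify' set but no CAfile/CApath to check against")
        if not is_client and (verify is None or verify == "0"):
            findings.append(
                f"[{name}] server without 'verify': any client that reaches the "
                "accept port reaches the backend; SSH authentication is the only gate")
        debug = effective(cfg, name, "debug")
        if debug is not None and debug.isdigit() and int(debug) >= 7:
            findings.append(f"[{name}] debug = {debug}: every connection is logged verbosely")
    return findings


if __name__ == "__main__":
    for label, text in (("client", CLIENT_CONF), ("server", SERVER_CONF)):
        print(f"== {label} ==")
        for finding in lint(parse_stunnel_conf(text)):
            print("  " + finding)
```

Run against the client config it reports two findings (no certificate verification, debug = 7); against the server stanza it reports one (no client verification, which is by design here since sshd does the authentication). Adding `verify = 2` plus a `CAfile` pointing at the self-signed certificate from step 5 to the client side silences the first finding and pins the tunnel to your own server.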
You should now be able to connect to your home PC over SSH.

Next time: same scenario, but with your work PC running Windows.