This article was inspired by RSnake’s article on using Trillian behind firewalls, but takes it a few steps further to let you proxy any application that supports proxying.
This tutorial uses OpenBSD as the example, but will work with little to no modification on any UNIX-like system, or even Windows with Cygwin installed, run away now if that frightens you. The concept is fairly simple, for each service you need to connect through to avoid a restriction, or just don’t want anyone to see you will set up an ssh tunnel and proxy it off of your remote server.
On your server (home computer) you’ll need both sshd and apache, both are installed by default on OpenBSD, for your OS of choice I’ll leave it up to you to figure out how to install them.
Note (stolen from Rsnake’s article): “By “static connection” I mean somewhere that has an IP address that you can connect to that doesn’t change, but you can also use a service like DynDNS to make a dynamic connection appear static. If you cannot do port forwarding or cannot host a machine on your broad-band connection, stop now, and find a friend who will let you host a machine at their house.”
Step 1. SSHD
edit sshd_conf (usually in /etc/ssh) add the following line if it is not already there, making sure it is not commented out.
Step 2. Firewall
You DO have a firewall installed right? Unless you have specific needs just block all traffic and allow port 22 inbound
OpenBSD comes with PF an excellent firewall that does just about everything you could want.
using pf your pf.conf should look something like this:
ext_if = "rl0" block log all pass in quick on $ext_if inet proto tcp from any to ip_of_interface \ port 22 label ssh flags S/SAFR keep state
restart/reload your firewall rules as needed
Step 3. Configure Apache 1.3 to proxy
NOTE: OpenBSD by default runs httpd chrooted, in order for Apache to resolve hostnames while chrooted you will need to create a /var/www/etc directory, and copy resolve.conf into it.
mkdir /var/www/etc cp /etc/resolve.conf /var/www/etc
Open httpd.conf in your favorite editor find the proxy section and uncomment or add:
Listen 127.0.0.1:8080 LoadModule proxy_module /usr/lib/apache/modules/libproxy.so
start or restart apache
Note the AllowCONNECT, for each service that supports proxying you will need to add the associated port, the above example includes SSL connections, AIM and Yahoo IM.
On the computer you will be connecting from you will need to create a new file in your .ssh directory. It will contain an alias for the host you want to connect to, in this case your home computer, the address of the home computer, your username used for ssh on your home computer, and some port forwarding statements. Do not use root for the username.
~/.ssh/config should look something like this:
HostName somehost.com (or an IP address) User username Compression yes LocalForward 22 somehostontheothersideofthebastion:22 LocalForward 25 somemailserver:25 LocalForward 143 someimapserver:143 LocalForward 8080 127.0.0.1:8080
Now you just have to connect: (Note: Rembrant sent an alternate connection method and correctly pointed out that the source ports should be greater than 1024 if using a UNIX host as the client, see his email here)
remotecomputer$ ssh alias_for_somehost password:
Note: you must leave this session open as long as you are proxying an application
Now that you are logged in all of the ports defined in ~/.ssh/config will be forwarded from your work computer, or whatever to your home computer. In the example above you can now directly connect to somehostontheothersideofthebastion simply by sshing to localhost on your computer, it’s convenient for scp’ing to a machine behind the proxy server you just set up without double copying it.
You can set your mail client to use localhost as its mail server for outgoing and incoming mail.
And now you can surf all those warez sites from work by setting your proxy to localhost port 8080, same with IM, or any other application that allows itself to be proxied, just make sure you add the port to the AllowCONNECT line in httpd.conf
If you find this useful or confusing, let me know.