— because if it was easy, everyone would do it

  • Credits: John S and John C

Coding is one of the highest art forms achieved by mankind; an idea - just an electrical impulse - is made real in an alternate electronic universe; the created idea however, does not have physical form, and yet can change the physical world; it cannot be touched, and yet may touch all mankind.

Howto: by-pass the censor with ssh

ssh username@remote_server -L local_port_to_use:localhost:proxy_service_port [-p ssh_port] [-X]

The explanation

Use an ssh tunnel to by-pass the censor. You may only perform this operation under academic supervision and for purposes described by the AUP. You'll learn quite a bit about the Internet from this.

To set up the by-pass tunnel

You need to know:

  1. The name or IP address of a suitable proxy computer (we refer to this as the proxy-server)
  2. A user account on the proxy computer (you need to be able to log in to it)
  3. The port used by the proxy service running on the proxy computer
  4. The port used by the ssh service running on the proxy computer

You can get the names and numbers above from your tutor. When you've got them, drop to a terminal session and do the following:

With these, issue the ssh command followed by the user account name and the name of the proxy server. In this example the user name is me and the proxy computer is called proxy.server.com:

ssh me@proxy.server.com

The parameter for port-forwarding is -L

With this you can choose a local port (which is not already in use) to accept connections. In this example I'm using 7890.

We want traffic going to this port to be forwarded through the ssh connection to the port used by the proxy service on the remote computer. The localhost in the parameter is interpreted at the remote end, so it names the proxy server's own loopback address, which is where the proxy service is listening. In this example the proxy port is 3128.

The parameter becomes:

-L 7890:localhost:3128

Finally, if needed, add a parameter to change the ssh port connected to on the remote computer. The default port for ssh is 22. If the ssh service is running on that port you don't need to specify this. In this example the ssh port on the remote computer is 1800 so I will add:

-p 1800

(You can also add -X if you think you want to run X-windows applications on the remote computer.) My full command therefore is:

ssh me@proxy.server.com -L 7890:localhost:3128 -p 1800 -X

When this command is issued you will be connected to the remote computer where you can log in. After you log in there will be an unseen tunnel from your local computer to the remote computer through which you can access the proxy service on the other end. As long as this tunnel remains open you will be able to access the remote proxy service.

To close down the tunnel, exit the remote ssh session by typing exit or by closing the terminal window.

To use the by-pass tunnel

Configure your browser to use the local end of the tunnel to access the proxy service at the other end.

In Firefox this involves clicking on Edit/Preferences/Advanced/Network/Settings/Manual proxy configuration. Then put localhost in the HTTP Proxy field and 7890 in the Port field. You can also select Use this proxy server for...

Now click on OK and then Close and you're done. Browse, research, learn.

How does this work?

Consider the diagram below. Scenario 1 is the normal web browsing scenario. The client connects directly to the web server. Scenario 2 is also quite normal; we often use proxy servers for reasons of efficiency, convenience and voluntary control.

Both scenarios are plain text communication between two computers. Any system that the packets of data pass through can take a peek inside and see what's going on. This is inherently insecure and enables easy censorship. For that reason we examine scenario 3. Secure encrypted communication is possible using the secure shell protocol. This is often used on the Internet for secure logon to a remote workstation.

In scenario 4 — which is much more complicated than scenarios 1 or 2 — we use a combination of scenarios 2 and 3. Scenario 4 as shown below diagrams this command:

ssh me@proxy.server.com -L 7890:localhost:3128

When your tunnel is in operation and your browser is configured to use the tunnel, diagram 4 above describes how things work. When your browser requests a page from the web server, the request goes to local port 7890 and is sent up the ssh tunnel; at the other end the request packets are passed to the proxy service. The proxy service obtains the web page from the server and returns the packets containing the web page through the tunnel; the data pops out at the local end and is displayed by your browser. Voilà!

Other examples

User name john, remote computer called pictures.somenet.ie, local port 4020, remote proxy service on port 9500, standard ssh port, no X-windowing:

ssh john@pictures.somenet.ie -L 4020:localhost:9500

User name pquinn, remote computer called www.overnight.org, local port 444, remote proxy service on port 5921, ssh service on port 5604, no X-windowing:

ssh pquinn@www.overnight.org -L 444:localhost:5921 -p 5604
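As an added example, not part of the original page, here is a small POSIX shell wrapper for the procedure above and for the two examples just given: it validates the port numbers, warns when the local port is a privileged one (below 1024, as 444 is), refuses a local port that is already listening, builds the ssh command line, and offers a curl check of the tunnel that does not need the browser. The function names, the -N and ExitOnForwardFailure options, and the ss/netstat/curl invocations are my additions; the user names, host names and port numbers are the page's own examples.

```bash
#!/bin/sh
# Added example: wrapper for the "ssh -L" proxy tunnel described on this page.
# Helper names and the extra ssh options are assumptions, not the page's command.

# Return 0 if $1 is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if something on this machine already listens on local TCP port $1.
# Uses ss (iproute2) and falls back to netstat where ss is absent.
port_in_use() {
    if command -v ss >/dev/null 2>&1; then
        ss -Hlnt 2>/dev/null | awk '{print $4}' | grep -qE "[:.]$1\$"
    else
        netstat -lnt 2>/dev/null | awk '{print $4}' | grep -qE "[:.]$1\$"
    fi
}

# Print the ssh command for: user host local_port proxy_port [ssh_port] [yes|no for -X].
# -N forwards ports only (no remote shell); X forwarding needs a session, so when
# -X is wanted the login shell is kept, as in the page's full command.
# ExitOnForwardFailure makes ssh exit instead of logging in with no tunnel when
# the local port cannot be bound.
build_tunnel_cmd() {
    user=$1; host=$2; lport=$3; pport=$4; sshport=${5:-22}; xfwd=${6:-no}
    valid_port "$lport" && valid_port "$pport" && valid_port "$sshport" || return 1
    [ "$lport" -lt 1024 ] && echo "note: local port $lport is privileged; binding it needs root" >&2
    if [ "$xfwd" = yes ]; then cmd="ssh"; else cmd="ssh -N"; fi
    cmd="$cmd -o ExitOnForwardFailure=yes $user@$host -L $lport:localhost:$pport"
    [ "$sshport" -ne 22 ] && cmd="$cmd -p $sshport"
    [ "$xfwd" = yes ] && cmd="$cmd -X"
    printf '%s\n' "$cmd"
}

# Start the tunnel after checking the local port is free (same arguments as above).
start_tunnel() {
    port_in_use "$3" && { echo "local port $3 is already in use" >&2; return 1; }
    cmd=$(build_tunnel_cmd "$@") || { echo "bad port number" >&2; return 1; }
    echo "running: $cmd" >&2
    eval "$cmd"
}

# Verify the tunnel without the browser: fetch a URL via the local end of the
# tunnel and print the HTTP status code (200 means the proxy answered).
check_tunnel() {
    curl -sS -o /dev/null -w '%{http_code}\n' -x "http://localhost:$1" "${2:-http://example.com/}"
}
```

Run start_tunnel in one terminal (for example `start_tunnel me proxy.server.com 7890 3128 1800`) and `check_tunnel 7890` in another; the browser settings in the next section then point at the same local port.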


Q. Do I have to use local port 7890?

A. No. Use any other local port value in the range 1..65535 that is not already in use. Check here for a list of common ports already in use. Make sure you use the same port number when configuring your browser.

Q. What happens if I don't use the same port when configuring the browser?

A. The connection to the end of the tunnel won't be made; plus, you won't be able to browse at all until the setting is corrected or the browser is configured not to use any proxy.

Q. Must I use port 3128?

A. Probably. You will use whatever port number is used for the proxy service on the proxy server. 3128 is used in these examples because it is the normal port number for the Squid proxy program. Port 8080 is also commonly used. Ask the owner of the proxy server which port number she's using.

Q. Do I have to do this every time I want to use the 'net?

A. Depends. If the site you want to look at is not blocked then configure your browser not to use a proxy server. If it is, then set up the tunnel.

Q. What happens to the tunnel when I log out?

A. When you log out the ssh terminal session will be closed. The tunnel will close with it.

Q. Is it possible to snoop on ssh traffic?

A. Yes. It's just really, really, really hard to do in real-time.

Q. Can I choose to use a different ssh port?

A. No. Find out the ssh port on the server and use that; if you try a different port number you won't connect to the ssh service.

Q. Can I use this technique for other stuff?

A. Yes. Other services which run in plain text mode can be redirected in this manner; set up the tunnel and configure the software.

Q. I used this yesterday and now I can't use the Internet at all!

A. Either re-configure your browser to use no proxy or re-establish the tunnel.

Q. Do I have to use -X?

A. No. That's to use remote X-windowing. If you don't intend to use remote X-windowing, don't put that in. But if you do, you won't break anything.

Q. Can I use any server for this?

A. No. Apart from needing a user account on the server, the server must run ssh and proxying (Linux has these services but they might not be turned on), and the server has to be on the other side of the obstacle you are trying to avoid.

Q. Can I do this under Microsoft Windows?

A. Yes. But you'll have to download an ssh client first. Go here and start reading.

Q. Will this make my browser faster or slower?

A. Slower. By definition, using a proxy server means your web request has an extra journey to make; and making the web request go through the tunnel requires an extra few milliseconds for encryption and decryption on either end. But the total delay should be negligible and measured in milliseconds.

Q. Can I do this under Windows?

A. Yes; use PuTTY, and configure in the Category list Connection/SSH/Tunnels. The settings are shown here:

Last updated: 20150326-09:41