
Never again be thwarted by restrictive “guest” wifi (e.g. on buses or airplanes) - rogueleaderr
http://rogueleaderr.tumblr.com/post/29855576743/never-again-be-thwarted-by-restrictive-guest-wifi
======
ben1040
This works great, except that some sites seem to block requests from EC2
hosts. StackOverflow and Yelp are two that come to mind immediately although
I'm sure there are others. If I remember right, StackOverflow only lets you
access via the API if you're on an EC2 host.

On the other hand, I can see where they're coming from by banning the whole
netblock. Otherwise you could scrape until your IP gets banned for blowing a
rate limit, then tear down that instance and spin up a new one.

~~~
olalonde
Same experience using Slicehost as a VPN and searching on Google:

    We're sorry...

    ... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now.

~~~
kibwen
I get this same message about once a week since I frequently use my Linode VPS
as a proxy for my web traffic, but it's never lasted for more than a half hour
or so. I've always wondered why their heuristics only seem to notice me so
infrequently. Do you get it consistently?

~~~
olalonde
Yes, I have never been able to access Google from my Slicehost VPN IIRC. I
also used a Linode VPN for a while and got the message infrequently with the
possibility to enter a CAPTCHA to complete my request.

------
ikonst
I'm kinda baffled how this recipe for using ssh, rudimentary sysadmin skills
and scripting is deemed news. Maybe back in the heyday of Slashdot, this would
be half-interesting -- like, uhh, when OpenSSH actually introduced tunneling,
or when Iodine was introduced, or whatever... At best, a "protip" everyone
could've discovered himself through a few minutes of Googling.

~~~
mikescar
Watch out, we've got a badass over here.

Not so much 'news' but perhaps a quick hack, nice reminder, a quick intro for
the less experienced (who may not know what they are missing in the first
place). Or perhaps someone who has set this up before in a different way might
want to change how they do it.

~~~
franzus
If you don't know "tricks" like this ... what are you doing on HACKER news?

~~~
nicholassmith
Because not everyone knows everything, and the entire point of being HACKERS
(I assume the uppercase is useful) is to promote learning and sharing
knowledge.

So whilst this is probably not front news worthy of LEET HACKERS, it's probably
made someone go 'hey, that's cool' and that's all it needed to do.

~~~
franzus
> man ssh

doesn't imply being "LEET".

~~~
chris_wot
No, it implies that you think that the other person is stupid AND they use
some form of Unix. Any way you put it, your response is unfriendly and rude.
And Hacker News should not be known for arrogance. In fact, the person reading
this article might not know much about tunnelling, but maybe writing the next
greatest app. You won't know who you are displaying your arrogance to, so
don't do it.

------
vegardx
My trick is usually just to set up a SOCKS5 tunnel to a remote machine running
OpenSSH. The nice thing about this is that you don't have to install anything
on your system, and most people have access to a remote Linux/BSD-based
server.

Nifty one-liner to set it up properly: "ssh user@host -D 8080". Then you just
point your system-wide proxy to localhost:8080 and magically see all your data
be tunneled.

~~~
chrisbroadfoot
You should try sshuttle. It doesn't require any system-wide proxy
configuration.

~~~
vegardx
I have read the documentation, and it's pretty nifty. But I rarely have to use
it anyway, so I've stuck with a solution that is not dependent on any other
software than what ships natively with my OS.

------
wisty
A more interesting spin is TCP-over-DNS. Some networks will block TCP but not
DNS, so you send all your traffic over DNS.

It's not very efficient, though.

If you have a server somewhere, there's no real limit to the creative ways you
can get around network restrictions.

~~~
chris_wot
DNS is an application protocol, TCP is a transport protocol. You can't be
tunneling TCP over DNS; DNS (when not using UDP) actually uses TCP port 53.
Are you sure that you are not just getting SSH to listen on port 53?

~~~
s_henry_paulson
DNS tunneling is actually possible:

<http://dnstunnel.de/>

It's also interesting to note that Julian Assange (AFAIK) was the first person
to come up with this idea back in 2006.

<http://re-iq.blogspot.com/2006/12/ip-over-ppp-over-dns-over-ip.html>

~~~
oskarpearson
Hi there

I have to interject here - not to blow my own trumpet, but as a 'point of
fact'. (Oops... once you start correcting misinformation on the internet, you
are going to be busy for a long time.)

I wrote about this in 1998, when I released source code that did this on the
bugtraq mailing list - <http://gray-world.net/papers/dnstunnel.txt> has a copy
of my mail.

Before that there was a long standing existing technique to tunnel data
through UDP packets that simply pretended to be destined for the DNS port
(53). That stopped working if the network admin filtered outbound UDP and
forced people to use their local DNS server instead. My method still works in
that scenario though.

(If anyone knows of an earlier reference to the method I posted about, please
let me know... for all I know it was a well-known tactic in the underworld
before I posted to bugtraq.)

From Julian's post, it's not possible to see which of the two methods his code
used, since the rb file seems to have disappeared. I suspect it was "my"
method.

I do like the ppp interface though - mine just tunneled bash commands +
responses.

Oskar

~~~
jjguy
Oskar, I didn't know you were an HN'er. Thanks for posting. I have studied
malicious use of DNS for a long time and have not yet found any reference
prior to your post in 1998. In fact, I used your original bugtraq post as a
reference to kick off a whitepaper detection solution approach for
enterprises: <http://armatum.com/blog/2009/dns-part-ii/> I'd sincerely welcome
your feedback.

HN'ers -- Despite Kaminsky's ego, all signs indicate Oskar invented DNS
tunneling.

~~~
chris_wot
Fascinating! Well, happy to be proven wrong - thanks all for the links. I'm
very surprised that this is even possible!

------
cpeterso
Back in 2005, Google offered "Google Secure Access", a short-lived service to
provide secure VPN access across insecure Wi-Fi networks. I'm unsure why
Google dropped the service so quickly, but there is still probably a good
business opportunity in this space. Business travelers stuck using airports'
insecure Wi-Fi and hotels' captive portals might be eager to pay for turnkey
VPN tunnels. Like this blog post suggests, you could spin up EC2 proxies on
demand.

* September 2005: Google Secure Access goes beta: <http://lifehacker.com/126454/google-secure-access-+-encrypt-your-wifi-connection>

* October 2005: Google Secure Access shuts down: <http://www.zdnet.com/blog/google/google-secure-access-is-history/11>

~~~
X-Istence
<https://www.getcloak.com>

---

Although, some of their endpoints are EC2 as well ... so you won't be going
around the block that some sites have set up for EC2 instances...

~~~
rogueleaderr
I used Cloak for a while, but I always accidentally left it running and then
blew through my data limit. No limits on sshuttle!

~~~
benmanns
True, but don't forget that you still get charged for usage by AWS.

------
uncoder0
If you want to be even more clever (imo) try out iodine[1]

[1]<http://code.kryo.se/iodine/>

------
zacharycohn
I use a service called Cloak (<https://www.getcloak.com/>), which I love and
recommend to people all the time. It does something similar, but it
automatically detects when you're on an unsecured network and automatically
does everything for you.

Highly recommended. The author of the program hangs out on HN sometimes too.

~~~
dbalatero
Another Cloak user here - I was able to stream Netflix on my flight this week
due to running it through their proxy. No infrastructure to run, and fully
integrated with OS X's wifi selector. It runs on multiple cloud platforms to
boot, so if someone is blocking EC2 you might have better luck.

------
inportb
Nifty trick, but some services kill ssh on port 443, and I guess they do so by
limiting connection lifetime. In these cases, I find GNU httptunnel _very_
useful.

------
guylhem
This is interesting but incomplete. It may not survive deep packet
inspection or rate limiting. Even worse - your only S3 machine could get
blacklisted, and I don't see why operators wouldn't share blacklists the way
it's done to fight spam.

So my suggestion is to have multiple alternatives instead, as in lines of
defense.

First, a simple SSH server also running a SOCKS and an HTTP proxy is useful.
Easy to reach and configure - some browsers work better with an HTTP proxy (or
was it SOCKS? Opera only supports one but I can't remember which at the
moment).

In the second line, you want to run the SSH server on a nonstandard port as
the author does. I suggest multiplexing the port: simply run SSLH on both
port 80 and 443, with the patch published on
<http://rutschle.net/pipermail/sslh/2012-April/000202.html>

But that will not look like a standard SSL connection. Even worse, if you use
your own certificate - operators could deny all self-signed certificates.

So get stunnel running on port 443 with a "usual" certificate instead, and
pass the traffic on port 80 where you'll be happy to have SSLH or whatever you
prefer - like OpenVPN, which can do port sharing or which can be put "behind"
stunnel and sslh, so that you will use a standard 443 port, and do a genuine
SSL connection on that port. Much better. Have some fun with burst.net - they
offer you 2 IPs for like $7/month: you can do some routing and give the 2nd IP
address to your laptop on the other end of the tunnel. Now _that_ is freedom
:-) Every port will be opened in both ways :-)

Still, I do not believe any of that will be enough to resist statistical
analysis. I've seen interesting tools, but if I'm down to that I'd better use
a standard DNS tunnel (iodine, dns2tcp, nstx, whatever).

Once again, multiplexing port 53 could be good, to have them on different
subdomains (you never know which tool you'll have on hand, or can easily
recompile on the go) or to run a standard DNS server too (named, maradns,
...).

It will be a good idea to "rate limit" one of them because having too much
traffic flow on port 53 to a given IP is something that stands out. (And I
have seen DNS tunnels broken by a simple rate limit rule.)

I found something interesting to multiplex DNS requests in C, whose name I
don't remember at the moment. If anyone is interested I can dig that up.

Finally, deploy all that setup on at least 2 machines, using different domains
and different subnets so that if one of your "lines of defense" goes down (i.e.
gets blacklisted) you can safely move to the next one.

Total time it takes: 2 hours, then you'll always have a way out of a locked
connection.
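
jjguy's whitepaper further up concerns detecting DNS tunnels in an enterprise, and guylhem notes above that heavy query traffic on port 53 to one destination stands out. As an added example (not from the thread, the whitepaper or any tool mentioned here), this Python detector aggregates constructed resolver query logs per registered domain and flags the combination of high query volume, almost every name being unique, and long high-entropy subdomain labels; the thresholds are assumed illustrative values, and the registered-domain split is a two-label simplification.

```python
"""Heuristic DNS-tunnel detector run over constructed resolver query logs.
Per registered domain it tracks query volume, uniqueness of names, and the
length and entropy of the longest subdomain label."""
import hashlib
import math
from collections import defaultdict

# Thresholds are assumed illustrative values; tune them per environment.
MIN_QUERIES = 20        # too few queries to judge a domain below this
MIN_LABEL_LEN = 20      # encoded payload labels are long
MIN_ENTROPY = 3.0       # bits/char; hex or base32 payloads sit near 4
MIN_UNIQUE_RATIO = 0.9  # tunnels send a fresh name per query to defeat caching

def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Last two labels of the name (simplification: no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def profile_domains(queries):
    """Aggregate (client, qtype, qname) tuples into per-domain features."""
    stats = defaultdict(lambda: {"count": 0, "names": set(),
                                 "label_len": 0, "entropy": 0.0})
    for _client, _qtype, qname in queries:
        dom = registered_domain(qname)
        s = stats[dom]
        s["count"] += 1
        s["names"].add(qname.lower())
        sub_labels = qname.rstrip(".").lower().split(".")[:-2]
        longest = max(sub_labels, key=len) if sub_labels else ""
        s["label_len"] += len(longest)
        s["entropy"] += shannon_entropy(longest)
    return stats

def flag_tunnel_candidates(queries):
    """Return the set of domains whose aggregate features look like a tunnel."""
    flagged = set()
    for dom, s in profile_domains(queries).items():
        n = s["count"]
        if n < MIN_QUERIES:
            continue
        if (s["label_len"] / n >= MIN_LABEL_LEN
                and s["entropy"] / n >= MIN_ENTROPY
                and len(s["names"]) / n >= MIN_UNIQUE_RATIO):
            flagged.add(dom)
    return flagged

def constructed_log():
    """Constructed sample: ordinary lookups plus a tunnel-like pattern."""
    normal = [("10.0.0.5", "A", "www.example.com")] * 30
    normal += [("10.0.0.5", "AAAA", "mail.example.com")] * 5
    normal += [("10.0.0.7", "A", "static.cdn.example.org")] * 25
    tunnel = []
    for i in range(60):
        # 48 hex chars standing in for an encoded payload chunk (constructed)
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]
        tunnel.append(("10.0.0.9", "TXT", f"{chunk}.t.example.net"))
    return normal + tunnel
```

Run `flag_tunnel_candidates(constructed_log())` to see only the tunnel-like domain flagged; a real deployment would feed it a sliding window of resolver logs and add per-client counters.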

~~~
peteretep
> It may not survive to deep packet inspection

I'd love to hear about your plans for "deep packet inspection" on SSL
packets...

> your only S3 machine could get blacklisted

I thought the whole reason the original article was suggesting S3 was so that
you could just spin up a random Micro instance, with a new IP address.

~~~
A1kmm
You could identify it as ssh vs SSL because they have different unencrypted
headers. So systems which check that you are speaking SSL on port 443 would
block ssh.

~~~
peteretep
Which headers do you believe are sent in the clear over https?

~~~
regularfry
With HTTPS you get a handshake Client Hello packet sent in the clear, which
has a TLS version identifier and a plaintext session ID among other things.
With SSH2, you get a literal "SSH-2.0" as part of the protocol identifier
which appears before the key exchange.
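
To make the point above concrete from the network-monitoring side, here is an added example (not code from the thread or from any tool named in it) that fingerprints the first payload bytes a middlebox sees from either peer: a TLS ClientHello exposes its version fields and session ID in the clear, while an SSH peer opens with a literal identification string. The sample ClientHello, SSH banner and HTTP request are constructed inline; the field layouts follow RFC 5246 and RFC 4253.

```python
"""Classify the first payload bytes on a TCP connection as a TLS ClientHello
or an SSH identification string, extracting the plaintext fields each exposes.
Added example: a minimal protocol fingerprint, not a full TLS/SSH parser."""
import struct


def parse_tls_client_hello(data: bytes):
    """Return the plaintext ClientHello fields, or None if data is not one."""
    # TLS record header: content type 0x16 (handshake), version 3.x, length
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    # Handshake header: msg type 0x01 (ClientHello), 3-byte length
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # client_version(2) random(32) session_id_len(1) session_id(...)
    if len(hello) < 35 or len(hello) < 35 + hello[34]:
        return None
    sid_len = hello[34]
    return {"kind": "tls-client-hello",
            "record_version": (data[1], data[2]),
            "client_version": struct.unpack("!H", hello[:2])[0],
            "session_id": hello[35:35 + sid_len].hex()}


def parse_ssh_banner(data: bytes):
    """Return SSH identification fields (RFC 4253 section 4.2), or None."""
    if not data.startswith(b"SSH-"):
        return None
    line = data.split(b"\n", 1)[0].rstrip(b"\r")
    parts = line.decode("ascii", "replace").split("-", 2)
    if len(parts) < 3:
        return None
    return {"kind": "ssh", "protoversion": parts[1],
            "software": parts[2].split(" ", 1)[0]}


def classify(data: bytes) -> dict:
    """Fingerprint the first bytes sent by either peer on a connection."""
    return parse_ssh_banner(data) or parse_tls_client_hello(data) or {"kind": "unknown"}


def build_client_hello(session_id: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record (one cipher suite)."""
    hello = (b"\x03\x03" + b"\x11" * 32            # client_version, random
             + bytes([len(session_id)]) + session_id
             + b"\x00\x02\x00\x2f"                  # cipher_suites: 1 suite
             + b"\x01\x00")                         # compression: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a TLS ClientHello, an SSH banner, and plain HTTP
TLS_SAMPLE = build_client_hello(bytes(range(16)))
SSH_SAMPLE = b"SSH-2.0-OpenSSH_6.0p1 Debian-4\r\n"
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for sample in (TLS_SAMPLE, SSH_SAMPLE, HTTP_SAMPLE):
        print(classify(sample))
```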

------
greenyouse
Instead of using an Amazon machine, why not use a low-power ARM device? I have
been running a small ARM computer at home for doing sshuttle, iodine, and
samba over ssh (with port binding) for the past few weeks and it works very
well. I know tcp over tcp is usually not good but it still works quickly for
some reason. This costs less than a VM on Amazon and gives you more
flexibility.

A nicer sshuttle command for VPN may be:

    $ ./sshuttle -v --remote=server_USERNAME@serverIP:port_number --dns 0/0

If you sshuttle to your home router you may be able to samba or nfs to the ARM
on your home network (using tcp and udp, I think).

Alternatively, SSHFS or something more normal could be used for mounting the
ARM filesystem without a VPN, but if you want to try Samba over SSH you could
try:

    $ ssh -C -c blowfish -L[host_bind_port]:localhost:445 server_USERNAME@serverIP
    $ mkdir /Users/username/mount_spot
    $ mount -t smbfs //server_USERNAME@localhost:[host_bind_port]/server_drive ~/mount_spot

Tools like rsync over SSH and UFTP are also nice for moving large files to and
from the ARM server.

I tried making an Instructable on this last week but it's kinda poor:
<http://www.instructables.com/id/Personal-ARM-Cloud-Server/>

~~~
pflanze
The sshuttle docs explicitly mention that it doesn't do TCP over TCP (rather,
as I understand, it's a transparent TCP proxy). I wonder how it handles UDP,
my main interest in a VPN is for VoIP (SIP); I guess turning UDP into TCP
still won't fly for this, especially over 3G. I guess I'll have to try it.

------
Splines
If you run an openwrt/dd-wrt firmware on your home router you can bounce off it
too. Just configure ssh access on it and you have pretty much the same thing.

~~~
cysun
How do you make sure no one else is using your home router proxy?

~~~
nitrogen
Instead of setting up a standard proxy, you set up a standard ssh server,
which can act as and/or tunnel to an internal proxy (e.g. by using the _ssh
-D_ option to create a SOCKS proxy).

------
sspiff
I've been doing something similar for almost 8 years now. I wrote a Ruby
script to do the heavy lifting of tunneling all my TCP traffic through an
HTTPS proxy.

It's about 160 lines of code, you can find it at
<https://github.com/wvdschel/ProxyBash>.

I first wrote it to circumvent the firewall at a summer job to be able to
connect to IRC, and I recently got it out of the dust to do something similar
at my current job. I couldn't use anything pre-existing, because I was on a
tightly locked down Windows system. This approach only required some kind of
portable Ruby runtime.

Corkscrew does pretty much the same thing, but my script doesn't require an
SSH server to run on port 443 and does away with SSH encryption for most
connections. The latter can be either a good or a bad thing, depending on your
use case.

------
lobo_tuerto
I know this is a bit different, but maybe you could modify it a bit so you
don't need sshuttle?

<http://blog.mixu.net/2009/05/05/how-to-watch-hulu-videos-via-ssh-tunneling/>

Just make your server listen for ssh on port 80 or 443, and then tunnel away!

~~~
ciupicri
Also if an application does not support SOCKS, there is tsocks[1]. tsocks is a
library to allow transparent SOCKS proxying. It wraps the normal connect()
function.

[1] <http://tsocks.sourceforge.net/>

~~~
irishcoffee
Thanks much for the link

------
jamescun
You can also configure any OpenSSH Server/Client (v4.3 or greater) into a
fully-fledged VPN (as opposed to port tunnelling). Granted there are more
steps involved in connection than say, OpenVPN, however it is still relatively
simple and you get a nice little VPN.

------
mbreese
I'm pretty sure that you could also set up an OpenVPN server. It can be
configured to listen over TCP port 443, so it can also get past proxies. It
may be a bit more setup on the server-side, but it should be a lot easier on
the clients.

~~~
olalonde
In my experience, it is way more complicated on the server side and client
support isn't that great either (no native iPhone/Android support last I
checked). pptpd on the other hand is pretty easy to set up on the server side
and has excellent client support. The only drawback is that it is less secure
than OpenVPN.

~~~
mbreese
The PPTP encryption scheme is less secure, but the other problem is that it
might be blocked at the firewall. If I remember my VPNs correctly, PPTP uses a
different port and protocol (GRE), so it can easily be blocked by overly
restrictive firewalls.

OpenVPN, on the other hand, can go through TCP 443, which is all but
guaranteed to be unblocked.

But, you're right that there isn't any iPhone support for non-jailbroken
phones. I'm not sure about Android, but I see less of a problem getting it
working on an Android phone.

------
jdc0589
Well I'll throw my solution in as well. However, it is only intended for web
traffic, nothing else (useful for getting around firewalls, filters, etc.).

I have squid running on a VPS, but NOT exposed externally (and it has basic
auth). Then just set up an ssh tunnel "ssh -f user@mydomain.com -L
3128:mydomain.com:3128 -N" and now you have a proxy server available on
localhost:3128. Then it's as simple as pointing a single proxy-supporting app,
your OS-wide proxy settings, etc., to localhost:3128 with the correct basic
auth credentials and you are in business.

I use this on Linux and Windows (Cygwin) every day; works beautifully.

------
chetan51
Sidestep (<http://chetansurpur.com/projects/sidestep/>) is a great way to have
this automatically happen when you connect to the network.

------
octopine
I use this setup on my laptop (mac specific). I have an ssh server listening
on port 443 on a linux machine in the basement of some university somewhere.

.ssh/config

    Host bouncebox
    Port 443

/usr/local/bin/prox

    #!/bin/bash
    # Toggle the macOS system-wide SOCKS proxy for the Wi-Fi service:
    # "prox off" disables it, anything else points it at localhost:12345.
    # "$1" is quoted so the test does not break when no argument is given.
    if [ "$1" == 'off' ]; then
      echo "Disabling Proxy..."
      networksetup -setsocksfirewallproxystate "Wi-Fi" off
    else
      echo "Enabling Proxy on port 12345"
      networksetup -setsocksfirewallproxy "Wi-Fi" localhost 12345
    fi

Just type `prox; ssh -D 12345 bouncebox`

------
simias
While it's not as comprehensive as full traffic redirection, I host a
shellinabox[1] over HTTPS on my server that I use when SSH is disabled. It's
quite convenient when I want a shell from anywhere quickly since there's
nothing to set up.

I also have an openvpn for when I want full tunneling, but that takes more
time to set up properly.

[1] <https://code.google.com/p/shellinabox/> (there are quite a lot of others
web-based terminals if this one doesn't suit you)

~~~
pflanze
I've written a script[1] to do the setup for me, using preshared keys
transparently. I'm sometimes running into an issue where the UDP packets stop
reaching the server, but that may be my ISP.

[1] <https://github.com/pflanze/openvpn-tunnel-setup>

------
mastahyeti
Alternatively, this is much more sneaky: run an obfuscated tunnel. Most
firewalls will allow egress DNS, for example, so tunnel your TCP over DNS. This
will also allow you to sneak out of pay-for wifi setups like at the airport.
<http://analogbit.com/software/tcp-over-dns>

------
altano
I've done this with my Windows Home Server. You just turn on VPN, and then on
my ThinkPad with WiMax, I have it automatically VPN in whenever I switch
antennae. Never have to worry about what content is being restricted, what
kind of shaping the hotel wifi is doing, or what snooping fellow coffee-shop
goers are engaging in.

------
dfc
Or just run tor and turn on the restrictive/fascist firewall option with ports
80 and 443. No EC2 instance needed...

------
pasbesoin
I long ago learned that effective public wifi means a VPN over SSL/443.

My concern is that this knowledge -- about VPN's, much of the "for dummies"
versions using 443 -- is becoming mainstream. Whereupon there will be further
escalation.

(As long as it was a niche, it was missed or ignored by many "public wifi"
providers.)

------
jhull
You can use the HideMyAss VPN service. I used it to stream the Olympics:
<http://engineerwithoutacause.com/how-to-stream-2012-olympics-live-from-anywhere-in-the-world.html>

------
firefoxman1
Ah, the classic SSH tunnel. I used to use something similar to bypass the
blocks in high school. I used PuTTY to set up an SSH tunnel to my home server
and it would host a local proxy port for the browser to use.

------
yottabyte47
Megabus isn't blocking traffic, their Wi-Fi is cellular-based and being shared
with everyone else on the bus. Therefore: slow and crappy.

~~~
rogueleaderr
They're doing something...web sites eventually resolve, but any SSH connection
always times out.

------
ChuckMcM
This is a great trick. I've done it with my home server with great success;
using an EC2 server is an even better solution.

------
chris_wot
Why not just do port forwarding from port 80 to the ssh port (forget the
number) on your home router/Linux gateway?

------
mastahyeti
`ssh -D 1337 me@mysite.me` <-- Does dynamic port forwarding (SOCKS proxy)...

------
drivebyacct2
This won't work with a variety of even quasi-intelligent filters. In fact,
it's shameful that this works anywhere near as much as it does.

This is way overkill anyway.

Change the SSHD port (since the filters are naive enough to just whitelist
ports apparently), then run `ssh -D 8080 user@ec2-instance:80` and voila, you
have a SOCKS proxy that will proxy any traffic, including DNS requests. (and
good OSes will easily allow you to utilize that proxy system wide)

~~~
ajross
Except that port 80 is often intercepted by transparent proxies and the
non-HTTP traffic will get dropped. Using port 443 is more reliable as, except
in the most restricted environments, presumptive HTTPS is passed straight
through.

~~~
lloeki
In that case use GNU httptunnel[0].

The tool needs an update or two regarding a few features (notably it only
supports a single tunnel at once), but it pierces through literally any HTTP
proxy, since it's really HTTP and not some CONNECT trick over SSL.

Then you just use your favorite OpenVPN over that, and make all traffic
(including DNS, and except your httptunnel endpoint) go over it.

[0] <http://www.nocrew.org/software/httptunnel.html>

~~~
ajross
Not "literally" any HTTP proxy, as IDS systems have very little trouble
distinguishing tunneled traffic from real web sessions. If someone wants to
block you, they will. My point was more: If you're going to pick a port other
than 22 to avoid networks that block "ssh", 443 is probably the best choice.

