Random notes from mg

a blog by Marius Gedminas

Marius is a Python hacker. He works for Programmers of Vilnius, a small Python/Zope 3 startup. He has a personal home page at http://gedmin.as. His email is marius@gedmin.as. He does not like spam, but is not afraid of it.

Sun, 11 Oct 2009

Escaping hotel firewalls with ssh over port 80

I booked a stay at a particular hotel because the web page said "Free WiFi". It didn't say "all outgoing ports firewalled except for port 80 and a few other (useless) ones". Not having SSH access is most painful. Luckily, there's a solution.

You need a web server of your own that runs both Apache and sshd. Enable mod_proxy and mod_proxy_connect and add the following to the first (i.e. default) virtual host on port 80. It has to be the default one: a CONNECT request names the tunnel target (localhost:22) rather than your site's hostname, so it matches no named virtual host and Apache hands it to the first one defined for that address and port. With this in place Apache accepts HTTP CONNECT requests for port 22 and relays the raw TCP stream to the sshd on the same machine:

<VirtualHost whatever:80>
...

  # allow ssh to localhost over http proxy
  ProxyRequests on
  AllowCONNECT 22
  <Proxy localhost>
    Order allow,deny
    Allow from all
  </Proxy>

</VirtualHost>
Reload the Apache configuration and the server side is done. (Instructions based on Tunneling SSH over HTTP(S) by Dag Wieers.) Two things to know before leaving it running: ProxyRequests on turns this virtual host into a forward proxy for anyone who can reach port 80, and the snippet above only adds an allow rule for localhost without denying anything else, so unless you also deny other proxy destinations you are running an open proxy. AllowCONNECT 22 restricts CONNECT tunnels to port 22, but on any host, and says nothing about plain proxied GET requests. Also, the Order/Allow syntax is Apache 2.2; Apache 2.4 replaced it with Require directives.
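Here is a tightened version of the same virtual host, added as an example rather than copied from the post or from Dag Wieers' page. It assumes the server name myserver.mydomain.com used in the ~/.ssh/config entry further down, keeps the Apache 2.2 access-control syntax the post uses, and notes the Apache 2.4 equivalents in comments:

```apache
<VirtualHost *:80>
    # Assumed name. Any name-based vhosts for real sites must be listed
    # AFTER this one, so CONNECT requests (which match no ServerName) land here.
    ServerName myserver.mydomain.com

    # Forward-proxy mode is what makes CONNECT work at all.
    ProxyRequests On

    # Only port 22 may be the target of a CONNECT (the default is 443 and 563).
    # This is a port check only; it does not restrict the destination host.
    AllowCONNECT 22

    # Deny every proxied destination by default. Without this block the
    # virtual host is an open forward proxy for anyone who can reach port 80.
    <Proxy *>
        Order deny,allow
        Deny from all
        # Apache 2.4 equivalent: Require all denied
    </Proxy>

    # Then allow the single tunnel endpoint we want: sshd on this host.
    # A later <Proxy> section overrides an earlier one for requests it matches.
    <Proxy localhost:22>
        Order allow,deny
        Allow from all
        # Apache 2.4 equivalent: Require all granted
    </Proxy>
</VirtualHost>
```

After reloading, a plain proxied request such as curl -x myserver.mydomain.com:80 http://example.com/ should come back 403 Forbidden while proxytunnel's CONNECT to localhost:22 still succeeds. The <Proxy> argument has to match what proxytunnel sends as its -d argument, so a client using -d 127.0.0.1:22 would need its own section.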

On the client side you need proxytunnel. Sadly, it's not packaged for Ubuntu yet, but compiling from sources is trivial. Edit ~/.ssh/config and add an entry for your proxied ssh connection:

Host pmyservername
ProxyCommand proxytunnel -q -p myserver.mydomain.com:80 -d localhost:22

That's it. Now you can ssh pmyservername. (The p prefix is a reminder that I'm using a proxied connection: ssh fridge versus ssh pfridge. Also it reminds me of Terry Pratchett's Pyramids.)
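To see what proxytunnel does on your behalf, and to check the server side without installing it, here is the HTTP CONNECT exchange performed by hand. This is an added example, not code from the post or from proxytunnel; the proxy and destination names are the assumed ones from the configuration above, and ScriptedSocket replays a constructed reply so the logic can be exercised without a network.

```python
"""HTTP CONNECT by hand: the exchange proxytunnel performs with Apache.

Added example; not code from the post or from proxytunnel. Host names are
the assumed ones from the post's configuration."""
import socket
import sys

PROXY_HOST, PROXY_PORT = "myserver.mydomain.com", 80   # assumed, as in ~/.ssh/config
DEST_HOST, DEST_PORT = "localhost", 22                  # what AllowCONNECT 22 permits


class TunnelError(Exception):
    pass


def build_connect_request(dest_host, dest_port):
    """The request the client sends; mod_proxy_connect answers it. The Host
    header carries the tunnel target, which is why the request matches no
    named vhost on the server and lands in the default one."""
    target = f"{dest_host}:{dest_port}"
    return (f"CONNECT {target} HTTP/1.1\r\n"
            f"Host: {target}\r\n"
            "\r\n").encode("ascii")


def parse_connect_response(data):
    """Return (status_code, reason, leftover). While the header block is
    incomplete return (None, None, data) so the caller keeps reading.
    leftover is whatever followed the blank line: once the tunnel is up that
    is already SSH traffic (the server's "SSH-2.0-..." banner)."""
    end = data.find(b"\r\n\r\n")
    if end == -1:
        return None, None, data
    head, rest = data[:end], data[end + 4:]
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise TunnelError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else ""), rest


# What the codes mean for this setup. 403 is what mod_proxy_connect returns
# when the port is not listed in AllowCONNECT or a <Proxy> section denies it.
HINTS = {
    200: "tunnel established",
    403: "CONNECT refused by the proxy: check AllowCONNECT and the <Proxy> sections",
    407: "the proxy wants authentication (is there another proxy in the path?)",
}


def tunnel(sock, dest_host, dest_port):
    """Negotiate a CONNECT tunnel on a connected socket. On success the socket
    now carries raw TCP to the destination; returns any bytes the proxy has
    already forwarded (usually the start of the SSH banner)."""
    sock.sendall(build_connect_request(dest_host, dest_port))
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise TunnelError("proxy closed the connection before replying")
        buf += chunk
        code, reason, rest = parse_connect_response(buf)
        if code is not None:
            break
    if code != 200:
        raise TunnelError(f"{code} {reason}: {HINTS.get(code, 'tunnel not established')}")
    return rest


def looks_like_ssh(first_bytes):
    """An SSH server identifies itself with a line starting 'SSH-'."""
    return first_bytes.startswith(b"SSH-")


class ScriptedSocket:
    """Offline stand-in for a connected socket: replays a constructed reply
    and records what was sent. For demonstration only."""
    def __init__(self, reply):
        self.reply, self.sent = reply, b""

    def sendall(self, data):
        self.sent += data

    def recv(self, n):
        chunk, self.reply = self.reply[:n], self.reply[n:]
        return chunk


if __name__ == "__main__":
    if "--live" in sys.argv:    # real check against your own server
        with socket.create_connection((PROXY_HOST, PROXY_PORT), timeout=10) as s:
            first = tunnel(s, DEST_HOST, DEST_PORT) or s.recv(256)
            print("ssh banner seen:" if looks_like_ssh(first) else "no ssh banner:", first)
    else:                       # constructed replies, no network needed
        good = ScriptedSocket(b"HTTP/1.0 200 Connection Established\r\n"
                              b"Proxy-agent: Apache\r\n\r\nSSH-2.0-OpenSSH_5.1p1\r\n")
        print("ok:", tunnel(good, DEST_HOST, DEST_PORT))
        try:
            tunnel(ScriptedSocket(b"HTTP/1.1 403 Forbidden\r\n\r\n"), DEST_HOST, DEST_PORT)
        except TunnelError as e:
            print("refused:", e)
```

Run it with --live from the hotel network to confirm the tunnel comes up; a 403 in the error message points straight at AllowCONNECT or the <Proxy> sections on the server.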

For extra fun (e.g. IRC) use ssh's built-in SOCKS proxy: ssh -D 1080 pmyservername makes ssh listen on localhost port 1080, speaking SOCKS4 and SOCKS5, and forwards each connection out through the server. Then tell the apps to use a SOCKS5 proxy at localhost:1080. Since telling each app to use a proxy (and then, later, telling it to stop using it) is a big *pain*, and some apps (e.g. ssh itself) have no proxy setting of their own, a wrapper like tsocks is handy: it is loaded into the program with LD_PRELOAD and redirects its connect() calls to the SOCKS server. Two limitations follow from that: statically linked programs cannot be wrapped, and tsocks only catches TCP connect(), so DNS lookups still go out over the hotel's network unproxied. Edit /etc/tsocks.conf, set the default server to 127.0.0.1 and the port to 1080, then use it to run apps:

$ tsocks xchat-gnome
$ tsocks bzr push lp:myprojectname

tsocks is packaged for Ubuntu.
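The SOCKS5 exchange that tsocks (or any SOCKS-aware app) has with the ssh -D listener, written out by hand as an added example; this is not code from the post, from OpenSSH or from tsocks. It assumes the listener opened by ssh -D 1080 above. The DNS point from the previous paragraph is visible in build_connect: tsocks only sees connect(), by which time the app has already resolved the name through the hotel's DNS, whereas a client that puts the hostname into the SOCKS request (address type 3) has the ssh server resolve it at the far end.

```python
"""SOCKS5 by hand, as spoken to the listener that `ssh -D 1080` opens.

Added example; not code from the post, from OpenSSH or from tsocks."""
import socket
import struct

SOCKS_HOST, SOCKS_PORT = "127.0.0.1", 1080   # where ssh -D 1080 listens

REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def build_greeting():
    # VER=5, NMETHODS=1, METHOD 0x00 = no authentication (all that ssh -D offers)
    return b"\x05\x01\x00"


def parse_method_choice(data):
    """The server picks one of the offered methods; 0xff means none acceptable."""
    if len(data) != 2 or data[0] != 5:
        raise ValueError(f"not a SOCKS5 method reply: {data!r}")
    if data[1] != 0:
        raise ValueError("server insists on an auth method we did not offer")
    return data[1]


def build_connect(host, port, remote_dns=True):
    """CMD=1 (CONNECT). A literal IPv4 address goes as ATYP 1. A hostname goes
    as ATYP 3 when remote_dns is on, so the ssh server resolves it. With
    remote_dns off we do what tsocks effectively does: resolve locally first,
    which sends the lookup through the hotel's DNS."""
    try:
        addr = b"\x01" + socket.inet_aton(host)
    except OSError:
        if remote_dns:
            name = host.encode("idna")
            if len(name) > 255:
                raise ValueError("hostname too long for SOCKS5")
            addr = b"\x03" + bytes([len(name)]) + name
        else:
            addr = b"\x01" + socket.inet_aton(socket.gethostbyname(host))
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def parse_connect_reply(data):
    """Return (bound_addr, bound_port) on success, None while more bytes are
    needed, and raise ConnectionError with the server's reason on failure."""
    if len(data) < 4:
        return None
    ver, rep, _rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != 5:
        raise ValueError(f"not a SOCKS5 reply: {data!r}")
    if atyp == 1:
        alen = 4
    elif atyp == 4:
        alen = 16
    elif atyp == 3:
        if len(data) < 5:
            return None
        alen = 1 + data[4]
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(data) < 4 + alen + 2:
        return None
    if rep != 0:
        raise ConnectionError(f"SOCKS5 CONNECT failed: {REPLY_TEXT.get(rep, rep)}")
    raw = data[4:4 + alen]
    (port,) = struct.unpack("!H", data[4 + alen:6 + alen])
    if atyp == 1:
        bound = socket.inet_ntoa(raw)
    elif atyp == 3:
        bound = raw[1:].decode("idna")
    else:
        bound = socket.inet_ntop(socket.AF_INET6, raw)
    return bound, port


def socks5_connect(host, port):
    """Open a TCP connection to host:port through the ssh -D listener and
    return the socket, which now carries plain application traffic."""
    s = socket.create_connection((SOCKS_HOST, SOCKS_PORT), timeout=10)
    s.sendall(build_greeting())
    parse_method_choice(s.recv(2))
    s.sendall(build_connect(host, port))
    buf = b""
    reply = parse_connect_reply(buf)
    while reply is None:
        chunk = s.recv(64)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
        reply = parse_connect_reply(buf)
    return s


if __name__ == "__main__":
    # Run while `ssh -D 1080 pmyservername` is up: the ssh server resolves
    # example.com, and the hotel sees only the port-80 connection to your server.
    with socks5_connect("example.com", 80) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: example.com\r\n\r\n")
        print(s.recv(200).decode("latin-1"))
```

The parsers return None rather than raising while the reply is short, so the same code works whether the listener sends the reply in one segment or several.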

If your hotel doesn't have free WiFi, a prepaid SIM card with 3G access could be cheaper than roaming charges. Apparently you can get one with a virtually unlimited (for a short stay, anyway) data plan for 27 EUR in Amsterdam.

posted at 23:09 | 9 comments
Complain loudly at the reception about the uselessness of the "free WiFi" and false advertising.
posted by Albertas Agejevas at Mon Oct 12 00:11:35 2009
You said "and a few other (useless) ports", but you could obviously tunnel SSH over those ports.

Also, you might consider one of the various solutions for tunneling over DNS.
posted by Anonymous at Mon Oct 12 02:11:40 2009
Very useful post, thanks!  Unless you are already planning to do it, I will package proxytunnel for the N900.
posted by Graham Cobb at Mon Oct 12 23:51:36 2009
Re those "useless ports": I haven't run nmap or anything, so I don't know what exactly was allowed, but I could access IMAP and one of my two Jabber servers.
posted by Marius Gedminas at Tue Oct 13 09:00:58 2009
I am a frequent traveler, and not being able to send emails is a real pain.
YES I can use a Web-Mail client and probably hook up to our Exchange server, BUT using my regular email program would simplify things.
Can somebody write a MAEMO 5 App for the above that a NON coder can operate? Then all frequent travelers like me will be VERY happy.
posted by Nils Wiklund at Tue Oct 13 11:14:13 2009
Great post Marius - I had this same problem too in Amsterdam at the Art Hotel. I think it is annoying when they cripple the network that way and I certainly won't stay at that hotel next time in A'dam.

@Nils Wiklund - This is a little tricky to do because you need to have access to a web server. Someone could maybe set that up for you and then create a client-side hack which would do the tunneling but this is really more of an administrative hack. The real solution is a social one: Hotels should not cripple the network.
posted by jeremiah at Thu Oct 15 14:49:49 2009
I've got port 110 (pop), redirected to 22. Works well for me and doesn't require any tools for as long as you don't use pop.
posted by x29a at Mon Nov 2 14:30:30 2009
Yeah, tunneling through DNS is an interesting alternative.  Albeit slow:

http://www.dnstunnel.de/

Plus, it requires a registered domain name and single-use access to the appropriate DNS configuration.
posted by s2 at Sun Mar 28 22:41:47 2010
Looks good. I also found this which is a bit more detailed:

http://www.saulchristie.com/how-to/bypass-firewalls

Same as yours really but talks about using ssl too. You might need that as sometimes you can't get HTTP CONNECT to work with HTTP on port 80, but only on 443 as it's an SSL thang.
posted by Johan at Sat Apr 24 12:40:06 2010
