Passing through corporate firewall

Well, at least from inside your corporate network ;-) to surf, chat and more anonymously.

After reading this blog article (thanks, man) and its comments, I tried it and I have to say that I was pleasantly surprised by how easy it was. I didn’t know proxytunnel existed, and that’s the key to it (for the theory about establishing an SSH connection through an SSL proxy, see here).

Proxytunnel allows you to establish an SSH connection via a corporate proxy (any proxy that supports the CONNECT command). Here is a schema of the solution I adopted:

Schema                                        | Internet
 ------------   SSL    ---------------   SSL   ----------   SSL 443   ----------------- 
| Windows WS |--------| Company Proxy |-------| Firewall |-----------| Home SSH Server |
|            |        | "CONNECT TO"  |       |          |           |                 |
 ------------          ---------------         ----------             ----------------- 

The other major point in this solution is the use of a SOCKS5 server, which lets you connect to any machine of your internal network with any SOCKS5-compliant software. A SOCKS5 proxy is a proxy at layer 4 of the OSI model. For example, I have been able to establish a VNC connection to a Windows XP machine on my home network with “SmartCode VNC Manager”, which has SOCKS5 capabilities.

Here are the steps I followed.

1) First check the prerequisites

Tools needed on the client side (we’ll assume it runs on Windows)

Server side prerequisites:

  • SSH daemon and that’s it.
  • Port 443 opened.
  • Optional: xinetd or a NAT tool to do port redirection (I used OpenBSD packet filter to redirect connections on port 443 on my Internet gateway to an internal Linux server in my home network).

2) SSH server configuration

The only thing to do is to configure it to listen on port 443 and allow root login. Or you can use xinetd or any NAT tool (PF, Netfilter…) for port redirection and leave the server running on port 22.

3) Client SSH configuration

In a cygwin terminal, create a $HOME/.ssh/config file and add the following lines:

Host myserver
    KeepAlive yes
    ProxyCommand path_to_proxytunnel/proxytunnel.exe -g proxy_ip_address -G proxy_port -d ssh_server_address -D ssh_server_port

The ssh server port should be 443.

4) Establish the ssh tunnel

In one command, you establish an SSH tunnel with SOCKS5 capabilities to your remote SSH server.

# ssh -D 1080 -l root myserver

Update: use -N to avoid opening a shell and -C for compression.

Actually, -D enables dynamic port forwarding and listens on local port 1080. Connections are tunneled through SSH and, on the other side of the tunnel, are made by the remote SSH server (which behaves as a SOCKS proxy). ssh also understands the SOCKS5 protocol, so you now have a SOCKS5 server listening locally on port 1080. The SOCKS connections are tunneled and executed remotely by your SSH server.

5) Configure your workstation software to use the SOCKS5 server on port 1080 on localhost and enjoy.

Note that you can use the IPs of your remote internal network: you have created “a kind of VPN” for SOCKS5-compliant software. For example, let’s say that you have on your home network a web server that runs on the private address You can now reach it by typing in Firefox

Also, don’t forget to use a firewall on your workstation, or your coworkers will gladly connect to your SOCKS5 proxy.
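Seen from the company proxy, the tunnel built in steps 3 and 4 is a single CONNECT to port 443 that stays open for as long as the ssh session runs, which is what distinguishes it from a browser's short TLS sessions. As an added example (not part of the original post), the script below parses constructed Squid-format access.log lines and flags CONNECT sessions held open longer than a threshold; the log lines, host names, user names and the 30-minute threshold are all assumptions.

```python
"""Flag long-lived proxy CONNECT sessions that may be carrying an SSH tunnel."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in Squid "native" access.log format:
# time elapsed_ms client action/code bytes method url user hierarchy type
SAMPLE_LOG = """\
1136073600.101    5231 10.10.4.17 TCP_TUNNEL/200 18342 CONNECT www.example.com:443 jdoe HIER_DIRECT/93.184.216.34 -
1136073610.220     412 10.10.4.17 TCP_MISS/200 9120 GET http://www.example.com/index.html jdoe HIER_DIRECT/93.184.216.34 text/html
1136073700.555 7213000 10.10.4.42 TCP_TUNNEL/200 52104433 CONNECT home.example.net:443 asmith HIER_DIRECT/203.0.113.9 -
1136073800.901 2400000 10.10.4.42 TCP_TUNNEL/200 91000 CONNECT mail.example.com:443 asmith HIER_DIRECT/198.51.100.7 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)

@dataclass
class Tunnel:
    client: str
    user: str
    dest: str       # host:port given to CONNECT
    minutes: float  # how long the CONNECT stayed open
    bytes: int      # bytes relayed by the proxy on that session

def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_long_tunnels(log_text: str, min_minutes: float = 30.0) -> list:
    """Return CONNECT sessions held open for at least min_minutes.
    A browser's TLS session is short-lived; 'ssh -N' through proxytunnel holds
    a single CONNECT open for as long as the tunnel exists."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f["method"] != "CONNECT":
            continue
        minutes = int(f["elapsed"]) / 60000.0   # Squid logs elapsed time in ms
        if minutes >= min_minutes:
            hits.append(Tunnel(f["client"], f["user"], f["url"], minutes, int(f["bytes"])))
    return hits

if __name__ == "__main__":
    for t in find_long_tunnels(SAMPLE_LOG):
        print(f"{t.client} ({t.user}) -> {t.dest}: {t.minutes:.0f} min, {t.bytes} bytes")
```

On the constructed sample only the two sessions from 10.10.4.42 are reported; a real deployment would tune the threshold against the site's own baseline of CONNECT durations.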

Broadcasting music with Itunes on your corporate Network

Well, since most companies don't allow their employees to host mp3s on servers, especially on production servers ;-) here's a little trick, if you have a machine connected to the internet at home (with a fixed IP address or dyndns to easily connect to it), to listen to your mp3s.

Once again it uses an SSL tunnel and SSH (see my previous post) to connect through your corporate firewalls and proxies to your home machine. As an iTunes server I chose to use the mt-daapd daemon on a Linux server. Here are the steps:

1) On your home machine configure the mt-daapd daemon. This step mostly consists in choosing the directory where your mp3s are.

2) Configure ssh on your corporate machine to use stunnel (See my previous post)

3) Configure the SSH daemon at home (see my previous post)

4) On your local machine, use the RendezvousProxy tool as a proxy for the Rendezvous protocol. iTunes uses the Rendezvous protocol to automatically discover any iTunes server. It works with multicast packets (I haven't investigated it that much). Configure RendezvousProxy to listen on port 3690, for instance, and use the daap.tcp plugin.

5) Establish the SSL tunnel:

# ssh -N -C -L 3690:mp3remotehost:3689 user@homegateway

Where -N does not open a shell, -C is for compression, and -L is for port forwarding. 3690 is the local port opened on your machine. mp3remotehost and 3689 are the hostname and port of your mt-daapd server. user and homegateway are the user and host of your home gateway, with which you establish the SSH connection.

6) Start iTunes and your server should be listed in the left pane.

I have tested it with my home internet connection, which is a DSL connection with 256 Mbits/s upload capabilities, and it rocks. No need to tell your coworkers who use iTunes that you host an mp3 broadcasting server, because if they are in the same LAN, they all should see it…

Also ask your network administrator to route IP multicast packets for the RDV address to make your whole company enjoy your mp3 server ;-)