The Pan Galactic Guide to Connectivity

Connectivity while traveling is a pain. I’m trying to put all the various tricks and tips for connectivity in one place so I can easily reference them while on the road. These instructions are for Linux, because what I’m usually bringing on trips is a little Chromebook with Ubuntu or GalliumOS.

Situations

• You can SSH but want to access the web
• You want SSH but they block the SSH ports
• You have SOCKS but want SSH
• You can SSH but really want a VPN
• You can ping your site but can’t access the web
• You can’t ping but can get DNS resolution
• You have only an untethered phone

Using SOCKS over SSH

If you can SSH, then there is an easy way to get a SOCKS server with the -D option:

ssh -D 3128 you@yourdomain.com

and then just use the browser settings to go through the SOCKS proxy, or you can use an extension to switch settings – I use FoxyProxy since I’m usually juggling a bunch of different proxies.

You’ll want to make sure that your DNS is forwarded over the proxy. You can go to dnsleaktest.com and see if the nameservers found are the ones for your remote servers and not for your current location.

Firefox

1. enter about:config in address bar
2. look for network.proxy.socks_remote_dns and set it to true

Chrome

As of 2017, Chrome should be forwarding DNS requests over SOCKS.

SSH ports are blocked

You can reach the web normally, but can’t SSH into your box because port 22 is blocked.

Preparation

Use 443 for SSH instead of 22.

In /etc/ssh/sshd_config, just add the port:

## What ports, IPs and protocols we listen for
Port 22
Port 443

and then sudo service ssh restart.

Using

ssh -p 443 you@yourdomain.com

Using SSH over SOCKS

Sometimes you have a SOCKS proxy and nothing else, but you want SSH over it. You can use something like this:

ssh -o ProxyCommand='nc -X 5 -x socks.server:port %h %p' ssh.server

i.e., if your SOCKS proxy is at 192.168.0.100 port 3128, then:

ssh -o ProxyCommand='nc -X 5 -x 192.168.0.100:3128 %h %p' you@yourdomain.com

This uses netcat to pipe everything from SSH through SOCKS.

Sshuttle

sshuttle is a neat little utility that forwards everything over an SSH connection. Something like:

sshuttle --dns -r you@yourdomain.com:port 0/0

will redirect everything over the SSH connection. So, given an SSH connection, you have essentially a full VPN.

See Also

• Man page
• Github page
• ReadTheDocs

Ptunnel

You can ping, but that’s it – the rest of the web is blocked by the portal. So, just run your traffic with ICMP packets.

Preparation

On the server, you’ll have ptunnel running.

sudo ptunnel -x password

Client:

sudo ptunnel -p yoursite.com -lp 8888 -da destinationhost -dp 22 -x password

Where -p is the server name, -lp is the local port number that is redirected, -da is the destination (usually localhost, but can be a different server), and -dp is the destination port (almost always 22, for SSH).

After it is set up you can ssh into destination host with:

ssh -p 8888 you@localhost

Some places block ICMP but do not block UDP, so you can pass a -udp option on both sides (server and client) to use UDP instead… or run two instances, one doing ICMP and one for UDP.

See also

• Man page
• Ping Tunnel

Iodine

Ping doesn’t work, but you get IPs back for domains

Preparation

Set up iodine on the server – more details are here. Note that for real-world situations I’ve had much more luck using the -c option when running iodined.

Using

Run iodine on the client with sudo iodine -P password tun.yourdomain.com. Now, use the server tunnel IP to access your box, i.e. ssh you@tunnel-ip to SSH to the box. Use SSH to set up SOCKS or sshuttle to redirect all traffic over the link.

See also

• Iodine
• DNS Tunneling on Mac OS X
• NStun script
• IP tunnel over DNS HOWTO with Iodine

Ad Hoc plus Sshuttle

Sometimes, all you have is a non-tethered phone running a SOCKS server.

Preparation

Build and install rickyzhang82/tethering.

Using

Set up a local ad hoc network. This can allegedly be done from the Connections menu, but I have never gotten that to work, and in case you run into the same problems, you can use hostapd.

sudo service network-manager stop
sudo ifconfig wlp1s0 169.254.128.1 netmask 255.255.255.0
# or: sudo ip addr add 169.254.128.1/255.255.255.0 dev wlp1s0
sudo hostapd hostapd.conf

where hostapd.conf is

interface=wlp1s0
hw_mode=g
channel=1
ieee80211d=1
country_code=US
ieee80211n=1
ieee80211ac=1
wmm_enabled=1

ssid=tether
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=password

At this point you may not have a default route; do a sudo route to check. If not, add a default route with a sudo route add default dev wlp1s0.

Connect the iPhone to the ad hoc network. Assign an IP to it in your subnet.

Create a local port that connects to your SSH server.

ssh -L2222:localhost:22 -o ProxyCommand='nc -X 5 -x ip.of.socks.phone:3128 %h %p' ip.of.your.server

Note that IPs (not domain names) must be used, because at this point you don’t have access to DNS.

Now sshuttle over:

sshuttle --dns -r you@localhost:2222 0/0

… and it should all work.

All Preparations

• Have a VPN handy – I like siomiz/softethervpn, using Docker for easy deployment
• Open port 443 for SSH
• Run two instances of ptunnel, one for UDP and one for standard ICMP
• Run iodined
• Have ptunnel installed locally
• Have iodine installed locally
• Turn on tethering, or at least have SOCKS app ready

Discussion

Comments are moderated whenever I remember that I have a blog.

Alexandre Fenyo | 2017-03-23 21:02:58

Another case can be covered: you only have access to dig or nslookup and you want to ssh or browse the Internet. Just bootstrap a full VPN over DNS client and get Internet access only with dig (or nslookup) and a simple core Perl installation: http://vpnoverdns.com/hack.html

Reply