Jan 21, 2015

Bypassing restrictive firewalls


The usual company security setup is to block all incoming and outgoing connections, letting through only HTTP(S) traffic.

Now, the trivial way to set this up (and to punch through the firewall) is to simply open port 443 for HTTPS. To bypass this you can set up a VPN or proxy listening on that port.

More restrictive options include a proxy and/or deep packet inspection. Because HTTPS is encrypted via SSL, the proxy acts as a kind of man-in-the-middle. To accomplish this, the proxy makes a secure connection with the site you want to visit and establishes a separate secure connection with the client using its own certificate. Because the certificate the client sees does not match the site's, company computers must have the proxy's own certificate authority installed. Obviously, if you bring your own computer (without the proxy's CA marked as trusted), such connections will fail with a certificate error.

This also causes some privacy concerns when browsing on a corporate network, so in this article we will go through some of the options for maintaining privacy.

The only way through such a proxy is to establish another HTTP proxy or an HTTP tunnel.
An HTTP tunnel encapsulates TCP data in standard HTTP.

http://sebsauvage.net/punching/

The two most common solutions for this are


However, these two didn't work for me.

On a network secured by a proxy that performs deep packet inspection, this data is examined and the tunnel fails: the proxy detects the odd-looking base64 data being passed through and blocks the connection.

Interestingly, another solution did work.

stunnel (https://www.stunnel.org/index.html) creates an SSL tunnel (HTTPS uses SSL), so you will need a server with port 443 open and not otherwise in use.

First, install stunnel:

apt-get install stunnel4 -y

Next, create a configuration file:

nano /etc/stunnel/stunnel.conf

debug = 5
output = stunnel.log
cert = /etc/stunnel/cert.pem
key = /etc/stunnel/key.pem
[ssh]
accept  = 443
connect = 127.0.0.1:22
Generate the server's certificate (self-signed here) and write the key and certificate to the paths the configuration expects, keeping the private key readable only by root:

openssl genrsa -out /etc/stunnel/key.pem 2048
openssl req -new -x509 -key /etc/stunnel/key.pem -out /etc/stunnel/cert.pem -days 1095
chmod 600 /etc/stunnel/key.pem
This will make an SSL tunnel on port 443 which connects to SSH on localhost, port 22. You will use this tunnel to create a SOCKS proxy via SSH.

On the client side, also install stunnel. We will use the Windows version this time.
https://www.stunnel.org/downloads.html
There is also an Android version.

The Windows version includes a sample configuration file that you can leave as is. The only thing to add is a section for the SSL connection to your server:

[my-conn]
client = yes
accept = 127.0.0.1:9922
connect = your.host:443
And that's it. Well, almost.

Fire up PuTTY and navigate to Connection > SSH > Tunnels. Set the source port to 8080, choose Dynamic, then click Add. Then connect with PuTTY to localhost, port 9922 (SSH).

Now you have a SOCKS proxy on localhost port 8080 that uses the SSH service on your server through the SSL tunnel on port 443.

Congrats!
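The setup above carries SSH inside TLS on port 443 under a self-signed certificate, and from the network-defence side that is exactly what a TLS-inspecting proxy can key on: the decrypted payload starts with an SSH identification banner rather than an HTTP request line. The following is an added example, not code from the original post; it runs that check over a few constructed session records, and the record format and field names are assumptions.

```python
import re

# Constructed sample records in the shape a TLS-inspecting proxy might log
# (assumed format): destination, whether the server cert was self-signed,
# and the first bytes of decrypted application data from either side.
SAMPLE_SESSIONS = [
    {"dst": "203.0.113.10:443", "self_signed": True,
     "first_bytes": b"SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n"},
    {"dst": "198.51.100.7:443", "self_signed": False,
     "first_bytes": b"GET / HTTP/1.1\r\nHost: example.com\r\n"},
    {"dst": "203.0.113.22:443", "self_signed": True,
     "first_bytes": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n"},
]

# RFC 4253 identification string: "SSH-protoversion-softwareversion".
SSH_BANNER = re.compile(rb"^SSH-\d\.\d+-")
# HTTP request line or status line.
HTTP_REQUEST = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/\d\.\d")
HTTP_STATUS = re.compile(rb"^HTTP/\d\.\d \d{3}")


def classify_payload(first_bytes: bytes) -> str:
    """Name the protocol that the decrypted TLS payload really carries."""
    if SSH_BANNER.match(first_bytes):
        return "ssh"
    if HTTP_REQUEST.match(first_bytes) or HTTP_STATUS.match(first_bytes):
        return "http"
    return "unknown"


def flag_sessions(sessions):
    """Return (dst, [reasons]) for every session worth an analyst's look."""
    findings = []
    for s in sessions:
        reasons = []
        proto = classify_payload(s["first_bytes"])
        if proto != "http":
            # Port 443 is allowed for HTTPS; anything else inside TLS
            # is a tunnel candidate (the post's setup yields "ssh").
            reasons.append(f"non-http-payload:{proto}")
        if s["self_signed"]:
            # "openssl req -new -x509" produces exactly this kind of cert;
            # an ordinary web site presents a CA-issued one instead.
            reasons.append("self-signed-cert")
        if reasons:
            findings.append((s["dst"], reasons))
    return findings


if __name__ == "__main__":
    for dst, reasons in flag_sessions(SAMPLE_SESSIONS):
        print(dst, ", ".join(reasons))
```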