Expat-IT Tech Bits

Home

Contact

Links

Search this site:

Categories:

/ (287)
  Admin/ (122)
    Apache/ (10)
      HTTPS-SSL/ (4)
      PHP/ (3)
      performance/ (2)
    Cherokee/ (1)
    LAN/ (4)
    LVM/ (6)
    Monitoring/ (2)
      munin/ (2)
    SSH/ (6)
    SSL/ (1)
    Samba/ (1)
    VPN-options/ (6)
      OpenVPN/ (1)
      SSH-Proxy/ (3)
      Tinc/ (1)
      sshuttle/ (1)
    backups/ (17)
      SpiderOak/ (1)
      backuppc/ (5)
      dirvish/ (1)
      misc/ (6)
      rdiff-backup/ (1)
      rsync/ (1)
      unison/ (2)
    commandLine/ (24)
      files/ (8)
      misc/ (10)
      network/ (6)
    crontab/ (1)
    databases/ (15)
      MSSQL/ (2)
      MySQL/ (8)
      Oracle/ (3)
      PostgreSQL/ (1)
    dynamicDNS/ (2)
    email/ (11)
      Dovecot/ (1)
      deliverability/ (1)
      misc/ (1)
      postfix/ (7)
      puppet/ (1)
    iptables/ (3)
    tripwire/ (1)
    virtualization/ (9)
      VMware/ (1)
      virtualBox/ (8)
  Coding/ (14)
    bash/ (1)
    gdb/ (1)
    git/ (3)
    php/ (5)
    python/ (4)
      Django/ (2)
  Education/ (1)
  Hosting/ (27)
    Amazon/ (18)
      EBS/ (3)
      EC2/ (10)
      S3/ (1)
      commandline/ (4)
    Godaddy/ (2)
    NearlyFreeSpeech/ (3)
    Rackspace/ (1)
    vpslink/ (3)
  Linux/ (30)
    Android/ (1)
    Awesome/ (3)
    CPUfreq/ (1)
    China/ (2)
    Debian/ (8)
      APT/ (3)
      WPA/ (1)
    audio/ (1)
    encryption/ (3)
    fonts/ (1)
    misc/ (6)
    remoteDesktop/ (1)
    router-bridge/ (3)
  SW/ (45)
    Micro$soft/ (1)
    browser/ (2)
      Chrome/ (1)
      Firefox/ (1)
    business/ (28)
      Drupal/ (9)
      KnowledgeTree/ (6)
      Redmine/ (2)
      SugarCRM/ (7)
      WebERP/ (2)
      WordPress/ (1)
      eGroupware/ (1)
    chat/ (1)
    email/ (1)
    fileSharing/ (2)
      btsync/ (1)
      mldonkey/ (1)
    graphics/ (2)
    research/ (2)
    website/ (6)
      blog/ (6)
        blosxom/ (3)
        rss2email/ (1)
        webgen/ (1)
  Security/ (15)
    IMchat/ (2)
    circumvention/ (2)
    cryptoCurrency/ (1)
    e-mail/ (4)
    greatFirewall/ (1)
    hacking/ (1)
    password/ (1)
    privacy/ (2)
    skype/ (1)
  Services/ (1)
    fileSharing/ (1)
  TechWriting/ (1)
  xHW/ (14)
    Lenovo/ (1)
    Motorola_A1200/ (2)
    Thinkpad_600e/ (1)
    Thinkpad_a21m/ (3)
    Thinkpad_i1300/ (1)
    Thinkpad_x24/ (1)
    USB_audio/ (1)
    scanner/ (1)
    wirelessCards/ (2)
  xLife/ (17)
    China/ (9)
      Beijing/ (5)
        OpenSource/ (3)
    Expatriation/ (1)
    Vietnam/ (7)

Archives:

  • 2016/07
  • 2016/05
  • 2016/02
  • 2016/01
  • 2015/12
  • 2015/11
  • 2015/06
  • 2015/01
  • 2014/12
  • 2014/11
  • 2014/10
  • 2014/09
  • 2014/07
  • 2014/04
  • 2014/02
  • 2014/01
  • 2013/12
  • 2013/10
  • 2013/08
  • 2013/07
  • 2013/06
  • 2013/05
  • 2013/04
  • 2013/02
  • 2013/01
  • 2012/12
  • 2012/10
  • 2012/09
  • 2012/08
  • 2012/07
  • 2012/06
  • 2012/05
  • 2012/04
  • 2012/03
  • 2012/01
  • 2011/12
  • 2011/11
  • 2011/10
  • 2011/09
  • 2011/08
  • 2011/07
  • 2011/06
  • 2011/05
  • 2011/04
  • 2011/02
  • 2010/12
  • 2010/11
  • 2010/10
  • 2010/09
  • 2010/08
  • 2010/07
  • 2010/06
  • 2010/05
  • 2010/04
  • 2010/03
  • 2010/02
  • 2010/01
  • 2009/12
  • 2009/11
  • 2009/10
  • 2009/09
  • 2009/08
  • 2009/07
  • 2009/06
  • 2009/05
  • 2009/04
  • 2009/03
  • 2009/02
  • 2009/01
  • 2008/12
  • 2008/11
  • 2008/10
  • 2008/09
  • Subscribe XML RSS Feed

    Creative Commons License
    This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
    PyBlosxom

    This site has no ads. To help with hosting, crypto donations are accepted:
    Bitcoin: 1JErV8ga9UY7wE8Bbf1KYsA5bkdh8n1Bxc
    Zcash: zcLYqtXYFEWHFtEfM6wg5eCV8frxWtZYkT8WyxvevzNC6SBgmqPS3tkg6nBarmzRzWYAurgs4ThkpkD5QgiSwxqoB7xrCxs

    Thu, 04 Oct 2012


    /Admin/VPN-options/SSH-Proxy: A Do-It-Yourself Proxy For Those Who Need to Circumvent a Firewall

    Thanks to Jon[2] for reminding me that there is something better then flaky public proxies and the over-taxed Tor network[1]. Tor is still better if you want end-to-end security and anonymity, but if you just want a secure hop out of the local censored network and after that you do not care, renting a cheap server (as little as $8/month at vpslink[3], 100G of bandwidth included) is a simple and easy option.

    Assuming your remote server is called hostname.com, setting up an encrypted tunnel is as simple as executing this on a local terminal (must be root):

    ssh -v -CND 1080 username@hostname.com

    Note that for my own Debian server on the other end of the SSH proxy tunnel, I have found that "username" cannot be "root". I am not sure why this is (and it is definitely counter-intuitive) but if I try to tunnel to the root account on my server, when I try to use the tunnel to browse to a website it does not work and the following error is reported:

    channel 1: open failed: administratively prohibited: open failed

    If I tunnel to an ordinary user account on my server, I get no error and everything works. Go figure.....

    To semi-automate this I created an alias in my ~/.bashrc:

    tunnel="autossh -M 0 -v -CND 1080 username@hostname.com"

    Thereafter, in any terminal, just invoke "tunnel" to create the encrypted tunnel. (To eliminate the password prompt, setup passwordless authentication[6].)

    Any browser can use this proxy, by pointing its proxy setting at localhost and port 1080, with SOCKS 5 turned on. The Firefox FoxyProxy[4] plugin makes this infinitely more flexible by allowing the simultaneous configuration of multiple proxies, and providing fine-grained control over which websites are accessed using which proxies.

    Once FoxyProxy is installed into Firefox, you have the option of selecting any one proxy (or none) for all of your surfing, or associating certain websites with certain proxies and running FoxyProxy in "Patterns" mode. Since youtube is often getting itself blocked, a pattern for youtube would be:

    *.youtube.com/*

    While you are at it, install privoxy[5] and make it your default proxy for websites that have not been diverted to Tor or your just created personal proxy. Privoxy blocks a lot of advertisements and information gathering by nosy websites.

    Finally, note that

    ssh -v -CND 1080 username@hostname.com

    will only allow connections from the localhost. To allow connections from other computers over your local network, start it like this for example:

    ssh -v -CND [192.168.8.58]:1080 username@hostname.com

    This will allow any connections to port 1080 on the machine's exterior network interface. To start this as a persistent service at boot, add the following line to /etc/rc.local:

    su username -c 'autossh -M 0 -v -CND [192.168.8.58]:1080 username@hostname.com'&

    where username is the account you wish the service to run under.

    [1] http://www.torproject.org/
    [2] http://rejon.org/2009/07/access-facebook-through-the-great-firewall-second-line-ssh-tunnel/
    [3] http://blog.langex.net/index.cgi/Hosting/vpslink/
    [4] https://addons.mozilla.org/en-US/firefox/addon/2464
    [5] http://www.privoxy.org/
    [6] http://blog.langex.net/index.cgi/Admin/SSH-SSL/passwordless-ssh-authentication.html

    posted at: 08:39 | path: /Admin/VPN-options/SSH-Proxy | permanent link to this entry

    Sun, 17 Jan 2010


    /Admin/VPN-options/SSH-Proxy: Proxychains Allows Any Application to Use a Proxy

    My SSH Socks5 proxy[1] works great, especially with the addition of autossh, but unlike most web browsers and Pidgin, many applications (particularly on the command line) just do not have proxy support built in.

    Proxychains[2] is a wrapper that redirects all network traffic through a designated proxy. To get it working is very simple. After installing, I made this change to the bottom of /etc/proxychains.conf:

    # defaults set to "tor"
    # socks4 127.0.0.1 9050
    socks5 127.0.0.1 1082

    ie. I commented out the default Tor proxy and added my local SSH socks5 proxy which I have placed on port 1082.

    Then, for instance, to send my gpodder podcatcher through the SSH tunnel, I just start gpodder in a terminal as follows:

    proxychains gpodder&

    Then all of gpodder's network traffic (DNS queries included) go out via SSH through my out-of-country server. And now I have restored access to many blocked podcasts, PGP key servers, and no doubt many other things as they come up. I have been looking for something like this for years.

    [1] http://blog.langex.net/index.cgi/Admin/SSH-Proxy/
    [2] http://proxychains.sourceforge.net/

    posted at: 09:04 | path: /Admin/VPN-options/SSH-Proxy | permanent link to this entry

    Fri, 08 Jan 2010


    /Admin/VPN-options/SSH-Proxy: Use autossh to Fix Frequent Disconnects

    Sometimes the bandwidth is so bad here (or is it the "Great Firewall" deliberately trying to break my connection?) that my SSH tunnel will frequently fail. Very inconvenient, as I do not notice until I need it, then I have to do a manual restart and wait for it to connect (and said wait can sometimes be significant when bandwidth sucks...)

    Enter autossh[1].

    I have setup an alias in my .bashrc as follows:

    alias tunnel="autossh -M 0 -v -CND 1082 username@hostname.com"

    To start the tunnel at the beginning of the day, I just type "tunnel" in any terminal. And whenever the ssh connection is broken, autossh automatically (and apparently intelligently) restarts it. So far, so good.

    [1] http://www.harding.motd.ca/autossh/

    posted at: 01:11 | path: /Admin/VPN-options/SSH-Proxy | permanent link to this entry