[ Photo by-nd Traveling Mermaid. Listening to New Orleans "Second Line" music inspired me to write this today. Re-route around your problem! ]
I’m sick of the Great Firewall that filters and irregularly blocks some Internet traffic. Right now this takes the form of blocking Facebook and Twitter, two services many in the world are using (aka, addicted to). A growing number of people are using these services as well. I’m asked daily by people in China how to get these sites. At this point, with the blockage of sites continuing up till the big October 1, 2009 numerologically significant date for some, but insignificant to many in the world, I must post my setup. It is cobbled from parts and suggestions from many including Andrew Lih, Kees Cook and Asheesh.
The generic way to describe this setup is to use an ssh tunnel + socks proxy as an option, or secondary connection, for sending your traffic over a secure channel to another server outside of the country you live, but using the much faster non-tunneled connection for the majority of your network traffic. I keep my Ubuntu-based laptop setup without a system-wide proxy or tunnel, and then only use my ssh tunnel + socks 5 connection for particular websites through the Firefox web browser with the Foxy Proxy add-on which selects a proxy based upon a specified-pattern. I also send all bittorrent traffic over my tunnel because bittorrent trackers are irregularly blocked and poisoned in the country I part-time live. Don’t worry, its not that scary to use!
As an ode to New Orleans, I’m going to call this a Second Line SSH/Socks Tunnel (SLST).
I’m posting the first brain dump on my setup here for all, but am copying the main steps for each setup to my wiki so that others can help correct or update my steps if I left out some piece, or if my mac and windows terminology is off. I helped setup Matt’s setup on his crappy windows laptop yesterday, and everything seems to work.
- Open a terminal
- Use your webhosting account, or external server that has SSH (secure shell) capability. You need to have a username, password and hostname for your account for the following steps.
Here is a quick example:
ssh -D 1080 firstname.lastname@example.org
Here is the variant I use which adds compression, and not logging into your server (aka, only forwarding ports). The command also prints out information about what is connecting. I love to see the output that shows all this working which the -vv option provides:
ssh -vv -CND 1080 email@example.com
- Then enter your password when prompted.
- Install Mozilla Firefox on your system.
- Install the add-on, FoxyProxy.
- Follow the instructions for setting up FoxyProxy here: http://foxyproxy.mozdev.org/configuring.html or with pictures, but blocked by the GFW. The crucial step is to add the hostname as localhost and the port as 1080 in the Manual Proxy Configuration. Also, make sure to select SOCKS 5 proxy. I also add to foxyproxy’s global settings to “Use SOCKS proxy for DNS looksups.” The GFW is notorious for poisoning DNS lookups (aka, your looking for domain names that match IP numbers). Egad! Oh, make sure to name your proxy something like localhost SLST or localhost SSH + Socks Tunnel.
- To route all your web browsing traffic to your SLST, then you can select the mode in foxyproxy to use your proxy for all urls.
- More advanced is to “Use proxies based on their pre-defined patterns and priorities”. Here is an example of the lines needed for facebook, youtube, and twitter. For each URL Pattern, make sure the pattern is enabled, name it what you want, then add the below pattern after the colon to the :URL pattern:” field. Make sure the Whitelist and Wildcards radio buttons are selected.
URL Pattern: *.youtube.com/* URL Pattern: *.facebook.com/* URL Pattern: *.twitter.com/*
- Add more patterns to sites you find blocked. Its pretty simple to copy the handiwork above for any other sites you find blocked.
- Save your patterns and foxyproxy, and try to visit youtube, facebook, twitter, and other patterns you setup.
- If this doesn’t work, file some comments here or on the my wiki page. This isn’t a super simple setup for some and I might have made mistakes in my brain dump. The key pieces will fail if you don’t have SSH access, or if you don’t setup your foxyproxy correctly.
The setup I run involves the above easy setup, but I used the following autossh-based script I titled, local_ssh_tunnel. I used autossh because it keeps the ssh connection alive through closing/suspending my laptop, dodgy wireless reception and other general bugs that harm one’s net connection.
- In Ubuntu (or other distro), install autossh through synaptic or your favorite package manager. In Gentoo, emerge autossh should do the trick.
- Open a file such as /home/USERNAME/bin/local_ssh_tunnel
#!/bin/bash # # local_ssh_tunnel # # use proxy to connect to localhost no port 1080 # SERVER=USERNAME@HOSTNAME # 1080 is standard port PORT=1080 if [ "$1" != "" ] then : SERVER="$1" fi AUTOSSH_GATETIME=0 AUTOSSH_PORT=20000 AUTOSSH_DEBUG=1 \ autossh -v -CND 1080 $SERVER
- Save the script.
- Run the following command:
chmod 700 /home/USERNAME/bin/local_ssh_tunnel
- I then set the above script to run as a startup application inside of gnome in a terminal. In Ubuntu you can set this by doing the following steps.
- Navigating to upper left-corner Application Icon > System > Preferences > Startup Applications
- Clicking Add
- Then filling out the fields:
Name: BACKGROUND SLST (Second Line SSH/Socks Tunnel) Command: xterm -e /home/USERNAME/bin/local_ssh_tunnel Comment: Runs SLST in the background in terminal window
- Click Save
- Close the startup
- If you want this immediately, you can run /home/rejon/bin/local_ssh_tunnel inside of a terminal window.
- Now, you can just leave the above open in the window and AUTOSSH will make sure to keep your ssh connection alive.
- Then start on step 4 above in the Linux/Unix Generic section.
There is already a great guide for setting this all up in windows. I used it yesterday. Just remember to replace the HOSTNAME with your host and to use the port of your choosing. I use 1080 because its the standard port for this operation and generally not restricted for this activity on most systems.
Here is another guide, which is even better, but has pictures. I will merge my steps with this guide now:
- Follow steps at for graphically setting up SLST until the setting up Firefox section, making sure to replace HOSTNAME, USERNAME and the port for the one of your choice.
- Then start on step 4 above in the Linux/Unix Generic easy section for setting up Firefox with the correct settings.
ASIDE: Here is also another guide, which is helpful explaining the basic concepts in one page, but blocked by the GFW.
Mac OS X
Since Mac OS X is a Unix-based variant you can do the easy steps above. The crucial difference is that many don’t know where one might find Mac’s terminal in step 1.
- Navigate to a finder window
- Then navigate to the Utilities folder
- Double-click the terminal to be able to enter commands
- Continue with step 2 in the easy steps above
Setup a SLST setup not on the command line, but using the SSH Tunnel Manager graphical application. I cannot find a graphical guide to doing this. One of the great things about using AUTOSSH in the Linux/Unix/Generic advanced guide is that it keeps the connection alive through suspend, or internet outtages. There should be an option to keep-alive the connection in the SSH Tunnel Manager. Regardless, please visit the Wiki page for this article to add any notes here about graphical setup for Mac OS X to accomlish the tasks I setup here.
The crucial steps that I’m not really including is that you need to have some SSH capable server outside of the jurisdiction that is irregularly filtering the Internet. If you have a linode, slicehost, mediatemple, or dreamhost hosting account (which is also my ranking of best hosts in order) for your website, put that extra bandwidth to good use! That is what I helped Matt do so he can use his matthope.org external server as an external lifeline outside of here! You should do the same!
And, note this is much better than an unsecure proxy, using some shifty free proxy server that might go offline at anytime, faster than using Tor, and gives one the flexibility to surf raw and, or, secure.
Many have blogged about this type of setup. I wanted to spread the news to all the people I know, hopefully get someone to translate this into Chinese, and generally get this out of my mind so the next time I’m asked how to get onto to Facebook or through the GFW, I can point someone here, or you can pay me to set it up. #haole! Oh, and this guide is useful everywhere in the world, in Iran, North Korea or even the United States.