
[ Photo by-nd Traveling Mermaid. Listening to New Orleans "Second Line" music inspired me to write this today. Re-route around your problem! ]
I’m sick of the Great Firewall that filters and irregularly blocks some Internet traffic. Right now this takes the form of blocking Facebook and Twitter, two services many in the world are using (aka, addicted to), and a growing number of people are using them as well. I’m asked daily by people in China how to get to these sites. At this point, with the blocking of sites continuing up until the big October 1, 2009 date, numerologically significant for some but insignificant to many in the world, I must post my setup. It is cobbled from parts and suggestions from many, including Andrew Lih, Kees Cook and Asheesh.
The generic way to describe this setup is to use an SSH tunnel + SOCKS proxy as an optional, secondary connection for sending your traffic over a secure channel to another server outside of the country you live in, while using the much faster non-tunneled connection for the majority of your network traffic. I keep my Ubuntu-based laptop set up without a system-wide proxy or tunnel, and then only use my SSH tunnel + SOCKS 5 connection for particular websites through the Firefox web browser with the FoxyProxy add-on, which selects a proxy based upon a specified pattern. I also send all BitTorrent traffic over my tunnel because BitTorrent trackers are irregularly blocked and poisoned in the country where I live part-time. Don’t worry, it’s not that scary to use!
As an ode to New Orleans, I’m going to call this a Second Line SSH/Socks Tunnel (SLST).
I’m posting the first brain dump on my setup here for all, but am copying the main steps for each setup to my wiki so that others can help correct or update my steps if I left out some piece, or if my Mac and Windows terminology is off. I helped set up Matt’s setup on his crappy Windows laptop yesterday, and everything seems to work.
Linux/Unix Generic
Easy
- Open a terminal
- Use your webhosting account, or external server that has SSH (secure shell) capability. You need to have a username, password and hostname for your account for the following steps.
Here is a quick example:
ssh -D 1080 username@hostname.com
Here is the variant I use, which adds compression (-C) and does not log into a shell on your server (-N, aka only forwarding ports). The -vv option also prints out information about what is connecting; I love to see the output that shows all this working:
ssh -vv -CND 1080 username@hostname.com
- Then enter your password when prompted.
- Install Mozilla Firefox on your system.
- Install the add-on, FoxyProxy.
- Follow the instructions for setting up FoxyProxy here: http://foxyproxy.mozdev.org/configuring.html or with pictures, but blocked by the GFW. The crucial step is to add the hostname as localhost and the port as 1080 in the Manual Proxy Configuration. Also, make sure to select SOCKS 5 proxy. I also enable “Use SOCKS proxy for DNS lookups” in FoxyProxy’s global settings. The GFW is notorious for poisoning DNS lookups (aka, the lookups that map the domain names you type to IP numbers). Egad! Oh, make sure to name your proxy something like localhost SLST or localhost SSH + Socks Tunnel.
- To route all your web browsing traffic through your SLST, select the FoxyProxy mode that uses your proxy for all URLs.
- More advanced is to “Use proxies based on their pre-defined patterns and priorities”. Here are example lines for Facebook, YouTube, and Twitter. For each URL pattern, make sure the pattern is enabled, name it what you want, then enter the text after the colon below into the “URL pattern:” field. Make sure the Whitelist and Wildcards radio buttons are selected.
URL Pattern: *.youtube.com/*
URL Pattern: *.facebook.com/*
URL Pattern: *.twitter.com/*
- Add more patterns for sites you find blocked. It’s pretty simple to copy the handiwork above for any other sites you find blocked.
- Save your patterns and FoxyProxy settings, and try to visit YouTube, Facebook, Twitter, and the other sites you set up patterns for.
- If this doesn’t work, file some comments here or on my wiki page. This isn’t a super simple setup for some and I might have made mistakes in my brain dump. The key pieces will fail if you don’t have SSH access, or if you don’t set up FoxyProxy correctly.
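Before typing patterns into FoxyProxy it helps to see exactly which URLs a wildcard whitelist will and will not send through the tunnel. The script below is an added example, not code from the post or from FoxyProxy: it reproduces the whitelist with shell globbing, on the assumption that FoxyProxy’s wildcard mode matches each pattern against the whole URL with * standing for any run of characters and ? for one character, which is what a sh case pattern does. It uses the three patterns from the post plus the two CDN hosts (*.ytimg.com/* and *.fbcdn.net/*) a commenter below found necessary; the URLs fed to it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: a FoxyProxy-style URL whitelist
# done with shell globbing, to try out patterns before entering them into
# FoxyProxy. Assumption: FoxyProxy's wildcard mode matches a pattern against
# the whole URL, '*' = any run of characters, '?' = one character, which is
# exactly what a sh case pattern does.

# The three patterns from the post ...
ORIGINAL_PATTERNS='*.youtube.com/*
*.facebook.com/*
*.twitter.com/*'

# ... plus the two CDN hosts a commenter found necessary. Browsers fetch
# scripts and images from these hosts, and a pattern on the main site does
# not cover them, so pages render half-broken without these two lines.
SLST_PATTERNS="$ORIGINAL_PATTERNS
*.ytimg.com/*
*.fbcdn.net/*"

# route_for URL [PATTERNS] -> prints "proxy" if any pattern matches, else "direct"
route_for() {
    url=$1
    patterns=${2:-$SLST_PATTERNS}
    matched=$(printf '%s\n' "$patterns" | while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        case "$url" in
            $pat) echo proxy; break ;;   # unquoted on purpose: glob match
        esac
    done)
    echo "${matched:-direct}"
}

# Demo on constructed URLs: note that the bare domain http://facebook.com/
# is NOT matched by *.facebook.com/* (nothing precedes the dot), and that the
# CDN host only goes through the tunnel with the extended pattern list.
for u in 'http://www.facebook.com/home.php' \
         'http://facebook.com/' \
         'http://static.ak.fbcdn.net/rsrc.php/x.js' \
         'http://www.example.com/'; do
    printf '%-45s original: %-7s extended: %s\n' "$u" \
        "$(route_for "$u" "$ORIGINAL_PATTERNS")" "$(route_for "$u")"
done
```

The second demo line is the one to keep in mind: a pattern written with a leading *. never covers the bare domain, so add a separate pattern for it if you visit the site that way. Widening the pattern to *facebook.com/* instead would also catch any unrelated host whose name merely ends in facebook.com.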
Advanced
The setup I run involves the above easy setup, but I use the following autossh-based script, which I titled local_ssh_tunnel. I use autossh because it keeps the ssh connection alive through closing/suspending my laptop, dodgy wireless reception and other general bugs that harm one’s net connection.
- In Ubuntu (or other distro), install autossh through synaptic or your favorite package manager. In Gentoo, emerge autossh should do the trick.
- Open a file such as /home/USERNAME/bin/local_ssh_tunnel
#!/bin/bash
#
# local_ssh_tunnel
#
# use autossh to keep a SOCKS proxy listening on localhost port 1080
#
# default server; pass user@host as the first argument to override it
SERVER=USERNAME@HOSTNAME
# 1080 is the standard SOCKS port
PORT=1080
if [ "$1" != "" ]
then
    SERVER="$1"
fi
# AUTOSSH_GATETIME=0 makes autossh keep retrying even if the very first
# connection attempt fails; AUTOSSH_PORT is the local port autossh uses to
# monitor the link; AUTOSSH_DEBUG=1 prints what it is doing
AUTOSSH_GATETIME=0 AUTOSSH_PORT=20000 AUTOSSH_DEBUG=1 \
autossh -v -CND "$PORT" "$SERVER"
- Save the script.
- Run the following command:
chmod 700 /home/USERNAME/bin/local_ssh_tunnel
- I then set the above script to run as a startup application inside of gnome in a terminal. In Ubuntu you can set this by doing the following steps.
- Navigating to upper left-corner Application Icon > System > Preferences > Startup Applications
- Clicking Add
- Then filling out the fields:
Name: BACKGROUND SLST (Second Line SSH/Socks Tunnel)
Command: xterm -e /home/USERNAME/bin/local_ssh_tunnel
Comment: Runs SLST in the background in terminal window
- Click Save
- Close the startup
- If you want this immediately, you can run /home/rejon/bin/local_ssh_tunnel inside of a terminal window.
- Now, you can just leave the above open in the window and AUTOSSH will make sure to keep your ssh connection alive.
- Then start on step 4 above in the Linux/Unix Generic section.
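Once the tunnel is running it is worth confirming two things the post relies on but does not check: that the SOCKS listener is bound to the loopback address only (ssh -D does this by default; a -D 0.0.0.0:1080 would hand the whole local network an open proxy into your server), and that name lookups really travel through the tunnel. The script below is an added example, not part of the post or of the local_ssh_tunnel script. Its function names (validate_server, socks_bind_status, check_via_proxy) are my own, the ss -ltn listing it parses is a constructed sample, the column layout of ss output and the curl flags are assumptions of the example, and it takes port 1080 from the post.

```shell
#!/bin/sh
# Added example, not part of the original post or its local_ssh_tunnel script.
#   validate_server   - accept only a plain user@host before it is handed to
#                       ssh/autossh on the command line
#   socks_bind_status - given `ss -ltn`-style output, report whether the SOCKS
#                       listener on a port is loopback-only, exposed or absent
#   check_via_proxy   - live curl through the tunnel with remote DNS (--live only)

# validate_server USER@HOST -> prints "ok" or "invalid"
# Only letters, digits, '.', '_', '-' and a single '@' are accepted, so a
# stray shell metacharacter in the argument can never reach the command line.
validate_server() {
    case "$1" in
        *[!A-Za-z0-9._@-]*) echo invalid ;;   # forbidden character present
        *@*@*)              echo invalid ;;   # more than one '@'
        ?*@?*)              echo ok ;;        # non-empty user and host
        *)                  echo invalid ;;
    esac
}

# socks_bind_status "SS_OUTPUT" PORT -> prints loopback | exposed | absent
# SS_OUTPUT is text in the format of `ss -ltn`: one LISTEN socket per line,
# local address:port in the fourth column (assumed layout). "exposed" means a
# listener on that port is bound to something other than 127.0.0.1 or [::1].
socks_bind_status() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 != "LISTEN" { next }
        {
            n = split($4, a, ":")
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            found = 1
            if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END {
            if (!found) print "absent"
            else if (exposed) print "exposed"
            else print "loopback"
        }'
}

# check_via_proxy PORT URL -> prints the HTTP status code fetched through the
# SOCKS listener. --socks5-hostname hands the hostname to the proxy so it is
# resolved on the server side, the curl equivalent of FoxyProxy's "Use SOCKS
# proxy for DNS lookups"; plain --socks5 would resolve locally and leak the
# lookup to the poisoned resolver.
check_via_proxy() {
    curl -sS --max-time 15 --socks5-hostname "127.0.0.1:$1" \
        -o /dev/null -w '%{http_code}\n' "$2"
}

# Constructed samples of `ss -ltn` output (not captured from a real host)
SAMPLE_SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:1080     0.0.0.0:*
LISTEN 0      128    [::1]:1080         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:1080       0.0.0.0:*'

if [ "${1-}" = "--live" ]; then
    # Live check against a running tunnel on the port used in the post
    echo "live bind status: $(socks_bind_status "$(ss -ltn)" 1080)"
    echo "http status via tunnel: $(check_via_proxy 1080 http://www.facebook.com/)"
else
    echo "validate_server user@host.example.com: $(validate_server user@host.example.com)"
    echo "validate_server 'user@host;id':        $(validate_server 'user@host;id')"
    echo "sample loopback listing: $(socks_bind_status "$SAMPLE_SS_LOOPBACK" 1080)"
    echo "sample exposed listing:  $(socks_bind_status "$SAMPLE_SS_EXPOSED" 1080)"
fi
```

Run it without arguments to see the checks on the embedded sample, or with --live on the machine where autossh is running to parse the real ss listing and fetch one page through the tunnel. If the bind status comes back as exposed, the -D argument was given an address other than 127.0.0.1, which is worth fixing before anything else.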
Windows
There is already a great guide for setting this all up in Windows. I used it yesterday. Just remember to replace the HOSTNAME with your host and to use the port of your choosing. I use 1080 because it’s the standard port for this operation and generally not restricted for this activity on most systems.
Here is another guide, which is even better and has pictures. I will merge my steps with this guide now:
- Follow the steps there for graphically setting up the SLST, up to the section on setting up Firefox, making sure to replace HOSTNAME, USERNAME and the port with the ones of your choice.
- Then start on step 4 above in the Linux/Unix Generic easy section for setting up Firefox with the correct settings.
ASIDE: Here is also another guide, which is helpful for explaining the basic concepts in one page, but blocked by the GFW.
Mac OS X
Easy
Since Mac OS X is a Unix-based variant, you can do the easy steps above. The crucial difference is that many don’t know where to find the Mac’s Terminal in step 1.
- Navigate to a finder window
- Then navigate to the Utilities folder
- Double-click the terminal to be able to enter commands
- Continue with step 2 in the easy steps above
Advanced
Set up an SLST not on the command line, but using the SSH Tunnel Manager graphical application. I cannot find a graphical guide to doing this. One of the great things about using autossh in the Linux/Unix Generic advanced guide is that it keeps the connection alive through suspend or Internet outages. There should be an option to keep the connection alive in SSH Tunnel Manager. Regardless, please visit the wiki page for this article to add any notes about a graphical setup for Mac OS X that accomplishes the tasks I set up here.
Conclusion
The crucial step that I’m not really including is that you need to have some SSH-capable server outside of the jurisdiction that is irregularly filtering the Internet. If you have a Linode, Slicehost, Media Temple, or Dreamhost hosting account (which is also my ranking of best hosts in order) for your website, put that extra bandwidth to good use! That is what I helped Matt do so he can use his matthope.org external server as an external lifeline outside of here! You should do the same!
And, note this is much better than an insecure proxy or some shifty free proxy server that might go offline at any time, faster than using Tor, and gives one the flexibility to surf raw and, or, secure.
Many have blogged about this type of setup. I wanted to spread the news to all the people I know, hopefully get someone to translate this into Chinese, and generally get this out of my mind so the next time I’m asked how to get onto Facebook or through the GFW, I can point someone here, or you can pay me to set it up. #haole! Oh, and this guide is useful everywhere in the world, in Iran, North Korea or even the United States.
Christopher
Jon, good of you to write this up. Any decent hosting service should offer Secure Shell, but this feature is often overlooked. In my opinion, http://joyent.com should be on your list.
jon
I couldn’t take it anymore. I had to write down my favorite setup and too many questions per day
I think joyent is a bit expensive. There is probably a really cheap hosting option with just a simple shell somewhere in hong kong or japan which would really help out mainlanders…
Richard Ford
What I do is have twitter and facebook proxies or apps for WordPress. So when I am inside my blog – I can just click a link and use facebook and twitter right from the WordPress dashboard. And since my blog is on one of our company’s servers in HK – the server is fetching the data so it always works. A good side effect is that it keeps me logged into my blog, thus forcing me to blog more.
jon
Richard that is a great idea. Yes, microblogging has definitely cut into my blogging cycle!
Shasha Liu
I was just able to go on facebook, twitter and youtube in China, using this hotspot shield free program http://hotspot-shield.com/downloads. Try it out if you are in China and want to go to these sites, but the pop-up ads are a bit annoying, but I still think it is worth a little trouble.
jon
Cool, and great blog post recommending ways around the firewall in China: http://shashaliu.com/2009/07/get-through-the-great-firewall-%e7%bf%bb%e5%a2%99%e6%88%90%e5%8a%9f%ef%bc%81/
Gerard Braad
The way I use is: http://sites.google.com/site/gbraad/ssh-tunnel in combination with some servers I own around the globe.
jon
Smart Gerard
Bassel Safadi
GREAT !!! GREAT !!! GREAT !!!
Thanks you so much
Charlie
Very great guide.
Will it be possible to make it work on iPhone too? I know that there is an SSH utility for a jailbroken iPhone.
Ron
Hello. I am in China and trying to get over the GFC. I am a bit of a novice, so my first question is, How do I find a remote server I can connect with? Sorry to ask such a basic question, but since I don’t know how to do this, I can’t proceed with the steps above. Please help. Thanks! Ron
jacktian
hey guys.. the sock proxy works. that is how I get access to facebook in china.
And for the Hosting choice.. don’t even try Joyent.com, they are really bad..
slicehost.com is really good.
Andy
ey
thanks for this
I heard about the /green door/ – a built-in chip to apply censorship, which comes with buying new hardware.
Hm – should also be crackable with something like this.
Hm –
hehe
andy
ps: http://freenetproject.org/
john
why not try FBVPN, I have used for 2 months, it’s fantastic
Anonymous VPN
Using an SSH tunnel is one way of getting things done but it does not encapsulate all traffic. You would find using a PPTP, IPsec or OpenVPN connection more ideal as then ALL of your traffic will be sent via the VPN connection in encrypted form
I have written an article on setting up a PPTP VPN within Windows XP and also Windows 7 checkout the following links. They may be of use to your self or your readers.
windows xp pptp vpn
windows 7 pptp vpn
bosn
Nice Jon, but the problem is for the people who don’t have access to remote ssh server.
Well, you should check cjb net free services because one of them is a free shell service.
Kathy Kerr
Is the SSH tunnel what proxies such as Securitales uses? It’s the only proxy that’s worked for me in China. Full guide here: How to access Facebook in China
HHH
Helpful guide, thanks. With a bit of messing around I have it working on Windows.
If you’re using URL patterns, add in *.ytimg.com/* and *.fbcdn.net/* to get Youtube and Facebook working properly.
mahdy
hi
Please help me connect to Facebook.
kody
Don’t know how to use it.
Ted
Hi Jon,
I have done all that has been described in this article but still fail to bypass the China firewall.
My friend in China, after the successful tunnelling, is able to surf all other websites except Facebook and Youtube using Firefox. When the SSH link is down, he is unable to access any sites. We also make use of remote DNS as you describe to avoid DNS poisoning.
The command used is the same except I am using openSSH:
ssh -v -CND 8090 $SERVER
Both my friend and I are using Mac OSX with mine being the server.
I cannot understand why after SSH is setup as an encrypted channel, China is still able to detect and block it.
Thanks in advance for any advice and explanation.
Ted
jon
Hi, I would recommend you just setup openvpn on a server and use tunnelblick now.
But, as for why youtube and facebook still are not working, it’s because you need to also tunnel your DNS through the ssh tunnel or even vpn.
The other option is to try alternative dns like opendns.
jon
Get a vpn
Saleem Ansari
Very well done!
jon
I’ve altered this now, I keep the autossh running and then set the gnome proxy to manual, and set Socks Host to 127.0.0.1 and the port to the port setting your local machine is connected to the ssh daemon.
This is working quite well to get a nice hybrid approach to connections.
McKay
This is amazing! Thank you for the great script. I am in China and just bought a proxy off taobao yesterday.
Two things:
1. I am having problems with autostart. I use Kubuntu. Any ideas for how I can get this to work?
2. How is autostart supposed to work if you have a password. Is there any way that the script can be setup so that it does not need a password?
jon
Do you mean autossh? On the password requirement, you can save your password into your keyring so that your ssh key is unlocked upon login.
You don’t want to put your password into a script so that it’s entered into your account’s history, which would be insecure.
Jev
I’d also highly recommend setting network interface MTUs on both server and client machines to something reasonably low, like 1200~1300; this will make for a much more stable SSH tunnel connection.
Note that this is not an OpenSSH setting – rather, it is something you set with ‘ifconfig’ command or in ‘/etc/sysconfig/ifcfg-ethX’ interface config file.
Happy scaling!
McKay
Thanks for your reply Jon. Not exactly sure how to save my password in the keyring. You mean KDE Wallet? (I am using Kubuntu)
I think I might go about doing this a different way. I am trying to use a GUI like KVpnc or gSTM. So far I have had no luck though.
From the guy I purchased the proxy from on Taobao, I was given an IP address, port (7070) Username and Password. That is it.
Samiran
Hi my dirling