Access Facebook Through The Great Firewall (Second Line SSH Tunnel)

Updated July 15, 2009 @ 1:39 am

new orleans second line
[ Photo by-nd Traveling Mermaid. Listening to New Orleans "Second Line" music inspired me to write this today. Re-route around your problem! ]

I’m sick of the Great Firewall that filters and irregularly blocks some Internet traffic. Right now this takes the form of blocking Facebook and Twitter, two services many in the world are using (aka, addicted to). A growing number of people are using these services as well. I’m asked daily by people in China how to get these sites. At this point, with the blockage of sites continuing up till the big October 1, 2009 numerologically significant date for some, but insignificant to many in the world, I must post my setup. It is cobbled from parts and suggestions from many including Andrew Lih, Kees Cook and Asheesh.

The generic way to describe this setup is to use an ssh tunnel + socks proxy as an option, or secondary connection, for sending your traffic over a secure channel to another server outside of the country you live, but using the much faster non-tunneled connection for the majority of your network traffic. I keep my Ubuntu-based laptop setup without a system-wide proxy or tunnel, and then only use my ssh tunnel + socks 5 connection for particular websites through the Firefox web browser with the Foxy Proxy add-on which selects a proxy based upon a specified-pattern. I also send all bittorrent traffic over my tunnel because bittorrent trackers are irregularly blocked and poisoned in the country I part-time live. Don’t worry, its not that scary to use!

As an ode to New Orleans, I’m going to call this a Second Line SSH/Socks Tunnel (SLST).

I’m posting the first brain dump on my setup here for all, but am copying the main steps for each setup to my wiki so that others can help correct or update my steps if I left out some piece, or if my mac and windows terminology is off. I helped setup Matt’s setup on his crappy windows laptop yesterday, and everything seems to work.

Linux/Unix Generic

Easy

  1. Open a terminal
  2. Use your webhosting account, or external server that has SSH (secure shell) capability. You need to have a username, password and hostname for your account for the following steps.

    Here is a quick example:

    ssh -D 1080 username@hostname.com

    Here is the variant I use which adds compression, and not logging into your server (aka, only forwarding ports). The command also prints out information about what is connecting. I love to see the output that shows all this working which the -vv option provides:

    ssh -vv -CND 1080 username@hostname.com
  3. Then enter your password when prompted.
  4. Install Mozilla Firefox on your system.
  5. Install the add-on, FoxyProxy.
  6. Follow the instructions for setting up FoxyProxy here: http://foxyproxy.mozdev.org/configuring.html or with pictures, but blocked by the GFW. The crucial step is to add the hostname as localhost and the port as 1080 in the Manual Proxy Configuration. Also, make sure to select SOCKS 5 proxy. I also add to foxyproxy’s global settings to “Use SOCKS proxy for DNS looksups.” The GFW is notorious for poisoning DNS lookups (aka, your looking for domain names that match IP numbers). Egad! Oh, make sure to name your proxy something like localhost SLST or localhost SSH + Socks Tunnel.
  7. To route all your web browsing traffic to your SLST, then you can select the mode in foxyproxy to use your proxy for all urls.
  8. More advanced is to “Use proxies based on their pre-defined patterns and priorities”. Here is an example of the lines needed for facebook, youtube, and twitter. For each URL Pattern, make sure the pattern is enabled, name it what you want, then add the below pattern after the colon to the :URL pattern:” field. Make sure the Whitelist and Wildcards radio buttons are selected. 
    URL Pattern: *.youtube.com/*

URL Pattern: *.facebook.com/*

URL Pattern: *.twitter.com/*
  9. Add more patterns to sites you find blocked. Its pretty simple to copy the handiwork above for any other sites you find blocked.
  10. Save your patterns and foxyproxy, and try to visit youtube, facebook, twitter, and other patterns you setup.
  11. If this doesn’t work, file some comments here or on the my wiki page. This isn’t a super simple setup for some and I might have made mistakes in my brain dump. The key pieces will fail if you don’t have SSH access, or if you don’t setup your foxyproxy correctly.

Advanced

The setup I run involves the above easy setup, but I used the following autossh-based script I titled, local_ssh_tunnel. I used autossh because it keeps the ssh connection alive through closing/suspending my laptop, dodgy wireless reception and other general bugs that harm one’s net connection.

  1. In Ubuntu (or other distro), install autossh through synaptic or your favorite package manager. In Gentoo, emerge autossh should do the trick.
  2. Open a file such as /home/USERNAME/bin/local_ssh_tunnel 
    #!/bin/bash

#
# local_ssh_tunnel
#
# use proxy to connect to localhost no port 1080
#

SERVER=USERNAME@HOSTNAME

# 1080 is standard port
PORT=1080

if [ "$1" != "" ]
then :
    SERVER="$1"
fi

AUTOSSH_GATETIME=0 AUTOSSH_PORT=20000 AUTOSSH_DEBUG=1 \
autossh -v -CND 1080 $SERVER
  3. Save the script.
  4. Run the following command: 
    chmod 700 /home/USERNAME/bin/local_ssh_tunnel
  5. I then set the above script to run as a startup application inside of gnome in a terminal. In Ubuntu you can set this by doing the following steps.
  6. Navigating to upper left-corner Application Icon > System > Preferences > Startup Applications
  7. Clicking Add
  8. Then filling out the fields: 
    Name: BACKGROUND SLST (Second Line SSH/Socks Tunnel)
Command: xterm -e /home/USERNAME/bin/local_ssh_tunnel
Comment: Runs SLST in the background in terminal window
  9. Click Save
  10. Close the startup
  11. If you want this immediately, you can run /home/rejon/bin/local_ssh_tunnel inside of a terminal window.
  12. Now, you can just leave the above open in the window and AUTOSSH will make sure to keep your ssh connection alive.
  13. Then start on step 4 above in the Linux/Unix Generic section.

Windows

There is already a great guide for setting this all up in windows. I used it yesterday. Just remember to replace the HOSTNAME with your host and to use the port of your choosing. I use 1080 because its the standard port for this operation and generally not restricted for this activity on most systems.

Here is another guide, which is even better, but has pictures. I will merge my steps with this guide now:

  1. Follow steps at for graphically setting up SLST until the setting up Firefox section, making sure to replace HOSTNAME, USERNAME and the port for the one of your choice.
  2. Then start on step 4 above in the Linux/Unix Generic easy section for setting up Firefox with the correct settings.

ASIDE: Here is also another guide, which is helpful explaining the basic concepts in one page, but blocked by the GFW.

Mac OS X

Easy

Since Mac OS X is a Unix-based variant you can do the easy steps above. The crucial difference is that many don’t know where one might find Mac’s terminal in step 1.

  1. Navigate to a finder window
  2. Then navigate to the Utilities folder
  3. Double-click the terminal to be able to enter commands
  4. Continue with step 2 in the easy steps above

Advanced

Setup a SLST setup not on the command line, but using the SSH Tunnel Manager graphical application. I cannot find a graphical guide to doing this. One of the great things about using AUTOSSH in the Linux/Unix/Generic advanced guide is that it keeps the connection alive through suspend, or internet outtages. There should be an option to keep-alive the connection in the SSH Tunnel Manager. Regardless, please visit the Wiki page for this article to add any notes here about graphical setup for Mac OS X to accomlish the tasks I setup here.

Conclusion

The crucial steps that I’m not really including is that you need to have some SSH capable server outside of the jurisdiction that is irregularly filtering the Internet. If you have a linode, slicehost, mediatemple, or dreamhost hosting account (which is also my ranking of best hosts in order) for your website, put that extra bandwidth to good use! That is what I helped Matt do so he can use his matthope.org external server as an external lifeline outside of here! You should do the same!

And, note this is much better than an unsecure proxy, using some shifty free proxy server that might go offline at anytime, faster than using Tor, and gives one the flexibility to surf raw and, or, secure.

Many have blogged about this type of setup. I wanted to spread the news to all the people I know, hopefully get someone to translate this into Chinese, and generally get this out of my mind so the next time I’m asked how to get onto to Facebook or through the GFW, I can point someone here, or you can pay me to set it up. #haole! Oh, and this guide is useful everywhere in the world, in Iran, North Korea or even the United States.

tags { , , , , , , , , , , , , , , , }

12 Comments »

  1. Jon, good of you to write this up. Any decent hosing service should offer Secure Shell, but this feature is often overlooked. In my opinion, http://joyent.com should be on your list.

    Comment by Christopher — July 15, 2009 @ 6:13 am

  2. I couldn’t take it anymore. I had to write down my favorite setup and too many questions per day :) I think joyent is a bit expensive. There is probably a really cheap hosting option with just a simple shell somewhere in hong kong or japan which would really help out mainlanders…

    Comment by jon — July 15, 2009 @ 10:30 am

  3. What I do is have twitter and facebook proxies or apps for word press. So when I am inside my blog – I can just click and link and use facebook and twitter right from the wordpress dashboard. And since my blog is on one of our company’s servers in HK – the server is fetching the data so it always works. A good side effect is that it keeps me logged into my blog, thus forcing me to blog more.

    Comment by Richard Ford — July 16, 2009 @ 1:07 am

  4. Richard that is a great idea. Yes, microblogging has definitely cut into my blogging cycle!

    Comment by jon — July 16, 2009 @ 2:03 am

  5. I was just able to go on facebook, twitter and youtube in China, using this hotspot shield free program http://hotspot-shield.com/downloads. Try it out if you are in China and wants go to these sites, but the pop-up ads are a bit annoying, but I still think it worth the a little trouble.

    Comment by Shasha Liu — July 16, 2009 @ 8:01 am

  6. Cool, and great blog post recommending ways around the firewall in China: http://shashaliu.com/2009/07/get-through-the-great-firewall-%e7%bf%bb%e5%a2%99%e6%88%90%e5%8a%9f%ef%bc%81/

    Comment by jon — July 19, 2009 @ 8:30 pm

  7. The way I use is: http://sites.google.com/site/gbraad/ssh-tunnel in combination with some servers I own around the globe.

    Comment by Gerard Braad — September 28, 2009 @ 2:57 am

  8. Smart Gerard

    Comment by jon — September 29, 2009 @ 4:33 pm

  9. GREAT !!! GREAT !!! GREAT !!!
    Thanks you so much

    Comment by Bassel Safadi — October 12, 2009 @ 1:28 pm

  10. Very great guide.

    Will it be possible to make it works on iPhone too. I know that there is SSH utility with JB iPhone.

    Comment by Charlie — October 16, 2009 @ 4:48 am

  11. Hello. I am in China and trying to get over the GFC. I am a bit of a novice, so my first question is, How do I find a remote server I can connect with? Sorry to ask such a basic question, but since I don’t know how to do this, I can’t proceed with the steps above. Please help. Thanks! Ron

    Comment by Ron — December 3, 2009 @ 5:35 pm

  12. hey guys.. the sock proxy works. that is how I get access to facebook in china.

    And for the Hosting choice.. don’t even try Joyent.com, they are really bad..

    slicehost.com is really good.

    Comment by jacktian — December 23, 2009 @ 4:59 pm

RSS feed for comments on this post. TrackBack URL

Leave a comment

OR