Weyland.be

Hey,

Yes this is very interesting. If you want to learn more about SSH and its power, I am reading a book about it. It also contained the part described above.

SSH, the secure shell. The Definitive Guide, From Oreilly. I just got the copy from a workmate. And then after I read it I pass it on again :-) so this one I got is pretty old.

Greetings
Jelle

What if you only have ports 1023 and above open at home and access to port 80 and 443 at the office?????

That’s a tricky one indeed … as far as I know you need an open port to the internet from your work, and the same open port at home …

Lemme search for some more info ;)

And it’s too tricky, sorry :(

This connection via OpenSSH will only work if there is a port open to the outside from the firewall at your work and which is open from the internet at home…

Thanks dude works a treat, tested with RDP and also VNC.

The fight for freedom continues on all fronts.

No problem ;) Rules are ment to be bent :p (it even rhymes, so it has to be true!)

You can even do more interesting stuff with the openssh – putty combination! When I have some free time, I’ll write a follow-up…

Hi
i did everything, every step, because i really want this to work,
one problem when i use putty to connect to home, it just goes into the putty black screen, it won’t prompt me for username or a password, why is this… HELP!!!!

one more thing i forgot to mention, i had Cygwin installed at the same time this won’t cause any problems would it?? because openssh deteted it when i was installing it. problem with crygwin there’s no easy way to remove it

Try connecting locally – on the machine where you installed OpenSSH – to 127.0.0.1 on port 443, does putty asks for a username and password then?

Mmm … I don’t know because I’ve never had Cygwin installed :/

thanks for the quick reply Selder,
i tried using the same computer i’ve installed openssh, but i get

Network error : Connection refused.

what i also did was i deleted my windows XP SP2 and reinstalled, and followed the above steps as a fresh start.

any thoughts???

So if I understand correctly

1) you installed OpenSSHd on a machine
2) did the steps 1.1 through 1.4 in the above howto
3) and then tried to connect to 127.0.0.1 on port 443 on the same machine you installed OpenSSH on?

Are you sure you did all the steps and stopped/started the OpenSSH server? The Windows Firewall is disabled isn’t it?

i just installed IIS to my machine, i no longer gets the network error msg,
but when i try to connect to my local host, problem i had before the windows reinstall, putty just goes in to black screen, not prompting for username or password.

i don’t have any firewalls setup at the moment…

Ah … IIS uses port 443 for HTTPS connections too, if IIS is started, the 443 port isn’t free anymore to be used by OpenSSH… could you disable everything there is to disable to IIS and try again?

Thanks Selder, everything works!!!! :))
now i cant wait till i go to work tomorrow, see if i can connect to home from there…

thanks alot for your help, all i needed was a restart on Openssh

Cool, have fun :)

What if the proxy server at work is transparent? Any ideas on what to use in putty to get it to work? I’ve been working on this problem for a while and have yet to make any significant progress.

I also noted someone earlier mentioned using tor, I have some issues with incoming connections as well, anybody know if there’s a relatively easy way to set up ssh over tor? (on windoze?)

Awesome How To, by the way

Mmm … I’m a little afraid this isn’t going to work with a transparent proxy :/

So even forcing putty to go through 80, or one of the other ports that must be available, won’t work? I was thinking of using privoxy or something (I don’t know if privoxy will do what I need, haven’t looked at it) to direct the ssh traffic to whatever port at the work end, and then just making sure that home was accessable.

I don’t really know that much about transparent proxies other than what I’ve learned from being behind one.

Well … I don’t know nearly enough about Proxies (or transparent proxies for that matter) … but I do know that they are a pain in the …

You could try doing all the steps above, and replace the 443 by 80. Don’t know if it would be secure tough. Also, I wouldn’t have an idea what to put in the proxy configuration of Putty – perhaps try leaving it blank?

I have been following your excellent tutorial and I am getting closer…

while I can now successfully login into the the remote SSH server, I am unable to connect to my VNC server. Help/suggestions would be most appreciated.

Here’s the setup:
Home -
Running SSH, OSXVnc
NAT router, port forwarding, using port 443 to SSH Server

Work WinXP –
PuTTY
Trying to set-up a tunnel – using: L5900 192.168.1.12:5900
Internal IP address of my machine at home. I have also tried 127.0.0.1

In TightVNC I have tried 192.168.1.12:5900 / 127.0.0.1:5900 / localhost:5900

When trying to connect with TightVNC I get “Can’t connect to server”

Any ideas?

Sorry. Scrap that. Just used localhost only.

All works. Thanks for your tute.

Cheers.

You’re lucky there’s no other service on your ‘work’-pc which listens on port 5900 :)

Hi there. I wonder if you can help me. I’m using my pc through my cellphone to connect to the internet using gprs, for free. No dial-up or ISP costs. My problem is I cant connect with mIRC to chat. I can only connect to IRC through a program called HOPSTER. But it is a demo version and disconnects every 5 – 10 minutes!! The gprs connection I use is through a proxy server 196.6.128.12:80. I tried downloadind Openssh but no luck getting a ssh version that installs without errors. Now I’m trying to use Putty, but how? I’m running Xp Pro at home

Ehrm, the problem you described (or at least that’s how I understood it) doesn’t have much to do with this turtorial, or am I mistaken?

If you don’t have the other end of the tunnel – e.g. connecting from a PC at work to a PC at home – this turtorial is pretty useless …

When you tunnel out something on the other side has to translate. Complaining that it’s useless shows your lack of understanding.

Thanks damn.be for posting. This solution works just perfectly.

This guide worked great… I’ve been looking for an easy to follow setup of this process. Thanks

Hi,
just a question.
Once i have putty on it ask me for username and i put in the one i use to logon in windows xp but when it ask me the pwd and i put the one i use to enter it says not valid.
WHat i did wrong?

Thanks.

Gm.

Open \OpenSSH\etc\paswd in a text editor (notepad will be fine) … Is there a line with your username and some random characters on it?

No. I don’t find this file… can you please post the complete command that generate the user and the password?
The one above is generic…

It’s really that command, and nothing else, there is nothing generic about it :)

I’ve heard from people that they have to run those mkgroup and mkpasswd commands 2 times one after the other …

Probably the best guideline I’ve seen regarding SSH tunnel setup and configuration. The only problem that I’ve encountered is that my SSH session seems to timeout after a few minutes of inactivity, and the connection closes down. I’ve checked the settings within OpenSSH and haven’t found much, other than an “account logon grace period”, which I set to 500 minutes. Additionally, my proxy uses a “proxy configuration script”. Is there a way to configure putty to use the configuration script?

I use this technique every day at work, and I’ve never had 1 single disconnect – but I have a Remote Desktop Connection open all the time …

For your ‘proxy configuration script’, you don’t happen to know the contents of that scriptfile?

I posted the previous message mentioning the proxy script issue. I did manage to download the scriptfile and it’s just a javascript function for checking various URLs (such as something.com) and telling the browser whether or not to use the proxy for those URLs. I actually disabled the configuration script in IE and was still able to browse the web without issues, so the script doesn’t

However, it appears as though my proxy is sensing the app trying to connect to it (I already know it refuses connections from Firefox), because when I try to open a connection to port 443 from Putty, I get a “403 Forbidden” error message (from Putty) almost immediately upon attempting to connect. So, as you can imagine, I’m behind a beefy firewall/proxy where I work as well. Fortunately, we still have a “legacy” proxy in place that allows the 443 SSH connection.

On top of that, I rebooted my Win 2003 pc this morning and OpenSSH is not accepting my username/password. I get the SSH prompt just fine across the proxy, but I’m denied access, consistently. Prior to the reboot, everything was working fine. Do I have to recreate my passwd and group files after every reboot?

Your proxy doesn’t have any clue what application is setting up the connection, but it does sense “how” that connection is started. AFAIK Putty makes its connections with a “HTTP CONNECT” command, and maybe your proxy is configured not to allow that …

And no, normally once you created the ‘group’ and ‘passwd’ file, everything should run even after a reboot. Maybe try running the ‘mkgroup’ and ‘mkpasswd’ commands 2 times one after the other. It’s a strange thing, because I can’t recreate that behaviour on my machine, and I’ve had a couple of ppl who said it stopped working…

Anyway, if the above procedure doesn’t work for you, there’s always http://www.logmein.com, which works nearly always :p

Wouldn’t IE connect to the proxy via a “HTTP CONNECT” command (when accessing an external website, such as this one)? I’ll have to give Ethereal a shot to examine the packets transmitted to the proxy when I initially access an external website. I’m not sure why Putty is unable to connect at this point, but I definitely haven’t had any luck with it.

I figured out the OpenSSH issue — apparently my PC hung during a remote restart, when I returned home I had to reset the pos to get things in order again. I didn’t run the ‘mkgroup’ or ‘mkpasswd’ commands twice, one after the other, and things are working as expected, so I also haven’t experienced the problem you mention.

As for logmein.com, I’m sure it works great (like gotomypc.com), but the website itself is blocked by all of our proxies (’thank you’ web content filtering ;-).

I’m no wizard when it comes to HTTP or HTTPS commands, but doesn’t IE use a “HTTP(s) GET” command to access a website? Anyway, the big evil networkadmin here at work said that he saw I was connecting to a website (my OpenSSH server at home) via an “HTTPS CONNECT” command …

But I’m beginning to think your networkadmin is even bigger and ‘badder’ than mine :p

Anyway, now that your authentification problems are out of the way, is it working when you use your “legacy procy” ?

Sure is…actually got it working with both proxies, just took some tinkering around. I discovered I had chosen a proxy used for websites on our DMZ, so I switched proxies and was able to login to OpenSSH on my server at home. I work for a very large company (to remain nameless so that I don’t incriminate myself), so we have a slew of proxies where I am, and certain groups have access to certain proxy clusters. I tried out a second “new” proxy, and was able to get right out over 443 via Putty to my server at home.

There was still one more obstacle blocking my way to freedom…

I opened up my RDP client on my work PC after connecting via Putty SSH, and attempted to connect to localhost:3390 (through the tunnel created by Putty). Sure enough, no luck.

The requesting port I was using (locally) from my work PC (to connect to RDP on my server at home) was being denied. Well, that’s the best conclusion that I have right now. All I did (in Putty) was change the local port (from 3390 to 2843), and when I tunnel out through L2843, I can open an RDP session through the tunnel without problems. At any rate, I’m enjoying freedom…finally, and through the new proxy. Things work fine over our legacy proxy, but that thing is on its way to being decommissioned, so it’s good that things are working with the new proxy. Thanks for the tips and for posting this information on your website — it came in quite handy!

I’m glad its working :) To hell with corporate proxies! :)

Damn , doesn’t work to me.
I’ve just followed the instructions but the paswd file is not generated.
Any clue?

Plz help-

What version of OpenSSHd are you using?

3.8p1-1 20040709 Build (it’s OpenSSH for Windows of course).

I installed the same version on my machine at work here, ran the 2 commands in a command prompt window, and the “passwd” and “group” files are created without any problem … I did exactly the same as stated in the howto above :/

If you search your C: drive (or wherever you installed OpenSSHd) for a file named “group” or “passwd”, do you find anything?

Wanted to add a quick suggestion for those using this method to bypass corporate proxies. If you can successfully install OpenSSH on your Windows system at home, you can DEFINITELY take the extra minute to install Squid (yes, you can install it on your Windows system!!). Squid is a caching web proxy server, open source and under the GNU license. Check out http://www.bofi.camelot.de/squid.htm for more info (I came across it via a Google Search), binary installers are available on that website. The best part about this particular Squid installer is that everything is ready to go after you install it, no additional configuration necessary. It is set up to listen on port 8080 on the Windows system.

At your work PC, add an extra tunnel within Putty by mapping a local port to port 8080 on localhost (the box you are connecting to via SSH through Putty). Configure your favorite web browser (Firefox, IE, or whatever) to connect via your newly created proxy — localhost using the local port you assigned in Putty. For example, I set up my tunnel to use port 2845 and map to localhost:8080, so in my web browser, I set up my proxy as “localhost port 2845″. It works great. Now you don’t need to bother connecting via Remote Desktop (RDP) to surf the web, surf it straight from your favorite browser on your work PC!! Speed is entirely dependent on your broadband connection at home, of course.

Indeed, once you get this ball rolling there is no stopping it :)

And for your information, I don’t use remote desktop to surf the internet (port 80 is wide open at work, and no websites are blocked) but to actually ‘control’ my system at home ;)

Ah…we’re content-filtered over here, so all of the *good* websites are blocked (webmail, media sites, sports, just about everything worth reading), so I’ll jump in up-front and say that my previous suggestion was meant for those who deal with web content filtering on their proxies ;-)

The other benefit of the Squid over SSH idea would be to keep all web surfing completely encrypted, which has its benefits if auditing were to ever become an issue ;-)

noob here..
I want to do the opposite: control my work pc (which will be doing 3d rendering) from home .. so I can check up on it from time to time

I can’t get access to the work firewall (because I share another office’s broadband and thus have to use their firewall and they use an outside IT consultant who will charge a lot just to look at it )

so I’m confused about what to install where or even if its possible to make it work – both machines are xp home, i have no need to access home pc from work
(my work pc has Apache installed for my web dev work – presumably I’d need to stop it so as to release any ports)
thanks for any pointers!

Let me get back to you with hopefully an answer :)

Hi
I have set up cygwin on my mail server along with PuTTY to allow some of my guys who are working behind a clients firewall (who need access to their external email accounts) to access email using a port 22 SSH tunnel. I have set up alternate pop3 and smtp ports on the mail server to facilitate them also (pop 1010 and smtp 225).
I access the mail server using Remote Desktop Connection to administer it periodically. Am I correct in assuming that PuTTY needs to be left open or can it be set to run automatically in the background when I log off the server. These guys need to log in as required and consequently the service needs to be always available.
Any suggestions would be welcomed…

Putty needs to be open indeed, it’s putty who catched the requests for “localhost:xxx” and forwards those requests through the SSH tunnel.

You could write a script or batch file that opens putty first, and then open the emal client?

Well written guide. I have a question that I have not yet found an answer for. I have read many guides on the use of OpenSSH and PuTTY. It workd great and have had no problems using it except for the fact that I can’t seem to be able to tunnel DNS queries. Whne using Firefox yep I have it working just fine but what about some other stand alone program that has to connect to another server? I can get that programs connection tunneled with no problem like irc as an example. But the computer will still show the DNS of ther server you are connecting to. Do you know if there is a way to do a range of ports since you have no idea what port your computer will use when it sends a DNS quiery, you only know the destination port not the source.

Any suggestions would be helpful :)

Doesn’t DNS always use port 53? The problem is that DNS queries are sometimes UPD and sometimes TCP. This guide only works for TCP portmaps.

And I tried fiddling with the “dynamic” ports instead of a “local” port in Putties configuration (see step 2.3) but stopped trying before I figured out if it could work or not.

True DNS uses port 53 as the destination port (the DNS server you are connecting to). But the source port is random and I have not been able to get putty to tunnel DNS queries at all. If I use Firefox at set network.proxy.socks_remote_dns to true in about:config it work perfect. If I use smartsniff to monitor my traffic all I see is my connection on port 22 to the SSH server. But all programs that may need to connect to a server like mail or irc or IM’s may leak the DNS queries out even though the traffic from these programs will be secure.

I’m gonna read a bit more about, but I think it’s not possible – because I’m fairly certain DNS requests are send over an UDP port …

Selder, I found a solution for DNS queries over SSH. Yes you are correct that DNS is UDP and SSH doesn’t currently support UDP BUT if you socksify your connection first it will work perfectly. While on another site I came across SocksCap http://www.socks.permeo.com/Download/SocksCapDownload/index.asp

This program will enable you to run just about any program over a socks connection created on your own machine. As you know IE leaks DNS even over SSH. Well if you SocksCap IE first then run the socks through SSH your entire connection is encrypted and no more DNS leaks. If you would like more detailed info just say so and I can write it up. Just wanted to pass this on.

Usefull if you want to route all internet traffic through your SSH tunnel, but I only use it for Remote Desktop ;)

Thanks for all the info on this. I have putty and openssh talking to each other on my home system no problem. When I try putty from the office though, I get:

Proxy Error: 504 Proxy Timeout (The connection timed out.)

Any suggestions?

Seems to me that your work has a well-configured Proxy server, and that he does not permit these kind of connections. That, or there is no good internet-peering-connection between the two ISPs (work and home).

To troubleshoot: if you install a webserver at home (a simple one, like Xampp), can you reach that webserver from your work? Or does it time out too?

Figured it out. Zonealarm was blocking the traffic on my home system. Even though I configured it to allow both trusted and Internet traffic for this app. Once I added my work IP to the trusted list, started working fine.

Thanks again for the info.

Last comment from Peeps. Sorry, left out the name.

Mmm … that’s odd, that shouldn’t give an error on the proxy, but just some “time out” error … oh wait, it did, but still …

Hi,
I did all the steps you have given. I am behind a University firewall that practically blocks everything but port 80. I tried to connect to m pc at home using the steps above as to get into mirc. After doing all the steps with port 80 set as the port and turning all firewall on the home pc off, when i try to open connection i get the error ” Server unexpectedly closed network connection “. Please help me out.
I tried the same procedure using port 443 but then i get the error ” Proxy error : HTTP responce was absent ”

Vivek

If it works at home or from another PC, I’m thinking that your proxy at work doesn’t permit the command HTTP connect, which is used to start the tunnel … I don’t think there is a solution to that problem…

You could always try LogMeIn.com to remote control your pc…

Hi – great tutorial by the way! I’ve done steps 1.1 – 1.4 and am trying to connect locally to test that evrything this end haseen setup correctly. I don’t have a router in my apartment at the minute and am using a cable modem. I’ve tried connecting to my ip address via putty on ports 443 and 80 but it eeps bringing up ‘Network Error – connection refused’? Ports are definetly open and all firewalls switched off. Any ideas?

Ok managed to get connected locally via Putty on port 22?! Not sure what to put in as my username and password though? I’ve tried Scott which is my windows login and have no password but no joy! Keep getting access denied messages…

Make sure that you change # port 22 to port 443 in sshd_config. Reboot your computer after changing the port (or alternatively stop/start the OpenSSHd service, but a reboot is easyer)

And that Scott username is correct, but you need to set a password, with an empty password it won’t work.

Also check the passwd file to verify that there is a line beginning with scott:xxxx…. If not re-do step 1.2

Hi thanks for reply. I only have port 22 open at home and work so i take it it’s ok to use this instead? I’ll try re doing the settings when i go home on OpenSSH. For now im in work and have setup Putty. I can’t actually find any open ports using port scanners which is strange as i’ve a colleague that uses port 22 and it works. I was told just to use the same port for the tunnel? Does this make sense – slightly confused! Ayyways ill try and get the login working at home locally then worry about the work end of things… Thanks again

Ah, whoops, sorry, you are correct, if you want to use port 22 with OpenSSH you don’t need to change anything in the sshd_config.

In my howto i used port 443, because in most of the cases port 22 will be closed on companies firewalls, whereas port 443 will be open … you can easily check this if you have access to HTTPs websites.

And the port you will be using in the tunnel (step 2.3) you can use anything you want, it doesn’t have to be port 22 or 443 or the default port of the service you want to connect to.

I’m having real problems getting OpenSSH passwd file sorted. I’ve reinstalled OpenSSH and then when it is no started typed:

mkgroup -l >> ..\etc\group
mkpasswd -l >> ..\etc\passwd

Then restarted OpenSSH and checked the passwd file but no scott anywhere in the doc? This is driving me crazy! And i’ve also got a password set for my windows login before i tried all this…

Ok, do the following: remove all text from the passwd and group files (so the files are there but are 0 KB in size) and then run each command 2 times, so:

mkgroup -l >> ..\etc\group
mkgroup -l >> ..\etc\group
mkpasswd -l >> ..\etc\passwd
mkpasswd -l >> ..\etc\passwd

Then check the passwd file to see if it is filled with information…

I’ve just realised that thre is no group file i.e. no text or c file only group.exe? I have the passwd.c file but thats it?

Sorry – i’ve been so stupid -i’ve been looking at the passwd file in the bin folder the entire time and now \etc! Apologies for the time wasting… I shall now do what u said…

group file now reads as follows:

root:S-1-5-32-544:0:
SYSTEM:S-1-5-18:18:
None:S-1-5-21-484763869-764733703-1343024091-513:513:
Administrators:S-1-5-32-544:544:
Guests:S-1-5-32-546:546:
Users:S-1-5-32-545:545:
HelpServicesGroup:S-1-5-21-484763869-764733703-1343024091-1001:1001:

passwd reads:

SYSTEM:*:18:544:,S-1-5-18::
Administrators:*:544:544:,S-1-5-32-544::
Administrator:unused_by_nt/2000/xp:500:513:U-SCOTTB\Administrator,S-1-5-21-484763869-764733703-1343024091-500:/home/Administrator:/bin/switch
ASPNET:unused_by_nt/2000/xp:1004:513:ASP.NET Machine Account,U-SCOTTB\ASPNET,S-1-5-21-484763869-764733703-1343024091-1004:/home/ASPNET:/bin/switch
Guest:unused_by_nt/2000/xp:501:513:U-SCOTTB\Guest,S-1-5-21-484763869-764733703-1343024091-501:/home/Guest:/bin/switch
HelpAssistant:unused_by_nt/2000/xp:1000:513:Remote Desktop Help Assistant Account,U-SCOTTB\HelpAssistant,S-1-5-21-484763869-764733703-1343024091-1000:/home/HelpAssistant:/bin/switch
Scott Boyd:unused_by_nt/2000/xp:1005:513:Scott,U-SCOTTB\Scott Boyd,S-1-5-21-484763869-764733703-1343024091-1005:/home/Scott Boyd:/bin/switch
SUPPORT_388945a0:unused_by_nt/2000/xp:1002:513:CN=Microsoft Corporation,L=Redmond,S=Washington,C=US,U-SCOTTB\SUPPORT_388945a0,S-1-5-21-484763869-764733703-1343024091-1002:/home/SUPPORT_388945a0:/bin/switch

Does this help any?

Luckily those passwords are encrypted ;)

But that looks okay, but do make sure that you logged on at least one locally on your XP (or other windows) so that the user-folder in documents and settings is created, and security is applied… And is there a space in your username?

What is the exact error message you receive?

Is it ok to leave those files like that now? I have tried logging in via putty and all i get is access denied. My username is Scott. When i enter it it then has the disclaimer bit and asks to cache user key and asks for password. It displays Scott@89.xx.xx.xx etc… then i type in the password but it doesn’t display a moving cursor or anything it just stays on the same space?

Don’t know why this won’t work? :(

Are you 100% sure your username is Scott and not Scott Boyd? Because that last one is what I see in your passwd file…

I’ve tried Scott Boyd as well but neither works. It doesn’t seem like it is actually letting me type in a password – what i mean is the * symbols don’t even appear – is this normal?

What would you suggest I do next? Is the last resort a reinstall of Windows and start from scratch? I really want to get this working!

Yes, it is normal that the characters do not appear when you are typing your password, not even asteriks or dots…

Could you try making a new account on your Windows, name it test and set its password to test too. Re-run the mkgroup and mkpasswd after that, and try loggin on to openssh again, using that test user.

You are trying to connect to localhost:22 or 127.0.0.1:22 right?

hey, i managed to get everything working now! Switched to FreeSSH and it works fine – has a GUI so was easier to configure as well. Then set up a tunnel in it using putty and installed RealVNC and heypresto – i can now access my PC fully from behind my works firewall (Intel) :D Thanks so much for your help…

I’m glad, but I’m wondering what went wrong with OpenSSH ;)

I have a question. My work logs all of our internet activity and also blocks some good sites. So I connect to my home pc via vnc viewer and just open up the web browser on the home pc and start surfin. I open up vnc and put in my ip address plus the port number which gets forwarded by my router. So my question is, what does my activity look like to my works firewall or network?

I don’t know if you are using some sort of encryption for that VNC connection, but a “good” networkadmin will see that you are surfing the net :)

so they should be able to see that i’m connected to ‘ipaddress:port’ and see activitiy on there, but they can’t actually see or know what websites i’m at, right?

I’m reluctant to do the workaround talked about above because that would be seen by my company as blatantly trying to circumvent the system. They frequently run auditscans on our pc’s to see what programs are installed. The putty program might not go over so well. But I could easily say I have vnc installed to check on my daughter that gets home before me.

Well yeah, I don’t know what the policy on internet is in your company, that is something you need to take in consideration before “hacking your way to freedom” ;)

I for one wouldn’t fall for the “it’s for my daughter” excuse :p

Hi!! i was trying to connect remotlty to my PC at home to use like the server request, i mean, i want to tunnel the trafiic of one app that use the port 3724 but the server varies all the time, is there a way to tunnel all the traffic of this port using putty and OPENSSH??

I normally use putty and OPENSSH like proxy server on Internet Explorer and Firefox and wordks well

Thanks, i hope you can help me

uhm, I don’t know, what app is that?

Hi, does this method work with UDP based programs i.e. CS:Source or Quake 3? If the server is 3000 miles away with a DSL connection, I will experience alot of lag, correct?

Nope, TCP only.

Great tutorial! That’s the only thing that worked for making a connection from my work pc to my home one!

Hey, great HowTo!!
I’m so close but no cigar yet.. :(
I believe I have everything set up correctly. I am running squid at home on my linux box on the default 3128 port. I can connect directly to the squid proxy from work without a problem. Now, I want to incorporate SSH tunneling to encrypt my traffic :) I already have sshd running on my linux box so I setup Putty to use a source port of 13128 on my work pc, then destination: mydyndnsname.org:3128 When I hit connect I login fine. I can even telnet to localhost on 13128 on my work pc and get the Squid banners. So I know that the tunnel is setup and I’m talking with Squid, however once I setup my options in Firefox or IE, I get an access denied for every page.. although it seems it will let me open some cached pages, but only the data thats been cached. I’ve been hunting around the config file for squid for hours and still no luck. Any ideas would be greatly appreciated!!!

Squid and OpenSSHd both run on the same machine? Try configuring a tunnel in putty with source port: 13128 and destination “localhost:3128″ instead of your mydnsname…

But I do think that your problems lies somewhere with Squid and not OpenSSHd or putty or their tunnels…

folks, dont use ssh in a corporate environment, because the people sitting before the ids console could see strange ssh traffic on port 443. Almost every IDS system detects that this traffic is ssh and not https.

That’s 100% correct, and those people even see with what command the connection is established. HTTPS uses a HTTP POST command, and this OpenSSH tunnel uses a HTTP CONNECT command, and that would be lit up like a christmas tree.

The sort of traffic is also very different than visiting a website, with this kind of connection you will have as much download as you have upload … again, the christmastree.

But … they only see traffic, they don’t see 1 single but of data that is transferred because it is encrypted.

I had it working but I’ve since change ISP and DSL to cable. In theory it should still work (I use DynDNS on the router). However now I seem not to be able to get past the proxy at work. I get “503 service unavailable”. Does it sound like the IT guys have blocked me somehow? Or could something at home not be setup correctly (I’m not sure I setup 443 port forwarding this time…)

You should check that forwarding indeed, sounds like something’s wrong with that…

VNC works fine through tunneling, it’s just that you need 2 ports forwarded, think default is 5800 and 5900.

Has there been any more investigation into using transparent proxies? I know that it does not work at my current company, but I can use http-tunnel and forward putty through that. It’s incredibly slow, however.

Hi all,
I would really appreciate any help anyone can provide with this query.

I am using log’me’in.com at work to remotely connect to my computer at home.

From time to time I had been using my computer on logmein.com as if I was at home, accessing sites, mail, music downloads etc that would not be acceptable in work.
Now, work are stepping up their security and I am worried about what they can monitor of my past activity.
Even in the most extreme cases, what is the potential of what activity can be monitored when using a remote site like log’me’in.
Is there any way to cache\save the images displayed by log’me’in by a monitoring system?
Is there anyway for an internet monitoring system in work to cache\save the sites visited\typed while using the remote interface?
I assumed that all this was ok, as I thought the streaming display could not be monitored.

Any help, thanks in advance.

Hi Anonymous, [i]they[/i] can see almost anything. And if they see it’s encrypted, they can very well guess what kind of traffic it is. There is no such thing as privacy.

Hi
Is it possible that a company would be able to block protocols within the tunnel.
In my situation I have followed your guide which is great and very well laid out by the way… however what I find is although I am able to establish a connection and view the local content of my disk when putty throws up the SSH terminal session, I am unable to run an rdp session to my remote host from the office. I.e.
1. Establish link
2. Authenticated
3. Confirmed authentication through remote host drive content
4. attemp RDP to tunnel – L3390 localhost:3389
Results – MSTSC Guid for RDP results in usual error when it can not find the host its trying to talk to ‘the client could not establish a connection to the remote computer’.
I have ‘borrowed’ a wireless internet connection detectable from the office to establish a session to my remote host (this is a wireless internet connection not provided by the company i am connecting from) and can establish an RDP session no worries.
Hence my question – is it possible for a company to block protocols within a tunnel like this?

No, that would not be possible. Once the tunnel is up and running, all your company sees is encrypted traffic between your local and remote machine.

Try setting up a tunnel for RDP as “L:8000 – localhost:3389″ and then connecting to “localhost:8000″ on your machine at work.

Wow…that was a quick response. Thanks for the advice, I will give it a try right away and post my results.

Hi
I tried the L:8000 – localhost:3389 configuration and unfortunately had the same result with a failed RDP connection.
I will try going back to square one and confirm that I have set everything up correctly…fingers crossed I have just missed a config step…although i don’t know how that would be if I am able to establish the link and remotely view my home computers drives.

When you are connected to that borrowed wireless connection, do you use the OpenSSH tunnel too? Or do you connect directly to port 3389 at home?

I connect directly to the port 3389. I will have to wait until tomorrow to attempt it through the same connection via SSH. I will post my results again as soon as I try it.

Hi – Well i attemped the connection again, this time through the wireless internet available and through another internet provision. Each time resulting in the same issue as in the office which is a connection that allows me to read local disk on the home computer, however RDP does not connect.
I figure the problem has to be from my configuration although i did not deviate from the directions in the least with exception for the proxy configuration as each of the non-office locations do not have a proxy. Any thoughts?

Further to that, I have also tried establishing the tunnel over multiple ports from 443, 80, 81

The plot thickens – I have bypassed the entire firewall and remote connectivity and setup the SSH connection internally on my own network at home, only to encounter the same results. When I replicate the test on a private network in the office, everything works. It would seem the issue is relative to my target host at home which I will now confirm my theory by targeting another host on my home network both within the home network and then from my office connection to the alternate host on my home network. Results to be posted shortly…

Did you try disabling all firewall-alike things on your PCs and network at home?

Yes. I bypassed the firewall entirely by using a switch between two hosts at home. I also confirmed that the o/s Windows XP SP2 Security Settings are fully disabled. Still, I get the same issue though – remote view of local disk content but no RDP.
I reversed the direction of tunnelling to ensure it was not one specific computer causing the problem at home, as I said i would do in my last post, however the same issue occured.
I then took a backup of the openssh configuration files and ran ExamDiff against them to find what was configured differently – all i found was what was to be expected, the listening address in shhd_config, user and group content in Group and passwd files. The rest is the same from ssh and putty versions to configuration steps.
Kind of baffling really seeing as I am able to setup the same test at work internally on our network there with two hosts, and as mentioned before, it works well with RDP working fine too.

Yah, indeed … I’m all out of ideas :/

Oh well, thanks for the help though. I have at least seen the light of remote connectivity through a work firewall…, it was good getting this far.
I will continue to try and resolve the problem and will post my results if and when I figure it out for your other readers.
Thanks again.

I work at a client place, where all ports except 80 and 443 are blocked. I need to dowloand my emails usin pop3. Any way to resolve is issue

Thanks In advance

If port 443 is open to the internet, and port 443 is open from the internet to your machine at home, you can just follow this guide and do pretty much everything you want… :)

Hello all!

Im new at this so bare with me ;)
Just a week ago my employer started to use a website filtering system.
Would like to bypass that :) Found this super nice toturial.

I can do everything in this guide but get hold of the proxy settings in step 2.2.
Do you know how you can detect the settings of a proxy server? In my webrowser IE 7 (yes using windows at work) there are no server specified.

Would be nice to get some input on this.
Thanks // Andre

Could you possibly write a similiar tutorial on setting file and print sharing up remotely?

I have the following problem when I travel:

“work” access changes due to airports, hotels, coffee shops, etc. that I am at. I want to tunnel to the home pc to keep traffic protected in naturally unprotected environments.

Each of these remote locations have random ports open on my “client” end – and I won’t know what is there until I arrive. One place will have 443, the next 3189, random, random, etc. Other than having all ports at the server router point to the server (to enable any condition I might run into – and which is more risky for the home server, is there a workaround?

I have nmap installed on my “client pc” so I can find all open ports on the “client” access point end without much problem. My whole setup between client and server has been tested and works on both my server network (DSL) and a neighbor’s cable wifi (so I knew it was working across multiple broadband providers and different LANs.

I don’t use putty or windows, both client and server are running Xubuntu 8.04, openssh, and Remote Desktop Viewer with Vino VNC, but the problem is the same as those using putty/windows… using “ssh -L 5901:localhost:3986 user@ip.com” returns timeout errors as the server port forwarding is not set up for 3986 (3986 is an open port at an example remote hotel found via nmap; ports I have forwarded at the server are 5900 and 443 right now while testing, 5901 is the port on the client machine that VNC is connected to – thought the ssh tunnel never gets set up to route through.).

Any suggestions other than forwarding “all” ports to the server machine (very risky)?

I’m thinking running the opensshd on port 80 on your machine at home, isn’t that port open *everywhere* ?

I’ll try that. however, my current example hotel has “free wifi” with these ports open (from nmap): 21 ftp, 53 domain, 1723 pptp, 2000callbook, 3986mapper-ws_ethd), but I am getting through to http…

Hi nice tutorial :)
And cant get it to work though.
In step 2.2 Proxy configuration you say I should fill in all the information about your proxy at work. Does that mean my ip (at work) ?
When I do this and try to connect I get “Network Error: Connection Refused”. I think I have done everything as I should. I have checked and rechecked everything.

it means the IP address (or hostname) of the proxy server at your work. What kind of proxy do you have? I have tried it on various proxy servers, and found that Microsoft’s ISA server didn’t work so well…