The scenario, a
person tries to access a website of an independent news publication
but is blocked by internet censoring appliances. How can this person
access this site? One way is to use a proxy found on the internet.
Another is to use the tor browser to tor itself. What this post is
demostrating is how to setup a SSH Socks proxy wrapped by an SSL/TLS
tunnel.
Just to be clear,
I am not against the use of tor.
For this setup we
will need a Linux server outside of the restrictive network that is
under the user's control. On that server we will need to install
stunnel,OpenSSH, and OpenSSL. The server will be an Ubuntu system. We
will be using a Linux client for simplicity, but this concept should
work on Mac and Windows based clients.
Server:
First, we'll install
stunnel and openssh.
sudo
apt-get update && apt-get install stunnel openssh-server
openssh-client;
Next,
we will configure the stunnel server as root or by using sudo.
vi
/etc/stunnel/stunnel.conf;
Add
the following lines to stunnel.conf.
cert=/etc/stunnel/stunnel/pem
pid=/var/run/stunnel.pid
[ssh]
accept=443
connect=127.0.0.1:22
This
will configure stunnel to use /etc/stunnel/stunnel.pem as the SSL
certificate. And use /var/run/stunnel.pid as the lock file. This
configuration also defines the accepted inbound IP and port as well
as the IP and port of the service to access. The inbound access is
set to any IP on port 443. The reason for port 443 is that most
networks allow general web access which means outbound traffic to
port 80 and 443 are usually allowed. Port 443 is commonly used for
SSL/TLS traffic on the Internet. So we will use this port as well so
not raise any flags when traffic analysis is conducted. The service
that stunnel will connect to is at IP 127.0.0.1 on port 22. This is
the local (server's) SSH service running on the common ssh port, 22.
The
next thing we will need to do is create a SSL/TLS certificate for
stunnel. For this setup we will creating a self signed certificate.
But using a certificate from a certificate authority is a
possibility.
openssl
genrsa -out key.pem 2048;
openssl
req -new -x509 -key key.pem -out cert.pem -days 730;
cat
key.pem cert.pem > /etc/stunnel/stunnel.pem;
Finally
we will need to enable the stunnel service.
For
Ubuntu we will need to edit /etc/default/stunnel4 as root or by using
sudo.
vi
/etc/default/stunnel4;
Change
“ENABLED=0” to “ENABLED=1”.
Once
the configurations are complete, start the service.
Executing
“sudo netstat -lnp” will list the listening ports and
their process ids and names.
Active
Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4845/stunnel4
Client:
For
the client we will install stunnel and openssh.
sudo
apt-get update && apt-get install stunnel openssh-server
openssh-client;
Like
the server we will need to configure stunnel. Only for the client we
only need to create the /etc/stunnel/stunnel.conf file.
As
root or by using sudo, create /etc/stunnel/stunnel.conf.
vi
/etc/stunnel/stunnel.conf;
Add
the following to stunnel.conf.
pid=/var/run/stunnel.pid
client=yes
[ssh]
accept=443
connect=<Server's
IP>:443
Where
<Server's IP>, place the IP of the stunnel server. This
configuration will connect to the server on port 443 and will use the
local port 443 for tunneling.
Just
like the server we need to enable the stunnel service.
As
root or by using sudo edit /etc/default/stunnel4 and change
“ENABLED=0” to “ENABLED=1”.
Now
we can start the service and have the client connect create a SSL
tunnel to our server.
Once
the stunnel client service is started. We can create our Socks proxy
with openssh.
To
do this we will use a ssh command similar to this one.
ssh
-p 443 -D 1234 <user>@127.0.0.1;
The
user will be a user that is on the stunnel server. Port 443 is the
port that ssh is listening on. Port 1234 is the port that will be
used for the socks proxy. For added security, it is recommended to
use key based authentication for ssh logins. That can be done by
using the utility “ssh-keygen”.
Now
we have a Socks proxy inside of a SSH tunnel inside of a SSL/TLS
tunnel.
There
are a couple ways to detect this setup from a network perspective.
First
is SSL man in the middle. If the network has essentially a SSL man in
the middle setup where the certificate is replaced with one where the
traffic can be decrypted by the network owner. The traffic inside of
the stunnel SSL tunnel would be decipherable. But since the traffic
is also inside of a SSH tunnel we should be fine. The only issue is
that the traffic is can now be identified as SSH traffic and will
most likely be flagged.
The
second way to detect our setup would be through network traffic
analysis. The traffic generated by this setup is not typical off SSL
web traffic. The SSL connection will usually short lived. Our setup
creates a SSL connection that would last as long as we are using the
SSH Socks proxy.
