Tunneling out of Restrictive Networks

The scenario, a person tries to access a website of an independent news publication but is blocked by internet censoring appliances. How can this person access this site? One way is to use a proxy found on the internet. Another is to use the tor browser to tor itself. What this post is demostrating is how to setup a SSH Socks proxy wrapped by an SSL/TLS tunnel.

Just to be clear, I am not against the use of tor.

For this setup we will need a Linux server outside of the restrictive network that is under the user's control. On that server we will need to install stunnel,OpenSSH, and OpenSSL. The server will be an Ubuntu system. We will be using a Linux client for simplicity, but this concept should work on Mac and Windows based clients.

Server:

First, we'll install stunnel and openssh.

sudo apt-get update && apt-get install stunnel openssh-server openssh-client;

Next, we will configure the stunnel server as root or by using sudo.

vi /etc/stunnel/stunnel.conf;

Add the following lines to stunnel.conf.

cert=/etc/stunnel/stunnel/pem

pid=/var/run/stunnel.pid

[ssh]

accept=443

connect=127.0.0.1:22

This will configure stunnel to use /etc/stunnel/stunnel.pem as the SSL certificate. And use /var/run/stunnel.pid as the lock file. This configuration also defines the accepted inbound IP and port as well as the IP and port of the service to access. The inbound access is set to any IP on port 443. The reason for port 443 is that most networks allow general web access which means outbound traffic to port 80 and 443 are usually allowed. Port 443 is commonly used for SSL/TLS traffic on the Internet. So we will use this port as well so not raise any flags when traffic analysis is conducted. The service that stunnel will connect to is at IP 127.0.0.1 on port 22. This is the local (server's) SSH service running on the common ssh port, 22.

The next thing we will need to do is create a SSL/TLS certificate for stunnel. For this setup we will creating a self signed certificate. But using a certificate from a certificate authority is a possibility.

openssl genrsa -out key.pem 2048;

openssl req -new -x509 -key key.pem -out cert.pem -days 730;

cat key.pem cert.pem > /etc/stunnel/stunnel.pem;

Finally we will need to enable the stunnel service.

For Ubuntu we will need to edit /etc/default/stunnel4 as root or by using sudo.

vi /etc/default/stunnel4;

Change “ENABLED=0” to “ENABLED=1”.

Once the configurations are complete, start the service.

Executing “sudo netstat -lnp” will list the listening ports and their process ids and names.

Active Internet connections (only servers)

Proto     Recv-Q     Send-Q     Local Address     Foreign Address     State     PID/Program name

tcp         0               0              0.0.0.0:443           0.0.0.0:*                 LISTEN     4845/stunnel4

Client:

For the client we will install stunnel and openssh.

sudo apt-get update && apt-get install stunnel openssh-server openssh-client;

Like the server we will need to configure stunnel. Only for the client we only need to create the /etc/stunnel/stunnel.conf file.

As root or by using sudo, create /etc/stunnel/stunnel.conf.

vi /etc/stunnel/stunnel.conf;

Add the following to stunnel.conf.

pid=/var/run/stunnel.pid

client=yes

[ssh]

accept=443

connect=<Server's IP>:443

Where <Server's IP>, place the IP of the stunnel server. This configuration will connect to the server on port 443 and will use the local port 443 for tunneling.

Just like the server we need to enable the stunnel service.

As root or by using sudo edit /etc/default/stunnel4 and change “ENABLED=0” to “ENABLED=1”.

Now we can start the service and have the client connect create a SSL tunnel to our server.

Once the stunnel client service is started. We can create our Socks proxy with openssh.

To do this we will use a ssh command similar to this one.

ssh -p 443 -D 1234 <user>@127.0.0.1;

The user will be a user that is on the stunnel server. Port 443 is the port that ssh is listening on. Port 1234 is the port that will be used for the socks proxy. For added security, it is recommended to use key based authentication for ssh logins. That can be done by using the utility “ssh-keygen”.

Now we have a Socks proxy inside of a SSH tunnel inside of a SSL/TLS tunnel.

There are a couple ways to detect this setup from a network perspective.

First is SSL man in the middle. If the network has essentially a SSL man in the middle setup where the certificate is replaced with one where the traffic can be decrypted by the network owner. The traffic inside of the stunnel SSL tunnel would be decipherable. But since the traffic is also inside of a SSH tunnel we should be fine. The only issue is that the traffic is can now be identified as SSH traffic and will most likely be flagged.

 The second way to detect our setup would be through network traffic analysis. The traffic generated by this setup is not typical off SSL web traffic. The SSL connection will usually short lived. Our setup creates a SSL connection that would last as long as we are using the SSH Socks proxy.