Tunneling SSH Traffic Through the Corporate Proxy

Posted on October 11, 2010 by vpnman

If you are unable to establish a VPN connection for what ever reason be it software ssh logorestrictions, blocked ports etc, you could always try an SSH tunnel. This method of bypassing the corporate or university firewall is not as useful, the reason for this is because you require the ability to change the proxy settings in each application which should connect via your tunnel. Where as a VPN connection will redirect your default gateway meaning ALL traffic including DNS etc will be protected. SSH tunnels can be victim to DNS leaks.

DNS Leaks

DNS leaks occur when a DNS look up is requested this is then queried against your corporate or university DNS server, which potentially means your network administrator can still see what you are intending to look at.
Update:
A reader pointed out that it is possible to fix this issue by typing about:config in to the address bar and to search for dns. Find the entry that is related to remote socks dns and change its value to dns. This should solve the DNS leak.

Firefox socks proxy DNS settings

Why SSH tunnels often work via port 443

SSH tunnels are usually very successful and the reason for this is because most, not all but most corporate and university proxies do not inspect HTTPS traffic. Instead when a HTTPS connection is requested the proxy allows a CONNECT on port 443 to the destination HTTPS server in theory providing a direct connection. Now to get this to work you are going to need your SSH server listening on port 443, you can specify multiple ports for sshd to listen on.

The location of the sshd_config on CentOS is “/etc/ssh/sshd_config”, you will need to open this file in your favourite text editor such as “Nano” and find the line which looks like this “#Port 22″. Uncomment the line so it looks like “Port 22″ then directly below on the next line put “Port 443″ you must bear in mind that your server must NOT have anything else listening on port 443 for this to work. Once you are happy you have done this correctly save the file and then issue the command “service sshd restart” or on Debian this would be “/etc/init.d/sshd restart”. Your SSH server should now be listening on both Port 22 and Port 443.

Configuring Putty

Now open Putty and click on the “Proxy” category on the left. Now fill in your proxy details. Replace “corporate proxy host name or ip address” with the IP address or hostname of your corporate or university proxy server, now do the same with the port number. Usually the port number will be 8080 or 3128 but where I work it is 8090 (I have no idea why).

putty proxy settings

Now select the “Session” category on the left, again you will need to replace some examples here with your own settings starting with “ssh server host name or ip address” replace this with the IP address or hostname of your SSH box. The same with the port number you need to set this to “443″. Under “Saved Sessions” enter a descriptive name in the text box such as our example “ssh proxy connection” and then click save.

putty configuration

Ok now for the last setting within Putty, you need to enable a dynamic port forward to allow proxied traffic to pass through the SSH tunnel. On the Category list on the left under “Connection” click “SSH” and this shall expand another menu with options such as “Kex, Auth, TTY, X11, Tunnels, Bugs”. Click on “Tunnels” and then replicate the settings below. Ensure the “Source port” is set, in this example we have used port 5000 but you can use anything that is not already in use, I would suggest staying with 5000 just to make things easier though.

putty tunnel settings

Now click the “Add” button and the setting should be applied and added to the “Forwarded ports:” list just like the example below. Notice the “D5000″ in the “Forwarded ports:” list? This basically means there will be a socks proxy listening on port 5000.

putty tunnel settings saved

We dont want to have to enter these settings every single time we want to connect to our tunnel server so go back to the “Session” category and click the save button. Your session will now be saved and appear in the “Saved Sessions” list below “Default Settings”

putty save session

Double click on your saved session within putty and a black window will pop up asking for you to enter a username, once you have entered this press the “Return” key and you will be prompted for a password. The same with the password enter this and press the return key, now if you entered a valid login for an SSH enabled account on your server you will be shown a system shell.

putty ssh session

In theory if you see the shell your tunnel should be established and you should be able to set the proxy settings within your applications to connect via the tunnel. An example for Firefox is below.

firefox proxy settings

Click ok and then within Firefox browse to “http://www.whatismyip.com” and this should now show the IP address of your SSH server! Congratulations you have now made a tunnel straight through your corporate or university firewall.

That’s it! Having trouble?

If you couldn’t get this to work just leave a comment and I will try to help you out. Remember though as always trying anything like this could be a severe breach of your networks acceptable use policy!

Posted in Miscellaneous | Tagged , , , , , | 6 Comments

Unblocking Skype in UAE, Belize etc

Posted on October 11, 2010 by vpnman

In order to combat the continuous threat of lost revenue there are many Internet skype logoservice providers in many countries who are blocking their customers from using Skype. There are for example Internet service providers within Brazil, Belize, Mexico, China, Columbia, Cuba, United Arab Emirates (UAE) and more who have adopted this practice. Some of the providers either severely shape Skype traffic to slow it down or they block this all together.

If you have ever visited a country or been resident on an Internet service providers network whom blocks Skype you can appreciate how frustrating this can be. Some people also have family in these countries or use certain Skype blocking Internet service providers, this results in relatives having to make ludicrously expensive long distance phone calls.

There is a known solution to circumvent this issue of Skype being blocked, by using a Virtual Private Network (VPN). Not only will this bypass the blocks set in place, your data will be encrypted keeping your ISP from traffic shaping any encapsulated data (unless they shape VPN traffic). By connecting to a VPN server your traffic is sent in an encrypted form to the VPN server (usually residing in a different country) and from there on its forwarded to its destination.

You may setup your own VPN server but the easiest and usually most cost effective way is to purchase a VPN service, there are many providers to choose from such as “StrongVPN
Once you have got a VPN service all of your Skype traffic will bypass any blocks which means you once again can have cost effective voice conversations with your loved ones.

There are many different types of VPN service and StrongVPN happen to sell most of them. Starting at $7 per month (approx £4.38, the cost of a couple of pints) they are one of the most competitively priced VPN service providers with many end point locations round the world. They also offer a 7 day unconditional money back guarantee! and 24×7 support! This is certainly a provider you can’t go wrong with.

To order your self a very reliable and competitively priced VPN service click the banner below to take you directly to the StrongVPN website.

Posted in Service Providers, VPN uses | Tagged , , | 2 Comments

Windows 7 Connecting to PPTP VPN

Posted on October 8, 2010 by vpnman

Windows 7 has a built in VPN client which is simple and very easy to use. To get connected to your anonymous VPN service just go through the following few simple steps to get connected as quickly as possible.

  1. In your system tray right click the computer icon and select “Open Network and Sharing Center”
    network and sharing center
  2. Now the Network and Sharing Center will show you some options. Under the subheading “Change your network settings” click on “Setup a new connection or network”
    setup connection or network
  3. Now from the next screen you need to select “Connect to a workplace”connect to a workplace
  4. If you already have another VPN or Dial-Up connection setup you will see the following screen. You need to select “No, create a new connection” if you do see this screen, however if you don’t see it proceed straight to Step 5
    use existing connection
  5. You will now have two options “Use my Internet connection (VPN)” or “Dial directly” we need to select “Use my Internet connection (VPN)”
    use my internet connection
  6. This is the part where you are going to need your VPN login details, make sure you have the VPN hostname / IP address to hand. In the “Internet address:” text box we need to enter the VPN hostname or IP address, for example we have used “vpn01.myvpnserver.com“. For the “Destination name:” enter a descriptive name to describe your VPN. Once you have entered the required details click the “Next” button to continue.
    internet address to connect to
  7. Make sure you have your username and password handy because this is the step where you will need them. In this example our username is “vpnusername” and our password is hidden. Tick the “Remember this password” checkbox and click “Connect”
    type username and password
  8. You should now be presented with a screen similar to the following.
    connecting to vpn server
  9. After another few moments if everything went well you should now be connected to the VPN. This is confirmed by the following screen.
    windows connected to vpn
  10. You can confirm at any time if you are connected to the VPN by left clicking the computer icon on the system tray. This should show the VPN Server name, in our example “My VPN Server” and then next to it the words in bold “Connected”
    windows currently connected
Posted in Miscellaneous, Point To Point Tunneling Protocol (PPTP) | Tagged , , | Leave a comment

OpenVPN UDP or TCP, Which is Better?

Posted on October 7, 2010 by vpnman

This question has been asked many times before. “Which is better for OpenVPN TCP or UDP” bluntly neither is better. TCP is more reliable than UDP however UDP performs better than TCP.

As TCP is a stateful protocol every packet that is sent requests that an acknowledgement “ACK” packet is received as a reply. This causes a greater overhead on TCP connections but does make them more reliable.

UDP on the other hand is a stateless protocol. This means that packets are sent and assumed that they are received the other end with no retry or acknowledgement. This will make UDP quicker than TCP but less reliable. On a network as big as the Internet there can often be packet loss. Each connection you initiate crosses many routers on many different ISP’s if one ISP is having some issues this may cause packet loss meaning your data does not get to its destination.

OpenVPN in UDP mode will resend data if it is not received at the other end as the encapsulated TCP / IP protocol will recognize the packet loss and try a retransmission of the data.

UDP SSL VPN’s are better for VoIP and Gaming traffic where as a TCP SSL VPN is better for overall reliability.

Posted in OpenVPN | Tagged , , , , , | Leave a comment

Setting up the PPTP Client on Windows XP

Posted on October 7, 2010 by vpnman

Getting connected to a PPTP VPN with Windows XP is really easy. There are only a few short steps to take before you can be browsing anonymously. Make sure before you start that you are armed with your VPN login details such as the user name, password and host name / IP address.

  1. Goto Control Panel -> Network Connections and then click the “New connection wizard” icon.
  2. You will now see the “New connection wizard” screen.
    network connection wizard
  3. Click “Next” and you will then see three options. Make sure you select “Connect to the network at my workplace”
    connect network workplace
  4. Click next and you will now be shown some more options, make sure “Virtual Private Network connection” is selected.
  5. Click next and then you will be prompted to enter a connection name for your VPN. Note this is NOT the server address this is a descriptive name only.
    vpn connection name
  6. If you currently have other other dial up connections defined you may see the following screen, if you see this screen select “Do not dial the initial connection” and then click “Next”. If this screen is not displayed skip to Step 7.
    do not dial initial connection
  7. Now you should see a screen asking for the VPN server host name or IP address. Example “vpn01.myvpnserver.com” then click “Next”
    vpn server hostname
  8. If you have multiple users setup on your system, you will be asked if you would like other users to be able to use this connection. We don’t want people using our VPN so select “My use only”.
    vpn connection availability
  9. Once you click “Next” you have now finished the basic VPN configuration, you may want to create a desktop shortcut to make it easy to connect to your VPN.
    complete vpn wizard
  10. Once you have clicked “Finish” you will be presented with the VPN connection dialogue, Enter your user name and password then click the “Connect” button. You may choose to tick “Save this username and password …” if you do not want to enter your VPN login details each time you connect.
    vpn connection dialogue
  11. Congratulations! You should now be connected to your VPN service. If not leave a comment and I will try to help you.
    windows vpn connected
Posted in Point To Point Tunneling Protocol (PPTP) | Tagged , , , | 1 Comment

Connect to PPTP VPN From Android 2.2 (Froyo)

Posted on October 6, 2010 by vpnman

Android phones are able to connect directly to VPN servers allowing you to bypass most restrictions put in place by your network operator. In the UK BBC iPlayer mobile is only accessible if you are on Vodafone or Three (3). It would appear the beep do a pretty good job of blocking any other networks from accessing the service, or is it the networks doing the blocking?

Well anyway! If you are not on Vodafone or Three (3) then you can still access iPlayer as long as your network does not block VPN traffic too.

First of all you will need to get a VPN account, you can get such an account from StrongVPN. Once you have the account make sure you note down the VPN server IP address or host name and the user name and password required to connect.

Please note that the instructions below are for the “HTC Desire” Smart Phone other models may vary slightly.

  1. From the home screen press the menu button
  2. Select settings by taping it once
  3. Select Wireless & networks
  4. Select VPN Settings
  5. Select Add VPN
  6. Select Add PPTP VPN
  7. Click VPN name and provide a description such as “StrongVPN” and then press tap ok.
  8. Click “Set VPN Server” now enter the host name or IP address for your VPN server e.g vpn.server.com
  9. Make sure the tick box “Enable Encryption” is ticked.
  10. Now press the back button to bring you back to the “VPN settings screen”
  11. Find your VPN you just created in the list then tap and hold it, a new menu will be shown
  12. From the new menu there will be an option “Connect to network” tap this.
  13. If you have not setup a VPN before you will be prompted to create a pass phrase for the credential storage. If you have setup the credential storage before just enter your password then tap ok.
  14. Now a new screen will be shown “Connect to <network name here>” enter the user name and password for your vpn connection and then tap “Connect”
  15. You will now be back at the “VPN Settings” screen, you will notice that under your VPN name it will show “connecting” after a few seconds this should change to “Connected”

Congratulations! If your VPN is now showing as “Connected” all of your internet traffic from your phone is being routed via your VPN server. If however the connection failed please keep reading.

If your VPN network did not connect correctly please check your network settings (are you connected to WiFi? Has your phone got any signal). Once this is done double check your VPN settings and then try again.

If you still cant get your VPN to work then leave a comment here and I will endeavour to help you out.

Posted in Smartphones, VPN uses | Tagged , , , | 8 Comments

Watching BBC iPlayer Abroad

Posted on October 6, 2010 by vpnman


There are some very good uses for VPN’s be it unblocking content, getting a public IP address or avoiding traffic shaping policies. Another great use for a VPN is to watch BBC iPlayer abroad. For this to work you are going to need a VPN service which is hosted within the United Kingdom and provides a UK IP address.

The BBC iPlayer service uses geo-location to figure out where you are connecting from. For example if you are connecting from China then the service is not going to allow you to access the content. The reason for this is beacuse BBC iPlayer is only intended for UK residents.

If you are an British expat this can be annoying as you are unable to watch all of your favourite shows such as Eastenders on demand. By using a UK VPN your computer where ever it may be, China, United States, Brazil it will provide you with a UK IP address which means you will now be able to access the BBC iPlayer service from overseas.

The BBC are cracking down on this and may possibly block certain VPN providers IP ranges from connecting. StrongVPN however offer a 7 day money back guarantee so it does not hurt to try.

Posted in Miscellaneous, VPN uses | Tagged , , , , | 3 Comments

Case Study: Bypass University Traffic Shaping

Posted on October 6, 2010 by vpnman

Recently one of my friends at an undisclosed university was frustrated at the speed of the connection they were receiving. The basic connection provided in halls has a maximum speed of 4mbit unless you want to pay some extra money to have this upgraded to 8mbit. The annoying part is that my friend was not even getting the full 4mbit connection speed. YouTube videos were taking a few minutes to buffer and speedtest.net was returning a connection speed figure closer to 1mbit than 4mbit! I bet you are thinking the same as me!? 1mbit is not worthy of anything in this day and age.

Luckily for my friend I have a Windows 2003 web server setup which has a HUGE monthly traffic quota, I have also setup routing and remote access on this server to allow VPN dial in via both IPsec and PPTP. All it took was for me to setup an account for my friend, enable their account for routing and remote access and then provide the IP of the server and the user login details. Once my friend had the details he created the VPN connection in Windows and connected. The connection was made via PPTP successfully, ok so far so good!

Next it was time to test if this fixed the issue of the slow Internet connection. As you are probably aware by reading this, most universities have a huge connection usually somewhere from 100mbit upwards. There would have to be at least 99 other people using 1mbit each for my friends connection to be affected which I personally think was not the case. I got him to fire up his browser and go to WhatIsMyIP.com to confirm the public IP address presented was the one of the web server which it was. Next we ran a speed test at SpeedTest.net, this time the SpeedTest.net returned a connection speed of 4mbit exactly!!! This just goes to prove that the university or connection provider had employed some sort of traffic shaping or traffic prioritization policy.

This just shows not only does a VPN unblock things like facebook, myspace, youtube ect. It can also increase the speed of the connection you receive. If you are at university I am pretty sure you would not look back at using a VPN, you would be the envy of your friends.

Posted in Miscellaneous | Tagged , , , , , | 2 Comments

Using a VPN: Bypass The College Firewall

Posted on October 6, 2010 by vpnman

In the last few years I have had many friends who have set off to university to continue their studies ….. (of alcohol intoxication). Ok seriously not everyone goes to university for partying and drinking it just comes as a part of the package (yea right!). These friends that have moved to halls often expressed their anguish about the supplied university internet connection, many have told me its slow, facebook, myspace, youtube, adult sites ect are blocked.

As you can imagine it can be annoying having a crippled internet connection which blocks most the good stuff and traffic shapes the remaining good stuff. This is where a VPN can come in very handy (if your university does not block it). Most university students that I know have been able to use some type of VPN connection to bypass the firewall / content filter. Getting a VPN established at university is dependant on what is already blocked or filtered. In most cases I have always been able to get a connection established and bypass the content restrictions in place.

Usually the best bet is running OpenVPN on port 443 as this appears to the university firewall as innocent secure http (HTTPS) traffic. The downside being you will need to install a specific client to connect to an OpenVPN server but this is not too much of a hassle as the client works on Windows, Linux and OSX. From what I can gather most VPN providers whom supply OpenVPN connections do have their servers listening on TCP port 443. Another good port to use but not so common is UDP port 53 as this is usually open to allow DNS traffic but the traffic can be caught by Intrusion Detection Systems (IDS) as it will not look like genuine DNS traffic.

Another option that has been successful is Point to Point Tunneling Protocol (PPTP) VPN’s these rely on TCP port 1723 and IP protocol 47 (GRE) to be established. There is usually a PPTP client built into your operating system, I know Windows comes as standard with a PPTP client. Connecting to a PPTP VPN service on Windows is pretty easy as all the options are presented in a graphical form. Once the VPN has been configured to connect all you need to do is goto your Dial-Up Connections and the VPN connection will be listed, double click it then press connect.

IPsec VPN services whilst being typically the most secure do not work well most of the time. This type of VPN was never really designed to work behind a Network Address Translator (NAT) it was intended for site to site connectivity not point to point. When configured for NAT traversal the packets for the VPN are sent over UDP port 500, if your university does not block UDP ports you may be in luck.

As you can see there are many types of VPN protocols available to use but not all of these will work in every environment. Our partner StrongVPN however offer a 7 day no questions asked money back gaurentee. This is useful as if you do purchase the incorrect VPN type you can always get your money back and switch.

Posted in Miscellaneous | Tagged , , , , , , , | Leave a comment

Secure Your Traffic: Public WiFi Zones

Posted on October 5, 2010 by vpnman

Did you know that most public wireless networks do not employ any encryption of any sort? This means that anything you transmit or receive from your device, be it a laptop, smart phone or PDA is being broadcast over their airwaves with no security! This is not strictly true if you are accessing secure services such as HTTPS or IMAPS but usually this is not the case!

Not only is it dangerous to broadcast your data over an unsecured network it is also plainly stupid! I have heard of a horror story where one person went to the airport to catch a flight, while they were waiting for their flight they accessed their online banking via the public wifi and went along with their day thinking nothing of it. Only later did this person realise when they got to their destination and tried to withdraw cash they were unable to. It turns out that the login details for their online banking had been intercepted in the airport by another person and then used.

Although the above example is not as likely to happen today due to the increased security that banks now use there are other details that could be captured. Anything which does not use a secure protocol is being sent and received in cleartext for everyone to read. You are also relying on the sole security of the service you are using, if someone managed to figure out how to crack the key for the HTTPS connection or your IMAPS connection then they could then decrypt the data.

There is a way to prevent this though. By using a secure VPN connection EVERYTHING that is transmitted over the network is encrypted keeping it safe from prying eyes. This gives you extra protection when accessing encrypted services as there are now two layers of encryption to circumvent. This also keeps you safe when using non encrypted services as this is encrypted by the VPN all the way back to the VPN server and from that point is then sent in clear text back to its destination.

If you frequently use public WiFi zones then you should seriously consider looking into purchasing a secure VPN service.

Posted in Miscellaneous | Tagged , , , , | 1 Comment