How to get around stupid firewalls that block ssh traffic.
While in Iceland, I was forced to work behind a firewall that would block most traffic to non-http ports and would even filter out ssh traffic to these ports. This left me unable to connect to my server.
To get around this limitation I used stunnel to disguise my ssh traffic as ordinary SSL traffic on port 443. What the tool does is simple: on the laptop it accepts a plain connection, wraps it in SSL and sends it to your server, where the same tool strips the SSL off again and forwards the plaintext to the local SSH port. The firewall only ever sees an SSL connection to port 443, which looks like https; the SSH handshake it would otherwise spot is hidden inside the encrypted stream.
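To see why simply running sshd on port 443 would not have helped, here is a small Python script (added here, not part of the original post) that does what a port-agnostic firewall does: look at the first bytes a client sends. The SSH banner and the TLS ClientHello are constructed inside the script (all-zero random, two cipher suites, the hostname yourserver.com from this post); the decoder is a minimal ClientHello parser, just enough to show that the record type, version, cipher list and SNI, if the client sends one, stay visible to a middlebox even though everything after the handshake does not.

```python
import struct
from typing import Optional

# Constructed sample of the first client bytes of a plain ssh connection:
# the identification string goes over the wire in the clear.
SSH_FIRST_BYTES = b"SSH-2.0-OpenSSH_8.9\r\n"

SERVER_NAME_EXT = 0  # TLS extension type for server_name (SNI)
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def classify_first_bytes(data: bytes) -> str:
    """Cheap protocol guess from the first bytes of a client's stream,
    the kind of check a port-agnostic filter applies."""
    if data.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 3
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    return "other"


def build_client_hello(sni: Optional[str] = None) -> bytes:
    """Build a minimal but well-formed TLS ClientHello record (constructed:
    all-zero random, empty session id, two cipher suites, null compression)."""
    cipher_suites = struct.pack("!HH", 0x1301, 0xC02F)
    body = b"\x03\x03" + bytes(32) + b"\x00"        # TLS 1.2, random, no session id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                             # one compression method: null
    extensions = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SERVER_NAME_EXT, len(name_list)) + name_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data: bytes) -> Optional[dict]:
    """Decode the ClientHello fields that travel in the clear: protocol
    version, offered cipher suites and the SNI host name (None if absent)."""
    if classify_first_bytes(data) != "tls" or len(data) < 5:
        return None
    record_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + record_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = (body[pos], body[pos + 1]); pos += 2
    pos += 32                                   # random
    pos += 1 + body[pos]                        # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # compression methods
    sni = None
    if pos + 2 <= len(body):
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            ext = body[pos:pos + ext_len]; pos += ext_len
            if ext_type == SERVER_NAME_EXT:
                q = 2                           # skip server_name_list length
                while q + 3 <= len(ext):
                    name_type = ext[q]
                    name_len = struct.unpack("!H", ext[q + 1:q + 3])[0]; q += 3
                    if name_type == 0:
                        sni = ext[q:q + name_len].decode("ascii")
                        break
                    q += name_len
    return {"version": TLS_VERSIONS.get(version, f"{version[0]}.{version[1]}"),
            "cipher_suites": suites, "sni": sni}


if __name__ == "__main__":
    for sample in (SSH_FIRST_BYTES, build_client_hello("yourserver.com"), build_client_hello()):
        kind = classify_first_bytes(sample)
        print(kind, parse_client_hello(sample) if kind == "tls" else sample)
```

The ssh sample is classified on its very first four bytes, which is all a filter needs to drop it regardless of port; the wrapped connection only shows a handshake that looks like any browser's, so the firewall has to let it through if it lets https through at all.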
This post just documents my config settings, because it took me a bit to figure out how to set things up.
Server side, in stunnel.conf (with only cert set, stunnel also reads the private key from that file, so the PEM has to contain both the certificate and the key):

[ssh]
# accept SSL connections on port 443 to make it look like https
accept = 443
# connect any incoming traffic to port 22 for ssh
connect = 22
# a self-signed certificate generated with openssl
cert = /etc/stunnel/cert.pem
Also don't forget to enable the service in /etc/default/stunnel4 by setting

if your distro requires it.
If something goes wrong, it is likely either that you need to set

in one of these files so that stunnel is allowed to create its pid file in /var/run, or that it cannot find the certificate (which is obviously needed for SSL connections).
Client side, on the laptop:

# act as client, not as server
client=yes
# create a pid file
pid=/tmp/stunnelclient.pid
# use all ssl versions, but not sslv2 since it's buggy
# it might be you don't need these 2 lines but mine kept complaining
# about an SSL version mismatch because it kept trying to connect with
# SSLv2 to the SSLv3 server.
sslVersion=all
options=NO_SSLv2

[stunnel-ssh]
# accept ssh connections on localhost:22222
accept=22222
# forward the SSL connection to this address:port
connect=yourserver.com:443
And that's it. If you start the stunnel service on both machines, you should be able to run

ssh -p 22222 localhost

and reach your server (ssh takes the port via -p; it does not understand host:port). One thing to keep in mind: the client config has no verify setting, so stunnel accepts whatever certificate the far end presents. The SSL layer is camouflage, not authentication; what actually proves you are talking to your own server is still ssh's host key check, so treat a changed host key warning on the new tunnel as seriously as anywhere else.
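Since the client config above never tells stunnel which certificate to expect, here is a small Python lint (added here; it is neither part of the original post nor of stunnel) that parses an stunnel config, flags client services that skip server-certificate verification or still permit SSLv2/SSLv3, and inserts the fix: verify = 2 with CAfile pointing at a copy of the server's self-signed cert.pem, which pins that certificate. CLIENT_CONF is a copy of the config from this post; the path /etc/stunnel/cert.pem on the laptop holding that copy is an assumption.

```python
import re
from typing import Dict, List

# The client-side config from this post, reproduced as the sample input.
CLIENT_CONF = """\
# act as client, not as server
client = yes
pid = /tmp/stunnelclient.pid
sslVersion = all
options = NO_SSLv2
[stunnel-ssh]
accept = 22222
connect = yourserver.com:443
"""

Section = Dict[str, List[str]]


def parse_stunnel_conf(text: str) -> Dict[str, Section]:
    """Parse stunnel's ini-style file: global options are stored under the
    key "", each [service] under its name. Keys are lowercased so lookups
    here are case-insensitive; repeated keys (several 'options =' lines)
    are kept as a list in file order. Lines starting with # or ; are comments."""
    sections: Dict[str, Section] = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key.lower(), []).append(value)
    return sections


def effective_options(conf: Dict[str, Section], service: str) -> Section:
    """Service-level options override global ones; 'options' lists are merged."""
    eff = {k: list(v) for k, v in conf[""].items()}
    for k, v in conf[service].items():
        eff[k] = (eff.get(k, []) + v) if k == "options" else list(v)
    return eff


def lint_client_conf(text: str) -> List[str]:
    """Report client services whose TLS layer does not authenticate the
    server (verify < 2 and no verifyPeer/verifyChain) or still allows
    SSLv2 or SSLv3."""
    conf = parse_stunnel_conf(text)
    findings: List[str] = []
    for service in conf:
        if service == "":
            continue
        eff = effective_options(conf, service)
        if eff.get("client", ["no"])[-1].lower() != "yes":
            continue  # server-side service: nothing to check here
        level = eff.get("verify", ["0"])[-1]
        strict = level.isdigit() and int(level) >= 2
        strict = strict or any(eff.get(k, ["no"])[-1].lower() == "yes"
                               for k in ("verifypeer", "verifychain"))
        if not strict:
            findings.append(f"[{service}] no server certificate verification: any certificate is accepted")
        elif "cafile" not in eff and "capath" not in eff:
            findings.append(f"[{service}] verification enabled but no CAfile/CApath to check against")
        version = eff.get("sslversion", ["all"])[-1].lower()
        disabled = {o.upper() for o in eff.get("options", [])}
        for old in ("SSLv2", "SSLv3"):
            if version in ("all", old.lower()) and f"NO_{old.upper()}" not in disabled:
                findings.append(f"[{service}] {old} still allowed (sslVersion = {version} without options = NO_{old})")
    return findings


def harden_client_conf(text: str, cafile: str) -> str:
    """Insert strict verification into the global section, before the first
    [service]. With a self-signed server certificate, CAfile is simply a copy
    of that certificate, which pins it."""
    added = [
        "# require the server's certificate to validate against the pinned copy",
        "verify = 2",
        f"CAfile = {cafile}",
        "# SSLv3 deserves the same treatment as SSLv2",
        "options = NO_SSLv3",
    ]
    lines = text.splitlines()
    first = next((i for i, l in enumerate(lines) if l.strip().startswith("[")), len(lines))
    return "\n".join(lines[:first] + added + lines[first:]) + "\n"


if __name__ == "__main__":
    print("\n".join(lint_client_conf(CLIENT_CONF)) or "no findings")
    print(harden_client_conf(CLIENT_CONF, "/etc/stunnel/cert.pem"))
```

The lint reports two things for the config from this post: the missing verification and the fact that NO_SSLv2 alone still leaves SSLv3 open. After hardening, the server side must of course still speak something newer than SSLv3, and the copy of cert.pem on the laptop has to be refreshed whenever the server's certificate is regenerated.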
ssh -N -D 7070 -p 22222 localhost

creates a SOCKS proxy on localhost:7070 that lets you push any traffic via the server, which is great for really annoying networks. I'm gonna try using this when I'm in China soon ;-)