How to get around stupid firewalls that block ssh traffic.

While in Iceland, I was forced to work behind a firewall that would block most traffic to non-http ports and would even filter out ssh traffic to these ports. This left me unable to connect to my server.

In order to get around this limitation, I was able to utilize stunnel to masquerade my ssh traffic as plain SSL traffic. What the tool does is simple: it takes all your traffic, encrypts it with SSL and sends it to your server, where the same tool decrypts it again and forwards it to the SSH port.

This post just documents my config settings, because it took me a bit to figure out how to set things up.

Server Config

/etc/stunnel/ssh.conf

[ssh]
# accept SSL connections on port 443 to make it look like https
accept = 443
# connect any incoming traffic to port 22 for ssh
connect = 22
# a self-signed certificate generated with openssl
cert = /etc/stunnel/cert.pem

Also don't forget to enable the service in /etc/default/stunnel4 by setting

ENABLED=1

if your distro requires it.

If something goes wrong, it's likely either that you need to set

pid=/stunnel4.pid

in one of these files so that stunnel can create its pid file in /var/run, or that stunnel can't find the certificate (which is obviously needed for SSL connections).

Client Config

/etc/stunnel/ssh.conf

# act as client, not as server
client=yes
# create a pid file
pid=/tmp/stunnelclient.pid
# use all ssl versions, but not sslv2 since it's buggy
# it might be you don't need these 2 lines but mine kept complaining
# about an SSL version mismatch because it kept trying to connect with
# SSLv2 to the SSLv3 server.
sslVersion=all
options=NO_SSLv2

[stunnel-ssh]
# accept ssh connections on localhost:22222
accept=22222
# forward the SSL connection to this address:port
connect=yourserver.com:443

And that's it. If you start the stunnel service on both machines, you should be able to run ssh -p 22222 localhost and reach your server.
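The script below is an added example, not code from this post or from the stunnel project. It parses the stunnel config syntax used above (global settings first, then [service] sections, # comments, keys such as options that may repeat) and reports what a defender would change in the two files: as written, the client config lets the SSL layer accept any server certificate (the SSH host-key check still protects the session inside the tunnel, but the outer layer pins nothing), and neither file excludes SSLv3. The sample configs are constructed copies of the ones above; the hardened client variant uses stunnel's existing verify, CAfile and options settings, with a placeholder path for a copy of the server's certificate.

```python
"""Audit stunnel configs like the ones in this post (added example)."""
import re

# Constructed samples: the post's server and client configs.
SERVER_CONF = """\
[ssh]
# accept SSL connections on port 443 to make it look like https
accept = 443
connect = 22
cert = /etc/stunnel/cert.pem
"""

CLIENT_CONF = """\
client=yes
pid=/tmp/stunnelclient.pid
sslVersion=all
options=NO_SSLv2

[stunnel-ssh]
accept=22222
connect=yourserver.com:443
"""

# Constructed hardened client: the outer SSL layer now pins the server's
# self-signed certificate (verify level 3 = match a locally installed
# certificate) and refuses SSLv3 as well as SSLv2.  The CAfile path is a
# placeholder for a copy of the certificate part of the server's cert.pem.
HARDENED_CLIENT_CONF = """\
client=yes
pid=/tmp/stunnelclient.pid
sslVersion=all
options=NO_SSLv2
options=NO_SSLv3

[stunnel-ssh]
accept=22222
connect=yourserver.com:443
verify=3
CAfile=/etc/stunnel/server-cert.pem
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_stunnel_conf(text):
    """Return (global_settings, {service: settings}); values are lists."""
    global_settings, services = {}, {}
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = services.setdefault(m.group(1).strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key, []).append(value)  # keys may repeat
    return global_settings, services


def audit(text):
    """Return a list of findings; an empty list means nothing to fix."""
    glob, services = parse_stunnel_conf(text)
    findings = []
    is_client = glob.get("client", ["no"])[-1].lower() == "yes"
    if not services:
        findings.append("no [service] section: stunnel has nothing to forward")
    for name, svc in services.items():
        def setting(key, svc=svc):
            # A per-service value overrides the global one.
            return svc.get(key, glob.get(key, []))
        for required in ("accept", "connect"):
            if not setting(required):
                findings.append(f"[{name}] missing {required}=")
        options = set(glob.get("options", []) + svc.get("options", []))
        if "NO_SSLv3" not in options:
            findings.append(f"[{name}] config does not exclude SSLv3; add options = NO_SSLv3")
        if is_client:
            if not setting("verify"):
                findings.append(
                    f"[{name}] client does not verify the server certificate: "
                    "any SSL endpoint is accepted (SSH host-key checking still "
                    "protects the inner session); pin the server cert with "
                    "verify = 3 and CAfile = <server certificate>")
            elif setting("verify")[-1] == "3" and not setting("CAfile"):
                findings.append(f"[{name}] verify = 3 needs CAfile = <server certificate>")
        elif not setting("cert"):
            findings.append(f"[{name}] server needs cert= (key and certificate PEM)")
    return findings


if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF),
                        ("hardened client", HARDENED_CLIENT_CONF)):
        print(f"== {label}")
        for finding in audit(conf) or ["ok"]:
            print("  " + finding)
```

Run it against your own /etc/stunnel/ssh.conf by passing the file's contents to audit(); the hardened client block above is what a clean run looks like for the client side.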

Also nice: ssh -N -D 7070 -p 22222 localhost creates a SOCKS proxy on localhost:7070 that lets you proxy any traffic via the server, which is great for really annoying networks. I'm gonna try using this when I'm in China soon ;-)