Seshan's Blog
Setting Up a Proxy/”VPN” using SSH over SSL.
March 24, 2019
Hey! It’s been a little while, but don’t worry, there is exciting stuff coming soon!
In the meantime, a friend wanted a tutorial on how to run a proxy (“VPN”) using SSH over SSL. This makes a really nice setup that can get through pretty much any firewall, as the SSH session and the traffic proxied through it appear as regular SSL web traffic on port 443.
To set this up, you’ll need a Linux server (Ubuntu 18.04 in my case) with port 443 open. (Note: if you want to run this alongside a normal web server, look at sslh. In this setup it would sit behind stunnel and route each connection to SSH or the web server depending on the protocol.)
Something like a DigitalOcean droplet is a cheap and effective choice.
Commands that start with “#” are run with sudo; commands that start with “$” are run as your normal user. Don’t type the “#” or “$”.
1. Install stunnel:
# apt install stunnel4
2. Generate a private key:
# openssl genrsa 1024 > stunnel.key
3. Generate a self-signed certificate for it:
# openssl req -new -key stunnel.key -x509 -days 1000 -out stunnel.crt
4. Combine them into the file stunnel reads and move it into place:
# cat stunnel.crt stunnel.key > stunnel.pem
# mv stunnel.pem /etc/stunnel/
5. Edit the following file…
# nano /etc/stunnel/stunnel.conf
and place the text…
pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem
[ssh]
accept = 0.0.0.0:443
connect = 127.0.0.1:22
6. Edit the defaults file…
# nano /etc/default/stunnel4
and change the line ENABLED=0 to ENABLED=1.
7. Final steps on the server:
# systemctl restart stunnel4
# systemctl enable stunnel4
Note: you’ll also want to set “GatewayPorts” to “yes” in /etc/ssh/sshd_config.
Now you need to set up SSH on your *nix client (Linux or macOS).
1. Edit your SSH config…
$ nano ~/.ssh/config
And put in the following content:
Host SOME_NAME
    User SERVER_USERNAME
    ProxyCommand socat - OPENSSL:SERVER_IP:443,verify=0
If socat is giving you problems (“E SSL_connect(): error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error”), use this ProxyCommand instead:
ProxyCommand openssl s_client -connect SERVER_IP:443 -quiet -servername YOUR_DOMAIN
Replace SOME_NAME with a name to identify the server. SERVER_USERNAME is the username of an account on the server, and SERVER_IP is the server’s IP address or domain.
The “-servername” argument is apparently needed on newer distros; set it to the domain name the certificate was issued for.
On macOS you’ll want to install socat using “brew install socat” (make sure Homebrew is installed).
2. Try connecting to the server.
$ ssh SOME_NAME
If it works, awesome! If not, try googling the issue/error.
3. Download sshuttle (“brew install sshuttle” on macOS). Then…
$ sshuttle -r SOME_NAME -x SERVER_IP 0/0
And there you go! Your system traffic should now be routed through sshuttle.
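As an added example (not code from the original post), the following POSIX shell script bundles the server steps above (certificate, stunnel.conf) and the client step (the ~/.ssh/config stanza) into functions, plus a small check that the TLS listener really hands the session to sshd. Two deliberate differences from the post: the key is 2048-bit rather than 1024-bit (1024-bit RSA is below the default OpenSSL security level on current Debian/Ubuntu builds), and the ProxyCommand pins the server’s own self-signed stunnel.crt with socat’s verify=1,cafile= options instead of verify=0, so a host in the path presenting a different certificate is refused rather than silently accepted. The function names, the example.invalid / 203.0.113.10 values and the paths in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the server steps
# (certificate + stunnel.conf) and the client step (~/.ssh/config stanza)
# in functions. Names, paths and addresses in the comments are constructed.
set -eu

# make_cert DIR CN: create DIR/stunnel.key, DIR/stunnel.crt and the combined
# DIR/stunnel.pem that stunnel reads. Uses a 2048-bit key: 1024-bit RSA is
# below the default OpenSSL security level on current Debian/Ubuntu builds.
make_cert() {
  dir=$1
  cn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1000 -subj "/CN=$cn" \
    -keyout "$dir/stunnel.key" -out "$dir/stunnel.crt" 2>/dev/null
  cat "$dir/stunnel.crt" "$dir/stunnel.key" > "$dir/stunnel.pem"
  chmod 600 "$dir/stunnel.key" "$dir/stunnel.pem"   # the pem holds the private key
  echo "$dir/stunnel.pem"
}

# check_pem PEM: succeed only if the combined file holds both a certificate
# and a private key (an easy mistake is moving only the .crt, or concatenating
# the wrong files).
check_pem() {
  grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}

# cert_fingerprint CRT: SHA-256 fingerprint of the certificate. Note it down on
# the server and compare it on the client before trusting a copied stunnel.crt.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# stunnel_conf PEM: the server config from step 5, TLS on 443 -> local sshd.
stunnel_conf() {
  cat <<EOF
pid = /var/run/stunnel.pid
cert = $1

[ssh]
accept = 0.0.0.0:443
connect = 127.0.0.1:22
EOF
}

# ssh_stanza NAME USER HOST CRT: the client config from the post, but with
# socat's verify=1,cafile= pinning the server's own self-signed stunnel.crt
# (copied to the client) instead of verify=0. The certificate's CN should be
# HOST (the IP or domain you connect to), as the post notes for -servername.
ssh_stanza() {
  cat <<EOF
Host $1
    User $2
    ProxyCommand socat - OPENSSL:$3:443,verify=1,cafile=$4
EOF
}

# ssh_banner_ok: read the first line from stdin and succeed only if it is an
# SSH identification string, i.e. the TLS listener really hands the session to
# sshd (an HTTP response here means port 443 is serving something else).
# Constructed check, run by hand from the client:
#   printf 'SSH-2.0-probe\r\n' | openssl s_client -connect HOST:443 -quiet \
#       -CAfile stunnel.crt -verify_return_error 2>/dev/null | ssh_banner_ok
ssh_banner_ok() {
  IFS= read -r line || return 1
  case $line in
    SSH-2.0-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed walk-through (run by hand; the first three as root on the server):
#   pem=$(make_cert /etc/stunnel vpn.example.invalid)   # writes /etc/stunnel/stunnel.pem
#   stunnel_conf "$pem" > /etc/stunnel/stunnel.conf
#   cert_fingerprint /etc/stunnel/stunnel.crt            # note this down
# then on the client, after copying stunnel.crt over and comparing fingerprints:
#   ssh_stanza vps alice vpn.example.invalid ~/.ssh/stunnel.crt >> ~/.ssh/config
```

With the pinned certificate in place, `ssh vps` and `sshuttle -r vps -x vpn.example.invalid 0/0` work exactly as in the post; the only behavioural change is that socat now aborts the connection if the certificate presented on port 443 is not the one you copied from the server.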
This is a really nice way to get through all sorts of firewalls, and it’s actually really fast (since it’s your own server). As a side note, you can also use “ssh SOME_NAME -D 5222” to start a SOCKS proxy on port 5222. This is pretty useful, since it’s faster than sshuttle. You’ll need to set the proxy in, for example, Firefox’s settings page. For other apps, use proxychains.