Setting Up a Proxy/"VPN" using SSH over SSL

Seshan Ravikumar (aka. Seshpenguin), 2019-03-24, /2019/03/24/59/

Hey! It’s been a little while, but don’t worry, there is exciting stuff coming soon!
In the meantime, a friend wanted a tutorial on how to run a proxy ("VPN") using SSH over SSL. The SSH session is wrapped in TLS on port 443, so to a firewall that filters by port and protocol the connection, and everything proxied through it, looks like ordinary HTTPS traffic. (A proxy that inspects TLS more closely, for example one that expects a certificate it can validate, can still tell the difference, so this gets past simple filtering rather than guaranteeing invisibility.)

To set this up, you'll need a Linux server (Ubuntu 18.04 in my case) with port 443 open. (If you want to run this alongside a normal web server, look at sslh: stunnel terminates TLS on 443 and hands the plaintext to sslh, which sends SSH clients on to sshd and HTTP clients on to the web server.)
Something like a DigitalOcean droplet is a cheap and effective choice.
Commands that start with "#" are run as root (with sudo); commands that start with "$" are run as a normal user. Don't type the "#" or "$".

# apt install stunnel4

Generate a private key and a self-signed certificate. 1024-bit RSA is below current minimums, so use at least 2048 bits. When openssl req prompts for the subject, put the server's hostname in the Common Name: the client-side -servername and certificate checks below have to match it.

# openssl genrsa 2048 > stunnel.key

# openssl req -new -key stunnel.key -x509 -days 1000 -out stunnel.crt

stunnel reads the certificate and the private key from one PEM file. Since that file contains the private key, keep it readable by root only, and keep stunnel.crt around: you can copy it to the client later to verify the server instead of trusting any certificate.

# cat stunnel.crt stunnel.key > stunnel.pem
# mv stunnel.pem /etc/stunnel/
# chmod 600 /etc/stunnel/stunnel.pem

  1. Edit the following file…

# nano /etc/stunnel/stunnel.conf

and place the text…

    pid = /var/run/stunnel4.pid
    cert = /etc/stunnel/stunnel.pem

    [ssh]
    accept = 443
    connect = 127.0.0.1:22

pid must be a file path stunnel can create, not a bare directory; /var/run/stunnel4.pid works when the service runs as root. [ssh] is a service section header (the name is just a label), which stunnel requires before the accept/connect pair: accept = 443 is the TLS listener the client talks to, and connect = 127.0.0.1:22 is where the decrypted SSH bytes go, so adjust it if sshd listens on a different port.

# nano /etc/default/stunnel4

and change the line ENABLED=0 to ENABLED=1 so the service is allowed to start.

  1. Final steps on the server:

# systemctl restart stunnel4
# systemctl enable stunnel4

Note: you do not need to change GatewayPorts in /etc/ssh/sshd_config for this setup. It only controls whether remote forwards (ssh -R) may bind to non-loopback addresses on the server, which neither sshuttle nor the -D SOCKS proxy below uses, and leaving it at the default of "no" keeps any forwarded ports off the server's public interface.

Now you need to setup SSH on your *nix client (Linux or macOS).

  1. Edit your SSH config…

$ nano ~/.ssh/config

And put in the following content:

    Host SOME_NAME
        User SERVER_USERNAME
        ProxyCommand socat - OPENSSL:SERVER_IP:443,verify=0

verify=0 tells socat to accept whatever certificate the server presents, which is convenient with a self-signed certificate but means anyone on the path could terminate the TLS layer. Two things limit the damage. First, ssh still verifies the server's host key inside the tunnel, so the SSH session itself cannot be silently hijacked; the TLS wrapper is a disguise, not the trust anchor. Second, you can make socat actually check the certificate by copying stunnel.crt to the client and pointing socat at it instead of disabling verification:

    ProxyCommand socat - OPENSSL:SERVER_IP:443,cafile=/path/to/stunnel.crt,commonname=YOUR_DOMAIN

(commonname is the Common Name you entered when generating the certificate; it needs a recent socat that supports that option.)

If socat is giving you problems ("E SSL_connect(): error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error"), use this ProxyCommand instead:

    ProxyCommand openssl s_client -connect SERVER_IP:443 -quiet -servername YOUR_DOMAIN

The same caveat applies here: on its own, s_client prints a verification error and carries on regardless. Adding -CAfile /path/to/stunnel.crt -verify_return_error makes it refuse to connect unless the server presents the certificate you generated.

Replace SOME_NAME with a name of your choosing for the host entry (you will use it with ssh and sshuttle), SERVER_USERNAME with your account on the server, and SERVER_IP with the server's IP address or domain.

The "-servername" argument sets the TLS SNI name; give it the domain name in the certificate you generated (its Common Name). It is apparently needed with the OpenSSL shipped on newer distros.
On macOS you'll want to install socat using "brew install socat" (make sure Homebrew is installed).
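The verify=0 in the socat command accepts any certificate the server presents. The following is an added example, written for this edit and not code from the original post, of a ProxyCommand in Python that does the same job as socat (relay bytes between ssh on stdin/stdout and the TLS listener on 443) but refuses to relay unless the SHA-256 fingerprint of the presented certificate matches a pin recorded from stunnel.crt on the server. The script name pinned_proxy.py, the argument layout and the accepted pin formats (openssl's colon-separated fingerprint line or bare hex) are this example's own choices; SOME_NAME, SERVER_USERNAME and SERVER_IP are the placeholders used above.

```python
#!/usr/bin/env python3
"""ssh ProxyCommand with certificate pinning (added example, not from the post).

Record the pin once, on the server, from the certificate stunnel serves:

    openssl x509 -in /etc/stunnel/stunnel.crt -noout -fingerprint -sha256

then use it from ~/.ssh/config (SOME_NAME, SERVER_IP and PIN are placeholders):

    Host SOME_NAME
        User SERVER_USERNAME
        ProxyCommand python3 pinned_proxy.py SERVER_IP 443 --pin PIN
"""
import argparse
import hashlib
import hmac
import os
import selectors
import socket
import ssl
import sys


def normalize_pin(pin: str) -> str:
    """Accept 'sha256 Fingerprint=AB:CD:..', 'AB:CD:..' or bare hex; return lowercase hex."""
    if "=" in pin:
        pin = pin.split("=", 1)[1]
    return pin.replace(":", "").strip().lower()


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as lowercase hex (what openssl -fingerprint -sha256 shows)."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_pin: str) -> bool:
    """Compare the presented certificate against the pin in constant time."""
    return hmac.compare_digest(fingerprint(der_cert), normalize_pin(expected_pin))


def connect_pinned(host: str, port: int, pin: str, servername: str = None) -> ssl.SSLSocket:
    """Open a TLS connection to the stunnel listener and enforce the pin.

    Chain validation is switched off because the certificate is self-signed;
    the fingerprint check replaces it, so an interposed server presenting a
    different certificate is rejected before a single SSH byte is sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=servername or host)
    der = tls.getpeercert(binary_form=True) or b""
    if not pin_matches(der, pin):
        tls.close()
        sys.exit(f"pin mismatch for {host}:{port}: server presented {fingerprint(der)}")
    tls.settimeout(None)
    return tls


def relay(tls: ssl.SSLSocket, inp=None, out=None) -> None:
    """Pump bytes between ssh (our stdin/stdout) and the TLS socket until one side closes."""
    inp = inp if inp is not None else sys.stdin.buffer
    out = out if out is not None else sys.stdout.buffer
    sel = selectors.DefaultSelector()
    sel.register(inp, selectors.EVENT_READ, "ssh")
    sel.register(tls, selectors.EVENT_READ, "server")
    while True:
        for key, _ in sel.select():
            if key.data == "ssh":
                data = os.read(inp.fileno(), 65536)
                if not data:          # ssh closed the pipe: we are done
                    return
                tls.sendall(data)
            else:
                data = tls.recv(65536)
                if not data:          # server closed the TLS session
                    return
                out.write(data)
                # Bytes OpenSSL has already decrypted never show up in select(); drain them.
                while tls.pending():
                    out.write(tls.recv(tls.pending()))
                out.flush()


def main() -> None:
    ap = argparse.ArgumentParser(description="ssh ProxyCommand: TLS to stunnel with a pinned certificate")
    ap.add_argument("host")
    ap.add_argument("port", type=int)
    ap.add_argument("--pin", required=True, help="SHA-256 fingerprint of the server certificate")
    ap.add_argument("--servername", help="SNI name to send (the certificate's Common Name)")
    args = ap.parse_args()
    tls = connect_pinned(args.host, args.port, args.pin, args.servername)
    try:
        relay(tls)
    finally:
        tls.close()


if __name__ == "__main__":
    main()
```

Pinning the leaf certificate this way means you have to update the pin when you regenerate stunnel.pem, which is the right trade-off for a single self-signed server you control; a mismatch makes ssh fail with the message from connect_pinned instead of silently talking to whoever answered on 443.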

  1. Try connecting to the server:

$ ssh SOME_NAME

The first time, ssh prints the server's host key fingerprint and asks whether to trust it. Compare it with the output of "ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub" on the server (over the console or an existing session) before answering yes: that host key check, not the TLS wrapper, is what authenticates the server.

If it works, awesome! If not, run it again with "ssh -v SOME_NAME" to see where it stops, and try googling the issue/error.

  1. Install sshuttle (it is packaged for most distributions; "brew install sshuttle" on macOS). Then…

$ sshuttle -r SOME_NAME -x SERVER_IP --dns 0/0

-r SOME_NAME reuses the host entry, and therefore the ProxyCommand, from ~/.ssh/config. -x SERVER_IP excludes the server's own address so the tunnel's packets are not routed back into the tunnel. 0/0 sends every other destination through it, and --dns also sends DNS lookups through the server so they don't leak to the local resolver. sshuttle will ask for your local sudo password, since it has to add firewall rules.

And there you go! Your system traffic is now routed through the server.

This is a really nice way to get through all sorts of firewalls, and is actually really fast (since it's your own server). As a side note, you can also run "ssh SOME_NAME -D 5222" to start a SOCKS proxy on 127.0.0.1:5222. This is pretty useful, since it's faster than sshuttle, but only applications told to use the proxy go through it. In Firefox, set a SOCKS v5 proxy of 127.0.0.1 port 5222 in the network settings and enable "Proxy DNS when using SOCKS v5" so name lookups go through the tunnel as well. For other apps, use proxychains.