Given: a laptop running OS X is on a tightly controlled LAN. There is no access to the internet, save through a WebSense proxy. This proxy is very strict. Traffic on port 80 has to go through the HTTP proxy using its proxying commands, and both requests and responses have to carry valid HTTP headers. Traffic on port 443 is more flexible, since the HTTP proxy “Connect” command can be used, but only if the destination port is 443.
Goal: Configure things such that the laptop can talk any protocol to any port to any machine on the internet.
Step 1: SSH
Tunneling ssh traffic over port 443 is fairly easy. I have been doing it for over a year using the Open Source program Corkscrew. This is basically a program that is configured in ~/.ssh/config and gets run during the initial ssh handshaking: it issues the appropriate HTTPS Connect proxying commands to the proxy, then passes control over to ssh. Because of the proxy rules, the destination ssh server has to be listening on port 443. I no longer have instructions for this, but the setup is pretty easy and involves tweaking /etc/services and adding a file in /etc/xinetd.d. At this point, I can (and have been doing so for quite a while) secure shell into my home box and run any sort of command line utilities I desire. Secure copying/SFTP (scp) also works quite well.
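As an added example (not from the original post), here is the same setup seen from the proxy operator's side: ssh inside a Connect tunnel is easy to tell from real HTTPS, because an SSH client announces itself in clear text where a TLS client would send a record header. The script classifies the first client bytes of a few constructed sample tunnels; the host names, addresses and record format are assumptions made for the example.

```python
def classify_tunnel_payload(first_bytes: bytes) -> str:
    """Label the first bytes a client sends once the proxy has answered
    '200 Connection established'. SSH starts with its RFC 4253
    identification string; TLS starts with a record header."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 22 (handshake), version 3.0 .. 3.4
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls"
    return "unknown"


def audit_connect_tunnels(records):
    """records: iterable of (client_ip, connect_target, first_bytes).
    Returns one alert string per Connect to :443 whose payload is not TLS."""
    alerts = []
    for client_ip, target, payload in records:
        _host, _, port = target.rpartition(":")
        kind = classify_tunnel_payload(payload)
        if port == "443" and kind != "tls":
            alerts.append(f"{client_ip} -> {target}: {kind} inside CONNECT tunnel")
    return alerts


# Constructed sample tunnels (hypothetical hosts and addresses).
SAMPLE_TUNNELS = [
    # genuine HTTPS: TLS record header followed by a ClientHello (type 1)
    ("10.0.5.12", "www.example.com:443",
     b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    # ssh pushed through the proxy the way a Corkscrew setup does it
    ("10.0.5.34", "home.example.net:443", b"SSH-2.0-OpenSSH_5.2\r\n"),
    # neither TLS nor SSH
    ("10.0.5.40", "cdn.example.org:443", b"\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for line in audit_connect_tunnels(SAMPLE_TUNNELS):
        print(line)
```

A proxy that only checks the destination port, as the one above does, never looks at these bytes; the check needs a tap on the tunnel's first packet.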
Step 2: PPTP over SSH
This article does a pretty good job of describing how to set up PPTP via SSH. I ran into a couple of snags, though:
- Since all the commands are issued as sudo, all of the configuration files (keys and Corkscrew config) need to be in root’s ~/.ssh folder. This was not well described in the doc; because I already have my laptop keys paired with the machine at home, I accidentally skipped those steps, not realizing they were all run as root.
- A lot of the time, processes would just get left around on the client and server. These would eat up resources (for example, when the pppd on the server gets run multiple times using the given commands, it looks like it silently attempts to reissue the same IP addresses). No useful syslog messages are generated, and the solution to frequent connect failures involves running “sudo killall pppd” on both the client and server.
- Once a good connection is established from client to server, it looks like the server mysteriously needs to have connection sharing enabled in the Sharing control panel (Ethernet-to-Ethernet) in order to access other machines (both on the remote LAN and on the internet).
- As one of the comments mentions, “defaultroute” is a good pppd option to add so that you don’t have to muck about with route/netstat commands.
- There is no usable name server on the secure LAN. A shell script to temporarily change the DNS to that of my ISP at home is required.
Now, I have full access to the internet via HTTPS -> Corkscrew -> SSH:443 -> PPTP. It’s a bit slow, but nothing compared to the slow cellular modem I’ve been using (which admittedly is not too bad, considering T-Mobile has some nice EDGE service up here). Still, my ping time on certain networks went from 20-30 seconds to about 1-2 seconds. EDGE’s speed is pretty decent once a connection is going, but the latency is a bit nasty.