How to bypass strict firewalls on public wifi hotspots and restricted networks, by tunneling

blocked ports and protocols:

Public wifi hotspots and restricted internet access
More and more, you can find public wireless hotspots, in cities, train stations, airports...
and even some public hotspots that are available with a subscription, accessible through
a web login form.
The thing is, most of the time, these hospots will have a reduced connectivity. Only some
ports and protocols will be allowed. For instance, you may be restricted to HTTP, HTTPS,
POP and SMTP. Not the best combination when one primarily uses SSH!
This also applies to protected networks, such as libraries, schools and office
environments, where your access to Internet is limited, and some ports and protocols are
blocked.
I will explain here two different solutions to break free of these restrictions: SSH tunneling
and SOCKS servers. As I write this, I run a web browser, a fish session, an IM client, a
FTP client, all through some SSH tunnel.
What do we need?
You do need the following:
HTTPS access through the firewall. Most hotspots will leave HTTPS open, port 443, so
that people can browse Internet and go to secure sites
A server somewhere on Internet, even an home machine, with root access
Well, Linux. This howto is using Debian systems. You can probably have it to work on
Windows too, using other tools
A little bit of time to try the different solutions
You may want to use a free shell provider such as SilenceIsDefeat as your server, but
make sure you can access SSH through port 443.
How does it work?
The first solution using simple SSL tunneling. What we do is create a SSH tunnel, which
connects from your machine, to your server, through port 443 (HTTPS port). This tunnel
listens on a given port on your machine, and redirects everything to Internet, through
another given port on the server. So you can for instance create an IMAP connection
from your machine to any mail server out there, even if the firewall disallows IMAP, simply
telling your mail client to connect to localhost:10000.
The second solution is to create a SSH tunnel, but rather than listen to a specific port on
your machine, what we do is to use SSH as a SOCKS server to redirect every
connections from an application, through the tunnel, directly to Internet (and via our
server). Some applications, such as Firefox, supports SOCKS, others can be tricked
using tsocks.
I find that using both solutions allows me to do almost everything. Some applications
don't play well with SOCKS, so simple tunneling works better. However, SOCKS, when
working, has the advantage of not requiring any changes of configuration in your
applications.
Before we start
You need to access your server at least once via regular SSH, port 22, in order to set it

up. If you are already behind the firewall, you will not be able to log in the server. Since I
was in a rush, I did use Anyterm to be able to access the server for the initial
configuration.
We will set the server to be listening on the port 443, so that we can SSH into it using the
port usually reserved to HTTPS. Log into your server, and edit the file
/etc/ssh/sshd_config and add the line:
Listen 443
Then restart your SSH server. It now listens on port 443 (in the configuration file, you can
leave the other ports, such as 22).
You should be able to log into your server, from behind the firewall, with the following
command:
ssh -p 443 my.server.com
You may want to set up your access so that no password is required to log in, using SSH
keys for instance. This will allow you to open the tunnels to the server without having to
type in your password. Essential.
SSH tunneling
Say that you want to access to email account via IMAP (port 143) when the firewall
forbids it. Create a SSH tunnel with the following command:
ssh -L localhost:10143:mail.isp.com:143 -p 443 user@my.server.com
This will forward any IMAP requests received on localhost port 10143 to mail.isp.com
port 143, all through a SSH tunnel. We basically use the server to forward the IMAP
connection.
Then set up your email client to use localhost as incoming server, and 10143 as the port
number. You should be able to fetch your emails, despite the firewall.
At the same time, I also want to connect to another server, via SSH. In fact, I want to
open a webspace in Konqueror, via the fish KIO plugin. Turns out that you can enable
several redirections in the same tunnel:
ssh -L localhost:10143:mail.isp.com:143 -L localhost:10022:web.isp.com:22 -p 443
user@my.server.com
Then in Konqueror, I simply go to:
fish://user@localhost:10022
SSH as a SOCKS server
Now, we will attempt to have Skype and FTP to bypass the firewall. In order to do so, we
will run a SOCKS server on a given port, and set applications to use SOCKS, either
natively, either forcibly. When an application uses SOCKS, all its network connections are
routed through the SOCKS server, which forwards it all to your server on Internet, and
then connects to your different services and servers. It is a bit like a "multi-port" SSH
tunnel.
Some applications don't understand SOCKS. So we will trick them, using tsocks .
Running an application under tsocks will catch all the application's connections and
negociate SOCKS access transparently. Technically, tsocks overwrites the kernel

connection methods with its own, using LD_PRELOAD. To install tsocks, compile it from
the source, or simply install your distribution's package. For Debian/Ubuntu:
sudo apt-get install tsocks
To run SSH as a SOCKS server listening on port 1080, use the following command:
ssh -D 1080 -p 443 user@my.server.com
Note that if you can get the firewall to redirect some ports to you, you can also enable the
forwarding into the tunnel from the server. For instance here, I have the server listening
on port 1081, and forwarding all connections to my localhost, port 1081. Can be very
useful for some peer-to-peer applications:
ssh -A -R 1081:localhost:1081 -D 1080 -p 443 user@my.server.com
Then configure tsocks to use to connect to localhost port 1080. Edit /etc/tsocks.conf, and
near the end, change it so that it looks like this:
server = 127.0.0.1
port = 1080
Then, you need to run your applications from within tsocks. You can use tsocks in many
ways. For instance, in a shell, run simply tsocks and you will get into a new shell from
which all applications will be forced to connect through the SOCKS server. You can also
run applications as following:
tsocks skype
tsocks kopete
tsocks kmail
tsocks ftp someserver.com
tsocks ssh someuser@someserver.com
If everything goes well, you will run almost all applications as if you were directly
connected to Internet.
Some notes
You need root access on your server to allow SSH to listen port 443. But you don't need
to install anything on the server. As long as your server is connected to Internet with a
less restrictive firewall, and you have a SSH account on it, you're fine.
FTP will need to be in passive mode
Annoyingly, Konqueror SOCKS configuration can't use SSH as SOCKS server, nor plays
well with tsocks
Some applications work better with simple SSH tunneling
Some plainly don't work. The only BitTorrent application I could get working is azareus,
using these instructions
Conclusion
It works very well! I was stuck in a place with only a public hostpot, and am now able to
work using all my normal tools, with very little changes. I do web coding, and I use SSH,
FTP, IM, all the time; I can now do it all. I SSH, FTP, IMAP, Skype, IM through SOCKS,
uses fish through SSH tunneling, and browse Internet trough nothing since the ISP allows
HTTP!
If you have a public hostpot nearby, which requires a registration to use, and you actually
are not registered, you can search for DNS or ICMP tunneling . You will be able to

redirect all your traffic through DNS or ICMP requests, since these hotspots let you do
that and only that.